Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for gcp access token #1578

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Add support for gcp access token #1578

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
af64307
feat: add support for the use of gcp access tokens with the environme…
marensofier Aug 6, 2024
5c01b44
Update README.rst
marensofier Aug 26, 2024
0f7dad5
added error message when none of the ways of providing credentials fo…
marensofier Aug 26, 2024
5cd41b2
build(deps): Bump github.com/docker/docker
dependabot[bot] Aug 9, 2024
caf7ac2
build(deps): Bump the ci group with 3 updates
dependabot[bot] Aug 12, 2024
f5c24b9
Note on the name of the configuration file
ErraticMaker Jul 30, 2024
b97969a
Use ReST admonition syntax for note
ErraticMaker Jul 30, 2024
6b52c79
build(deps): Bump the ci group with 2 updates
dependabot[bot] Aug 19, 2024
0bd5399
build(deps): Bump the go group across 1 directory with 15 updates
dependabot[bot] Aug 26, 2024
bb4bd8c
build(deps): Bump the ci group with 2 updates
dependabot[bot] Aug 26, 2024
6719977
add changes to readme-file
marensofier Aug 26, 2024
3f7920a
remove unsaved diff from rebase
marensofier Aug 26, 2024
7e43137
chore: fix error in readme
marensofier Aug 30, 2024
8e336b4
chore: update changes in main
marensofier Sep 4, 2024
6b407ea
chore: update doc string for getting gcp credentials file and oauth2 …
marensofier Sep 9, 2024
043d87a
chore: add to doc strings that a nil byte slice will be returned with…
marensofier Sep 9, 2024
5413fd2
Merge branch 'main' into add_access_token
marensofier Sep 19, 2024
8ad26e8
update go.mod
marensofier Sep 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,8 +221,12 @@ Encrypting with SSH keys via age is not yet supported by SOPS.

Encrypting using GCP KMS
~~~~~~~~~~~~~~~~~~~~~~~~
GCP KMS uses `Application Default Credentials
<https://developers.google.com/identity/protocols/application-default-credentials>`_.
GCP KMS has support for authorization with the use of `Application Default Credentials
<https://developers.google.com/identity/protocols/application-default-credentials>`_ and using an oauth2 token.
Application default credentials precedes the use of access token.

Using Application Default Credentials you can authorize by doing this:

If you already logged in using

.. code:: sh
Expand All @@ -235,6 +239,19 @@ you can enable application default credentials using the sdk:

$ gcloud auth application-default login

Using oauth tokens you can authorize by doing this:

.. code:: sh

$ export GOOGLE_OAUTH_ACCESS_TOKEN=<your access token>

Or if you are logged in you can authorize by generating an access token:

.. code:: sh

$ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"

devstein marked this conversation as resolved.
Show resolved Hide resolved

Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
cloud console the get the ResourceID or you can create one using the gcloud
sdk:
Expand All @@ -257,6 +274,7 @@ And decrypt it using::

$ sops decrypt test.enc.yaml


Encrypting using Azure Key Vault
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expand Down
44 changes: 36 additions & 8 deletions gcpkms/keysource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/sirupsen/logrus"
"golang.org/x/oauth2"
"google.golang.org/api/option"
"google.golang.org/grpc"

Expand All @@ -23,6 +24,9 @@ const (
// a path to a credentials file, or directly as the variable's value in JSON
// format.
SopsGoogleCredentialsEnv = "GOOGLE_CREDENTIALS"
// SopsGoogleCredentialsOAuthToken can be set as an environment variable as either
// a path to a file, or directly as the varialbe's value
SopsGoogleCredentialsOAuthToken = "GOOGLE_OAUTH_ACCESS_TOKEN"
// KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
KeyTypeIdentifier = "gcp_kms"
)
Expand Down Expand Up @@ -219,22 +223,30 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
case key.credentialJSON != nil:
opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
default:
credentials, err := getGoogleCredentials()
if err != nil {
return nil, err
}
credentials, err_credentials_file := getGoogleCredentials()
if credentials != nil {
opts = append(opts, option.WithCredentialsJSON(credentials))
break
}

at_credentials, err_credentials_token := getGoogleOAuthToken()
if at_credentials != nil {
opts = append(opts, option.WithTokenSource(at_credentials))
}

if err_credentials_file != nil && err_credentials_token != nil {
return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token")
}
}

if key.grpcConn != nil {
opts = append(opts, option.WithGRPCConn(key.grpcConn))
}

ctx := context.Background()
client, err := kms.NewKeyManagementClient(ctx, opts...)
if err != nil {
return nil, err
client, err_credentials := kms.NewKeyManagementClient(ctx, opts...)
if err_credentials != nil {
return nil, err_credentials
}

return client, nil
Expand All @@ -249,7 +261,23 @@ func getGoogleCredentials() ([]byte, error) {
if _, err := os.Stat(defaultCredentials); err == nil {
return os.ReadFile(defaultCredentials)
}

return []byte(defaultCredentials), nil
}
return nil, nil
return nil, fmt.Errorf("could not find Google credential file")
Comment on lines +265 to +268
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update the function doc comment to reflect behavior change? Right now, it incorrectly reads and may return a nil byte slice if no value is set.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also changed the description of the SopsGoogleCredentialsOAuthToken, where i forgot to update after removing the possibility of using a file path!

Thank you for all of your comments, and time! 🌻

}

// getGoogleOAuthToken returns the SopsGoogleCredentialsOauthToken variable,
// as the oauth token.
// It returns an error and nil if the envrionment variable is not set.
func getGoogleOAuthToken() (oauth2.TokenSource, error) {
if token, isSet := os.LookupEnv(SopsGoogleCredentialsOAuthToken); isSet {
tokenSource := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: token},
)

return tokenSource, nil
}

return nil, fmt.Errorf("could not find Google OAuth token")
}
43 changes: 37 additions & 6 deletions gcpkms/keysource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,9 @@ func TestMasterKey_Encrypt(t *testing.T) {
})

key := MasterKey{
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
credentialJSON: []byte("arbitrary credentials"),
}
err := key.Encrypt([]byte("encrypt"))
assert.NoError(t, err)
Expand All @@ -80,9 +81,10 @@ func TestMasterKey_Decrypt(t *testing.T) {
Plaintext: []byte(decryptedData),
})
key := MasterKey{
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
EncryptedKey: "encryptedKey",
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
EncryptedKey: "encryptedKey",
credentialJSON: []byte("arbitrary credentials"),
}
data, err := key.Decrypt()
assert.NoError(t, err)
Expand Down Expand Up @@ -116,7 +118,7 @@ func TestMasterKey_ToMap(t *testing.T) {
}, key.ToMap())
}

func TestMasterKey_createCloudKMSService(t *testing.T) {
func TestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
tests := []struct {
key MasterKey
errString string
Expand All @@ -136,6 +138,12 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
"type": "authorized_user"}`),
},
},
{
key: MasterKey{
ResourceID: testResourceID,
},
errString: "credentials: failed to get credentials",
},
}

for _, tt := range tests {
Expand All @@ -149,6 +157,29 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
}
}

func TestMasterKey_createCloudKMSService_withOauthToken(t *testing.T) {
t.Setenv(SopsGoogleCredentialsOAuthToken, "token")

masterKey := MasterKey{
ResourceID: testResourceID,
}

_, err := masterKey.newKMSClient()

assert.NoError(t, err)
}

func TestMasterKey_createCloudKMSService_withoutCredentials(t *testing.T) {
masterKey := MasterKey{
ResourceID: testResourceID,
}

_, err := masterKey.newKMSClient()

assert.Error(t, err)
assert.ErrorContains(t, err, "credentials: failed to get credentials")
}

func newGRPCServer(port string) *grpc.ClientConn {
serv := grpc.NewServer()
kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ require (
github.com/stretchr/testify v1.9.0
github.com/urfave/cli v1.22.15
golang.org/x/net v0.28.0
golang.org/x/oauth2 v0.22.0
golang.org/x/sys v0.24.0
golang.org/x/term v0.23.0
google.golang.org/api v0.195.0
Expand Down Expand Up @@ -127,7 +128,6 @@ require (
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/trace v1.28.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/oauth2 v0.22.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/time v0.6.0 // indirect
Expand Down
Loading