From 07f13e56eb8dc02e73a8a90bf8569e0ee3c72246 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 2 Sep 2020 13:27:40 +0200 Subject: [PATCH] GPG decryption in contained environment --- Dockerfile | 1 + controllers/kustomization_controller.go | 6 +- controllers/kustomization_decryptor.go | 30 +- go.mod | 5 + internal/sops/LICENSE | 373 ++++++++++++++++++++++++ internal/sops/keyservice/client.go | 38 +++ internal/sops/keyservice/server.go | 141 +++++++++ internal/sops/pgp/keysource.go | 362 +++++++++++++++++++++++ 8 files changed, 952 insertions(+), 4 deletions(-) create mode 100644 internal/sops/LICENSE create mode 100644 internal/sops/keyservice/client.go create mode 100644 internal/sops/keyservice/server.go create mode 100644 internal/sops/pgp/keysource.go diff --git a/Dockerfile b/Dockerfile index a68a7e8..da14862 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ RUN go mod download # copy source code COPY main.go main.go COPY controllers/ controllers/ +COPY internal/ internal/ # build RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o kustomize-controller main.go diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go index 5e97a00..7ff4a7e 100644 --- a/controllers/kustomization_controller.go +++ b/controllers/kustomization_controller.go @@ -393,7 +393,11 @@ func (r *KustomizationReconciler) build(kustomization kustomizev1.Kustomization, ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() - dec := NewDecryptor(r.Client, kustomization) + dec, cleanup, err := NewTempDecryptor(r.Client, kustomization) + if err != nil { + return nil, err + } + defer cleanup() // import OpenPGP keys if any if err := dec.ImportKeys(ctx); err != nil { diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go index a0106f1..730913d 100644 --- a/controllers/kustomization_decryptor.go +++ b/controllers/kustomization_decryptor.go @@ -12,6 +12,7 @@ import ( "go.mozilla.org/sops/v3/aes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/cmd/sops/formats" + "go.mozilla.org/sops/v3/keyservice" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" @@ -19,6 +20,7 @@ import ( "sigs.k8s.io/yaml" kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1" + intkeyservice "github.com/fluxcd/kustomize-controller/internal/sops/keyservice" ) const DecryptionProviderSOPS = "sops" @@ -26,15 +28,28 @@ const DecryptionProviderSOPS = "sops" type KustomizeDecryptor struct { client.Client kustomization kustomizev1.Kustomization + homeDir string } -func NewDecryptor(kubeClient client.Client, kustomization kustomizev1.Kustomization) *KustomizeDecryptor { +func NewDecryptor(kubeClient client.Client, + kustomization kustomizev1.Kustomization, homeDir string) *KustomizeDecryptor { return &KustomizeDecryptor{ Client: kubeClient, kustomization: kustomization, + homeDir: homeDir, } } +func NewTempDecryptor(kubeClient client.Client, + kustomization kustomizev1.Kustomization) (*KustomizeDecryptor, func(), error) { + tmpDir, err := ioutil.TempDir("", fmt.Sprintf("decryptor-%s-", kustomization.Name)) + if err != nil { + return nil, nil, fmt.Errorf("tmp dir error: %w", err) + } + cleanup := func() { os.RemoveAll(tmpDir) } + return NewDecryptor(kubeClient, kustomization, tmpDir), cleanup, nil +} + func (kd *KustomizeDecryptor) Decrypt(res *resource.Resource) (*resource.Resource, error) { out, err := res.AsYAML() if err != nil { @@ -50,7 +65,11 @@ func (kd *KustomizeDecryptor) Decrypt(res *resource.Resource) (*resource.Resourc return nil, fmt.Errorf("LoadEncryptedFile: %w", err) } - key, err := tree.Metadata.GetDataKey() + key, err := tree.Metadata.GetDataKeyWithKeyServices( + []keyservice.KeyServiceClient{ + intkeyservice.NewLocalClient(intkeyservice.NewServer(false, kd.homeDir)), + }, + ) if err != nil { return nil, fmt.Errorf("GetDataKey: %w", err) } @@ -95,6 +114,7 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error { if err != nil { return fmt.Errorf("tmp dir error: %w", err) } + defer os.RemoveAll(tmpDir) for name, key := range secret.Data { keyPath := path.Join(tmpDir, name) @@ -111,7 +131,11 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error { } func (kd *KustomizeDecryptor) gpgImport(path string) error { - cmd := exec.Command("gpg", "--import", path) + args := []string{"--import", path} + if kd.homeDir != "" { + args = append([]string{"--homedir", kd.homeDir}, args...) + } + cmd := exec.Command("gpg", args...) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("gpg import error: %s", string(out)) diff --git a/go.mod b/go.mod index 2f28957..e24f4ef 100644 --- a/go.mod +++ b/go.mod @@ -13,9 +13,14 @@ require ( github.com/fluxcd/pkg/untar v0.0.5 github.com/fluxcd/source-controller/api v0.0.11 github.com/go-logr/logr v0.1.0 + github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c github.com/onsi/ginkgo v1.12.1 github.com/onsi/gomega v1.10.1 + go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a go.mozilla.org/sops/v3 v3.6.0 + golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 + golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7 + google.golang.org/grpc v1.26.0 k8s.io/api v0.18.8 k8s.io/apimachinery v0.18.8 k8s.io/client-go v0.18.8 diff --git a/internal/sops/LICENSE b/internal/sops/LICENSE new file mode 100644 index 0000000..a612ad9 --- /dev/null +++ b/internal/sops/LICENSE @@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/internal/sops/keyservice/client.go b/internal/sops/keyservice/client.go new file mode 100644 index 0000000..50f0da9 --- /dev/null +++ b/internal/sops/keyservice/client.go @@ -0,0 +1,38 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at https://mozilla.org/MPL/2.0/. + +package keyservice + +import ( + "go.mozilla.org/sops/v3/keyservice" + "golang.org/x/net/context" + + "google.golang.org/grpc" +) + +// LocalClient is a key service client that performs all operations +// locally. The sole reason this exists is because the +// go.mozilla.org/sops/v3/keyservice.LocalClient does not implement +// the KeyServiceServer interface. +type LocalClient struct { + Server keyservice.KeyServiceServer +} + +// NewLocalClient creates a new local client that embeds the given +// KeyServiceServer. +func NewLocalClient(server keyservice.KeyServiceServer) LocalClient { + return LocalClient{server} +} + +// Decrypt processes a decrypt request locally. +func (c LocalClient) Decrypt(ctx context.Context, + req *keyservice.DecryptRequest, opts ...grpc.CallOption) (*keyservice.DecryptResponse, error) { + return c.Server.Decrypt(ctx, req) +} + +// Encrypt processes an encrypt request locally. +func (c LocalClient) Encrypt(ctx context.Context, + req *keyservice.EncryptRequest, opts ...grpc.CallOption) (*keyservice.EncryptResponse, error) { + return c.Server.Encrypt(ctx, req) +} diff --git a/internal/sops/keyservice/server.go b/internal/sops/keyservice/server.go new file mode 100644 index 0000000..230d24a --- /dev/null +++ b/internal/sops/keyservice/server.go @@ -0,0 +1,141 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at https://mozilla.org/MPL/2.0/. + +package keyservice + +import ( + "fmt" + + "go.mozilla.org/sops/v3/keyservice" + "golang.org/x/net/context" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + + "github.com/fluxcd/kustomize-controller/internal/sops/pgp" +) + +// Server is a key service server that uses SOPS MasterKeys to fulfill +// requests. It intercepts encryption and decryption requests made for +// PGP keys, so that they can be run in a contained environment, +// instead of the default implementation which heavily utilizes +// environmental variables. Any other request is forwarded to +// the embedded DefaultServer. +type Server struct { + // Prompt indicates whether the server should prompt before decrypting + // or encrypting data. + Prompt bool + + // HomeDir configures the home directory used for PGP operations. + HomeDir string + + // DefaultServer is the server used for any other request than a PGP + // encryption/decryption. + DefaultServer keyservice.KeyServiceServer +} + +func NewServer(prompt bool, homeDir string) keyservice.KeyServiceServer { + server := &Server{ + Prompt: prompt, + HomeDir: homeDir, + DefaultServer: &keyservice.Server{ + Prompt: prompt, + }, + } + return server +} + +func (ks *Server) encryptWithPgp(key *keyservice.PgpKey, plaintext []byte) ([]byte, error) { + pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint, ks.HomeDir) + err := pgpKey.Encrypt(plaintext) + if err != nil { + return nil, err + } + return []byte(pgpKey.EncryptedKey), nil +} + +func (ks *Server) decryptWithPgp(key *keyservice.PgpKey, ciphertext []byte) ([]byte, error) { + pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint, ks.HomeDir) + pgpKey.EncryptedKey = string(ciphertext) + plaintext, err := pgpKey.Decrypt() + return plaintext, err +} + +// Encrypt takes an encrypt request and encrypts the provided plaintext with the provided key, +// returning the encrypted result. +func (ks Server) Encrypt(ctx context.Context, + req *keyservice.EncryptRequest) (*keyservice.EncryptResponse, error) { + key := *req.Key + var response *keyservice.EncryptResponse + switch k := key.KeyType.(type) { + case *keyservice.Key_PgpKey: + ciphertext, err := ks.encryptWithPgp(k.PgpKey, req.Plaintext) + if err != nil { + return nil, err + } + response = &keyservice.EncryptResponse{ + Ciphertext: ciphertext, + } + default: + return ks.Encrypt(ctx, req) + } + if ks.Prompt { + err := ks.prompt(key, "encrypt") + if err != nil { + return nil, err + } + } + return response, nil +} + +func keyToString(key keyservice.Key) string { + switch k := key.KeyType.(type) { + case *keyservice.Key_PgpKey: + return fmt.Sprintf("PGP key with fingerprint %s", k.PgpKey.Fingerprint) + default: + return fmt.Sprintf("Unknown key type") + } +} + +func (ks Server) prompt(key keyservice.Key, requestType string) error { + keyString := keyToString(key) + var response string + for response != "y" && response != "n" { + fmt.Printf("\nReceived %s request using %s. Respond to request? (y/n): ", requestType, keyString) + _, err := fmt.Scanln(&response) + if err != nil { + return err + } + } + if response == "n" { + return grpc.Errorf(codes.PermissionDenied, "Request rejected by user") + } + return nil +} + +// Decrypt takes a decrypt request and decrypts the provided ciphertext with the provided key, +// returning the decrypted result. +func (ks Server) Decrypt(ctx context.Context, + req *keyservice.DecryptRequest) (*keyservice.DecryptResponse, error) { + key := *req.Key + var response *keyservice.DecryptResponse + switch k := key.KeyType.(type) { + case *keyservice.Key_PgpKey: + plaintext, err := ks.decryptWithPgp(k.PgpKey, req.Ciphertext) + if err != nil { + return nil, err + } + response = &keyservice.DecryptResponse{ + Plaintext: plaintext, + } + default: + return ks.DefaultServer.Decrypt(ctx, req) + } + if ks.Prompt { + err := ks.prompt(key, "decrypt") + if err != nil { + return nil, err + } + } + return response, nil +} diff --git a/internal/sops/pgp/keysource.go b/internal/sops/pgp/keysource.go new file mode 100644 index 0000000..63a09ab --- /dev/null +++ b/internal/sops/pgp/keysource.go @@ -0,0 +1,362 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at https://mozilla.org/MPL/2.0/. + +package pgp + +import ( + "bytes" + "encoding/hex" + "fmt" + "io/ioutil" + "net/http" + "os" + "os/exec" + "os/user" + "path" + "strings" + "time" + + "github.com/howeyc/gopass" + gpgagent "go.mozilla.org/gopgagent" + "golang.org/x/crypto/openpgp" + "golang.org/x/crypto/openpgp/armor" +) + +// MasterKey is a PGP key used to securely store sops' data key by +// encrypting it and decrypting it. +type MasterKey struct { + Fingerprint string + EncryptedKey string + CreationDate time.Time + homeDir string +} + +// EncryptedDataKey returns the encrypted data key this master key holds. +func (key *MasterKey) EncryptedDataKey() []byte { + return []byte(key.EncryptedKey) +} + +// SetEncryptedDataKey sets the encrypted data key for this master key. +func (key *MasterKey) SetEncryptedDataKey(enc []byte) { + key.EncryptedKey = string(enc) +} + +func gpgBinary() string { + binary := "gpg" + if envBinary := os.Getenv("SOPS_GPG_EXEC"); envBinary != "" { + binary = envBinary + } + return binary +} + +func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error { + fingerprint := key.Fingerprint + if offset := len(fingerprint) - 16; offset > 0 { + fingerprint = fingerprint[offset:] + } + args := []string{ + "--no-default-recipient", + "--yes", + "--encrypt", + "-a", + "-r", + key.Fingerprint, + "--trusted-key", + fingerprint, + "--no-encrypt-to", + } + if key.homeDir != "" { + args = append([]string{"--homedir", key.homeDir}, args...) + } + cmd := exec.Command(gpgBinary(), args...) + var stdout, stderr bytes.Buffer + cmd.Stdin = bytes.NewReader(dataKey) + cmd.Stdout = &stdout + cmd.Stderr = &stderr + err := cmd.Run() + if err != nil { + return err + } + key.EncryptedKey = stdout.String() + return nil +} + +func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity, error) { + url := fmt.Sprintf("https://%s/pks/lookup?op=get&options=mr&search=0x%s", keyserver, fingerprint) + resp, err := http.Get(url) + if err != nil { + return openpgp.Entity{}, fmt.Errorf("error getting key from keyserver: %s", err) + } + defer resp.Body.Close() + if resp.StatusCode != 200 { + return openpgp.Entity{}, fmt.Errorf("keyserver returned non-200 status code %s", resp.Status) + } + ents, err := openpgp.ReadArmoredKeyRing(resp.Body) + if err != nil { + return openpgp.Entity{}, fmt.Errorf("could not read entities: %s", err) + } + return *ents[0], nil +} + +func gpgKeyServer() string { + keyServer := "gpg.mozilla.org" + if envKeyServer := os.Getenv("SOPS_GPG_KEYSERVER"); envKeyServer != "" { + keyServer = envKeyServer + } + return keyServer +} + +func (key *MasterKey) getPubKey() (openpgp.Entity, error) { + ring, err := key.pubRing() + if err == nil { + fingerprints := key.fingerprintMap(ring) + entity, ok := fingerprints[key.Fingerprint] + if ok { + return entity, nil + } + } + keyServer := gpgKeyServer() + entity, err := getKeyFromKeyServer(keyServer, key.Fingerprint) + if err != nil { + return openpgp.Entity{}, + fmt.Errorf("key with fingerprint %s is not available "+ + "in keyring and could not be retrieved from keyserver", key.Fingerprint) + } + return entity, nil +} + +func (key *MasterKey) encryptWithCryptoOpenPGP(dataKey []byte) error { + entity, err := key.getPubKey() + if err != nil { + return err + } + encbuf := new(bytes.Buffer) + armorbuf, err := armor.Encode(encbuf, "PGP MESSAGE", nil) + if err != nil { + return err + } + plaintextbuf, err := openpgp.Encrypt(armorbuf, []*openpgp.Entity{&entity}, nil, &openpgp.FileHints{IsBinary: true}, nil) + if err != nil { + return err + } + _, err = plaintextbuf.Write(dataKey) + if err != nil { + return err + } + err = plaintextbuf.Close() + if err != nil { + return err + } + err = armorbuf.Close() + if err != nil { + return err + } + b, err := ioutil.ReadAll(encbuf) + if err != nil { + return err + } + key.EncryptedKey = string(b) + return nil +} + +// Encrypt encrypts the data key with the PGP key with the same +// fingerprint as the MasterKey. It first looks for PGP public +// keys in MasterKey.homeDir, and falls back to $GNUPGHOME/pubring.gpg. +func (key *MasterKey) Encrypt(dataKey []byte) error { + openpgpErr := key.encryptWithCryptoOpenPGP(dataKey) + if openpgpErr == nil { + return nil + } + binaryErr := key.encryptWithGPGBinary(dataKey) + if binaryErr == nil { + return nil + } + return fmt.Errorf( + `could not encrypt data key with PGP key: golang.org/x/crypto/openpgp error: %v; GPG binary error: %v`, + openpgpErr, binaryErr) +} + +// EncryptIfNeeded encrypts the data key with PGP only if it's needed, +// that is, if it hasn't been encrypted already. +func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { + if key.EncryptedKey == "" { + return key.Encrypt(dataKey) + } + return nil +} + +func (key *MasterKey) decryptWithGPGBinary() ([]byte, error) { + args := []string{ + "--use-agent", + "-d", + } + if key.homeDir != "" { + args = append([]string{"--homedir", key.homeDir}, args...) + } + cmd := exec.Command(gpgBinary(), args...) + var stdout, stderr bytes.Buffer + cmd.Stdin = strings.NewReader(key.EncryptedKey) + cmd.Stdout = &stdout + cmd.Stderr = &stderr + err := cmd.Run() + if err != nil { + return nil, err + } + return stdout.Bytes(), nil +} + +func (key *MasterKey) decryptWithCryptoOpenpgp() ([]byte, error) { + ring, err := key.secRing() + if err != nil { + return nil, fmt.Errorf("Could not load secring: %s", err) + } + block, err := armor.Decode(strings.NewReader(key.EncryptedKey)) + if err != nil { + return nil, fmt.Errorf("Armor decoding failed: %s", err) + } + md, err := openpgp.ReadMessage(block.Body, ring, key.passphrasePrompt(), nil) + if err != nil { + return nil, fmt.Errorf("Reading PGP message failed: %s", err) + } + if b, err := ioutil.ReadAll(md.UnverifiedBody); err == nil { + return b, nil + } + return nil, fmt.Errorf("The key could not be decrypted with any of the PGP entries") +} + +// Decrypt uses PGP to obtain the data key from the EncryptedKey store +// in the MasterKey and returns it. +func (key *MasterKey) Decrypt() ([]byte, error) { + dataKey, openpgpErr := key.decryptWithCryptoOpenpgp() + if openpgpErr == nil { + return dataKey, nil + } + dataKey, binaryErr := key.decryptWithGPGBinary() + if binaryErr == nil { + return dataKey, nil + } + return nil, fmt.Errorf( + `could not decrypt data key with PGP key: golang.org/x/crypto/openpgp error: %v; GPG binary error: %v`, + openpgpErr, binaryErr) +} + +// NeedsRotation returns whether the data key needs to be rotated +// or not. +func (key *MasterKey) NeedsRotation() bool { + return time.Since(key.CreationDate).Hours() > 24*30*6 +} + +// ToString returns the string representation of the key, i.e. its +// fingerprint. +func (key *MasterKey) ToString() string { + return key.Fingerprint +} + +func (key *MasterKey) gpgHome() string { + if key.homeDir != "" { + return key.homeDir + } + dir := os.Getenv("GNUPGHOME") + if dir == "" { + usr, err := user.Current() + if err != nil { + return path.Join(os.Getenv("HOME"), "/.gnupg") + } + return path.Join(usr.HomeDir, ".gnupg") + } + return dir +} + +// NewMasterKeyFromFingerprint takes a PGP fingerprint and returns a +// new MasterKey with that fingerprint. +func NewMasterKeyFromFingerprint(fingerprint, homeDir string) *MasterKey { + return &MasterKey{ + Fingerprint: strings.Replace(fingerprint, " ", "", -1), + CreationDate: time.Now().UTC(), + homeDir: homeDir, + } +} + +func (key *MasterKey) loadRing(path string) (openpgp.EntityList, error) { + f, err := os.Open(path) + if err != nil { + return openpgp.EntityList{}, err + } + defer f.Close() + keyring, err := openpgp.ReadKeyRing(f) + if err != nil { + return keyring, err + } + return keyring, nil +} + +func (key *MasterKey) secRing() (openpgp.EntityList, error) { + return key.loadRing(key.gpgHome() + "/secring.gpg") +} + +func (key *MasterKey) pubRing() (openpgp.EntityList, error) { + return key.loadRing(key.gpgHome() + "/pubring.gpg") +} + +func (key *MasterKey) fingerprintMap(ring openpgp.EntityList) map[string]openpgp.Entity { + fps := make(map[string]openpgp.Entity) + for _, entity := range ring { + fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:])) + if entity != nil { + fps[fp] = *entity + } + } + return fps +} + +func (key *MasterKey) passphrasePrompt() func(keys []openpgp.Key, symmetric bool) ([]byte, error) { + callCounter := 0 + maxCalls := 3 + return func(keys []openpgp.Key, symmetric bool) ([]byte, error) { + if callCounter >= maxCalls { + return nil, fmt.Errorf("function passphrasePrompt called too many times") + } + callCounter++ + + conn, err := gpgagent.NewConn() + if err == gpgagent.ErrNoAgent { + fmt.Print("Enter PGP key passphrase: ") + pass, err := gopass.GetPasswd() + if err != nil { + return nil, err + } + for _, k := range keys { + k.PrivateKey.Decrypt(pass) + } + return pass, err + } + if err != nil { + return nil, fmt.Errorf("Could not establish connection with gpg-agent: %s", err) + } + defer conn.Close() + for _, k := range keys { + req := gpgagent.PassphraseRequest{ + CacheKey: k.PublicKey.KeyIdShortString(), + Prompt: "Passphrase", + Desc: fmt.Sprintf("Unlock key %s to decrypt sops's key", k.PublicKey.KeyIdShortString()), + } + pass, err := conn.GetPassphrase(&req) + if err != nil { + return nil, fmt.Errorf("gpg-agent passphrase request errored: %s", err) + } + k.PrivateKey.Decrypt([]byte(pass)) + return []byte(pass), nil + } + return nil, fmt.Errorf("No key to unlock") + } +} + +// ToMap converts the MasterKey into a map for serialization purposes +func (key MasterKey) ToMap() map[string]interface{} { + out := make(map[string]interface{}) + out["fp"] = key.Fingerprint + out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) + out["enc"] = key.EncryptedKey + return out +}