fluxcd
/
kustomize-controller
mirror of https://github.com/fluxcd/kustomize-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
kustomize-controller/internal/sops/pgp/keysource.go

333 lines
8.9 KiB
Go
Raw Permalink Blame History

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.
package pgp
import (
"bytes"
"encoding/hex"
"fmt"
"io"
"net/http"
"os"
"os/exec"
"os/user"
"path"
"strings"
"time"
"github.com/ProtonMail/go-crypto/openpgp"
"github.com/ProtonMail/go-crypto/openpgp/armor"
)
// MasterKey is a PGP key used to securely store sops' data key by
// encrypting it and decrypting it.
//
// Adapted from https://github.com/mozilla/sops/blob/v3.7.0/pgp/keysource.go
// to be able to control the GPG home directory and have a "contained"
// environment.
//
// We are unable to drop the dependency on the GPG binary (although we
// wish!) because the builtin GPG support in Go is limited, it does for
// example not offer support for FIPS:
// * https://github.com/golang/go/issues/11658#issuecomment-120448974
// * https://github.com/golang/go/issues/45188
type MasterKey struct {
Fingerprint string
EncryptedKey string
CreationDate time.Time
homeDir string
}
// EncryptedDataKey returns the encrypted data key this master key holds.
func (key *MasterKey) EncryptedDataKey() []byte {
return []byte(key.EncryptedKey)
}
// SetEncryptedDataKey sets the encrypted data key for this master key.
func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
key.EncryptedKey = string(enc)
}
func gpgBinary() string {
binary := "gpg"
if envBinary := os.Getenv("SOPS_GPG_EXEC"); envBinary != "" {
binary = envBinary
}
return binary
}
func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error {
fingerprint := key.Fingerprint
if offset := len(fingerprint) - 16; offset > 0 {
fingerprint = fingerprint[offset:]
}
args := []string{
"--no-default-recipient",
"--yes",
"--encrypt",
"-a",
"-r",
key.Fingerprint,
"--trusted-key",
fingerprint,
"--no-encrypt-to",
}
if key.homeDir != "" {
args = append([]string{"--homedir", key.homeDir}, args...)
}
cmd := exec.Command(gpgBinary(), args...)
var stdout, stderr bytes.Buffer
cmd.Stdin = bytes.NewReader(dataKey)
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err := cmd.Run()
if err != nil {
return err
}
key.EncryptedKey = stdout.String()
return nil
}
func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity, error) {
url := fmt.Sprintf("https://%s/pks/lookup?op=get&options=mr&search=0x%s", keyserver, fingerprint)
resp, err := http.Get(url)
if err != nil {
return openpgp.Entity{}, fmt.Errorf("error getting key from keyserver: %s", err)
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return openpgp.Entity{}, fmt.Errorf("keyserver returned non-200 status code %s", resp.Status)
}
ents, err := openpgp.ReadArmoredKeyRing(resp.Body)
if err != nil {
return openpgp.Entity{}, fmt.Errorf("could not read entities: %s", err)
}
return *ents[0], nil
}
func gpgKeyServer() string {
keyServer := "gpg.mozilla.org"
if envKeyServer := os.Getenv("SOPS_GPG_KEYSERVER"); envKeyServer != "" {
keyServer = envKeyServer
}
return keyServer
}
func (key *MasterKey) getPubKey() (openpgp.Entity, error) {
ring, err := key.pubRing()
if err == nil {
fingerprints := key.fingerprintMap(ring)
entity, ok := fingerprints[key.Fingerprint]
if ok {
return entity, nil
}
}
keyServer := gpgKeyServer()
entity, err := getKeyFromKeyServer(keyServer, key.Fingerprint)
if err != nil {
return openpgp.Entity{},
fmt.Errorf("key with fingerprint %s is not available "+
"in keyring and could not be retrieved from keyserver", key.Fingerprint)
}
return entity, nil
}
func (key *MasterKey) encryptWithCryptoOpenPGP(dataKey []byte) error {
entity, err := key.getPubKey()
if err != nil {
return err
}
encbuf := new(bytes.Buffer)
armorbuf, err := armor.Encode(encbuf, "PGP MESSAGE", nil)
if err != nil {
return err
}
plaintextbuf, err := openpgp.Encrypt(armorbuf, []*openpgp.Entity{&entity}, nil, &openpgp.FileHints{IsBinary: true}, nil)
if err != nil {
return err
}
_, err = plaintextbuf.Write(dataKey)
if err != nil {
return err
}
err = plaintextbuf.Close()
if err != nil {
return err
}
err = armorbuf.Close()
if err != nil {
return err
}
b, err := io.ReadAll(encbuf)
if err != nil {
return err
}
key.EncryptedKey = string(b)
return nil
}
// Encrypt encrypts the data key with the PGP key with the same
// fingerprint as the MasterKey. It first looks for PGP public
// keys in MasterKey.homeDir, and falls back to $GNUPGHOME/pubring.gpg.
func (key *MasterKey) Encrypt(dataKey []byte) error {
openpgpErr := key.encryptWithCryptoOpenPGP(dataKey)
if openpgpErr == nil {
return nil
}
binaryErr := key.encryptWithGPGBinary(dataKey)
if binaryErr == nil {
return nil
}
return fmt.Errorf(
`could not encrypt data key with PGP key: golang.org/x/crypto/openpgp error: %v; GPG binary error: %v`,
openpgpErr, binaryErr)
}
// EncryptIfNeeded encrypts the data key with PGP only if it's needed,
// that is, if it hasn't been encrypted already.
func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
if key.EncryptedKey == "" {
return key.Encrypt(dataKey)
}
return nil
}
func (key *MasterKey) decryptWithGPGBinary() ([]byte, error) {
args := []string{
"--use-agent",
"-d",
}
if key.homeDir != "" {
args = append([]string{"--homedir", key.homeDir}, args...)
}
cmd := exec.Command(gpgBinary(), args...)
var stdout, stderr bytes.Buffer
cmd.Stdin = strings.NewReader(key.EncryptedKey)
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err := cmd.Run()
if err != nil {
return nil, err
}
return stdout.Bytes(), nil
}
func (key *MasterKey) decryptWithCryptoOpenpgp() ([]byte, error) {
ring, err := key.secRing()
if err != nil {
return nil, fmt.Errorf("could not load secring: %s", err)
}
block, err := armor.Decode(strings.NewReader(key.EncryptedKey))
if err != nil {
return nil, fmt.Errorf("armor decoding failed: %s", err)
}
// No support for encrypted private keys
noPrompt := func(keys []openpgp.Key, symmetric bool) ([]byte, error) {
return nil, fmt.Errorf("PGP keys encrypted with a passphrase are not supported")
}
md, err := openpgp.ReadMessage(block.Body, ring, noPrompt, nil)
if err != nil {
return nil, fmt.Errorf("reading PGP message failed: %s", err)
}
if b, err := io.ReadAll(md.UnverifiedBody); err == nil {
return b, nil
}
return nil, fmt.Errorf("the key could not be decrypted with any of the PGP entries")
}
// Decrypt uses PGP to obtain the data key from the EncryptedKey store
// in the MasterKey and returns it.
func (key *MasterKey) Decrypt() ([]byte, error) {
dataKey, openpgpErr := key.decryptWithCryptoOpenpgp()
if openpgpErr == nil {
return dataKey, nil
}
dataKey, binaryErr := key.decryptWithGPGBinary()
if binaryErr == nil {
return dataKey, nil
}
return nil, fmt.Errorf(
`could not decrypt data key with PGP key: golang.org/x/crypto/openpgp error: %v; GPG binary error: %v`,
openpgpErr, binaryErr)
}
// NeedsRotation returns whether the data key needs to be rotated
// or not.
func (key *MasterKey) NeedsRotation() bool {
return time.Since(key.CreationDate).Hours() > 24*30*6
}
// ToString returns the string representation of the key, i.e. its
// fingerprint.
func (key *MasterKey) ToString() string {
return key.Fingerprint
}
func (key *MasterKey) gpgHome() string {
if key.homeDir != "" {
return key.homeDir
}
dir := os.Getenv("GNUPGHOME")
if dir == "" {
usr, err := user.Current()
if err != nil {
return path.Join(os.Getenv("HOME"), "/.gnupg")
}
return path.Join(usr.HomeDir, ".gnupg")
}
return dir
}
// NewMasterKeyFromFingerprint takes a PGP fingerprint and returns a
// new MasterKey with that fingerprint.
func NewMasterKeyFromFingerprint(fingerprint, homeDir string) *MasterKey {
return &MasterKey{
Fingerprint: strings.Replace(fingerprint, " ", "", -1),
CreationDate: time.Now().UTC(),
homeDir: homeDir,
}
}
func (key *MasterKey) loadRing(path string) (openpgp.EntityList, error) {
f, err := os.Open(path)
if err != nil {
return openpgp.EntityList{}, err
}
defer f.Close()
keyring, err := openpgp.ReadKeyRing(f)
if err != nil {
return keyring, err
}
return keyring, nil
}
func (key *MasterKey) secRing() (openpgp.EntityList, error) {
return key.loadRing(key.gpgHome() + "/secring.gpg")
}
func (key *MasterKey) pubRing() (openpgp.EntityList, error) {
return key.loadRing(key.gpgHome() + "/pubring.gpg")
}
func (key *MasterKey) fingerprintMap(ring openpgp.EntityList) map[string]openpgp.Entity {
fps := make(map[string]openpgp.Entity)
for _, entity := range ring {
fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:]))
if entity != nil {
fps[fp] = *entity
}
}
return fps
}
// ToMap converts the MasterKey into a map for serialization purposes
func (key MasterKey) ToMap() map[string]interface{} {
out := make(map[string]interface{})
out["fp"] = key.Fingerprint
out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339)
out["enc"] = key.EncryptedKey
return out
}
Reference in New Issue View Git Blame Copy Permalink