
Function FixAWSKMSEncryptionContextBug

cmd/sops/common/common.go:274–359  ·  view source on GitHub ↗

FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435

(opts GenericDecryptOpts, tree *sops.Tree)


273// FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435
274func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*sops.Tree, error) {
275 message := "Up until version 3.3.0 of sops there was a bug surrounding the " +
276 "use of encryption context with AWS KMS." +
277 "\nYou can read the full description of the issue here:" +
278 "\nhttps://github.com/mozilla/sops/pull/435" +
279 "\n\nIf a TTY is detected, sops will ask you if you'd like for this issue to be " +
280 "automatically fixed, which will require re-encrypting the data keys used by " +
281 "each key." +
282 "\n\nIf you are not using a TTY, sops will fix the issue for this run.\n\n"
283 fmt.Println(wordwrap.WrapString(message, 75))
284
285 persistFix := false
286
287 if term.IsTerminal(int(os.Stdout.Fd())) {
288 var response string
289 for response != "y" && response != "n" {
290 fmt.Println("Would you like sops to automatically fix this issue? (y/n): ")
291 _, err := fmt.Scanln(&response)
292 if err != nil {
293 return nil, err
294 }
295 }
296 if response == "n" {
297 return nil, fmt.Errorf("Exiting. User responded no")
298 }
299 persistFix = true
300 }
301
302 // If there is another key, then we should be able to just decrypt
303 // without having to try different variations of the encryption context.
304 dataKey, err := DecryptTree(DecryptTreeOpts{
305 Cipher: opts.Cipher,
306 IgnoreMac: opts.IgnoreMAC,
307 Tree: tree,
308 KeyServices: opts.KeyServices,
309 })
310 if err != nil {
311 dataKey = RecoverDataKeyFromBuggyKMS(opts, tree)
312 }
313
314 if dataKey == nil {
315 return nil, NewExitError(fmt.Sprintf("Failed to decrypt, meaning there is likely another problem from the encryption context bug: %s", err), codes.ErrorDecryptingTree)
316 }
317
318 errs := tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices)
319 if len(errs) > 0 {
320 err = fmt.Errorf("Could not re-encrypt data key: %s", errs)
321 return nil, err
322 }
323
324 err = EncryptTree(EncryptTreeOpts{
325 DataKey: dataKey,
326 Tree: tree,
327 Cipher: opts.Cipher,
328 })
329 if err != nil {
330 return nil, err
331 }
