FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435
(opts GenericDecryptOpts, tree *sops.Tree)
| 272 | |
| 273 | // FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435 |
| 274 | func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*sops.Tree, error) { |
| 275 | message := "Up until version 3.3.0 of sops there was a bug surrounding the " + |
| 276 | "use of encryption context with AWS KMS." + |
| 277 | "\nYou can read the full description of the issue here:" + |
| 278 | "\nhttps://github.com/mozilla/sops/pull/435" + |
| 279 | "\n\nIf a TTY is detected, sops will ask you if you'd like for this issue to be " + |
| 280 | "automatically fixed, which will require re-encrypting the data keys used by " + |
| 281 | "each key." + |
| 282 | "\n\nIf you are not using a TTY, sops will fix the issue for this run.\n\n" |
| 283 | fmt.Println(wordwrap.WrapString(message, 75)) |
| 284 | |
| 285 | persistFix := false |
| 286 | |
| 287 | if term.IsTerminal(int(os.Stdout.Fd())) { |
| 288 | var response string |
| 289 | for response != "y" && response != "n" { |
| 290 | fmt.Println("Would you like sops to automatically fix this issue? (y/n): ") |
| 291 | _, err := fmt.Scanln(&response) |
| 292 | if err != nil { |
| 293 | return nil, err |
| 294 | } |
| 295 | } |
| 296 | if response == "n" { |
| 297 | return nil, fmt.Errorf("Exiting. User responded no") |
| 298 | } |
| 299 | persistFix = true |
| 300 | } |
| 301 | |
| 302 | // If there is another key, then we should be able to just decrypt |
| 303 | // without having to try different variations of the encryption context. |
| 304 | dataKey, err := DecryptTree(DecryptTreeOpts{ |
| 305 | Cipher: opts.Cipher, |
| 306 | IgnoreMac: opts.IgnoreMAC, |
| 307 | Tree: tree, |
| 308 | KeyServices: opts.KeyServices, |
| 309 | }) |
| 310 | if err != nil { |
| 311 | dataKey = RecoverDataKeyFromBuggyKMS(opts, tree) |
| 312 | } |
| 313 | |
| 314 | if dataKey == nil { |
| 315 | return nil, NewExitError(fmt.Sprintf("Failed to decrypt, meaning there is likely another problem from the encryption context bug: %s", err), codes.ErrorDecryptingTree) |
| 316 | } |
| 317 | |
| 318 | errs := tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices) |
| 319 | if len(errs) > 0 { |
| 320 | err = fmt.Errorf("Could not re-encrypt data key: %s", errs) |
| 321 | return nil, err |
| 322 | } |
| 323 | |
| 324 | err = EncryptTree(EncryptTreeOpts{ |
| 325 | DataKey: dataKey, |
| 326 | Tree: tree, |
| 327 | Cipher: opts.Cipher, |
| 328 | }) |
| 329 | if err != nil { |
| 330 | return nil, err |
| 331 | } |