MarvinImmick
diff --git a/‎README.rst‎
Lines changed: 77 additions & 6 deletions b/‎README.rst‎
Lines changed: 77 additions & 6 deletions
diff --git a/‎cmd/sops/main.go‎
Lines changed: 72 additions & 12 deletions b/‎cmd/sops/main.go‎
Lines changed: 72 additions & 12 deletions
@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **SOPS** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age, and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, T Cloud Public, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif
@@ -604,13 +604,57 @@ You can also configure HuaweiCloud KMS keys in the ``.sops.yaml`` config file:
           hckms:
             - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
 
+Encrypting using T Cloud Public KMS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The T Cloud Public (formerly OpenTelekomCloud) KMS integration uses the
+`AuthenticatedClient function <https://github.com/opentelekomcloud/gophertelekomcloud/openstack/client.go>`_
+which expects the environment variables ``OS_ACCESS_KEY``, ``OS_SECRET_KEY``, ``OS_AUTH_URL`` to be set:
+
+.. code:: bash
+
+    export OS_ACCESS_KEY="your-access-key"
+    export OS_SECRET_KEY="your-secret-key"
+    export OS_AUTH_URL="https://iam.eu-de.otc.t-systems.com/v3"
+
+Encrypting/decrypting with T Cloud Public KMS requires a KMS key ID. You can get the key ID from the T Cloud Public console or using
+the T Cloud Public API.
+
+Now you can encrypt a file using:
+
+.. code:: sh
+
+    $ sops encrypt --tcloudkms tr-west-1:ghi12345-6789-0123-4567-890123456789 test.yaml > test.enc.yaml
+
+Or using the environment variable:
+
+.. code:: sh
+
+    $ export SOPS_TCLOUD_KMS_IDS="ghi12345-6789-0123-4567-890123456789"
+    $ sops encrypt test.yaml > test.enc.yaml
+
+And decrypt it using:
+
+.. code:: sh
+
+    $ sops decrypt test.enc.yaml
+
+You can also configure T Cloud Public KMS keys in the ``.sops.yaml`` config file:
+
+.. code:: yaml
+
+    creation_rules:
+        - path_regex: \.tcloudkms\.yaml$
+          tcloudkms:
+            - ghi12345-6789-0123-4567-890123456789,jkl67890-1234-5678-9012-345678901234
+
 Adding and removing keys
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the
-command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` or ``--azure-kv``, or from
+command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms``, ``--azure-kv`` or ``--tcloudkms``, or from
 the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``,
-``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
+``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``, ``SOPS_TCLOUD_KMS_IDS``. That information is stored in the file under the
 ``sops`` section, such that decrypting files does not require providing those
 parameters again.
 
@@ -654,9 +698,9 @@ disabled by supplying the ``-y`` flag.
 
 The ``rotate`` command generates a new data encryption key and reencrypt all values
 with the new key. At the same time, the command line flag ``--add-kms``, ``--add-pgp``,
-``--add-gcp-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
-``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
-the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` and ``--azure-kv``
+``--add-gcp-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--add-tcloudkms``, --rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
+``--rm-hckms``, ``--rm-azure-kv`` and ``--rm-tcloudkms`` can be used to add and remove keys from a file. These flags use
+the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms``, ``--azure-kv`` and ``--tcloudkms``
 arguments when creating new files.
 
 Use ``updatekeys`` if you want to add a key without rotating the data key.
@@ -878,6 +922,10 @@ can manage the three sets of configurations for the three types of files:
         - path_regex: \.hckms\.yaml$
           hckms: tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
 
+        # tcloudkms files using T Cloud Public KMS
+        - path_regex: \.tcloudkms\.yaml$
+          tcloudkms: ghi12345-6789-0123-4567-890123456789,jkl67890-1234-5678-9012-345678901234
+
         # Finally, if the rules above have not matched, this one is a
         # catchall that will encrypt the file using KMS set C as well as PGP
         # The absence of a path_regex means it will match everything
@@ -1883,6 +1931,16 @@ To directly specify a single key group, you can use the following keys:
           - tr-west-1:abc12345-6789-0123-4567-890123456789
           - tr-west-1:def67890-1234-5678-9012-345678901234
 
+* ``tcloudkms`` (list of strings): list of T Cloud Public KMS key IDs (format: ``<key-uuid>``).
+  Example:
+
+  .. code:: yaml
+
+    creation_rules:
+      - tcloudkms:
+          - ghi12345-6789-0123-4567-890123456789
+          - jkl67890-1234-5678-9012-345678901234
+
 To specify a list of key groups, you can use the following key:
 
 * ``key_groups`` (list of key group objects): a list of key group objects.
@@ -1912,6 +1970,8 @@ To specify a list of key groups, you can use the following key:
               - http://my.vault/v1/sops/keys/secondkey
             hckms:
               - tr-west-1:abc12345-6789-0123-4567-890123456789
+            tcloudkms:
+              - ghi12345-6789-0123-4567-890123456789
 
             merge:
               - pgp:
@@ -2000,6 +2060,17 @@ A key group supports the following keys:
 
     - key_id: tr-west-1:abc12345-6789-0123-4567-890123456789
 
+* ``tcloudkms`` (list of objects): list of T Cloud Public KMS key IDs.
+  Every object must have the following key:
+
+  * ``key_id`` (string): the key ID in format ``<key-uuid>``.
+
+  Example:
+
+  .. code:: yaml
+
+    - key_id: ghi12345-6789-0123-4567-890123456789
+
 * ``age`` (list of strings): list of Age public keys.
 
 * ``pgp`` (list of strings): list of PGP/GPG key fingerprints.
 
@@ -44,6 +44,7 @@ import (
 	"github.com/getsops/sops/v3/stores"
 	"github.com/getsops/sops/v3/stores/dotenv"
 	"github.com/getsops/sops/v3/stores/json"
+	"github.com/getsops/sops/v3/tcloudkms"
 	"github.com/getsops/sops/v3/version"
 )
 
@@ -91,13 +92,13 @@ func main() {
 		},
 	}
 	app.Name = "sops"
-	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, HuaweiCloud KMS, Azure Key Vault, age, and GPG support"
+	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, HuaweiCloud KMS, T Cloud Public KMS, Azure Key Vault, age, and GPG support"
 	app.ArgsUsage = "sops [options] file"
 	app.Version = version.Version
 	app.Authors = []cli.Author{
 		{Name: "CNCF Maintainers"},
 	}
-	app.UsageText = `sops is an editor of encrypted files that supports AWS KMS, GCP, HuaweiCloud KMS, AZKV,
+	app.UsageText = `sops is an editor of encrypted files that supports AWS KMS, GCP, HuaweiCloud KMS, T Cloud Public KMS, AZKV,
 	PGP, and Age
 
    To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
@@ -117,6 +118,12 @@ func main() {
     HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID, or
     use credentials file at ~/.huaweicloud/credentials)
 
+   To encrypt or decrypt a document with T Cloud Public KMS, specify the
+   T Cloud Public KMS key ID (format: key-uuid) in the --tcloudkms flag or in the
+   OS_KMS_IDS environment variable.
+   (You need to setup T Cloud Public credentials via environment variables:
+    OS_ACCESS_KEY, OS_SECRET_KEY, OS_AUTH_URL)
+
    To encrypt or decrypt a document with HashiCorp Vault's Transit Secret
    Engine, specify the Vault key URI name in the --hc-vault-transit flag
    or in the SOPS_VAULT_URIS environment variable (for example
@@ -180,7 +187,8 @@ func main() {
 						fmt.Fprint(c.App.Writer, GenZshCompletion(app.Name))
 						return nil
 					},
-				}},
+				},
+			},
 		},
 		{
 			Name:      "exec-env",
@@ -582,6 +590,10 @@ func main() {
 							Name:  "hckms",
 							Usage: "the HuaweiCloud KMS key ID (format: region:key-uuid) the new group should contain. Can be specified more than once",
 						},
+						cli.StringSliceFlag{
+							Name:  "tcloudkms",
+							Usage: "the T Cloud Public KMS key ID (format: key-uuid) the new group should contain. Can be specified more than once",
+						},
 						cli.StringSliceFlag{
 							Name:  "azure-kv",
 							Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once",
@@ -950,6 +962,11 @@ func main() {
 					Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 					EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 				},
+				cli.StringFlag{
+					Name:   "tcloudkms",
+					Usage:  "comma separated list of T Cloud Public KMS key IDs (format: key-uuid)",
+					EnvVar: "SOPS_TCLOUD_KMS_IDS",
+				},
 				cli.StringFlag{
 					Name:   "azure-kv",
 					Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1068,7 +1085,6 @@ func main() {
 					KeyServices:   svcs,
 					encryptConfig: encConfig,
 				})
-
 				if err != nil {
 					return toExitError(err)
 				}
@@ -1143,6 +1159,14 @@ func main() {
 					Name:  "rm-hckms",
 					Usage: "remove the provided comma-separated list of HuaweiCloud KMS key IDs (format: region:key-uuid) from the list of master keys on the given file",
 				},
+				cli.StringFlag{
+					Name:  "add-tcloudkms",
+					Usage: "add the provided comma-separated list of T Cloud Public KMS key IDs (format: key-uuid) to the list of master keys on the given file",
+				},
+				cli.StringFlag{
+					Name:  "rm-tcloudkms",
+					Usage: "remove the provided comma-separated list of T Cloud Public KMS key IDs (format: key-uuid) from the list of master keys on the given file",
+				},
 				cli.StringFlag{
 					Name:  "add-azure-kv",
 					Usage: "add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file",
@@ -1209,8 +1233,8 @@ func main() {
 					return toExitError(err)
 				}
 				if _, err := os.Stat(fileName); os.IsNotExist(err) {
-					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
-						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
+					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-tcloudkms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
+						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-tcloudkms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
 						return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use the `edit` subcommand instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
 					}
 				}
@@ -1301,6 +1325,11 @@ func main() {
 					Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 					EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 				},
+				cli.StringFlag{
+					Name:   "tcloudkms",
+					Usage:  "comma separated list of T Cloud Public KMS key IDs (format: key-uuid)",
+					EnvVar: "SOPS_TCLOUD_KMS_IDS",
+				},
 				cli.StringFlag{
 					Name:   "azure-kv",
 					Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1714,6 +1743,11 @@ func main() {
 			Usage:  "comma separated list of HuaweiCloud KMS key IDs (format: region:key-uuid)",
 			EnvVar: "SOPS_HUAWEICLOUD_KMS_IDS",
 		},
+		cli.StringFlag{
+			Name:   "tcloudkms",
+			Usage:  "comma separated list of T Cloud Public KMS key IDs (format: key-uuid)",
+			EnvVar: "SOPS_TCLOUD_KMS_IDS",
+		},
 		cli.StringFlag{
 			Name:   "azure-kv",
 			Usage:  "comma separated list of Azure Key Vault URLs",
@@ -1770,6 +1804,14 @@ func main() {
 			Name:  "rm-hckms",
 			Usage: "remove the provided comma-separated list of HuaweiCloud KMS key IDs (format: region:key-uuid) from the list of master keys on the given file",
 		},
+		cli.StringFlag{
+			Name:  "add-tcloudkms",
+			Usage: "add the provided comma-separated list of T Cloud Public KMS key IDs (format: key-uuid) to the list of master keys on the given file",
+		},
+		cli.StringFlag{
+			Name:  "rm-tcloudkms",
+			Usage: "remove the provided comma-separated list of T Cloud Public KMS key IDs (format: key-uuid) from the list of master keys on the given file",
+		},
 		cli.StringFlag{
 			Name:  "add-azure-kv",
 			Usage: "add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file",
@@ -1904,8 +1946,8 @@ func main() {
 			return toExitError(err)
 		}
 		if _, err := os.Stat(fileName); os.IsNotExist(err) {
-			if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
-				c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
+			if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-tcloudkms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
+				c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-tcloudkms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
 				return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use `--kms` and `--pgp` instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
 			}
 			if isEncryptMode || isDecryptMode || isRotateMode {
@@ -2235,7 +2277,7 @@ func getEncryptConfig(c *cli.Context, fileName string, inputStore common.Store,
 	}, nil
 }
 
-func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
+func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, tcloudkmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
 	var masterKeys []keys.MasterKey
 	for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
 		masterKeys = append(masterKeys, k)
@@ -2253,6 +2295,13 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO
 	for _, k := range hckmsKeys {
 		masterKeys = append(masterKeys, k)
 	}
+	tcloudkmsKeys, err := tcloudkms.NewMasterKeysFromKeyIDString(c.String(tcloudkmsOptionName))
+	if err != nil {
+		return nil, err
+	}
+	for _, k := range tcloudkmsKeys {
+		masterKeys = append(masterKeys, k)
+	}
 	azureKeys, err := azkv.MasterKeysFromURLs(c.String(azureKvOptionName))
 	if err != nil {
 		return nil, err
@@ -2279,11 +2328,11 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO
 
 func getRotateOpts(c *cli.Context, fileName string, inputStore common.Store, outputStore common.Store, svcs []keyservice.KeyServiceClient, decryptionOrder []string) (rotateOpts, error) {
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
-	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-azure-kv", "add-hc-vault-transit", "add-age")
+	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-tcloudkms", "add-azure-kv", "add-hc-vault-transit", "add-age")
 	if err != nil {
 		return rotateOpts{}, err
 	}
-	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age")
+	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-tcloudkms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age")
 	if err != nil {
 		return rotateOpts{}, err
 	}
@@ -2432,6 +2481,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	var azkvKeys []keys.MasterKey
 	var hcVaultMkKeys []keys.MasterKey
 	var hckmsMkKeys []keys.MasterKey
+	var tcloudkmsMkKeys []keys.MasterKey
 	var ageMasterKeys []keys.MasterKey
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
 	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
@@ -2456,6 +2506,15 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 			hckmsMkKeys = append(hckmsMkKeys, k)
 		}
 	}
+	if c.String("tcloudkms") != "" {
+		tcloudkmsKeys, err := tcloudkms.NewMasterKeysFromKeyIDString(c.String("tcloudkms"))
+		if err != nil {
+			return nil, err
+		}
+		for _, k := range tcloudkmsKeys {
+			tcloudkmsMkKeys = append(tcloudkmsMkKeys, k)
+		}
+	}
 	if c.String("azure-kv") != "" {
 		azureKeys, err := azkv.MasterKeysFromURLs(c.String("azure-kv"))
 		if err != nil {
@@ -2488,7 +2547,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 			ageMasterKeys = append(ageMasterKeys, k)
 		}
 	}
-	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
+	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("tcloudkms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
 		conf := optionalConfig
 		var err error
 		if conf == nil {
@@ -2508,6 +2567,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	group = append(group, kmsKeys...)
 	group = append(group, cloudKmsKeys...)
 	group = append(group, hckmsMkKeys...)
+	group = append(group, tcloudkmsMkKeys...)
 	group = append(group, azkvKeys...)
 	group = append(group, pgpKeys...)
 	group = append(group, hcVaultMkKeys...)