ocikms: Oracle Cloud KMS support

.gitignore

@@ -1,5 +1,6 @@
 bin/
 dist/
 functional-tests/sops
+functional-tests/target
 vendor/
 profile.out

README.rst

@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **SOPS** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age, and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, Oracle Cloud KMS, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif

cmd/sops/main.go

@@ -40,6 +40,7 @@ import (
 	"github.com/getsops/sops/v3/keyservice"
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/logging"
+	"github.com/getsops/sops/v3/ocikms"
 	"github.com/getsops/sops/v3/pgp"
 	"github.com/getsops/sops/v3/stores"
 	"github.com/getsops/sops/v3/stores/dotenv"
@@ -1209,8 +1210,8 @@ func main() {
 					return toExitError(err)
 				}
 				if _, err := os.Stat(fileName); os.IsNotExist(err) {
-					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
-						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
+					if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hckms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || c.String("add-oci-kms") != "" ||
+						c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hckms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" || c.String("rm-oci-kms") != "" {
 						return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use the `edit` subcommand instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
 					}
 				}
@@ -1734,6 +1735,11 @@ func main() {
 			Usage:  "comma separated list of age recipients",
 			EnvVar: "SOPS_AGE_RECIPIENTS",
 		},
+		cli.StringFlag{
+			Name:   "oci-kms",
+			Usage:  "comma separated list of OCI KMS OCIDs",
+			EnvVar: "SOPS_OCI_KMS_OCIDS",
+		},
 		cli.BoolFlag{
 			Name:  "in-place, i",
 			Usage: "write output back to the same file instead of stdout",
@@ -1802,6 +1808,14 @@ func main() {
 			Name:  "rm-age",
 			Usage: "remove the provided comma-separated list of age recipients from the list of master keys on the given file",
 		},
+		cli.StringFlag{
+			Name:  "add-oci-kms",
+			Usage: "add the provided comma-separated list of OCI KMS keys OCIDs to the list of master keys on the given file",
+		},
+		cli.StringFlag{
+			Name:  "rm-oci-kms",
+			Usage: "remove the provided comma-separated list of OCI KMS keys OCIDs from the list of master keys on the given file",
+		},
 		cli.StringFlag{
 			Name:  "add-pgp",
 			Usage: "add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file",
@@ -2235,7 +2249,7 @@ func getEncryptConfig(c *cli.Context, fileName string, inputStore common.Store,
 	}, nil
 }
 
-func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
+func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, hckmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string, ociOptionName string) ([]keys.MasterKey, error) {
 	var masterKeys []keys.MasterKey
 	for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
 		masterKeys = append(masterKeys, k)
@@ -2274,16 +2288,19 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO
 	for _, k := range ageKeys {
 		masterKeys = append(masterKeys, k)
 	}
+	for _, k := range ocikms.MasterKeysFromOCIDString(c.String(ociOptionName)) {
+		masterKeys = append(masterKeys, k)
+	}
 	return masterKeys, nil
 }
 
 func getRotateOpts(c *cli.Context, fileName string, inputStore common.Store, outputStore common.Store, svcs []keyservice.KeyServiceClient, decryptionOrder []string) (rotateOpts, error) {
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
-	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-azure-kv", "add-hc-vault-transit", "add-age")
+	addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-hckms", "add-azure-kv", "add-hc-vault-transit", "add-age", "add-oci-kms")
 	if err != nil {
 		return rotateOpts{}, err
 	}
-	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age")
+	rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-hckms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age", "rm-oci-kms")
 	if err != nil {
 		return rotateOpts{}, err
 	}
@@ -2433,6 +2450,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	var hcVaultMkKeys []keys.MasterKey
 	var hckmsMkKeys []keys.MasterKey
 	var ageMasterKeys []keys.MasterKey
+	var ociMasterKeys []keys.MasterKey
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
 	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
 		return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
@@ -2488,7 +2506,12 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 			ageMasterKeys = append(ageMasterKeys, k)
 		}
 	}
-	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
+	if c.String("oci-kms") != "" {
+		for _, k := range ocikms.MasterKeysFromOCIDString(c.String("oci-kms")) {
+			ociMasterKeys = append(ociMasterKeys, k)
+		}
+	}
+	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("hckms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" && c.String("oci-kms") == "" {
 		conf := optionalConfig
 		var err error
 		if conf == nil {
@@ -2512,6 +2535,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so
 	group = append(group, pgpKeys...)
 	group = append(group, hcVaultMkKeys...)
 	group = append(group, ageMasterKeys...)
+	group = append(group, ociMasterKeys...)
 	log.Debugf("Master keys available:  %+v", group)
 	return []sops.KeyGroup{group}, nil
 }

config/config.go

@@ -18,6 +18,7 @@ import (
 	"github.com/getsops/sops/v3/hckms"
 	"github.com/getsops/sops/v3/hcvault"
 	"github.com/getsops/sops/v3/kms"
+	"github.com/getsops/sops/v3/ocikms"
 	"github.com/getsops/sops/v3/pgp"
 	"github.com/getsops/sops/v3/publish"
 	"go.yaml.in/yaml/v3"
@@ -137,6 +138,7 @@ type keyGroup struct {
 	AzureKV []azureKVKey `yaml:"azure_keyvault"`
 	Vault   []string     `yaml:"hc_vault"`
 	Age     []string     `yaml:"age"`
+	OCIKMS  []string     `yaml:"oci_kms"`
 	PGP     []string     `yaml:"pgp"`
 }
 
@@ -179,6 +181,7 @@ type creationRule struct {
 	PathRegex               string      `yaml:"path_regex"`
 	KMS                     interface{} `yaml:"kms"` // string or []string
 	AwsProfile              string      `yaml:"aws_profile"`
+	OCIKMS                  string      `yaml:"oci_kms"`
 	Age                     interface{} `yaml:"age"`     // string or []string
 	PGP                     interface{} `yaml:"pgp"`     // string or []string
 	GCPKMS                  interface{} `yaml:"gcp_kms"` // string or []string
@@ -327,6 +330,9 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 			keyGroup = append(keyGroup, key)
 		}
 	}
+	for _, k := range group.OCIKMS {
+		keyGroup = append(keyGroup, ocikms.NewMasterKeyFromOCID(k))
+	}
 	for _, k := range group.PGP {
 		keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 	}
@@ -376,6 +382,9 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 			if err != nil {
 				return nil, err
 			}
+			for _, k := range group.OCIKMS {
+				keyGroup = append(keyGroup, ocikms.NewMasterKeyFromOCID(k))
+			}
 			groups = append(groups, keyGroup)
 		}
 	} else {
@@ -423,6 +432,9 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 		for _, k := range hckmsMasterKeys {
 			keyGroup = append(keyGroup, k)
 		}
+		for _, k := range ocikms.MasterKeysFromOCIDString(cRule.OCIKMS) {
+			keyGroup = append(keyGroup, k)
+		}
 		azKeys, err := getKeysWithValidation(cRule.GetAzureKeyVaultKeys, "azure_keyvault")
 		if err != nil {
 			return nil, err

go.mod

@@ -30,6 +30,8 @@ require (
 	github.com/lib/pq v1.12.3
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-wordwrap v1.0.1
+	github.com/ontariosystems/oci-cli-env-provider v0.1.0
+	github.com/oracle/oci-go-sdk/v65 v65.101.0
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.4
@@ -102,6 +104,7 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -135,11 +138,13 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	go.mongodb.org/mongo-driver v1.17.9 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.43.0 // indirect