getsops#661 & getsops#662

Author: Kamahl19

README.rst

@@ -967,6 +967,7 @@ This command requires a ``.sops.yaml`` configuration file. Below is an example:
       - vault_path: "sops/"
         vault_kv_mount_name: "secret/" # default
         vault_kv_version: 2 # default
+        vault_path_omit_filename: false # default
         path_regex: vault/*
 
 The above configuration will place all files under ``s3/*`` into the S3 bucket ``sops-secrets``,
@@ -982,14 +983,15 @@ Publishing to Vault
 
 There are a few settings for Vault that you can place in your destination rules. The first
 is ``vault_path``, which is required. The others are optional, and they are
-``vault_address``, ``vault_kv_mount_name``, ``vault_kv_version``.
+``vault_address``, ``vault_kv_mount_name``, ``vault_kv_version``, ``vault_path_omit_filename``.
 
 ``sops`` uses the official Vault API provided by Hashicorp, which makes use of `environment
 variables <https://www.vaultproject.io/docs/commands/#environment-variables>`_ for
 configuring the client.
 
 ``vault_kv_mount_name`` is used if your Vault KV is mounted somewhere other than ``secret/``.
 ``vault_kv_version`` supports ``1`` and ``2``, with ``2`` being the default.
+``vault_path_omit_filename`` set to ``true`` to omit filename from Vault path. ``false`` by default.
 
 Below is an example of publishing to Vault (using token auth with a local dev instance of Vault).
 

config/config.go

@@ -90,16 +90,17 @@ type azureKVKey struct {
 }
 
 type destinationRule struct {
-	PathRegex        string       `yaml:"path_regex"`
-	S3Bucket         string       `yaml:"s3_bucket"`
-	S3Prefix         string       `yaml:"s3_prefix"`
-	GCSBucket        string       `yaml:"gcs_bucket"`
-	GCSPrefix        string       `yaml:"gcs_prefix"`
-	VaultPath        string       `yaml:"vault_path"`
-	VaultAddress     string       `yaml:"vault_address"`
-	VaultKVMountName string       `yaml:"vault_kv_mount_name"`
-	VaultKVVersion   int          `yaml:"vault_kv_version"`
-	RecreationRule   creationRule `yaml:"recreation_rule,omitempty"`
+	PathRegex             string       `yaml:"path_regex"`
+	S3Bucket              string       `yaml:"s3_bucket"`
+	S3Prefix              string       `yaml:"s3_prefix"`
+	GCSBucket             string       `yaml:"gcs_bucket"`
+	GCSPrefix             string       `yaml:"gcs_prefix"`
+	VaultPath             string       `yaml:"vault_path"`
+	VaultAddress          string       `yaml:"vault_address"`
+	VaultKVMountName      string       `yaml:"vault_kv_mount_name"`
+	VaultKVVersion        int          `yaml:"vault_kv_version"`
+	VaultPathOmitFilename bool         `yaml:"vault_path_omit_filename"`
+	RecreationRule        creationRule `yaml:"recreation_rule,omitempty"`
 }
 
 type creationRule struct {
@@ -257,7 +258,7 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 			dest = publish.NewGCSDestination(dRule.GCSBucket, dRule.GCSPrefix)
 		}
 		if dRule.VaultPath != "" {
-			dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion)
+			dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion, dRule.VaultPathOmitFilename)
 		}
 	}
 
@@ -271,6 +272,11 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 }
 
 func parseCreationRuleForFile(conf *configFile, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) {
+	// If config file doesn't contain CreationRules (it's empty or only contains DestionationRules), assume it does not exist
+	if conf.CreationRules == nil {
+		return nil, nil
+	}
+
 	var rule *creationRule
 
 	for _, r := range conf.CreationRules {

config/config_test.go

@@ -139,8 +139,25 @@ creation_rules:
     encrypted_suffix: _enc
     `)
 
-var sampleInvalidConfig = []byte(`
+var sampleConfigWithNoMatchingRules = []byte(`
 creation_rules:
+  - path_regex: notexisting
+    pgp: bar
+`)
+
+var sampleEmptyConfig = []byte(``)
+
+var sampleConfigWithEmptyCreationRules = []byte(`
+creation_rules:
+`)
+
+var sampleConfigWithOnlyDestinationRules = []byte(`
+destination_rules:
+  - path_regex: ""
+    s3_bucket: "foobar"
+    s3_prefix: "test/"
+    recreation_rule:
+      pgp: newpgp
 `)
 
 var sampleConfigWithDestinationRule = []byte(`
@@ -178,6 +195,9 @@ destination_rules:
     vault_kv_mount_name: "kv/"
     vault_kv_version: 1
     path_regex: "vault-v1/*"
+  - vault_path: "omit/"
+    vault_path_omit_filename: true
+    path_regex: "vault-omit-filename/*"
 `)
 
 func parseConfigFile(confBytes []byte, t *testing.T) *configFile {
@@ -248,11 +268,29 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 	assert.Equal(t, expected, conf)
 }
 
-func TestLoadInvalidConfigFile(t *testing.T) {
-	_, err := parseCreationRuleForFile(parseConfigFile(sampleInvalidConfig, t), "foobar2000", nil)
+func TestLoadConfigFileWithNoMatchingRules(t *testing.T) {
+	_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithNoMatchingRules, t), "foobar2000", nil)
 	assert.NotNil(t, err)
 }
 
+func TestLoadEmptyConfigFile(t *testing.T) {
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "foobar2000", nil)
+	assert.Nil(t, conf)
+	assert.Nil(t, err)
+}
+
+func TestLoadConfigFileWithEmptyCreationRules(t *testing.T) {
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEmptyCreationRules, t), "foobar2000", nil)
+	assert.Nil(t, conf)
+	assert.Nil(t, err)
+}
+
+func TestLoadConfigFileWithOnlyDestinationRules(t *testing.T) {
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithOnlyDestinationRules, t), "foobar2000", nil)
+	assert.Nil(t, conf)
+	assert.Nil(t, err)
+}
+
 func TestKeyGroupsForFile(t *testing.T) {
 	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "foobar2000", nil)
 	assert.Nil(t, err)
@@ -328,4 +366,8 @@ func TestLoadConfigFileWithVaultDestinationRules(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, conf.Destination)
 	assert.Equal(t, "http://127.0.0.1:8200/v1/kv/barfoo/barfoo", conf.Destination.Path("barfoo"))
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithVaultDestinationRules, t), "vault-omit-filename/barfoo", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "http://127.0.0.1:8200/v1/secret/data/omit/", conf.Destination.Path("omit"))
 }

publish/vault.go

@@ -8,13 +8,14 @@ import (
 )
 
 type VaultDestination struct {
-	vaultAddress string
-	vaultPath    string
-	kvMountName  string
-	kvVersion    int
+	vaultAddress          string
+	vaultPath             string
+	kvMountName           string
+	kvVersion             int
+	vaultPathOmitFilename bool
 }
 
-func NewVaultDestination(vaultAddress, vaultPath, kvMountName string, kvVersion int) *VaultDestination {
+func NewVaultDestination(vaultAddress, vaultPath, kvMountName string, kvVersion int, vaultPathOmitFilename bool) *VaultDestination {
 	if !strings.HasSuffix(vaultPath, "/") {
 		vaultPath = vaultPath + "/"
 	}
@@ -27,7 +28,7 @@ func NewVaultDestination(vaultAddress, vaultPath, kvMountName string, kvVersion
 	if kvVersion != 1 && kvVersion != 2 {
 		kvVersion = 2
 	}
-	return &VaultDestination{vaultAddress, vaultPath, kvMountName, kvVersion}
+	return &VaultDestination{vaultAddress, vaultPath, kvMountName, kvVersion, vaultPathOmitFilename}
 }
 
 func (vaultd *VaultDestination) getAddress() string {
@@ -42,6 +43,9 @@ func (vaultd *VaultDestination) Path(fileName string) string {
 }
 
 func (vaultd *VaultDestination) secretsPath(fileName string) string {
+	if vaultd.vaultPathOmitFilename {
+		fileName = ""
+	}
 	if vaultd.kvVersion == 1 {
 		return fmt.Sprintf("%s%s%s", vaultd.kvMountName, vaultd.vaultPath, fileName)
 	}