age-plugin support

age/keysource.go

@@ -1,6 +1,7 @@
 package age
 
 import (
+	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
@@ -12,9 +13,11 @@
 
 	"filippo.io/age"
 	"filippo.io/age/armor"
+	"filippo.io/age/plugin"
 	"github.com/sirupsen/logrus"
 
 	"github.com/getsops/sops/v3/logging"
+	"golang.org/x/term"
 )
 
 const (
@@ -60,7 +63,7 @@
 	parsedIdentities []age.Identity
 	// parsedRecipient contains a parsed age public key.
 	// It is used to lazy-load the Recipient at-most once.
-	parsedRecipient *age.X25519Recipient
+	parsedRecipient age.Recipient
 }
 
 // MasterKeysFromRecipients takes a comma-separated list of Bech32-encoded
@@ -247,7 +250,7 @@
 // SopsAgeKeyUserConfigPath). It will load all found references, and expects
 // at least one configuration to be present.
 func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {
-	var readers = make(map[string]io.Reader, 0)
+	readers := make(map[string]io.Reader, 0)
 
 	if ageKey, ok := os.LookupEnv(SopsAgeKeyEnv); ok {
 		readers[SopsAgeKeyEnv] = strings.NewReader(ageKey)
@@ -284,7 +287,12 @@
 
 	var identities ParsedIdentities
 	for n, r := range readers {
-		ids, err := age.ParseIdentities(r)
+		buf := new(strings.Builder)
+		_, err := io.Copy(buf, r)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read '%s' age identities: %w", n, err)
+		}
+		ids, err := parseIdentities(buf.String())
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse '%s' age identities: %w", n, err)
 		}
@@ -293,14 +301,148 @@
 	return identities, nil
 }
 
+// clearLine clears the current line on the terminal, or opens a new line if
+// terminal escape codes don't work.
+func clearLine(out io.Writer) {
+	const (
+		CUI = "\033["   // Control Sequence Introducer
+		CPL = CUI + "F" // Cursor Previous Line
+		EL  = CUI + "K" // Erase in Line
+	)
+
+	// First, open a new line, which is guaranteed to work everywhere. Then, try
+	// to erase the line above with escape codes.
+	//
+	// (We use CRLF instead of LF to work around an apparent bug in WSL2's
+	// handling of CONOUT$. Only when running a Windows binary from WSL2, the
+	// cursor would not go back to the start of the line with a simple LF.
+	// Honestly, it's impressive CONIN$ and CONOUT$ work at all inside WSL2.)
+	fmt.Fprintf(out, "\r\n"+CPL+EL)
+}
+
+func withTerminal(f func(in, out *os.File) error) error {
+	if runtime.GOOS == "windows" {
+		in, err := os.OpenFile("CONIN$", os.O_RDWR, 0)
+		if err != nil {
+			return err
+		}
+		defer in.Close()
+		out, err := os.OpenFile("CONOUT$", os.O_WRONLY, 0)
+		if err != nil {
+			return err
+		}
+		defer out.Close()
+		return f(in, out)
+	} else if tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0); err == nil {
+		defer tty.Close()
+		return f(tty, tty)
+	} else if term.IsTerminal(int(os.Stdin.Fd())) {
+		return f(os.Stdin, os.Stdin)
+	} else {
+		return fmt.Errorf("standard input is not a terminal, and /dev/tty is not available: %v", err)
+	}
+}
+
+// readSecret reads a value from the terminal with no echo. The prompt is ephemeral.
+func readSecret(prompt string) (s []byte, err error) {
+	err = withTerminal(func(in, out *os.File) error {
+		fmt.Fprintf(out, "%s ", prompt)
+		defer clearLine(out)
+		s, err = term.ReadPassword(int(in.Fd()))
+		return err
+	})
+	return
+}
+
+// readCharacter reads a single character from the terminal with no echo. The
+// prompt is ephemeral.
+func readCharacter(prompt string) (c byte, err error) {
+	err = withTerminal(func(in, out *os.File) error {
+		fmt.Fprintf(out, "%s ", prompt)
+		defer clearLine(out)
+
+		oldState, err := term.MakeRaw(int(in.Fd()))
+		if err != nil {
+			return err
+		}
+		defer term.Restore(int(in.Fd()), oldState)
+
+		b := make([]byte, 1)
+		if _, err := in.Read(b); err != nil {
+			return err
+		}
+
+		c = b[0]
+		return nil
+	})
+	return
+}
+
+var pluginTerminalUI = &plugin.ClientUI{
+	DisplayMessage: func(name, message string) error {
+		log.Infof("%s plugin: %s", name, message)
+		return nil
+	},
+	RequestValue: func(name, message string, _ bool) (s string, err error) {
+		defer func() {
+			if err != nil {
+				log.Warnf("could not read value for age-plugin-%s: %v", name, err)
+			}
+		}()
+		secret, err := readSecret(message)
+		if err != nil {
+			return "", err
+		}
+		return string(secret), nil
+	},
+	Confirm: func(name, message, yes, no string) (choseYes bool, err error) {
+		defer func() {
+			if err != nil {
+				log.Warnf("could not read value for age-plugin-%s: %v", name, err)
+			}
+		}()
+		if no == "" {
+			message += fmt.Sprintf(" (press enter for %q)", yes)
+			_, err := readSecret(message)
+			if err != nil {
+				return false, err
+			}
+			return true, nil
+		}
+		message += fmt.Sprintf(" (press [1] for %q or [2] for %q)", yes, no)
+		for {
+			selection, err := readCharacter(message)
+			if err != nil {
+				return false, err
+			}
+			switch selection {
+			case '1':
+				return true, nil
+			case '2':
+				return false, nil
+			case '\x03': // CTRL-C
+				return false, errors.New("user cancelled prompt")
+			default:
+				log.Warnf("reading value for age-plugin-%s: invalid selection %q", name, selection)
+			}
+		}
+	},
+	WaitTimer: func(name string) {
+		log.Infof("waiting on %s plugin...", name)
+	},
+}
+
 // parseRecipient attempts to parse a string containing an encoded age public
 // key.
-func parseRecipient(recipient string) (*age.X25519Recipient, error) {
-	parsedRecipient, err := age.ParseX25519Recipient(recipient)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
+func parseRecipient(recipient string) (age.Recipient, error) {
+	switch {
+	case strings.HasPrefix(recipient, "age1") && strings.Count(recipient, "1") > 1:
+		return plugin.NewRecipient(recipient, pluginTerminalUI)
+	case strings.HasPrefix(recipient, "age1"):
+		return age.ParseX25519Recipient(recipient)
 	}
-	return parsedRecipient, nil
+
+	return nil, fmt.Errorf("unknown recipient type: %q", recipient)
 }
 
 // parseIdentities attempts to parse the string set of encoded age identities.
@@ -309,11 +451,51 @@
 func parseIdentities(identity ...string) (ParsedIdentities, error) {
 	var identities []age.Identity
 	for _, i := range identity {
-		parsed, err := age.ParseIdentities(strings.NewReader(i))
+		parsed, err := _parseIdentities(strings.NewReader(i))
 		if err != nil {
 			return nil, err
 		}
 		identities = append(identities, parsed...)
 	}
 	return identities, nil
 }
+
+func parseIdentity(s string) (age.Identity, error) {
+	switch {
+	case strings.HasPrefix(s, "AGE-PLUGIN-"):
+		return plugin.NewIdentity(s, pluginTerminalUI)
+	case strings.HasPrefix(s, "AGE-SECRET-KEY-1"):
+		return age.ParseX25519Identity(s)
+	default:
+		return nil, fmt.Errorf("unknown identity type")
+	}
+}
+
+// parseIdentities is like age.ParseIdentities, but supports plugin identities.
+func _parseIdentities(f io.Reader) (ParsedIdentities, error) {
+	const privateKeySizeLimit = 1 << 24 // 16 MiB
+	var ids []age.Identity
+	scanner := bufio.NewScanner(io.LimitReader(f, privateKeySizeLimit))
+	var n int
+	for scanner.Scan() {
+		n++
+		line := scanner.Text()
+		if strings.HasPrefix(line, "#") || line == "" {
+			continue
+		}
+
+		i, err := parseIdentity(line)
+		if err != nil {
+			return nil, fmt.Errorf("error at line %d: %v", n, err)
+		}
+		ids = append(ids, i)
+
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("failed to read secret keys file: %v", err)
+	}
+	if len(ids) == 0 {
+		return nil, fmt.Errorf("no secret keys found")
+	}
+	return ids, nil
+}

age/keysource_test.go

@@ -134,7 +134,7 @@ func TestMasterKey_Encrypt(t *testing.T) {
 		}
 		err := key.Encrypt([]byte(mockEncryptedKeyPlain))
 		assert.Error(t, err)
-		assert.ErrorContains(t, err, "failed to parse input as Bech32-encoded age public key")
+		assert.ErrorContains(t, err, "unknown recipient type:")
 		assert.Empty(t, key.EncryptedKey)
 	})
 

go.mod

@@ -5,7 +5,7 @@ go 1.19
 require (
 	cloud.google.com/go/kms v1.15.7
 	cloud.google.com/go/storage v1.38.0
-	filippo.io/age v1.1.1
+	filippo.io/age v1.1.2-0.20240110114017-29b68c20fc24
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0

go.sum

@@ -1,3 +1,4 @@
+c2sp.org/CCTV/age v0.0.0-20221230231406-5ea85644bd03 h1:0e2QjhWG02SgzlUOvNYaFraf04OBsUPOLxf+K+Ae/yM=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM=
 cloud.google.com/go v0.112.0/go.mod h1:3jEEVwZ/MHU4djK5t5RHuKOA/GbLddgTdVubX1qnPD4=
@@ -11,8 +12,8 @@ cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM=
 cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI=
 cloud.google.com/go/storage v1.38.0 h1:Az68ZRGlnNTpIBbLjSMIV2BDcwwXYlRlQzis0llkpJg=
 cloud.google.com/go/storage v1.38.0/go.mod h1:tlUADB0mAb9BgYls9lq+8MGkfzOXuLrnHXlpHmvFJoY=
-filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg=
-filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE=
+filippo.io/age v1.1.2-0.20240110114017-29b68c20fc24 h1:vQIe2pCVvdZjX8OtZjbJ33nBKPjTnmy0zbdJxRjhH3w=
+filippo.io/age v1.1.2-0.20240110114017-29b68c20fc24/go.mod h1:y3Zb/i2jHg/kL8xc3ocrI0Wd0Vm+VWV6DKfsKzSGUmU=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=