Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix mac creation, enhance error handling, add tests/coverage #15

Merged
merged 1 commit into from
Sep 26, 2024
Merged

Fix mac creation, enhance error handling, add tests/coverage #15

merged 1 commit into from
Sep 26, 2024

Conversation

tbrockmeyer-a
Copy link
Contributor

@tbrockmeyer-a tbrockmeyer-a commented Aug 7, 2024
edited
Loading

  • change Buffer to UInt8Array when using instanceof
  • fix mac creation
  • encryption modifiers
  • simplify walkAndDecrypt and decryptScalar
  • improve error output
  • Add integration tests and coverage library

Work to enable #14 for all use cases

Mac hash creation for some of the key encryption types was broken in the last update (10.2). The change from Buffer to UInt8Array in getKey prevents some false-positive errors that I was seeing. UInt8Array is a superclass of Buffer, and the Plaintext field of the KMS output was a UInt8Array for me, so the instanceof check was failing despite the duck typing being valid still. These changes should also bring the encryptionModifier implementation in line with the get-sops/sops implementation of the shouldBeEncrypted function.

In order to provide this improvement, I've also improved some of the error output for easier debugging, which also aligns the errors a bit more with the cli sops tool. I also simplified the walkAndDecrypt function, and factored out some logic from decryptScalar to make it simpler to reason about.

To assure correctness, I added some integration tests which encrypt various files using the sops cli client before trying to decrypt them using decodeFile. The tests use a variety of key encryption modes (unencrypted_suffix, encrypted_regex, etc), data structures (various data types and nesting levels), and it has support for multiple decryption methods (kms, gcp, pgp, etc) for the future if needed. I also added a coverage library but did not mark any amount of coverage as mandatory (I recommend 100% function coverage for integration tests).

With these changes, I was able to get the update_aws branch to run correctly with all tests passing.

@tbrockmeyer-a tbrockmeyer-a mentioned this pull request Aug 7, 2024
Merged
@tbrockmeyer-a
Copy link
Contributor Author

I realize now that the workflow runs npm test, but the tests I added require using an environment variable to specify a KMS key to use for the tests. I'm not sure how you want to handle that (either disable the tests in CI, or add your own KMS key to the workflow steps).

koblas
koblas approved these changes Sep 26, 2024
View reviewed changes
Copy link
Owner

@koblas koblas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I did only fall half way off the planet!

Thank you for your work and pestering me.

@koblas koblas merged commit 569fdea into koblas:update_aws Sep 26, 2024
koblas added a commit that referenced this pull request Sep 26, 2024
@koblas @tbrockmeyer-a
feat!: updated to aws sdk v3 (#14)
2149aa9 
* feat!: updated to aws sdk v3

* Fix mac creation, enhance error handling, add tests/coverage (#15)

---------

Co-authored-by: Tyler Brockmeyer <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@koblas koblas koblas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tbrockmeyer-a @koblas