getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

ini: Encode duplicate sections #1340

Open r10r opened 9 months ago

r10r commented 9 months ago

It would be nice to encode sections with the same name in INI style config files. Duplicate sections should not be dropped from the encoded output, because some programs, namely wg from the wireguard-tools rely on this.

From https://www.man7.org/linux/man-pages/man8/wg.8.html

The configuration file format is based on INI. There are two top level sections -- Interface and Peer. Multiple Peer sections may be specified, but only one Interface section may be specified.

Example

Trying to encode a wg-quick configuration file fails because only a single [Peer] section is returned in the output encoded with sops -e.

input file test.ini

[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
SaveConfig = true
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

The following age key is used for encryption.

# created: 2023-11-03T18:50:59+01:00
# public key: age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
AGE-SECRET-KEY-1EYF85KESJDNUNDCVQXDGMC8NCEXYZS92HW5842VSG30L4JLPZVQQ36P0JH
export SOPS_AGE_RECIPIENTS=age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
sops -e --encrypted-regex PrivateKey test.ini 

encrypted output

[Interface]
Address    = 10.10.0.1/16
SaveConfig = true
PrivateKey = ENC[AES256_GCM,data:8HAoZSPkV11O8LgIBPNrOyRnSGLTfQg98qiqp8kIk2rb1aClftDqhNajW1E=,iv:2Ki3gTHuHFNyQR8mRppeWErdlKxw1uEW7J493uhYLTc=,tag:YqhfjQvxEr7w6cF3dTvYHQ==,type:str]
ListenPort = 51820

[Peer]
PublicKey  = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

[sops]
version                    = 3.8.1
mac                        = ENC[AES256_GCM,data:8YauGBM28AD6cQJOSRLZrSVSMsfvnHJNkSvUfXvajI/ezW9Tu8jlGljRp+cBziSywBEhBj5pfOOsAOMUHImwa1by4vs+hljD0k1h12oocygMYz7gitAlTplUiDaYos/KkvCldLuPJRdQIuFMtJXUMbULM58G6pGJJowJoNKcuwE=,iv:QydnAZrherzVr1XJl4dISjc/CHx0cO6XvuYBEb/oU9E=,tag:EG8lKXZ64lgn/TBSYBdpUg==,type:str]
encrypted_regex            = PrivateKey
lastmodified               = 2023-11-03T17:52:07Z
age__list_0__map_recipient = age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
age__list_0__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRHIvc3M5SDZTNlBibG9z\nMTJPd1JHQk1EUVgzTGlCTnRFMk1uL0d4NUh3CmxhUG1ua1kzWHdSZngrdnkwbC9k\nZjhLQXBsaytrUlVkL1pUWHFVRHUzb2MKLS0tIHBZaWlhUkxlNjNIZnhqb1dKakZk\naEMyY1RYVS95ME9VSGpTaW1BTWhFS2cKzbZOnpYxeRRhZ3UgOpNX0FbMV4JUnlCk\nvkeXSMq4E5DcliVJDCRHK+xsV2Rg9cK8SdcdmR1Of+V735mDIH97XQ==\n-----END AGE ENCRYPTED FILE-----\n

Only the first [Peer] section is included in the encrypted output file.
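The loss described in this report is what happens when an INI document is held in a mapping keyed by section name (and, within a section, by key): the repeated [Peer] sections and the repeated Address keys collapse into one entry, and the encrypted file silently contains fewer peers and addresses than the plaintext. The following added example (not sops's code; the function names are hypothetical and the sample config is constructed, with placeholder keys instead of real key material) parses INI into an ordered list of sections so duplicates survive, applies a regex-selected transformation to matching values the way --encrypted-regex selects keys, and contrasts that with Python's stdlib configparser, which merges the duplicate sections. The ENC[...] marker is a stand-in for the transformation step, not encryption.

```python
import configparser
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample in the wg-quick style used in the report. The key values
# are obvious placeholders, not real WireGuard keys.
SAMPLE_INI = """\
[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
SaveConfig = true
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = PEER_ONE_PUBLIC_KEY
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = PEER_TWO_PUBLIC_KEY
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = PEER_THREE_PUBLIC_KEY
AllowedIPs = 10.10.10.230/32
"""

# A section is (name, ordered list of (key, value)); a list of sections keeps
# every repeated section and repeated key in document order.
Section = Tuple[str, List[Tuple[str, str]]]


def parse_ini_preserving_duplicates(text: str) -> List[Section]:
    """Parse INI text without collapsing duplicate sections or keys."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), [])
            sections.append(current)  # a new entry even if the name repeats
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        current[1].append((key.strip(), value.strip()))
    return sections


def transform_matching_values(
    sections: List[Section], key_regex: str, transform: Callable[[str], str]
) -> List[Section]:
    """Apply `transform` to every value whose key matches key_regex,
    mirroring how an encrypted-regex selects which keys to protect."""
    pattern = re.compile(key_regex)
    return [
        (name, [(k, transform(v) if pattern.search(k) else v) for k, v in kvs])
        for name, kvs in sections
    ]


def emit_ini(sections: List[Section]) -> str:
    """Serialise the section list back to INI text, duplicates included."""
    out: List[str] = []
    for name, kvs in sections:
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kvs)
        out.append("")
    return "\n".join(out)


def count_sections(sections: List[Section], name: str) -> int:
    return sum(1 for n, _ in sections if n == name)


def round_trip_with_marker(text: str, key_regex: str) -> str:
    """Parse, mark matching values with ENC[...] (a placeholder, not
    encryption), and emit. Section and key counts must be unchanged."""
    sections = parse_ini_preserving_duplicates(text)
    marked = transform_matching_values(sections, key_regex, lambda v: f"ENC[{v}]")
    return emit_ini(marked)


def configparser_section_names(text: str) -> List[str]:
    """The mapping-based view: configparser with strict=False merges the
    three [Peer] sections into one and keeps only the last Address."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    return cp.sections()


if __name__ == "__main__":
    print(round_trip_with_marker(SAMPLE_INI, "PrivateKey"))
    print("configparser sees:", configparser_section_names(SAMPLE_INI))
```

For a wg-quick file the collapse is not cosmetic: each dropped [Peer] is a tunnel endpoint that no longer exists after decryption, and a dropped AllowedIPs entry changes which traffic is routed and accepted, so a secrets tool that drops duplicates produces a configuration that differs from what the operator stored. Comparing the section and key counts of the plaintext and the decrypted output, as the test below does, is a cheap check to run in the pipeline that encrypts such files.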

reindlt commented 5 months ago

I am facing exactly the same problem so I opened a PR for this issue. Let's see what the maintainers say.