getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

sops encryption/decryption with age key doesn't work for Python ini Files with [DEFAULT] section #1451

Open TheRaspyDev opened 5 months ago

TheRaspyDev commented 5 months ago

I have the following config.ini file for a Python project:

image

Running sops --encrypt config.ini > config__sops__.ini results in the following file:

image

Running sops --decrypt config__sops__.ini > config.ini results in the following file:

image

--> The [DEFAULT] section is stripped.

The [DEFAULT] section is very important for the Python configparser (https://docs.python.org/3/library/configparser.html#module-configparser). When it's missing, the configparser can't read the config file.

After decrypting and encrypting the config.ini, Python can't read the config.ini anymore.

When I rename the [DEFAULT] section in the config.ini file to [default] (or any other name), then sops works as expected (but Python won't work anymore). It seems that the [DEFAULT] section (with capital letters) is somehow reserved for sops???

A possible workaround for me is to define the "default" section in the Python code by setting the default_section property when initializing the configparser.

Please fix this issue.

Thanks in advance TheRaspyDev

felixfontein commented 5 months ago

It seems that the problem is that the INI library used by SOPS uses DEFAULT as the section name for entries outside a section (https://pkg.go.dev/gopkg.in/ini.v1?utm_source=godoc#pkg-variables). This is going to be tricky to fix, in particular without breaking backwards compatibility.

felixfontein commented 5 months ago

(The name DEFAULT seems to be hard-coded in that library. :-( )

TheRaspyDev commented 5 months ago

Thanks for the fast reply.

I always thought that INI File is a "standard". But it seems that (at least) Python works differently. In Python, a "default" section is mandatory (the .ini file has to start with a section header). Otherwise the configparser will fail.

The workaround (define a custom default_section) is fine for me at the moment: config_parser = configparser.ConfigParser(default_section="common")

I'm looking forward to seeing whether a solution can be found for this bug.
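The behaviour discussed in this thread, as an added example that is not part of the original comments or of SOPS itself: Python's configparser rejects keys that have no section header, and the default_section workaround restores inheritance of the shared values. The file contents, key names and the helpers load and headerless_keys are constructed for illustration, and the headerless layout of the decrypted file is an assumption based on the description above.

```python
import configparser

# Constructed sample: shared keys with no section header, the layout this
# example assumes for a file whose [DEFAULT] header was stripped.
STRIPPED = "log_level = info\n\n[database]\nhost = db.internal\n"

# Constructed sample: same settings, shared section renamed to "common".
RENAMED = "[common]\nlog_level = info\n\n[database]\nhost = db.internal\n"


def load(text, default_section="DEFAULT"):
    """Parse INI text; return the parser, or None if configparser rejects it."""
    parser = configparser.ConfigParser(default_section=default_section)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        return None
    return parser


def headerless_keys(text):
    """Return the key lines that appear before the first section header."""
    found = []
    for line in text.splitlines():
        entry = line.strip()
        if entry.startswith("["):
            break
        if entry and not entry.startswith(("#", ";")):
            found.append(entry)
    return found


if __name__ == "__main__":
    # Keys outside a section: Python refuses to parse the file at all.
    print("stripped file parses:", load(STRIPPED) is not None)
    print("orphaned keys:", headerless_keys(STRIPPED))

    # Workaround from the thread: tell configparser which section is the default.
    fixed = load(RENAMED, default_section="common")
    print("database inherits log_level:", fixed["database"]["log_level"])

    # Without default_section, "common" is an ordinary section and nothing inherits.
    plain = load(RENAMED)
    print("inherits without the setting:", plain.has_option("database", "log_level"))
```

Running headerless_keys on a freshly decrypted file before the application starts turns a parser crash into an explicit check that the shared section survived the round trip.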

felixfontein commented 5 months ago

> I always thought that INI File is a "standard".

Unfortunately no, there are thousands of similar, but sometimes incompatible ways that applications deal with INI files...