Adds support for publishing to vault using KV v1 and a different mount
name (or multiple).

…s to a child process (#504)

* first pass: add --exec flag

* fix spacing

* subcommand for exec as well as other bits n bobs

--placeholder to pass files to child procs (similar to `find(1)`'s -exec flag)
--background to background processes if you don't need them to be interactive

* break the 2 execs into 2 subcommands

* add a non-fifo option for people who like files instead

* added a setuid flag just in case

* oups, used the wrong functions

* Update README.rst

* typo

* Changes to travis config and docs for using develop (#462)

* Fixes integration tests in travis to not run on PR's (they will now
run on merges into `develop` and `master`)
* Change README.rst and CONTRIBUTING.md to reflect the use of `develop`
as the primary development branch

* use golang 1.12 for building sops

* pgp/keysource: Check size of key fingerprint

Make sure the key fingerprint is longer than 16 characters before
slicing it.

Closes #463

* Allow set "json value" to be a string. (#468)

* Allow set "json value" to be a string.

Adds back support for string values in --set, while retaining support
for yaml multidoc that caused this bug.

Fixes #461

* Add functional test for --set'ing strings

* Vendoring update (#472)

It's been around 9 months since our last vendor update. This is also
needed for some new features being worked on for sops workspace.

Additionally, this PR regenerates the kms mocks.

* Remove duplicate sentence from readme (#475)

* 3.3.1 bump and release notes (#477)

3.4.0 (develop -> master)

Merge typo and release build fix for 3.4.0

…variables to a child process (#504)"

This reverts commit f103af7.

Revert exec command for 3.4.0 release

fix --encrypted-regex documentation

* first pass: add --exec flag

* fix spacing

* subcommand for exec as well as other bits n bobs

--placeholder to pass files to child procs (similar to `find(1)`'s -exec flag)
--background to background processes if you don't need them to be interactive

* break the 2 execs into 2 subcommands

* add a non-fifo option for people who like files instead

* added a setuid flag just in case

* oups, used the wrong functions

* Update README.rst

* typo

* first attempt at separating out windows/unix functionality

* add the caveat about windows

* windows: make sure --no-fifo is being used and warn when it's not

* stray fixes

* switch to logrus, break out the command builder, and remove /tmp/ default

Document how to operate on stdin

Add note about mandatory keys rotation when using --add-* options.

document updatekeys command

fix for #548 - handle .ini files in `decrypt.Data`, add other helper

* Sanitize hostname used for AWS STS role session name

From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html):
> The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-

This fixes #441, which occurs when the hostname includes spaces and parentheses

* pr notes: wrap STS role session name regex compilation error

code is calling URLS https://github.com/mozilla/sops/blob/14a22d7a7060a0fba06c5dd716898d47728f0fce/cmd/sops/main.go#L371

correct azure key environment in readme

Develop -> Master for 3.5.0

Fix fpm commands and PROJECT var in Makefile

Commit e9b9f7a generated new PGP keys
for this repository, but failed to update the keys used by the examples.
As a result, the documentation for testing with the dev pgp key does not
work.

This commit rekeys the examples using the newly generated examples,
which allows the testing to work again.

At the moment, the examples produce warnings, due to the very old format
they use.

This commit re-encrypts the example files to eliminate the warnings that
are occurring from the use of the very old sops format.

…amples

Update the PGP Key for all Examples

in order to avoid version increment

fix filepath.Walk abuse; rename recursive flag; minor fixes

… logging

Dont fail Vault publish with write-only access; improve vault publish logging

Fix destination path on single file publish

Co-Authored-By: AJ Bahnken <1144310+ajvb@users.noreply.github.com>

Recursive publish - use relative paths

Publishing improvements: directory walking; prevent Vault unneeded version increment

This eliminates use of 3rd party tool but greatly simplifies supported versions.
MAJOR.MINOR.PTACH

Minor & Patch may be omitted ("v3", "v3.2", "v3.2.1")

Added version to docker tag #542

When reading and writing dotenv files, we need to make sure to
encode/decode newline characters. SOPS does not currently do this, as
can be seen from the below:

```console
$ echo '{"foo": "foo\nbar\nbaz"}' > plaintext.json
$ sops -e --output ciphertext.json plaintext.json
$ sops -d --output-type dotenv ciphertext.json
foo=foo
bar
baz
```

This output, is invalid and cannot even be fed back into SOPS:

```console
$ sops -d --output-type dotenv --output plaintext.env ciphertext.json
$ sops -e plaintext.env
Error unmarshalling file: invalid dotenv input line: bar
```

This commit fixes the issue, such that the final `sops -d ...` command
above produces the correct output:

```console
$ sops -d --output-type dotenv ciphertext.json
foo=foo\nbar\nbaz
```

* Add Dockerfile.alpine

* Publish alpine containers as "mozilla/sops:vX.X.X-alpine",  "mozilla/sops:vX.X-alpine",  "mozilla/sops:vX-alpine",  and "mozilla/sops:alpine"

update aws-sdk-go dependency

Revert "update aws-sdk-go dependency"

now returning exit code with exec-env and exec-file

Fixes #626 return exit code with exec-env and exec-file

Rationale
=========

The dotenv store as it exists right now performs splitting on newlines
to determine where a new key-value pair or comment begins. This works
remarkably well, up until you need to handle values that contain
newlines.

While I couldn't find an offical dotenv file format spec, I sampled a
number of open-source dotenv parsers and it seems that they typically
apply the following rules:

Comments:

* Comments may be written by starting a line with the `#` character.

Newline handling:

* If a value is unquoted or single-quoted and contains the character
  sequence `\n` (`0x5c6e`), it IS NOT decoded to a line feed (`0x0a`).

* If a value is double-quoted and contains the character sequence `\n`
  (`0x5c6e`), it IS decoded to a line feed (`0x0a`).

Whitespace trimming:

* For comments, the whitespace immediately after the `#` character and any
  trailing whitespace is trimmed.

* If a value is unquoted and contains any leading or trailing whitespace, it
  is trimmed.

* If a value is either single- or double-quoted and contains any leading or
  trailing whitespace, it is left untrimmed.

Quotation handling:

* If a value is surrounded by single- or double-quotes, the quotation marks
  are interpreted and not included in the value.

* Any number of single-quote characters may appear in a double-quoted
  value, or within a single-quoted value if they are escaped (i.e.,
  `'foo\'bar'`).

* Any number of double-quote characters may appear in a single-quoted
  value, or within a double-quoted value if they are escaped (i.e.,
  `"foo\"bar"`).

Because single- and double-quoted values may contain actual newlines,
we cannot split our input data on newlines as this may be in the middle
of a quoted value. This, along with the other rules around handling
quoted values, prompted me to try and implement a more robust parsing
solution. This commit is my first stab at that.

Special Considerations
======================

This is _not_ a backwards-compatible change:

* The `dotenv` files produced by this version of SOPS _cannot_ be read
  by an earlier version.

* The `dotenv` files produced by an earlier version of SOPS _can_ be
  read by this version, with the understanding that the semantics around
  quotations and newlines have changed.

Examples
========

The below examples show how double-quoted values are passed to the
running environment:

```console
$ echo 'FOO="foo\\nbar\\nbaz"' > plaintext.env
$ sops -e --output ciphertext.env plaintext.env
$ sops exec-env ciphertext.env 'env | grep FOO | xxd'
00000000: 464f 4f3d 666f 6f5c 6e62 6172 5c6e 6261  FOO=foo\nbar\nba
00000010: 7a0a                                     z.
```

```console
$ echo 'FOO="foo\nbar\nbaz"' > plaintext.env
$ sops -e --output ciphertext.env plaintext.env
$ sops exec-env ciphertext.env 'env | grep -A2 FOO | xxd'
00000000: 464f 4f3d 666f 6f0a 6261 720a 6261 7a0a  FOO=foo.bar.baz.
```

Add support for decoding JSON arrays of arrays by handling, during
slice decoding, when the next token is an array opening. This produces
nested []interface{} slices.

Closes #640.

Update authors

Reference `run` python3 function
Use rst ticks

Update container to go 1.14

Readme tweak

…mpty (#662)

* feat: initial adding of vualt transit backend to sops
initial work on integration
feat(vault): added cli coomands working for vualt"

fix(vault): fixed config with correct tests

fix(vault): added vault to keygroup and to keyservice server

fixed metadata load

* feat(docs): added docs in README.md and in command help

fix(doc): fix rst formatting"

fix(doc): fix rst formatting

* fix(vault): addressed typos and fixes from autrilla

feat(cli): moved vault to hc-vault naming

* fix(test): typo while rebasing

* fix typos and imporve error messages for vault kms

* rename package from vault to hcvault

* refactor vault keysource url validation

* add negative test cases  for vault keysource

* add hc vault transit config option via objects
additional to URIs

* remove vault_example.yml

* streamline key name to snake case

* rename `BackendPath` to `EnginePath` for hc vault

* correction in hc-vault-transit commands

Signed-off-by: vnzongzna <github@vaibhavk.in>

* resolving conflict

Signed-off-by: vnzongzna <github@vaibhavk.in>

* Apply suggestions from code review

Co-Authored-By: Adrian Utrilla <adrianutrilla@gmail.com>

* allowing only hc_vault_transit_uri as input

Co-Authored-By: gitirabassi
Co-Authored-By: ldue
Signed-off-by: vnzongzna <github@vaibhavk.in>

Co-authored-by: gitirabassi <giacomo@tirabassi.eu>
Co-authored-by: ldue <larsduennwald@gmail.com>
Co-authored-by: Vaibhav Kaushik <vaibhavkaushik@vaibhavka-ltm1.internal.salesforce.com>
Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>

* update 'updatekeys' subcommand to use config (if exists) from commandline

* Fix #671: `updatekeys` checks for config file flag

The 'updatekeys' subcommand did not check for the config flag
in the command line. Add that check and if found use it to set configPath.

* Fix #671: `updatekeys` checks for config file flag

The 'updatekeys' subcommand did not check for the config global string flag.
 Add that check and if found use it to set configPath.

* Fix #671: `updatekeys` checks for config file flag

The 'updatekeys' subcommand did not check for the config global string flag.
Add that check and if found use it to set configPath.

 Edit: Remove mistake file addition

* Update cmd/sops/main.go

Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>

"sops updatekeys" is not working the same as when encrypting a file. The
reason is that for "sops --encrypt", the file path is made absolute before
it is compared with the path_regex in the config file. This is not done for
"sops updatekeys", therefore it does not match the correct entry in the
config file when updating keys.

updatekeys: Make file path absolute

AWS Profile not correctly resolving .aws/config file - #679

* Fix tests

* Fix endless loop in x/crypto/openpgp func ReadMessage

This fixes #665
See also golang/go#28786

In some strange situations it can happen, that openpgp.ReadMessage()
runs into a endless loop. This seems to be triggered by a slightly
inconsistency in key settings.
It happened to me, but I wasn't able to reproduce it with a fresh key.
A proposed solution from the x/crypto community was, to break this loop
in the callback passphrasePrompt.

* Revert "Fix tests"

This reverts commit 285f4dc.

* Improve error description

#690 (comment)

* Close tmpfile after writing

Windows will not allow for deletion of a file with an open handle, 
close tmpfile after writing to prevent unencrypted tmpfiles out-living
the execution

* Update cmd/sops/edit.go

Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>

* defer edited file close

Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>