getsops
diff --git a/‎README.rst
Lines changed: 25 additions & 0 deletions b/‎README.rst
Lines changed: 25 additions & 0 deletions
diff --git a/‎cmd/sops/common/common.go
Lines changed: 64 additions & 0 deletions b/‎cmd/sops/common/common.go
Lines changed: 64 additions & 0 deletions
diff --git a/‎cmd/sops/main.go
Lines changed: 45 additions & 1 deletion b/‎cmd/sops/main.go
Lines changed: 45 additions & 1 deletion
diff --git a/‎cmd/sops/subcommand/publish/publish.go
Lines changed: 151 additions & 0 deletions b/‎cmd/sops/subcommand/publish/publish.go
Lines changed: 151 additions & 0 deletions
@@ -791,6 +791,31 @@ By default ``sops`` just dumps all the output to the standard output. We can use
 Beware using both ``--in-place`` and ``--output`` flags will result in an error.
 
 
+Using the publish command
+~~~~~~~~~~~~~~~~~~~~~~~~~
+``sops publish $file`` publishes a file to a pre-configured destination (this lives in the sops
+config file). Additionally, support re-encryption rules that work just like the creation rules.
+
+This command requires a ``.sops.yaml`` configuration file. Below is an example:
+
+.. code:: yaml
+
+   destination_rules:
+      - s3_bucket: "sops-secrets"
+        path_regex: s3/*
+        recreation_rule:
+           pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307
+      - gcs_bucket: "sops-secrets"
+        path_regex: gcs/*
+        recreation_rule:
+           pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307
+
+The above configuration will place all files under ``s3/*`` into the S3 bucket ``sops-secrets`` and
+will place all files under ``gcs/*`` into the GCS bucket ``sops-secrets``. As well, it will decrypt
+these files and re-encrypt them using the ``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key.
+
+You would deploy a file to S3 with a command like: ``sops publish s3/app.yaml``
+
 Important information on types
 ------------------------------
 
 
@@ -8,9 +8,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/fatih/color"
 	wordwrap "github.com/mitchellh/go-wordwrap"
 	"go.mozilla.org/sops"
 	"go.mozilla.org/sops/cmd/sops/codes"
+	"go.mozilla.org/sops/keys"
 	"go.mozilla.org/sops/keyservice"
 	"go.mozilla.org/sops/kms"
 	"go.mozilla.org/sops/stores/dotenv"
@@ -339,3 +341,65 @@ func RecoverDataKeyFromBuggyKMS(opts GenericDecryptOpts, tree *sops.Tree) []byte
 
 	return nil
 }
+
+type Diff struct {
+	Common  []keys.MasterKey
+	Added   []keys.MasterKey
+	Removed []keys.MasterKey
+}
+
+func max(a, b int) int {
+	if a > b {
+		return a
+	}
+	return b
+}
+
+func DiffKeyGroups(ours, theirs []sops.KeyGroup) []Diff {
+	var diffs []Diff
+	for i := 0; i < max(len(ours), len(theirs)); i++ {
+		var diff Diff
+		var ourGroup, theirGroup sops.KeyGroup
+		if len(ours) > i {
+			ourGroup = ours[i]
+		}
+		if len(theirs) > i {
+			theirGroup = theirs[i]
+		}
+		ourKeys := make(map[string]struct{})
+		theirKeys := make(map[string]struct{})
+		for _, key := range ourGroup {
+			ourKeys[key.ToString()] = struct{}{}
+		}
+		for _, key := range theirGroup {
+			if _, ok := ourKeys[key.ToString()]; ok {
+				diff.Common = append(diff.Common, key)
+			} else {
+				diff.Added = append(diff.Added, key)
+			}
+			theirKeys[key.ToString()] = struct{}{}
+		}
+		for _, key := range ourGroup {
+			if _, ok := theirKeys[key.ToString()]; !ok {
+				diff.Removed = append(diff.Removed, key)
+			}
+		}
+		diffs = append(diffs, diff)
+	}
+	return diffs
+}
+
+func PrettyPrintDiffs(diffs []Diff) {
+	for i, diff := range diffs {
+		color.New(color.Underline).Printf("Group %d\n", i+1)
+		for _, c := range diff.Common {
+			fmt.Printf("    %s\n", c.ToString())
+		}
+		for _, c := range diff.Added {
+			color.New(color.FgGreen).Printf("+++ %s\n", c.ToString())
+		}
+		for _, c := range diff.Removed {
+			color.New(color.FgRed).Printf("--- %s\n", c.ToString())
+		}
+	}
+}
@@ -21,6 +21,7 @@ import (
 	"go.mozilla.org/sops/cmd/sops/common"
 	"go.mozilla.org/sops/cmd/sops/subcommand/groups"
 	keyservicecmd "go.mozilla.org/sops/cmd/sops/subcommand/keyservice"
+	publishcmd "go.mozilla.org/sops/cmd/sops/subcommand/publish"
 	"go.mozilla.org/sops/cmd/sops/subcommand/updatekeys"
 	"go.mozilla.org/sops/config"
 	"go.mozilla.org/sops/gcpkms"
@@ -105,6 +106,49 @@ func main() {
    For more information, see the README at github.com/mozilla/sops`
 	app.EnableBashCompletion = true
 	app.Commands = []cli.Command{
+		{
+			Name:      "publish",
+			Usage:     "Publish sops file to a configured destination",
+			ArgsUsage: `file`,
+			Flags: append([]cli.Flag{
+				cli.BoolFlag{
+					Name:  "yes, y",
+					Usage: `pre-approve all changes and run non-interactively`,
+				},
+				cli.BoolFlag{
+					Name:  "verbose",
+					Usage: "Enable verbose logging output",
+				},
+			}, keyserviceFlags...),
+			Action: func(c *cli.Context) error {
+				if c.Bool("verbose") || c.GlobalBool("verbose") {
+					logging.SetLevel(logrus.DebugLevel)
+				}
+				configPath, err := config.FindConfigFile(".")
+				if err != nil {
+					return common.NewExitError(err, codes.ErrorGeneric)
+				}
+				if c.NArg() < 1 {
+					return common.NewExitError("Error: no file specified", codes.NoFileSpecified)
+				}
+				fileName := c.Args()[0]
+				inputStore := inputStore(c, fileName)
+				err = publishcmd.Run(publishcmd.Opts{
+					ConfigPath:  configPath,
+					InputPath:   fileName,
+					InputStore:  inputStore,
+					Cipher:      aes.NewCipher(),
+					KeyServices: keyservices(c),
+					Interactive: !c.Bool("yes"),
+				})
+				if cliErr, ok := err.(*cli.ExitError); ok && cliErr != nil {
+					return cliErr
+				} else if err != nil {
+					return common.NewExitError(err, codes.ErrorGeneric)
+				}
+				return nil
+			},
+		},
 		{
 			Name:  "keyservice",
 			Usage: "start a SOPS key service server",
@@ -129,7 +173,7 @@ func main() {
 				},
 			},
 			Action: func(c *cli.Context) error {
-				if c.Bool("verbose") {
+				if c.Bool("verbose") || c.GlobalBool("verbose") {
 					logging.SetLevel(logrus.DebugLevel)
 				}
 				err := keyservicecmd.Run(keyservicecmd.Opts{
 
@@ -0,0 +1,151 @@
+package publish
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"go.mozilla.org/sops"
+	"go.mozilla.org/sops/cmd/sops/codes"
+	"go.mozilla.org/sops/cmd/sops/common"
+	"go.mozilla.org/sops/config"
+	"go.mozilla.org/sops/keyservice"
+	"go.mozilla.org/sops/logging"
+	"go.mozilla.org/sops/version"
+
+	"github.com/sirupsen/logrus"
+)
+
+var log *logrus.Logger
+
+func init() {
+	log = logging.NewLogger("PUBLISH")
+}
+
+type Opts struct {
+	Interactive bool
+	Cipher      sops.Cipher
+	ConfigPath  string
+	InputPath   string
+	KeyServices []keyservice.KeyServiceClient
+	InputStore  sops.Store
+}
+
+func Run(opts Opts) error {
+	var fileContents []byte
+	path, err := filepath.Abs(opts.InputPath)
+	if err != nil {
+		return err
+	}
+	info, err := os.Stat(path)
+	if err != nil {
+		return err
+	}
+	if info.IsDir() {
+		return fmt.Errorf("can't operate on a directory")
+	}
+	_, fileName := filepath.Split(path)
+
+	conf, err := config.LoadDestinationRuleForFile(opts.ConfigPath, opts.InputPath, make(map[string]*string))
+	if err != nil {
+		return err
+	}
+	if conf.Destination == nil {
+		return errors.New("no destination configured for this file")
+	}
+
+	// Check that this is a sops-encrypted file
+	tree, err := common.LoadEncryptedFile(opts.InputStore, opts.InputPath)
+	if err != nil {
+		return err
+	}
+
+	// Re-encrypt if settings exist to do so
+	if len(conf.KeyGroups[0]) != 0 {
+		log.Debug("Re-encrypting tree before publishing")
+		_, err = common.DecryptTree(common.DecryptTreeOpts{
+			Cipher:      opts.Cipher,
+			IgnoreMac:   false,
+			Tree:        tree,
+			KeyServices: opts.KeyServices,
+		})
+		if err != nil {
+			return err
+		}
+
+		diffs := common.DiffKeyGroups(tree.Metadata.KeyGroups, conf.KeyGroups)
+		keysWillChange := false
+		for _, diff := range diffs {
+			if len(diff.Added) > 0 || len(diff.Removed) > 0 {
+				keysWillChange = true
+			}
+		}
+		if keysWillChange {
+			fmt.Printf("The following changes will be made to the file's key groups:\n")
+			common.PrettyPrintDiffs(diffs)
+		}
+
+		tree.Metadata = sops.Metadata{
+			KeyGroups:         conf.KeyGroups,
+			UnencryptedSuffix: conf.UnencryptedSuffix,
+			EncryptedSuffix:   conf.EncryptedSuffix,
+			Version:           version.Version,
+			ShamirThreshold:   conf.ShamirThreshold,
+		}
+
+		dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices)
+		if len(errs) > 0 {
+			err = fmt.Errorf("Could not generate data key: %s", errs)
+			return err
+		}
+
+		err = common.EncryptTree(common.EncryptTreeOpts{
+			DataKey: dataKey,
+			Tree:    tree,
+			Cipher:  opts.Cipher,
+		})
+		if err != nil {
+			return err
+		}
+
+		fileContents, err = opts.InputStore.EmitEncryptedFile(*tree)
+		if err != nil {
+			return common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree)
+		}
+	} else {
+		fileContents, err = ioutil.ReadFile(path)
+		if err != nil {
+			return fmt.Errorf("could not read file: %s", err)
+		}
+	}
+
+	if opts.Interactive {
+		var response string
+		for response != "y" && response != "n" {
+			fmt.Printf("uploading %s to %s ? (y/n): ", path, conf.Destination.Path(fileName))
+			_, err := fmt.Scanln(&response)
+			if err != nil {
+				return err
+			}
+		}
+		if response == "n" {
+			return errors.New("Publish canceled")
+		}
+	}
+
+	err = conf.Destination.Upload(fileContents, fileName)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}