6b75c12831
The scripts were written in bash. Using bash became quite unwieldy.
Python by nature can deal well with yaml and is thus better suited
in dealing with the yaml-based configuration files. This change
rewrites the original scripts staying as close as possible to the
original ones.
Right now, the python scripts call subprocesses a lot to work with
the tools, which were already used before. At least for yaml-
templating there may be better tools that have a python integration,
which could be used in the future.
Change-Id: Ida16318445a05dcfdada9c7a56a391e4827f02e7
# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import re
import subprocess

import gnupg
ENCRYPTED_KEYS = [
|
|
"accessToken",
|
|
"apiUrl",
|
|
"caCert",
|
|
"cert",
|
|
"htpasswd",
|
|
"key",
|
|
"password",
|
|
"secret",
|
|
]
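def _matches_key(pgp_identifier, key):
    """Return True if a gnupg key entry matches the user-supplied identifier.

    Arguments:
        pgp_identifier {string} -- fingerprint, key id or a fragment of a uid
        key {dict} -- one entry of gnupg.GPG().list_keys()
    """
    # Fingerprints and key ids are hex; also accept lower case and the
    # spaced "ABCD 1234 ..." form that gpg prints.
    hex_id = pgp_identifier.replace(" ", "").upper()
    if hex_id and (hex_id in key["fingerprint"] or hex_id in key["keyid"]):
        return True
    # uids ("Name <mail>") are matched verbatim as a substring.
    return any(pgp_identifier in uid for uid in key["uids"])


def _is_usable(key):
    """Return False for keys gpg reports as revoked, expired, disabled or invalid.

    `trust` is the validity column of `gpg --with-colons` as exposed by
    python-gnupg (r/e/d/i) -- TODO confirm against the installed version; a
    missing field is treated as usable so nothing is hidden by mistake.
    """
    return key.get("trust") not in ("r", "e", "d", "i")


def encrypt(pgp_identifier, config_path):
    """Encrypt the config file in place using sops and a PGP key.

    The key is looked up in the local gpg keyring (see _matches_key); the
    match must be unique among the usable keys. sops is then invoked with the
    full fingerprint of that key, never with the user-supplied identifier, so
    the recipient of the encrypted file is unambiguous.

    Arguments:
        pgp_identifier {string} -- A unique identifier of the PGP key to be used.
            This can be the fingerprint, keyid (either case, spaces allowed) or
            part of the uid (e.g. the email address)
        config_path {string} -- The path to the config file to be encrypted

    Raises:
        ValueError: Error, if the identifier is empty or no (unique) usable
            PGP key could be found
        subprocess.CalledProcessError: if sops exits with a non-zero status
    """
    if not pgp_identifier or not pgp_identifier.strip():
        # "" is a substring of every string: an empty identifier would match
        # every key and, with a single-key keyring, silently pick it.
        raise ValueError("PGP identifier must not be empty.")

    gpg = gnupg.GPG()
    gpg_keys = gpg.list_keys()

    matching_keys = [k for k in gpg_keys if _matches_key(pgp_identifier, k)]
    if not matching_keys:
        raise ValueError("PGP key not found.")

    # Drop revoked/expired keys before the uniqueness check, so a rotated key
    # still in the keyring does not make its replacement "not unique" and a
    # dead key is never handed to sops as the recipient.
    selected_keys = [k for k in matching_keys if _is_usable(k)]
    if not selected_keys:
        raise ValueError("PGP key is revoked, expired or disabled.")

    if len(selected_keys) > 1:
        raise ValueError("Identifier of PGP not unique.")

    # Unanchored alternation: any key containing one of ENCRYPTED_KEYS has its
    # value encrypted. re.escape keeps a future entry with regex
    # metacharacters from silently widening or breaking the pattern.
    encrypted_regex = "(" + "|".join(re.escape(k) for k in ENCRYPTED_KEYS) + ")"

    command = [
        "sops",
        "--encrypt",
        "--in-place",
        "--encrypted-regex",
        encrypted_regex,
        "--pgp",
        selected_keys[0]["fingerprint"],
        config_path,
    ]
    # Argument list, no shell: config_path reaches sops as a single argument.
    # sops' stdout is captured and discarded; a non-zero exit raises
    # CalledProcessError and the file is left for the caller to inspect.
    subprocess.check_output(command)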