
ini: Encode duplicate sections

Open r10r opened this issue 8 months ago • 0 comments

It would be nice to encode sections with the same name in INI style config files. Duplicate sections should not be dropped from the encoded output, because some programs, namely wg from wireguard-tools, rely on this.

From https://www.man7.org/linux/man-pages/man8/wg.8.html

The configuration file format is based on INI. There are two top level sections -- Interface and Peer. Multiple Peer sections may be specified, but only one Interface section may be specified.

Example

Trying to encode a wg-quick configuration file fails because only a single [Peer] section is returned in the output encoded with sops -e.

input file test.ini

[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
SaveConfig = true
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

The following age key is used for encryption.

# created: 2023-11-03T18:50:59+01:00
# public key: age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
AGE-SECRET-KEY-1EYF85KESJDNUNDCVQXDGMC8NCEXYZS92HW5842VSG30L4JLPZVQQ36P0JH

export SOPS_AGE_RECIPIENTS=age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
sops -e --encrypted-regex PrivateKey test.ini 

encrypted output

[Interface]
Address    = 10.10.0.1/16
SaveConfig = true
PrivateKey = ENC[AES256_GCM,data:8HAoZSPkV11O8LgIBPNrOyRnSGLTfQg98qiqp8kIk2rb1aClftDqhNajW1E=,iv:2Ki3gTHuHFNyQR8mRppeWErdlKxw1uEW7J493uhYLTc=,tag:YqhfjQvxEr7w6cF3dTvYHQ==,type:str]
ListenPort = 51820

[Peer]
PublicKey  = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

[sops]
version                    = 3.8.1
mac                        = ENC[AES256_GCM,data:8YauGBM28AD6cQJOSRLZrSVSMsfvnHJNkSvUfXvajI/ezW9Tu8jlGljRp+cBziSywBEhBj5pfOOsAOMUHImwa1by4vs+hljD0k1h12oocygMYz7gitAlTplUiDaYos/KkvCldLuPJRdQIuFMtJXUMbULM58G6pGJJowJoNKcuwE=,iv:QydnAZrherzVr1XJl4dISjc/CHx0cO6XvuYBEb/oU9E=,tag:EG8lKXZ64lgn/TBSYBdpUg==,type:str]
encrypted_regex            = PrivateKey
lastmodified               = 2023-11-03T17:52:07Z
age__list_0__map_recipient = age1uz5gjmw28w0zzmrlel2jy3n826qvhxsxu9aafyg2q0kyjk8v2g8sufhvlu
age__list_0__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRHIvc3M5SDZTNlBibG9z\nMTJPd1JHQk1EUVgzTGlCTnRFMk1uL0d4NUh3CmxhUG1ua1kzWHdSZngrdnkwbC9k\nZjhLQXBsaytrUlVkL1pUWHFVRHUzb2MKLS0tIHBZaWlhUkxlNjNIZnhqb1dKakZk\naEMyY1RYVS95ME9VSGpTaW1BTWhFS2cKzbZOnpYxeRRhZ3UgOpNX0FbMV4JUnlCk\nvkeXSMq4E5DcliVJDCRHK+xsV2Rg9cK8SdcdmR1Of+V735mDIH97XQ==\n-----END AGE ENCRYPTED FILE-----\n

Only the first [Peer] section is included in the encrypted output file.

r10r avatar Nov 03 '23 18:11 r10r
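
A pre-flight check for the data loss reported above, as an added example that is not part of the original issue or of the sops code base: it scans an INI file for repeated section names and for keys repeated inside one section, so such a file can be flagged before it is passed to sops -e. The function name FindDuplicates and the sample file (with placeholder key values) are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleINI is a constructed wg-quick style file; key values are placeholders.
const sampleINI = `[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
PrivateKey = <placeholder>
[Peer]
PublicKey = <placeholder-1>
[Peer]
PublicKey = <placeholder-2>
`

// FindDuplicates lists repeated section names and "Section.Key" repeats within one section.
func FindDuplicates(ini string) (sections, keys []string) {
	seenSection, seenKey := map[string]int{}, map[string]int{}
	current := ""
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';': // blank line or comment
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			current = strings.TrimSpace(line[1 : len(line)-1])
			seenKey = map[string]int{} // keys are tracked per section instance
			if seenSection[current]++; seenSection[current] == 2 {
				sections = append(sections, current)
			}
		default:
			if i := strings.Index(line, "="); i > 0 {
				name := strings.TrimSpace(line[:i])
				if seenKey[name]++; seenKey[name] == 2 {
					keys = append(keys, current+"."+name)
				}
			}
		}
	}
	return sections, keys
}

func main() { fmt.Println(FindDuplicates(sampleINI)) }
```

A non-empty result from either list means the file contains entries of the kind that went missing in the encrypted output shown in this issue.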