sops/azkv: ensure compatibility with upstream

To please the older Azure SDK, the upstream SOPS implementation base64 URL encodes data before encryption, and decodes it afterwards. With the new SDK, this has changed, requiring us to do the opposite to ensure compatibility. Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Mar 29, 2022 · 03ec6ca · 03ec6ca
1 parent fd6b054
commit 03ec6ca
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/internal/sops/azkv/keysource.go b/internal/sops/azkv/keysource.go
@@ -7,6 +7,7 @@ package azkv
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/binary"
 	"fmt"
 	"io/ioutil"
@@ -150,7 +151,11 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	if err != nil {
 		return fmt.Errorf("failed to encrypt data: %w", err)
 	}
-	key.EncryptedKey = string(resp.Result)
+	// This is for compatibility between the SOPS upstream which uses
+	// a much older Azure SDK, and our implementation which is up-to-date
+	// with the latest.
+	encodedEncryptedKey := base64.RawURLEncoding.EncodeToString(resp.Result)
+	key.SetEncryptedDataKey([]byte(encodedEncryptedKey))
 	return nil
 }
 
@@ -168,7 +173,14 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to construct client to decrypt data: %w", err)
 	}
-	resp, err := c.Decrypt(context.Background(), crypto.EncryptionAlgorithmRSAOAEP256, []byte(key.EncryptedKey), nil)
+	// This is for compatibility between the SOPS upstream which uses
+	// a much older Azure SDK, and our implementation which is up-to-date
+	// with the latest.
+	rawEncryptedKey, err := base64.RawURLEncoding.DecodeString(key.EncryptedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encrypted key: %w", err)
+	}
+	resp, err := c.Decrypt(context.Background(), crypto.EncryptionAlgorithmRSAOAEP256, rawEncryptedKey, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt data: %w", err)
 	}