Merge branch 'main' into go.yaml.in

Author: felixfontein

.github/workflows/cli.yml

@@ -29,7 +29,7 @@ jobs:
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ matrix.go-version }}
         id: go

.github/workflows/codeql.yml

@@ -35,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           category: "/language:go"

.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v4.0.1
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4.0.1
         with:
           go-version: 1.24
           cache: false

config/config.go

@@ -508,7 +508,18 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 	}
 
 	var dest publish.Destination
-	if dRule.S3Bucket != "" && dRule.GCSBucket != "" && dRule.VaultPath != "" {
+	destinationCount := 0
+	if dRule.S3Bucket != "" {
+		destinationCount++
+	}
+	if dRule.GCSBucket != "" {
+		destinationCount++
+	}
+	if dRule.VaultPath != "" {
+		destinationCount++
+	}
+
+	if destinationCount > 1 {
 		return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
 	}
 	if dRule.S3Bucket != "" {

config/config_test.go

@@ -755,3 +755,127 @@ creation_rules:
 	assert.Equal(t, 1, keyTypeCounts["gcp_kms"])
 	assert.Equal(t, 1, keyTypeCounts["hc_vault"])
 }
+
+// Test configurations with multiple destinations should fail
+var sampleConfigWithS3GCSConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithS3VaultConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithGCSVaultConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithAllThreeDestinations = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+func TestDestinationValidationS3GCSConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithS3GCSConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both S3 and GCS destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationS3VaultConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithS3VaultConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both S3 and Vault destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationGCSVaultConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithGCSVaultConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both GCS and Vault destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationAllThreeDestinationsConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAllThreeDestinations, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when all three destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationSingleS3Destination(t *testing.T) {
+	validS3Config := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validS3Config, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "s3://my-s3-bucket/sops/secrets.yaml")
+}
+
+func TestDestinationValidationSingleGCSDestination(t *testing.T) {
+	validGCSConfig := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validGCSConfig, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "gcs://my-gcs-bucket/sops/secrets.yaml")
+}
+
+func TestDestinationValidationSingleVaultDestination(t *testing.T) {
+	validVaultConfig := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validVaultConfig, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "https://vault.example.com/v1/secret/data/secret/sops/secrets.yaml")
+}