Added new gcip.addons.security.sops module.

bitfoo1 · bitfoo1 · commit c88bf409cde5 · 2021-04-19T17:27:27.000+02:00
Added sops_export_decrypted_values function to sops module.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * New addons: *aws* to allow receiving AWS account id and region.
 * New `gcip.addons.container.registries.Registry.AWS()` allows getting an ECR URL to be used in pipeline.
 * Added `crane.pull()` function to `gcip.addons.container.crane`.
+* Added new gcip.addons.security.sops module and added sops_export_decrypted_values function to sops module.
 
 ### Changed
 * Normalize config_file_path in `gcip.addons.container.config.DockerClientConfig`
diff --git a/gcip/addons/security/__init__.py b/gcip/addons/security/__init__.py
@@ -0,0 +1,7 @@
+__author__ = "Daniel von Eßen"
+__copyright__ = "Copyright 2020 DB Systel GmbH"
+__credits__ = ["Daniel von Eßen", "Thomas Steinbach"]
+# SPDX-License-Identifier: Apache-2.0
+__license__ = "Apache-2.0"
+__maintainer__ = "Thomas Steinbach"
+__email__ = "daniel.von-essen@deutschebahn.com"
diff --git a/gcip/addons/security/sops.py b/gcip/addons/security/sops.py
@@ -0,0 +1,22 @@
+__author__ = "Daniel von Eßen"
+__copyright__ = "Copyright 2020 DB Systel GmbH"
+__credits__ = ["Daniel von Eßen", "Thomas Steinbach"]
+# SPDX-License-Identifier: Apache-2.0
+__license__ = "Apache-2.0"
+__maintainer__ = "Thomas Steinbach"
+__email__ = "daniel.von-essen@deutschebahn.com"
+
+
+def sops_export_decrypted_values(path: str) -> str:
+    """Returns a helper string to embedd it into jobs to allow exporting
+    Values which are decrypted by `sops`. e.g. 'export $(sops -d sops/encrypted_file.env)'
+
+    This function is usefull, if you want to use environment variables to login to e.g. a container registry.
+
+    Args:
+        path (str): Path to `sops` encrypted file, must be relative to project directory.
+
+    Returns:
+        str: Export string of sops decrypted file.
+    """
+    return f"set -eo pipefail; SOPS_OUTPUT=$(sops -d {path}); export $SOPS_OUTPUT"
diff --git a/tests/unit/test_addons_security_sops.py b/tests/unit/test_addons_security_sops.py
@@ -0,0 +1,8 @@
+from gcip.addons.security.sops import (
+    sops_export_decrypted_values,
+)
+
+
+def test_sops_export_decrypted_values():
+    expected = "set -eo pipefail; SOPS_OUTPUT=$(sops -d secrets/encrypted_file.env); export $SOPS_OUTPUT"
+    assert sops_export_decrypted_values("secrets/encrypted_file.env") == expected
