feat: add support for Alibaba Cloud KMS in keyservice

Author: peiliqiancdt

README.rst

@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **SOPS** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age, and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, Alibaba Cloud KMS, HuaweiCloud KMS, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif
@@ -597,13 +597,52 @@ You can also configure HuaweiCloud KMS keys in the ``.sops.yaml`` config file:
           hckms:
             - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
 
+Encrypting using Alibaba Cloud KMS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Alibaba Cloud KMS integration uses the Alibaba Cloud SDK to communicate with the KMS service.
+It supports authentication via:
+
+1.  **Environment Variables**: ``ALIBABA_CLOUD_ACCESS_KEY_ID`` and ``ALIBABA_CLOUD_ACCESS_KEY_SECRET``.
+2.  **CLI Configuration**: It can read credentials from the Alibaba Cloud CLI configuration (``~/.aliyun/config.json``).
+3.  **Instance RAM Roles**: When running on an ECS instance with an attached RAM role.
+
+For example, using environment variables:
+
+.. code:: bash
+
+    export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+    export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+
+To encrypt a file, specify the Alibaba Cloud KMS key using its ARN format:
+``acs:kms:RegionId:UserId:key/CmkId``.
+
+.. code:: sh
+
+    $ sops encrypt --acs-kms acs:kms:cn-shanghai:1234567890:key/key-idxxxx test.yaml > test.enc.yaml
+
+Or using the ``SOPS_ACS_KMS_IDS`` environment variable:
+
+.. code:: bash
+
+    export SOPS_ACS_KMS_IDS="acs:kms:cn-shanghai:1234567890:key/key-idxxxx"
+    $ sops encrypt test.yaml > test.enc.yaml
+
+You can also configure Alibaba Cloud KMS keys in the ``.sops.yaml`` config file:
+
+.. code:: yaml
+
+    creation_rules:
+        - path_regex: \.acs\.yaml$
+          acs_kms: "acs:kms:cn-shanghai:1234567890:key/key-idxxxx"
+
 Adding and removing keys
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the
-command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` or ``--azure-kv``, or from
+command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--acs-kms``, ``--hckms`` or ``--azure-kv``, or from
 the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``,
-``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
+``SOPS_ACS_KMS_IDS``, ``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
 ``sops`` section, such that decrypting files does not require providing those
 parameters again.
 
@@ -647,9 +686,9 @@ disabled by supplying the ``-y`` flag.
 
 The ``rotate`` command generates a new data encryption key and reencrypt all values
 with the new key. At the same time, the command line flag ``--add-kms``, ``--add-pgp``,
-``--add-gcp-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
-``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
-the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` and ``--azure-kv``
+``--add-gcp-kms``, ``--add-acs-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
+``--rm-acs-kms``, ``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
+the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--acs-kms``, ``--hckms`` and ``--azure-kv``
 arguments when creating new files.
 
 Use ``updatekeys`` if you want to add a key without rotating the data key.
@@ -825,7 +864,7 @@ stdout.
 Using .sops.yaml conf to select KMS, PGP and age for new files
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--hckms`` ``--pgp`` and ``--age`` parameters for creation
+It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--acs-kms`` ``--hckms`` ``--pgp`` and ``--age`` parameters for creation
 of all new files. If your secrets are stored under a specific directory, like a
 ``git`` repository, you can create a ``.sops.yaml`` configuration file at the root
 directory to define which keys are used for which filename.
@@ -1866,6 +1905,15 @@ To directly specify a single key group, you can use the following keys:
       - hc_vault_transit_uri:
           - http://my.vault/v1/sops/keys/secondkey
 
+* ``acs_kms`` (list of strings): list of Alibaba Cloud KMS key ARNs.
+  Example:
+
+  .. code:: yaml
+
+    creation_rules:
+      - acs_kms:
+          - acs:kms:cn-shanghai:1234567890:key/key-idxxxx
+
 * ``hckms`` (list of strings): list of HuaweiCloud KMS key IDs (format: ``<region>:<key-uuid>``).
   Example:
 
@@ -1982,6 +2030,17 @@ A key group supports the following keys:
 
 * ``hc_vault`` (list of strings): list of HashiCorp Vault transit URIs.
 
+* ``acs_kms`` (list of objects): list of Alibaba Cloud KMS key ARNs.
+  Every object must have the following key:
+
+  * ``arn`` (string): the key ARN.
+
+  Example:
+
+  .. code:: yaml
+
+    - arn: acs:kms:cn-shanghai:1234567890:key/key-idxxxx
+
 * ``hckms`` (list of objects): list of HuaweiCloud KMS key IDs.
   Every object must have the following key:
 

acskms/keysource.go

@@ -0,0 +1,219 @@
+package acskms
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+	"time"
+
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	kmssdk "github.com/alibabacloud-go/kms-20160120/v3/client"
+	"github.com/alibabacloud-go/tea/tea"
+	"github.com/aliyun/credentials-go/credentials"
+	"github.com/getsops/sops/v3/keys"
+	"github.com/getsops/sops/v3/logging"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// arnRegex matches an ACS ARN, for example:
+	// "acs:kms:cn-shanghai:1234567890:key/key-idxxxxx".
+	arnRegex = `^acs:kms:(.+):[0-9]+:key/(.+)$`
+	// kmsTTL is the duration after which a MasterKey requires rotation.
+	kmsTTL = time.Hour
+	// KeyTypeIdentifier is the string used to identify an ACS KMS MasterKey.
+	KeyTypeIdentifier = "acs_kms"
+)
+
+var (
+	// log is the global logger for any Alibaba Cloud KMS MasterKey.
+	log *logrus.Logger
+)
+
+func init() {
+	log = logging.NewLogger("ACSKMS")
+}
+
+// MasterKey is an Alibaba Cloud KMS key used to encrypt and decrypt SOPS' data key.
+type MasterKey struct {
+	// Arn is the full key identifier in format "region:key-id" or an ARN
+	Arn string
+	// Region is the Alibaba Cloud region (e.g., "cn-hangzhou")
+	Region string
+	// EncryptedKey stores the data key in its encrypted form.
+	EncryptedKey string
+	// CreationDate is when this MasterKey was created.
+	CreationDate time.Time
+}
+
+// NewMasterKey creates a new MasterKey from a key arn string, setting
+// the creation date to the current date.
+func NewMasterKey(arn string) (*MasterKey, error) {
+	region, err := parseKeyArn(arn)
+	if err != nil {
+		return nil, err
+	}
+	return &MasterKey{
+		Arn:          arn,
+		Region:       region,
+		CreationDate: time.Now().UTC(),
+	}, nil
+}
+
+// NewMasterKeyFromKeyIDString takes a comma separated list of Alibaba Cloud KMS
+// key ARNs, and returns a slice of new MasterKeys.
+func NewMasterKeyFromKeyIDString(keyArn string) ([]*MasterKey, error) {
+	var keys []*MasterKey
+	if keyArn == "" {
+		return keys, nil
+	}
+	for _, s := range strings.Split(keyArn, ",") {
+		s = strings.TrimSpace(s)
+		if s == "" {
+			continue
+		}
+		k, err := NewMasterKey(s)
+		if err != nil {
+			return nil, err
+		}
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
+
+// parseKeyArn parse an Alibaba Cloud KMS key identifier, which can be a full ARN.
+func parseKeyArn(arn string) (string, error) {
+	re := regexp.MustCompile(arnRegex)
+	matches := re.FindStringSubmatch(arn)
+	if len(matches) != 3 {
+		return "", fmt.Errorf("invalid ACS KMS key ARN: %s", arn)
+	}
+
+	return matches[1], nil
+}
+
+// Encrypt encrypts the data key using Alibaba Cloud KMS.
+func (key *MasterKey) Encrypt(dataKey []byte) error {
+	client, err := key.getClient()
+	if err != nil {
+		return err
+	}
+
+	request := &kmssdk.EncryptRequest{
+		KeyId:     tea.String(key.Arn),
+		Plaintext: tea.String(base64.StdEncoding.EncodeToString(dataKey)),
+	}
+
+	resp, err := client.Encrypt(request)
+	if err != nil {
+		return fmt.Errorf("acskms encrypt error: %v", err)
+	}
+
+	key.EncryptedKey = *resp.Body.CiphertextBlob
+	return nil
+}
+
+// Decrypt decrypts the data key using Alibaba Cloud KMS.
+func (key *MasterKey) Decrypt() ([]byte, error) {
+	client, err := key.getClient()
+	if err != nil {
+		return nil, err
+	}
+
+	request := &kmssdk.DecryptRequest{
+		CiphertextBlob: tea.String(key.EncryptedKey),
+	}
+	// If an endpoint is manually set (e.g. KMS Instance), we might need to rely on the SDK's behavior.
+	// The standard SDK usually works fine with CiphertextBlob.
+
+	resp, err := client.Decrypt(request)
+	if err != nil {
+		return nil, fmt.Errorf("acskms decrypt error: %v", err)
+	}
+
+	return base64.StdEncoding.DecodeString(*resp.Body.Plaintext)
+}
+
+// EncryptIfNeeded encrypts the data key if it's not already encrypted.
+func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
+	if key.EncryptedKey == "" {
+		return key.Encrypt(dataKey)
+	}
+	return nil
+}
+
+// EncryptedDataKey returns the encrypted data key.
+func (key *MasterKey) EncryptedDataKey() []byte {
+	return []byte(key.EncryptedKey)
+}
+
+// SetEncryptedDataKey sets the encrypted data key.
+func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
+	key.EncryptedKey = string(enc)
+}
+
+// NeedsRotation checks if the key needs rotation.
+func (key *MasterKey) NeedsRotation() bool {
+	return false
+}
+
+// ToString returns the string representation of the key.
+func (key *MasterKey) ToString() string {
+	return key.Arn
+}
+
+// ToMap returns the map representation of the key.
+func (key *MasterKey) ToMap() map[string]interface{} {
+	return map[string]interface{}{
+		"arn":        key.Arn,
+		"created_at": key.CreationDate.UTC().Format(time.RFC3339),
+		"enc":        key.EncryptedKey,
+	}
+}
+
+// TypeToIdentifier returns the type identifier of the key.
+func (key *MasterKey) TypeToIdentifier() string {
+	return KeyTypeIdentifier
+}
+
+// getClient returns a new Alibaba Cloud KMS client.
+func (key *MasterKey) getClient() (*kmssdk.Client, error) {
+	cred, err := credentials.NewCredential(nil)
+	if err != nil {
+		return nil, fmt.Errorf("acskms credential error: %v", err)
+	}
+
+	config := &openapi.Config{
+		Credential: cred,
+		RegionId:   tea.String(key.Region),
+	}
+
+	if endpoint := os.Getenv("SOPS_ACSKMS_INSTANCE_ENDPOINT"); endpoint != "" {
+		config.Endpoint = tea.String(endpoint)
+	} else if key.Region != "" {
+		config.Endpoint = tea.String(fmt.Sprintf("kms.%s.aliyuncs.com", key.Region))
+	}
+
+	if caFile := os.Getenv("SOPS_ACSKMS_CA_FILE"); caFile != "" {
+		caContent, err := os.ReadFile(caFile)
+		if err == nil {
+			config.Ca = tea.String(string(caContent))
+		} else {
+			log.Warnf("Failed to read CA file %s: %v", caFile, err)
+		}
+	}
+
+	client, err := kmssdk.NewClient(config)
+	if err != nil {
+		return nil, fmt.Errorf("acskms client error: %v", err)
+	}
+	return client, nil
+}
+
+// ApplyToMasterKey applies the key parameters to the MasterKey.
+// Helper to reconstruct key from map.
+func (key *MasterKey) ApplyToMasterKey(k keys.MasterKey) {
+	// Not strictly needed for basic interface but good to have parity
+}