AZKV: Also allow to omit version for AZKV keys specified in key groups.

Signed-off-by: Felix Fontein <[email protected]>

Author: felixfontein

azkv/keysource.go

@@ -64,9 +64,9 @@ type MasterKey struct {
 	clientOptions *azkeys.ClientOptions
 }
 
-// NewMasterKey creates a new MasterKey from a URL, key name and version,
+// newMasterKey creates a new MasterKey from a URL, key name and version,
 // setting the creation date to the current date.
-func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey {
+func newMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey {
 	return &MasterKey{
 		VaultURL:     vaultURL,
 		Name:         keyName,
@@ -75,6 +75,14 @@ func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey
 	}
 }
 
+// NewMasterKey creates a new MasterKey from a URL, key name and (optional) version,
+// setting the creation date to the current date.
+func NewMasterKey(vaultURL string, keyName string, keyVersion string) (*MasterKey, error) {
+	key := newMasterKey(vaultURL, keyName, keyVersion)
+	err := key.ensureKeyHasVersion(context.Background())
+	return key, err
+}
+
 // NewMasterKeyFromURL takes an Azure Key Vault key URL, and returns a new
 // MasterKey. The URL format is {vaultUrl}/keys/{keyName}/{keyVersion}.
 func NewMasterKeyFromURL(url string) (*MasterKey, error) {
@@ -88,9 +96,9 @@ func NewMasterKeyFromURL(url string) (*MasterKey, error) {
 	// version of the key. We need to put the actual version in the sops metadata block though
 	var key *MasterKey
 	if len(parts[3]) > 1 {
-		key = NewMasterKey(parts[1], parts[2], parts[3][1:])
+		key = newMasterKey(parts[1], parts[2], parts[3][1:])
 	} else {
-		key = NewMasterKey(parts[1], parts[2], "")
+		key = newMasterKey(parts[1], parts[2], "")
 	}
 	err := key.ensureKeyHasVersion(context.Background())
 	return key, err

azkv/keysource_test.go

@@ -181,15 +181,15 @@ func TestMasterKey_EncryptIfNeeded(t *testing.T) {
 }
 
 func TestMasterKey_NeedsRotation(t *testing.T) {
-	key := NewMasterKey("", "", "")
+	key := newMasterKey("", "", "")
 	assert.False(t, key.NeedsRotation())
 
 	key.CreationDate = key.CreationDate.Add(-(azkvTTL + time.Second))
 	assert.True(t, key.NeedsRotation())
 }
 
 func TestMasterKey_ToString(t *testing.T) {
-	key := NewMasterKey("https://test.vault.azure.net", "key-name", "key-version")
+	key := newMasterKey("https://test.vault.azure.net", "key-name", "key-version")
 	assert.Equal(t, "https://test.vault.azure.net/keys/key-name/key-version", key.ToString())
 }
 

config/config.go

@@ -330,7 +330,11 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 		keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
 	}
 	for _, k := range group.AzureKV {
-		keyGroup = append(keyGroup, azkv.NewMasterKey(k.VaultURL, k.Key, k.Version))
+		if key, err := azkv.NewMasterKey(k.VaultURL, k.Key, k.Version); err == nil {
+			keyGroup = append(keyGroup, key)
+		} else {
+			return nil, err
+		}
 	}
 	for _, k := range group.Vault {
 		if masterKey, err := hcvault.NewMasterKeyFromURI(k); err == nil {