package flow
import (
"github.com/opentofu/opentofu/internal/states/statecrypto/cryptoconfig"
"log"
)
// Decrypt loads the primary and fallback state encryption configurations and
// decrypts stateJson with those that enabledCondition accepts.
//
// When the configuration itself cannot be loaded, the problem is logged and
// stateJson is returned unchanged together with the configuration error.
// Everything else is delegated to decryptWithConfigs.
func Decrypt(stateJson []byte, enabledCondition func(config cryptoconfig.Config) bool) ([]byte, error) {
	primary, fallback, cfgErr := Configurations()
	if cfgErr != nil {
		log.Printf("[ERROR] failed to decrypt state because configuration was invalid, bailing out")
		log.Printf("[TRACE] state decryption configuration error was: %s", cfgErr)
		return stateJson, cfgErr
	}

	// Evaluate the condition for the primary configuration first, then the
	// fallback, so any side effects of enabledCondition keep the same order.
	usePrimary := enabledCondition(primary)
	useFallback := enabledCondition(fallback)

	return decryptWithConfigs(stateJson, primary, usePrimary, fallback, useFallback)
}
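// decryptWithConfigs decrypts stateJson with the primary configuration when
// primaryEnabled is set, and tries the fallback configuration when
// fallbackEnabled is set and either no primary is enabled or the primary
// attempt failed. When neither configuration is enabled the state is passed
// through unchanged.
//
// On success the decrypted state is returned with a nil error. On failure an
// empty slice is returned together with the error of the last attempt, so a
// caller never receives still-encrypted or partially processed state in the
// error case.
func decryptWithConfigs(
	stateJson []byte,
	primary cryptoconfig.Config,
	primaryEnabled bool,
	fallback cryptoconfig.Config,
	fallbackEnabled bool,
) ([]byte, error) {
	switch {
	case primaryEnabled:
		candidate, err := attemptDecryption(stateJson, primary)
		if err == nil {
			log.Printf("[TRACE] successfully decrypted state using primary configuration, input %d bytes, output %d bytes", len(stateJson), len(candidate))
			return candidate, nil
		}
		if !fallbackEnabled {
			log.Printf("[TRACE] failed to decrypt state with primary configuration. Error for primary was: %s", err)
			log.Printf("[ERROR] failed to decrypt state with primary configuration and no fallback configured, bailing out")
			return []byte{}, err
		}
		log.Printf("[TRACE] failed to decrypt state with primary configuration, now trying fallback. Error for primary was: %s", err)
		candidate2, err2 := attemptDecryption(stateJson, fallback)
		if err2 != nil {
			// Log the fallback's own error here; the primary error was already
			// logged above. Logging err instead of err2 would hide why the
			// fallback failed and make the two attempts indistinguishable.
			log.Printf("[TRACE] failed to decrypt state with fallback configuration. Error for fallback was: %s", err2)
			log.Printf("[ERROR] failed to decrypt state with both primary and fallback configuration, bailing out")
			return []byte{}, err2
		}
		log.Printf("[TRACE] successfully decrypted state using fallback configuration, input %d bytes, output %d bytes", len(stateJson), len(candidate2))
		return candidate2, nil

	case fallbackEnabled:
		candidate, err := attemptDecryption(stateJson, fallback)
		if err != nil {
			log.Printf("[TRACE] failed to decrypt state with fallback configuration (no primary configured). Error for fallback was: %s", err)
			log.Printf("[ERROR] failed to decrypt state with fallback configuration and no primary configuration available, bailing out")
			return []byte{}, err
		}
		log.Printf("[TRACE] successfully decrypted state using fallback configuration (no primary configured), input %d bytes, output %d bytes", len(stateJson), len(candidate))
		return candidate, nil

	default:
		log.Printf("[TRACE] no decryption configured, passing through state unchanged")
		return stateJson, nil
	}
}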
// attemptDecryption builds the method stack described by config and runs its
// Decrypt over stateJson.
//
// If the stack cannot be built, stateJson is returned unchanged alongside the
// build error. Otherwise the stack's output and error are returned as-is; the
// stack's middle result is not needed by this caller and is discarded.
func attemptDecryption(stateJson []byte, config cryptoconfig.Config) ([]byte, error) {
	stack, buildErr := buildMethodStack(config)
	if buildErr != nil {
		return stateJson, buildErr
	}

	decrypted, _, decryptErr := stack.Decrypt(stateJson, config)
	return decrypted, decryptErr
}