package keyring
import (
"errors"
"fmt"
"os"
)
// ErrFieldRequired is the sentinel returned, wrapped with the name of the
// offending configuration field, when a mandatory [Config] value is empty.
// Callers match it with errors.Is.
var ErrFieldRequired = errors.New("field required")
// Keyring exposes the encryption/decryption keys used for credentials.
//
// Two implementations are referenced from this file: the file-backed
// [Service] built by [NewService], and a stub returned by NewStub (defined
// elsewhere in the package) when no key paths are configured.
type Keyring interface {
	// CredentialsEncryptorKey returns the key used to encrypt credentials values,
	// stored in accounts.
	CredentialsEncryptorKey() *NACLKey
	// CredentialsDecryptorKey returns the key used to decrypt credentials values,
	// stored in accounts.
	CredentialsDecryptorKey() *NACLKey
}
// Config used to setup a [Keyring] service.
//
// The mapstructure tags are the configuration field names reported in
// [ErrFieldRequired] errors; both paths must point at files that
// UnmarshalNACLKey can decode.
type Config struct {
	// EncryptorKeyPath is the file holding the credentials encryption key.
	EncryptorKeyPath string `mapstructure:"credentials_encryptor_key"`
	// DecryptorKeyPath is the file holding the credentials decryption key.
	DecryptorKeyPath string `mapstructure:"credentials_decryptor_key"`
}
// Service contains security keys used for various encryption or signing of
// critical assets.
//
// It is the file-backed [Keyring]; both keys are loaded once by [NewService]
// and never rotated afterwards within this type.
type Service struct {
	// credsEncryptor is the key decoded from Config.EncryptorKeyPath.
	credsEncryptor *NACLKey
	// credsDecryptor is the key decoded from Config.DecryptorKeyPath.
	credsDecryptor *NACLKey
}
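// NewFromConfig builds the [Keyring] selected by conf.
//
// When neither key path is configured the stub keyring from NewStub is
// returned. When at least one path is set the configuration is treated as
// intentional and handed to [NewService], which reports a missing
// counterpart as [ErrFieldRequired]; a half-configured deployment therefore
// fails at startup instead of silently running with stub keys.
//
// On error the returned Keyring is a true nil interface, not an interface
// wrapping a nil *Service.
func NewFromConfig(conf Config) (Keyring, error) {
	if conf.EncryptorKeyPath == "" && conf.DecryptorKeyPath == "" {
		return NewStub()
	}
	svc, err := NewService(conf)
	if err != nil {
		// Return an untyped nil: `return NewService(conf)` would box the nil
		// *Service into a non-nil Keyring, tripping `kr != nil` checks in callers.
		return nil, err
	}
	return svc, nil
}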
// NewService builds a file-backed [Keyring] from conf.
//
// Both key paths are mandatory; a missing one is reported as
// [ErrFieldRequired] wrapped with the configuration field name, before any
// file is touched. Each file is then read and decoded by decodeKeyFromPath,
// whose error is returned unchanged.
func NewService(conf Config) (*Service, error) {
	switch {
	case conf.EncryptorKeyPath == "":
		return nil, fmt.Errorf("credentials_encryptor_key: %w", ErrFieldRequired)
	case conf.DecryptorKeyPath == "":
		return nil, fmt.Errorf("credentials_decryptor_key: %w", ErrFieldRequired)
	}

	encKey, err := decodeKeyFromPath(conf.EncryptorKeyPath)
	if err != nil {
		return nil, err
	}
	decKey, err := decodeKeyFromPath(conf.DecryptorKeyPath)
	if err != nil {
		return nil, err
	}

	return &Service{
		credsEncryptor: encKey,
		credsDecryptor: decKey,
	}, nil
}
// CredentialsEncryptorKey returns the key decoded from Config.EncryptorKeyPath.
// The pointer is shared, not copied; callers must not mutate it.
func (s *Service) CredentialsEncryptorKey() *NACLKey {
	return s.credsEncryptor
}
// CredentialsDecryptorKey returns the key decoded from Config.DecryptorKeyPath.
// The pointer is shared, not copied; callers must not mutate it.
func (s *Service) CredentialsDecryptorKey() *NACLKey {
	return s.credsDecryptor
}
// decodeKeyFromPath reads the whole file at path and decodes it with
// UnmarshalNACLKey. Both the read and the decode error are wrapped; the
// read error carries the path so a misconfigured location is easy to spot.
//
// NOTE(review): the key file's ownership and mode are not checked here;
// whether that is enforced at deploy time is not visible from this file.
func decodeKeyFromPath(path string) (*NACLKey, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("failed to open file %q: %w", path, err)
	}

	key, err := UnmarshalNACLKey(raw)
	if err == nil {
		return key, nil
	}
	return nil, fmt.Errorf("failed to unmarshal NACL key: %w", err)
}