-
Notifications
You must be signed in to change notification settings - Fork 278
/
oidc_key_version.go
122 lines (109 loc) · 3.78 KB
/
oidc_key_version.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package kms
import (
"context"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/kms/store"
wrapping "github.com/hashicorp/go-kms-wrapping"
"github.com/hashicorp/go-kms-wrapping/structwrapping"
"google.golang.org/protobuf/proto"
)
const (
DefaultOidcKeyVersionTableName = "kms_oidc_key_version"
)
type OidcKeyVersion struct {
*store.OidcKeyVersion
tableName string `gorm:"-"`
}
// NewOidcKeyVersion creates a new in memory oidc key version. This key is used
// to encrypt oidc state before it's included in the oidc auth url. No options
// are currently supported.
func NewOidcKeyVersion(oidcKeyId string, key []byte, rootKeyVersionId string, _ ...Option) (*OidcKeyVersion, error) {
const op = "kms.NewOidcKeyVersion"
if oidcKeyId == "" {
return nil, errors.New(errors.InvalidParameter, op, "missing oidc key id")
}
if len(key) == 0 {
return nil, errors.New(errors.InvalidParameter, op, "missing key")
}
if rootKeyVersionId == "" {
return nil, errors.New(errors.InvalidParameter, op, "missing root key version id")
}
k := &OidcKeyVersion{
OidcKeyVersion: &store.OidcKeyVersion{
OidcKeyId: oidcKeyId,
RootKeyVersionId: rootKeyVersionId,
Key: key,
},
}
return k, nil
}
// AllocOidcKeyVersion allocates a OidcKeyVersion
func AllocOidcKeyVersion() OidcKeyVersion {
return OidcKeyVersion{
OidcKeyVersion: &store.OidcKeyVersion{},
}
}
// Clone creates a clone of the OidcKeyVersion
func (k *OidcKeyVersion) Clone() interface{} {
cp := proto.Clone(k.OidcKeyVersion)
return &OidcKeyVersion{
OidcKeyVersion: cp.(*store.OidcKeyVersion),
}
}
// VetForWrite implements db.VetForWrite() interface and validates the oidc key
// version before it's written.
func (k *OidcKeyVersion) VetForWrite(ctx context.Context, r db.Reader, opType db.OpType, opt ...db.Option) error {
const op = "kms.(OidcKeyVersion).VetForWrite"
if k.PrivateId == "" {
return errors.New(errors.InvalidParameter, op, "missing private id")
}
switch opType {
case db.CreateOp:
if k.CtKey == nil {
return errors.New(errors.InvalidParameter, op, "missing key")
}
if k.OidcKeyId == "" {
return errors.New(errors.InvalidParameter, op, "missing oidc key id")
}
if k.RootKeyVersionId == "" {
return errors.New(errors.InvalidParameter, op, "missing root key version id")
}
case db.UpdateOp:
return errors.New(errors.InvalidParameter, op, "key is immutable")
}
return nil
}
// TableName returns the tablename to override the default gorm table name
func (k *OidcKeyVersion) TableName() string {
if k.tableName != "" {
return k.tableName
}
return DefaultOidcKeyVersionTableName
}
// SetTableName sets the tablename and satisfies the ReplayableMessage
// interface. If the caller attempts to set the name to "" the name will be
// reset to the default name.
func (k *OidcKeyVersion) SetTableName(n string) {
k.tableName = n
}
// Encrypt will encrypt the oidc key version's key
func (k *OidcKeyVersion) Encrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "kms.(OidcKeyVersion).Encrypt"
// structwrapping doesn't support embedding, so we'll pass in the
// store.OidcKeyVersion directly
if err := structwrapping.WrapStruct(ctx, cipher, k.OidcKeyVersion, nil); err != nil {
return errors.Wrap(err, op, errors.WithCode(errors.Encrypt))
}
return nil
}
// Decrypt will decrypt the oidc key version's key
func (k *OidcKeyVersion) Decrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "kms.(OidcKeyVersion).Decrypt"
// structwrapping doesn't support embedding, so we'll pass in the
// store.OidcKeyVersion directly
if err := structwrapping.UnwrapStruct(ctx, cipher, k.OidcKeyVersion, nil); err != nil {
return errors.Wrap(err, op, errors.WithCode(errors.Decrypt))
}
return nil
}