-
Notifications
You must be signed in to change notification settings - Fork 278
/
session_key_version.go
118 lines (105 loc) · 3.7 KB
/
session_key_version.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package kms
import (
"context"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/kms/store"
wrapping "github.com/hashicorp/go-kms-wrapping"
"github.com/hashicorp/go-kms-wrapping/structwrapping"
"google.golang.org/protobuf/proto"
)
const (
DefaultSessionKeyVersionTableName = "kms_session_key_version"
)
type SessionKeyVersion struct {
*store.SessionKeyVersion
tableName string `gorm:"-"`
}
// SessionKeyVersion creates a new in memory key version. No options are
// currently supported.
func NewSessionKeyVersion(sessionKeyId string, key []byte, rootKeyVersionId string, _ ...Option) (*SessionKeyVersion, error) {
const op = "kms.NewSessionKeyVersion"
if sessionKeyId == "" {
return nil, errors.New(errors.InvalidParameter, op, "missing session key id")
}
if len(key) == 0 {
return nil, errors.New(errors.InvalidParameter, op, "missing key")
}
if rootKeyVersionId == "" {
return nil, errors.New(errors.InvalidParameter, op, "missing root key version id")
}
k := &SessionKeyVersion{
SessionKeyVersion: &store.SessionKeyVersion{
SessionKeyId: sessionKeyId,
RootKeyVersionId: rootKeyVersionId,
Key: key,
},
}
return k, nil
}
// AllocSessionKeyVersion allocates a key version
func AllocSessionKeyVersion() SessionKeyVersion {
return SessionKeyVersion{
SessionKeyVersion: &store.SessionKeyVersion{},
}
}
// Clone creates a clone of the key version
func (k *SessionKeyVersion) Clone() interface{} {
cp := proto.Clone(k.SessionKeyVersion)
return &SessionKeyVersion{
SessionKeyVersion: cp.(*store.SessionKeyVersion),
}
}
// VetForWrite implements db.VetForWrite() interface and validates the key
// version before it's written.
func (k *SessionKeyVersion) VetForWrite(ctx context.Context, r db.Reader, opType db.OpType, opt ...db.Option) error {
const op = "kms.(SessionKeyVersion).VetForWrite"
if k.PrivateId == "" {
return errors.New(errors.InvalidParameter, op, "missing private id")
}
if opType == db.CreateOp {
if k.CtKey == nil {
return errors.New(errors.InvalidParameter, op, "missing key")
}
if k.SessionKeyId == "" {
return errors.New(errors.InvalidParameter, op, "missing session key id")
}
if k.RootKeyVersionId == "" {
return errors.New(errors.InvalidParameter, op, "missing root key version id")
}
}
return nil
}
// TableName returns the tablename to override the default gorm table name
func (k *SessionKeyVersion) TableName() string {
if k.tableName != "" {
return k.tableName
}
return DefaultSessionKeyVersionTableName
}
// SetTableName sets the tablename and satisfies the ReplayableMessage
// interface. If the caller attempts to set the name to "" the name will be
// reset to the default name.
func (k *SessionKeyVersion) SetTableName(n string) {
k.tableName = n
}
// Encrypt will encrypt the key version's key
func (k *SessionKeyVersion) Encrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "kms.(SessionKeyVersion).Encrypt"
// structwrapping doesn't support embedding, so we'll pass in the
// store.SessionKeyVersion directly
if err := structwrapping.WrapStruct(ctx, cipher, k.SessionKeyVersion, nil); err != nil {
return errors.Wrap(err, op, errors.WithCode(errors.Encrypt))
}
return nil
}
// Decrypt will decrypt the key version's key
func (k *SessionKeyVersion) Decrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "kms.(SessionKeyVersion).Decrypt"
// structwrapping doesn't support embedding, so we'll pass in the
// store.SessionKeyVersion directly
if err := structwrapping.UnwrapStruct(ctx, cipher, k.SessionKeyVersion, nil); err != nil {
return errors.Wrap(err, op, errors.WithCode(errors.Decrypt))
}
return nil
}