fix: use base64 for gcp encrypted kms

loopingz · Jan 18, 2024 · ac44466 · ac44466
1 parent 38a13fa
commit ac44466
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 8 deletions.
diff --git a/docs/pages/Concepts/ConfigurationService.md b/docs/pages/Concepts/ConfigurationService.md
@@ -55,3 +55,37 @@ This is the general process if the ConfigurationProvider can trigger, it will be
 - Every {@link Store} as it is designed in the parent class
 - {@link FileConfiguration} to simply use a file as configuration
 - {@link KubernetesConfiguration} to simply use Kubernetes Secrets or ConfigMap
+
+## String Encryption
+
+Configuration file can be encrypted using the `encrypt` command.
+
+Several modes are available:
+
+- `gcp`: encrypted using a GCP KMS key (@webda/gcp required)
+- `local`: encrypted using local machine id
+- `password`: encrypted using a password (@webda/runtime required)
+
+### How to use
+
+Prefix the string you want to encrypt with the mode you want to use.
+
+```config.json
+{
+	"mysecret": "encrypt:gcp:mysecret"
+}
+```
+
+Then run the command
+
+```
+webda config-encrypt config.json
+```
+
+If you need to migrate you can use, it will reencrypt all the encrypted strings with the new mode
+
+```
+webda config-encrypt --migrate gcp config.json
+```
+
+To define default KMS key for GCP use `WEBDA_GCP_KMS_KEY=projects/myproject/locations/us-central-1/keyRings/mykeyring/cryptoKeys/mykey` environment variable.
diff --git a/packages/gcp/src/services/kms.spec.ts b/packages/gcp/src/services/kms.spec.ts
@@ -37,7 +37,7 @@ class KMSTest extends WebdaSimpleTest {
       "my-key-ring",
       "my-key"
     ]);
-    assert.strictEqual(encoded.split(":").pop(), "ciphertext");
+    assert.strictEqual(encoded.split(":").pop(), "Y2lwaGVydGV4dA==");
     let decoded = await service.decrypt(encoded);
     assert.strictEqual(decoded, "plaintext");
     assert.rejects(() => service.decrypt(Buffer.from("test:plop").toString("base64") + ":test"));

diff --git a/packages/gcp/src/services/kms.ts b/packages/gcp/src/services/kms.ts
@@ -15,12 +15,14 @@ const encrypter = {
     return (
       Buffer.from(infos.join(":")).toString("base64") +
       ":" +
-      (
-        await client.encrypt({
-          name: key,
-          plaintext: Buffer.from(data)
-        })
-      )[0].ciphertext
+      Buffer.from(
+        (
+          await client.encrypt({
+            name: key,
+            plaintext: Buffer.from(data)
+          })
+        )[0].ciphertext
+      ).toString("base64")
     );
   },
   decrypt: async (data: string): Promise<string> => {
@@ -34,7 +36,7 @@ const encrypter = {
     return <string>(
       await client.decrypt({
         name: `projects/${infos[0]}/locations/${infos[1]}/keyRings/${infos[2]}/cryptoKeys/${infos[3]}`,
-        ciphertext: Buffer.from(data.substring(data.indexOf(":") + 1))
+        ciphertext: Buffer.from(data.substring(data.indexOf(":") + 1), "base64")
       })
     )[0].plaintext;
   }