-
Notifications
You must be signed in to change notification settings - Fork 791
/
provider.go
87 lines (71 loc) · 2.36 KB
/
provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
package gcp_kms
import (
"context"
"crypto/rand"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/googleapis/gax-go/v2"
"github.com/opentofu/opentofu/internal/encryption/keyprovider"
)
type keyMeta struct {
Ciphertext []byte `json:"ciphertext"`
}
func (m keyMeta) isPresent() bool {
return len(m.Ciphertext) != 0
}
type keyManagementClient interface {
Encrypt(ctx context.Context, req *kmspb.EncryptRequest, opts ...gax.CallOption) (*kmspb.EncryptResponse, error)
Decrypt(ctx context.Context, req *kmspb.DecryptRequest, opts ...gax.CallOption) (*kmspb.DecryptResponse, error)
}
type keyProvider struct {
svc keyManagementClient
ctx context.Context
keyName string
keyLength int
}
func (p keyProvider) Provide(rawMeta keyprovider.KeyMeta) (keyprovider.Output, keyprovider.KeyMeta, error) {
if rawMeta == nil {
return keyprovider.Output{}, nil, &keyprovider.ErrInvalidMetadata{Message: "bug: no metadata struct provided"}
}
inMeta, ok := rawMeta.(*keyMeta)
if !ok {
return keyprovider.Output{}, nil, &keyprovider.ErrInvalidMetadata{Message: "bug: invalid metadata struct type"}
}
outMeta := &keyMeta{}
out := keyprovider.Output{}
// Generate new key
out.EncryptionKey = make([]byte, p.keyLength)
_, err := rand.Read(out.EncryptionKey)
if err != nil {
return out, outMeta, &keyprovider.ErrKeyProviderFailure{
Message: "failed to generate key",
Cause: err,
}
}
// Encrypt new encryption key using kms
encryptedKeyData, err := p.svc.Encrypt(p.ctx, &kmspb.EncryptRequest{
Name: p.keyName,
Plaintext: out.EncryptionKey,
})
if err != nil {
return out, outMeta, &keyprovider.ErrKeyProviderFailure{
Message: "failed to encrypt key",
Cause: err,
}
}
outMeta.Ciphertext = encryptedKeyData.Ciphertext
// We do not set the DecryptionKey here as we should only be setting the decryption key if we are decrypting
// and that is handled below when we check if the inMeta has a CiphertextBlob
if inMeta.isPresent() {
// We have an existing decryption key to decrypt, so we should now populate the DecryptionKey
decryptedKeyData, decryptErr := p.svc.Decrypt(p.ctx, &kmspb.DecryptRequest{
Name: p.keyName,
Ciphertext: inMeta.Ciphertext,
})
if decryptErr != nil {
return out, outMeta, decryptErr
}
// Set decryption key on the output
out.DecryptionKey = decryptedKeyData.Plaintext
}
return out, outMeta, nil
}