author | Mike Crute <mike@crute.us> | 2023-02-28 20:02:58 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2023-02-28 20:02:58 -0800 |
commit | 14a8d74efed00c13bd59e2ff9adc0b743803535d (patch) | |
tree | 2642faa720d6103ed23c07ec60230cee0dd58a38 | |
parent | 3c13745d23b7474b87346fb60903d4dec600fd34 (diff) | |
download | golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.tar.bz2 golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.tar.xz golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.zip |
secrets: support encrypt/decryptsecrets/v0.4.0
-rw-r--r-- | secrets/client.go | 2 | ||||
-rw-r--r-- | secrets/config_file_client.go | 8 | ||||
-rw-r--r-- | secrets/noop_client.go | 8 | ||||
-rw-r--r-- | secrets/vault_client.go | 32 |
4 files changed, 50 insertions, 0 deletions
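--- a/secrets/client.go
+++ b/secrets/client.go
@@ -76,6 +76,8 @@ type Client interface {
 AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)
 AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)
 WriteSecret(ctx context.Context, suffix string, out any) error
+Encrypt(ctx context.Context, suffix string, data []byte) (string, error)
+Decrypt(ctx context.Context, suffix, data string) ([]byte, error)
 Destroy(Handle) error
 MakeNonCritical(Handle) error
 }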
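Review bot: Encrypt and Decrypt are added to the Client interface without doc comments, and the contract they imply is not obvious from the signatures: in the Vault implementation of this commit, suffix selects the key under the transit mount, Encrypt returns the backend's ciphertext string, and Decrypt takes that string back. Suggest `// Encrypt encrypts data with the key named by suffix and returns an opaque ciphertext string that only Decrypt on the same client can reverse.` and `// Decrypt reverses Encrypt; data is the ciphertext string Encrypt returned.` Naming the Decrypt parameter ciphertext rather than data would also stop it from reading as plaintext next to Encrypt's data. The Client interface declaration starts before this hunk.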
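--- a/secrets/config_file_client.go
+++ b/secrets/config_file_client.go
@@ -127,6 +127,14 @@ func (c *ConfigFileClient) WriteSecret(ctx context.Context, path string, in any)
 return nil
 }
 
+func (c *ConfigFileClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+return "", nil
+}
+
+func (c *ConfigFileClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+return nil, nil
+}
+
 func (c *ConfigFileClient) Destroy(h Handle) error {
 return nil
 }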
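Review bot: ConfigFileClient.Encrypt returns an empty string with a nil error and Decrypt returns a nil slice with a nil error, so a caller cannot tell "encrypted successfully" from "this backend does not encrypt"; the plaintext handed to Encrypt is silently dropped and anything stored as its ciphertext is empty. If the file-backed client has no encryption support the methods should say so: `return "", errors.New("Encrypt: not supported by ConfigFileClient")` and `return nil, errors.New("Decrypt: not supported by ConfigFileClient")` (adding the errors import if this file does not already have it). NoopClient in secrets/noop_client.go adds the same two stubs; if no-op behaviour is intentional there, a comment on each stating that the returned value is not a real ciphertext would at least make that explicit.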
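--- a/secrets/noop_client.go
+++ b/secrets/noop_client.go
@@ -54,6 +54,14 @@ func (c *NoopClient) WriteSecret(ctx context.Context, path string, in any) error
 return nil
 }
 
+func (c *NoopClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+return "", nil
+}
+
+func (c *NoopClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+return nil, nil
+}
+
 func (c *NoopClient) Destroy(h Handle) error {
 return nil
 }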
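--- a/secrets/vault_client.go
+++ b/secrets/vault_client.go
@@ -3,6 +3,7 @@ package secrets
 import (
 "container/heap"
 "context"
+"encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -436,6 +437,37 @@ func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) er
 return nil
 }
 
+func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+s, err := c.logical.WriteWithContext(
+ctx,
+path.Join("transit/encrypt", suffix),
+map[string]any{"plaintext": base64.StdEncoding.EncodeToString(data)},
+)
+if err != nil {
+return "", fmt.Errorf("Encrypt: unable to write to vault: %w", err)
+}
+
+return s.Data["ciphertext"].(string), nil
+}
+
+func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+s, err := c.logical.WriteWithContext(
+ctx,
+path.Join("transit/decrypt", suffix),
+map[string]any{"ciphertext": data},
+)
+if err != nil {
+return nil, fmt.Errorf("Decrypt: unable to write to vault: %w", err)
+}
+
+d, err := base64.StdEncoding.DecodeString(s.Data["plaintext"].(string))
+if err != nil {
+return nil, fmt.Errorf("Decrypt: unable to base64 decode plaintext: %w", err)
+}
+
+return d, nil
+}
+
 func (c *VaultClient) Destroy(h Handle) error {
 c.Lock()
 defer c.Unlock()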
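Review bot: Both new methods read the response through an unchecked type assertion — `s.Data["ciphertext"].(string)` in Encrypt and `s.Data["plaintext"].(string)` in Decrypt — so a nil secret, a missing key or a non-string value panics the caller instead of returning an error, and as far as the hunk shows s is not checked for nil after WriteWithContext either. Guard the nil response and use the two-value assertion so these failures surface as errors; the errors package is already imported in this file. The hunk also relies on the path package, which is not among the imports this commit touches, so it presumably already exists in the file.
```go
func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
	// … unchanged: WriteWithContext call and error check …
	if s == nil {
		return "", errors.New("Encrypt: empty response from vault")
	}
	ct, ok := s.Data["ciphertext"].(string)
	if !ok {
		return "", errors.New("Encrypt: vault response has no ciphertext field")
	}
	return ct, nil
}

func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
	// … unchanged: WriteWithContext call and error check …
	if s == nil {
		return nil, errors.New("Decrypt: empty response from vault")
	}
	pt, ok := s.Data["plaintext"].(string)
	if !ok {
		return nil, errors.New("Decrypt: vault response has no plaintext field")
	}
	d, err := base64.StdEncoding.DecodeString(pt)
	// … unchanged: decode error check and return …
}
```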