From 14a8d74efed00c13bd59e2ff9adc0b743803535d Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Tue, 28 Feb 2023 20:02:58 -0800
Subject: secrets: support encrypt/decrypt

---
 secrets/client.go | 2 ++
 secrets/config_file_client.go | 8 ++++++++
 secrets/noop_client.go | 8 ++++++++
 secrets/vault_client.go | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+)

(limited to 'secrets')

diff --git a/secrets/client.go b/secrets/client.go
index aaa45d7..678a70d 100644
--- a/secrets/client.go
+++ b/secrets/client.go
@@ -76,6 +76,8 @@ type Client interface {
 	AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)
 	AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)
 	WriteSecret(ctx context.Context, suffix string, out any) error
+	Encrypt(ctx context.Context, suffix string, data []byte) (string, error)
+	Decrypt(ctx context.Context, suffix, data string) ([]byte, error)
 	Destroy(Handle) error
 	MakeNonCritical(Handle) error
 }
diff --git a/secrets/config_file_client.go b/secrets/config_file_client.go
index ef2907e..b3c8620 100644
--- a/secrets/config_file_client.go
+++ b/secrets/config_file_client.go
@@ -127,6 +127,14 @@ func (c *ConfigFileClient) WriteSecret(ctx context.Context, path string, in any)
 	return nil
 }
 
+func (c *ConfigFileClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+	return "", nil
+}
+
+func (c *ConfigFileClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+	return nil, nil
+}
+
 func (c *ConfigFileClient) Destroy(h Handle) error {
 	return nil
 }
diff --git a/secrets/noop_client.go b/secrets/noop_client.go
index e727e51..1b6b72b 100644
--- a/secrets/noop_client.go
+++ b/secrets/noop_client.go
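Review bot: The two methods added to the `Client` interface carry no doc comments, so a caller cannot tell from the interface what `suffix` selects, what the returned string holds, or that Decrypt's `data` is the value Encrypt produced. Suggest `// Encrypt encrypts data under the key selected by suffix and returns an opaque ciphertext string accepted by Decrypt.` above Encrypt and `// Decrypt reverses Encrypt for a ciphertext produced under the same suffix.` above Decrypt. Naming Decrypt's second parameter `ciphertext` instead of `data` would make the pairing self-describing and avoid the `[]byte`/`string` confusion with Encrypt's `data`. The earlier methods of the interface lie outside the hunk.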
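Review bot: `ConfigFileClient.Encrypt` returns `"", nil` and `Decrypt` returns `nil, nil`, so a caller that persists the returned "ciphertext" stores an empty string and believes the operation succeeded, and a later Decrypt silently yields no plaintext; the NoopClient hunk in secrets/noop_client.go has the same shape. An operation this backend cannot perform should fail explicitly rather than return a success with empty output: `return "", errors.New("Encrypt: not supported by ConfigFileClient")` and `return nil, errors.New("Decrypt: not supported by ConfigFileClient")`, or one sentinel error shared by both non-Vault clients. Whether this file already imports `errors` is not visible in the hunk.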
@@ -54,6 +54,14 @@ func (c *NoopClient) WriteSecret(ctx context.Context, path string, in any) error
 	return nil
 }
 
+func (c *NoopClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+	return "", nil
+}
+
+func (c *NoopClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+	return nil, nil
+}
+
 func (c *NoopClient) Destroy(h Handle) error {
 	return nil
 }
diff --git a/secrets/vault_client.go b/secrets/vault_client.go
index b84b344..9d4b772 100644
--- a/secrets/vault_client.go
+++ b/secrets/vault_client.go
@@ -3,6 +3,7 @@ package secrets
 import (
 	"container/heap"
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -436,6 +437,37 @@ func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) er
 	return nil
 }
 
+func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
+	s, err := c.logical.WriteWithContext(
+		ctx,
+		path.Join("transit/encrypt", suffix),
+		map[string]any{"plaintext": base64.StdEncoding.EncodeToString(data)},
+	)
+	if err != nil {
+		return "", fmt.Errorf("Encrypt: unable to write to vault: %w", err)
+	}
+
+	return s.Data["ciphertext"].(string), nil
+}
+
+func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
+	s, err := c.logical.WriteWithContext(
+		ctx,
+		path.Join("transit/decrypt", suffix),
+		map[string]any{"ciphertext": data},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("Decrypt: unable to write to vault: %w", err)
+	}
+
+	d, err := base64.StdEncoding.DecodeString(s.Data["plaintext"].(string))
+	if err != nil {
+		return nil, fmt.Errorf("Decrypt: unable to base64 decode plaintext: %w", err)
+	}
+
+	return d, nil
+}
+
 func (c *VaultClient) Destroy(h Handle) error {
 	c.Lock()
 	defer c.Unlock()
-- 
cgit v1.2.3
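Review bot: `s.Data["ciphertext"].(string)` in VaultClient.Encrypt and `s.Data["plaintext"].(string)` in VaultClient.Decrypt are single-value type assertions on a response the caller does not control, so a missing key, a non-string value, or a nil `*Secret` (which, as I recall, the Vault API client returns for an empty response) panics the process instead of surfacing an error. Both should use the two-value assertion and return an error, and a nil `s` or `s.Data` should be rejected before indexing; `errors` is already imported by this file, as the context line in the import hunk shows. The rewritten tails of both methods follow; the WriteWithContext calls and their error checks are unchanged.
```go
func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) {
	// … unchanged: WriteWithContext call and its error check …
	if s == nil || s.Data == nil {
		return "", errors.New("Encrypt: empty response from vault")
	}
	ct, ok := s.Data["ciphertext"].(string)
	if !ok || ct == "" {
		return "", errors.New("Encrypt: vault response has no ciphertext")
	}
	return ct, nil
}

func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) {
	// … unchanged: WriteWithContext call and its error check …
	if s == nil || s.Data == nil {
		return nil, errors.New("Decrypt: empty response from vault")
	}
	pt, ok := s.Data["plaintext"].(string)
	if !ok {
		return nil, errors.New("Decrypt: vault response has no plaintext")
	}
	d, err := base64.StdEncoding.DecodeString(pt)
	// … unchanged: decode error check and return …
}
```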