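package storage

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"

	"github.com/kyma-project/kyma-environment-broker/internal"
)

// ErrCipherTextTooShort is returned by Decrypt when the base64-decoded input
// is shorter than one AES block, i.e. does not even hold a full IV.
var ErrCipherTextTooShort = errors.New("cipher text is too short")

// NewEncrypter returns an Encrypter that uses secretKey as the raw AES key.
//
// The key is not validated here: aes.NewCipher is only invoked inside Encrypt
// and Decrypt, so a key whose length is not 16, 24 or 32 bytes surfaces as an
// error on the first call to either of them rather than at construction time.
func NewEncrypter(secretKey string) *Encrypter {
	return &Encrypter{key: []byte(secretKey)}
}

// Encrypter encrypts and decrypts byte slices with AES in CFB mode.
//
// CFB provides confidentiality only. Nothing in the produced value
// authenticates the ciphertext, so a modified or truncated value is not
// detected as such by Decrypt; the only thing that tends to catch corruption
// or a wrong key is the base64 decode of the decrypted payload, which is a
// format check, not a cryptographic one. Callers that need integrity must add
// it separately.
type Encrypter struct {
	key []byte
}

// Encrypt encrypts obj and returns the result as base64 text.
//
// Layout of the output before the outer base64 encoding:
//
//	[16-byte random IV][CFB(base64(obj))]
//
// The plaintext is itself base64-encoded before encryption. That inner
// encoding is part of the format Decrypt expects, so it cannot be dropped
// without a matching change there and a migration of any values already
// produced by this function. A fresh IV is read from crypto/rand on every
// call, so encrypting the same obj twice yields different output.
//
// It returns an error if the key length is invalid or the IV cannot be read.
func (e *Encrypter) Encrypt(obj []byte) ([]byte, error) {
	block, err := aes.NewCipher(e.key)
	if err != nil {
		return nil, err
	}
	inner := base64.StdEncoding.EncodeToString(obj)
	// One buffer holds IV and ciphertext back to back; the IV occupies the
	// first block and the encrypted payload follows it.
	out := make([]byte, aes.BlockSize+len(inner))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(out[aes.BlockSize:], []byte(inner))

	return []byte(base64.StdEncoding.EncodeToString(out)), nil
}

// Decrypt reverses Encrypt: it base64-decodes obj, splits off the leading IV,
// decrypts the remainder with CFB and base64-decodes the result.
//
// Errors are returned for malformed base64 input, an invalid key length, input
// shorter than one AES block (ErrCipherTextTooShort), and a decrypted payload
// that is not valid base64, which is what a wrong key or a tampered value
// usually produces. The obj slice itself is not modified; decryption happens
// on the decoded copy.
func (e *Encrypter) Decrypt(obj []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(string(obj))
	if err != nil {
		return nil, fmt.Errorf("while decoding input object: %w", err)
	}
	block, err := aes.NewCipher(e.key)
	if err != nil {
		return nil, err
	}
	if len(raw) < aes.BlockSize {
		return nil, ErrCipherTextTooShort
	}
	iv, body := raw[:aes.BlockSize], raw[aes.BlockSize:]
	// In-place decryption is safe: body is our own copy from DecodeString.
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(body, body)
	data, err := base64.StdEncoding.DecodeString(string(body))
	if err != nil {
		return nil, fmt.Errorf("while decoding internal object: %w", err)
	}
	return data, nil
}

// encryptIfSet encrypts s with Encrypt, or returns "" unchanged when s is empty
// so that an unset field stays unset instead of becoming an encrypted blob.
func (e *Encrypter) encryptIfSet(s string) (string, error) {
	if s == "" {
		return "", nil
	}
	out, err := e.Encrypt([]byte(s))
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// decryptIfSet decrypts s with Decrypt, or returns "" unchanged when s is empty.
func (e *Encrypter) decryptIfSet(s string) (string, error) {
	if s == "" {
		return "", nil
	}
	out, err := e.Decrypt([]byte(s))
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// EncryptSMCreds replaces provisioningParameters.ErsContext.SMOperatorCredentials
// with a new credentials value whose ClientID and ClientSecret are encrypted;
// ServiceManagerURL, URL and XSAppName are copied unchanged. Empty ClientID or
// ClientSecret stay empty. It is a no-op when SMOperatorCredentials is nil, and
// on error provisioningParameters is left untouched.
//
// Nothing marks a value as already encrypted, so calling this twice encrypts
// the ciphertext again; the caller is responsible for calling it once.
func (e *Encrypter) EncryptSMCreds(provisioningParameters *internal.ProvisioningParameters) error {
	creds := provisioningParameters.ErsContext.SMOperatorCredentials
	if creds == nil {
		return nil
	}
	clientID, err := e.encryptIfSet(creds.ClientID)
	if err != nil {
		return fmt.Errorf("while encrypting ClientID: %w", err)
	}
	clientSecret, err := e.encryptIfSet(creds.ClientSecret)
	if err != nil {
		return fmt.Errorf("while encrypting ClientSecret: %w", err)
	}
	// A fresh struct is assigned rather than mutating creds in place, so any
	// other holder of the previous pointer keeps seeing the plaintext value.
	provisioningParameters.ErsContext.SMOperatorCredentials = &internal.ServiceManagerOperatorCredentials{
		ClientID:          clientID,
		ClientSecret:      clientSecret,
		ServiceManagerURL: creds.ServiceManagerURL,
		URL:               creds.URL,
		XSAppName:         creds.XSAppName,
	}
	return nil
}

// EncryptKubeconfig encrypts provisioningParameters.Parameters.Kubeconfig in
// place. An empty kubeconfig is left as is. On error the field is not changed.
func (e *Encrypter) EncryptKubeconfig(provisioningParameters *internal.ProvisioningParameters) error {
	if len(provisioningParameters.Parameters.Kubeconfig) == 0 {
		return nil
	}
	encryptedKubeconfig, err := e.Encrypt([]byte(provisioningParameters.Parameters.Kubeconfig))
	if err != nil {
		return fmt.Errorf("while encrypting kubeconfig: %w", err)
	}
	provisioningParameters.Parameters.Kubeconfig = string(encryptedKubeconfig)
	return nil
}

// DecryptSMCreds decrypts ClientID and ClientSecret of
// provisioningParameters.ErsContext.SMOperatorCredentials in place (the
// existing credentials struct is mutated, not replaced). It is a no-op when
// SMOperatorCredentials is nil. Empty fields are skipped, and a field whose
// decrypted value is empty is left holding its original content.
//
// Both fields are decrypted before either is written, so an error on
// ClientSecret leaves ClientID untouched as well.
func (e *Encrypter) DecryptSMCreds(provisioningParameters *internal.ProvisioningParameters) error {
	creds := provisioningParameters.ErsContext.SMOperatorCredentials
	if creds == nil {
		return nil
	}
	clientID, err := e.decryptIfSet(creds.ClientID)
	if err != nil {
		return fmt.Errorf("while decrypting ClientID: %w", err)
	}
	clientSecret, err := e.decryptIfSet(creds.ClientSecret)
	if err != nil {
		return fmt.Errorf("while decrypting ClientSecret: %w", err)
	}
	if clientID != "" {
		creds.ClientID = clientID
	}
	if clientSecret != "" {
		creds.ClientSecret = clientSecret
	}
	return nil
}

// DecryptKubeconfig decrypts provisioningParameters.Parameters.Kubeconfig in
// place. An empty kubeconfig is left as is. On error the field is not changed.
func (e *Encrypter) DecryptKubeconfig(provisioningParameters *internal.ProvisioningParameters) error {
	if len(provisioningParameters.Parameters.Kubeconfig) == 0 {
		return nil
	}

	decryptedKubeconfig, err := e.Decrypt([]byte(provisioningParameters.Parameters.Kubeconfig))
	if err != nil {
		return fmt.Errorf("while decrypting kubeconfig: %w", err)
	}
	provisioningParameters.Parameters.Kubeconfig = string(decryptedKubeconfig)
	return nil
}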