github.com/zntrio/harp/v2@v2.0.9/pkg/bundle/encryption.go (about) 1 // Licensed to Elasticsearch B.V. under one or more contributor 2 // license agreements. See the NOTICE file distributed with 3 // this work for additional information regarding copyright 4 // ownership. Elasticsearch B.V. licenses this file to you under 5 // the Apache License, Version 2.0 (the "License"); you may 6 // not use this file except in compliance with the License. 7 // You may obtain a copy of the License at 8 // 9 // http://www.apache.org/licenses/LICENSE-2.0 10 // 11 // Unless required by applicable law or agreed to in writing, 12 // software distributed under the License is distributed on an 13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 // KIND, either express or implied. See the License for the 15 // specific language governing permissions and limitations 16 // under the License. 17 18 package bundle 19 20 import ( 21 "context" 22 "encoding/json" 23 "fmt" 24 25 "github.com/awnumar/memguard" 26 "github.com/golang/protobuf/ptypes/wrappers" 27 28 bundlev1 "github.com/zntrio/harp/v2/api/gen/go/harp/bundle/v1" 29 "github.com/zntrio/harp/v2/pkg/bundle/secret" 30 "github.com/zntrio/harp/v2/pkg/sdk/types" 31 "github.com/zntrio/harp/v2/pkg/sdk/value" 32 ) 33 34 // PartialLock apply conditional transformer according to applicable annotation 35 // on the given package. 36 // The annotation is referring to a key alias provided. 37 func PartialLock(ctx context.Context, b *bundlev1.Bundle, transformerMap map[string]value.Transformer, skipUnresolved bool) error { 38 // Check bundle 39 if b == nil { 40 return fmt.Errorf("unable to process nil bundle") 41 } 42 if transformerMap == nil { 43 return fmt.Errorf("unable to process nil transformer map") 44 } 45 46 // For each packages 47 for _, p := range b.Packages { 48 // Check annotation usage 49 keyAlias, hasKeyAlias := p.Annotations[packageEncryptionAnnotation] 50 if !hasKeyAlias { 51 // Skip package processing 52 continue 53 } 54 55 // Check key alias declaration 56 transformer, hasTransformer := transformerMap[keyAlias] 57 if !hasTransformer { 58 if skipUnresolved { 59 // Skip unresolved transformer alias. 60 continue 61 } 62 return fmt.Errorf("package encryption annotation found, but no key alias for %q provided", keyAlias) 63 } 64 if types.IsNil(transformer) { 65 return fmt.Errorf("key alias %q refers to a nil transformer", keyAlias) 66 } 67 68 // Convert secret as a map 69 secrets := map[string]interface{}{} 70 for _, s := range p.Secrets.Data { 71 var out interface{} 72 if err := secret.Unpack(s.Value, &out); err != nil { 73 return fmt.Errorf("unable to load secret value, corrupted bundle: %w", err) 74 } 75 76 // Assign to secret map 77 secrets[s.Key] = out 78 } 79 80 // Export secrets as JSON 81 content, err := json.Marshal(secrets) 82 if err != nil { 83 return fmt.Errorf("unable to extract secret map as json") 84 } 85 86 // Apply transformer 87 out, err := transformer.To(ctx, content) 88 if err != nil { 89 return fmt.Errorf("unable to apply secret transformer: %w", err) 90 } 91 92 // Cleanup 93 memguard.WipeBytes(content) 94 p.Secrets.Data = nil 95 96 // Assign locked secret 97 p.Secrets.Locked = &wrappers.BytesValue{ 98 Value: out, 99 } 100 } 101 102 // No error 103 return nil 104 } 105 106 // Lock apply transformer function to all secret values and set as locked. 107 func Lock(ctx context.Context, b *bundlev1.Bundle, transformer value.Transformer) error { 108 // Check bundle 109 if b == nil { 110 return fmt.Errorf("unable to process nil bundle") 111 } 112 if types.IsNil(transformer) { 113 return fmt.Errorf("unable to process nil transformer") 114 } 115 116 // For each packages 117 for _, p := range b.Packages { 118 // Convert secret as a map 119 secrets := map[string]interface{}{} 120 for _, s := range p.Secrets.Data { 121 var out interface{} 122 if err := secret.Unpack(s.Value, &out); err != nil { 123 return fmt.Errorf("unable to load secret value, corrupted bundle: %w", err) 124 } 125 126 // Assign to secret map 127 secrets[s.Key] = out 128 } 129 130 // Export secrets as JSON 131 content, err := json.Marshal(secrets) 132 if err != nil { 133 return fmt.Errorf("unable to extract secret map as json") 134 } 135 136 // Apply transformer 137 out, err := transformer.To(ctx, content) 138 if err != nil { 139 return fmt.Errorf("unable to apply secret transformer: %w", err) 140 } 141 142 // Cleanup 143 memguard.WipeBytes(content) 144 p.Secrets.Data = nil 145 146 // Assign locked secret 147 p.Secrets.Locked = &wrappers.BytesValue{ 148 Value: out, 149 } 150 } 151 152 // No error 153 return nil 154 } 155 156 // UnLock apply transformer function to all secret values and set as unlocked. 157 func UnLock(ctx context.Context, b *bundlev1.Bundle, transformers []value.Transformer, skipNotDecryptable bool) error { 158 // Check bundle 159 if b == nil { 160 return fmt.Errorf("unable to process nil bundle") 161 } 162 if len(transformers) == 0 { 163 return fmt.Errorf("unable to process empty transformer list") 164 } 165 166 // For each packages 167 for _, p := range b.Packages { 168 // Skip not locked package 169 if p.Secrets.Locked == nil { 170 continue 171 } 172 if len(p.Secrets.Locked.Value) == 0 { 173 continue 174 } 175 176 // Try all transformers 177 var ( 178 out []byte 179 errTransform error 180 ) 181 LOOP: 182 for _, t := range transformers { 183 // Apply transformation 184 out, errTransform = t.From(ctx, p.Secrets.Locked.Value) 185 switch { 186 case errTransform != nil: 187 // Try next transformer 188 continue 189 default: 190 break LOOP 191 } 192 } 193 if errTransform != nil { 194 if skipNotDecryptable { 195 // Skip not decrypted secrets. 196 continue 197 } 198 return fmt.Errorf("unable to transform %q: %w", p.Name, errTransform) 199 } 200 201 // Unpack secrets 202 raw := map[string]interface{}{} 203 if err := json.Unmarshal(out, &raw); err != nil { 204 return fmt.Errorf("unable to unpack locked secret: %w", err) 205 } 206 207 // Prepare secrets collection 208 secrets := []*bundlev1.KV{} 209 for key, value := range raw { 210 // Pack secret value 211 s, err := secret.Pack(value) 212 if err != nil { 213 return fmt.Errorf("unable to pack as secret bundle: %w", err) 214 } 215 216 // Add to secret collection 217 secrets = append(secrets, &bundlev1.KV{ 218 Key: key, 219 Type: fmt.Sprintf("%T", value), 220 Value: s, 221 }) 222 } 223 224 // Cleanup 225 memguard.WipeBytes(p.Secrets.Locked.Value) 226 p.Secrets.Locked = nil 227 228 // Assign unlocked secrets 229 p.Secrets.Data = secrets 230 } 231 232 // No error 233 return nil 234 }