
     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package secretbox
    19  
    20  import (
    21  	"context"
    22  	"encoding/base64"
    23  	"fmt"
    24  	"strings"
    25  
    26  	"github.com/zntrio/harp/v2/build/fips"
    27  	"github.com/zntrio/harp/v2/pkg/sdk/value"
    28  	"github.com/zntrio/harp/v2/pkg/sdk/value/encryption"
    29  )
    30  
// init registers the "secretbox" transformer under the "secretbox" selector.
// Registration is skipped entirely in FIPS builds, so the transformer is
// simply not selectable there rather than failing at use time.
func init() {
	if fips.Enabled() {
		// Not offered in FIPS mode.
		return
	}
	encryption.Register("secretbox", Transformer)
}
    36  
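// Transformer returns a NaCl SecretBox encryption value transformer.
//
// key is a base64 URL-encoded (padded, encoding/base64 URLEncoding) string,
// optionally prefixed with "secretbox:". Once decoded it must be exactly
// keyLength bytes; any other length is rejected rather than padded or
// truncated, so a mistyped key never silently yields a weaker transformer.
//
// It returns an error when the key does not decode as base64 or has the
// wrong length. Error messages report only the decoded length, never the
// key bytes. The decoded scratch buffer is zeroed once the key has been
// copied into the transformer; the caller's string is immutable and cannot
// be scrubbed.
func Transformer(key string) (value.Transformer, error) {
	// The "secretbox:" prefix is the registry selector, not key material.
	key = strings.TrimPrefix(key, "secretbox:")

	k, err := base64.URLEncoding.DecodeString(key)
	if err != nil {
		return nil, fmt.Errorf("secretbox: unable to decode key: %w", err)
	}
	if l := len(k); l != keyLength {
		return nil, fmt.Errorf("secretbox: invalid secret key length (%d)", l)
	}

	// Move the key into a fixed-size array: the form the encrypt/decrypt
	// helpers are called with from To/From.
	secretKey := new([keyLength]byte)
	copy(secretKey[:], k)

	// Best-effort hygiene: k is about to become unreachable, so zero it rather
	// than leave a copy of the key in a heap buffer until the GC reuses it.
	for i := range k {
		k[i] = 0
	}

	return &secretboxTransformer{
		key: secretKey,
	}, nil
}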
    60  
    61  // -----------------------------------------------------------------------------
    62  
// secretboxTransformer encrypts (To) and decrypts (From) values with a single
// NaCl SecretBox key. Build it through Transformer, which validates the key
// length and always sets key to a non-nil array.
type secretboxTransformer struct {
	key *[keyLength]byte // secret key, exactly keyLength bytes
}
    66  
// From decrypts input, which is expected to be a value produced by To, and
// returns the plaintext. The context is unused. Inputs shorter than a nonce
// are rejected up front with a hint that the value may not be encrypted at
// all; everything else (including authentication of the ciphertext) is left
// to decrypt, whose error is returned wrapped.
func (d *secretboxTransformer) From(_ context.Context, input []byte) ([]byte, error) {
	// Anything shorter than a nonce cannot be a sealed value, so report it as
	// a probable "not encrypted" input instead of a decryption failure.
	inputLen := len(input)
	if inputLen < nonceLength {
		return nil, fmt.Errorf("secretbox: invalid secret length (%d), check encryption status", inputLen)
	}

	plaintext, err := decrypt(input, *d.key)
	if err == nil {
		return plaintext, nil
	}
	return nil, fmt.Errorf("secretbox: unable to transform value: %w", err)
}
    82  
// To encrypts input with the transformer's key and returns the sealed bytes.
// The context is unused; any failure from encrypt is returned wrapped.
func (d *secretboxTransformer) To(_ context.Context, input []byte) ([]byte, error) {
	var (
		sealed []byte
		err    error
	)
	if sealed, err = encrypt(input, *d.key); err != nil {
		return nil, fmt.Errorf("secretbox: unable to transform value: %w", err)
	}
	return sealed, nil
}