go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/client/cmd/cloudkms/decrypt.go (about) 1 // Copyright 2017 The LUCI Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package main 16 17 import ( 18 "context" 19 20 "github.com/maruel/subcommands" 21 22 cloudkms "cloud.google.com/go/kms/apiv1" 23 "cloud.google.com/go/kms/apiv1/kmspb" 24 25 "go.chromium.org/luci/auth" 26 "go.chromium.org/luci/common/logging" 27 ) 28 29 func doDecrypt(ctx context.Context, client *cloudkms.KeyManagementClient, input []byte, keyPath string) ([]byte, error) { 30 // Set up request, using the ciphertext directly (should already be base64 encoded). 31 req := &kmspb.DecryptRequest{ 32 Name: keyPath, 33 Ciphertext: input, 34 } 35 36 resp, err := client.Decrypt(ctx, req) 37 if err != nil { 38 logging.Errorf(ctx, "Error while making request") 39 return nil, err 40 } 41 return resp.Plaintext, nil 42 } 43 44 func cmdDecrypt(authOpts auth.Options) *subcommands.Command { 45 return &subcommands.Command{ 46 UsageLine: "decrypt <options> <path>", 47 ShortDesc: "decrypts some ciphertext that was previously encrypted using a key in Cloud KMS", 48 LongDesc: `Uploads a ciphertext for decryption by Cloud KMS. 49 50 <path> refers to the path to the crypto key. e.g. 51 52 projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>`, 53 CommandRun: func() subcommands.CommandRun { 54 c := cryptRun{doCrypt: doDecrypt} 55 c.Init(authOpts) 56 return &c 57 }, 58 } 59 }