Skip to content

Commit

Permalink
sops/keyservice: error on unfulfilled requirements
Browse files Browse the repository at this point in the history
This ensures we signal early that we will be unable to fulfill the
request, instead of letting the underlying keysource implementation
run into mayhem. Which can be problematic for e.g. PGP, which has
assumptions about things being located relative to the given home
directory, resulting in possible unexpected behavior if an empty path
is given.

Signed-off-by: Hidde Beydals <hello@hidde.co>
  • Loading branch information
hiddeco committed Mar 31, 2022
1 parent 95a1829 commit 886918d
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions internal/sops/keyservice/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,10 @@ func (ks Server) Decrypt(ctx context.Context, req *keyservice.DecryptRequest) (*
}

func (ks *Server) encryptWithPgp(key *keyservice.PgpKey, plaintext []byte) ([]byte, error) {
if ks.homeDir == "" {
return nil, status.Errorf(codes.Unimplemented, "PGP encrypt service unavailable: missing home dir configuration")
}

pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint, ks.homeDir)
err := pgpKey.Encrypt(plaintext)
if err != nil {
Expand All @@ -161,13 +165,21 @@ func (ks *Server) encryptWithPgp(key *keyservice.PgpKey, plaintext []byte) ([]by
}

func (ks *Server) decryptWithPgp(key *keyservice.PgpKey, ciphertext []byte) ([]byte, error) {
if ks.homeDir == "" {
return nil, status.Errorf(codes.Unimplemented, "PGP decrypt service unavailable: missing home dir configuration")
}

pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint, ks.homeDir)
pgpKey.EncryptedKey = string(ciphertext)
plaintext, err := pgpKey.Decrypt()
return plaintext, err
}

func (ks *Server) encryptWithAge(key *keyservice.AgeKey, plaintext []byte) ([]byte, error) {
// Unlike the other encrypt and decrypt methods, validation of configuration
// is not required here. As the encryption happens purely based on the
// Recipient from the key.

ageKey := age.MasterKey{
Recipient: key.Recipient,
}
Expand All @@ -178,6 +190,10 @@ func (ks *Server) encryptWithAge(key *keyservice.AgeKey, plaintext []byte) ([]by
}

func (ks *Server) decryptWithAge(key *keyservice.AgeKey, ciphertext []byte) ([]byte, error) {
if len(ks.agePrivateKeys) == 0 {
return nil, status.Errorf(codes.Unimplemented, "age decrypt service unavailable: no private keys present")
}

ageKey := age.MasterKey{
Recipient: key.Recipient,
Identities: ks.agePrivateKeys,
Expand All @@ -188,6 +204,10 @@ func (ks *Server) decryptWithAge(key *keyservice.AgeKey, ciphertext []byte) ([]b
}

func (ks *Server) decryptWithVault(key *keyservice.VaultKey, ciphertext []byte) ([]byte, error) {
if ks.vaultToken == "" {
return nil, status.Errorf(codes.Unimplemented, "Hashicorp Vault decrypt service unavailable: no token found")
}

vaultKey := hcvault.MasterKey{
VaultAddress: key.VaultAddress,
EnginePath: key.EnginePath,
Expand All @@ -200,6 +220,10 @@ func (ks *Server) decryptWithVault(key *keyservice.VaultKey, ciphertext []byte)
}

func (ks *Server) encryptWithAzureKeyvault(key *keyservice.AzureKeyVaultKey, plaintext []byte) ([]byte, error) {
if ks.azureAADConfig == nil {
return nil, status.Errorf(codes.Unimplemented, "Azure Key Vault encrypt service unavailable: no authentication config present")
}

azureKey := azkv.MasterKey{
VaultURL: key.VaultUrl,
Name: key.Name,
Expand All @@ -215,6 +239,10 @@ func (ks *Server) encryptWithAzureKeyvault(key *keyservice.AzureKeyVaultKey, pla
}

func (ks *Server) decryptWithAzureKeyvault(key *keyservice.AzureKeyVaultKey, ciphertext []byte) ([]byte, error) {
if ks.azureAADConfig == nil {
return nil, status.Errorf(codes.Unimplemented, "Azure Key Vault decrypt service unavailable: no authentication config present")
}

azureKey := azkv.MasterKey{
VaultURL: key.VaultUrl,
Name: key.Name,
Expand Down

0 comments on commit 886918d

Please sign in to comment.