Merge pull request #670 from aryan9600/aws-kms-decryption
hiddeco authored May 30, 2022
2 parents 65af429 + 72f0e60 commit 8b7e7ec
Showing 2 changed files with 33 additions and 12 deletions.
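--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.4.0
+github.com/aws/aws-sdk-go v1.43.43
 github.com/aws/aws-sdk-go-v2 v1.16.4
 github.com/aws/aws-sdk-go-v2/config v1.15.7
 github.com/aws/aws-sdk-go-v2/credentials v1.12.2
@@ -91,7 +92,6 @@ require (
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/armon/go-metrics v0.3.10 // indirect
 github.com/armon/go-radix v1.0.0 // indirect
-github.com/aws/aws-sdk-go v1.43.43 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.5 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.11 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.5 // indirect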
43 changes: 32 additions & 11 deletions internal/sops/awskms/keysource_test.go
Expand Up @@ -21,6 +21,9 @@ import (
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/kms"
awsv1 "github.com/aws/aws-sdk-go/aws"
sessionv1 "github.com/aws/aws-sdk-go/aws/session"
kmsv1 "github.com/aws/aws-sdk-go/service/kms"
. "github.com/onsi/gomega"
"github.com/ory/dockertest"
)
Expand Down Expand Up @@ -135,14 +138,24 @@ func TestMasterKey_Encrypt_SOPS_Compat(t *testing.T) {
dataKey := []byte("encrypt-compat")
g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())

decryptKey := createTestMasterKey(testKMSARN)
decryptKey.credentialsProvider = nil
decryptKey.EncryptedKey = encryptKey.EncryptedKey
// This is the core decryption logic of `sopskms.MasterKey.Decrypt()`.
// We don't call `sops.MasterKey.Decrypt()` directly to avoid issues with
// session and config setup.
config := awsv1.Config{
Region: awsv1.String("us-west-2"),
Endpoint: &testKMSServerURL,
}
t.Setenv("AWS_ACCESS_KEY_ID", "id")
t.Setenv("AWS_SECRET_ACCESS_KEY", "secret")
dec, err := decryptKey.Decrypt()
k, err := base64.StdEncoding.DecodeString(encryptKey.EncryptedKey)
g.Expect(err).ToNot(HaveOccurred())
g.Expect(dec).To(Equal(dataKey))
sess, err := sessionv1.NewSessionWithOptions(sessionv1.Options{
Config: config,
})
kmsSvc := kmsv1.New(sess)
decrypted, err := kmsSvc.Decrypt(&kmsv1.DecryptInput{CiphertextBlob: k})
g.Expect(err).ToNot(HaveOccurred())
g.Expect(decrypted.Plaintext).To(Equal(dataKey))
}

func TestMasterKey_EncryptIfNeeded(t *testing.T) {
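Review bot: The error returned by `sessionv1.NewSessionWithOptions` on the `sess, err :=` line is never checked before `sess` is passed to `kmsv1.New(sess)`; it is silently overwritten by the `err` of the following `kmsSvc.Decrypt` call, so a session that fails to build would most likely surface as a nil-pointer panic inside the v1 client or as a misleading decrypt error instead of a clear test failure. Add `g.Expect(err).ToNot(HaveOccurred())` directly after the closing `})` of the session call. The same unchecked `sess, err :=` appears in the TestMasterKey_Decrypt_SOPS_Compat hunk below, ahead of its `kmsv1.New(sess)` and `kmsSvc.Encrypt` calls, and wants the same check. The body of TestMasterKey_Encrypt_SOPS_Compat starts before this hunk.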
Expand Down Expand Up @@ -187,17 +200,25 @@ func TestMasterKey_Decrypt(t *testing.T) {
func TestMasterKey_Decrypt_SOPS_Compat(t *testing.T) {
g := NewWithT(t)

// This is the core encryption logic of `sopskms.MasterKey.Encrypt()`.
// We don't call `sops.MasterKey.Encrypt()` directly to avoid issues with
// session and config setup.
dataKey := []byte("decrypt-compat")

encryptKey := createTestMasterKey(testKMSARN)
encryptKey.credentialsProvider = nil
config := awsv1.Config{
Region: awsv1.String("us-west-2"),
Endpoint: &testKMSServerURL,
}
t.Setenv("AWS_ACCESS_KEY_ID", "id")
t.Setenv("AWS_SECRET_ACCESS_KEY", "secret")

g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())
sess, err := sessionv1.NewSessionWithOptions(sessionv1.Options{
Config: config,
})
kmsSvc := kmsv1.New(sess)
encrypted, err := kmsSvc.Encrypt(&kmsv1.EncryptInput{Plaintext: dataKey, KeyId: &testKMSARN})
g.Expect(err).ToNot(HaveOccurred())

decryptKey := createTestMasterKey(testKMSARN)
decryptKey.EncryptedKey = encryptKey.EncryptedKey
decryptKey.EncryptedKey = base64.StdEncoding.EncodeToString(encrypted.CiphertextBlob)
dec, err := decryptKey.Decrypt()
g.Expect(err).ToNot(HaveOccurred())
g.Expect(dec).To(Equal(dataKey))
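Review bot: The three-line comment beginning `// This is the core encryption logic of `sopskms.MasterKey.Encrypt()`.` sits above `dataKey := []byte("decrypt-compat")` and the env setup rather than above the `sess, err := sessionv1.NewSessionWithOptions(` / `kmsSvc.Encrypt(...)` lines it actually describes; moving it to just before the session call keeps the explanation next to the code it explains. In the sibling TestMasterKey_Encrypt_SOPS_Compat hunk the equivalent comment is placed directly above the `config := awsv1.Config{` block, so relocating this one would also make the two compat tests read consistently. The closing brace of TestMasterKey_Decrypt_SOPS_Compat lies outside this hunk.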
