|
|
@ -37,49 +37,61 @@ type kmsProviderConfig struct { |
|
|
|
awsConfigFile *string |
|
|
|
awsConfigFile *string |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (cfg kmsProviderConfig) validate() error { |
|
|
|
func (config kmsProviderConfig) validate() error { |
|
|
|
if !cfg.awsCfgSrcType.isValid() { |
|
|
|
if !config.awsCfgSrcType.isValid() { |
|
|
|
return errors.New("unknown AwsCfgSrcType") |
|
|
|
return errors.New("unknown AwsCfgSrcType") |
|
|
|
} |
|
|
|
} |
|
|
|
if cfg.awsCfgSrcType == AwsCfgSrcFile { |
|
|
|
if config.awsCfgSrcType == AwsCfgSrcFile { |
|
|
|
if !stringIsSet(cfg.awsConfigFile) { |
|
|
|
if !stringIsSet(config.awsConfigFile) { |
|
|
|
return errors.New("config field AwsConfig file must set for AwsCfgSrcFile") |
|
|
|
return errors.New("config field AwsConfig file must set for AwsCfgSrcFile") |
|
|
|
} |
|
|
|
} |
|
|
|
if !isFile(*cfg.awsConfigFile) { |
|
|
|
if !isFile(*config.awsConfigFile) { |
|
|
|
return fmt.Errorf("aws config file not exist %v", *cfg.awsConfigFile) |
|
|
|
return fmt.Errorf("aws config file not exist %v", *config.awsConfigFile) |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
return nil |
|
|
|
return nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// kmsClientProvider provides the kms client. Implemented by
|
|
|
|
// kmsProvider provide the aws kms client
|
|
|
|
// baseKMSProvider - abstract implementation
|
|
|
|
type kmsProvider interface { |
|
|
|
// sharedKMSProvider - provide the client with default .aws folder
|
|
|
|
|
|
|
|
// fileKMSProvider - provide the aws config with a json file
|
|
|
|
|
|
|
|
// promptKMSProvider - provide the config field from prompt with time out
|
|
|
|
|
|
|
|
type kmsClientProvider interface { |
|
|
|
|
|
|
|
// getKMSClient returns the KMSClient of the kmsClientProvider with lazy loading.
|
|
|
|
|
|
|
|
getKMSClient() (*kms.KMS, error) |
|
|
|
getKMSClient() (*kms.KMS, error) |
|
|
|
|
|
|
|
|
|
|
|
// toStr return the string presentation of kmsClientProvider
|
|
|
|
|
|
|
|
toStr() string |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
type getAwsCfgFunc func() (*AwsConfig, error) |
|
|
|
// lazyKmsProvider provide the kms client with singleton lazy initialization with config get
|
|
|
|
|
|
|
|
// from awsConfigGetter for aws credential and regions loading.
|
|
|
|
|
|
|
|
type lazyKmsProvider struct { |
|
|
|
|
|
|
|
acGetter awsConfigGetter |
|
|
|
|
|
|
|
|
|
|
|
// baseKMSProvider provide the kms client with singleton initialization through
|
|
|
|
|
|
|
|
// function getConfig for aws credential and regions loading.
|
|
|
|
|
|
|
|
type baseKMSProvider struct { |
|
|
|
|
|
|
|
client *kms.KMS |
|
|
|
client *kms.KMS |
|
|
|
err error |
|
|
|
err error |
|
|
|
once sync.Once |
|
|
|
once sync.Once |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
getAWSConfig getAwsCfgFunc |
|
|
|
// newLazyKmsProvider creates a kmsProvider with the given config
|
|
|
|
|
|
|
|
func newLazyKmsProvider(config kmsProviderConfig) (*lazyKmsProvider, error) { |
|
|
|
|
|
|
|
var acg awsConfigGetter |
|
|
|
|
|
|
|
switch config.awsCfgSrcType { |
|
|
|
|
|
|
|
case AwsCfgSrcFile: |
|
|
|
|
|
|
|
if stringIsSet(config.awsConfigFile) { |
|
|
|
|
|
|
|
acg = newFileACGetter(*config.awsConfigFile) |
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
acg = newSharedAwsConfigGetter() |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
case AwsCfgSrcPrompt: |
|
|
|
|
|
|
|
acg = newPromptACGetter(defKmsPromptTimeout) |
|
|
|
|
|
|
|
case AwsCfgSrcShared: |
|
|
|
|
|
|
|
acg = newSharedAwsConfigGetter() |
|
|
|
|
|
|
|
default: |
|
|
|
|
|
|
|
return nil, errors.New("unknown aws config source type") |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return &lazyKmsProvider{ |
|
|
|
|
|
|
|
acGetter: acg, |
|
|
|
|
|
|
|
}, nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *baseKMSProvider) getKMSClient() (*kms.KMS, error) { |
|
|
|
func (provider *lazyKmsProvider) getKMSClient() (*kms.KMS, error) { |
|
|
|
provider.once.Do(func() { |
|
|
|
provider.once.Do(func() { |
|
|
|
cfg, err := provider.getAWSConfig() |
|
|
|
cfg, err := provider.acGetter.getAwsConfig() |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
provider.err = err |
|
|
|
provider.err = err |
|
|
|
return |
|
|
|
return |
|
|
@ -92,94 +104,80 @@ func (provider *baseKMSProvider) getKMSClient() (*kms.KMS, error) { |
|
|
|
return provider.client, nil |
|
|
|
return provider.client, nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *baseKMSProvider) toStr() string { |
|
|
|
// awsConfigGetter provides the aws config. Implemented by
|
|
|
|
return "not implemented" |
|
|
|
// sharedACGetter - provide the nil to use shared AWS configuration
|
|
|
|
|
|
|
|
// fileACGetter - provide the aws config with a json file
|
|
|
|
|
|
|
|
// promptACGetter - provide the config field from prompt with time out
|
|
|
|
|
|
|
|
type awsConfigGetter interface { |
|
|
|
|
|
|
|
getAwsConfig() (*AwsConfig, error) |
|
|
|
|
|
|
|
String() string |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// sharedKMSProvider provide the kms session with the default aws config
|
|
|
|
// sharedACGetter returns nil for getAwsConfig to use shared aws configurations
|
|
|
|
// locates in directory $HOME/.aws/config
|
|
|
|
type sharedACGetter struct{} |
|
|
|
type sharedKMSProvider struct { |
|
|
|
|
|
|
|
baseKMSProvider |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func newSharedKmsProvider() *sharedKMSProvider { |
|
|
|
func newSharedAwsConfigGetter() *sharedACGetter { |
|
|
|
provider := &sharedKMSProvider{baseKMSProvider{}} |
|
|
|
return &sharedACGetter{} |
|
|
|
provider.baseKMSProvider.getAWSConfig = provider.getAWSConfig |
|
|
|
|
|
|
|
return provider |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// TODO(Jacky): set getAwsConfig into a function, not bind with structure
|
|
|
|
func (getter *sharedACGetter) getAwsConfig() (*AwsConfig, error) { |
|
|
|
func (provider *sharedKMSProvider) getAWSConfig() (*AwsConfig, error) { |
|
|
|
|
|
|
|
return nil, nil |
|
|
|
return nil, nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *sharedKMSProvider) toStr() string { |
|
|
|
func (getter *sharedACGetter) String() string { |
|
|
|
return "shared aws config" |
|
|
|
return "shared aws config" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// fileKMSProvider provide the kms session from a file with json data of structure
|
|
|
|
// fileACGetter get aws config through a customized json file
|
|
|
|
// AwsConfig
|
|
|
|
type fileACGetter struct { |
|
|
|
type fileKMSProvider struct { |
|
|
|
|
|
|
|
baseKMSProvider |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
file string |
|
|
|
file string |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func newFileKmsProvider(file string) *fileKMSProvider { |
|
|
|
func newFileACGetter(file string) *fileACGetter { |
|
|
|
provider := &fileKMSProvider{ |
|
|
|
return &fileACGetter{file} |
|
|
|
baseKMSProvider: baseKMSProvider{}, |
|
|
|
|
|
|
|
file: file, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
provider.baseKMSProvider.getAWSConfig = provider.getAWSConfig |
|
|
|
|
|
|
|
return provider |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *fileKMSProvider) getAWSConfig() (*AwsConfig, error) { |
|
|
|
func (getter *fileACGetter) getAwsConfig() (*AwsConfig, error) { |
|
|
|
b, err := ioutil.ReadFile(provider.file) |
|
|
|
b, err := ioutil.ReadFile(getter.file) |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return nil, err |
|
|
|
return nil, err |
|
|
|
} |
|
|
|
} |
|
|
|
var cfg *AwsConfig |
|
|
|
var cfg AwsConfig |
|
|
|
if err := json.Unmarshal(b, cfg); err != nil { |
|
|
|
if err := json.Unmarshal(b, &cfg); err != nil { |
|
|
|
return nil, err |
|
|
|
return nil, err |
|
|
|
} |
|
|
|
} |
|
|
|
return cfg, nil |
|
|
|
return &cfg, nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *fileKMSProvider) toStr() string { |
|
|
|
func (getter *fileACGetter) String() string { |
|
|
|
return fmt.Sprintf("file %v", provider.file) |
|
|
|
return fmt.Sprintf("file %v", getter.file) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// promptKMSProvider provide a user interactive console for AWS config.
|
|
|
|
// promptACGetter provide a user interactive console for AWS config.
|
|
|
|
// Three fields are asked:
|
|
|
|
// Four fields are asked:
|
|
|
|
// 1. AccessKey 2. SecretKey 3. Region
|
|
|
|
// 1. AccessKey 2. SecretKey 3. Region
|
|
|
|
// Each field is asked with a timeout mechanism.
|
|
|
|
// Each field is asked with a timeout mechanism.
|
|
|
|
type promptKMSProvider struct { |
|
|
|
type promptACGetter struct { |
|
|
|
baseKMSProvider |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
timeout time.Duration |
|
|
|
timeout time.Duration |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func newPromptKmsProvider(timeout time.Duration) *promptKMSProvider { |
|
|
|
func newPromptACGetter(timeout time.Duration) *promptACGetter { |
|
|
|
provider := &promptKMSProvider{ |
|
|
|
return &promptACGetter{ |
|
|
|
baseKMSProvider: baseKMSProvider{}, |
|
|
|
timeout: timeout, |
|
|
|
timeout: timeout, |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
provider.baseKMSProvider.getAWSConfig = provider.getAWSConfig |
|
|
|
|
|
|
|
return provider |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *promptKMSProvider) getAWSConfig() (*AwsConfig, error) { |
|
|
|
func (getter *promptACGetter) getAwsConfig() (*AwsConfig, error) { |
|
|
|
console.println("Please provide AWS configurations for KMS encoded BLS keys:") |
|
|
|
console.println("Please provide AWS configurations for KMS encoded BLS keys:") |
|
|
|
accessKey, err := provider.prompt(" AccessKey:") |
|
|
|
accessKey, err := getter.prompt(" AccessKey:") |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return nil, fmt.Errorf("cannot get aws access key: %v", err) |
|
|
|
return nil, fmt.Errorf("cannot get aws access key: %v", err) |
|
|
|
} |
|
|
|
} |
|
|
|
secretKey, err := provider.prompt(" SecretKey:") |
|
|
|
secretKey, err := getter.prompt(" SecretKey:") |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return nil, fmt.Errorf("cannot get aws secret key: %v", err) |
|
|
|
return nil, fmt.Errorf("cannot get aws secret key: %v", err) |
|
|
|
} |
|
|
|
} |
|
|
|
region, err := provider.prompt("Region:") |
|
|
|
region, err := getter.prompt("Region:") |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return nil, fmt.Errorf("cannot get aws region: %v", err) |
|
|
|
return nil, fmt.Errorf("cannot get aws region: %v", err) |
|
|
|
} |
|
|
|
} |
|
|
@ -192,17 +190,17 @@ func (provider *promptKMSProvider) getAWSConfig() (*AwsConfig, error) { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// prompt prompt the user to input a string for a certain field with timeout.
|
|
|
|
// prompt prompt the user to input a string for a certain field with timeout.
|
|
|
|
func (provider *promptKMSProvider) prompt(hint string) (string, error) { |
|
|
|
func (getter *promptACGetter) prompt(hint string) (string, error) { |
|
|
|
var ( |
|
|
|
var ( |
|
|
|
res string |
|
|
|
res string |
|
|
|
err error |
|
|
|
err error |
|
|
|
|
|
|
|
|
|
|
|
finished = make(chan struct{}) |
|
|
|
finished = make(chan struct{}) |
|
|
|
timedOut = time.After(provider.timeout) |
|
|
|
timedOut = time.After(getter.timeout) |
|
|
|
) |
|
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
go func() { |
|
|
|
go func() { |
|
|
|
res, err = provider.threadedPrompt(hint) |
|
|
|
res, err = getter.threadedPrompt(hint) |
|
|
|
close(finished) |
|
|
|
close(finished) |
|
|
|
}() |
|
|
|
}() |
|
|
|
|
|
|
|
|
|
|
@ -216,12 +214,12 @@ func (provider *promptKMSProvider) prompt(hint string) (string, error) { |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *promptKMSProvider) threadedPrompt(hint string) (string, error) { |
|
|
|
func (getter *promptACGetter) threadedPrompt(hint string) (string, error) { |
|
|
|
console.print(hint) |
|
|
|
console.print(hint) |
|
|
|
return console.readPassword() |
|
|
|
return console.readPassword() |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (provider *promptKMSProvider) toStr() string { |
|
|
|
func (getter *promptACGetter) String() string { |
|
|
|
return "prompt" |
|
|
|
return "prompt" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|