internal: refactor storage credentials (#1071)

* Move storage clients to separate packages * Allow setting of client credentials for AWS S3 * Use managed identity client secret or default credentials for Azure Blob Storage * Use credentials file to authorize GCS client --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-10-10 09:38:25 -04:00 · 2023-03-02 15:08:31 +01:00 · 2023-03-02 15:08:31 +01:00 · 5eb73706f5
commit 5eb73706f5
parent 96b4b74a7a
30 changed files with 857 additions and 1130 deletions
--- a/cli/internal/cmd/init.go
+++ b/cli/internal/cmd/init.go
@ -33,7 +33,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	grpcRetry "github.com/edgelesssys/constellation/v2/internal/grpc/retry"
-	kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/license"
 	"github.com/edgelesssys/constellation/v2/internal/retry"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
@ -164,7 +164,7 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
 		MasterSecret:           masterSecret.Key,
 		Salt:                   masterSecret.Salt,
 		KmsUri:                 masterSecret.EncodeToURI(),
-		StorageUri:             kmssetup.NoStoreURI,
+		StorageUri:             uri.NoStoreURI,
 		KeyEncryptionKeyId:     "",
 		UseExistingKek:         false,
 		CloudServiceAccountUri: serviceAccURI,
@ -351,19 +351,19 @@ type initFlags struct {
 }

 // readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret.
-func (i *initCmd) readOrGenerateMasterSecret(outWriter io.Writer, fileHandler file.Handler, filename string) (kmssetup.MasterSecret, error) {
+func (i *initCmd) readOrGenerateMasterSecret(outWriter io.Writer, fileHandler file.Handler, filename string) (uri.MasterSecret, error) {
 	if filename != "" {
 		i.log.Debugf("Reading master secret from file %q", filename)
-		var secret kmssetup.MasterSecret
+		var secret uri.MasterSecret
 		if err := fileHandler.ReadJSON(filename, &secret); err != nil {
-			return kmssetup.MasterSecret{}, err
+			return uri.MasterSecret{}, err
 		}

 		if len(secret.Key) < crypto.MasterSecretLengthMin {
-			return kmssetup.MasterSecret{}, fmt.Errorf("provided master secret is smaller than the required minimum of %d Bytes", crypto.MasterSecretLengthMin)
+			return uri.MasterSecret{}, fmt.Errorf("provided master secret is smaller than the required minimum of %d Bytes", crypto.MasterSecretLengthMin)
 		}
 		if len(secret.Salt) < crypto.RNGLengthDefault {
-			return kmssetup.MasterSecret{}, fmt.Errorf("provided salt is smaller than the required minimum of %d Bytes", crypto.RNGLengthDefault)
+			return uri.MasterSecret{}, fmt.Errorf("provided salt is smaller than the required minimum of %d Bytes", crypto.RNGLengthDefault)
 		}
 		return secret, nil
 	}
@ -372,19 +372,19 @@ func (i *initCmd) readOrGenerateMasterSecret(outWriter io.Writer, fileHandler fi
 	i.log.Debugf("Generating new master secret")
 	key, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault)
 	if err != nil {
-		return kmssetup.MasterSecret{}, err
+		return uri.MasterSecret{}, err
 	}
 	salt, err := crypto.GenerateRandomBytes(crypto.RNGLengthDefault)
 	if err != nil {
-		return kmssetup.MasterSecret{}, err
+		return uri.MasterSecret{}, err
 	}
-	secret := kmssetup.MasterSecret{
+	secret := uri.MasterSecret{
 		Key:  key,
 		Salt: salt,
 	}
 	i.log.Debugf("Generated master secret key and salt values")
 	if err := fileHandler.WriteJSON(constants.MasterSecretFilename, secret, file.OptNone); err != nil {
-		return kmssetup.MasterSecret{}, err
+		return uri.MasterSecret{}, err
 	}
 	fmt.Fprintf(outWriter, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename)
 	return secret, nil
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@ -18,9 +18,6 @@ import (
 	"testing"
 	"time"

-	kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
-	"github.com/edgelesssys/constellation/v2/internal/versions"
-
 	"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
@ -33,9 +30,11 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/license"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/oid"
+	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -193,7 +192,7 @@ func TestInitialize(t *testing.T) {
 			require.NoError(err)
 			// assert.Contains(out.String(), base64.StdEncoding.EncodeToString([]byte("ownerID")))
 			assert.Contains(out.String(), hex.EncodeToString([]byte("clusterID")))
-			var secret kmssetup.MasterSecret
+			var secret uri.MasterSecret
 			assert.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &secret))
 			assert.NotEmpty(secret.Key)
 			assert.NotEmpty(secret.Salt)
@ -288,7 +287,7 @@ func TestReadOrGenerateMasterSecret(t *testing.T) {
 			createFileFunc: func(handler file.Handler) error {
 				return handler.WriteJSON(
 					"someSecret",
-					kmssetup.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
+					uri.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
 					file.OptNone,
 				)
 			},
@ -319,7 +318,7 @@ func TestReadOrGenerateMasterSecret(t *testing.T) {
 			createFileFunc: func(handler file.Handler) error {
 				return handler.WriteJSON(
 					"shortSecret",
-					kmssetup.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("short")},
+					uri.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("short")},
 					file.OptNone,
 				)
 			},
@ -331,7 +330,7 @@ func TestReadOrGenerateMasterSecret(t *testing.T) {
 			createFileFunc: func(handler file.Handler) error {
 				return handler.WriteJSON(
 					"shortSecret",
-					kmssetup.MasterSecret{Key: []byte("short"), Salt: []byte("constellation-32Byte-length-salt")},
+					uri.MasterSecret{Key: []byte("short"), Salt: []byte("constellation-32Byte-length-salt")},
 					file.OptNone,
 				)
 			},
@ -377,7 +376,7 @@ func TestReadOrGenerateMasterSecret(t *testing.T) {
 					tc.filename = strings.Trim(filename[1], "\n")
 				}

-				var masterSecret kmssetup.MasterSecret
+				var masterSecret uri.MasterSecret
 				require.NoError(fileHandler.ReadJSON(tc.filename, &masterSecret))
 				assert.Equal(masterSecret.Key, secret.Key)
 				assert.Equal(masterSecret.Salt, secret.Salt)
--- a/cli/internal/cmd/recover.go
+++ b/cli/internal/cmd/recover.go
@ -24,7 +24,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	grpcRetry "github.com/edgelesssys/constellation/v2/internal/grpc/retry"
-	kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/retry"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
@ -73,7 +73,7 @@ func (r *recoverCmd) recover(
 	}
 	r.log.Debugf("Using flags: %+v", flags)

-	var masterSecret kmssetup.MasterSecret
+	var masterSecret uri.MasterSecret
 	r.log.Debugf("Loading master secret file from %s", flags.secretPath)
 	if err := fileHandler.ReadJSON(flags.secretPath, &masterSecret); err != nil {
 		return err
@ -102,7 +102,7 @@ func (r *recoverCmd) recover(
 	r.log.Debugf("Created a new validator")
 	doer.setDialer(newDialer(validator), flags.endpoint)
 	r.log.Debugf("Set dialer for endpoint %s", flags.endpoint)
-	doer.setURIs(masterSecret.EncodeToURI(), kmssetup.NoStoreURI)
+	doer.setURIs(masterSecret.EncodeToURI(), uri.NoStoreURI)
 	r.log.Debugf("Set secrets")
 	if err := r.recoverCall(cmd.Context(), cmd.OutOrStdout(), interval, doer); err != nil {
 		if grpcRetry.ServiceIsUnavailable(err) {
--- a/cli/internal/cmd/recover_test.go
+++ b/cli/internal/cmd/recover_test.go
@ -26,7 +26,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
-	kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -158,7 +158,7 @@ func TestRecover(t *testing.T) {

 			require.NoError(fileHandler.WriteJSON(
 				"constellation-mastersecret.json",
-				kmssetup.MasterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt},
+				uri.MasterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt},
 				file.OptNone,
 			))