AB#1943 Extract KMS package (#56)
* Extract kmsapi from coordinator * Add kmsapi cmd server
This commit is contained in:
parent
2a6b1e2277
commit
c63d7126e7
@ -6,9 +6,9 @@ import (
|
||||
"io"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
@ -12,7 +12,6 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
@ -22,6 +21,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -12,7 +12,6 @@ import (
|
||||
"github.com/edgelesssys/constellation/cli/file"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/coordinator/config"
|
||||
kmsSetup "github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/nodestate"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
@ -20,6 +19,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/storewrapper"
|
||||
"github.com/edgelesssys/constellation/coordinator/util"
|
||||
"github.com/edgelesssys/constellation/kms/kms"
|
||||
kmsSetup "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"go.uber.org/zap"
|
||||
"google.golang.org/grpc"
|
||||
)
|
||||
|
@ -9,7 +9,6 @@ import (
|
||||
"github.com/edgelesssys/constellation/cli/file"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/nodestate"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
@ -17,6 +16,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/store"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -12,13 +12,13 @@ import (
|
||||
"github.com/edgelesssys/constellation/cli/file"
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi"
|
||||
"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -7,12 +7,12 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/cli/file"
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -12,7 +12,6 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/oid"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
@ -20,6 +19,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
|
||||
"github.com/edgelesssys/constellation/coordinator/util/testdialer"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/edgelesssys/constellation/state/keyservice/keyproto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -3,10 +3,10 @@ package pubapi
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
|
@ -5,10 +5,10 @@ import (
|
||||
"errors"
|
||||
"net/netip"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
|
@ -8,10 +8,10 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/peer"
|
||||
"github.com/edgelesssys/constellation/coordinator/state"
|
||||
"github.com/edgelesssys/constellation/coordinator/store"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
|
6
go.mod
6
go.mod
@ -103,6 +103,12 @@ require (
|
||||
sigs.k8s.io/yaml v1.3.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/fsnotify/fsnotify v1.5.1 // indirect
|
||||
github.com/onsi/ginkgo v1.16.5 // indirect
|
||||
github.com/onsi/gomega v1.17.0 // indirect
|
||||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.100.2 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.1 // indirect
|
||||
|
9
go.sum
9
go.sum
@ -595,8 +595,9 @@ github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVB
|
||||
github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
|
||||
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
|
||||
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
|
||||
github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
|
||||
github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
|
||||
github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
|
||||
github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
|
||||
github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o=
|
||||
@ -1150,8 +1151,9 @@ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0
|
||||
github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
|
||||
github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0=
|
||||
github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
|
||||
github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
|
||||
github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
|
||||
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
|
||||
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
|
||||
github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
|
||||
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
|
||||
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
@ -1161,8 +1163,9 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
|
||||
github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
|
||||
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
|
||||
github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
|
||||
github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
|
||||
github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
|
||||
github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
|
||||
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
|
||||
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
|
||||
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
|
||||
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
|
||||
|
@ -33,7 +33,8 @@ const (
|
||||
//
|
||||
// Cryptographic constants.
|
||||
//
|
||||
StateDiskKeyLength = 32
|
||||
StateDiskKeyLength = 32
|
||||
DerivedKeyLengthDefault = 32
|
||||
|
||||
//
|
||||
// CLI.
|
||||
@ -47,7 +48,7 @@ const (
|
||||
//
|
||||
|
||||
// KubernetesVersion installed by kubeadm.
|
||||
KubernetesVersion = "stable-1.23"
|
||||
KubernetesVersion = "stable-1.23"
|
||||
KubernetesJoinTokenTTL = 15 * time.Minute
|
||||
)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
package kms
|
||||
package cluster
|
||||
|
||||
import (
|
||||
"context"
|
@ -1,4 +1,4 @@
|
||||
package kms
|
||||
package cluster
|
||||
|
||||
import (
|
||||
"context"
|
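--- /dev/null
+++ b/kms/server/cmd/main.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net"
+
+	"github.com/edgelesssys/constellation/coordinator/util"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"github.com/edgelesssys/constellation/kms/server/setup"
+	"go.uber.org/zap"
+
+	"google.golang.org/grpc"
+)
+
+func main() {
+	port := flag.String("p", "9000", "Port gRPC server listens on")
+	flag.Parse()
+
+	// TODO: Get masterSecret from Constellation CLI / after activation from cluster.
+	masterKey, err := util.GenerateRandomBytes(32)
+	if err != nil {
+		log.Fatalf("Failed to generate key: %v", err)
+	}
+
+	conKMS, err := setup.SetUpKMS(context.Background(), setup.NoStoreURI, setup.ClusterKMSURI)
+	if err != nil {
+		log.Fatalf("Failed to setup KMS: %v", err)
+	}
+
+	if err := conKMS.CreateKEK(context.Background(), "Constellation", masterKey); err != nil {
+		log.Fatalf("Failed to create KMS KEK from MasterKey: %v", err)
+	}
+
+	lis, err := net.Listen("tcp", net.JoinHostPort("0.0.0.0", *port))
+	if err != nil {
+		log.Fatalf("Failed to listen: %v", err)
+	}
+
+	srv := kmsapi.New(&zap.Logger{}, conKMS)
+
+	// TODO: Launch server with aTLS to allow attestation for clients.
+	grpcServer := grpc.NewServer()
+
+	kmsproto.RegisterAPIServer(grpcServer, srv)
+
+	if err := grpcServer.Serve(lis); err != nil {
+		log.Fatalf("Failed to serve: %s", err)
+	}
+}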
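Review bot: As committed, this binary listens on every interface (`net.JoinHostPort("0.0.0.0", *port)`) with a plain `grpc.NewServer()` — no TLS, no client authentication — and serves DEKs derived from the master key to anyone who can reach the port, since `GetDataKey` takes a client-chosen key id. The aTLS TODO acknowledges the gap, but until transport credentials exist the server should fail closed or at least bind to loopback, e.g. `lis, err := net.Listen("tcp", net.JoinHostPort("localhost", *port))`, so a stray deployment does not become an unauthenticated key-derivation oracle. Separately, `kmsapi.New(&zap.Logger{}, conKMS)` passes a zero-value logger, which as far as I can tell has no core and will panic on the first log call; use `zap.NewNop()` (or `zap.NewProduction()`) instead. It is also worth stating in the first TODO that `masterKey` is regenerated on every start, so any key derived before a restart is unrecoverable.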
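--- /dev/null
+++ b/kms/server/kmsapi/kmsapi.go
@@ -0,0 +1,46 @@
+// Package kmsapi implements an API to manage encryption keys.
+package kmsapi
+
+import (
+	"context"
+
+	"github.com/edgelesssys/constellation/kms/kms"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"go.uber.org/zap"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// API resembles an encryption key management api server through logger, CloudKMS and proto-unimplemented server.
+type API struct {
+	logger *zap.Logger
+	conKMS kms.CloudKMS
+	kmsproto.UnimplementedAPIServer
+}
+
+// New creates a new API.
+func New(logger *zap.Logger, conKMS kms.CloudKMS) *API {
+	return &API{
+		logger: logger,
+		conKMS: conKMS,
+	}
+}
+
+// GetDataKey returns a data key.
+func (a *API) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
+	// Error on 0 key length
+	if in.Length == 0 {
+		return nil, status.Error(codes.InvalidArgument, "can't derive key with length zero")
+	}
+
+	// Error on empty DataKeyId
+	if in.DataKeyId == "" {
+		return nil, status.Error(codes.InvalidArgument, "no data key id specified")
+	}
+
+	key, err := a.conKMS.GetDEK(ctx, "Constellation", "key-"+in.DataKeyId, int(in.Length))
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "%v", err)
+	}
+	return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
+}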
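Review bot: `GetDataKey` only rejects `Length == 0`; the `uint32` is otherwise forwarded to `GetDEK` unchanged, so a client can ask for a key of up to 4 GiB and the only thing standing between that and a large allocation or a slow derivation is whatever limit the backend happens to enforce. Add an upper bound and reject oversized requests with `InvalidArgument`. The error path also hands the raw backend error text to the caller via `status.Errorf(codes.Internal, "%v", err)` while `a.logger` is never used — log the detail server-side and return a generic message, since this service sits on an (eventually attested) network boundary.

```go
// maxDataKeyLength caps client-requested key sizes; the exact limit should be
// confirmed against the derivation backend, but anything beyond a few hundred
// bytes is almost certainly a bug or abuse.
const maxDataKeyLength = 1024

func (a *API) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
	// … unchanged: zero-length and empty-id checks …
	if in.Length > maxDataKeyLength {
		return nil, status.Errorf(codes.InvalidArgument, "requested key length %d exceeds maximum %d", in.Length, maxDataKeyLength)
	}

	key, err := a.conKMS.GetDEK(ctx, "Constellation", "key-"+in.DataKeyId, int(in.Length))
	if err != nil {
		a.logger.Error("deriving data key", zap.String("dataKeyId", in.DataKeyId), zap.Error(err))
		return nil, status.Error(codes.Internal, "failed to derive data key")
	}
	return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
}
```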
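--- /dev/null
+++ b/kms/server/kmsapi/kmsapi_test.go
@@ -0,0 +1,58 @@
+package kmsapi
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap/zaptest"
+)
+
+func TestGetDataKey(t *testing.T) {
+	assert := assert.New(t)
+	require := require.New(t)
+
+	kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
+	api := New(zaptest.NewLogger(t), kms)
+
+	res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	require.NoError(err)
+	assert.Equal(kms.derivedKey, res.DataKey)
+
+	// Test no data key id
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32})
+	require.Error(err)
+	assert.Nil(res)
+
+	// Test no / zero key length
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"})
+	require.Error(err)
+	assert.Nil(res)
+
+	// Test derive key error
+	api = New(zaptest.NewLogger(t), &stubKMS{deriveKeyErr: errors.New("error")})
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	assert.Error(err)
+	assert.Nil(res)
+}
+
+type stubKMS struct {
+	masterKey    []byte
+	derivedKey   []byte
+	deriveKeyErr error
+}
+
+func (c *stubKMS) CreateKEK(ctx context.Context, keyID string, kek []byte) error {
+	c.masterKey = kek
+	return nil
+}
+
+func (c *stubKMS) GetDEK(ctx context.Context, kekID string, dekID string, dekSize int) ([]byte, error) {
+	if c.deriveKeyErr != nil {
+		return nil, c.deriveKeyErr
+	}
+	return c.derivedKey, nil
+}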
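Review bot: `stubKMS.GetDEK` discards `kekID`, `dekID` and `dekSize`, so the test never checks that `GetDataKey` forwards `"Constellation"`, the `"key-"` prefix and the requested length to the backend — a regression in any of those would still pass. Record the arguments in the stub (`c.gotKEKID, c.gotDEKID, c.gotSize = kekID, dekID, dekSize`) and assert them after the happy-path call, e.g. `assert.Equal("key-1", kms.gotDEKID)` and `assert.Equal(32, kms.gotSize)`. The `masterKey` field is written by `CreateKEK` but never read; either assert on it or drop it.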
226
kms/server/kmsapi/kmsproto/kmsapi.pb.go
Normal file
226
kms/server/kmsapi/kmsproto/kmsapi.pb.go
Normal file
@ -0,0 +1,226 @@
|
||||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.25.0-devel
|
||||
// protoc v3.14.0
|
||||
// source: kmsproto/kmsapi.proto
|
||||
|
||||
package kmsproto
|
||||
|
||||
import (
|
||||
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
|
||||
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
|
||||
reflect "reflect"
|
||||
sync "sync"
|
||||
)
|
||||
|
||||
const (
|
||||
// Verify that this generated code is sufficiently up-to-date.
|
||||
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
|
||||
// Verify that runtime/protoimpl is sufficiently up-to-date.
|
||||
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
|
||||
)
|
||||
|
||||
type GetDataKeyRequest struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"`
|
||||
Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"`
|
||||
}
|
||||
|
||||
func (x *GetDataKeyRequest) Reset() {
|
||||
*x = GetDataKeyRequest{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_kmsproto_kmsapi_proto_msgTypes[0]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyRequest) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*GetDataKeyRequest) ProtoMessage() {}
|
||||
|
||||
func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_kmsproto_kmsapi_proto_msgTypes[0]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead.
|
||||
func (*GetDataKeyRequest) Descriptor() ([]byte, []int) {
|
||||
return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{0}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyRequest) GetDataKeyId() string {
|
||||
if x != nil {
|
||||
return x.DataKeyId
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *GetDataKeyRequest) GetLength() uint32 {
|
||||
if x != nil {
|
||||
return x.Length
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
type GetDataKeyResponse struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"`
|
||||
}
|
||||
|
||||
func (x *GetDataKeyResponse) Reset() {
|
||||
*x = GetDataKeyResponse{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_kmsproto_kmsapi_proto_msgTypes[1]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyResponse) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*GetDataKeyResponse) ProtoMessage() {}
|
||||
|
||||
func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_kmsproto_kmsapi_proto_msgTypes[1]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead.
|
||||
func (*GetDataKeyResponse) Descriptor() ([]byte, []int) {
|
||||
return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{1}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyResponse) GetDataKey() []byte {
|
||||
if x != nil {
|
||||
return x.DataKey
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
var File_kmsproto_kmsapi_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_kmsproto_kmsapi_proto_rawDesc = []byte{
|
||||
0x0a, 0x15, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x61, 0x70,
|
||||
0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x22,
|
||||
0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71,
|
||||
0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79,
|
||||
0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b,
|
||||
0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02,
|
||||
0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12,
|
||||
0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
|
||||
0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
|
||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x4a, 0x0a,
|
||||
0x03, 0x41, 0x50, 0x49, 0x12, 0x43, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b,
|
||||
0x65, 0x79, 0x12, 0x19, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44,
|
||||
0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e,
|
||||
0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65,
|
||||
0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74,
|
||||
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73,
|
||||
0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f,
|
||||
0x6e, 0x2f, 0x6b, 0x6d, 0x73, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x6b, 0x6d, 0x73,
|
||||
0x61, 0x70, 0x69, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
|
||||
0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
file_kmsproto_kmsapi_proto_rawDescOnce sync.Once
|
||||
file_kmsproto_kmsapi_proto_rawDescData = file_kmsproto_kmsapi_proto_rawDesc
|
||||
)
|
||||
|
||||
func file_kmsproto_kmsapi_proto_rawDescGZIP() []byte {
|
||||
file_kmsproto_kmsapi_proto_rawDescOnce.Do(func() {
|
||||
file_kmsproto_kmsapi_proto_rawDescData = protoimpl.X.CompressGZIP(file_kmsproto_kmsapi_proto_rawDescData)
|
||||
})
|
||||
return file_kmsproto_kmsapi_proto_rawDescData
|
||||
}
|
||||
|
||||
var file_kmsproto_kmsapi_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
|
||||
var file_kmsproto_kmsapi_proto_goTypes = []interface{}{
|
||||
(*GetDataKeyRequest)(nil), // 0: pubapi.GetDataKeyRequest
|
||||
(*GetDataKeyResponse)(nil), // 1: pubapi.GetDataKeyResponse
|
||||
}
|
||||
var file_kmsproto_kmsapi_proto_depIdxs = []int32{
|
||||
0, // 0: pubapi.API.GetDataKey:input_type -> pubapi.GetDataKeyRequest
|
||||
1, // 1: pubapi.API.GetDataKey:output_type -> pubapi.GetDataKeyResponse
|
||||
1, // [1:2] is the sub-list for method output_type
|
||||
0, // [0:1] is the sub-list for method input_type
|
||||
0, // [0:0] is the sub-list for extension type_name
|
||||
0, // [0:0] is the sub-list for extension extendee
|
||||
0, // [0:0] is the sub-list for field type_name
|
||||
}
|
||||
|
||||
func init() { file_kmsproto_kmsapi_proto_init() }
|
||||
func file_kmsproto_kmsapi_proto_init() {
|
||||
if File_kmsproto_kmsapi_proto != nil {
|
||||
return
|
||||
}
|
||||
if !protoimpl.UnsafeEnabled {
|
||||
file_kmsproto_kmsapi_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*GetDataKeyRequest); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
file_kmsproto_kmsapi_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*GetDataKeyResponse); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
type x struct{}
|
||||
out := protoimpl.TypeBuilder{
|
||||
File: protoimpl.DescBuilder{
|
||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||
RawDescriptor: file_kmsproto_kmsapi_proto_rawDesc,
|
||||
NumEnums: 0,
|
||||
NumMessages: 2,
|
||||
NumExtensions: 0,
|
||||
NumServices: 1,
|
||||
},
|
||||
GoTypes: file_kmsproto_kmsapi_proto_goTypes,
|
||||
DependencyIndexes: file_kmsproto_kmsapi_proto_depIdxs,
|
||||
MessageInfos: file_kmsproto_kmsapi_proto_msgTypes,
|
||||
}.Build()
|
||||
File_kmsproto_kmsapi_proto = out.File
|
||||
file_kmsproto_kmsapi_proto_rawDesc = nil
|
||||
file_kmsproto_kmsapi_proto_goTypes = nil
|
||||
file_kmsproto_kmsapi_proto_depIdxs = nil
|
||||
}
|
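--- /dev/null
+++ b/kms/server/kmsapi/kmsproto/kmsapi.proto
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package kmsapi;
+
+option go_package = "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto";
+
+service API {
+  rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse);
+}
+
+message GetDataKeyRequest {
+  string data_key_id = 1;
+  uint32 length = 2;
+}
+
+message GetDataKeyResponse {
+  bytes data_key = 1;
+}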
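Review bot: This file declares `package kmsapi;`, but the generated code checked in alongside it was produced from a different source: `kmsapi_grpc.pb.go` registers `ServiceName: "pubapi.API"` and invokes `"/pubapi.API/GetDataKey"`, and the raw descriptor in `kmsapi.pb.go` also carries the `pubapi` package. Regenerate both files from this `.proto` so the wire method becomes `/kmsapi.API/GetDataKey`; as committed, the KMS service shares the coordinator's `pubapi` namespace and would collide with a `pubapi.API` registered on the same gRPC server. A one-line comment on `length` stating the unit (bytes) and that the server rejects zero would also help clients.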
101
kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go
Normal file
101
kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go
Normal file
@ -0,0 +1,101 @@
|
||||
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
|
||||
|
||||
package kmsproto
|
||||
|
||||
import (
|
||||
context "context"
|
||||
grpc "google.golang.org/grpc"
|
||||
codes "google.golang.org/grpc/codes"
|
||||
status "google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
// This is a compile-time assertion to ensure that this generated file
|
||||
// is compatible with the grpc package it is being compiled against.
|
||||
// Requires gRPC-Go v1.32.0 or later.
|
||||
const _ = grpc.SupportPackageIsVersion7
|
||||
|
||||
// APIClient is the client API for API service.
|
||||
//
|
||||
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
||||
type APIClient interface {
|
||||
GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error)
|
||||
}
|
||||
|
||||
type aPIClient struct {
|
||||
cc grpc.ClientConnInterface
|
||||
}
|
||||
|
||||
func NewAPIClient(cc grpc.ClientConnInterface) APIClient {
|
||||
return &aPIClient{cc}
|
||||
}
|
||||
|
||||
func (c *aPIClient) GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error) {
|
||||
out := new(GetDataKeyResponse)
|
||||
err := c.cc.Invoke(ctx, "/pubapi.API/GetDataKey", in, out, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// APIServer is the server API for API service.
|
||||
// All implementations must embed UnimplementedAPIServer
|
||||
// for forward compatibility
|
||||
type APIServer interface {
|
||||
GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error)
|
||||
mustEmbedUnimplementedAPIServer()
|
||||
}
|
||||
|
||||
// UnimplementedAPIServer must be embedded to have forward compatible implementations.
|
||||
type UnimplementedAPIServer struct {
|
||||
}
|
||||
|
||||
func (UnimplementedAPIServer) GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error) {
|
||||
return nil, status.Errorf(codes.Unimplemented, "method GetDataKey not implemented")
|
||||
}
|
||||
func (UnimplementedAPIServer) mustEmbedUnimplementedAPIServer() {}
|
||||
|
||||
// UnsafeAPIServer may be embedded to opt out of forward compatibility for this service.
|
||||
// Use of this interface is not recommended, as added methods to APIServer will
|
||||
// result in compilation errors.
|
||||
type UnsafeAPIServer interface {
|
||||
mustEmbedUnimplementedAPIServer()
|
||||
}
|
||||
|
||||
func RegisterAPIServer(s grpc.ServiceRegistrar, srv APIServer) {
|
||||
s.RegisterService(&API_ServiceDesc, srv)
|
||||
}
|
||||
|
||||
func _API_GetDataKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||
in := new(GetDataKeyRequest)
|
||||
if err := dec(in); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if interceptor == nil {
|
||||
return srv.(APIServer).GetDataKey(ctx, in)
|
||||
}
|
||||
info := &grpc.UnaryServerInfo{
|
||||
Server: srv,
|
||||
FullMethod: "/pubapi.API/GetDataKey",
|
||||
}
|
||||
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
||||
return srv.(APIServer).GetDataKey(ctx, req.(*GetDataKeyRequest))
|
||||
}
|
||||
return interceptor(ctx, in, info, handler)
|
||||
}
|
||||
|
||||
// API_ServiceDesc is the grpc.ServiceDesc for API service.
|
||||
// It's only intended for direct use with grpc.RegisterService,
|
||||
// and not to be introspected or modified (even as a copy)
|
||||
var API_ServiceDesc = grpc.ServiceDesc{
|
||||
ServiceName: "pubapi.API",
|
||||
HandlerType: (*APIServer)(nil),
|
||||
Methods: []grpc.MethodDesc{
|
||||
{
|
||||
MethodName: "GetDataKey",
|
||||
Handler: _API_GetDataKey_Handler,
|
||||
},
|
||||
},
|
||||
Streams: []grpc.StreamDesc{},
|
||||
Metadata: "kmsproto/kmsapi.proto",
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
package kms
|
||||
package setup
|
||||
|
||||
import (
|
||||
"context"
|
||||
@ -9,6 +9,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/kms/kms"
|
||||
"github.com/edgelesssys/constellation/kms/kms/aws"
|
||||
"github.com/edgelesssys/constellation/kms/kms/azure"
|
||||
"github.com/edgelesssys/constellation/kms/kms/cluster"
|
||||
"github.com/edgelesssys/constellation/kms/kms/gcp"
|
||||
"github.com/edgelesssys/constellation/kms/storage"
|
||||
kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
|
||||
@ -122,7 +123,7 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS
|
||||
return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl))
|
||||
|
||||
case "cluster-kms":
|
||||
return &ClusterKMS{}, nil
|
||||
return &cluster.ClusterKMS{}, nil
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown KMS type: %s", uri.Host)
|
@ -1,4 +1,4 @@
|
||||
package kms
|
||||
package setup
|
||||
|
||||
import (
|
||||
"context"
|
@ -44,9 +44,15 @@ WORKDIR /service
|
||||
COPY debugd/service/*.proto /service
|
||||
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
|
||||
|
||||
## key management
|
||||
WORKDIR /kms
|
||||
COPY kms/server/kmsapi/kmsproto/*.proto /kms
|
||||
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
|
||||
|
||||
|
||||
FROM scratch as export
|
||||
COPY --from=build /pubapi/*.go coordinator/pubapi/pubproto/
|
||||
COPY --from=build /vpnapi/*.go coordinator/vpnapi/vpnproto/
|
||||
COPY --from=build /disk-mapper/*.go state/keyservice/keyproto/
|
||||
COPY --from=build /service/*.go debugd/service/
|
||||
COPY --from=build /kms/*.go kms/server/kmsproto/
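Review bot: The export stage copies the generated Go files to `kms/server/kmsproto/`, but the `.proto` was taken from `kms/server/kmsapi/kmsproto/` (line above in this hunk) and the `go_package` option points there too, so the regenerated `kmsapi.pb.go` / `kmsapi_grpc.pb.go` land in a directory nobody imports and the checked-in copies never get refreshed. Change the last line to `COPY --from=build /kms/*.go kms/server/kmsapi/kmsproto/`. Relatedly, the checked-in generated code records `source: kmsproto/kmsapi.proto`, which suggests it was produced outside this Dockerfile flow; running the fixed stage once should bring it in line with the `.proto`.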
|
||||
|
@ -23,11 +23,11 @@ import (
|
||||
"github.com/docker/go-connections/nat"
|
||||
"github.com/edgelesssys/constellation/coordinator/atls"
|
||||
"github.com/edgelesssys/constellation/coordinator/core"
|
||||
"github.com/edgelesssys/constellation/coordinator/kms"
|
||||
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/coordinator/store"
|
||||
"github.com/edgelesssys/constellation/coordinator/storewrapper"
|
||||
kms "github.com/edgelesssys/constellation/kms/server/setup"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
|