90b88e1cf9
In light of extending our eKMS support it will be helpful to use the word "KMS" more precisely. "KMS" should refer only to the component that actually manages keys. The keyservice, which the Constellation code also calls "KMS", does not manage keys itself: it talks to a KMS backend, and that backend does the actual key management.
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
|
package kms
|
import (
	"context"
	"fmt"
	"math"

	"github.com/edgelesssys/constellation/v2/internal/logger"
	"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
	"go.uber.org/zap"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)
|
// Client interacts with Constellation's keyservice.
//
// Despite the package name, Client does not manage keys itself: it is a thin
// gRPC client that asks the keyservice for data keys (see GetDataKey). Values
// are created with New and are used by value (GetDataKey has a value receiver).
type Client struct {
	log      *logger.Logger // structured logger; GetDataKey adds keyID and endpoint fields to it
	endpoint string         // address the keyservice gRPC server is dialed at
	grpc     grpcClient     // performs the actual RPC; an interface, presumably so tests can inject a fake
}
|
// New returns a Client that fetches data keys from the keyservice reachable
// at endpoint, logging through log. The returned Client talks to the
// keyservice via the generated gRPC API (see client).
func New(log *logger.Logger, endpoint string) Client {
	var c Client
	c.log = log
	c.endpoint = endpoint
	c.grpc = client{}
	return c
}
|
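// GetDataKey requests a data encryption key of length bytes for keyID from
// the keyservice at c.endpoint and returns it.
//
// length must fit into the request's uint32 Length field; negative or
// oversized values are rejected up front instead of being silently wrapped by
// the int -> uint32 conversion. The returned key is also checked to be exactly
// length bytes long, so a caller never silently receives a key of a different
// size than it asked for. Dial and RPC errors are returned wrapped.
func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byte, error) {
	// Validate before touching the network or the logger: a negative length
	// would wrap to a huge uint32 and an oversized one would be truncated.
	if length < 0 || int64(length) > math.MaxUint32 {
		return nil, fmt.Errorf("requested data key length %d is out of range [0, %d]", length, uint64(math.MaxUint32))
	}

	log := c.log.With(zap.String("keyID", keyID), zap.String("endpoint", c.endpoint))

	// The keyservice is only reachable over the cluster-internal network, which
	// Constellation treats as trusted, so this connection deliberately uses
	// plain (non-aTLS) transport credentials. That trust is an assumption on
	// the deployment, not something this client verifies: any party that can
	// reach c.endpoint from inside the cluster can request keys the same way.
	log.Infof("Connecting to KMS at %s", c.endpoint)
	// DialContext does not block by default, so connectivity problems usually
	// surface from the RPC below rather than from this call.
	conn, err := grpc.DialContext(ctx, c.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
	if err != nil {
		return nil, fmt.Errorf("dialing Constellation KMS at %s: %w", c.endpoint, err)
	}
	defer conn.Close()

	log.Infof("Requesting data key")
	res, err := c.grpc.GetDataKey(
		ctx,
		&keyserviceproto.GetDataKeyRequest{
			DataKeyId: keyID,
			Length:    uint32(length),
		},
		conn,
	)
	if err != nil {
		return nil, fmt.Errorf("fetching data encryption key from Constellation KMS: %w", err)
	}

	// Defense in depth: callers size ciphers and KDFs by the length they
	// requested, so a key of any other size must not be handed out.
	if got := len(res.DataKey); got != length {
		return nil, fmt.Errorf("Constellation KMS returned a data key of %d bytes, requested %d", got, length)
	}

	log.Infof("Data key request successful")
	return res.DataKey, nil
}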
|
// grpcClient is the seam between Client and the generated keyservice API: it
// issues a single GetDataKey RPC over an already-dialed connection. The
// production implementation is client; the interface presumably exists so
// tests can inject a fake.
type grpcClient interface {
	GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
}
|
// client is the default grpcClient implementation; it delegates to the
// generated keyserviceproto API client.
type client struct{}
|
// GetDataKey builds a keyserviceproto API client on top of conn and forwards
// req to the keyservice's GetDataKey RPC, returning its response unchanged.
func (c client) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
	api := keyserviceproto.NewAPIClient(conn)
	return api.GetDataKey(ctx, req)
}