forked from hashicorp/go-kms-wrapping
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.go
132 lines (115 loc) · 3.6 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package main
import (
"context"
"embed"
"flag"
"fmt"
"io/fs"
"os"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-kms-wrapping/v2/aead" // a built-in go-kms-wrapping wrapper (no additional dependencies)
configutil "github.com/hashicorp/go-secure-stdlib/configutil/v2"
"github.com/hashicorp/go-secure-stdlib/pluginutil/v2"
)
// support the --use-transit flag which requires the caller to run:
// "docker-compose up" before executing the example
const rootKmsTransitHcl = `
kms "transit" {
purpose = "root"
address = "http://localhost:8200"
token = "vault-plaintext-root-token"
disable_renewal = "false"
key_name = "examplekey"
mount_path = "transit/"
namespace = "ns1/"
}`
func main() {
mainCtx := context.Background()
pt := flag.String("plaintext", "default plaintext secret", "plaintext you'd like to use for encrypt/decrypt ops with a wrapper")
flag.Parse()
fmt.Fprintf(os.Stderr, "initializing the vault transit plugin wrapper\n")
wrapper, cleanupFn, err := newVaultTransitPluginWrapper(mainCtx)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to initialize vault transit plugin wrapper: %s\n\n", err)
fmt.Fprintf(os.Stderr, `did you run "docker-compose up" first`)
return
}
if cleanupFn != nil {
defer cleanupFn()
}
fmt.Fprintf(os.Stderr, "encrypting the plaintext: %q\n", *pt)
cipherText, err := wrapper.Encrypt(mainCtx, []byte(*pt))
if err != nil {
fmt.Fprintf(os.Stderr, "unable to encrypt plaintext: %s\n\n", err)
return
}
fmt.Fprintf(os.Stderr, "decrypting the ciphertext\n")
decryptedPlaintext, err := wrapper.Decrypt(mainCtx, cipherText)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to decrypt ciphertext: %s\n\n", err)
return
}
if string(decryptedPlaintext) != *pt {
fmt.Fprintf(os.Stderr, "%q doesn't equal %q\n\n", string(decryptedPlaintext), *pt)
return
}
fmt.Fprintf(os.Stderr, "successfully encrypted/decrypted %q using the plugin\n", *pt)
fmt.Fprintf(os.Stderr, "done!\n")
}
// newVaultTransitPluginWrapper will initialize a vault transit wrapper
func newVaultTransitPluginWrapper(ctx context.Context) (wrapping.Wrapper, func() error, error) {
const (
op = "kms.NewVaultTransitRootWrapper"
kmsPluginPrefix = "plugin-"
)
wrapperCfg, err := configutil.ParseConfig(rootKmsTransitHcl)
if err != nil {
return nil, nil, err
}
if len(wrapperCfg.Seals) != 1 {
return nil, nil, fmt.Errorf("expected 1 seal and got %d", len(wrapperCfg.Seals))
}
fmt.Fprintf(
os.Stderr,
"configuring/initializing %s plugin for address: %s\n",
wrapperCfg.Seals[0].Type,
wrapperCfg.Seals[0].Config["address"],
)
wrapper, cleanup, err := configutil.ConfigureWrapper(
ctx,
wrapperCfg.Seals[0],
nil,
nil,
configutil.WithPluginOptions(
pluginutil.WithPluginsMap(builtinKmsPlugins()),
pluginutil.WithPluginsFilesystem(kmsPluginPrefix, assetsFileSystem()),
),
configutil.WithLogger(hclog.NewNullLogger()),
)
if err != nil {
return nil, nil, fmt.Errorf("Error configuring kms: %w", err)
}
return wrapper, cleanup, nil
}
func builtinKmsPlugins() map[string]pluginutil.InmemCreationFunc {
return map[string]pluginutil.InmemCreationFunc{
"aead": func() (interface{}, error) {
return aead.NewWrapper(), nil
},
}
}
// content is our static web server content.
//go:embed plugins/assets
var content embed.FS
func assetsFileSystem() fs.FS {
const contentDir = "plugins/assets"
// Remove the root
f, err := fs.Sub(content, contentDir)
if err != nil {
panic(err)
}
return f
}