debug: Log encryption inputs

keboola · Dec 19, 2024 · 64529cb · 64529cb
1 parent d347dd6
commit 64529cb
Show file tree

Hide file tree

Showing 4 changed files with 155 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ replace github.com/oauth2-proxy/mockoidc => github.com/keboola/go-mockoidc v0.0.
 
 require (
 	ariga.io/atlas v0.29.0
+	cloud.google.com/go/kms v1.20.0
 	entgo.io/ent v0.14.1
 	github.com/ActiveState/vt10x v1.3.1
 	github.com/AlecAivazis/survey/v2 v2.3.7
@@ -53,6 +54,7 @@ require (
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/oauth2-proxy/oauth2-proxy/v7 v7.7.1
+	github.com/pkg/errors v0.9.1
 	github.com/pquerna/cachecontrol v0.2.0
 	github.com/prometheus/client_golang v1.20.5
 	github.com/qiangxue/fasthttp-routing v0.0.0-20160225050629-6ccdc2a18d87
@@ -153,7 +155,6 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/iam v1.2.1 // indirect
-	cloud.google.com/go/kms v1.20.0 // indirect
 	cloud.google.com/go/longrunning v0.6.1 // indirect
 	cloud.google.com/go/monitoring v1.21.1 // indirect
 	cloud.google.com/go/storage v1.46.0 // indirect
@@ -285,7 +286,6 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect

diff --git a/internal/pkg/service/stream/encryption/encode.go b/internal/pkg/service/stream/encryption/encode.go
@@ -0,0 +1,59 @@
+package encryption
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/base64"
+	"encoding/gob"
+
+	"github.com/pkg/errors"
+)
+
+func Encode(data any) ([]byte, error) {
+	var buffer bytes.Buffer
+
+	// Base64 encode
+	encoder := base64.NewEncoder(base64.StdEncoding, &buffer)
+
+	// Gzip compress
+	writer := gzip.NewWriter(encoder)
+
+	// gob encode
+	err := gob.NewEncoder(writer).Encode(data)
+	if err != nil {
+		return nil, errors.Wrapf(err, "gob encoder failed: %s", err.Error())
+	}
+
+	err = writer.Close()
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't close gzip writer: %s", err.Error())
+	}
+
+	err = encoder.Close()
+	if err != nil {
+		return nil, errors.Wrapf(err, "base64 encoder failed: %s", err.Error())
+	}
+
+	return buffer.Bytes(), nil
+}
+
+func Decode[T any](data []byte) (decoded T, err error) {
+	// Base64 decode
+	decoder := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(data))
+
+	// Gzip uncompress
+	reader, err := gzip.NewReader(decoder)
+	if err != nil {
+		return decoded, errors.Wrapf(err, "can't create gzip reader: %s", err.Error())
+	}
+
+	defer reader.Close()
+
+	// gob decode
+	err = gob.NewDecoder(reader).Decode(&decoded)
+	if err != nil {
+		return decoded, errors.Wrapf(err, "gob decoder failed: %s", err.Error())
+	}
+
+	return decoded, nil
+}
diff --git a/internal/pkg/service/stream/encryption/encryption.go b/internal/pkg/service/stream/encryption/encryption.go
@@ -33,7 +33,7 @@ func NewEncryptor(ctx context.Context, config Config, logger log.Logger) (cloude
 
 		return encryptor, nil
 	case ProviderGCP:
-		encryptor, err = cloudencrypt.NewGCPEncryptor(ctx, config.GCP.KMSKeyID)
+		encryptor, err = NewGCPEncryptor(ctx, config.GCP.KMSKeyID, logger)
 		if err != nil {
 			return nil, err
 		}

diff --git a/internal/pkg/service/stream/encryption/gcp.go b/internal/pkg/service/stream/encryption/gcp.go
@@ -0,0 +1,93 @@
+package encryption
+
+import (
+	"context"
+
+	kms "cloud.google.com/go/kms/apiv1"
+	"cloud.google.com/go/kms/apiv1/kmspb"
+	"github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt"
+	"github.com/pkg/errors"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+)
+
+// GCPEncryptor Implements Encryptor using Google Cloud's Key Management Service.
+type GCPEncryptor struct {
+	client *kms.KeyManagementClient
+	keyID  string
+	logger log.Logger
+}
+
+func NewGCPEncryptor(ctx context.Context, keyID string, logger log.Logger) (*GCPEncryptor, error) {
+	client, err := kms.NewKeyManagementClient(ctx)
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't create gpc kms client: %s", err.Error())
+	}
+
+	return &GCPEncryptor{
+		client: client,
+		keyID:  keyID,
+		logger: logger,
+	}, nil
+}
+
+func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata cloudencrypt.Metadata) ([]byte, error) {
+	additionalData, err := Encode(metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	encryptor.logger.Infof(ctx, "encryption key: %s", encryptor.keyID)
+	encryptor.logger.Infof(ctx, "encryption metadata: %s", string(additionalData))
+	encryptor.logger.Infof(ctx, "encryption plaintext: %s", string(plaintext))
+
+	request := &kmspb.EncryptRequest{
+		Name:                        encryptor.keyID,
+		Plaintext:                   plaintext,
+		AdditionalAuthenticatedData: additionalData,
+	}
+
+	response, err := encryptor.client.Encrypt(ctx, request)
+	if err != nil {
+		return nil, errors.Wrapf(err, "gcp encryption failed: %s", err.Error())
+	}
+
+	encryptor.logger.Infof(ctx, "encryption ciphertext: %s", string(response.GetCiphertext()))
+
+	return response.GetCiphertext(), nil
+}
+
+func (encryptor *GCPEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata cloudencrypt.Metadata) ([]byte, error) {
+	additionalData, err := Encode(metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	encryptor.logger.Infof(ctx, "decryption key: %s", encryptor.keyID)
+	encryptor.logger.Infof(ctx, "decryption metadata: %s", string(additionalData))
+	encryptor.logger.Infof(ctx, "decryption ciphertext: %s", string(ciphertext))
+
+	request := &kmspb.DecryptRequest{
+		Name:                        encryptor.keyID,
+		Ciphertext:                  ciphertext,
+		AdditionalAuthenticatedData: additionalData,
+	}
+
+	response, err := encryptor.client.Decrypt(ctx, request)
+	if err != nil {
+		return nil, errors.Wrapf(err, "gcp decryption failed: %s", err.Error())
+	}
+
+	encryptor.logger.Infof(ctx, "decryption plaintext: %s", string(response.GetPlaintext()))
+
+	return response.GetPlaintext(), nil
+}
+
+func (encryptor *GCPEncryptor) Close() error {
+	err := encryptor.client.Close()
+	if err != nil {
+		return errors.Wrapf(err, "can't close gcp client: %s", err.Error())
+	}
+
+	return nil
+}