vault/command/agentproxyshared/cache/keymanager/passthrough.go
Violet Hynes 6b4b0f7aaf
VAULT-15547 First pass at agent/proxy decoupling (#20548)
* VAULT-15547 First pass at agent/proxy decoupling

* VAULT-15547 Fix some imports

* VAULT-15547 cases instead of string.Title

* VAULT-15547 changelog

* VAULT-15547 Fix some imports

* VAULT-15547 some more dependency updates

* VAULT-15547 More dependency paths

* VAULT-15547 godocs for tests

* VAULT-15547 godocs for tests

* VAULT-15547 test package updates

* VAULT-15547 test packages

* VAULT-15547 add proxy to test packages

* VAULT-15547 gitignore

* VAULT-15547 address comments

* VAULT-15547 Some typos and small fixes
2023-05-17 09:38:34 -04:00


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package keymanager
import (
"context"
"crypto/rand"
"fmt"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
)
// Compile-time assertion that *PassthroughKeyManager satisfies the KeyManager interface.
var _ KeyManager = (*PassthroughKeyManager)(nil)
// PassthroughKeyManager is a KeyManager that fronts an AES-GCM wrapper
// directly: the root key lives in memory inside the wrapper and is handed
// back verbatim by RetrievalToken, with no further key-wrapping layer in
// between.
type PassthroughKeyManager struct {
	// wrapper performs the AES-GCM operations with the root key installed by
	// NewPassthroughKeyManager; it is nil only for a zero-value manager.
	wrapper *aead.Wrapper
}
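// NewPassthroughKeyManager returns a KeyManager whose wrapper encrypts with
// AES-GCM under a 32-byte root key. If key is non-empty it must be exactly
// 32 bytes and is installed as the root key; if it is empty, a fresh 32-byte
// key is drawn from crypto/rand. Any other length is rejected.
//
// The key is only ever held in memory by the wrapper (RetrievalToken hands it
// back as-is); nothing here persists it, so a generated key is gone when the
// process exits.
//
// Returns the manager, or an error if key generation fails, the key length is
// wrong, or the wrapper rejects its configuration or key.
func NewPassthroughKeyManager(ctx context.Context, key []byte) (*PassthroughKeyManager, error) {
	// AES-256-GCM root key length in bytes.
	const rootKeySize = 32

	var rootKey []byte
	switch len(key) {
	case 0:
		// No key supplied: generate one. crypto/rand.Read fills the whole
		// buffer whenever it returns a nil error, so no short-read check is
		// needed.
		rootKey = make([]byte, rootKeySize)
		if _, err := rand.Read(rootKey); err != nil {
			return nil, err
		}
	case rootKeySize:
		// Caller-supplied key: the slice is used as given, not copied, so
		// the caller should treat it as owned by the wrapper from here on
		// (whether go-kms-wrapping copies it internally is not visible here).
		rootKey = key
	default:
		return nil, fmt.Errorf("invalid key size, should be %d, got %d", rootKeySize, len(key))
	}

	wrapper := aead.NewWrapper()
	// KeyID is a package-level identifier (defined elsewhere in the package)
	// recorded as the wrapper's key_id.
	if _, err := wrapper.SetConfig(ctx, wrapping.WithConfigMap(map[string]string{"key_id": KeyID})); err != nil {
		return nil, err
	}
	if err := wrapper.SetAesGcmKeyBytes(rootKey); err != nil {
		return nil, err
	}

	return &PassthroughKeyManager{wrapper: wrapper}, nil
}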
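// Wrapper returns the manager's AES-GCM wrapper for key operations.
//
// A manager built by NewPassthroughKeyManager always has a wrapper. For a
// zero-value PassthroughKeyManager the underlying *aead.Wrapper is nil; in
// that case an untyped nil is returned rather than a wrapping.Wrapper
// interface holding a nil pointer, so callers can meaningfully compare the
// result against nil (the same case RetrievalToken guards against).
func (w *PassthroughKeyManager) Wrapper() wrapping.Wrapper {
	if w.wrapper == nil {
		return nil
	}
	return w.wrapper
}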
// RetrievalToken returns the raw root key bytes installed on the wrapper.
// Because this manager is a plain passthrough, the "token" is the key itself
// rather than an indirect handle: callers receive secret key material and
// must protect it accordingly.
//
// Returns an error if the manager has no wrapper (e.g. a zero value), or
// whatever error the wrapper reports when exporting its key bytes.
func (w *PassthroughKeyManager) RetrievalToken(ctx context.Context) ([]byte, error) {
	if wr := w.wrapper; wr != nil {
		return wr.KeyBytes(ctx)
	}
	return nil, fmt.Errorf("unable to get wrapper for token retrieval")
}