feat: secret keeper

flanksource · Jan 21, 2025 · 5be4477 · 5be4477
1 parent 11097e7
commit 5be4477
Show file tree

Hide file tree

Showing 7 changed files with 251 additions and 22 deletions.
diff --git a/connection/awskms.go b/connection/awskms.go
@@ -0,0 +1,41 @@
+package connection
+
+import (
+	"fmt"
+
+	"github.com/flanksource/duty/context"
+	"github.com/flanksource/duty/models"
+	"gocloud.dev/secrets"
+	"gocloud.dev/secrets/awskms"
+)
+
+type AWSKMS struct {
+	AWSConnection `json:",inline"`
+
+	// keyID can be an alias (eg: alias/ExampleAlias?region=us-east-1) or the ARN
+	KeyID string `json:"keyID,omitempty"`
+}
+
+func (t *AWSKMS) Populate(ctx ConnectionContext) error {
+	return t.AWSConnection.Populate(ctx)
+}
+
+func (t *AWSKMS) FromModel(conn models.Connection) {
+	t.AWSConnection.FromModel(conn)
+	t.KeyID = conn.Properties["keyID"]
+}
+
+func (t *AWSKMS) SecretKeeper(ctx context.Context) (*secrets.Keeper, error) {
+	awsConfig, err := t.AWSConnection.Client(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AWS client: %w", err)
+	}
+
+	kmsClient, err := awskms.DialV2(awsConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AWS KMS client: %w", err)
+	}
+
+	keeper := awskms.OpenKeeperV2(kmsClient, t.KeyID, nil)
+	return keeper, nil
+}
diff --git a/connection/azurekeyvault.go b/connection/azurekeyvault.go
@@ -0,0 +1,49 @@
+package connection
+
+import (
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
+	"github.com/flanksource/duty/context"
+	"github.com/flanksource/duty/models"
+	"gocloud.dev/secrets"
+	"gocloud.dev/secrets/azurekeyvault"
+)
+
+type AzureKeyVault struct {
+	AzureConnection `json:",inline"`
+
+	// keyID is a URL to the key in the format
+	// 	https://<vault-name>.vault.azure.net/keys/<key-name>
+	KeyID string `json:"keyID,omitempty"`
+}
+
+func (t *AzureKeyVault) Populate(ctx ConnectionContext) error {
+	return t.AzureConnection.HydrateConnection(ctx)
+}
+
+func (t *AzureKeyVault) FromModel(conn models.Connection) {
+	t.AzureConnection.FromModel(conn)
+	t.KeyID = conn.Properties["keyID"]
+}
+
+func (t *AzureKeyVault) SecretKeeper(ctx context.Context) (*secrets.Keeper, error) {
+	creds, err := t.AzureConnection.TokenCredential()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Azure token credential: %w", err)
+	}
+
+	clientMaker := func(keyVaultURI string) (*azkeys.Client, error) {
+		return azkeys.NewClient(keyVaultURI, creds, &azkeys.ClientOptions{
+			ClientOptions: policy.ClientOptions{},
+		})
+	}
+
+	keeper, err := azurekeyvault.OpenKeeper(clientMaker, t.KeyID, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Azure Key Vault keeper: %w", err)
+	}
+
+	return keeper, nil
+}
diff --git a/connection/gcpkms.go b/connection/gcpkms.go
@@ -0,0 +1,42 @@
+package connection
+
+import (
+	"fmt"
+
+	"github.com/flanksource/duty/context"
+	"github.com/flanksource/duty/models"
+	"gocloud.dev/secrets"
+	"gocloud.dev/secrets/gcpkms"
+)
+
+type GCPKMS struct {
+	GCPConnection `json:",inline"`
+
+	// keyID points to the key in the format
+	// projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY
+	KeyID string `json:"keyID,omitempty"`
+}
+
+func (t *GCPKMS) Populate(ctx ConnectionContext) error {
+	return t.GCPConnection.HydrateConnection(ctx)
+}
+
+func (t *GCPKMS) FromModel(conn models.Connection) {
+	t.GCPConnection.FromModel(conn)
+	t.KeyID = conn.Properties["keyID"]
+}
+
+func (t *GCPKMS) SecretKeeper(ctx context.Context) (*secrets.Keeper, error) {
+	oauthToken, err := t.GCPConnection.TokenSource(ctx, "https://www.googleapis.com/auth/cloudkms")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCP oauth2 token: %w", err)
+	}
+
+	kmsClient, _, err := gcpkms.Dial(ctx, oauthToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCP KMS client: %w", err)
+	}
+
+	keeper := gcpkms.OpenKeeper(kmsClient, t.KeyID, nil)
+	return keeper, nil
+}
diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	cloud.google.com/go/storage v1.43.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
 	github.com/RaveNoX/go-jsonmerge v1.0.0
 	github.com/TomOnTime/utfutil v0.0.0-20230223141146-125e65197b36
 	github.com/WinterYukky/gorm-extra-clause-plugin v0.2.0
@@ -64,6 +65,7 @@ require (
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0
 	go.opentelemetry.io/otel/sdk v1.28.0
 	go.opentelemetry.io/otel/trace v1.29.0
+	gocloud.dev v0.40.0
 	golang.org/x/crypto v0.30.0
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
 	golang.org/x/oauth2 v0.23.0
@@ -89,8 +91,11 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	cloud.google.com/go/compute/metadata v0.5.1 // indirect
 	cloud.google.com/go/iam v1.2.0 // indirect
+	cloud.google.com/go/kms v1.19.0 // indirect
+	cloud.google.com/go/longrunning v0.6.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
@@ -100,17 +105,19 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
+	github.com/aws/aws-sdk-go v1.55.5 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.35.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.23.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.0 // indirect
 	github.com/aws/smithy-go v1.21.0 // indirect
@@ -159,6 +166,7 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/google/wire v0.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
@@ -258,7 +266,7 @@ require (
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.28.0 // indirect
-	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
 	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect