Merge pull request #55184 from sakshamsharma/envelope-service-to-bytearray
Automatic merge from submit-queue (batch tested with PRs 56828, 55184, 56849, 57081, 56654). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Update envelope.Service to use []byte in place of string. In accordance with the discussion with @lavalamp in the [KMS Plugins API design doc](https://docs.google.com/document/d/1S_Wgn-psI0Z7SYGvp-83ePte5oUNMr4244uanGLYUmw/edit?usp=sharing). Modifies the envelope transformer introduced by #49350. @lavalamp @destijl @kksriram ```release-note NONE ``` Kubernetes-commit: 8856f6a1cd5e13a2db03732eb2f5fb8a3a976e3e
							|  | @ -226,18 +226,18 @@ type testEnvelopeService struct { | |||
| 	disabled bool | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) { | ||||
| func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) { | ||||
| 	if t.disabled { | ||||
| 		return nil, fmt.Errorf("Envelope service was disabled") | ||||
| 	} | ||||
| 	return base64.StdEncoding.DecodeString(data) | ||||
| 	return base64.StdEncoding.DecodeString(string(data)) | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) Encrypt(data []byte) (string, error) { | ||||
| func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) { | ||||
| 	if t.disabled { | ||||
| 		return "", fmt.Errorf("Envelope service was disabled") | ||||
| 		return nil, fmt.Errorf("Envelope service was disabled") | ||||
| 	} | ||||
| 	return base64.StdEncoding.EncodeToString(data), nil | ||||
| 	return []byte(base64.StdEncoding.EncodeToString(data)), nil | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) SetDisabledStatus(status bool) { | ||||
|  |  | |||
|  | @ -21,6 +21,7 @@ import ( | |||
| 	"crypto/aes" | ||||
| 	"crypto/cipher" | ||||
| 	"crypto/rand" | ||||
| 	"encoding/base64" | ||||
| 	"encoding/binary" | ||||
| 	"fmt" | ||||
| 
 | ||||
|  | @ -34,10 +35,10 @@ const defaultCacheSize = 1000 | |||
| 
 | ||||
| // Service allows encrypting and decrypting data using an external Key Management Service.
 | ||||
| type Service interface { | ||||
| 	// Decrypt a given data string to obtain the original byte data.
 | ||||
| 	Decrypt(data string) ([]byte, error) | ||||
| 	// Encrypt bytes to a string ciphertext.
 | ||||
| 	Encrypt(data []byte) (string, error) | ||||
| 	// Decrypt a given bytearray to obtain the original data as bytes.
 | ||||
| 	Decrypt(data []byte) ([]byte, error) | ||||
| 	// Encrypt bytes to a ciphertext.
 | ||||
| 	Encrypt(data []byte) ([]byte, error) | ||||
| } | ||||
| 
 | ||||
| type envelopeTransformer struct { | ||||
|  | @ -78,15 +79,12 @@ func (t *envelopeTransformer) TransformFromStorage(data []byte, context value.Co | |||
| 	if keyLen+2 > len(data) { | ||||
| 		return nil, false, fmt.Errorf("invalid data encountered by genvelope transformer, length longer than available bytes: %q", data) | ||||
| 	} | ||||
| 	encKey := string(data[2 : keyLen+2]) | ||||
| 	encKey := data[2 : keyLen+2] | ||||
| 	encData := data[2+keyLen:] | ||||
| 
 | ||||
| 	var transformer value.Transformer | ||||
| 	// Look up the decrypted DEK from cache or Envelope.
 | ||||
| 	_transformer, found := t.transformers.Get(encKey) | ||||
| 	if found { | ||||
| 		transformer = _transformer.(value.Transformer) | ||||
| 	} else { | ||||
| 	transformer := t.getTransformer(encKey) | ||||
| 	if transformer == nil { | ||||
| 		key, err := t.envelopeService.Decrypt(encKey) | ||||
| 		if err != nil { | ||||
| 			return nil, false, fmt.Errorf("error while decrypting key: %q", err) | ||||
|  | @ -136,16 +134,27 @@ func (t *envelopeTransformer) TransformToStorage(data []byte, context value.Cont | |||
| var _ value.Transformer = &envelopeTransformer{} | ||||
| 
 | ||||
| // addTransformer inserts a new transformer to the Envelope cache of DEKs for future reads.
 | ||||
| func (t *envelopeTransformer) addTransformer(encKey string, key []byte) (value.Transformer, error) { | ||||
| func (t *envelopeTransformer) addTransformer(encKey []byte, key []byte) (value.Transformer, error) { | ||||
| 	block, err := aes.NewCipher(key) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	transformer := t.baseTransformerFunc(block) | ||||
| 	t.transformers.Add(encKey, transformer) | ||||
| 	// Use base64 of encKey as the key into the cache because hashicorp/golang-lru
 | ||||
| 	// cannot hash []uint8.
 | ||||
| 	t.transformers.Add(base64.StdEncoding.EncodeToString(encKey), transformer) | ||||
| 	return transformer, nil | ||||
| } | ||||
| 
 | ||||
| // getTransformer fetches the transformer corresponding to encKey from cache, if it exists.
 | ||||
| func (t *envelopeTransformer) getTransformer(encKey []byte) value.Transformer { | ||||
| 	_transformer, found := t.transformers.Get(base64.StdEncoding.EncodeToString(encKey)) | ||||
| 	if found { | ||||
| 		return _transformer.(value.Transformer) | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // generateKey generates a random key using system randomness.
 | ||||
| func generateKey(length int) ([]byte, error) { | ||||
| 	key := make([]byte, length) | ||||
|  |  | |||
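Review bot: The cache key in addTransformer (the new lines after `transformer := t.baseTransformerFunc(block)`) and in getTransformer base64-encodes encKey on every Add and Get, which allocates a fresh string of about 4/3 the key length on each TransformFromStorage read; a plain `string(encKey)` is already a valid, comparable map key in Go (strings may hold arbitrary bytes), so `t.transformers.Add(string(encKey), transformer)` and `t.transformers.Get(string(encKey))` would give the same lookup semantics with less work, and the comment about golang-lru not hashing `[]uint8` can then explain why the string conversion is needed instead. If base64 is kept deliberately, a small helper such as `func cacheKey(encKey []byte) string` would keep the two call sites from drifting apart. getTransformer's doc comment should also say that it returns nil when encKey is not cached, since the new `if transformer == nil` check in TransformFromStorage depends on exactly that; TransformFromStorage itself begins and ends outside the hunk.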
|  | @ -42,22 +42,22 @@ type testEnvelopeService struct { | |||
| 	keyVersion string | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) { | ||||
| func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) { | ||||
| 	if t.disabled { | ||||
| 		return nil, fmt.Errorf("Envelope service was disabled") | ||||
| 	} | ||||
| 	dataChunks := strings.SplitN(data, ":", 2) | ||||
| 	dataChunks := strings.SplitN(string(data), ":", 2) | ||||
| 	if len(dataChunks) != 2 { | ||||
| 		return nil, fmt.Errorf("invalid data encountered for decryption: %s. Missing key version", data) | ||||
| 	} | ||||
| 	return base64.StdEncoding.DecodeString(dataChunks[1]) | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) Encrypt(data []byte) (string, error) { | ||||
| func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) { | ||||
| 	if t.disabled { | ||||
| 		return "", fmt.Errorf("Envelope service was disabled") | ||||
| 		return nil, fmt.Errorf("Envelope service was disabled") | ||||
| 	} | ||||
| 	return t.keyVersion + ":" + base64.StdEncoding.EncodeToString(data), nil | ||||
| 	return []byte(t.keyVersion + ":" + base64.StdEncoding.EncodeToString(data)), nil | ||||
| } | ||||
| 
 | ||||
| func (t *testEnvelopeService) SetDisabledStatus(status bool) { | ||||
|  |  | |||