Merge pull request #11 from beezy-dev/vault

'cleaning up hvault code'

Author: romdalf

cmd/kleidi/main.go

@@ -20,9 +20,10 @@ func main() {
 
 	// Generic vars considering the consistency across providers.
 	var (
-		listenAddr         = flag.String("listen", "unix:///tmp/kleidi/kleidi-kms-plugin.socket", "gRPC listen address.")
-		providerService    = flag.String("provider", "softhsm", "KMS provider to connect to (hvault, softhsm, tpm).")
-		providerConfigFile = flag.String("configfile", "/opt/kleidi/config.json", "Provider config file pat.")
+		listenAddr         = flag.String("listen", "unix:///tmp/kleidi/kleidi-kms-plugin.socket", "gRPC listen address")
+		providerService    = flag.String("provider", "softhsm", "KMS provider to connect to (hvault, softhsm, tpm)")
+		providerConfigFile = flag.String("configfile", "/opt/kleidi/config.json", "Provider config file pat")
+		debugMode          = flag.Bool("debugmode", false, "Enable debug mode")
 	)
 
 	// Parsing environment variables.
@@ -57,9 +58,11 @@ func main() {
 		log.Fatalln("EXIT: flag -configfile set to", providerConfig, "failed with error:\n", err.Error())
 	}
 
+	debug := *debugMode
+
 	//Starting the appropriate provider once previously validated.
 	//REFACTOR to a simple interface
 
-	utils.StartProvider(addr, provider, providerConfig)
+	utils.StartProvider(addr, provider, providerConfig, debug)
 
 }

configuration/k8s/encryption/vault-encryption-config.yaml

@@ -5,4 +5,9 @@ resources:
       - secrets
       - configmaps
     providers: 
+      - kms:
+          apiVersion: v2
+          name: kleidi-kms-plugin
+          endpoint: unix:///tmp/kleidi/kleidi-kms-plugin.socket
+          timeout: 5s    
       - identity: {}

configuration/testenv4kvault.sh

@@ -123,11 +123,7 @@ echo
 echo -e "  -> Trigger Kind k8s API server restart"
 kubectl delete -n kube-system pod/kube-apiserver-kleidi-vault-control-plane
 echo -e "  -> Sleeping for 10 seconds to allow kube-apiserver to restart"
-sleep 10
-
-echo
-echo -e "  -> Creating a post kleidi deployment Secret"
-kubectl create secret generic postkleidi -n default --from-literal=mykey=mydata
+sleep 30
 
 echo 
 echo -e "  -> Checking a pre kleidi deployment Secret"
@@ -140,6 +136,10 @@ else
     echo -e "  /!\ no unencrypted prekleidi Secret object found!"
 fi 
 
+echo
+echo -e "  -> Creating a post kleidi deployment Secret"
+kubectl create secret generic postkleidi -n default --from-literal=mykey=mydata
+
 echo 
 echo -e "  -> Checking a post kleidi deployment Secret"
 # kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C
@@ -166,15 +166,15 @@ else
     echo -e "  /!\ no encrypted prekleidi Secret object found!"
 fi 
 
-echo
-echo -e "  -> Cleaning any existing vault test env"
-killall -9 vault ||true
+# echo
+# echo -e "  -> Cleaning any existing vault test env"
+# killall -9 vault ||true
 
-echo
-echo -e "  -> Cleaning any existing kind test env" 
-kind delete cluster --name kleidi-vault
+# echo
+# echo -e "  -> Cleaning any existing kind test env" 
+# kind delete cluster --name kleidi-vault
 
-echo
-echo -e "  -> Cleaning vault-encryption-config.yaml"
-cp k8s/encryption/vault-encryption-config-bkp.yaml k8s/encryption/vault-encryption-config.yaml
+# echo
+# echo -e "  -> Cleaning vault-encryption-config.yaml"
+# cp k8s/encryption/vault-encryption-config-bkp.yaml k8s/encryption/vault-encryption-config.yaml
 

internal/providers/hvault.go

@@ -24,14 +24,14 @@ type hvaultRemoteService struct {
 	*api.Client
 
 	keyID      string
-	keypath    string
+	debug      bool
 	Address    string `json:"Address"`
 	Transitkey string `json:"Transitkey"`
 	Vaultrole  string `json:"Vaultrole"`
 	Namespace  string `json:"Namespace"`
 }
 
-func NewVaultClientRemoteService(configFilePath string) (service.Service, error) {
+func NewVaultClientRemoteService(configFilePath string, debug bool) (service.Service, error) {
 	ctx, err := os.ReadFile(configFilePath)
 	if err != nil {
 		log.Fatalln("EXIT:ctx: failed to read vault config file with error:\n", err.Error())
@@ -40,8 +40,14 @@ func NewVaultClientRemoteService(configFilePath string) (service.Service, error)
 		log.Fatalln("EXIT:keyID len: invalid keyID")
 	}
 
+	if debug {
+		log.Println("DEBUG:--------------------------------------------------")
+		log.Println("DEBUG: verifying keyID:", keyID)
+	}
+
 	vaultService := &hvaultRemoteService{
 		keyID: keyID,
+		debug: debug,
 	}
 
 	json.Unmarshal(([]byte(ctx)), &vaultService)
@@ -50,11 +56,18 @@ func NewVaultClientRemoteService(configFilePath string) (service.Service, error)
 
 	keypath := fmt.Sprintf("transit/keys/%s", vaultService.Transitkey)
 
+	if debug {
+		log.Println("DEBUG:--------------------------------------------------")
+		log.Println("DEBUG: unmarshal JSON values:", "\n                    -> vaultService.Address:", vaultService.Address, "\n                    -> vaultService.Trasitkey:", vaultService.Transitkey, "\n                    -> vaultService.Vaultrole:", vaultService.Vaultrole, "\n                    -> vaultService.Namespace:", vaultService.Namespace, "\n                    -> keypath:", keypath)
+	}
+
 	client, err := api.NewClient(vaultconfig)
 	if err != nil {
-		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:client: json.Unmarshal output from configFile:", "\n vaultService.Address:", vaultService.Address)
-		log.Println("--------------------------------------------------------")
+		if debug {
+			log.Println("DEBUG:--------------------------------------------------")
+			log.Println("DEBUG:client: json.Unmarshal output from configFile:", "\n vaultService.Address:", vaultService.Address)
+			log.Println("DEBUG:--------------------------------------------------")
+		}
 		log.Fatalln("EXIT:client: failed to initialize Vault client with error:\n", err.Error())
 	}
 
@@ -63,9 +76,11 @@ func NewVaultClientRemoteService(configFilePath string) (service.Service, error)
 	)
 
 	if err != nil {
-		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:k8sAuth: json.Unmarshal output from configFile:", "\n vaultService.Vaultrole:", vaultService.Vaultrole)
-		log.Println("--------------------------------------------------------")
+		if debug {
+			log.Println("DEBUG:--------------------------------------------------")
+			log.Println("DEBUG:k8sAuth: json.Unmarshal output from configFile:", "\n vaultService.Vaultrole:", vaultService.Vaultrole)
+			log.Println("DEBUG:--------------------------------------------------")
+		}
 		log.Fatalln("EXIT:k8sAuth: unable to initialize Kubernetes auth method with error:\n", err.Error())
 	}
 
@@ -83,14 +98,13 @@ func NewVaultClientRemoteService(configFilePath string) (service.Service, error)
 
 	client.SetNamespace(vaultService.Namespace)
 
-	// //keypath := fmt.Sprintf("transit/keys/%s", vaultService.Transitkey)
-	// keypath := "transit/keys/kleidi"
-
 	key, err := client.Logical().Read(keypath)
 	if err != nil {
-		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:key: keypath:", keypath)
-		log.Println("--------------------------------------------------------")
+		if debug {
+			log.Println("DEBUG:--------------------------------------------------")
+			log.Println("DEBUG:key: keypath:", keypath)
+			log.Println("DEBUG:--------------------------------------------------")
+		}
 		log.Fatalln("EXIT:key: unable to find transit key:\n", err.Error())
 	}
 
@@ -101,20 +115,22 @@ func NewVaultClientRemoteService(configFilePath string) (service.Service, error)
 
 func (s *hvaultRemoteService) Encrypt(ctx context.Context, uid string, plaintext []byte) (*service.EncryptResponse, error) {
 
-	// log.Println("--------------------------------------------------------------------------------------------------")
-	// log.Println("DEBUG: unencrypted payload:", string([]byte(plaintext)))
-	// log.Println("--------------------------------------------------------------------------------------------------")
+	if s.debug {
+		log.Println("DEBUG:--------------------------------------------------")
+		log.Println("DEBUG: unencrypted payload:", string([]byte(plaintext)))
+		log.Println("DEBUG:--------------------------------------------------")
+	}
 
-	// // keypath := fmt.Sprintf("transit/keys/%s", s.Transitkey)
+	enckeypath := fmt.Sprintf("transit/encrypt/%s", s.Transitkey)
 	// keypath := "transit/encrypt/kleidi"
 	encodepayload := map[string]interface{}{
 		"plaintext": base64.StdEncoding.EncodeToString(plaintext),
 	}
 
-	encrypt, err := s.Logical().WriteWithContext(ctx, s.keypath, encodepayload)
+	encrypt, err := s.Logical().WriteWithContext(ctx, enckeypath, encodepayload)
 	if err != nil {
 		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:encrypt:", "\nplaintext:", string([]byte(plaintext)), "\nkeypath:", s.keypath, "\nencodepayload:", encodepayload)
+		log.Println("DEBUG:encrypt:", "\nplaintext:", string([]byte(plaintext)), "\nkeypath:", enckeypath, "\nencodepayload:", encodepayload)
 		log.Println("--------------------------------------------------------")
 		log.Fatalln("EXIT:encrypt: with error:\n", err.Error())
 	}
@@ -150,16 +166,17 @@ func (s *hvaultRemoteService) Decrypt(ctx context.Context, uid string, req *serv
 		return nil, fmt.Errorf("/!\\ invalid keyID")
 	}
 
+	decryptkeypath := fmt.Sprintf("transit/decrypt/%s", s.Transitkey)
 	// // keypath := fmt.Sprintf("transit/keys/%s", s.Transitkey)
 	// keypath := "transit/decrypt/kleidi"
 	encryptedPayload := map[string]interface{}{
 		"ciphertext": string([]byte(req.Ciphertext)),
 	}
 
-	encryptedResponse, err := s.Logical().WriteWithContext(ctx, s.keypath, encryptedPayload)
+	encryptedResponse, err := s.Logical().WriteWithContext(ctx, decryptkeypath, encryptedPayload)
 	if err != nil {
 		log.Println("--------------------------------------------------------")
-		log.Println("DEBUG:encryptedResponse:", "\nkeypath:", s.keypath, "\nenresult:", encryptedPayload)
+		log.Println("DEBUG:encryptedResponse:", "\nkeypath:", decryptkeypath, "\nenresult:", encryptedPayload)
 		log.Println("--------------------------------------------------------")
 		log.Fatalln("EXIT:encryptedResponse: with error:", err.Error())
 	}

internal/utils/startprovider.go

@@ -16,19 +16,23 @@ const (
 	socketTimeOut = 10 * time.Second
 )
 
-func StartProvider(addr, provider, providerConfig string) {
+func StartProvider(addr, provider, providerConfig string, debug bool) {
 
 	switch provider {
 	case "softhsm":
-		startSofthsm(addr, provider, providerConfig)
+		startSofthsm(addr, provider, providerConfig, debug)
 	case "hvault":
-		startHvault(addr, provider, providerConfig)
+		startHvault(addr, provider, providerConfig, debug)
 	case "tpm":
-		startTpm(addr, provider, providerConfig)
+		startTpm(addr, provider, providerConfig, debug)
 	}
 }
 
-func startSofthsm(addr, provider, providerConfig string) {
+func startSofthsm(addr, provider, providerConfig string, debug bool) {
+
+	if debug {
+		log.Println("test")
+	}
 
 	remoteKMSService, err := providers.NewPKCS11RemoteService(providerConfig, "kleidi-kms-plugin")
 	if err != nil {
@@ -52,9 +56,9 @@ func startSofthsm(addr, provider, providerConfig string) {
 	grpcService.Shutdown()
 }
 
-func startHvault(addr, provider, providerConfig string) {
+func startHvault(addr, provider, providerConfig string, debug bool) {
 
-	remoteKMSService, err := providers.NewVaultClientRemoteService(providerConfig)
+	remoteKMSService, err := providers.NewVaultClientRemoteService(providerConfig, debug)
 	if err != nil {
 		log.Fatalln("EXIT: remote KMS provider [", provider, "] failed with error:\n", err.Error())
 	}
@@ -76,7 +80,11 @@ func startHvault(addr, provider, providerConfig string) {
 
 }
 
-func startTpm(addr, provider, providerConfig string) {
+func startTpm(addr, provider, providerConfig string, debug bool) {
+
+	if debug {
+		log.Println("test")
+	}
 
 	log.Println("BETA: flag -provider", provider, "with -listen", addr, "and -configfile", providerConfig, "currently unsafe to used in production.")
 	providers.TmpPlaceholder()

results.sarif

@@ -38,13 +38,13 @@
 								},
 								"region": {
 									"endColumn": 2,
-									"endLine": 47,
+									"endLine": 53,
 									"snippet": {
 										"text": "json.Unmarshal(([]byte(ctx)), \u0026vaultService)"
 									},
 									"sourceLanguage": "go",
 									"startColumn": 2,
-									"startLine": 47
+									"startLine": 53
 								}
 							}
 						}

scripts/prd/vault/env4kvault.sh

@@ -128,7 +128,7 @@ sleep 30
 
 echo 
 echo -e "  -> Checking a pre kleidi deployment Secret"
-# kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
+# kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
 
 if kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C | grep mydata;
 then 
@@ -144,7 +144,7 @@ kubectl create secret generic postkleidi -n default --from-literal=mykey=mydata
 
 echo 
 echo -e "  -> Checking a post kleidi deployment Secret"
-# kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C
+# kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C
 
 if kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/postkleidi" | hexdump -C | grep kms;
 then 
@@ -160,7 +160,7 @@ echo -e "  -> Performing replace of prekleidi"
 kubectl get secret prekleidi -o json | kubectl replace -f -
 
 echo -e "  -> Checking a pre kleidi Secret replace"
-# kubectl -n kube-system exec etcd-kleidi-vault-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
+# kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C
 
 if kubectl -n kube-system exec etcd-kleidi-vault-prd-control-plane -- sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/etc/kubernetes/pki/etcd/ca.crt' ETCDCTL_CERT='/etc/kubernetes/pki/etcd/server.crt' ETCDCTL_KEY='/etc/kubernetes/pki/etcd/server.key' ETCDCTL_API=3 etcdctl get /registry/secrets/default/prekleidi" | hexdump -C |grep kms;
 then 
@@ -175,7 +175,7 @@ killall -9 vault ||true
 
 echo
 echo -e "  -> Cleaning any existing kind test env" 
-kind delete cluster --name kleidi-vault
+kind delete cluster --name kleidi-vault-prd
 
 echo
 echo -e "  -> Cleaning vault-encryption-config.yaml"