author | Stuart Stock <stuart@int08h.com> | 2018-10-21 15:04:56 -0500 |
---|---|---|
committer | Stuart Stock <stuart@int08h.com> | 2018-10-21 15:04:56 -0500 |
commit | 44e6212e3480d2f3b15f30434abc892adcf3836f (patch) | |
tree | ddd3e4a80243acb008319c8c8b76bd37fc6516f9 /src/kms/gcpkms.rs | |
parent | b22a6f055f4578b96224ff2372a0ba0c5942a00f (diff) | |
Add tests for envelope crypto and some enums
Diffstat (limited to 'src/kms/gcpkms.rs')
-rw-r--r-- | src/kms/gcpkms.rs | 58 |
1 files changed, 32 insertions, 26 deletions
diff --git a/src/kms/gcpkms.rs b/src/kms/gcpkms.rs
index d2590f5..1401925 100644
--- a/src/kms/gcpkms.rs
+++ b/src/kms/gcpkms.rs
@@ -17,48 +17,46 @@ extern crate log;
 #[cfg(feature = "gcpkms")]
 pub mod inner {
- extern crate base64;
 extern crate google_cloudkms1 as cloudkms1;
 extern crate hyper;
 extern crate hyper_rustls;
 extern crate yup_oauth2 as oauth2;
-
- use std::fmt;
- use std::env;
- use std::fmt::Formatter;
- use std::str::FromStr;
- use std::result::Result;
 use std::default::Default;
- use std::error::Error;
+ use std::env;
 use std::path::Path;
- use std::time::Duration;
+ use std::result::Result;
 use self::cloudkms1::CloudKMS;
- use self::cloudkms1::{
- DecryptRequest, EncryptRequest, Error as CloudKmsError, Result as CloudKmsResult,
- };
+ use self::cloudkms1::{DecryptRequest, EncryptRequest};
 use self::hyper::net::HttpsConnector;
- use self::hyper::header::Headers;
 use self::hyper::status::StatusCode;
 use self::hyper_rustls::TlsClient;
- use self::oauth2::{service_account_key_from_file, ServiceAccountAccess, ServiceAccountKey};
+ use self::oauth2::{ServiceAccountAccess, ServiceAccountKey};
+
+ use kms::{EncryptedDEK, KmsError, KmsProvider, PlaintextDEK, AD};
- use kms::{EncryptedDEK, KmsError, KmsProvider, PlaintextDEK};
+ const GOOGLE_APP_CREDS: &str = &"GOOGLE_APPLICATION_CREDENTIALS";
+ /// Google Cloud Key Management Service
+ /// https://cloud.google.com/kms/
 pub struct GcpKms {
 key_resource_id: String,
 service_account: ServiceAccountKey,
 }
 impl GcpKms {
+ ///
+ /// Create a new GcpKms from a Google Cloud KMS key resource ID of the form
+ /// `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+ ///
 pub fn from_resource_id(resource_id: &str) -> Result<Self, KmsError> {
 let svc_acct = load_gcp_credential()?;
 Ok(GcpKms {
 key_resource_id: resource_id.to_string(),
- service_account: svc_acct
+ service_account: svc_acct,
 })
 }
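Review bot: The new constant is initialised with a reference to a string literal, `&"GOOGLE_APPLICATION_CREDENTIALS"`, which has type `&&str` and only lands in a `const ...: &str` via deref coercion; the literal alone already has the declared type, `const GOOGLE_APP_CREDS: &str = "GOOGLE_APPLICATION_CREDENTIALS";`. The doc comment added to `from_resource_id` promises a resource ID of the form `projects/*/locations/*/keyRings/*/cryptoKeys/*`, but the body stores any string unchecked, so a malformed ID surfaces only at the first KMS call; either validate the shape here and return `KmsError::InvalidConfiguration`, or state in the comment that the ID is not validated until first use. The empty leading and trailing `///` lines around that doc comment add nothing to the rendered rustdoc and can go.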
@@ -125,10 +123,9 @@ pub mod inner {
 Err(self.pretty_http_error(&http_resp))
 }
 }
- Err(e) => Err(KmsError::OperationFailed(format!("decrypt_dek() {:?}", e)))
+ Err(e) => Err(KmsError::OperationFailed(format!("decrypt_dek() {:?}", e))),
 }
 }
-
 }
 /// Minimal implementation of Application Default Credentials.
@@ -137,27 +134,36 @@ pub mod inner {
 /// 1. Look for GOOGLE_APPLICATION_CREDENTIALS and load service account
 /// credentials if found.
 /// 2. If not, error
+ ///
+ /// TODO attempt to load GCE default credentials from metadata server.
+ /// This will be a bearer token instead of service account credential.
 fn load_gcp_credential() -> Result<ServiceAccountKey, KmsError> {
- if let Ok(gac) = env::var("GOOGLE_APPLICATION_CREDENTIALS") {
+ if let Ok(gac) = env::var(GOOGLE_APP_CREDS.to_string()) {
 if Path::new(&gac).exists() {
 match oauth2::service_account_key_from_file(&gac) {
 Ok(svc_acct_key) => return Ok(svc_acct_key),
 Err(e) => {
- return Err(KmsError::InvalidConfiguration(
- format!("Can't load service account credential '{}': {:?}", gac, e)))
+ return Err(KmsError::InvalidConfiguration(format!(
+ "Can't load service account credential '{}': {:?}",
+ gac, e
+ )))
 }
 }
 } else {
- return Err(KmsError::InvalidConfiguration(
- format!("GOOGLE_APPLICATION_CREDENTIALS='{}' does not exist", gac)))
+ return Err(KmsError::InvalidConfiguration(format!(
+ "{} ='{}' does not exist",
+ GOOGLE_APP_CREDS, gac
+ )));
 }
-
 }
- // TODO: call to metadata service to get default credential from
+ // TODO: call to GCE metadata service to get default credential from
 // http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
- panic!("Failed to load service account credential. Is GOOGLE_APPLICATION_CREDENTIALS set?");
+ panic!(
+ "Failed to load service account credential. Is {} set?",
+ GOOGLE_APP_CREDS
+ );
 }
 }
|
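Review bot: The rewritten `panic!` at the end of `load_gcp_credential` still aborts the process on a missing credential even though the function returns `Result<ServiceAccountKey, KmsError>` and its caller `from_resource_id` already propagates errors with `?`; a missing or unset credential is ordinary misconfiguration and should take the same path as the two `InvalidConfiguration` returns above it, `Err(KmsError::InvalidConfiguration(format!("Failed to load service account credential. Is {} set?", GOOGLE_APP_CREDS)))`. The new `env::var(GOOGLE_APP_CREDS.to_string())` allocates a `String` for nothing, since `env::var` accepts any `AsRef<OsStr>`; `env::var(GOOGLE_APP_CREDS)` is enough. The new format string `"{} ='{}' does not exist"` carries a stray space before `=` that the previous `GOOGLE_APPLICATION_CREDENTIALS='{}'` message did not, so the rendered error now reads `GOOGLE_APPLICATION_CREDENTIALS ='...'`. The TODO about the GCE metadata server now appears both in the doc comment and in the inline comment before the `panic!`; one of the two is enough.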