authorStuart Stock <stuart@int08h.com>2018-10-21 15:04:56 -0500
committerStuart Stock <stuart@int08h.com>2018-10-21 15:04:56 -0500
commit44e6212e3480d2f3b15f30434abc892adcf3836f (patch)
treeddd3e4a80243acb008319c8c8b76bd37fc6516f9 /src/kms/gcpkms.rs
parentb22a6f055f4578b96224ff2372a0ba0c5942a00f (diff)
Add tests for envelope cypto and some enums
Diffstat (limited to 'src/kms/gcpkms.rs')
-rw-r--r--src/kms/gcpkms.rs58
1 files changed, 32 insertions, 26 deletions
diff --git a/src/kms/gcpkms.rs b/src/kms/gcpkms.rs
index d2590f5..1401925 100644
--- a/src/kms/gcpkms.rs
+++ b/src/kms/gcpkms.rs
@@ -17,48 +17,46 @@ extern crate log;
#[cfg(feature = "gcpkms")]
pub mod inner {
-
extern crate base64;
extern crate google_cloudkms1 as cloudkms1;
extern crate hyper;
extern crate hyper_rustls;
extern crate yup_oauth2 as oauth2;
-
- use std::fmt;
- use std::env;
- use std::fmt::Formatter;
- use std::str::FromStr;
- use std::result::Result;
use std::default::Default;
- use std::error::Error;
+ use std::env;
use std::path::Path;
- use std::time::Duration;
+ use std::result::Result;
use self::cloudkms1::CloudKMS;
- use self::cloudkms1::{
- DecryptRequest, EncryptRequest, Error as CloudKmsError, Result as CloudKmsResult,
- };
+ use self::cloudkms1::{DecryptRequest, EncryptRequest};
use self::hyper::net::HttpsConnector;
- use self::hyper::header::Headers;
use self::hyper::status::StatusCode;
use self::hyper_rustls::TlsClient;
- use self::oauth2::{service_account_key_from_file, ServiceAccountAccess, ServiceAccountKey};
+ use self::oauth2::{ServiceAccountAccess, ServiceAccountKey};
+
+ use kms::{EncryptedDEK, KmsError, KmsProvider, PlaintextDEK, AD};
- use kms::{EncryptedDEK, KmsError, KmsProvider, PlaintextDEK};
+ const GOOGLE_APP_CREDS: &str = &"GOOGLE_APPLICATION_CREDENTIALS";
+ /// Google Cloud Key Management Service
+ /// https://cloud.google.com/kms/
pub struct GcpKms {
key_resource_id: String,
service_account: ServiceAccountKey,
}
impl GcpKms {
+ ///
+ /// Create a new GcpKms from a Google Cloud KMS key resource ID of the form
+ /// `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+ ///
pub fn from_resource_id(resource_id: &str) -> Result<Self, KmsError> {
let svc_acct = load_gcp_credential()?;
Ok(GcpKms {
key_resource_id: resource_id.to_string(),
- service_account: svc_acct
+ service_account: svc_acct,
})
}
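Review bot: `const GOOGLE_APP_CREDS: &str = &"GOOGLE_APPLICATION_CREDENTIALS";` borrows a string literal that is already a `&'static str`, so the leading `&` is redundant and the line only type-checks through deref coercion; `const GOOGLE_APP_CREDS: &str = "GOOGLE_APPLICATION_CREDENTIALS";` is the plain form and is what clippy would expect. The read of this constant in the third hunk, `env::var(GOOGLE_APP_CREDS.to_string())`, allocates a `String` that `env::var` does not need, since it accepts any `AsRef<OsStr>`; `env::var(GOOGLE_APP_CREDS)` is sufficient there. The new doc comment on `from_resource_id` opens and closes with empty `///` lines, which rustdoc renders as empty paragraphs; keeping only the two content lines matches the `/// Google Cloud Key Management Service` comment added on the struct.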
@@ -125,10 +123,9 @@ pub mod inner {
Err(self.pretty_http_error(&http_resp))
}
}
- Err(e) => Err(KmsError::OperationFailed(format!("decrypt_dek() {:?}", e)))
+ Err(e) => Err(KmsError::OperationFailed(format!("decrypt_dek() {:?}", e))),
}
}
-
}
/// Minimal implementation of Application Default Credentials.
@@ -137,27 +134,36 @@ pub mod inner {
/// 1. Look for GOOGLE_APPLICATION_CREDENTIALS and load service account
/// credentials if found.
/// 2. If not, error
+ ///
+ /// TODO attempt to load GCE default credentials from metadata server.
+ /// This will be a bearer token instead of service account credential.
fn load_gcp_credential() -> Result<ServiceAccountKey, KmsError> {
- if let Ok(gac) = env::var("GOOGLE_APPLICATION_CREDENTIALS") {
+ if let Ok(gac) = env::var(GOOGLE_APP_CREDS.to_string()) {
if Path::new(&gac).exists() {
match oauth2::service_account_key_from_file(&gac) {
Ok(svc_acct_key) => return Ok(svc_acct_key),
Err(e) => {
- return Err(KmsError::InvalidConfiguration(
- format!("Can't load service account credential '{}': {:?}", gac, e)))
+ return Err(KmsError::InvalidConfiguration(format!(
+ "Can't load service account credential '{}': {:?}",
+ gac, e
+ )))
}
}
} else {
- return Err(KmsError::InvalidConfiguration(
- format!("GOOGLE_APPLICATION_CREDENTIALS='{}' does not exist", gac)))
+ return Err(KmsError::InvalidConfiguration(format!(
+ "{} ='{}' does not exist",
+ GOOGLE_APP_CREDS, gac
+ )));
}
-
}
- // TODO: call to metadata service to get default credential from
+ // TODO: call to GCE metadata service to get default credential from
// http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
- panic!("Failed to load service account credential. Is GOOGLE_APPLICATION_CREDENTIALS set?");
+ panic!(
+ "Failed to load service account credential. Is {} set?",
+ GOOGLE_APP_CREDS
+ );
}
}
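Review bot: `load_gcp_credential` still ends in `panic!` when the variable named by GOOGLE_APP_CREDS is unset, even though the function returns `Result<ServiceAccountKey, KmsError>` and both branches above report a bad credential path as `KmsError::InvalidConfiguration`; an unset variable is the same class of configuration error, and a panic here aborts the process with a backtrace instead of handing the caller a structured error it can log and handle consistently. The reformatted `panic!` could be replaced by `Err(KmsError::InvalidConfiguration(format!("Failed to load service account credential. Is {} set?", GOOGLE_APP_CREDS)))`, which also keeps the `// TODO` metadata-server fallback on a non-panicking path once it is implemented. Separately, the new format string `"{} ='{}' does not exist"` has a stray space before `=`, so the message renders as `GOOGLE_APPLICATION_CREDENTIALS ='/path' does not exist`; `"{}='{}' does not exist"` restores the wording the removed line had.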