Pid 2645 implement aws secret storage provider #848
Conversation
…ub.com:0xPolygonID/issuer-node into PID-2645-implement-aws-secret-storage-provider
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 14295020 | Triggered | Generic High Entropy Secret | 129144c | internal/kms/aws_secret_storage_provider_test.go | View secret |
| 8664826 | Triggered | Generic Password | 004c9a9 | k8s/helm/values.yaml | View secret |
| 14295020 | Triggered | Generic High Entropy Secret | 129144c | internal/kms/aws_secret_storage_provider_test.go | View secret |
| 14295020 | Triggered | Generic High Entropy Secret | 129144c | internal/kms/aws_secret_storage_provider_test.go | View secret |
| 14295020 | Triggered | Generic High Entropy Secret | bc715b3 | internal/kms/aws_secret_storage_provider_test.go | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
cmd/kms_priv_key_importer/main.go
Outdated
| if issuerKMSEthPluginVar != config.LocalStorage && issuerKMSEthPluginVar != config.Vault && issuerKMSEthPluginVar != config.AWS { | ||
| log.Error(ctx, "issuer kms eth provider is not set or is not localstorage or vault or aws", "plugin: ", issuerKMSEthPluginVar) | ||
| if issuerKMSETHProviderToUse != config.LocalStorage && issuerKMSETHProviderToUse != config.Vault && issuerKMSETHProviderToUse != config.AWS { | ||
| log.Error(ctx, "issuer kms eth provider is not set or is not localstorage or vault or aws", "plugin: ", issuerKMSETHProviderToUse) |
There was a problem hiding this comment.
This error message is messy. Cleaner one would be issuer kms eth provider is invalid, supported values are: localstorage, vault, aws
| ) | ||
|
|
||
| const ( | ||
| localstackSecretManagerEndpoint = "http://localhost:4566" |
There was a problem hiding this comment.
- It should not be a constant, should be configurable through env vars or config param.
- It's default value (coming from the env var / config) should not be localhost, but container name (e.g. http://localstack:4566)
- Name should not include "localstack" because user may switch to something else, better use "local" as in the name of key storage config.
There was a problem hiding this comment.
- ok
- ok
- I prefer
URLfor the name of the variable. So AWS config will be:
ISSUER_KMS_AWS_ACCESS_KEY=<aws_access_key>
ISSUER_KMS_AWS_SECRET_KEY=<aws_secret_key>
ISSUER_KMS_AWS_REGION=<aws_region> # if this value is `local` then `ISSUER_KMS_AWS_URL` is used
ISSUER_KMS_AWS_URL=<aws_url> # aws secret store URL
Note: ISSUER_KMS_AWS_REGION=local is for running tests.
| localstack: | ||
| image: localstack/localstack:latest | ||
| ports: | ||
| - "4566:4566" |
There was a problem hiding this comment.
Don't do port forwarding. Please remove the same for other containers (in a separate PR if too many changes are needed).
There was a problem hiding this comment.
We need port forwarding because localstack is used for running tests and those tests are outside docker
| } | ||
|
|
||
| // NewLocalStorageFileProvider - creates new local storage file manager | ||
| func NewLocalStorageFileProvider(file string) StorageManager { |
There was a problem hiding this comment.
Better rename local storage to file storage everywhere (including in config params and file name, and deprecate local as a storage option, but still support it), so that here we would have NewFileStorageManager (because it returns StorageManager, not StoragePrivider).
There was a problem hiding this comment.
@demonsh What do you think about introducing new kms config option file and deprecating local? I think it should be easier to understand what it is and how it works.
| return &localStorageFileProvider{file} | ||
| } | ||
|
|
||
| func (ls *localStorageFileProvider) SaveKeyMaterial(ctx context.Context, keyMaterial map[string]string, id string) error { |
| PrivateKey string `json:"private_key"` | ||
| type localBJJKeyProvider struct { | ||
| keyType KeyType | ||
| reIdenKeyPathHex *regexp.Regexp // RE of key path bounded to identity |
| type localBJJKeyProvider struct { | ||
| keyType KeyType | ||
| reIdenKeyPathHex *regexp.Regexp // RE of key path bounded to identity | ||
| reAnonKeyPathHex *regexp.Regexp // RE of key path not bounded to identity |
| KeyType string `json:"key_type"` | ||
| KeyPath string `json:"key_path"` | ||
| PrivateKey string `json:"private_key"` | ||
| type localBJJKeyProvider struct { |
There was a problem hiding this comment.
local means that the issuer node handles the creation of the keys unlike Vault or AWS KMS.
localBJJKeyProvider uses a storageManager to store the keys, which can be a text file or an AWS secret manager.
| keyType KeyType | ||
| reIdenKeyPathHex *regexp.Regexp // RE of key path bounded to identity | ||
| localStorageFileManager LocalStorageFileManager | ||
| type localEthKeyProvider struct { |
There was a problem hiding this comment.
local means that the issuer node handles the creation of the keys unlike Vault or AWS KMS.
localETHKeyProvider uses a storageManager to store the keys, which can be a text file or an AWS secret manager.
internal/kms/utils_test.go
Outdated
| ) | ||
|
|
||
| func Test_getKeyID(t *testing.T) { | ||
| identity, err := w3c.ParseDID("did:polygonid:polygon:amoy:2qQ68JkRcf3ySMcjPtGKJhGgu7jh4zzhrz6UxpXwPw") |
martinsaporiti
deleted the
PID-2645-implement-aws-secret-storage-provider
branch
No description provided.