Update Acra tools with kms cli (#554)

* zhars/update_tools_kms_cli

Updated Acra tools with KMS CLI flags to support MasterKey loading

cmd/acra-addzone/acra-addzone.go

@@ -37,6 +37,7 @@ import (
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
 	filesystemBackendV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem/backend"
@@ -59,6 +60,7 @@ func main() {
 	outputDir := flag.String("keys_output_dir", keystore.DefaultKeyDirShort, "Folder where will be saved generated zone keys")
 	flag.Bool("fs_keystore_enable", true, "Use filesystem keystore (deprecated, ignored)")
 
+	kms.RegisterCLIParameters()
 	hashicorp.RegisterVaultCLIParameters()
 	cmd.RegisterRedisKeyStoreParameters()
 	verbose := flag.Bool("v", false, "Log to stderr all INFO, WARNING and ERROR logs")
@@ -77,7 +79,7 @@ func main() {
 		logging.SetLogLevel(logging.LogVerbose)
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		os.Exit(1)

cmd/acra-backup/acra-backup.go

@@ -28,6 +28,7 @@ import (
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	"github.com/cossacklabs/acra/logging"
 	"github.com/cossacklabs/acra/utils"
 
@@ -57,6 +58,7 @@ func main() {
 	action := flag.String("action", "", fmt.Sprintf("%s|%s values are accepted", actionImport, actionExport))
 	file := flag.String("file", "", fmt.Sprintf("path to file which will be used for %s|%s action", actionImport, actionExport))
 
+	kms.RegisterCLIParameters()
 	cmd.RegisterRedisKeyStoreParameters()
 	hashicorp.RegisterVaultCLIParameters()
 
@@ -83,7 +85,7 @@ func main() {
 		storage = &filesystem.DummyStorage{}
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		os.Exit(1)

cmd/acra-keys/keys/generate.go

@@ -298,7 +298,7 @@ func (g *GenerateKeySubcommand) Execute() {
 		}
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(g.CommonKeyStoreParameters.VaultCLIOptions())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(g.CommonKeyStoreParameters.VaultCLIOptions(), g.CommonKeyStoreParameters.KMSCLIOptions())
 	if err != nil {
 		return
 	}

cmd/acra-keys/keys/keystore.go

@@ -24,6 +24,7 @@ import (
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	"github.com/cossacklabs/acra/keystore/v2/keystore/api"
 	filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
@@ -46,6 +47,7 @@ type KeyStoreParameters interface {
 	RedisConfigured() bool
 	RedisOptions() *redis.Options
 	VaultCLIOptions() hashicorp.VaultCLIOptions
+	KMSCLIOptions() kms.CLIOptions
 }
 
 // CommonKeyStoreParameters is a mix-in of command line parameters for keystore construction.
@@ -55,6 +57,7 @@ type CommonKeyStoreParameters struct {
 
 	redisOptions cmd.RedisOptions
 	vaultOptions hashicorp.VaultCLIOptions
+	kmsOptions   kms.CLIOptions
 }
 
 // KeyDir returns path to key directory.
@@ -85,6 +88,11 @@ func (p *CommonKeyStoreParameters) VaultCLIOptions() hashicorp.VaultCLIOptions {
 	return p.vaultOptions
 }
 
+// KMSCLIOptions returns KMS configuration options for ACRA_MASTER_KEY loading.
+func (p *CommonKeyStoreParameters) KMSCLIOptions() kms.CLIOptions {
+	return p.kmsOptions
+}
+
 // RegisterRedisWithPrefix registers redis options in given flag set, using additional prefix.
 func (p *CommonKeyStoreParameters) RegisterRedisWithPrefix(flags *flag.FlagSet, prefix, description string) {
 	p.redisOptions.RegisterKeyStoreParameters(flags, prefix, description)
@@ -100,6 +108,7 @@ func (p *CommonKeyStoreParameters) Register(flags *flag.FlagSet) {
 	p.RegisterPrefixed(flags, DefaultKeyDirectory, "", "")
 	p.redisOptions.RegisterKeyStoreParameters(flags, "", "")
 	p.vaultOptions.RegisterCLIParameters(flags, "", "")
+	p.kmsOptions.RegisterCLIParameters(flags, "", "")
 }
 
 // RegisterPrefixed registers keystore flags with the given flag set, using given prefix and description.
@@ -113,7 +122,7 @@ func (p *CommonKeyStoreParameters) RegisterPrefixed(flags *flag.FlagSet, default
 
 // OpenKeyStoreForReading opens a keystore suitable for reading keys.
 func OpenKeyStoreForReading(params KeyStoreParameters) (keystore.ServerKeyStore, error) {
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions(), params.KMSCLIOptions())
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +135,7 @@ func OpenKeyStoreForReading(params KeyStoreParameters) (keystore.ServerKeyStore,
 
 // OpenKeyStoreForWriting opens a keystore suitable for modifications.
 func OpenKeyStoreForWriting(params KeyStoreParameters) (keyStore keystore.KeyMaking, err error) {
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions(), params.KMSCLIOptions())
 	if err != nil {
 		return nil, err
 	}
@@ -139,7 +148,7 @@ func OpenKeyStoreForWriting(params KeyStoreParameters) (keyStore keystore.KeyMak
 
 // OpenKeyStoreForExport opens a keystore suitable for export operations.
 func OpenKeyStoreForExport(params KeyStoreParameters) (api.KeyStore, error) {
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions(), params.KMSCLIOptions())
 	if err != nil {
 		return nil, err
 	}
@@ -153,7 +162,7 @@ func OpenKeyStoreForExport(params KeyStoreParameters) (api.KeyStore, error) {
 
 // OpenKeyStoreForImport opens a keystore suitable for import operations.
 func OpenKeyStoreForImport(params KeyStoreParameters) (api.MutableKeyStore, error) {
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(params.VaultCLIOptions(), params.KMSCLIOptions())
 	if err != nil {
 		return nil, err
 	}

cmd/acra-poisonrecordmaker/acra-poisonrecordmaker.go

@@ -35,6 +35,7 @@ import (
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
 	filesystemBackendV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem/backend"
@@ -63,6 +64,7 @@ func main() {
 	dataLength := flag.Int("data_length", poison.UseDefaultDataLength, fmt.Sprintf("Length of random data for data block in acrastruct. -1 is random in range 1..%v", poison.DefaultDataLength))
 	recordType := flag.String("type", RecordTypeAcraStruct, fmt.Sprintf("Type of poison record: \"%s\" | \"%s\"\n", RecordTypeAcraStruct, RecordTypeAcraBlock))
 
+	kms.RegisterCLIParameters()
 	cmd.RegisterRedisKeyStoreParameters()
 	hashicorp.RegisterVaultCLIParameters()
 
@@ -75,7 +77,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		os.Exit(1)

cmd/acra-rollback/acra-rollback.go

@@ -28,16 +28,17 @@ import (
 	"database/sql"
 	"flag"
 	"fmt"
-	"github.com/cossacklabs/acra/acrastruct"
-	"github.com/cossacklabs/acra/keystore/keyloader"
-	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
 	"os"
 	"path/filepath"
 	"strings"
 
+	"github.com/cossacklabs/acra/acrastruct"
 	"github.com/cossacklabs/acra/cmd"
 	"github.com/cossacklabs/acra/keystore"
 	"github.com/cossacklabs/acra/keystore/filesystem"
+	"github.com/cossacklabs/acra/keystore/keyloader"
+	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
 	"github.com/cossacklabs/acra/logging"
@@ -170,6 +171,7 @@ func main() {
 	useMysql := flag.Bool("mysql_enable", false, "Handle MySQL connections")
 	usePostgresql := flag.Bool("postgresql_enable", false, "Handle Postgresql connections")
 
+	kms.RegisterCLIParameters()
 	hashicorp.RegisterVaultCLIParameters()
 	logging.SetLogLevel(logging.LogVerbose)
 
@@ -223,7 +225,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		os.Exit(1)

cmd/acra-rotate/acra-rotate.go

@@ -21,14 +21,15 @@ package main
 import (
 	"database/sql"
 	"flag"
-	"github.com/cossacklabs/acra/crypto"
 	"os"
 
 	"github.com/cossacklabs/acra/cmd"
+	"github.com/cossacklabs/acra/crypto"
 	"github.com/cossacklabs/acra/keystore"
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
 	filesystemBackendV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem/backend"
@@ -131,6 +132,7 @@ func main() {
 	dryRun := flag.Bool("dry-run", false, "perform rotation without saving rotated AcraStructs and keys")
 	logging.SetLogLevel(logging.LogVerbose)
 
+	kms.RegisterCLIParameters()
 	hashicorp.RegisterVaultCLIParameters()
 
 	err := cmd.Parse(DefaultConfigPath, ServiceName)
@@ -140,7 +142,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		os.Exit(1)

cmd/acra-translator/acra-translator.go

@@ -44,6 +44,7 @@ import (
 	"github.com/cossacklabs/acra/keystore/filesystem"
 	"github.com/cossacklabs/acra/keystore/keyloader"
 	"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
+	"github.com/cossacklabs/acra/keystore/keyloader/kms"
 	keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
 	filesystem2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
 	filesystemBackendV2CE "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem/backend"
@@ -134,6 +135,7 @@ func realMain() error {
 	useClientIDFromConnection := flag.Bool("acratranslator_client_id_from_connection_enable", false, "Use clientID from TLS certificates or secure session handshake instead directly passed values in gRPC methods")
 	enableAuditLog := flag.Bool("audit_log_enable", false, "Enable audit log functionality")
 
+	kms.RegisterCLIParameters()
 	hashicorp.RegisterVaultCLIParameters()
 	cmd.RegisterTracingCmdParameters()
 	cmd.RegisterJaegerCmdParameters()
@@ -197,7 +199,7 @@ func realMain() error {
 
 	cmd.SetupTracing(ServiceName)
 
-	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters())
+	keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
 		return err

configs/acra-addzone.yaml

@@ -14,6 +14,12 @@ generate_markdown_args_table: false
 # Folder where will be saved generated zone keys
 keys_output_dir: .acrakeys
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Number of Redis database for keys
 redis_db_keys: 0
 

configs/acra-backup.yaml

@@ -20,6 +20,12 @@ keys_private_dir: .acrakeys
 # Folder with public keys. Leave empty if keys stored in same folder as keys_private_dir
 keys_public_dir: 
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Logging format: plaintext, json or CEF
 logging_format: plaintext
 

configs/acra-keys.yaml

@@ -17,6 +17,12 @@ keys_dir: .acrakeys
 # path to key directory for public keys
 keys_dir_public: 
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Number of Redis database for keys
 redis_db_keys: 0
 

configs/acra-poisonrecordmaker.yaml

@@ -14,6 +14,12 @@ generate_markdown_args_table: false
 # Folder from which will be loaded keys
 keys_dir: .acrakeys
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Number of Redis database for keys
 redis_db_keys: 0
 

configs/acra-rollback.yaml

@@ -26,6 +26,12 @@ insert:
 # Folder from which the keys will be loaded
 keys_dir: .acrakeys
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Handle MySQL connections
 mysql_enable: false
 

configs/acra-rotate.yaml

@@ -20,6 +20,12 @@ generate_markdown_args_table: false
 # Folder from which the keys will be loaded
 keys_dir: .acrakeys
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Handle MySQL connections
 mysql_enable: false
 

configs/acra-translator.yaml

@@ -50,6 +50,12 @@ keystore_cache_on_start_enable: true
 # Maximum number of keys stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache. Default is 1000
 keystore_cache_size: 1000
 
+# KMS credentials JSON file path
+kms_credentials_path: 
+
+# KMS type for using: <aws>
+kms_type: 
+
 # Log to stderr if true
 log_to_console: true
 

keystore/keyloader/kms/kms_cli.go

@@ -62,7 +62,7 @@ func GetCLIParameters() *CLIOptions {
 }
 
 // New create MasterKeyLoader from kms.CLIOptions - implementation of keyloader.CliMasterKeyLoaderCreator interface
-func (options *CLIOptions) New() (keyloader.MasterKeyLoader, error) {
+func (options CLIOptions) New() (keyloader.MasterKeyLoader, error) {
 	if options.KMSType == "" {
 		return nil, nil
 	}