Use kms per client #556

Merged
merged 14 commits into from
Aug 8, 2022

@Zhaars Zhaars commented Aug 1, 2022

Initial Implementation of KMS per client.

This PR contains several significant changes:

  • change keystore.Encryptor interface - now the Encrypt/Decrypt methods expect a KeyContext to be passed.
  • SCellEncryptor implementation was changed based on KeyContext.Context
  • Implemented kms.Encryptor and kms.KeyMakingWrapper, which is a simple Decorator with kms key creation

type KeyContext struct {
  ClientID []byte
  ZoneID []byte
  Context []byte
  Purpose []byte/string/etc
}

Left some TODOs in the code with some open questions to discuss.

Checklist

Implementation of KMS per client
@Zhaars Zhaars requested review from Lagovas and G1gg1L3s August 1, 2022 09:51
Zhaars added 2 commits August 1, 2022 14:38
# Conflicts:
#	keystore/filesystem/server_keystore.go
#	keystore/filesystem/server_keystore_test.go
Fixed conflicts with master
keyID, err := getKeyIDFromContext(keyContext)
if err != nil {
// TODO: add logging
return nil, err
Collaborator

We can try to get the logger from the context via the logging.GetLoggerFromContext function.

Zhaars added 2 commits August 1, 2022 17:44
Fixed after review
@@ -239,8 +242,10 @@ func newFilesystemKeyStore(privateKeyFolder, publicKeyFolder string, storage Sto
return nil, err
}
}

ctx, _ := context.WithTimeout(context.Background(), network.DefaultNetworkTimeout)
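Review bot: the added line ctx, _ := context.WithTimeout(context.Background(), network.DefaultNetworkTimeout) discards the cancel function, so the context's timer is held until the timeout expires instead of being released when newFilesystemKeyStore is done with it, and go vet's lostcancel check flags this pattern. Keep the function and release it, for example ctx, cancel := context.WithTimeout(...) followed by defer cancel(). It is also worth a comment stating which calls this ctx is meant to bound, since the deadline starts counting at construction time.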
Contributor

Can you please tell why there is a timeout in the context?

Contributor Author

Sure. It is a good practice to have a timeout for any network operation. We can ignore it for our SCellEncryptor as we don't do any network calls, but for KMS-related stuff, we should have some timeout checking. In the case of KMS unavailability or some network issue, the request will exit (in 60 secs) with an error TimoutExceeded.

Contributor Author

And context is a commonly used thing for this case in Go. A great practice to pass context as the first param to the functions
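
The timeout behaviour discussed in this thread, as an added example that is not code from the PR or from Acra: slowKMS, its Encrypt method and encryptWithTimeout are hypothetical names, and KeyContext is reduced to the byte-slice fields listed in the PR description.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// KeyContext mirrors the struct from the PR description (Purpose omitted).
type KeyContext struct {
	ClientID, ZoneID, Context []byte
}

// slowKMS is a hypothetical stand-in for a remote KMS client;
// delay simulates network latency or an unreachable service.
type slowKMS struct{ delay time.Duration }

// Encrypt returns when the simulated call finishes or ctx is done, whichever is first.
func (k slowKMS) Encrypt(ctx context.Context, data []byte, kc KeyContext) ([]byte, error) {
	select {
	case <-time.After(k.delay):
		return append([]byte("kms:"), data...), nil
	case <-ctx.Done():
		// Wrap ctx.Err() so callers can still test for context.DeadlineExceeded.
		return nil, fmt.Errorf("kms encrypt for client %q: %w", kc.ClientID, ctx.Err())
	}
}

// encryptWithTimeout bounds one KMS call and always releases the context's timer.
func encryptWithTimeout(k slowKMS, timeout time.Duration, data []byte, kc KeyContext) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return k.Encrypt(ctx, data, kc)
}

func main() {
	kc := KeyContext{ClientID: []byte("client-a")} // constructed sample value
	out, err := encryptWithTimeout(slowKMS{delay: time.Millisecond}, time.Second, []byte("dek"), kc)
	fmt.Printf("%s %v\n", out, err)
	// A KMS slower than the deadline fails fast instead of blocking the caller.
	_, err = encryptWithTimeout(slowKMS{delay: time.Second}, 20*time.Millisecond, []byte("dek"), kc)
	fmt.Println(errors.Is(err, context.DeadlineExceeded), err)
}
```
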

Fixed after review/added integration tests/extend addzone with KMS KEK creating
@Zhaars Zhaars requested a review from Lagovas August 3, 2022 15:31
@Zhaars Zhaars marked this pull request as ready for review August 3, 2022 15:32
Zhaars added 3 commits August 3, 2022 17:45
Added KMS keystore encryptor initialization to acra-translator
Restructure configs
Added KMS keystore encryptor for all keystore use acra tools
@@ -226,7 +226,7 @@ func MigrateV1toV2(srcV1 filesystem.KeyExport, dstV2 keystoreV2.KeyFileImportV1)

log.Tracef("Importing %d keys from keystore v1", expected)
for _, key := range keys {
log := log.WithField("purpose", key.Purpose).WithField("id", key.ID)
log := log.WithField("purpose", key.KeyContext.Purpose).WithField("id", keystore.GetKeyContextFromContext(key.KeyContext))
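Review bot: on the last line of this hunk the "id" field now receives the result of keystore.GetKeyContextFromContext(key.KeyContext), which returns a []byte, so the log entry carries raw bytes and no longer says whether they are a zone ID, a client ID or a context. Consider logging a string form of the value, or separate fields per identifier kind, so migration logs stay readable and unambiguous.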
Collaborator

How will key.KeyContext be logged?

Contributor Author

But we are logging key.KeyContext.Purpose here or what do you mean?

Collaborator

.WithField("id", keystore.GetKeyContextFromContext(key.KeyContext))
How will it look in the log entry? Something like &{ClientID: nil, ZoneID: nil, Context: []byte{0, 12, 42, 321}} or something else?

Contributor Author

Not precisely, previously we had

log := log.WithField("purpose", key.Purpose).WithField("id", key.ID) 

where key.ID is a simple byte slice, which is strange as it would print something like []byte{0, 12, 42, 321}

So I just repeat the functionality. Here key.KeyContext is not a byte slice but a keystore.KeyContext struct. So now it will print some byte slice because of the function.

func GetKeyContextFromContext(keyContext KeyContext) []byte {
	if keyContext.ZoneID != nil {
		return keyContext.ZoneID
	}
	if keyContext.ClientID != nil {
		return keyContext.ClientID
	}
	if keyContext.Context != nil {
		return keyContext.Context
	}
	return nil
}

I think it makes sense to wrap with string to print string data instead of bytes @Lagovas

Collaborator

@Lagovas Lagovas Aug 8, 2022

+1. Maybe let's implement String() string to allow the logger to use this function?
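
The String() idea from the comments above, as an added sketch that is not the PR's or Acra's code: it keeps the ZoneID, ClientID, Context precedence of GetKeyContextFromContext, and the kind prefixes, the hex fallback and the render and describe helpers are assumptions made for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// KeyContext mirrors the struct from the PR description (Purpose omitted).
type KeyContext struct {
	ClientID []byte
	ZoneID   []byte
	Context  []byte
}

// render prints textual IDs as-is and anything else as hex, so binary
// context bytes cannot inject control characters into a log line.
func render(b []byte) string {
	if utf8.Valid(b) {
		printable := true
		for _, r := range string(b) {
			if !unicode.IsPrint(r) {
				printable = false
				break
			}
		}
		if printable {
			return string(b)
		}
	}
	return "0x" + hex.EncodeToString(b)
}

// String uses the same precedence as GetKeyContextFromContext and adds the
// identifier kind, which the bare byte slice does not convey.
func (kc KeyContext) String() string {
	switch {
	case kc.ZoneID != nil:
		return "zone:" + render(kc.ZoneID)
	case kc.ClientID != nil:
		return "client:" + render(kc.ClientID)
	case kc.Context != nil:
		return "context:" + render(kc.Context)
	}
	return "<empty>"
}

// describe shows that fmt's %v picks up String() for a KeyContext value.
func describe(kc KeyContext) string { return fmt.Sprintf("id=%v", kc) }

func main() {
	fmt.Println(describe(KeyContext{ClientID: []byte("client-a")})) // constructed sample values
	fmt.Println(describe(KeyContext{ZoneID: []byte{0, 12, 42}, ClientID: []byte("c")}))
}
```
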

Fixed after review/add integration tests
@Zhaars Zhaars requested review from Lagovas and G1gg1L3s August 4, 2022 16:50
@Zhaars Zhaars self-assigned this Aug 4, 2022
for new records"""
args = [os.path.join(BINARY_OUTPUT_FOLDER, 'acra-poisonrecordmaker')]
if keys_dir:
args.append('--keys_dir={}'.format(keys_dir))
Collaborator

Should we pass the keystore version here too?

Contributor Author

No, it is required for keymaker but not for poisonrecordmaker.

Added keystore_encryption_type flag
Zhaars added 3 commits August 5, 2022 16:28
Fixed unit tests
Fixed tests/updated CHANGELOG file
Fixed after review
Collaborator

@Lagovas Lagovas left a comment

great job

@Zhaars Zhaars merged commit 0404a68 into master Aug 8, 2022
@Lagovas Lagovas deleted the zhars/use_kms_per_client branch August 22, 2022 21:01