updated credential encryption (#2233)

cmd/ingest/ingest.go

@@ -2,11 +2,12 @@ package ingest
 
 import (
 	"context"
+	"errors"
 	"fmt"
-
 	"github.com/frain-dev/convoy/config"
 	"github.com/frain-dev/convoy/database/postgres"
 	"github.com/frain-dev/convoy/internal/pkg/cli"
+	"github.com/frain-dev/convoy/internal/pkg/keys"
 	"github.com/frain-dev/convoy/internal/pkg/limiter"
 	"github.com/frain-dev/convoy/internal/pkg/memorystore"
 	"github.com/frain-dev/convoy/internal/pkg/metrics"
@@ -47,6 +48,19 @@ func AddIngestCommand(a *cli.App) *cobra.Command {
 				return err
 			}
 
+			km := keys.NewHCPVaultKeyManagerFromConfig(cfg.HCPVault, a.Licenser, a.Cache)
+			if km.IsSet() {
+				if _, err = km.GetCurrentKeyFromCache(); err != nil {
+					if !errors.Is(err, keys.ErrCredentialEncryptionFeatureUnavailable) {
+						return err
+					}
+					km.Unset()
+				}
+			}
+			if err = keys.Set(km); err != nil {
+				return err
+			}
+
 			err = StartIngest(cmd.Context(), a, cfg, interval)
 			if err != nil {
 				return err

cmd/utils/init_encryption.go

@@ -21,15 +21,10 @@ var (
 
 func AddInitEncryptionCommand(a *cli.App) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "init-encryption <encryption-key>",
-		Short: "Initializes encryption for the specified table columns with the provided encryption key",
-		Args:  cobra.ExactArgs(1),
+		Use:   "init-encryption",
+		Short: "Initializes encryption for the specified table columns with the encryption key fetched from HCP Vault",
+		Args:  cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			encryptionKey := args[0]
-
-			if encryptionKey == "" {
-				return ErrEncryptionKeyCannotBeEmpty
-			}
 			timeout, err := cmd.Flags().GetInt("timeout")
 			if err != nil {
 				log.WithError(err).Errorln("failed to get timeout")
@@ -56,7 +51,16 @@ func AddInitEncryptionCommand(a *cli.App) *cobra.Command {
 				return ErrMissingHCPVaultConfig
 			}
 
-			log.Infof("Initializing encryption with the provided key...")
+			currentKey, err := km.GetCurrentKey()
+			if err != nil {
+				return err
+			}
+
+			if currentKey == "" {
+				return ErrEncryptionKeyCannotBeEmpty
+			}
+
+			log.Infof("Initializing encryption with the current encryption key...")
 
 			db, err := postgres.NewDB(cfg)
 			if err != nil {
@@ -65,7 +69,7 @@ func AddInitEncryptionCommand(a *cli.App) *cobra.Command {
 			}
 			defer db.Close()
 
-			err = keys.InitEncryption(a.Logger, db, km, encryptionKey, timeout)
+			err = keys.InitEncryption(a.Logger, db, km, currentKey, timeout)
 			if err != nil {
 				log.WithError(err).Error("Error initializing encryption key.")
 			}

cmd/utils/revert_encryption.go

@@ -1,7 +1,6 @@
 package utils
 
 import (
-	"errors"
 	"github.com/frain-dev/convoy/config"
 	"github.com/frain-dev/convoy/database/postgres"
 	"github.com/frain-dev/convoy/internal/pkg/cli"
@@ -13,23 +12,17 @@ import (
 
 func AddRevertEncryptionCommand(a *cli.App) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "revert-encryption <encryption-key>",
-		Short: "Reverts the encryption initialization for the specified table columns with the provided encryption key",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			encryptionKey := args[0]
+		Use:   "revert-encryption",
+		Short: "Reverts the encryption initialization for the specified table columns with the encryption key fetched from HCP Vaults",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, _ []string) error {
 
-			if encryptionKey == "" {
-				return ErrEncryptionKeyCannotBeEmpty
-			}
 			timeout, err := cmd.Flags().GetInt("timeout")
 			if err != nil {
 				log.WithError(err).Errorln("failed to get timeout")
 				return err
 			}
 
-			log.Infof("Reverting encryption with the provided key...")
-
 			cfg, err := config.Get()
 			if err != nil {
 				log.WithError(err).Error("Error fetching the config.")
@@ -46,28 +39,25 @@ func AddRevertEncryptionCommand(a *cli.App) *cobra.Command {
 				return ErrMissingHCPVaultConfig
 			}
 
-			// Ensure the encryption key matches the current key
-			currentKey, err := km.GetCurrentKey()
+			currentKey, err := km.GetHCPSecretKey()
 			if err != nil {
-				if !errors.Is(err, keys.ErrCredentialEncryptionFeatureUnavailable) {
-					return err
-				}
+				return err
 			}
-			if encryptionKey != currentKey {
-				if !errors.Is(err, keys.ErrCredentialEncryptionFeatureUnavailable) {
-					return ErrEncryptionKeyMismatch
-				}
-				// allow any key if downgraded
+
+			if currentKey == "" {
+				return ErrEncryptionKeyCannotBeEmpty
 			}
 
+			log.Infof("Reverting encryption with the current encryption key...")
+
 			db, err := postgres.NewDB(cfg)
 			if err != nil {
 				log.WithError(err).Error("Error connecting to database.")
 				return err
 			}
 			defer db.Close()
 
-			err = keys.RevertEncryption(a.Logger, db, encryptionKey, timeout)
+			err = keys.RevertEncryption(a.Logger, db, currentKey, timeout)
 			if err != nil {
 				log.WithError(err).Error("Error reverting the encryption key.")
 			}

internal/pkg/keys/encrypter_init.go

@@ -57,13 +57,6 @@ func InitEncryption(lo log.StdLogger, db database.Database, km KeyManager, encry
 		}
 	}
 
-	err = km.SetKey(encryptionKey)
-	if err != nil {
-		rollback(lo, tx)
-		lo.WithError(err).Error("failed to set encryption key")
-		return fmt.Errorf("failed to update encryption key: %w", err)
-	}
-
 	// Commit the transaction
 	if err := tx.Commit(); err != nil {
 		lo.WithError(err).Error("failed to commit transaction")

internal/pkg/keys/hcpvault.go

@@ -143,7 +143,11 @@ func (k *HCPVaultKeyManager) GetCurrentKey() (string, error) {
 	if !k.licenser.CredentialEncryption() {
 		return "", ErrCredentialEncryptionFeatureUnavailable
 	}
+	return k.GetHCPSecretKey()
+}
 
+// GetHCPSecretKey retrieves the current key from HCP Vault API.
+func (k *HCPVaultKeyManager) GetHCPSecretKey() (string, error) {
 	retryCount := 1
 	for {
 		if err := k.ensureValidToken(); err != nil {