From 17432ddfb1840a8ecce6e90929b01819c95a1250 Mon Sep 17 00:00:00 2001 From: Lucas Kent Date: Wed, 30 Aug 2023 11:31:20 +1000 Subject: [PATCH] Replace rusoto with official AWS SDK (#1306) --- Cargo.lock | 278 +++++------------- shotover/Cargo.toml | 6 +- shotover/src/transforms/protect/aws_kms.rs | 91 +++--- .../src/transforms/protect/key_management.rs | 45 +-- shotover/src/transforms/protect/mod.rs | 2 +- 5 files changed, 155 insertions(+), 267 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ef8cd3da2..d12ea55c7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -66,9 +66,9 @@ dependencies = [ [[package]] name = "aho-corasick" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6748e8def348ed4d14996fa801f4122cd763fff530258cdc03f64b25f89d3a5a" +checksum = "0c378d78423fdad8089616f827526ee33c19f2fddbd5de1629152c9593ba4783" dependencies = [ "memchr", ] @@ -174,9 +174,9 @@ checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" [[package]] name = "async-compression" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62b74f44609f0f91493e3082d3734d98497e094777144380ea4db9f9905dd5b6" +checksum = "d495b6dc0184693324491a5ac05f559acc97bf937ab31d7a1c33dd0016be6d2b" dependencies = [ "flate2", "futures-core", @@ -382,6 +382,30 @@ dependencies = [ "tracing", ] +[[package]] +name = "aws-sdk-kms" +version = "0.30.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a92f134e75581d16a36a6d7e6dd8b6cdef5cbc610e599a8c12df317eb7868c8b" +dependencies = [ + "aws-credential-types", + "aws-http", + "aws-runtime", + "aws-smithy-async", + "aws-smithy-client", + "aws-smithy-http", + "aws-smithy-json", + "aws-smithy-runtime", + "aws-smithy-runtime-api", + "aws-smithy-types", + "aws-types", + "bytes", + "http", + "regex", + "tokio-stream", + "tracing", +] + [[package]] name = "aws-sdk-sso" version = "0.30.0" @@ -439,12 +463,12 @@ dependencies = [ "aws-smithy-http", "form_urlencoded", "hex", - "hmac 0.12.1", + "hmac", "http", "once_cell", "percent-encoding", "regex", - "sha2 0.10.7", + "sha2", "time 0.3.28", "tracing", ] @@ -704,7 +728,7 @@ checksum = "6aeac2e1fe888769f34f05ac343bbef98b14d1ffb292ab69d4608b3abc86f2a2" dependencies = [ "blowfish", "pbkdf2 0.12.2", - "sha2 0.10.7", + "sha2", ] [[package]] @@ -771,15 +795,6 @@ version = "2.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" -[[package]] -name = "block-buffer" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" -dependencies = [ - "generic-array", -] - [[package]] name = "block-buffer" version = "0.10.4" @@ -1036,9 +1051,9 @@ dependencies = [ [[package]] name = "chrono" -version = "0.4.26" +version = "0.4.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec837a71355b28f6556dbd569b37b3f363091c0bd4b2e735674521b4c5fd9bc5" +checksum = "f56b4c72906975ca04becb8a30e102dfecddd0c06181e3e95ddc444be28881f8" dependencies = [ "android-tzdata", "iana-time-zone", @@ -1047,7 +1062,7 @@ dependencies = [ "serde", "time 0.1.45", "wasm-bindgen", - "winapi", + "windows-targets 0.48.5", ] [[package]] @@ -1401,16 +1416,6 @@ dependencies = [ "typenum", ] -[[package]] -name = "crypto-mac" -version = "0.11.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714" -dependencies = [ - "generic-array", - "subtle", -] - [[package]] name = "csv" version = "1.2.2" @@ -1450,7 +1455,7 @@ dependencies = [ "cfg-if", "cpufeatures", "curve25519-dalek-derive", - "digest 0.10.7", + "digest", "fiat-crypto", "platforms", "rustc_version", @@ -1556,9 +1561,9 @@ dependencies = [ [[package]] name = "dashmap" -version = "5.5.1" +version = "5.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "edd72493923899c6f10c641bdbdeddc7183d6396641d99c1a0d1597f37f92e28" +checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856" dependencies = [ "cfg-if", "hashbrown 0.14.0", @@ -1647,22 +1652,13 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "digest" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" -dependencies = [ - "generic-array", -] - [[package]] name = "digest" version = "0.10.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ - "block-buffer 0.10.4", + "block-buffer", "const-oid", "crypto-common", "subtle", @@ -1750,7 +1746,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4b1e0c257a9e9f25f90ff76d7a68360ed497ee519c8e428d1825ef0000799d4" dependencies = [ "der", - "digest 0.10.7", + "digest", "elliptic-curve", "rfc6979", "signature", @@ -1777,7 +1773,7 @@ dependencies = [ "ed25519", "rand_core 0.6.4", "serde", - "sha2 0.10.7", + "sha2", "zeroize", ] @@ -1795,7 +1791,7 @@ checksum = "968405c8fdc9b3bf4df0a6638858cc0b52462836ab6b1c87377785dd09cf1c0b" dependencies = [ "base16ct", "crypto-bigint", - "digest 0.10.7", + "digest", "ff", "generic-array", "group", @@ -1857,9 +1853,9 @@ dependencies = [ [[package]] name = "errno" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b30f669a7961ef1631673d2766cc92f52d64f7ef354d4fe0ddfd30ed52f0f4f" +checksum = "136526188508e25c6fef639d7927dfb3e0e3084488bf202267829cf7fc23dbdd" dependencies = [ "errno-dragonfly", "libc", @@ -2307,23 +2303,13 @@ version = "0.6.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12cb882ccb290b8646e554b157ab0b71e64e8d5bef775cd66b6531e52d302669" -[[package]] -name = "hmac" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b" -dependencies = [ - "crypto-mac", - "digest 0.9.0", -] - [[package]] name = "hmac" version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" dependencies = [ - "digest 0.10.7", + "digest", ] [[package]] @@ -2693,17 +2679,6 @@ dependencies = [ "regex-automata 0.1.10", ] -[[package]] -name = "md-5" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b5a279bb9607f9f53c22d496eade00d138d1bdcccd07d74650387cf94942a15" -dependencies = [ - "block-buffer 0.9.0", - "digest 0.9.0", - "opaque-debug", -] - [[package]] name = "md5" version = "0.7.0" @@ -2712,9 +2687,9 @@ checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771" [[package]] name = "memchr" -version = "2.6.0" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76fc44e2588d5b436dbc3c6cf62aef290f90dab6235744a93dfe1cc18f451e2c" +checksum = "f478948fd84d9f8e86967bf432640e46adfb5a4bd4f14ef7e864ab38220534ae" [[package]] name = "memoffset" @@ -3212,7 +3187,7 @@ dependencies = [ "ecdsa", "elliptic-curve", "primeorder", - "sha2 0.10.7", + "sha2", ] [[package]] @@ -3224,7 +3199,7 @@ dependencies = [ "ecdsa", "elliptic-curve", "primeorder", - "sha2 0.10.7", + "sha2", ] [[package]] @@ -3273,10 +3248,10 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "83a0692ec44e4cf1ef28ca317f14f8f07da2d95ec3fa01f86e4467b725e60917" dependencies = [ - "digest 0.10.7", - "hmac 0.12.1", + "digest", + "hmac", "password-hash", - "sha2 0.10.7", + "sha2", ] [[package]] @@ -3285,7 +3260,7 @@ version = "0.12.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" dependencies = [ - "digest 0.10.7", + "digest", ] [[package]] @@ -3859,7 +3834,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" dependencies = [ - "hmac 0.12.1", + "hmac", "subtle", ] @@ -3895,7 +3870,7 @@ checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8" dependencies = [ "byteorder", "const-oid", - "digest 0.10.7", + "digest", "num-bigint-dig", "num-integer", "num-iter", @@ -3903,7 +3878,7 @@ dependencies = [ "pkcs1", "pkcs8", "rand_core 0.6.4", - "sha2 0.10.7", + "sha2", "signature", "spki", "subtle", @@ -3939,89 +3914,6 @@ dependencies = [ "unicode-ident", ] -[[package]] -name = "rusoto_core" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1db30db44ea73551326269adcf7a2169428a054f14faf9e1768f2163494f2fa2" -dependencies = [ - "async-trait", - "base64 0.13.1", - "bytes", - "crc32fast", - "futures", - "http", - "hyper", - "hyper-tls", - "lazy_static", - "log", - "rusoto_credential", - "rusoto_signature", - "rustc_version", - "serde", - "serde_json", - "tokio", - "xml-rs", -] - -[[package]] -name = "rusoto_credential" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee0a6c13db5aad6047b6a44ef023dbbc21a056b6dab5be3b79ce4283d5c02d05" -dependencies = [ - "async-trait", - "chrono", - "dirs-next", - "futures", - "hyper", - "serde", - "serde_json", - "shlex", - "tokio", - "zeroize", -] - -[[package]] -name = "rusoto_kms" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e1fc19cfcfd9f6b2f96e36d5b0dddda9004d2cbfc2d17543e3b9f10cc38fce8" -dependencies = [ - "async-trait", - "bytes", - "futures", - "rusoto_core", - "serde", - "serde_json", -] - -[[package]] -name = "rusoto_signature" -version = "0.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5ae95491c8b4847931e291b151127eccd6ff8ca13f33603eb3d0035ecb05272" -dependencies = [ - "base64 0.13.1", - "bytes", - "chrono", - "digest 0.9.0", - "futures", - "hex", - "hmac 0.11.0", - "http", - "hyper", - "log", - "md-5", - "percent-encoding", - "pin-project-lite", - "rusoto_credential", - "rustc_version", - "serde", - "sha2 0.9.9", - "tokio", -] - [[package]] name = "russh" version = "0.38.0" @@ -4036,12 +3928,12 @@ dependencies = [ "chacha20", "ctr", "curve25519-dalek", - "digest 0.10.7", + "digest", "flate2", "futures", "generic-array", "hex-literal", - "hmac 0.12.1", + "hmac", "log", "num-bigint 0.4.4", "once_cell", @@ -4050,7 +3942,7 @@ dependencies = [ "russh-cryptovec", "russh-keys", "sha1", - "sha2 0.10.7", + "sha2", "subtle", "thiserror", "tokio", @@ -4085,7 +3977,7 @@ dependencies = [ "dirs", "ed25519-dalek", "futures", - "hmac 0.12.1", + "hmac", "inout", "log", "md5", @@ -4096,7 +3988,7 @@ dependencies = [ "rand_core 0.6.4", "russh-cryptovec", "serde", - "sha2 0.10.7", + "sha2", "thiserror", "tokio", "tokio-stream", @@ -4120,9 +4012,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.9" +version = "0.38.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bfe0f2582b4931a45d1fa608f8a8722e8b3c7ac54dd6d5f3b3212791fedef49" +checksum = "ed6248e1caa625eb708e266e06159f135e8c26f2bb7ceb72dc4b2766d0340964" dependencies = [ "bitflags 2.4.0", "errno", @@ -4456,7 +4348,7 @@ checksum = "f5058ada175748e33390e40e872bd0fe59a19f265d0158daa551c5a88a76009c" dependencies = [ "cfg-if", "cpufeatures", - "digest 0.10.7", + "digest", ] [[package]] @@ -4467,7 +4359,7 @@ checksum = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3" dependencies = [ "cfg-if", "cpufeatures", - "digest 0.10.7", + "digest", ] [[package]] @@ -4476,19 +4368,6 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae1a47186c03a32177042e55dbc5fd5aee900b8e0069a8d70fba96a9375cd012" -[[package]] -name = "sha2" -version = "0.9.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800" -dependencies = [ - "block-buffer 0.9.0", - "cfg-if", - "cpufeatures", - "digest 0.9.0", - "opaque-debug", -] - [[package]] name = "sha2" version = "0.10.7" @@ -4497,7 +4376,7 @@ checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8" dependencies = [ "cfg-if", "cpufeatures", - "digest 0.10.7", + "digest", ] [[package]] @@ -4523,12 +4402,6 @@ dependencies = [ "yansi", ] -[[package]] -name = "shlex" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3" - [[package]] name = "shotover" version = "0.1.11" @@ -4537,6 +4410,8 @@ dependencies = [ "async-recursion", "async-trait", "atomic_enum", + "aws-config", + "aws-sdk-kms", "backtrace", "backtrace-ext", "base64 0.21.3", @@ -4568,14 +4443,11 @@ dependencies = [ "metrics-exporter-prometheus", "nonzero_ext", "num", - "openssl", "ordered-float", "pretty-hex", "rand 0.8.5", "rand_distr", "redis-protocol", - "rusoto_kms", - "rusoto_signature", "rustls", "rustls-pemfile", "serde", @@ -4661,7 +4533,7 @@ version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5e1788eed21689f9cf370582dfc467ef36ed9c707f073528ddafa8d83e3b8500" dependencies = [ - "digest 0.10.7", + "digest", "rand_core 0.6.4", ] @@ -4752,7 +4624,7 @@ checksum = "eb9242b9ef4108a78e8cd1a2c98e193ef372437f8c22be363075233321dd4a15" dependencies = [ "base64ct", "pem-rfc7468", - "sha2 0.10.7", + "sha2", ] [[package]] @@ -4767,7 +4639,7 @@ dependencies = [ "rand_core 0.6.4", "rsa", "sec1", - "sha2 0.10.7", + "sha2", "signature", "ssh-cipher", "ssh-encoding", @@ -4861,9 +4733,9 @@ dependencies = [ [[package]] name = "subtle" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" [[package]] name = "syn" @@ -5865,12 +5737,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "xml-rs" -version = "0.8.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47430998a7b5d499ccee752b41567bc3afc57e1327dc855b1a2aa44ce29b5fa1" - [[package]] name = "xmlparser" version = "0.13.5" diff --git a/shotover/Cargo.toml b/shotover/Cargo.toml index 62ba7d63f..9207aabbc 100644 --- a/shotover/Cargo.toml +++ b/shotover/Cargo.toml @@ -39,8 +39,6 @@ hex-literal.workspace = true async-trait.workspace = true typetag.workspace = true tokio-tungstenite = "0.20.0" -# We need to enable the openssl "vendor" feature for rusoto -openssl.workspace = true # Error handling thiserror = "1.0" @@ -75,8 +73,8 @@ crc16 = "0.4.0" ordered-float = { version = "3.0.0", features = ["serde"] } #Crypto -rusoto_kms = "0.48.0" -rusoto_signature = "0.48.0" +aws-config = "0.56.0" +aws-sdk-kms = "0.30" strum_macros = "0.25" chacha20poly1305 = { version = "0.10.0", features = ["std"] } generic-array = { version = "0.14", features = ["serde"] } diff --git a/shotover/src/transforms/protect/aws_kms.rs b/shotover/src/transforms/protect/aws_kms.rs index caaf5c36d..a9e4fe10e 100644 --- a/shotover/src/transforms/protect/aws_kms.rs +++ b/shotover/src/transforms/protect/aws_kms.rs @@ -1,9 +1,12 @@ use crate::transforms::protect::key_management::KeyMaterial; use anyhow::{anyhow, Result}; +use aws_sdk_kms::operation::decrypt::builders::DecryptFluentBuilder; +use aws_sdk_kms::operation::generate_data_key::builders::GenerateDataKeyFluentBuilder; +use aws_sdk_kms::primitives::Blob; +use aws_sdk_kms::Client as KmsClient; use bytes::Bytes; use chacha20poly1305::Key; use derivative::Derivative; -use rusoto_kms::{DecryptRequest, GenerateDataKeyRequest, Kms, KmsClient}; use std::collections::HashMap; #[derive(Clone, Derivative)] @@ -15,16 +18,16 @@ pub struct AWSKeyManagement { pub cmk_id: String, pub encryption_context: Option>, pub key_spec: Option, - pub number_of_bytes: Option, + pub number_of_bytes: Option, pub grant_tokens: Option>, } enum DecOrGen { - Gen(GenerateDataKeyRequest), - Dec(DecryptRequest), + Gen(GenerateDataKeyFluentBuilder), + Dec(DecryptFluentBuilder), } -// See https://docs.rs/rusoto_kms/0.44.0/rusoto_kms/trait.Kms.html#tymethod.generate_data_key +// See https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/operation/generate_data_key/builders/struct.GenerateDataKeyFluentBuilder.html impl AWSKeyManagement { pub async fn get_key( @@ -34,26 +37,30 @@ impl AWSKeyManagement { ) -> anyhow::Result { let dog = dek.map_or_else( || { - DecOrGen::Gen(GenerateDataKeyRequest { - encryption_context: self.encryption_context.clone(), - grant_tokens: self.grant_tokens.clone(), - key_id: self.cmk_id.clone(), - key_spec: self.key_spec.clone(), - number_of_bytes: self.number_of_bytes, - }) + DecOrGen::Gen( + self.client + .generate_data_key() + .set_encryption_context(self.encryption_context.clone()) + .set_grant_tokens(self.grant_tokens.clone()) + .key_id(self.cmk_id.clone()) + .set_key_spec(self.key_spec.as_ref().map(|x| x.as_str().into())) + .set_number_of_bytes(self.number_of_bytes), + ) }, |dek| { - DecOrGen::Dec(DecryptRequest { - ciphertext_blob: Bytes::from(dek), - // This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. - // The default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric CMKs. - encryption_algorithm: None, - encryption_context: self.encryption_context.clone(), - grant_tokens: self.grant_tokens.clone(), - // We use the cmk id provided by the protected value over the configured one as it may have been - // rotated out - key_id: kek_alt.or_else(|| Some(self.cmk_id.clone())), - }) + DecOrGen::Dec( + self.client + .decrypt() + .ciphertext_blob(Blob::new(dek)) + // This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. + // The default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric CMKs. + .set_encryption_algorithm(None) + .set_encryption_context(self.encryption_context.clone()) + .set_grant_tokens(self.grant_tokens.clone()) + // We use the cmk id provided by the protected value over the configured one as it may have been + // rotated out + .key_id(kek_alt.unwrap_or_else(|| self.cmk_id.clone())), + ) }, ); self.fetch_key(dog).await @@ -63,31 +70,39 @@ impl AWSKeyManagement { impl AWSKeyManagement { async fn fetch_key(&self, dog: DecOrGen) -> Result { match dog { - DecOrGen::Gen(g) => { - let resp = self.client.generate_data_key(g).await?; + DecOrGen::Gen(generate) => { + let resp = generate.send().await?; Ok(KeyMaterial { - ciphertext_blob: resp - .ciphertext_blob - .ok_or_else(|| anyhow!("no ciphertext DEK found"))?, + ciphertext_blob: Bytes::from( + resp.ciphertext_blob + .ok_or_else(|| anyhow!("no ciphertext DEK found"))? + .into_inner(), + ), key_id: resp.key_id.ok_or_else(|| anyhow!("no CMK id found"))?, plaintext: *Key::from_slice( - &resp - .plaintext - .ok_or_else(|| anyhow!("no plaintext DEK provided"))?, + resp.plaintext + .ok_or_else(|| anyhow!("no plaintext DEK provided"))? + .as_ref(), ), }) } - DecOrGen::Dec(d) => { - let resp = self.client.decrypt(d.clone()).await?; + DecOrGen::Dec(decrypt) => { + let ciphertext_blob = decrypt + .get_ciphertext_blob() + .clone() + .unwrap() + .into_inner() + .into(); + let resp = decrypt.send().await?; Ok(KeyMaterial { - ciphertext_blob: d.ciphertext_blob.clone(), - key_id: d + ciphertext_blob, + key_id: resp .key_id .ok_or_else(|| anyhow!("seemed to have lost cmk id on the way???"))?, plaintext: *Key::from_slice( - &resp - .plaintext - .ok_or_else(|| anyhow!("no plaintext DEK provided"))?, + resp.plaintext + .ok_or_else(|| anyhow!("no plaintext DEK provided"))? + .as_ref(), ), }) } diff --git a/shotover/src/transforms/protect/key_management.rs b/shotover/src/transforms/protect/key_management.rs index 9a4d63cc2..458930d47 100644 --- a/shotover/src/transforms/protect/key_management.rs +++ b/shotover/src/transforms/protect/key_management.rs @@ -1,15 +1,16 @@ use crate::transforms::protect::aws_kms::AWSKeyManagement; use crate::transforms::protect::local_kek::LocalKeyManagement; use anyhow::{anyhow, Result}; +use aws_config::meta::region::RegionProviderChain; +use aws_config::SdkConfig; +use aws_sdk_kms::config::Region; +use aws_sdk_kms::Client as KmsClient; use base64::{engine::general_purpose, Engine as _}; use bytes::Bytes; use cached::proc_macro::cached; use chacha20poly1305::Key; -use rusoto_kms::KmsClient; -use rusoto_signature::Region; use serde::Deserialize; use std::collections::HashMap; -use std::str::FromStr; #[derive(Clone, Debug)] pub enum KeyManager { @@ -25,7 +26,7 @@ pub enum KeyManagerConfig { cmk_id: String, encryption_context: Option>, key_spec: Option, - number_of_bytes: Option, + number_of_bytes: Option, grant_tokens: Option>, endpoint: Option, }, @@ -35,8 +36,22 @@ pub enum KeyManagerConfig { }, } +async fn config(region: String, endpoint: Option) -> SdkConfig { + let region_provider = RegionProviderChain::first_try(Region::new(region)); + match endpoint { + Some(endpoint) => { + aws_config::from_env() + .region(region_provider) + .endpoint_url(endpoint) + .load() + .await + } + None => aws_config::from_env().region(region_provider).load().await, + } +} + impl KeyManagerConfig { - pub fn build(&self) -> Result { + pub async fn build(&self) -> Result { match self.clone() { KeyManagerConfig::AWSKms { region, @@ -47,16 +62,10 @@ impl KeyManagerConfig { grant_tokens, endpoint, } => Ok(KeyManager::AWSKms(AWSKeyManagement { - client: { - let region_obj = match endpoint { - Some(x) => Region::Custom { - name: Region::from_str(®ion)?.name().to_string(), - endpoint: x, - }, - _ => Region::from_str(®ion)?, - }; - KmsClient::new(region_obj) - }, + // TODO: This client is being recreated for each connection. + // but doing so is quite expensive so we should share it between all connections + // fortunately doing so is quite easy since all methods are `&self` + client: KmsClient::new(&config(region, endpoint).await), cmk_id, encryption_context, key_spec, @@ -131,7 +140,7 @@ mod key_manager_tests { kek_id: "".into(), }; - let _ = config.build().unwrap(); + let _ = futures::executor::block_on(config.build()).unwrap(); } #[test] @@ -141,7 +150,7 @@ mod key_manager_tests { kek_id: "".into(), }; - let result = config.build().unwrap_err(); + let result = futures::executor::block_on(config.build()).unwrap_err(); assert_eq!(result.to_string(), "Invalid key length".to_string()); } @@ -152,7 +161,7 @@ mod key_manager_tests { kek_id: "".into(), }; - let result = config.build().unwrap_err(); + let result = futures::executor::block_on(config.build()).unwrap_err(); assert_eq!( result.to_string(), "Invalid byte 61, offset 43.".to_string() diff --git a/shotover/src/transforms/protect/mod.rs b/shotover/src/transforms/protect/mod.rs index e34ef6450..fa55a40c6 100644 --- a/shotover/src/transforms/protect/mod.rs +++ b/shotover/src/transforms/protect/mod.rs @@ -53,7 +53,7 @@ impl TransformConfig for ProtectConfig { ) }) .collect(), - key_source: self.key_manager.build()?, + key_source: self.key_manager.build().await?, key_id: "XXXXXXX".to_string(), })) }