From bf51722ffbfa5521b8c516b8751435f004aacacf Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Mon, 19 Jun 2017 20:00:39 +0200
Subject: [PATCH] ParseEncryptionConfiguration: simplify code.

Also improves function name in godoc and many error messages.
---
 hack/.golint_failures | 1 -
 .../pkg/server/options/encryptionconfig/config.go | 14 +++++++-------
 .../pkg/server/options/encryptionconfig/types.go | 10 ++++++----
 .../pkg/storage/value/encrypt/identity/identity.go | 6 +++---
 .../value/encrypt/secretbox/secretbox_test.go | 2 +-
 5 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/hack/.golint_failures b/hack/.golint_failures
index 74f1571a0be..71cdc9c5e01 100644
--- a/hack/.golint_failures
+++ b/hack/.golint_failures
@@ -670,7 +670,6 @@ staging/src/k8s.io/apiserver/pkg/server/healthz
 staging/src/k8s.io/apiserver/pkg/server/httplog
 staging/src/k8s.io/apiserver/pkg/server/openapi
 staging/src/k8s.io/apiserver/pkg/server/options
-staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig
 staging/src/k8s.io/apiserver/pkg/server/routes/data/swagger
 staging/src/k8s.io/apiserver/pkg/server/storage
 staging/src/k8s.io/apiserver/pkg/storage
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
index 3aad5a00978..6e11d617583 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@@ -68,12 +68,12 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
 		return nil, fmt.Errorf("error while parsing file: %v", err)
 	}
 
-	if config.Kind != "EncryptionConfig" && config.Kind != "" {
-		return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
-	}
 	if config.Kind == "" {
 		return nil, fmt.Errorf("invalid configuration file, missing Kind")
 	}
+	if config.Kind != "EncryptionConfig" {
+		return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
+	}
 
 	// TODO config.APIVersion is unchecked
 	resourceToPrefixTransformer := map[schema.GroupResource][]value.PrefixTransformer{}
@@ -100,7 +100,7 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
 	return result, nil
 }
 
-// GetPrefixTransformer constructs and returns the appropriate prefix transformers for the passed resource using its configuration
+// GetPrefixTransformers constructs and returns the appropriate prefix transformers for the passed resource using its configuration
 func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, error) {
 	var result []value.PrefixTransformer
 	for _, provider := range config.Providers {
@@ -150,13 +150,13 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
 		result = append(result, transformer)
 
 		if found == false {
-			return result, fmt.Errorf("invalid provider configuration provided")
+			return result, fmt.Errorf("invalid provider configuration: at least one provider must be specified")
 		}
 	}
 	return result, nil
 }
 
-// BlockTransformerFunc taske an AES cipher block and returns a value transformer.
+// BlockTransformerFunc takes an AES cipher block and returns a value transformer.
 type BlockTransformerFunc func(cipher.Block) value.Transformer
 
 // GetAESPrefixTransformer returns a prefix transformer from the provided configuration.
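Review bot: The tightened Kind check still leaves the line right below it, `// TODO config.APIVersion is unchecked`, as the only handling of the version field, so a file whose Kind matches but whose APIVersion is absent or unexpected is parsed with the current schema's semantics; now that an unknown Kind is rejected outright, an unknown APIVersion should be rejected the same way rather than silently accepted. The expected version string is not visible in this hunk, so the exact comparison has to come from wherever the type is registered; as a minimum, `if config.APIVersion == "" { return nil, fmt.Errorf("invalid configuration file, missing APIVersion") }` would mirror the missing-Kind check two lines above, and if existing files are deliberately allowed to omit it, the TODO should say so instead of leaving the question open. ParseEncryptionConfiguration begins and ends outside the hunk.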
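Review bot: The `if found == false` check in the third hunk (@@ -150) runs after `result = append(result, transformer)` on the line above it, so when no provider matched, a zero-value PrefixTransformer has already been appended and `result` is handed back together with the error; callers should discard the slice on error, but moving the check before the append (or returning `nil`) keeps a half-built transformer chain from ever leaving the function. The new message also reads as if the whole list were empty, whereas the check sits inside the per-provider loop (its header is in the @@ -100 hunk and `found` is set outside this hunk), so it describes one entry that named no supported provider. I would write `if !found {` and `return nil, fmt.Errorf("invalid provider configuration: provider entry does not specify a supported provider")`, placed before the append.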
@@ -233,7 +233,7 @@ func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransfo
 		}
 
 		if len(key) != 32 {
-			return result, fmt.Errorf("expected key size 32 for aes-cbc provider, got %v", len(key))
+			return result, fmt.Errorf("expected key size 32 for secretbox provider, got %v", len(key))
 		}
 
 		keyArray := [32]byte{}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
index 2e19261ec20..1a88392c78a 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
@@ -31,7 +31,7 @@ type ResourceConfig struct {
 	// resources is a list of kubernetes resources which have to be encrypted.
 	Resources []string `json:"resources"`
 	// providers is a list of transformers to be used for reading and writing the resources to disk.
-	// eg: aes, identity.
+	// eg: aesgcm, aescbc, secretbox, identity.
 	Providers []ProviderConfig `json:"providers"`
 }
 
@@ -50,20 +50,22 @@ type ProviderConfig struct {
 // AESConfig contains the API configuration for an AES transformer.
 type AESConfig struct {
 	// keys is a list of keys to be used for creating the AES transformer.
+	// Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
 	Keys []Key `json:"keys"`
 }
 
-// SECRETBOXConfig contains the API configuration for an Secretbox transformer.
+// SecretboxConfig contains the API configuration for an Secretbox transformer.
 type SecretboxConfig struct {
 	// keys is a list of keys to be used for creating the Secretbox transformer.
+	// Each key has to be 32 bytes long.
 	Keys []Key `json:"keys"`
 }
 
-// Key contains name and secret of the provided key for AES transformer.
+// Key contains name and secret of the provided key for a transformer.
 type Key struct {
 	// name is the name of the key to be used while storing data to disk.
 	Name string `json:"name"`
-	// secret is the actual AES key, encoded in base64. It has to be 16, 24 or 32 bytes long.
+	// secret is the actual key, encoded in base64.
 	Secret string `json:"secret"`
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity/identity.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity/identity.go
index 0f7f1a70393..e322bd9b17c 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity/identity.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity/identity.go
@@ -23,7 +23,7 @@ import (
 	"k8s.io/apiserver/pkg/storage/value"
 )
 
-// encryptIdentityTransformer performs no transformation on provided data, but validates
+// identityTransformer performs no transformation on provided data, but validates
 // that the data is not encrypted data during TransformFromStorage
 type identityTransformer struct{}
 
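Review bot: The rewritten `// secret is the actual key, encoded in base64.` comment on Key.Secret drops the old length guidance but still says nothing about what the encoding means for the file that holds it; base64 is only an encoding, so the configuration file carries the raw key material in clear text and has to be protected accordingly, which is worth stating where the field is declared. I would extend it to `// secret is the actual key, encoded in base64. The encoding is not a protection: anyone who can read this file can recover the key, so restrict access to it.` The new `// Each key has to be 32 bytes long.` line on SecretboxConfig matches the `len(key) != 32` check in the secretbox hunk of config.go; the AES-CBC and AES-GCM lengths on AESConfig are not verifiable from this page and, since they describe validation done elsewhere, keeping the two files in sync is now a maintenance point.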
@@ -35,7 +35,7 @@ func NewEncryptCheckTransformer() value.Transformer {
 
 // TransformFromStorage returns the input bytes if the data is not encrypted
 func (identityTransformer) TransformFromStorage(b []byte, context value.Context) ([]byte, bool, error) {
-	// EncryptIdentityTransformer has to return an error if the data is encoded using another transformer.
+	// identityTransformer has to return an error if the data is encoded using another transformer.
 	// JSON data starts with '{'. Protobuf data has a prefix 'k8s[\x00-\xFF]'.
 	// Prefix 'k8s:enc:' is reserved for encrypted data on disk.
 	if bytes.HasPrefix(b, []byte("k8s:enc:")) {
@@ -44,7 +44,7 @@ func (identityTransformer) TransformFromStorage(b []byte, context value.Context)
 	return b, false, nil
 }
 
-// TransformToStorage implements the Transformer interface for encryptIdentityTransformer
+// TransformToStorage implements the Transformer interface for identityTransformer
 func (identityTransformer) TransformToStorage(b []byte, context value.Context) ([]byte, error) {
 	return b, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go
index 80807574a54..9e9ae2f5aa2 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go
@@ -145,7 +145,7 @@ func TestRoundTrip(t *testing.T) {
 		context value.Context
 		t value.Transformer
 	}{
-		{name: "GCM 16 byte key", t: NewSecretboxTransformer(key1)},
+		{name: "Secretbox 32 byte key", t: NewSecretboxTransformer(key1)},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {