mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-10 20:42:26 +00:00
Only support unix socket for kms gRPC, also add Version method
This commit is contained in:
Wu Qiang
parent
16b04d68b1
commit
a6368bb04c
@ -605,7 +605,6 @@ staging/src/k8s.io/apiserver/pkg/storage/storagebackend
|
||||
staging/src/k8s.io/apiserver/pkg/storage/testing
|
||||
staging/src/k8s.io/apiserver/pkg/storage/tests
|
||||
staging/src/k8s.io/apiserver/pkg/storage/value
|
||||
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1
|
||||
staging/src/k8s.io/apiserver/pkg/util/feature
|
||||
staging/src/k8s.io/apiserver/pkg/util/flag
|
||||
staging/src/k8s.io/apiserver/pkg/util/proxy
|
||||
|
||||
@ -152,8 +152,7 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
|
||||
}
|
||||
|
||||
var envelopeService envelope.Service
|
||||
remoteConfig := provider.KMS.RemoteServer
|
||||
if remoteConfig == nil {
|
||||
if len(provider.KMS.ConfigFile) > 0 {
|
||||
// There should be no KMS provider plugins on API server side in future.
|
||||
f, err := os.Open(provider.KMS.ConfigFile)
|
||||
if err != nil {
|
||||
@ -169,13 +168,8 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
|
||||
return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
|
||||
}
|
||||
} else {
|
||||
// Get gRPC client service with remote config
|
||||
envelopeService, err = envelope.NewGRPCService(
|
||||
remoteConfig.Endpoint,
|
||||
remoteConfig.ServerCACert,
|
||||
remoteConfig.ClientCert,
|
||||
remoteConfig.ClientKey,
|
||||
)
|
||||
// Get gRPC client service with endpoint.
|
||||
envelopeService, err = envelope.NewGRPCService(provider.KMS.Endpoint)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not configure KMS plugin %q, error: %v", provider.KMS.Name, err)
|
||||
}
|
||||
|
||||
@ -83,22 +83,6 @@ type KMSConfig struct {
|
||||
CacheSize int `json:"cachesize,omitempty"`
|
||||
// configfile is the path to the configuration file for the named KMS provider.
|
||||
ConfigFile string `json:"configfile"`
|
||||
// remoteServer is the configuration for connection gRPC server.
|
||||
RemoteServer *RemoteServerConfig `json:"remoteServer"`
|
||||
}
|
||||
|
||||
// RemoteServerConfig contains the connection informations that connect remote
|
||||
// gRPC server for envelope transformer.
|
||||
type RemoteServerConfig struct {
|
||||
// gRPC server listen address, for example tcp://localhost:3735,
|
||||
// unix:///var/run/kmsprovider.sock
|
||||
// the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
|
||||
Endpoint string `json:"endpoint"`
|
||||
|
||||
// CACert is the path to a PEM-encoded CA cert file to use to verify the
|
||||
// gRPC server SSL certificate.
|
||||
ServerCACert string `json:"serverCACert"`
|
||||
|
||||
// TLS certificate authentication information
|
||||
ClientCert string `json:"clientCert"`
|
||||
ClientKey string `json:"clientKey"`
|
||||
}
|
||||
|
||||
@ -14,10 +14,10 @@ go_library(
|
||||
],
|
||||
importpath = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope",
|
||||
deps = [
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/github.com/hashicorp/golang-lru:go_default_library",
|
||||
"//vendor/golang.org/x/net/context:go_default_library",
|
||||
"//vendor/google.golang.org/grpc:go_default_library",
|
||||
"//vendor/google.golang.org/grpc/credentials:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
|
||||
],
|
||||
@ -27,21 +27,16 @@ go_test(
|
||||
name = "go_default_test",
|
||||
srcs = [
|
||||
"envelope_test.go",
|
||||
"grpc_service_test.go",
|
||||
"grpc_service_unix_test.go",
|
||||
],
|
||||
data = glob(["testdata/**"]),
|
||||
embed = [":go_default_library"],
|
||||
importpath = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope",
|
||||
deps = [
|
||||
"//vendor/golang.org/x/net/context:go_default_library",
|
||||
"//vendor/golang.org/x/sys/unix:go_default_library",
|
||||
"//vendor/google.golang.org/grpc:go_default_library",
|
||||
"//vendor/google.golang.org/grpc/credentials:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/util/cert:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@ -18,16 +18,14 @@ limitations under the License.
|
||||
package envelope
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
|
||||
@ -35,14 +33,14 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// Supportied protocol schema for gRPC.
|
||||
tcpProtocol = "tcp"
|
||||
// Now only supportied unix domain socket.
|
||||
unixProtocol = "unix"
|
||||
|
||||
// Current version for the protocal interface definition.
|
||||
version = "v1beta1"
|
||||
kmsapiVersion = "v1beta1"
|
||||
)
|
||||
|
||||
// The gRPC implementation for envelope.Service.
|
||||
type gRPCService struct {
|
||||
// gRPC client instance
|
||||
kmsClient kmsapi.KMSServiceClient
|
||||
@ -50,7 +48,9 @@ type gRPCService struct {
|
||||
}
|
||||
|
||||
// NewGRPCService returns an envelope.Service which use gRPC to communicate the remote KMS provider.
|
||||
func NewGRPCService(endpoint, serverCert, clientCert, clientKey string) (Service, error) {
|
||||
func NewGRPCService(endpoint string) (Service, error) {
|
||||
glog.Infof("Configure KMS provider with endpoint: %s", endpoint)
|
||||
|
||||
protocol, addr, err := parseEndpoint(endpoint)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -60,18 +60,20 @@ func NewGRPCService(endpoint, serverCert, clientCert, clientKey string) (Service
|
||||
return net.DialTimeout(protocol, addr, timeout)
|
||||
}
|
||||
|
||||
// With or without TLS/SSL support
|
||||
tlsOption, err := getTLSDialOption(serverCert, clientCert, clientKey)
|
||||
connection, err := grpc.Dial(addr, grpc.WithInsecure(), grpc.WithDialer(dialer))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("connect remote KMS provider %q failed, error: %v", addr, err)
|
||||
}
|
||||
|
||||
conn, err := grpc.Dial(addr, tlsOption, grpc.WithDialer(dialer))
|
||||
kmsClient := kmsapi.NewKMSServiceClient(connection)
|
||||
|
||||
err = checkAPIVersion(kmsClient)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("connect remote image service %s failed, error: %v", addr, err)
|
||||
connection.Close()
|
||||
return nil, fmt.Errorf("failed check version for %q, error: %v", addr, err)
|
||||
}
|
||||
|
||||
return &gRPCService{kmsClient: kmsapi.NewKMSServiceClient(conn), connection: conn}, nil
|
||||
return &gRPCService{kmsClient: kmsClient, connection: connection}, nil
|
||||
}
|
||||
|
||||
// Parse the endpoint to extract schema, host or path.
|
||||
@ -82,63 +84,35 @@ func parseEndpoint(endpoint string) (string, string, error) {
|
||||
|
||||
u, err := url.Parse(endpoint)
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("invalid kms provider endpoint %q, error: %v", endpoint, err)
|
||||
return "", "", fmt.Errorf("invalid endpoint %q for remote KMS provider, error: %v", endpoint, err)
|
||||
}
|
||||
|
||||
switch u.Scheme {
|
||||
case tcpProtocol:
|
||||
return tcpProtocol, u.Host, nil
|
||||
case unixProtocol:
|
||||
return unixProtocol, u.Path, nil
|
||||
default:
|
||||
return "", "", fmt.Errorf("invalid endpoint %q for remote KMS provider", endpoint)
|
||||
if u.Scheme != unixProtocol {
|
||||
return "", "", fmt.Errorf("unsupported scheme %q for remote KMS provider", u.Scheme)
|
||||
}
|
||||
return unixProtocol, u.Path, nil
|
||||
}
|
||||
|
||||
// Build the TLS/SSL options for gRPC client.
|
||||
func getTLSDialOption(serverCert, clientCert, clientKey string) (grpc.DialOption, error) {
|
||||
// No TLS/SSL support.
|
||||
if len(serverCert) == 0 && len(clientCert) == 0 && len(clientKey) == 0 {
|
||||
return grpc.WithInsecure(), nil
|
||||
// Check the KMS provider API version.
|
||||
// Only matching kubeRuntimeAPIVersion is supported now.
|
||||
func checkAPIVersion(kmsClient kmsapi.KMSServiceClient) error {
|
||||
request := &kmsapi.VersionRequest{Version: kmsapiVersion}
|
||||
response, err := kmsClient.Version(context.Background(), request)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed get version from remote KMS provider: %v", err)
|
||||
}
|
||||
if response.Version != kmsapiVersion {
|
||||
return fmt.Errorf("KMS provider api version %s is not supported, only %s is supported now",
|
||||
response.Version, kmsapiVersion)
|
||||
}
|
||||
|
||||
// Set the CA that verify the certificate from the gRPC server.
|
||||
certPool := x509.NewCertPool()
|
||||
if len(serverCert) > 0 {
|
||||
ca, err := ioutil.ReadFile(serverCert)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("kms provider invalid server cert, error: %v", err)
|
||||
}
|
||||
if !certPool.AppendCertsFromPEM(ca) {
|
||||
return nil, fmt.Errorf("can't append server cert for kms provider")
|
||||
}
|
||||
}
|
||||
|
||||
// Set client authenticate certificate.
|
||||
certificates := make([]tls.Certificate, 0, 1)
|
||||
if len(clientCert) != 0 || len(clientKey) != 0 {
|
||||
if len(clientCert) == 0 || len(clientKey) == 0 {
|
||||
return nil, fmt.Errorf("both client cert and key must be provided for kms provider")
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("kms provider invalid client cert or key, error: %v", err)
|
||||
}
|
||||
certificates = append(certificates, cert)
|
||||
}
|
||||
|
||||
tlsConfig := tls.Config{
|
||||
Certificates: certificates,
|
||||
RootCAs: certPool,
|
||||
}
|
||||
transportCreds := credentials.NewTLS(&tlsConfig)
|
||||
return grpc.WithTransportCredentials(transportCreds), nil
|
||||
glog.Infof("KMS provider %s initialized, version: %s", response.RuntimeName, response.RuntimeVersion)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Decrypt a given data string to obtain the original byte data.
|
||||
func (g *gRPCService) Decrypt(cipher string) ([]byte, error) {
|
||||
request := &kmsapi.DecryptRequest{Cipher: []byte(cipher), Version: version}
|
||||
func (g *gRPCService) Decrypt(cipher []byte) ([]byte, error) {
|
||||
request := &kmsapi.DecryptRequest{Cipher: cipher, Version: kmsapiVersion}
|
||||
response, err := g.kmsClient.Decrypt(context.Background(), request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -147,11 +121,11 @@ func (g *gRPCService) Decrypt(cipher string) ([]byte, error) {
|
||||
}
|
||||
|
||||
// Encrypt bytes to a string ciphertext.
|
||||
func (g *gRPCService) Encrypt(plain []byte) (string, error) {
|
||||
request := &kmsapi.EncryptRequest{Plain: plain, Version: version}
|
||||
func (g *gRPCService) Encrypt(plain []byte) ([]byte, error) {
|
||||
request := &kmsapi.EncryptRequest{Plain: plain, Version: kmsapiVersion}
|
||||
response, err := g.kmsClient.Encrypt(context.Background(), request)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
return string(response.Cipher), nil
|
||||
return response.Cipher, nil
|
||||
}
|
||||
|
||||
@ -1,219 +0,0 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Package envelope transforms values for storage at rest using a Envelope provider
|
||||
package envelope
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
kmsapi "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1"
|
||||
"k8s.io/client-go/util/cert"
|
||||
)
|
||||
|
||||
const (
|
||||
// Port 0 to select any available port
|
||||
listenerAddr = "127.0.0.1:0"
|
||||
|
||||
cafile = "testdata/ca.crt"
|
||||
serverCert = "testdata/server.crt"
|
||||
serverKey = "testdata/server.key"
|
||||
clientCert = "testdata/client.crt"
|
||||
clientKey = "testdata/client.key"
|
||||
)
|
||||
|
||||
func TestTCPEndpoint(t *testing.T) {
|
||||
// Start the gRPC server that listens on tcp socket.
|
||||
listener, err := tcpListner()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
server := startTestKMSProvider(listener)
|
||||
defer server.Stop()
|
||||
|
||||
endpoint := tcpProtocol + "://" + listener.Addr().String()
|
||||
verifyService(t, endpoint, "", "", "")
|
||||
}
|
||||
|
||||
func TestTLSEndpoint(t *testing.T) {
|
||||
// Start the gRPC server that listens on tcp socket.
|
||||
listener, err := tcpListner()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
tlsOption, err := tlsServerOption()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
server := startTestKMSProvider(listener, tlsOption)
|
||||
defer server.Stop()
|
||||
|
||||
// There are 2 TLS case: no auth and client auth.
|
||||
endpoint := tcpProtocol + "://" + listener.Addr().String()
|
||||
certConfigs := []struct {
|
||||
name string
|
||||
serverCACert string
|
||||
clientCert string
|
||||
clientKey string
|
||||
}{
|
||||
{"noAuth", cafile, "", ""},
|
||||
{"clientAuth", cafile, clientCert, clientKey},
|
||||
}
|
||||
for _, testCase := range certConfigs {
|
||||
t.Run(testCase.name, func(t *testing.T) {
|
||||
verifyService(t, endpoint, testCase.serverCACert, testCase.clientCert, testCase.clientKey)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestInvalidConfiguration(t *testing.T) {
|
||||
// Start the gRPC server that listens on tcp socket.
|
||||
listener, err := tcpListner()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
tlsOption, err := tlsServerOption()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
server := startTestKMSProvider(listener, tlsOption)
|
||||
defer server.Stop()
|
||||
endpoint := tcpProtocol + "://" + listener.Addr().String()
|
||||
|
||||
invalidConfigs := []struct {
|
||||
name string
|
||||
endpoint string
|
||||
serverCACert string
|
||||
clientCert string
|
||||
clientKey string
|
||||
}{
|
||||
{"emptyConfiguration", "", "", "", ""},
|
||||
{"invalidEndpoint", "http://localhost:80", "", "", ""},
|
||||
{"invalidServerCACert", endpoint, "non-exits.pem", "", ""},
|
||||
{"missClientKey", endpoint, cafile, clientCert, ""},
|
||||
{"invalidClientCert", endpoint, cafile, "non-exists.pem", clientKey},
|
||||
}
|
||||
|
||||
for _, testCase := range invalidConfigs {
|
||||
t.Run(testCase.name, func(t *testing.T) {
|
||||
_, err := NewGRPCService(
|
||||
testCase.endpoint,
|
||||
testCase.serverCACert,
|
||||
testCase.clientCert,
|
||||
testCase.clientKey,
|
||||
)
|
||||
if err == nil {
|
||||
t.Fatalf("should fail to create envelope service for %s.", testCase.name)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func verifyService(t *testing.T, endpoint, serverCACert, clientCert, clientKey string) {
|
||||
service, err := NewGRPCService(endpoint, serverCACert, clientCert, clientKey)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create envelope service, error: %v", err)
|
||||
}
|
||||
defer destroyService(service)
|
||||
|
||||
data := []byte("test data")
|
||||
cipher, err := service.Encrypt(data)
|
||||
if err != nil {
|
||||
t.Fatalf("failed when execute encrypt, error: %v", err)
|
||||
}
|
||||
|
||||
result, err := service.Decrypt(cipher)
|
||||
if err != nil {
|
||||
t.Fatalf("failed when execute decrypt, error: %v", err)
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(data, result) {
|
||||
t.Errorf("expect: %v, but: %v", data, result)
|
||||
}
|
||||
}
|
||||
|
||||
func destroyService(service Service) {
|
||||
gs := service.(*gRPCService)
|
||||
gs.connection.Close()
|
||||
}
|
||||
|
||||
func tcpListner() (net.Listener, error) {
|
||||
listener, err := net.Listen(tcpProtocol, listenerAddr)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to listen on the tcp address, error: %v", err)
|
||||
}
|
||||
|
||||
return listener, nil
|
||||
}
|
||||
|
||||
func startTestKMSProvider(listener net.Listener, options ...grpc.ServerOption) *grpc.Server {
|
||||
server := grpc.NewServer(options...)
|
||||
kmsapi.RegisterKMSServiceServer(server, &base64Server{})
|
||||
go server.Serve(listener)
|
||||
return server
|
||||
}
|
||||
|
||||
func tlsServerOption() (grpc.ServerOption, error) {
|
||||
certificate, err := tls.LoadX509KeyPair(serverCert, serverKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("bad server cert or key, error: %v", err)
|
||||
}
|
||||
|
||||
certPool, err := cert.NewPool(cafile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("bad ca file, error: %v", err)
|
||||
}
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
ClientAuth: tls.VerifyClientCertIfGiven,
|
||||
Certificates: []tls.Certificate{certificate},
|
||||
ClientCAs: certPool,
|
||||
}
|
||||
return grpc.Creds(credentials.NewTLS(tlsConfig)), nil
|
||||
}
|
||||
|
||||
// Fake gRPC sever for remote KMS provider.
|
||||
type base64Server struct{}
|
||||
|
||||
func (b *base64Server) Decrypt(ctx context.Context, request *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) {
|
||||
buf := make([]byte, base64.StdEncoding.DecodedLen(len(request.Cipher)))
|
||||
n, err := base64.StdEncoding.Decode(buf, request.Cipher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &kmsapi.DecryptResponse{Plain: buf[:n]}, nil
|
||||
}
|
||||
|
||||
func (b *base64Server) Encrypt(ctx context.Context, request *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) {
|
||||
buf := make([]byte, base64.StdEncoding.EncodedLen(len(request.Plain)))
|
||||
base64.StdEncoding.Encode(buf, request.Plain)
|
||||
return &kmsapi.EncryptResponse{Cipher: buf}, nil
|
||||
}
|
||||
@ -20,38 +20,100 @@ limitations under the License.
|
||||
package envelope
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
|
||||
kmsapi "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1"
|
||||
)
|
||||
|
||||
const (
|
||||
sockFile = "/tmp/kms-provider.sock"
|
||||
)
|
||||
|
||||
func TestUnixSockEndpoint(t *testing.T) {
|
||||
// Start the gRPC server that listens on unix socket.
|
||||
listener, err := unixSockListner()
|
||||
// Normal encryption and decryption operation.
|
||||
func TestGRPCService(t *testing.T) {
|
||||
// Start a test gRPC server.
|
||||
server, err := startTestKMSProvider()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
t.Fatalf("failed to start test KMS provider server, error: %v", err)
|
||||
}
|
||||
defer stopTestKMSProvider(server)
|
||||
|
||||
// Create the gRPC client service.
|
||||
endpoint := unixProtocol + "://" + sockFile
|
||||
service, err := NewGRPCService(endpoint)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create envelope service, error: %v", err)
|
||||
}
|
||||
defer destroyService(service)
|
||||
|
||||
// Call service to encrypt data.
|
||||
data := []byte("test data")
|
||||
cipher, err := service.Encrypt(data)
|
||||
if err != nil {
|
||||
t.Fatalf("failed when execute encrypt, error: %v", err)
|
||||
}
|
||||
|
||||
server := startTestKMSProvider(listener)
|
||||
defer func() {
|
||||
server.Stop()
|
||||
if err := cleanSockFile(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}()
|
||||
// Call service to decrypt data.
|
||||
result, err := service.Decrypt(cipher)
|
||||
if err != nil {
|
||||
t.Fatalf("failed when execute decrypt, error: %v", err)
|
||||
}
|
||||
|
||||
endpoint := unixProtocol + "://" + sockFile
|
||||
verifyService(t, endpoint, "", "", "")
|
||||
if !reflect.DeepEqual(data, result) {
|
||||
t.Errorf("expect: %v, but: %v", data, result)
|
||||
}
|
||||
}
|
||||
|
||||
func unixSockListner() (net.Listener, error) {
|
||||
func destroyService(service Service) {
|
||||
s := service.(*gRPCService)
|
||||
s.connection.Close()
|
||||
}
|
||||
|
||||
// Test all those invalid configuration for KMS provider.
|
||||
func TestInvalidConfiguration(t *testing.T) {
|
||||
// Start a test gRPC server.
|
||||
server, err := startTestKMSProvider()
|
||||
if err != nil {
|
||||
t.Fatalf("failed to start test KMS provider server, error: %v", err)
|
||||
}
|
||||
defer stopTestKMSProvider(server)
|
||||
|
||||
invalidConfigs := []struct {
|
||||
name string
|
||||
apiVersion string
|
||||
endpoint string
|
||||
}{
|
||||
{"emptyConfiguration", kmsapiVersion, ""},
|
||||
{"invalidScheme", kmsapiVersion, "tcp://localhost:6060"},
|
||||
{"unavailableEndpoint", kmsapiVersion, unixProtocol + "://" + sockFile + ".nonexist"},
|
||||
{"invalidAPIVersion", "invalidVersion", unixProtocol + "://" + sockFile},
|
||||
}
|
||||
|
||||
for _, testCase := range invalidConfigs {
|
||||
t.Run(testCase.name, func(t *testing.T) {
|
||||
setAPIVersion(testCase.apiVersion)
|
||||
defer setAPIVersion(kmsapiVersion)
|
||||
|
||||
_, err := NewGRPCService(testCase.endpoint)
|
||||
if err == nil {
|
||||
t.Fatalf("should fail to create envelope service for %s.", testCase.name)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// Start the gRPC server that listens on unix socket.
|
||||
func startTestKMSProvider() (*grpc.Server, error) {
|
||||
if err := cleanSockFile(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -61,7 +123,15 @@ func unixSockListner() (net.Listener, error) {
|
||||
return nil, fmt.Errorf("failed to listen on the unix socket, error: %v", err)
|
||||
}
|
||||
|
||||
return listener, nil
|
||||
server := grpc.NewServer()
|
||||
kmsapi.RegisterKMSServiceServer(server, &base64Server{})
|
||||
go server.Serve(listener)
|
||||
return server, nil
|
||||
}
|
||||
|
||||
func stopTestKMSProvider(server *grpc.Server) {
|
||||
server.Stop()
|
||||
cleanSockFile()
|
||||
}
|
||||
|
||||
func cleanSockFile() error {
|
||||
@ -71,3 +141,33 @@ func cleanSockFile() error {
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Fake gRPC sever for remote KMS provider.
|
||||
// Use base64 to simulate encrypt and decrypt.
|
||||
type base64Server struct{}
|
||||
|
||||
var testProviderAPIVersion = kmsapiVersion
|
||||
|
||||
func setAPIVersion(apiVersion string) {
|
||||
testProviderAPIVersion = apiVersion
|
||||
}
|
||||
|
||||
func (s *base64Server) Version(ctx context.Context, request *kmsapi.VersionRequest) (*kmsapi.VersionResponse, error) {
|
||||
return &kmsapi.VersionResponse{Version: testProviderAPIVersion, RuntimeName: "testKMS", RuntimeVersion: "0.0.1"}, nil
|
||||
}
|
||||
|
||||
func (s *base64Server) Decrypt(ctx context.Context, request *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) {
|
||||
buf := make([]byte, base64.StdEncoding.DecodedLen(len(request.Cipher)))
|
||||
n, err := base64.StdEncoding.Decode(buf, request.Cipher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &kmsapi.DecryptResponse{Plain: buf[:n]}, nil
|
||||
}
|
||||
|
||||
func (s *base64Server) Encrypt(ctx context.Context, request *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) {
|
||||
buf := make([]byte, base64.StdEncoding.EncodedLen(len(request.Plain)))
|
||||
base64.StdEncoding.Encode(buf, request.Plain)
|
||||
return &kmsapi.EncryptResponse{Cipher: buf}, nil
|
||||
}
|
||||
|
||||
@ -1,22 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDujCCAqKgAwIBAgIUASbBmHT/Y+wdxggFudEoKKgLXsYwDQYJKoZIhvcNAQEL
|
||||
BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV
|
||||
BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV
|
||||
bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTMzMDBaFw0yMjA3
|
||||
MTYwNTMzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv
|
||||
MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL
|
||||
EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB
|
||||
AQUAA4IBDwAwggEKAoIBAQC4c79AZIRgUjiE4ekjISLYw0nAH7c9FJf6+U22xwLe
|
||||
X4Yc3uy94Md1lNhYyvNdba6qLLBKqThYCZYsXK2ZPRnmScYHS/edTmzhZ79tSXUA
|
||||
+R0YJZK00taWyRCZm2tCgXWdWNebrDBwGL+b2P1bButw81CQVYzPQnZiTnnAOUMt
|
||||
6qbMxGDXRhNydKGx43QtBuRWHS6wjJEjI50dGK8RBWDupBQrEQzaFt9gU3grTPlh
|
||||
RWvClrM7LU3A1Ymz3Eq6l4tQhcUXSS3JJVhOLrvh4wujJv/tmIzYylrp7gbUvEYn
|
||||
PW46UZHKrUM8tNthgTnvcychk73+ZZMoWIj5hsne0mTrAgMBAAGjQjBAMA4GA1Ud
|
||||
DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBShLj7pyAcfeLfB
|
||||
l6vyHo5uvY5WnjANBgkqhkiG9w0BAQsFAAOCAQEAUK7jmNOHmTs58f9fIj6hGppt
|
||||
Lz/l5+C6KA+1P03cdo+KgQb6MnzvKmhGFHD4QM0envHilHBRNO7VWgA7PuO2JtY1
|
||||
NwWQfLoyWcft3OXLmJdWcUI9Che/UWFSxCmxC3U+Cb4+4bNq3j+ygt1T6/I9aTTo
|
||||
/ymS8H+dXF4n69psY591PA8QeUbaQwc5SEWtIont/XWoq+NwXsrNYglPFzGiaoO6
|
||||
gF52I3Z0o0fCHtnOIhBDwrOr7oPJy/SEo49WdnxtG5FcN7qNBvFET7/gOI8TxJMr
|
||||
gTW3G6jSTjBA8sEIhD4k4LOXxWGWwemP6I/LI849/uKd+DoqKjr5Y/BQvcLy+g==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,19 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDCzCCAfOgAwIBAgIUHqXu3n2P44f2JjHIKPV0m41URRowDQYJKoZIhvcNAQEL
|
||||
BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV
|
||||
BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV
|
||||
bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTQ1MDBaFw0yMjA3
|
||||
MTYwNTQ1MDBaMEYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN
|
||||
U2FuIEZyYW5jaXNjbzESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
|
||||
KoZIzj0DAQcDQgAE1na/uyZ4Za0+8letub+cQyqoz40NdouSbxcmb/EEv/rtPMmz
|
||||
A3u+F8LeXt4SI2+ndQbL0DvpFAOBjJejb3jlfKOBjDCBiTAOBgNVHQ8BAf8EBAMC
|
||||
BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
|
||||
856v+uMt0F4cgO0dk2k6HpaEa+IwHwYDVR0jBBgwFoAUoS4+6cgHH3i3wZer8h6O
|
||||
br2OVp4wFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBt
|
||||
5uNxxxhWFCGlGBrVr2J2KA2IJ3thoMSn6lV9/qU2KMBBYneHHE0FG/ubrP9urQhI
|
||||
KGPwXsfOdS3iuABOBziiuge9iQisHVWQuNEOtbINbdau2ZLsB2BKKAPit1xG+8gn
|
||||
7leSvyurcpXPc6QuPHCP5hI081y3w+1H4IUDF0qXoi0jYC/BDwl+lk8yHGFQReu2
|
||||
33QdhjXr9Wd20XBO8TJ3oQcAezYvb9bJFDgOkUEhSmMVf86YX0QkuphDvuuU3hQC
|
||||
S4vVpIzM7xoH3xkvXgOMeReLV1df3J3iHyADhUWiS1RNskymGhFmUumlNUPimhUc
|
||||
E0wqi62pL+kxg1zjXdXY
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEINjBFDLQH8NJxn/DBF1lOm92fbx2QGkpfWwwADcPE5p7oAoGCCqGSM49
|
||||
AwEHoUQDQgAE1na/uyZ4Za0+8letub+cQyqoz40NdouSbxcmb/EEv/rtPMmzA3u+
|
||||
F8LeXt4SI2+ndQbL0DvpFAOBjJejb3jlfA==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -1,19 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDETCCAfmgAwIBAgIUU5D4PeHC+zpmc/jwwa2c/6aHPbowDQYJKoZIhvcNAQEL
|
||||
BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV
|
||||
BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV
|
||||
bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTM3MDBaFw0yMjA3
|
||||
MTYwNTM3MDBaMEYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN
|
||||
U2FuIEZyYW5jaXNjbzESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
|
||||
KoZIzj0DAQcDQgAEd2CnjPbDOHsbR6CcMhzktDsBrRZAaLjpC/9IHtPH+ivDrey8
|
||||
jJzZnD+9aLp5E/QG5Rf1tzKDH+oRatQ43mViHKOBkjCBjzAOBgNVHQ8BAf8EBAMC
|
||||
BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
|
||||
rkKlAy9PqK+TrUqApq4BVBSQgNQwHwYDVR0jBBgwFoAUoS4+6cgHH3i3wZer8h6O
|
||||
br2OVp4wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQCikDXkrB4dw8zBrkIA6plgdcgVm1zJbRDhjAVHxHlh/ISPP7Zu9faLmlEN
|
||||
GC0KK1AmQQciCyoI84VoBQ5WMtyMfbEn0klJ4OOtGwMZtZfgWSD0LX9APIZEU9WH
|
||||
nvjLLCHkxbq/cf01pAYIlyBhI5vl7/m8b1xVYarKcb2/Homr8guTzRSyJb0Gmeoo
|
||||
vdiGIhHhvP186OGzOOQVlorZ/WWJTlhXviGJ0QWARthUi+wEHRhJ+STH2VtOrKhb
|
||||
4tvG0/G9mYK1LOIbZesHtF9C35XThkh/W/rKRWe6/J8pOYh/vFB/aQL73HPvIcpD
|
||||
tcmR7635hb+42P7raby70UC7nLWf
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIN18H0TgTgqfYWVn2BtQym4mUfICD4XcuWE+nhn+fxSeoAoGCCqGSM49
|
||||
AwEHoUQDQgAEd2CnjPbDOHsbR6CcMhzktDsBrRZAaLjpC/9IHtPH+ivDrey8jJzZ
|
||||
nD+9aLp5E/QG5Rf1tzKDH+oRatQ43mViHA==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -14,9 +14,8 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by protoc-gen-go.
|
||||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// source: service.proto
|
||||
// DO NOT EDIT!
|
||||
|
||||
/*
|
||||
Package v1beta1 is a generated protocol buffer package.
|
||||
@ -25,6 +24,8 @@ It is generated from these files:
|
||||
service.proto
|
||||
|
||||
It has these top-level messages:
|
||||
VersionRequest
|
||||
VersionResponse
|
||||
DecryptRequest
|
||||
DecryptResponse
|
||||
EncryptRequest
|
||||
@ -52,47 +53,147 @@ var _ = math.Inf
|
||||
// proto package needs to be updated.
|
||||
const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
|
||||
|
||||
type VersionRequest struct {
|
||||
// Version of the KMS plugin API.
|
||||
Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
|
||||
}
|
||||
|
||||
func (m *VersionRequest) Reset() { *m = VersionRequest{} }
|
||||
func (m *VersionRequest) String() string { return proto.CompactTextString(m) }
|
||||
func (*VersionRequest) ProtoMessage() {}
|
||||
func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
|
||||
|
||||
func (m *VersionRequest) GetVersion() string {
|
||||
if m != nil {
|
||||
return m.Version
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
type VersionResponse struct {
|
||||
// Version of the KMS plugin API.
|
||||
Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
|
||||
// Name of the KMS provider.
|
||||
RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName" json:"runtime_name,omitempty"`
|
||||
// Version of the KMS provider. The string must be semver-compatible.
|
||||
RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion" json:"runtime_version,omitempty"`
|
||||
}
|
||||
|
||||
func (m *VersionResponse) Reset() { *m = VersionResponse{} }
|
||||
func (m *VersionResponse) String() string { return proto.CompactTextString(m) }
|
||||
func (*VersionResponse) ProtoMessage() {}
|
||||
func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
|
||||
|
||||
func (m *VersionResponse) GetVersion() string {
|
||||
if m != nil {
|
||||
return m.Version
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *VersionResponse) GetRuntimeName() string {
|
||||
if m != nil {
|
||||
return m.RuntimeName
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *VersionResponse) GetRuntimeVersion() string {
|
||||
if m != nil {
|
||||
return m.RuntimeVersion
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
type DecryptRequest struct {
|
||||
Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"`
|
||||
// Version of the KMS plugin API, now use “v1beta1”
|
||||
Version string `protobuf:"bytes,2,opt,name=version" json:"version,omitempty"`
|
||||
// Version of the KMS plugin API.
|
||||
Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
|
||||
// The data to be decrypted.
|
||||
Cipher []byte `protobuf:"bytes,2,opt,name=cipher,proto3" json:"cipher,omitempty"`
|
||||
}
|
||||
|
||||
func (m *DecryptRequest) Reset() { *m = DecryptRequest{} }
|
||||
func (m *DecryptRequest) String() string { return proto.CompactTextString(m) }
|
||||
func (*DecryptRequest) ProtoMessage() {}
|
||||
func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
|
||||
func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
|
||||
|
||||
func (m *DecryptRequest) GetVersion() string {
|
||||
if m != nil {
|
||||
return m.Version
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *DecryptRequest) GetCipher() []byte {
|
||||
if m != nil {
|
||||
return m.Cipher
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type DecryptResponse struct {
|
||||
// The decrypted data.
|
||||
Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"`
|
||||
}
|
||||
|
||||
func (m *DecryptResponse) Reset() { *m = DecryptResponse{} }
|
||||
func (m *DecryptResponse) String() string { return proto.CompactTextString(m) }
|
||||
func (*DecryptResponse) ProtoMessage() {}
|
||||
func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
|
||||
func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
|
||||
|
||||
func (m *DecryptResponse) GetPlain() []byte {
|
||||
if m != nil {
|
||||
return m.Plain
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type EncryptRequest struct {
|
||||
Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"`
|
||||
// Version of the KMS plugin API, now use “v1beta1”
|
||||
Version string `protobuf:"bytes,2,opt,name=version" json:"version,omitempty"`
|
||||
// Version of the KMS plugin API.
|
||||
Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"`
|
||||
// The data to be encrypted.
|
||||
Plain []byte `protobuf:"bytes,2,opt,name=plain,proto3" json:"plain,omitempty"`
|
||||
}
|
||||
|
||||
func (m *EncryptRequest) Reset() { *m = EncryptRequest{} }
|
||||
func (m *EncryptRequest) String() string { return proto.CompactTextString(m) }
|
||||
func (*EncryptRequest) ProtoMessage() {}
|
||||
func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
|
||||
func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} }
|
||||
|
||||
func (m *EncryptRequest) GetVersion() string {
|
||||
if m != nil {
|
||||
return m.Version
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *EncryptRequest) GetPlain() []byte {
|
||||
if m != nil {
|
||||
return m.Plain
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type EncryptResponse struct {
|
||||
// The encrypted data.
|
||||
Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"`
|
||||
}
|
||||
|
||||
func (m *EncryptResponse) Reset() { *m = EncryptResponse{} }
|
||||
func (m *EncryptResponse) String() string { return proto.CompactTextString(m) }
|
||||
func (*EncryptResponse) ProtoMessage() {}
|
||||
func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
|
||||
func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} }
|
||||
|
||||
func (m *EncryptResponse) GetCipher() []byte {
|
||||
if m != nil {
|
||||
return m.Cipher
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
proto.RegisterType((*VersionRequest)(nil), "v1beta1.VersionRequest")
|
||||
proto.RegisterType((*VersionResponse)(nil), "v1beta1.VersionResponse")
|
||||
proto.RegisterType((*DecryptRequest)(nil), "v1beta1.DecryptRequest")
|
||||
proto.RegisterType((*DecryptResponse)(nil), "v1beta1.DecryptResponse")
|
||||
proto.RegisterType((*EncryptRequest)(nil), "v1beta1.EncryptRequest")
|
||||
@ -110,7 +211,11 @@ const _ = grpc.SupportPackageIsVersion4
|
||||
// Client API for KMSService service
|
||||
|
||||
type KMSServiceClient interface {
|
||||
// Version returns the runtime name and runtime version.
|
||||
Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
|
||||
// Execute decryption operation in KMS provider.
|
||||
Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error)
|
||||
// Execute encryption operation in KMS provider.
|
||||
Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error)
|
||||
}
|
||||
|
||||
@ -122,6 +227,15 @@ func NewKMSServiceClient(cc *grpc.ClientConn) KMSServiceClient {
|
||||
return &kMSServiceClient{cc}
|
||||
}
|
||||
|
||||
func (c *kMSServiceClient) Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) {
|
||||
out := new(VersionResponse)
|
||||
err := grpc.Invoke(ctx, "/v1beta1.KMSService/Version", in, out, c.cc, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func (c *kMSServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) {
|
||||
out := new(DecryptResponse)
|
||||
err := grpc.Invoke(ctx, "/v1beta1.KMSService/Decrypt", in, out, c.cc, opts...)
|
||||
@ -143,7 +257,11 @@ func (c *kMSServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts
|
||||
// Server API for KMSService service
|
||||
|
||||
type KMSServiceServer interface {
|
||||
// Version returns the runtime name and runtime version.
|
||||
Version(context.Context, *VersionRequest) (*VersionResponse, error)
|
||||
// Execute decryption operation in KMS provider.
|
||||
Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error)
|
||||
// Execute encryption operation in KMS provider.
|
||||
Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error)
|
||||
}
|
||||
|
||||
@ -151,6 +269,24 @@ func RegisterKMSServiceServer(s *grpc.Server, srv KMSServiceServer) {
|
||||
s.RegisterService(&_KMSService_serviceDesc, srv)
|
||||
}
|
||||
|
||||
func _KMSService_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||
in := new(VersionRequest)
|
||||
if err := dec(in); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if interceptor == nil {
|
||||
return srv.(KMSServiceServer).Version(ctx, in)
|
||||
}
|
||||
info := &grpc.UnaryServerInfo{
|
||||
Server: srv,
|
||||
FullMethod: "/v1beta1.KMSService/Version",
|
||||
}
|
||||
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
||||
return srv.(KMSServiceServer).Version(ctx, req.(*VersionRequest))
|
||||
}
|
||||
return interceptor(ctx, in, info, handler)
|
||||
}
|
||||
|
||||
func _KMSService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||
in := new(DecryptRequest)
|
||||
if err := dec(in); err != nil {
|
||||
@ -191,6 +327,10 @@ var _KMSService_serviceDesc = grpc.ServiceDesc{
|
||||
ServiceName: "v1beta1.KMSService",
|
||||
HandlerType: (*KMSServiceServer)(nil),
|
||||
Methods: []grpc.MethodDesc{
|
||||
{
|
||||
MethodName: "Version",
|
||||
Handler: _KMSService_Version_Handler,
|
||||
},
|
||||
{
|
||||
MethodName: "Decrypt",
|
||||
Handler: _KMSService_Decrypt_Handler,
|
||||
@ -207,18 +347,23 @@ var _KMSService_serviceDesc = grpc.ServiceDesc{
|
||||
func init() { proto.RegisterFile("service.proto", fileDescriptor0) }
|
||||
|
||||
var fileDescriptor0 = []byte{
|
||||
// 207 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x2d, 0x4e, 0x2d, 0x2a,
|
||||
0xcb, 0x4c, 0x4e, 0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x2f, 0x33, 0x4c, 0x4a, 0x2d,
|
||||
0x49, 0x34, 0x54, 0x72, 0xe2, 0xe2, 0x73, 0x49, 0x4d, 0x2e, 0xaa, 0x2c, 0x28, 0x09, 0x4a, 0x2d,
|
||||
0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12, 0xe3, 0x62, 0x4b, 0xce, 0x2c, 0xc8, 0x48, 0x2d, 0x92, 0x60,
|
||||
0x54, 0x60, 0xd4, 0xe0, 0x09, 0x82, 0xf2, 0x84, 0x24, 0xb8, 0xd8, 0xcb, 0x52, 0x8b, 0x8a, 0x33,
|
||||
0xf3, 0xf3, 0x24, 0x98, 0x14, 0x18, 0x35, 0x38, 0x83, 0x60, 0x5c, 0x25, 0x75, 0x2e, 0x7e, 0xb8,
|
||||
0x19, 0xc5, 0x05, 0xf9, 0x79, 0xc5, 0xa9, 0x42, 0x22, 0x5c, 0xac, 0x05, 0x39, 0x89, 0x99, 0x79,
|
||||
0x50, 0x33, 0x20, 0x1c, 0x25, 0x07, 0x2e, 0x3e, 0xd7, 0x3c, 0x14, 0xcb, 0xb0, 0xaa, 0xc3, 0x63,
|
||||
0x95, 0x26, 0x17, 0x3f, 0xdc, 0x04, 0xa8, 0x55, 0x38, 0xdc, 0x6b, 0xd4, 0xc3, 0xc8, 0xc5, 0xe5,
|
||||
0xed, 0x1b, 0x1c, 0x0c, 0xf1, 0xb7, 0x90, 0x1d, 0x17, 0x3b, 0xd4, 0x91, 0x42, 0xe2, 0x7a, 0x50,
|
||||
0xdf, 0xeb, 0xa1, 0x7a, 0x5d, 0x4a, 0x02, 0x53, 0x02, 0x62, 0x89, 0x12, 0x03, 0x48, 0x3f, 0xd4,
|
||||
0x66, 0x24, 0xfd, 0xa8, 0xbe, 0x41, 0xd2, 0x8f, 0xe6, 0x48, 0x25, 0x86, 0x24, 0x36, 0x70, 0xc0,
|
||||
0x1b, 0x03, 0x02, 0x00, 0x00, 0xff, 0xff, 0xd2, 0x95, 0x8d, 0x5c, 0x89, 0x01, 0x00, 0x00,
|
||||
// 279 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0xcd, 0x4a, 0xc4, 0x30,
|
||||
0x10, 0xde, 0xae, 0xb8, 0xc5, 0xb1, 0xb6, 0x10, 0x44, 0x8b, 0x27, 0xcd, 0x65, 0xd5, 0x43, 0x61,
|
||||
0xf5, 0x2e, 0x22, 0x7a, 0x12, 0x3d, 0x74, 0xc1, 0xab, 0x74, 0xcb, 0x80, 0x01, 0x9b, 0xc6, 0x24,
|
||||
0x5b, 0xf1, 0x1d, 0x7d, 0x28, 0xb1, 0x99, 0xd6, 0xb4, 0x22, 0xee, 0x71, 0x26, 0xdf, 0xdf, 0xcc,
|
||||
0x04, 0xf6, 0x0c, 0xea, 0x46, 0x94, 0x98, 0x29, 0x5d, 0xdb, 0x9a, 0x85, 0xcd, 0x62, 0x85, 0xb6,
|
||||
0x58, 0xf0, 0x73, 0x88, 0x9f, 0x50, 0x1b, 0x51, 0xcb, 0x1c, 0xdf, 0xd6, 0x68, 0x2c, 0x4b, 0x21,
|
||||
0x6c, 0x5c, 0x27, 0x0d, 0x8e, 0x83, 0xd3, 0x9d, 0xbc, 0x2b, 0xf9, 0x3b, 0x24, 0x3d, 0xd6, 0xa8,
|
||||
0x5a, 0x1a, 0xfc, 0x1b, 0xcc, 0x4e, 0x20, 0xd2, 0x6b, 0x69, 0x45, 0x85, 0xcf, 0xb2, 0xa8, 0x30,
|
||||
0x9d, 0xb6, 0xcf, 0xbb, 0xd4, 0x7b, 0x2c, 0x2a, 0x64, 0x73, 0x48, 0x3a, 0x48, 0x27, 0xb2, 0xd5,
|
||||
0xa2, 0x62, 0x6a, 0x93, 0x1b, 0xbf, 0x81, 0xf8, 0x16, 0x4b, 0xfd, 0xa1, 0xec, 0xbf, 0x21, 0xd9,
|
||||
0x01, 0xcc, 0x4a, 0xa1, 0x5e, 0x50, 0xb7, 0x8e, 0x51, 0x4e, 0x15, 0x9f, 0x43, 0xd2, 0x6b, 0x50,
|
||||
0xf8, 0x7d, 0xd8, 0x56, 0xaf, 0x85, 0x70, 0x12, 0x51, 0xee, 0x0a, 0x7e, 0x0d, 0xf1, 0x9d, 0xdc,
|
||||
0xd0, 0xac, 0x57, 0x98, 0xfa, 0x0a, 0x67, 0x90, 0xf4, 0x0a, 0x64, 0xf5, 0x93, 0x2a, 0xf0, 0x53,
|
||||
0x5d, 0x7c, 0x06, 0x00, 0xf7, 0x0f, 0xcb, 0xa5, 0x3b, 0x0e, 0xbb, 0x82, 0x90, 0x66, 0x66, 0x87,
|
||||
0x19, 0x9d, 0x28, 0x1b, 0xde, 0xe7, 0x28, 0xfd, 0xfd, 0xe0, 0x4c, 0xf8, 0xe4, 0x9b, 0x4f, 0x43,
|
||||
0x7a, 0xfc, 0xe1, 0xea, 0x3c, 0xfe, 0x68, 0x1f, 0x8e, 0x4f, 0xc9, 0x3d, 0xfe, 0x70, 0x1b, 0x1e,
|
||||
0x7f, 0x34, 0x24, 0x9f, 0xac, 0x66, 0xed, 0xef, 0xba, 0xfc, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x28,
|
||||
0x69, 0xfc, 0xea, 0x6e, 0x02, 0x00, 0x00,
|
||||
}
|
||||
|
||||
@ -2,28 +2,52 @@ syntax = "proto3";
|
||||
|
||||
package v1beta1;
|
||||
|
||||
// This service defines the public APIs for remote KMS provider.
|
||||
service KMSService {
|
||||
// Version returns the runtime name and runtime version of the KMS provider.
|
||||
rpc Version(VersionRequest) returns (VersionResponse) {}
|
||||
|
||||
// Execute decryption operation in KMS provider.
|
||||
rpc Decrypt(DecryptRequest) returns (DecryptResponse) {}
|
||||
// Execute encryption operation in KMS provider.
|
||||
rpc Encrypt(EncryptRequest) returns (EncryptResponse) {}
|
||||
}
|
||||
|
||||
message VersionRequest {
|
||||
// Version of the KMS plugin API.
|
||||
string version = 1;
|
||||
}
|
||||
|
||||
message VersionResponse {
|
||||
// Version of the KMS plugin API.
|
||||
string version = 1;
|
||||
// Name of the KMS provider.
|
||||
string runtime_name = 2;
|
||||
// Version of the KMS provider. The string must be semver-compatible.
|
||||
string runtime_version = 3;
|
||||
}
|
||||
|
||||
message DecryptRequest {
|
||||
bytes cipher = 1;
|
||||
// Version of the KMS plugin API, now use “v1beta1”
|
||||
string version = 2;
|
||||
// Version of the KMS plugin API.
|
||||
string version = 1;
|
||||
// The data to be decrypted.
|
||||
bytes cipher = 2;
|
||||
}
|
||||
|
||||
message DecryptResponse {
|
||||
// The decrypted data.
|
||||
bytes plain = 1;
|
||||
}
|
||||
|
||||
message EncryptRequest {
|
||||
bytes plain = 1;
|
||||
// Version of the KMS plugin API, now use “v1beta1”
|
||||
string version = 2;
|
||||
// Version of the KMS plugin API.
|
||||
string version = 1;
|
||||
// The data to be encrypted.
|
||||
bytes plain = 2;
|
||||
}
|
||||
|
||||
message EncryptResponse {
|
||||
// The encrypted data.
|
||||
bytes cipher = 1;
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user