feat: add the public key or its identifier to the secret data

alxndr13 · Feb 6, 2024 · f509c39 · f509c39
1 parent c39358f
commit f509c39
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 15 deletions.
diff --git a/secret.go b/secret.go
@@ -34,12 +34,13 @@ func NewSecret(secretFile *SecretFile, driver string, alternative *Call, path []
 
 // SecretFileData describes the generic structure of secret files.
 type SecretFileData struct {
-	Data string `yaml:"data"`
-	Type string `yaml:"type"`
+	Data      string `yaml:"data"`
+	Type      string `yaml:"type"`
+	PublicKey string `yaml:"publickey"`
 }
 
 // NewSecretData constructs a [Data] map as it is required for secrets.
-func NewSecretData(data string, driver string) (*SecretFileData, error) {
+func NewSecretData(data string, driver string, key string) (*SecretFileData, error) {
 	if data == "" {
 		return nil, fmt.Errorf("secret data cannot be empty")
 	}
@@ -48,8 +49,9 @@ func NewSecretData(data string, driver string) (*SecretFileData, error) {
 	}
 
 	return &SecretFileData{
-		Data: data,
-		Type: driver,
+		Data:      data,
+		Type:      driver,
+		PublicKey: key,
 	}, nil
 }
 
@@ -141,7 +143,7 @@ func (secret *Secret) attemptCreate(fs afero.Fs, secretPath string) error {
 	}
 
 	// create new Data map which can then be written into the secret file
-	secretFileData, err := NewSecretData(encryptedData, secret.Driver.Type())
+	secretFileData, err := NewSecretData(encryptedData, secret.Driver.Type(), secret.Driver.GetPublicKey())
 	if err != nil {
 		return fmt.Errorf("could not create NewSecretData: %w", err)
 	}
@@ -229,7 +231,7 @@ func secretYamlFileLoader(secretFileList *[]*SecretFile) YamlFileLoaderFunc {
 
 // Value returns the actual secret value.
 func (s *Secret) Value() (string, error) {
-	return s.Driver.Decrypt(s.Data.Data)
+	return s.Driver.Decrypt(s.Data.Data, s.Data.PublicKey)
 }
 
 // FullName returns the full secret name as it would be expected to ocurr in a class/target.

diff --git a/secret/driver/aes.go b/secret/driver/aes.go
@@ -36,7 +36,9 @@ func (driver *Aes) Configure(config map[string]interface{}) error {
 	return nil
 }
 
-func (driver *Aes) Decrypt(encrypted string) (string, error) {
+func (driver *Aes) Decrypt(encrypted string, key string) (string, error) {
+	// key is dismissed, as we always use the key in the driver config here
+
 	decrypted, err := driver.decrypt([]byte(driver.config.Key), encrypted)
 	if err != nil {
 		return "", err
@@ -107,3 +109,7 @@ func (driver *Aes) decrypt(key []byte, secure string) (decoded string, err error
 func (driver *Aes) Type() string {
 	return "aes"
 }
+
+func (driver *Aes) GetPublicKey() string {
+	return "aesIsSymmetricThereIsNoPublicKey"
+}
diff --git a/secret/driver/azure.go b/secret/driver/azure.go
@@ -90,7 +90,20 @@ func (driver *Azure) Encrypt(input string) (string, error) {
 	return base64.RawStdEncoding.EncodeToString(res.Result), nil
 }
 
-func (driver *Azure) Decrypt(input string) (string, error) {
+// Decrypt decrypts an input either using the key configured in the driver or if the key parameter isn't empty it will use that one.
+func (driver *Azure) Decrypt(input string, key string) (string, error) {
+	var err error
+	keyName := driver.config.KeyName
+	keyVersion := driver.config.KeyVersion
+
+	// if we hand over a key to this func, make sure to use this key for the decryption, otherwise use the key configured in the driver
+	if len(key) > 0 {
+		_, keyName, keyVersion, err = parseAzureKeyVaultKeyId(key)
+		if err != nil {
+			return "", fmt.Errorf("the key we handed over to Decrypt() could not be parsed")
+		}
+	}
+
 	decoded, err := base64.RawStdEncoding.DecodeString(input)
 	if err != nil {
 		return "", err
@@ -101,11 +114,10 @@ func (driver *Azure) Decrypt(input string) (string, error) {
 		Value:     []byte(decoded),
 	}
 
-	version := driver.config.KeyVersion
 	if driver.config.IgnoreVersion {
-		version = ""
+		keyVersion = ""
 	}
-	res, err := driver.client.Decrypt(context.TODO(), driver.config.KeyName, version, encryptParams, nil)
+	res, err := driver.client.Decrypt(context.TODO(), keyName, keyVersion, encryptParams, nil)
 	if err != nil {
 		return "", err
 	}
@@ -157,3 +169,7 @@ func parseAzureKeyVaultKeyId(key string) (vaultName string, keyName string, keyV
 func (driver *Azure) Type() string {
 	return "azurekv"
 }
+
+func (driver Azure) GetPublicKey() string {
+	return driver.config.KeyId
+}
diff --git a/secret/driver/base64.go b/secret/driver/base64.go
@@ -17,7 +17,9 @@ func NewBase64() (*Base64, error) {
 	return &driver, nil
 }
 
-func (p *Base64) Decrypt(encrypted string) (string, error) {
+func (p *Base64) Decrypt(encrypted string, key string) (string, error) {
+	// key is dismissed, as base64 isn't decrypting stuff
+
 	out, err := base64.StdEncoding.DecodeString(encrypted)
 	if err != nil {
 		return "", err
@@ -32,3 +34,7 @@ func (p *Base64) Encrypt(input string) (string, error) {
 func (p *Base64) Type() string {
 	return "base64"
 }
+
+func (p *Base64) GetPublicKey() string {
+	return "base64DoesNotHaveAPublicKey"
+}
diff --git a/secret/driver/plain.go b/secret/driver/plain.go
@@ -14,7 +14,8 @@ func NewPlain() (*Plain, error) {
 }
 
 // the plain driver does not do anything
-func (p *Plain) Decrypt(encrypted string) (string, error) {
+func (p *Plain) Decrypt(encrypted string, key string) (string, error) {
+	// key is dismissed, as plain does not do anything
 	return encrypted, nil
 }
 
@@ -23,6 +24,10 @@ func (p *Plain) Encrypt(input string) (string, error) {
 	return input, nil
 }
 
-func (p *Plain) Type() string {
+func (p Plain) Type() string {
 	return "plain"
 }
+
+func (p Plain) GetPublicKey() string {
+	return "plainTextDoesntHaveAPublicKey"
+}