Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for gcp access token #1578

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -242,8 +242,12 @@ It is also possible to use ``updatekeys``, when adding or removing age recipient

Encrypting using GCP KMS
~~~~~~~~~~~~~~~~~~~~~~~~
GCP KMS uses `Application Default Credentials
<https://developers.google.com/identity/protocols/application-default-credentials>`_.
GCP KMS has support for authorization with the use of `Application Default Credentials
<https://developers.google.com/identity/protocols/application-default-credentials>`_ and using an oauth2 token.
Application default credentials precedes the use of access token.

Using Application Default Credentials you can authorize by doing this:

If you already logged in using

.. code:: sh
Expand All @@ -256,6 +260,19 @@ you can enable application default credentials using the sdk:

$ gcloud auth application-default login

Using oauth tokens you can authorize by doing this:

.. code:: sh

$ export GOOGLE_OAUTH_ACCESS_TOKEN=<your access token>

Or if you are logged in you can authorize by generating an access token:

.. code:: sh

$ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"

devstein marked this conversation as resolved.
Show resolved Hide resolved

Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
cloud console the get the ResourceID or you can create one using the gcloud
sdk:
Expand All @@ -278,6 +295,7 @@ And decrypt it using::

$ sops decrypt test.enc.yaml


Encrypting using Azure Key Vault
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expand Down
53 changes: 41 additions & 12 deletions gcpkms/keysource.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/sirupsen/logrus"
"golang.org/x/oauth2"
"google.golang.org/api/option"
"google.golang.org/grpc"

Expand All @@ -23,6 +24,9 @@ const (
// a path to a credentials file, or directly as the variable's value in JSON
// format.
SopsGoogleCredentialsEnv = "GOOGLE_CREDENTIALS"
// SopsGoogleCredentialsOAuthToken is the environment variable used for the
// GCP Oauth2 Token.
SopsGoogleCredentialsOAuthToken = "GOOGLE_OAUTH_ACCESS_TOKEN"
// KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
KeyTypeIdentifier = "gcp_kms"
)
Expand Down Expand Up @@ -203,8 +207,8 @@ func (key *MasterKey) TypeToIdentifier() string {
return KeyTypeIdentifier
}

// newKMSClient returns a GCP KMS client configured with the credentialJSON
// and/or grpcConn, falling back to environmental defaults.
// newKMSClient returns a GCP KMS client configured with the credentialJSON,
// tokenSource and/or grpcConn, falling back to environmental defaults.
// It returns an error if the ResourceID is invalid, or if the setup of the
// client fails.
func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
Expand All @@ -219,37 +223,62 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
case key.credentialJSON != nil:
opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
default:
credentials, err := getGoogleCredentials()
if err != nil {
return nil, err
}
credentials, err_credentials_file := getGoogleCredentials()
if credentials != nil {
opts = append(opts, option.WithCredentialsJSON(credentials))
break
}

at_credentials, err_credentials_token := getGoogleOAuthToken()
if at_credentials != nil {
opts = append(opts, option.WithTokenSource(at_credentials))
}

if err_credentials_file != nil && err_credentials_token != nil {
return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token")
}
}

if key.grpcConn != nil {
opts = append(opts, option.WithGRPCConn(key.grpcConn))
}

ctx := context.Background()
client, err := kms.NewKeyManagementClient(ctx, opts...)
if err != nil {
return nil, err
client, err_credentials := kms.NewKeyManagementClient(ctx, opts...)
if err_credentials != nil {
return nil, err_credentials
}

return client, nil
}

// getGoogleCredentials returns the SopsGoogleCredentialsEnv variable, as
// either the file contents of the path of a credentials file, or as value in
// JSON format. It returns an error if the file cannot be read, and may return
// a nil byte slice if no value is set.
// JSON format.
// It returns an error and a nil byte slice if the environment variable is not set,
// or the file cannot be read.
func getGoogleCredentials() ([]byte, error) {
if defaultCredentials, ok := os.LookupEnv(SopsGoogleCredentialsEnv); ok && len(defaultCredentials) > 0 {
if _, err := os.Stat(defaultCredentials); err == nil {
return os.ReadFile(defaultCredentials)
}

return []byte(defaultCredentials), nil
}
return nil, nil
return nil, fmt.Errorf("could not find Google credential file")
Comment on lines +265 to +268
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update the function doc comment to reflect behavior change? Right now, it incorrectly reads and may return a nil byte slice if no value is set.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also changed the description of the SopsGoogleCredentialsOAuthToken, where i forgot to update after removing the possibility of using a file path!

Thank you for all of your comments, and time! 🌻

}

// getGoogleOAuthToken returns the SopsGoogleCredentialsOauthToken variable,
// as the oauth token.
// It returns an error and a nil byte slice if the envrionment variable is not set.
func getGoogleOAuthToken() (oauth2.TokenSource, error) {
if token, isSet := os.LookupEnv(SopsGoogleCredentialsOAuthToken); isSet {
tokenSource := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: token},
)

return tokenSource, nil
}

return nil, fmt.Errorf("could not find Google OAuth token")
}
43 changes: 37 additions & 6 deletions gcpkms/keysource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,9 @@ func TestMasterKey_Encrypt(t *testing.T) {
})

key := MasterKey{
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
credentialJSON: []byte("arbitrary credentials"),
}
err := key.Encrypt([]byte("encrypt"))
assert.NoError(t, err)
Expand All @@ -80,9 +81,10 @@ func TestMasterKey_Decrypt(t *testing.T) {
Plaintext: []byte(decryptedData),
})
key := MasterKey{
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
EncryptedKey: "encryptedKey",
grpcConn: newGRPCServer("0"),
ResourceID: testResourceID,
EncryptedKey: "encryptedKey",
credentialJSON: []byte("arbitrary credentials"),
}
data, err := key.Decrypt()
assert.NoError(t, err)
Expand Down Expand Up @@ -116,7 +118,7 @@ func TestMasterKey_ToMap(t *testing.T) {
}, key.ToMap())
}

func TestMasterKey_createCloudKMSService(t *testing.T) {
func TestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
tests := []struct {
key MasterKey
errString string
Expand All @@ -136,6 +138,12 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
"type": "authorized_user"}`),
},
},
{
key: MasterKey{
ResourceID: testResourceID,
},
errString: "credentials: failed to get credentials",
},
}

for _, tt := range tests {
Expand All @@ -149,6 +157,29 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
}
}

func TestMasterKey_createCloudKMSService_withOauthToken(t *testing.T) {
t.Setenv(SopsGoogleCredentialsOAuthToken, "token")

masterKey := MasterKey{
ResourceID: testResourceID,
}

_, err := masterKey.newKMSClient()

assert.NoError(t, err)
}

func TestMasterKey_createCloudKMSService_withoutCredentials(t *testing.T) {
masterKey := MasterKey{
ResourceID: testResourceID,
}

_, err := masterKey.newKMSClient()

assert.Error(t, err)
assert.ErrorContains(t, err, "credentials: failed to get credentials")
}

func newGRPCServer(port string) *grpc.ClientConn {
serv := grpc.NewServer()
kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ require (
github.com/stretchr/testify v1.9.0
github.com/urfave/cli v1.22.15
golang.org/x/net v0.29.0
golang.org/x/oauth2 v0.23.0
golang.org/x/sys v0.25.0
golang.org/x/term v0.24.0
google.golang.org/api v0.197.0
Expand Down Expand Up @@ -126,7 +127,6 @@ require (
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/text v0.18.0 // indirect
golang.org/x/time v0.6.0 // indirect
Expand Down
Loading