kmsprovider

package
v0.4.0
Published: Mar 21, 2024 License: Apache-2.0 Imports: 17 Imported by: 8

Documentation

Overview

Package kmsprovider contains the AWS KMS master key provider implementation.

A provider is created in strict mode when given one or more KMS key ARNs (the keys to use are listed explicitly), or in discovery mode when given none. In discovery mode the key used for decryption is taken from the key ID carried in the message's encrypted data key rather than from configuration, so a discovery filter (WithDiscoveryFilter) restricting the trusted AWS account IDs and partition should be configured whenever discovery mode is used.

Example DiscoveryKmsProvider in discovery mode:

kmsProvider, err := kmsprovider.New()
if err != nil {
    panic(err) // handle error
}

Example StrictKmsProvider in strict mode:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.New(keyID)
if err != nil {
    panic(err) // handle error
}

Example StrictKmsProvider with custom AWS config:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.NewWithOpts(
    []string{keyID},
    kmsprovider.WithAwsLoadOptions(
        // add more AWS Config options if needed
        config.WithSharedConfigProfile("your_profile_name"),
        config.WithRegion("us-west-2"),
    ),
)
if err != nil {
    panic(err) // handle error
}

Example MrkAwareStrictKmsProvider:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.NewWithOpts(
    []string{keyID},                // KMS CMK ARNs
    kmsprovider.WithMrkAwareness(), // enable MRK-aware
)
if err != nil {
    panic(err) // handle error
}

Example DiscoveryKmsProvider with discovery filter:

kmsProvider, err := kmsprovider.NewWithOpts(
    nil,
    // enable discovery, and filter by accountIDs and partition
    kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
)
if err != nil {
    panic(err) // handle error
}

Example MrkAwareDiscoveryKmsProvider with discovery region and filter:

kmsProvider, err := kmsprovider.NewWithOpts(
    nil,
    // enable discovery, and filter by accountIDs and partition
    kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
    kmsprovider.WithMrkAwareness(),               // enable MRK-aware
    kmsprovider.WithDiscoveryRegion("us-west-2"), // specify region for discovery
)
if err != nil {
    panic(err) // handle error
}

See examples for more detailed usage.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KmsKeyProvider

// KmsKeyProvider is a KMS key provider parameterized over the master key type KT.
// The constructors in this package (New, NewWithOpts) instantiate it with model.MasterKey.
type KmsKeyProvider[KT model.MasterKey] struct {
	// contains filtered or unexported fields
}

KmsKeyProvider is a KMS key provider.

func New

func New(keyIDs ...string) (*KmsKeyProvider[model.MasterKey], error)

New creates a new KmsKeyProvider with the given keyIDs.

If no keyIDs are provided, a DiscoveryKmsProvider is created. In discovery mode the key used for decryption is the one named in the message's encrypted data key (see MasterKeyForDecrypt), restricted only by a discovery filter if one is configured via NewWithOpts; prefer listing explicit key ARNs (strict mode) whenever the set of trusted keys is known.

Example DiscoveryKmsProvider in discovery mode:

kmsProvider, err := kmsprovider.New()
if err != nil {
    panic(err) // handle error
}

Example StrictKmsProvider in strict mode:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.New(keyID)
if err != nil {
    panic(err) // handle error
}

Example StrictKmsProvider with multiple keyIDs:

keyID1 := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
keyID2 := "arn:aws:kms:us-east-1:123456789011:key/22345678-1234-1234-1234-123456789012"
kmsProvider, err := kmsprovider.New(keyID1, keyID2)
if err != nil {
    panic(err) // handle error
}

See examples for more detailed usage.

func NewWithOpts

func NewWithOpts(keyIDs []string, optFns ...func(options *Options) error) (*KmsKeyProvider[model.MasterKey], error)

NewWithOpts creates a new KmsKeyProvider with the given keyIDs. Passing a nil or empty keyIDs slice together with WithDiscovery or WithDiscoveryFilter creates a discovery provider (see the examples below).

It also accepts an optional variadic set of functional options (OptionsFunc values) for configuring the provider, such as AWS config load options, MRK awareness, and the discovery filter and region.

See usage below and check examples for more detailed usage.

Example StrictKmsProvider with custom AWS config:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.NewWithOpts(
    []string{keyID},
    kmsprovider.WithAwsLoadOptions(
        // add more AWS Config options if needed
        config.WithSharedConfigProfile("your_profile_name"),
        config.WithRegion("us-west-2"),
    ),
)
if err != nil {
    panic(err) // handle error
}

Example MrkAwareStrictKmsProvider:

keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
kmsProvider, err := kmsprovider.NewWithOpts(
    []string{keyID},                // KMS CMK ARNs
    kmsprovider.WithMrkAwareness(), // enable MRK-aware
)
if err != nil {
    panic(err) // handle error
}

Example DiscoveryKmsProvider with discovery filter:

kmsProvider, err := kmsprovider.NewWithOpts(
    nil,
    // enable discovery, and filter by accountIDs and partition
    kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
)
if err != nil {
    panic(err) // handle error
}

Example MrkAwareDiscoveryKmsProvider with discovery region and filter:

kmsProvider, err := kmsprovider.NewWithOpts(
    nil,
    // enable discovery, and filter by accountIDs and partition
    kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
    kmsprovider.WithMrkAwareness(),               // enable MRK-aware
    kmsprovider.WithDiscoveryRegion("us-west-2"), // specify region for discovery
)
if err != nil {
    panic(err) // handle error
}

func (*KmsKeyProvider[KT]) AddMasterKey

func (kmsKP *KmsKeyProvider[KT]) AddMasterKey(keyID string) (model.MasterKey, error)

AddMasterKey validates the given keyID, checks that it is not already registered with the provider, creates a KMS master key for it, and adds that key to the master key provider.

func (*KmsKeyProvider[KT]) DecryptDataKey

func (kmsKP *KmsKeyProvider[KT]) DecryptDataKey(ctx context.Context, encryptedDataKey model.EncryptedDataKeyI, alg *suite.AlgorithmSuite, ec suite.EncryptionContext) (model.DataKeyI, error)

DecryptDataKey attempts to decrypt the encrypted data key with a KeyProvider.

func (*KmsKeyProvider[KT]) DecryptDataKeyFromList

func (kmsKP *KmsKeyProvider[KT]) DecryptDataKeyFromList(ctx context.Context, encryptedDataKeys []model.EncryptedDataKeyI, alg *suite.AlgorithmSuite, ec suite.EncryptionContext) (model.DataKeyI, error)

DecryptDataKeyFromList attempts to decrypt the encrypted data keys with a KeyProvider.

func (*KmsKeyProvider[KT]) MasterKeyForDecrypt

func (kmsKP *KmsKeyProvider[KT]) MasterKeyForDecrypt(ctx context.Context, metadata model.KeyMeta) (model.MasterKey, error)

MasterKeyForDecrypt returns kms.MasterKey for the given metadata.

First, it checks registered keys for Encrypt, then checks registered keys for Decrypt.

If the key is not found, it creates a new master key for the key ID carried in metadata and adds it to the master key provider to be used for decryption. Because that key ID originates from the message being decrypted rather than from configuration, the discovery filter is what restricts which keys can be vended this way (see NewMasterKey and WithDiscoveryFilter).

This method is mainly used by keyprovider.KeyProvider when vendOnDecrypt is enabled.

func (*KmsKeyProvider[KT]) MasterKeysForDecryption

func (kmsKP *KmsKeyProvider[KT]) MasterKeysForDecryption() []model.MasterKey

MasterKeysForDecryption returns the list of master keys registered for encryption and decryption with the KMS Provider.

This method is mainly used by keyprovider.KeyProvider.

func (*KmsKeyProvider[KT]) MasterKeysForEncryption

func (kmsKP *KmsKeyProvider[KT]) MasterKeysForEncryption(_ context.Context, _ suite.EncryptionContext) (model.MasterKey, []model.MasterKey, error)

MasterKeysForEncryption returns the primary model.MasterKey and a list of master keys registered with the KMS Provider for encryption.

func (*KmsKeyProvider[KT]) NewMasterKey

func (kmsKP *KmsKeyProvider[KT]) NewMasterKey(ctx context.Context, keyID string) (model.MasterKey, error)

NewMasterKey returns a new instance of kms.MasterKey created by kms.KeyFactory.

It also checks that the keyID is allowed by the discovery filter, so a key ID the filter rejects does not become a usable master key.

func (*KmsKeyProvider[KT]) ProviderID

func (kmsKP *KmsKeyProvider[KT]) ProviderID() string

ProviderID returns the ID types.KmsProviderID.

func (*KmsKeyProvider[KT]) ProviderKind

func (kmsKP *KmsKeyProvider[KT]) ProviderKind() types.ProviderKind

ProviderKind returns the kind types.AwsKms.

func (*KmsKeyProvider[KT]) ValidateMasterKey

func (kmsKP *KmsKeyProvider[KT]) ValidateMasterKey(keyID string) error

ValidateMasterKey validates that the given keyID is a well-formed KMS key ARN.

func (*KmsKeyProvider[KT]) ValidateProviderID

func (kmsKP *KmsKeyProvider[KT]) ValidateProviderID(otherID string) error

ValidateProviderID validates that the master key provider ID matches the given provider ID.

type KmsProvider

// KmsProvider is the interface implemented by KMS providers. It embeds
// model.MasterKeyProvider and adds unexported methods that are not shown here.
type KmsProvider interface {
	model.MasterKeyProvider
	// contains filtered or unexported methods
}

KmsProvider is an interface for KMS providers.

type Options

// Options holds the configuration for a KmsKeyProvider. It is populated by the
// With* functional options (OptionsFunc values) passed to NewWithOpts.
type Options struct {
	// contains filtered or unexported fields
}

Options contains the configuration options for the KmsKeyProvider.

type OptionsFunc

// OptionsFunc applies a single configuration option to Options, returning an
// error if the option cannot be applied.
type OptionsFunc func(options *Options) error

OptionsFunc is a function that applies an option to the Options.

func WithAwsLoadOptions

func WithAwsLoadOptions(optFns ...func(options *config.LoadOptions) error) OptionsFunc

WithAwsLoadOptions sets the AWS SDK config load options (for example config.WithRegion or config.WithSharedConfigProfile, as in the examples above) used by the KMS provider.

func WithClientFactory

func WithClientFactory(factory model.KMSClientFactory) OptionsFunc

WithClientFactory sets the KMS client factory for the KMS provider, e.g. to supply a custom or test KMS client.

func WithDiscovery

func WithDiscovery() OptionsFunc

WithDiscovery enables discovery mode for the KMS provider. Without a discovery filter, the key used for decryption may be any KMS key the message names; combine with WithDiscoveryFilter to restrict the trusted AWS account IDs and partition.

func WithDiscoveryFilter

func WithDiscoveryFilter(accountIDs []string, partition string) OptionsFunc

WithDiscoveryFilter sets the discovery filter (the allowed AWS account IDs and partition, e.g. "aws") for the KMS provider; it also enables discovery mode. Key IDs that do not pass the filter are not accepted for decryption (see NewMasterKey).

func WithDiscoveryRegion

func WithDiscoveryRegion(region string) OptionsFunc

WithDiscoveryRegion sets the AWS region used in discovery mode (see the MrkAwareDiscoveryKmsProvider example).

func WithKeyFactory

func WithKeyFactory(keyFactory model.MasterKeyFactory) OptionsFunc

WithKeyFactory sets the master key factory for the KMS provider.

func WithKeyProvider

func WithKeyProvider(keyProvider model.BaseKeyProvider) OptionsFunc

WithKeyProvider sets the base key provider for the KMS provider.

func WithMrkAwareness

func WithMrkAwareness() OptionsFunc

WithMrkAwareness enables multi-region key (MRK) awareness for the KMS provider, yielding the MrkAwareStrictKmsProvider or MrkAwareDiscoveryKmsProvider type depending on whether discovery is enabled.

type ProviderType

// ProviderType identifies the kind of KMS provider: strict or discovery, with or
// without multi-region key (MRK) awareness.
type ProviderType int

ProviderType represents the type of KMS Provider.

const (
	StrictKmsProvider            ProviderType = iota // Default Strict KMS Provider: key ARNs are listed explicitly at construction
	MrkAwareStrictKmsProvider                        // MRK-Aware Strict KMS Provider (strict mode plus WithMrkAwareness)
	DiscoveryKmsProvider                             // Discovery-Enabled KMS Provider: no key ARNs given; keys named by the message are used, subject to the discovery filter
	MrkAwareDiscoveryKmsProvider                     // MRK-Aware Discovery-Enabled KMS Provider (discovery mode plus WithMrkAwareness)
)

func (ProviderType) String

func (k ProviderType) String() string

String returns the string representation of the KMS Provider type.
