Documentation
Overview
Package kmsprovider contains KMS Master Key Provider implementation.
Example DiscoveryKmsProvider in discovery mode:

    kmsProvider, err := kmsprovider.New()
    if err != nil {
        panic(err) // handle error
    }

Example StrictKmsProvider in strict mode:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.New(keyID)
    if err != nil {
        panic(err) // handle error
    }

Example StrictKmsProvider with custom AWS config:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.NewWithOpts(
        []string{keyID},
        kmsprovider.WithAwsLoadOptions(
            // add more AWS Config options if needed
            config.WithSharedConfigProfile("your_profile_name"),
            config.WithRegion("us-west-2"),
        ),
    )
    if err != nil {
        panic(err) // handle error
    }

Example MrkAwareStrictKmsProvider:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.NewWithOpts(
        []string{keyID},                // KMS CMK ARNs
        kmsprovider.WithMrkAwareness(), // enable MRK-aware
    )
    if err != nil {
        panic(err) // handle error
    }

Example DiscoveryKmsProvider with discovery filter:

    kmsProvider, err := kmsprovider.NewWithOpts(
        nil,
        // enable discovery, and filter by accountIDs and partition
        kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
    )
    if err != nil {
        panic(err) // handle error
    }

Example MrkAwareDiscoveryKmsProvider with discovery region and filter:

    kmsProvider, err := kmsprovider.NewWithOpts(
        nil,
        // enable discovery, and filter by accountIDs and partition
        kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
        kmsprovider.WithMrkAwareness(),              // enable MRK-aware
        kmsprovider.WithDiscoveryRegion("us-west-2"), // specify region for discovery
    )
    if err != nil {
        panic(err) // handle error
    }

See examples for more detailed usage.
Index
- type KmsKeyProvider
- func (kmsKP *KmsKeyProvider[KT]) AddMasterKey(keyID string) (model.MasterKey, error)
- func (kmsKP *KmsKeyProvider[KT]) DecryptDataKey(ctx context.Context, encryptedDataKey model.EncryptedDataKeyI, ...) (model.DataKeyI, error)
- func (kmsKP *KmsKeyProvider[KT]) DecryptDataKeyFromList(ctx context.Context, encryptedDataKeys []model.EncryptedDataKeyI, ...) (model.DataKeyI, error)
- func (kmsKP *KmsKeyProvider[KT]) MasterKeyForDecrypt(ctx context.Context, metadata model.KeyMeta) (model.MasterKey, error)
- func (kmsKP *KmsKeyProvider[KT]) MasterKeysForDecryption() []model.MasterKey
- func (kmsKP *KmsKeyProvider[KT]) MasterKeysForEncryption(_ context.Context, _ suite.EncryptionContext) (model.MasterKey, []model.MasterKey, error)
- func (kmsKP *KmsKeyProvider[KT]) NewMasterKey(ctx context.Context, keyID string) (model.MasterKey, error)
- func (kmsKP *KmsKeyProvider[KT]) ProviderID() string
- func (kmsKP *KmsKeyProvider[KT]) ProviderKind() types.ProviderKind
- func (kmsKP *KmsKeyProvider[KT]) ValidateMasterKey(keyID string) error
- func (kmsKP *KmsKeyProvider[KT]) ValidateProviderID(otherID string) error
- type KmsProvider
- type Options
- type OptionsFunc
- func WithAwsLoadOptions(optFns ...func(options *config.LoadOptions) error) OptionsFunc
- func WithClientFactory(factory model.KMSClientFactory) OptionsFunc
- func WithDiscovery() OptionsFunc
- func WithDiscoveryFilter(accountIDs []string, partition string) OptionsFunc
- func WithDiscoveryRegion(region string) OptionsFunc
- func WithKeyFactory(keyFactory model.MasterKeyFactory) OptionsFunc
- func WithKeyProvider(keyProvider model.BaseKeyProvider) OptionsFunc
- func WithMrkAwareness() OptionsFunc
- type ProviderType
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type KmsKeyProvider
KmsKeyProvider is a KMS key provider.
func New
func New(keyIDs ...string) (*KmsKeyProvider[model.MasterKey], error)
New creates a new KmsKeyProvider with the given keyIDs.
If no keyIDs are provided, DiscoveryKmsProvider will be created.
Example DiscoveryKmsProvider in discovery mode:

    kmsProvider, err := kmsprovider.New()
    if err != nil {
        panic(err) // handle error
    }

Example StrictKmsProvider in strict mode:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.New(keyID)
    if err != nil {
        panic(err) // handle error
    }

Example StrictKmsProvider with multiple keyIDs:

    keyID1 := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    keyID2 := "arn:aws:kms:us-east-1:123456789011:key/22345678-1234-1234-1234-123456789012"
    kmsProvider, err := kmsprovider.New(keyID1, keyID2)
    if err != nil {
        panic(err) // handle error
    }

See examples for more detailed usage.
func NewWithOpts
func NewWithOpts(keyIDs []string, optFns ...func(options *Options) error) (*KmsKeyProvider[model.MasterKey], error)
NewWithOpts creates a new KmsKeyProvider with the given keyIDs.
It also accepts an optional variadic set of functional Options for configuring the provider.
See usage below and check examples for more detailed usage.
Example StrictKmsProvider with custom AWS config:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.NewWithOpts(
        []string{keyID},
        kmsprovider.WithAwsLoadOptions(
            // add more AWS Config options if needed
            config.WithSharedConfigProfile("your_profile_name"),
            config.WithRegion("us-west-2"),
        ),
    )
    if err != nil {
        panic(err) // handle error
    }

Example MrkAwareStrictKmsProvider:

    keyID := "arn:aws:kms:us-east-1:123456789011:key/12345678-1234-1234-1234-123456789011"
    kmsProvider, err := kmsprovider.NewWithOpts(
        []string{keyID},                // KMS CMK ARNs
        kmsprovider.WithMrkAwareness(), // enable MRK-aware
    )
    if err != nil {
        panic(err) // handle error
    }

Example DiscoveryKmsProvider with discovery filter:

    kmsProvider, err := kmsprovider.NewWithOpts(
        nil,
        // enable discovery, and filter by accountIDs and partition
        kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
    )
    if err != nil {
        panic(err) // handle error
    }

Example MrkAwareDiscoveryKmsProvider with discovery region and filter:

    kmsProvider, err := kmsprovider.NewWithOpts(
        nil,
        // enable discovery, and filter by accountIDs and partition
        kmsprovider.WithDiscoveryFilter([]string{"123456789011"}, "aws"),
        kmsprovider.WithMrkAwareness(),              // enable MRK-aware
        kmsprovider.WithDiscoveryRegion("us-west-2"), // specify region for discovery
    )
    if err != nil {
        panic(err) // handle error
    }
func (*KmsKeyProvider[KT]) AddMasterKey
func (kmsKP *KmsKeyProvider[KT]) AddMasterKey(keyID string) (model.MasterKey, error)
AddMasterKey validates the given keyID, checks that it does not already exist within the KMS provider, creates a KMS master key, and adds it to the master key provider.
func (*KmsKeyProvider[KT]) DecryptDataKey
func (kmsKP *KmsKeyProvider[KT]) DecryptDataKey(ctx context.Context, encryptedDataKey model.EncryptedDataKeyI, alg *suite.AlgorithmSuite, ec suite.EncryptionContext) (model.DataKeyI, error)
DecryptDataKey attempts to decrypt the encrypted data key with a KeyProvider.
func (*KmsKeyProvider[KT]) DecryptDataKeyFromList
func (kmsKP *KmsKeyProvider[KT]) DecryptDataKeyFromList(ctx context.Context, encryptedDataKeys []model.EncryptedDataKeyI, alg *suite.AlgorithmSuite, ec suite.EncryptionContext) (model.DataKeyI, error)
DecryptDataKeyFromList attempts to decrypt the encrypted data keys with a KeyProvider.
func (*KmsKeyProvider[KT]) MasterKeyForDecrypt
func (kmsKP *KmsKeyProvider[KT]) MasterKeyForDecrypt(ctx context.Context, metadata model.KeyMeta) (model.MasterKey, error)
MasterKeyForDecrypt returns kms.MasterKey for the given metadata.
First, it checks registered keys for Encrypt, then checks registered keys for Decrypt.
If the key is not found, it creates a new master key and adds it to the master key provider to be used for decryption.
This method is mainly used by keyprovider.KeyProvider when vendOnDecrypt is enabled.
func (*KmsKeyProvider[KT]) MasterKeysForDecryption
func (kmsKP *KmsKeyProvider[KT]) MasterKeysForDecryption() []model.MasterKey
MasterKeysForDecryption returns the list of master keys registered for encryption and decryption with the KMS Provider.
This method is mainly used by keyprovider.KeyProvider.
func (*KmsKeyProvider[KT]) MasterKeysForEncryption
func (kmsKP *KmsKeyProvider[KT]) MasterKeysForEncryption(_ context.Context, _ suite.EncryptionContext) (model.MasterKey, []model.MasterKey, error)
MasterKeysForEncryption returns the primary model.MasterKey and a list of master keys registered with the KMS Provider for encryption.
func (*KmsKeyProvider[KT]) NewMasterKey
func (kmsKP *KmsKeyProvider[KT]) NewMasterKey(ctx context.Context, keyID string) (model.MasterKey, error)
NewMasterKey returns a new instance of kms.MasterKey created by kms.KeyFactory.
It also checks if the keyID is allowed by the discovery filter.
func (*KmsKeyProvider[KT]) ProviderID
func (kmsKP *KmsKeyProvider[KT]) ProviderID() string
ProviderID returns the ID types.KmsProviderID.
func (*KmsKeyProvider[KT]) ProviderKind
func (kmsKP *KmsKeyProvider[KT]) ProviderKind() types.ProviderKind
ProviderKind returns the kind types.AwsKms.
func (*KmsKeyProvider[KT]) ValidateMasterKey
func (kmsKP *KmsKeyProvider[KT]) ValidateMasterKey(keyID string) error
ValidateMasterKey validates that the given keyID is a valid KMS key ARN.
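The three checks this package applies before a key can be used, the ARN validation in ValidateMasterKey, the discovery-filter check in NewMasterKey (configured with WithDiscoveryFilter), and the multi-region key matching that WithMrkAwareness enables, can be illustrated with a small self-contained model. This is an added example, not code from the kmsprovider package; KeyARN, ParseKeyARN, DiscoveryFilter, IsMRK and SameMRK are hypothetical names, and the rule that an MRK-aware provider ignores the region when comparing keys whose ID starts with "mrk-" is an assumption drawn from the AWS multi-region key naming convention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KeyARN is a parsed KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<id>.
type KeyARN struct{ Partition, Region, Account, KeyID string }

// ParseKeyARN splits and validates a KMS key ARN; bare key IDs and alias ARNs are rejected.
func ParseKeyARN(arn string) (KeyARN, error) {
	p := strings.Split(arn, ":")
	if len(p) != 6 || p[0] != "arn" || p[2] != "kms" || p[1] == "" || p[3] == "" || p[4] == "" {
		return KeyARN{}, errors.New("not a KMS key ARN: " + arn)
	}
	if !strings.HasPrefix(p[5], "key/") || p[5] == "key/" {
		return KeyARN{}, errors.New("resource must be key/<id>: " + p[5])
	}
	return KeyARN{p[1], p[3], p[4], strings.TrimPrefix(p[5], "key/")}, nil
}

// DiscoveryFilter models WithDiscoveryFilter: only keys owned by these accounts in this partition may decrypt.
type DiscoveryFilter struct {
	AccountIDs []string
	Partition  string
}

// Allows reports whether a parsed key ARN passes the filter (hypothetical helper).
func (f DiscoveryFilter) Allows(k KeyARN) bool {
	for _, a := range f.AccountIDs {
		if k.Partition == f.Partition && a == k.Account {
			return true
		}
	}
	return false
}

// IsMRK reports whether the key is a multi-region key (its ID starts with "mrk-").
func IsMRK(k KeyARN) bool { return strings.HasPrefix(k.KeyID, "mrk-") }

// SameMRK reports whether two ARNs name replicas of one multi-region key; an MRK-aware
// provider ignores the region for such keys (assumption), a strict provider compares the full ARN.
func SameMRK(a, b KeyARN) bool {
	return IsMRK(a) && IsMRK(b) && a.Partition == b.Partition && a.Account == b.Account && a.KeyID == b.KeyID
}

func main() {
	k, err := ParseKeyARN("arn:aws:kms:us-east-1:123456789011:key/mrk-1234abcd") // constructed sample ARN
	fmt.Println(k, err, DiscoveryFilter{[]string{"123456789011"}, "aws"}.Allows(k))
}
```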
func (*KmsKeyProvider[KT]) ValidateProviderID
func (kmsKP *KmsKeyProvider[KT]) ValidateProviderID(otherID string) error
ValidateProviderID validates that the master key provider ID matches the given provider ID.
type KmsProvider

    type KmsProvider interface {
        model.MasterKeyProvider
        // contains filtered or unexported methods
    }

KmsProvider is an interface for KMS providers.
type Options

    type Options struct {
        // contains filtered or unexported fields
    }

Options contains the configuration options for the KmsKeyProvider.
type OptionsFunc
OptionsFunc is a function that applies an option to the Options.
func WithAwsLoadOptions
func WithAwsLoadOptions(optFns ...func(options *config.LoadOptions) error) OptionsFunc
WithAwsLoadOptions sets the AWS configuration loaders for the KMS provider.
func WithClientFactory
func WithClientFactory(factory model.KMSClientFactory) OptionsFunc
WithClientFactory sets the KMS client factory for the KMS provider.
func WithDiscovery
func WithDiscovery() OptionsFunc
WithDiscovery enables the discovery mode for the KMS provider.
func WithDiscoveryFilter
func WithDiscoveryFilter(accountIDs []string, partition string) OptionsFunc
WithDiscoveryFilter sets the discovery filter for the KMS provider; it also enables the discovery mode.
func WithDiscoveryRegion
func WithDiscoveryRegion(region string) OptionsFunc
WithDiscoveryRegion sets the discovery region for the KMS provider.
func WithKeyFactory
func WithKeyFactory(keyFactory model.MasterKeyFactory) OptionsFunc
WithKeyFactory sets the master key factory for the KMS provider.
func WithKeyProvider
func WithKeyProvider(keyProvider model.BaseKeyProvider) OptionsFunc
WithKeyProvider sets the base key provider for the KMS provider.
func WithMrkAwareness
func WithMrkAwareness() OptionsFunc
WithMrkAwareness enables the multi-region key awareness for the KMS provider.
type ProviderType
type ProviderType int
ProviderType represents the type of KMS Provider.

    const (
        StrictKmsProvider            ProviderType = iota // Default Strict KMS Provider
        MrkAwareStrictKmsProvider                        // MRK-Aware Strict KMS Provider
        DiscoveryKmsProvider                             // Discovery-Enabled KMS Provider
        MrkAwareDiscoveryKmsProvider                     // MRK-Aware Discovery-Enabled KMS Provider
    )

func (ProviderType) String
func (k ProviderType) String() string
String returns the string representation of the KMS Provider type.