gcpkms

package

Documentation

Overview

Package gcpkms implements keys.ManagerInterface with a Google Cloud Platform Key Management Service (GCP KMS) client.

The key management operations Bootstrap/Rotate/Wipeout are primarily implemented in rotate/, but any extra KMS-specific arguments for the commands are defined as context types within their respective <command>.go file.

Index

Constants

This section is empty.

Variables

var (

	// ErrNoKeyVersions is returned when bootstrapping, after creating a key, finds no key
	// version in the ENABLED or PENDING_GENERATION state under it, i.e. the key exists but
	// has nothing usable (or about to become usable) for signing.
	ErrNoKeyVersions = errors.New("no enabled or pending_generation key versions post key-creation")
	// ErrNoBootstrapContext is returned by FromBootstrapContext when the context carries no
	// *BootstrapContext (NewBootstrapContext was never applied to it).
	ErrNoBootstrapContext = errors.New("no gcpkms.BootstrapContext in context")
)
var (
	// ErrNoSigningKeyContext is returned by FromSigningKeyContext when the context carries no
	// *SigningKeyContext (NewSigningKeyContext was never applied to it).
	ErrNoSigningKeyContext = errors.New("no gcpkms.SigningKeyContext in context")
)

Functions

func NewBootstrapContext

func NewBootstrapContext(ctx context.Context, f *BootstrapContext) context.Context

NewBootstrapContext returns ctx extended with the given gcpkms.BootstrapContext, so that FromBootstrapContext can retrieve it later.

func NewSigningKeyContext

func NewSigningKeyContext(ctx context.Context, f *SigningKeyContext) context.Context

NewSigningKeyContext returns ctx extended with the given gcpkms.SigningKeyContext.

Types

type BootstrapContext

type BootstrapContext struct {
	// RootKeyID is the base name of the root key (cryptoKey) to create within the Manager's
	// project, location, and key ring.
	RootKeyID string
	// SigningKeyID is the base name of the signing key (cryptoKey) to create within the same
	// project, location, and key ring.
	SigningKeyID string
	// SigningKeyOperators are IAM member strings (e.g. "serviceAccount:...") that bootstrapping
	// binds to the signing key as operators. NOTE(review): the exact IAM role granted is not
	// visible here — confirm in rotate/. Presumably every member listed can sign with the key,
	// so keep this list to the identities that must produce endorsements (least privilege).
	SigningKeyOperators []string
}

BootstrapContext encapsulates the KMS-specific options for key bootstrapping.

func FromBootstrapContext

func FromBootstrapContext(ctx context.Context) (*BootstrapContext, error)

FromBootstrapContext returns the gcpkms.BootstrapContext stored in ctx, or ErrNoBootstrapContext if none was attached with NewBootstrapContext.

func (*BootstrapContext) AddFlags

func (kbc *BootstrapContext) AddFlags(cmd *cobra.Command)

AddFlags adds GCP KMS cryptoKey name flags for the root and signing keys to create.

func (*BootstrapContext) InitContext

func (kbc *BootstrapContext) InitContext(ctx context.Context) (context.Context, error)

InitContext returns the given context without changes.

func (*BootstrapContext) PersistentPreRunE

func (kbc *BootstrapContext) PersistentPreRunE(*cobra.Command, []string) (err error)

PersistentPreRunE returns an error if either root_key or signing_key is unset.

type Manager

type Manager struct {
	// Project is the GCP project that will own the key ring and keys. It is the project
	// component of every CloudKMS resource name built by FullLocationName, FullKeyRingName
	// and FullKeyName.
	Project string
	// Location is the GCP location that will host the key ring.
	Location string
	// KeyRingID is the base name of the key ring within Project and Location.
	KeyRingID string
	// KeyClient is a connected CloudKMS client used for the key and key-version operations
	// (create, rotate, destroy, sign, fetch public key).
	KeyClient kmspb.KeyManagementServiceClient
	// IAMClient is a connected IAM policy client; presumably used to grant the
	// BootstrapContext.SigningKeyOperators access to the signing key — confirm in rotate/.
	IAMClient iampb.IAMPolicyClient
}

Manager defines KMS-specific input parameters for key operations.

func (*Manager) AddFlags

func (m *Manager) AddFlags(cmd *cobra.Command)

AddFlags defines GCP KMS-specific key management flags for all key subcommands.

func (*Manager) CertificateTemplate

func (m *Manager) CertificateTemplate(ctx context.Context, issuer *x509.Certificate, subjectPubKey any) (*x509.Certificate, error)

CertificateTemplate returns a certificate template that will be used for signing.

func (*Manager) CreateFirstSigningKey

func (m *Manager) CreateFirstSigningKey(ctx context.Context) (string, error)

CreateFirstSigningKey is called during CA bootstrapping to create the first signing key that can be used for endorse.

func (*Manager) CreateNewRootKey

func (m *Manager) CreateNewRootKey(ctx context.Context) (string, error)

CreateNewRootKey establishes a new key for use as the root CA key.

func (*Manager) CreateNewSigningKeyVersion

func (m *Manager) CreateNewSigningKeyVersion(ctx context.Context) (string, error)

CreateNewSigningKeyVersion is meant for key rotation: it creates a new version of the existing signing key, so it is callable once CreateFirstSigningKey has run during bootstrap. The signing key's name must be available from the context (see SigningKeyContext).

func (*Manager) DestroyKeyVersion

func (m *Manager) DestroyKeyVersion(ctx context.Context, keyVersionName string) error

DestroyKeyVersion destroys a single key version identified by its full CloudKMS resource name. Note that Cloud KMS schedules destruction rather than deleting immediately: until the scheduled-destruction period elapses the version can still be restored, so a successful return must not be treated as irrecoverable deletion.

func (*Manager) FullKeyName

func (m *Manager) FullKeyName(keyName string) string

FullKeyName returns the key name as CloudKMS understands names given the project, location, key ring name, and key name.

func (*Manager) FullKeyRingName

func (m *Manager) FullKeyRingName() string

FullKeyRingName returns the keyRing name as CloudKMS understands names given the project, location, and the keyRing name.

func (*Manager) FullLocationName

func (m *Manager) FullLocationName() string

FullLocationName returns the location-based parent resource name as CloudKMS understands names given the project and location names.

func (*Manager) InitContext

func (m *Manager) InitContext(ctx context.Context) (context.Context, error)

InitContext initializes keys.Context's Manager to the gcpkms.Manager and the signer to a gcpkms Signer.

func (*Manager) PersistentPreRunE

func (m *Manager) PersistentPreRunE(*cobra.Command, []string) error

PersistentPreRunE returns an error if any flag values are invalid.

func (*Manager) Wipeout

func (m *Manager) Wipeout(ctx context.Context) error

Wipeout destroys all keys created and persisted by this interface. It is a destructive teardown operation: once the root and signing key versions are destroyed (subject to Cloud KMS's scheduled-destruction behavior), nothing can be signed or re-issued with them, so the command should be restricted to the identities that must be able to run it.

type Signer

type Signer struct {
	// Manager supplies the connected KMS client and the project/location/key-ring naming that
	// PublicKey and Sign use to address key versions. The private key stays in Cloud KMS.
	Manager *Manager
}

Signer implements sops.Signer for signing hashes with named keys.

func (*Signer) PublicKey

func (s *Signer) PublicKey(ctx context.Context, keyVersionName string) ([]byte, error)

PublicKey returns the public key for the named key version.

func (*Signer) Sign

func (s *Signer) Sign(ctx context.Context, keyVersionName string, digest styp.Digest, opts crypto.SignerOpts) ([]byte, error)

Sign uses the Signer's key manager to sign a digest with the key version named by keyVersionName. The caller supplies the precomputed digest together with crypto.SignerOpts naming the hash function that produced it; that hash must match the key version's signing algorithm, as the KMS signs the digest as given.

type SigningKeyContext

type SigningKeyContext struct {
	// SigningKeyID is the base name of the existing signing key (cryptoKey) whose next version
	// is created during rotation (see CreateNewSigningKeyVersion), within the Manager's
	// project, location, and key ring.
	SigningKeyID string
}

SigningKeyContext holds the KMS-specific arguments needed for specifying a key rotation.

func FromSigningKeyContext

func FromSigningKeyContext(ctx context.Context) (*SigningKeyContext, error)

FromSigningKeyContext returns the gcpkms.SigningKeyContext stored in ctx, or ErrNoSigningKeyContext if none was attached with NewSigningKeyContext.

func (*SigningKeyContext) AddFlags

func (skc *SigningKeyContext) AddFlags(cmd *cobra.Command)

AddFlags adds a GCP KMS cryptoKey name flag for the signing key to rotate.

func (*SigningKeyContext) InitContext

func (*SigningKeyContext) InitContext(ctx context.Context) (context.Context, error)

InitContext returns the given context without changes.

func (*SigningKeyContext) PersistentPreRunE

func (skc *SigningKeyContext) PersistentPreRunE(*cobra.Command, []string) error

PersistentPreRunE returns an error if signing_key is unset.
