1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
use rsb_derive::*;
use crate::*;
use async_trait::async_trait;
use gcloud_sdk::google::cloud::kms::v1::key_management_service_client::KeyManagementServiceClient;
use gcloud_sdk::google::cloud::kms::v1::*;
use gcloud_sdk::proto_ext::kms::*;
use gcloud_sdk::*;
use tracing::*;
use rvstruct::ValueStruct;
use secret_vault_value::SecretValue;
use tonic::metadata::MetadataValue;
#[derive(Debug, Clone, Eq, PartialEq, Builder)]
pub struct GcpKmsKeyRef {
pub google_project_id: String,
pub location: String,
pub key_ring: String,
pub key: String,
}
impl GcpKmsKeyRef {
fn to_google_ref(&self) -> String {
format!(
"projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}",
self.google_project_id, self.location, self.key_ring, self.key
)
}
}
pub struct GcpKmsProvider {
client: GoogleApi<KeyManagementServiceClient<GoogleAuthMiddleware>>,
gcp_key_ref: GcpKmsKeyRef,
}
impl GcpKmsProvider {
pub async fn new(kms_key_ref: &GcpKmsKeyRef) -> KmsAeadResult<Self> {
debug!(
"Initialising Google KMS envelope encryption for {}",
kms_key_ref.to_google_ref()
);
let client: GoogleApi<KeyManagementServiceClient<GoogleAuthMiddleware>> =
GoogleApi::from_function(
KeyManagementServiceClient::new,
"https://cloudkms.googleapis.com",
None,
)
.await?;
Ok(Self {
gcp_key_ref: kms_key_ref.clone(),
client,
})
}
}
#[async_trait]
impl KmsAeadRingEncryptionProvider for GcpKmsProvider {
async fn encrypt_session_key(
&self,
session_key: SecretValue,
) -> KmsAeadResult<EncryptedSessionKey> {
let mut encrypt_request = tonic::Request::new(EncryptRequest {
name: self.gcp_key_ref.to_google_ref(),
plaintext: secret_vault_value::SecretValue::new(
hex::encode(session_key.ref_sensitive_value().as_slice()).into_bytes(),
),
..Default::default()
});
encrypt_request.metadata_mut().insert(
"x-goog-request-params",
MetadataValue::<tonic::metadata::Ascii>::try_from(format!(
"name={}",
self.gcp_key_ref.to_google_ref()
))
.unwrap(),
);
let encrypt_response = self.client.get().encrypt(encrypt_request).await?;
Ok(EncryptedSessionKey(secret_vault_value::SecretValue::new(
encrypt_response.into_inner().ciphertext,
)))
}
async fn decrypt_session_key(
&self,
encrypted_session_secret: &EncryptedSessionKey,
) -> KmsAeadResult<SecretValue> {
let mut decrypt_request = tonic::Request::new(DecryptRequest {
name: self.gcp_key_ref.to_google_ref(),
ciphertext: encrypted_session_secret
.value()
.ref_sensitive_value()
.clone(),
..Default::default()
});
decrypt_request.metadata_mut().insert(
"x-goog-request-params",
MetadataValue::<tonic::metadata::Ascii>::try_from(format!(
"name={}",
self.gcp_key_ref.to_google_ref()
))
.unwrap(),
);
let decrypt_response = self.client.get().decrypt(decrypt_request).await?;
Ok(secret_vault_value::SecretValue::new(
hex::decode(
decrypt_response
.into_inner()
.plaintext
.ref_sensitive_value(),
)
.unwrap(),
))
}
}
