public async Task DataIsLessThenMaximumConfiguration_DecryptsBackCorrectly()
{
var data = "123";
var encryptedData = await mDecorator.Encrypt(data, "a-service-account");
var decryptedString = await mDecorator.Decrypt(encryptedData, "a-service-account");
Assert.Equal(data, decryptedString);
}
public async Task TestFullFlow()
{
var sa = "sa:namespace";
var data = "data";
var encrypted = await mGoogleCloudKeyManagement.Encrypt(data, sa);
var decrypted = await mGoogleCloudKeyManagement.Decrypt(encrypted, sa);
Assert.Equal(data, decrypted);
}
public async Task TestFullFlow()
{
var data = "test";
var serviceAccountId = "default:default:";
var encryptedData = await mAzureKeyManagement.Encrypt(data, serviceAccountId);
var decryptedData = await mAzureKeyManagement.Decrypt(encryptedData, serviceAccountId);
Assert.Equal(data, decryptedData);
}
public Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
return(EnvelopeEncryptionUtils.Unwrap(encryptedData).Match(
some: async t =>
{
(string encryptedDataKey, byte[] iv, byte[] actualEncryptedData) = t;
var key = await mMasterKeyManagement.Decrypt(encryptedDataKey, serviceAccountId);
var decrypted = RijndaelUtils.Decrypt(Convert.FromBase64String(key), iv, actualEncryptedData);
return Encoding.UTF8.GetString(decrypted);
},
none: () => mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId)
));
}
public async static Task <Dictionary <string, T> > DecryptItems <T>(
this IKeyManagement keyManagement,
Dictionary <string, string> source,
string serviceAccountId,
Action <Exception, string> errorHandler,
Func <string, T> mapper)
{
var result = new Dictionary <string, T>();
if (source == null)
{
return(result);
}
foreach (var(key, value) in source)
{
try
{
var decrypted = await keyManagement.Decrypt(value, serviceAccountId);
result.Add(key, mapper(decrypted));
}
catch (Exception e)
{
errorHandler(e, key);
}
}
return(result);
}
public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
var regex = new Regex(@"(env)\$(.*)\$(.*)");
var match = regex.Match(encryptedData);
if (!match.Success)
{
return(await mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId));
}
mLogger.Information("Encrypted data mactched envelope encryption pattern");
var encryptedKey = match.Groups[2].Value;
var extractedEncryptedData = match.Groups[3].Value;
var key = await mMasterKeyManagement.Decrypt(encryptedKey, serviceAccountId);
mDataKeyManagement.SetEncryptionKey(key);
return(await mDataKeyManagement.Decrypt(extractedEncryptedData, serviceAccountId));
}
private async Task HandleAdd(KamusSecret kamusSecret)
{
var @namespace = kamusSecret.Metadata.NamespaceProperty ?? "default";
var serviceAccount = kamusSecret.ServiceAccount;
var id = $"{@namespace}:{serviceAccount}";
var decryptedItems = new Dictionary <string, string>();
mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namesapce {namespace}",
kamusSecret.Metadata.Name,
@namespace);
foreach (var item in kamusSecret.Data)
{
try
{
var decrypted = await mKeyManagement.Decrypt(item.Value, id);
decryptedItems.Add(item.Key, decrypted);
}
catch (Exception e)
{
Log.Error(e, "Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namesapce {namespace}",
item.Key,
kamusSecret.Metadata.Name,
@namespace);
return;
}
}
mLogger.Debug("KamusSecret items decrypted successfully. KamusSecret {name} in namesapce {namespace}",
kamusSecret.Metadata.Name,
@namespace);
var secret = new V1Secret
{
Metadata = new V1ObjectMeta
{
Name = kamusSecret.Metadata.Name,
NamespaceProperty = @namespace
},
Type = kamusSecret.Type,
StringData = decryptedItems
};
await mKubernetes.CreateNamespacedSecretAsync(secret, @namespace);
mAuditLogger.Information("Created a secret from KamusSecret {name} in namesapce {namespace successfully.",
kamusSecret.Metadata.Name,
@namespace);
}
public async Task DataIsMoreThenMaximumConfiguration_EnvelopeApplied_DecryptsBackCorrectly()
{
var randomString = new string('*', 16);
var encryptedData = await mDecorator.Encrypt(randomString, "a-service-account");
Assert.Contains("env$", encryptedData);
InitializeKeyManagement(); // reset the key management services to simulate new call to decrypt
var decryptedString = await mDecorator.Decrypt(encryptedData, "a-service-account");
Assert.Equal(randomString, decryptedString);
}
public async Task <ActionResult> Decrypt([FromBody] DecryptRequest body)
{
if (!ModelState.IsValid)
{
mAuditLogger.Warning("Bad request to Decrypt API: {sourceIP} {validationState}",
Request.HttpContext.Connection.RemoteIpAddress,
ModelState.ValidationState);
return(BadRequest("One or more of required fields doesn't present in the request body."));
}
var serviceAccountUserName = User.Claims.FirstOrDefault(claim => claim.Type == "name")?.Value;
if (string.IsNullOrEmpty(serviceAccountUserName) ||
!serviceAccountUserName.StartsWith(ServiceAccountUsernamePrefix, StringComparison.InvariantCulture))
{
mAuditLogger.Information("Unauthorized decrypt request, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
Request.HttpContext.Connection.RemoteIpAddress,
serviceAccountUserName);
return(StatusCode(403));
}
var id = serviceAccountUserName.Replace(ServiceAccountUsernamePrefix, "");
int position = id.IndexOf(":");
id = id.Substring(position + 1);
mAuditLogger.Information("Decryption request started, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
Request.HttpContext.Connection.RemoteIpAddress,
id);
try
{
var data = await mKeyManagement.Decrypt(body.EncryptedData, id);
mAuditLogger.Information("Decryption request succeeded, SourceIP: {sourceIp}, ServiceAccount user Name: {sa}",
Request.HttpContext.Connection.RemoteIpAddress,
id);
return(Content(data));
}
catch (DecryptionFailureException e)
{
mLogger.Warning(e, "Decryption request failed, SourceIP: {sourceIp}, ServiceAccount: {sa}",
Request.HttpContext.Connection.RemoteIpAddress,
serviceAccountUserName);
return(StatusCode(400));
}
}
private async Task <V1Secret> CreateSecret(KamusSecret kamusSecret)
{
var @namespace = kamusSecret.Metadata.NamespaceProperty ?? "default";
var serviceAccount = kamusSecret.ServiceAccount;
var id = $"{@namespace}:{serviceAccount}";
var decryptedItems = new Dictionary <string, string>();
mLogger.Debug("Starting decrypting KamusSecret items. KamusSecret {name} in namespace {namespace}",
kamusSecret.Metadata.Name,
@namespace);
foreach (var(key, value) in kamusSecret.Data)
{
try
{
var decrypted = await mKeyManagement.Decrypt(value, id);
decryptedItems.Add(key, decrypted);
}
catch (Exception e)
{
mLogger.Error(e,
"Failed to decrypt KamusSecret key {key}. KamusSecret {name} in namespace {namespace}",
key,
kamusSecret.Metadata.Name,
@namespace);
}
}
mLogger.Debug("KamusSecret items decrypted successfully. KamusSecret {name} in namespace {namespace}",
kamusSecret.Metadata.Name,
@namespace);
return(new V1Secret
{
Metadata = new V1ObjectMeta
{
Name = kamusSecret.Metadata.Name,
NamespaceProperty = @namespace
},
Type = kamusSecret.Type,
StringData = decryptedItems
});
}
public async Task <ActionResult> Decrypt([FromBody] DecryptRequest body)
{
var serviceAccountUserName = User.Claims.FirstOrDefault(claim => claim.Type == "name")?.Value;
if (string.IsNullOrEmpty(serviceAccountUserName) ||
!serviceAccountUserName.StartsWith(ServiceAccountUsernamePrefix, StringComparison.InvariantCulture))
{
mAuditLogger.Information("Unauthorized decrypt request, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
Request.HttpContext.Connection.RemoteIpAddress,
serviceAccountUserName);
return(StatusCode(403));
}
var id = serviceAccountUserName.Replace(ServiceAccountUsernamePrefix, "");
mAuditLogger.Information("Decryption request started, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
Request.HttpContext.Connection.RemoteIpAddress,
id);
try
{
var data = await mKeyManagement.Decrypt(body.EncryptedData, id);
mAuditLogger.Information("Decryption request succeeded, SourceIP: {sourceIp}, ServiceAccount user Name: {sa}",
Request.HttpContext.Connection.RemoteIpAddress,
id);
return(Content(data));
}
catch (DecryptionFailureException e)
{
mLogger.Warning(e, "Decryption request failed, SourceIP: {sourceIp}, ServiceAccount: {sa}",
Request.HttpContext.Connection.RemoteIpAddress,
serviceAccountUserName);
return(StatusCode(400));
}
}