rust/hyperswitch
1
0
Fork 0
mirror of https://github.com/juspay/hyperswitch.git synced 2025-11-01 02:57:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: kms decryption of redis_temp_locker_encryption_key (#2650)

Browse Source 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This commit is contained in:
Abhishek Marrivagu
2023-10-20 18:10:55 +05:30
committed by GitHub
parent 949937e364
commit 5a6601fad4
5 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
crates/external_services/src/kms.rs
View File

@ -120,6 +120,14 @@ pub enum KmsError {
/// The KMS client has not been initialized. /// The KMS client has not been initialized.
#[error("The KMS client has not been initialized")] #[error("The KMS client has not been initialized")]
KmsClientNotInitialized, KmsClientNotInitialized,
/// The KMS client has not been initialized.
#[error("Hex decode failed")]
HexDecodeFailed,
/// The KMS client has not been initialized.
#[error("Utf8 decode failed")]
Utf8DecodeFailed,
} }
impl KmsConfig { impl KmsConfig {
@ -140,7 +148,7 @@ impl KmsConfig {
/// A wrapper around a KMS value that can be decrypted. /// A wrapper around a KMS value that can be decrypted.
#[derive(Clone, Debug, Default, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, Default, serde::Deserialize, Eq, PartialEq)]
#[serde(transparent)] #[serde(transparent)]
pub struct KmsValue(Secret<String>); pub struct KmsValue(pub Secret<String>);
impl common_utils::ext_traits::ConfigExt for KmsValue { impl common_utils::ext_traits::ConfigExt for KmsValue {
fn is_empty_after_trim(&self) -> bool { fn is_empty_after_trim(&self) -> bool {

16
crates/router/src/configs/kms.rs
View File

@ -1,5 +1,6 @@
use common_utils::errors::CustomResult; use common_utils::errors::CustomResult;
use external_services::kms::{decrypt::KmsDecrypt, KmsClient, KmsError}; use error_stack::{IntoReport, ResultExt};
use external_services::kms::{decrypt::KmsDecrypt, KmsClient, KmsError, KmsValue};
use masking::ExposeInterface; use masking::ExposeInterface;
use crate::configs::settings; use crate::configs::settings;
@ -41,6 +42,19 @@ impl KmsDecrypt for settings::ActiveKmsSecrets {
kms_client: &KmsClient, kms_client: &KmsClient,
) -> CustomResult<Self::Output, KmsError> { ) -> CustomResult<Self::Output, KmsError> {
self.jwekey = self.jwekey.expose().decrypt_inner(kms_client).await?.into(); self.jwekey = self.jwekey.expose().decrypt_inner(kms_client).await?.into();
self.redis_temp_locker_encryption_key = hex::decode(
KmsValue(
String::from_utf8(self.redis_temp_locker_encryption_key.expose())
.into_report()
.change_context(KmsError::Utf8DecodeFailed)?
.into(),
)
.decrypt_inner(kms_client)
.await?,
)
.into_report()
.change_context(KmsError::HexDecodeFailed)?
.into();
Ok(self) Ok(self)
} }
} }

2
crates/router/src/configs/settings.rs
View File

@ -52,7 +52,7 @@ pub enum Subcommand {
#[derive(Clone)] #[derive(Clone)]
pub struct ActiveKmsSecrets { pub struct ActiveKmsSecrets {
pub jwekey: masking::Secret<Jwekey>, pub jwekey: masking::Secret<Jwekey>,
pub redis_temp_locker_encryption_key: masking::Secret<String>, pub redis_temp_locker_encryption_key: masking::Secret<Vec<u8>>,
} }
#[derive(Debug, Deserialize, Clone, Default)] #[derive(Debug, Deserialize, Clone, Default)]

1
crates/router/src/core/payment_methods/vault.rs
View File

@ -721,7 +721,6 @@ fn get_redis_temp_locker_encryption_key(state: &routes::AppState) -> RouterResul
.kms_secrets .kms_secrets
.redis_temp_locker_encryption_key .redis_temp_locker_encryption_key
.peek() .peek()
.as_bytes()
.to_owned(); .to_owned();
#[cfg(not(feature = "kms"))] #[cfg(not(feature = "kms"))]

1
crates/router/src/routes/app.rs
View File

@ -132,6 +132,7 @@ impl AppState {
.locker .locker
.redis_temp_locker_encryption_key .redis_temp_locker_encryption_key
.clone() .clone()
.into_bytes()
.into(), .into(),
} }
.decrypt_inner(kms_client) .decrypt_inner(kms_client)