rust/hyperswitch
1
0
Fork 0
mirror of https://github.com/juspay/hyperswitch.git synced 2025-10-29 00:49:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor(config): Add new type for kms encrypted values (#1823)

Browse Source
This commit is contained in:
Sampras Lopes
2023-08-02 14:25:23 +05:30
committed by GitHub
parent de875e6935
commit 73ed7ae7e3
21 changed files with 214 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.lock generated
View File

@ -1811,6 +1811,7 @@ dependencies = [
"diesel_models",
"error-stack",
"external_services",
"masking",
"once_cell",
"redis_interface",
"router_env",

8
config/config.example.toml
View File

@ -20,24 +20,22 @@ request_body_limit = 16_384
# Main SQL data store credentials
[master_database]
username = "db_user" # DB Username
password = "db_pass" # DB Password. Only applicable when KMS is disabled.
password = "db_pass" # DB Password. Use base-64 encoded kms encrypted value here when kms is enabled
host = "localhost" # DB Host
port = 5432 # DB Port
dbname = "hyperswitch_db" # Name of Database
pool_size = 5 # Number of connections to keep open
connection_timeout = 10 # Timeout for database connection in seconds
kms_encrypted_password = "" # Base64-encoded (KMS encrypted) ciphertext of the database password. Only applicable when KMS is enabled.
# Replica SQL data store credentials
[replica_database]
username = "replica_user" # DB Username
password = "replica_pass" # DB Password. Only applicable when KMS is disabled.
password = "db_pass" # DB Password. Use base-64 encoded kms encrypted value here when kms is enabled
host = "localhost" # DB Host
port = 5432 # DB Port
dbname = "hyperswitch_db" # Name of Database
pool_size = 5 # Number of connections to keep open
connection_timeout = 10 # Timeout for database connection in seconds
kms_encrypted_password = "" # Base64-encoded (KMS encrypted) ciphertext of the database password. Only applicable when KMS is enabled.
# Redis credentials
[redis]
@ -101,6 +99,8 @@ admin_api_key = "test_admin" # admin API key for admin authentication. Only
kms_encrypted_admin_api_key = "" # Base64-encoded (KMS encrypted) ciphertext of the admin_api_key. Only applicable when KMS is enabled.
jwt_secret = "secret" # JWT secret used for user authentication. Only applicable when KMS is disabled.
kms_encrypted_jwt_secret = "" # Base64-encoded (KMS encrypted) ciphertext of the jwt_secret. Only applicable when KMS is enabled.
recon_admin_api_key = "recon_test_admin" # recon_admin API key for recon authentication. Only applicable when KMS is disabled.
kms_encrypted_recon_admin_api_key = "" # Base64-encoded (KMS encrypted) ciphertext of the recon_admin_api_key. Only applicable when KMS is enabled
# Locker settings contain details for accessing a card locker, a
# PCI Compliant storage entity which stores payment method information

2
config/development.toml
View File

@ -33,6 +33,8 @@ connection_timeout = 10
[secrets]
admin_api_key = "test_admin"
master_enc_key = "73ad7bbbbc640c845a150f67d058b279849370cd2c1f3c67c4dd6c869213e13a"
jwt_secret = "secret"
recon_admin_api_key = "recon_test_admin"
[locker]
host = ""

1
config/docker_compose.toml
View File

@ -40,6 +40,7 @@ pool_size = 5
admin_api_key = "test_admin"
jwt_secret = "secret"
master_enc_key = "73ad7bbbbc640c845a150f67d058b279849370cd2c1f3c67c4dd6c869213e13a"
recon_admin_api_key = "recon_test_admin"
[locker]
host = ""

26
crates/common_utils/src/ext_traits.rs
View File

@ -4,7 +4,7 @@
//!
use error_stack::{IntoReport, ResultExt};
use masking::{ExposeInterface, Secret, Strategy};
use masking::{ExposeInterface, PeekInterface, Secret, Strategy};
use quick_xml::de;
use serde::{Deserialize, Serialize};
@ -428,6 +428,30 @@ impl ConfigExt for String {
}
}
impl<T, U> ConfigExt for Secret<T, U>
where
T: ConfigExt + Default + PartialEq<T>,
U: Strategy<T>,
{
fn is_default(&self) -> bool
where
T: Default + PartialEq<T>,
{
*self.peek() == T::default()
}
fn is_empty_after_trim(&self) -> bool {
self.peek().is_empty_after_trim()
}
fn is_default_or_empty(&self) -> bool
where
T: Default + PartialEq<T>,
{
self.peek().is_default() || self.peek().is_empty_after_trim()
}
}
/// Extension trait for deserializing XML strings using `quick-xml` crate
pub trait XmlExt {
///

1
crates/drainer/Cargo.toml
View File

@ -28,6 +28,7 @@ tokio = { version = "1.28.2", features = ["macros", "rt-multi-thread"] }
# First Party Crates
common_utils = { version = "0.1.0", path = "../common_utils", features = ["signals"] }
external_services = { version = "0.1.0", path = "../external_services" }
masking = { version = "0.1.0", path = "../masking" }
redis_interface = { version = "0.1.0", path = "../redis_interface" }
router_env = { version = "0.1.0", path = "../router_env", features = ["log_extra_implicit_fields", "log_custom_entries_to_extra"] }
diesel_models = { version = "0.1.0", path = "../diesel_models", features = ["kv_store"] }

16
crates/drainer/src/connection.rs
View File

@ -1,7 +1,9 @@
use bb8::PooledConnection;
use diesel::PgConnection;
#[cfg(feature = "kms")]
use external_services::kms;
use external_services::kms::{self, decrypt::KmsDecrypt};
#[cfg(not(feature = "kms"))]
use masking::PeekInterface;
use crate::settings::Database;
@ -20,17 +22,17 @@ pub async fn redis_connection(
pub async fn diesel_make_pg_pool(
database: &Database,
_test_transaction: bool,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &'static kms::KmsClient,
) -> PgPool {
#[cfg(feature = "kms")]
let password = kms::get_kms_client(kms_config)
let password = database
.password
.decrypt_inner(kms_client)
.await
.decrypt(&database.kms_encrypted_password)
.await
.expect("Failed to KMS decrypt database password");
.expect("Failed to decrypt password");
#[cfg(not(feature = "kms"))]
let password = &database.password;
let password = &database.password.peek();
let database_url = format!(
"postgres://{}:{}@{}:{}/{}",

2
crates/drainer/src/services.rs
View File

@ -22,7 +22,7 @@ impl Store {
&config.master_database,
test_transaction,
#[cfg(feature = "kms")]
&config.kms,
external_services::kms::get_kms_client(&config.kms).await,
)
.await,
redis_conn: Arc::new(crate::connection::redis_connection(config).await),

37
crates/drainer/src/settings.rs
View File

@ -11,6 +11,11 @@ use serde::Deserialize;
use crate::errors;
#[cfg(feature = "kms")]
pub type Password = kms::KmsValue;
#[cfg(not(feature = "kms"))]
pub type Password = masking::Secret<String>;
#[derive(clap::Parser, Default)]
#[cfg_attr(feature = "vergen", command(version = router_env::version!()))]
pub struct CmdLineConf {
@ -35,15 +40,12 @@ pub struct Settings {
#[serde(default)]
pub struct Database {
pub username: String,
#[cfg(not(feature = "kms"))]
pub password: String,
pub password: Password,
pub host: String,
pub port: u16,
pub dbname: String,
pub pool_size: u32,
pub connection_timeout: u64,
#[cfg(feature = "kms")]
pub kms_encrypted_password: String,
}
#[derive(Debug, Clone, Deserialize)]
@ -60,15 +62,12 @@ impl Default for Database {
fn default() -> Self {
Self {
username: String::new(),
#[cfg(not(feature = "kms"))]
password: String::new(),
password: Password::default(),
host: "localhost".into(),
port: 5432,
dbname: String::new(),
pool_size: 5,
connection_timeout: 10,
#[cfg(feature = "kms")]
kms_encrypted_password: String::new(),
}
}
}
@ -107,23 +106,11 @@ impl Database {
))
})?;
#[cfg(not(feature = "kms"))]
{
when(self.password.is_default_or_empty(), || {
Err(errors::DrainerError::ConfigParsingError(
"database user password must not be empty".into(),
))
})
}
#[cfg(feature = "kms")]
{
when(self.kms_encrypted_password.is_default_or_empty(), || {
Err(errors::DrainerError::ConfigParsingError(
"database KMS encrypted password must not be empty".into(),
))
})
}
when(self.password.is_default_or_empty(), || {
Err(errors::DrainerError::ConfigParsingError(
"database user password must not be empty".into(),
))
})
}
}

20
crates/external_services/src/kms.rs
View File

@ -7,7 +7,10 @@ use aws_sdk_kms::{config::Region, primitives::Blob, Client};
use base64::Engine;
use common_utils::errors::CustomResult;
use error_stack::{IntoReport, ResultExt};
use masking::{PeekInterface, Secret};
use router_env::logger;
/// decrypting data using the AWS KMS SDK.
pub mod decrypt;
use crate::{consts, metrics};
@ -15,7 +18,7 @@ static KMS_CLIENT: tokio::sync::OnceCell<KmsClient> = tokio::sync::OnceCell::con
/// Returns a shared KMS client, or initializes a new one if not previously initialized.
#[inline]
pub async fn get_kms_client(config: &KmsConfig) -> &KmsClient {
pub async fn get_kms_client(config: &KmsConfig) -> &'static KmsClient {
KMS_CLIENT.get_or_init(|| KmsClient::new(config)).await
}
@ -113,6 +116,10 @@ pub enum KmsError {
/// An error occurred UTF-8 decoding KMS decrypted output.
#[error("Failed to UTF-8 decode decryption output")]
Utf8DecodingFailed,
/// The KMS client has not been initialized.
#[error("The KMS client has not been initialized")]
KmsClientNotInitialized,
}
impl KmsConfig {
@ -129,3 +136,14 @@ impl KmsConfig {
})
}
}
/// A wrapper around a KMS value that can be decrypted.
#[derive(Clone, Debug, Default, serde::Deserialize, Eq, PartialEq)]
#[serde(transparent)]
pub struct KmsValue(Secret<String>);
impl common_utils::ext_traits::ConfigExt for KmsValue {
fn is_empty_after_trim(&self) -> bool {
self.0.peek().is_empty_after_trim()
}
}

34
crates/external_services/src/kms/decrypt.rs Normal file
View File

@ -0,0 +1,34 @@
use common_utils::errors::CustomResult;
use super::*;
#[async_trait::async_trait]
/// This trait performs in place decryption of the structure on which this is implemented
pub trait KmsDecrypt {
/// The output type of the decryption
type Output;
/// Decrypts the structure given a KMS client
async fn decrypt_inner(self, kms_client: &KmsClient) -> CustomResult<Self::Output, KmsError>
where
Self: Sized;
/// Tries to use the Singleton client to decrypt the structure
async fn try_decrypt_inner(self) -> CustomResult<Self::Output, KmsError>
where
Self: Sized,
{
let client = KMS_CLIENT.get().ok_or(KmsError::KmsClientNotInitialized)?;
self.decrypt_inner(client).await
}
}
#[async_trait::async_trait]
impl KmsDecrypt for &KmsValue {
type Output = String;
async fn decrypt_inner(self, kms_client: &KmsClient) -> CustomResult<Self::Output, KmsError> {
kms_client
.decrypt(self.0.peek())
.await
.attach_printable("Failed to decrypt KMS value")
}
}

31
crates/router/src/configs/defaults.rs
View File

@ -1,8 +1,10 @@
use std::collections::{HashMap, HashSet};
use api_models::{enums, payment_methods::RequiredFieldInfo};
#[cfg(feature = "kms")]
use external_services::kms::KmsValue;
use super::settings::{ConnectorFields, PaymentMethodType, RequiredFieldFinal};
use super::settings::{ConnectorFields, Password, PaymentMethodType, RequiredFieldFinal};
impl Default for super::settings::Server {
fn default() -> Self {
@ -21,35 +23,12 @@ impl Default for super::settings::Database {
fn default() -> Self {
Self {
username: String::new(),
#[cfg(not(feature = "kms"))]
password: String::new(),
password: Password::default(),
host: "localhost".into(),
port: 5432,
dbname: String::new(),
pool_size: 5,
connection_timeout: 10,
#[cfg(feature = "kms")]
kms_encrypted_password: String::new(),
}
}
}
impl Default for super::settings::Secrets {
fn default() -> Self {
Self {
#[cfg(not(feature = "kms"))]
jwt_secret: "secret".into(),
#[cfg(not(feature = "kms"))]
admin_api_key: "test_admin".into(),
#[cfg(not(feature = "kms"))]
recon_admin_api_key: "recon_test_admin".into(),
master_enc_key: "".into(),
#[cfg(feature = "kms")]
kms_encrypted_jwt_secret: "".into(),
#[cfg(feature = "kms")]
kms_encrypted_admin_api_key: "".into(),
#[cfg(feature = "kms")]
kms_encrypted_recon_admin_api_key: "".into(),
}
}
}
@ -809,7 +788,7 @@ impl Default for super::settings::ApiKeys {
fn default() -> Self {
Self {
#[cfg(feature = "kms")]
kms_encrypted_hash_key: String::new(),
kms_encrypted_hash_key: KmsValue::default(),
/// Hex-encoded 32-byte long (64 characters long when hex-encoded) key used for calculating
/// hashes of API keys

72
crates/router/src/configs/kms.rs
View File

@ -1,60 +1,46 @@
use common_utils::errors::CustomResult;
use external_services::kms;
use external_services::kms::{decrypt::KmsDecrypt, KmsClient, KmsError};
use masking::ExposeInterface;
use crate::configs::settings;
#[async_trait::async_trait]
// This trait performs inplace decryption of the structure on which this is implemented
pub trait KmsDecrypt {
async fn decrypt_inner(self, kms_config: &kms::KmsConfig) -> CustomResult<Self, kms::KmsError>
where
Self: Sized;
}
#[async_trait::async_trait]
impl KmsDecrypt for settings::Jwekey {
async fn decrypt_inner(self, kms_config: &kms::KmsConfig) -> CustomResult<Self, kms::KmsError> {
let client = kms::get_kms_client(kms_config).await;
type Output = Self;
// If this pattern required repetition, a macro approach needs to be deviced
let (
locker_encryption_key1,
locker_encryption_key2,
locker_decryption_key1,
locker_decryption_key2,
vault_encryption_key,
vault_private_key,
tunnel_private_key,
async fn decrypt_inner(
mut self,
kms_client: &KmsClient,
) -> CustomResult<Self::Output, KmsError> {
(
self.locker_encryption_key2,
self.locker_decryption_key1,
self.locker_encryption_key1,
self.locker_decryption_key2,
self.vault_encryption_key,
self.vault_private_key,
self.tunnel_private_key,
) = tokio::try_join!(
client.decrypt(self.locker_encryption_key1),
client.decrypt(self.locker_encryption_key2),
client.decrypt(self.locker_decryption_key1),
client.decrypt(self.locker_decryption_key2),
client.decrypt(self.vault_encryption_key),
client.decrypt(self.vault_private_key),
client.decrypt(self.tunnel_private_key),
kms_client.decrypt(self.locker_encryption_key1),
kms_client.decrypt(self.locker_encryption_key2),
kms_client.decrypt(self.locker_decryption_key1),
kms_client.decrypt(self.locker_decryption_key2),
kms_client.decrypt(self.vault_encryption_key),
kms_client.decrypt(self.vault_private_key),
kms_client.decrypt(self.tunnel_private_key),
)?;
Ok(Self {
locker_key_identifier1: self.locker_key_identifier1,
locker_key_identifier2: self.locker_key_identifier2,
locker_encryption_key1,
locker_encryption_key2,
locker_decryption_key1,
locker_decryption_key2,
vault_encryption_key,
vault_private_key,
tunnel_private_key,
})
Ok(self)
}
}
#[async_trait::async_trait]
impl KmsDecrypt for settings::ActiveKmsSecrets {
async fn decrypt_inner(self, kms_config: &kms::KmsConfig) -> CustomResult<Self, kms::KmsError> {
Ok(Self {
jwekey: self.jwekey.expose().decrypt_inner(kms_config).await?.into(),
})
type Output = Self;
async fn decrypt_inner(
mut self,
kms_client: &KmsClient,
) -> CustomResult<Self::Output, KmsError> {
self.jwekey = self.jwekey.expose().decrypt_inner(kms_client).await?.into();
Ok(self)
}
}

21
crates/router/src/configs/settings.rs
View File

@ -19,6 +19,10 @@ use crate::{
core::errors::{ApplicationError, ApplicationResult},
env::{self, logger, Env},
};
#[cfg(feature = "kms")]
pub type Password = kms::KmsValue;
#[cfg(not(feature = "kms"))]
pub type Password = masking::Secret<String>;
#[derive(clap::Parser, Default)]
#[cfg_attr(feature = "vergen", command(version = router_env::version!()))]
@ -338,7 +342,7 @@ where
.collect())
}
#[derive(Debug, Deserialize, Clone)]
#[derive(Debug, Default, Deserialize, Clone)]
#[serde(default)]
pub struct Secrets {
#[cfg(not(feature = "kms"))]
@ -347,13 +351,13 @@ pub struct Secrets {
pub admin_api_key: String,
#[cfg(not(feature = "kms"))]
pub recon_admin_api_key: String,
pub master_enc_key: String,
pub master_enc_key: Password,
#[cfg(feature = "kms")]
pub kms_encrypted_jwt_secret: String,
pub kms_encrypted_jwt_secret: kms::KmsValue,
#[cfg(feature = "kms")]
pub kms_encrypted_admin_api_key: String,
pub kms_encrypted_admin_api_key: kms::KmsValue,
#[cfg(feature = "kms")]
pub kms_encrypted_recon_admin_api_key: String,
pub kms_encrypted_recon_admin_api_key: kms::KmsValue,
}
#[derive(Debug, Deserialize, Clone)]
@ -414,15 +418,12 @@ pub struct Server {
#[serde(default)]
pub struct Database {
pub username: String,
#[cfg(not(feature = "kms"))]
pub password: String,
pub password: Password,
pub host: String,
pub port: u16,
pub dbname: String,
pub pool_size: u32,
pub connection_timeout: u64,
#[cfg(feature = "kms")]
pub kms_encrypted_password: String,
}
#[derive(Debug, Deserialize, Clone)]
@ -566,7 +567,7 @@ pub struct ApiKeys {
/// Base64-encoded (KMS encrypted) ciphertext of the key used for calculating hashes of API
/// keys
#[cfg(feature = "kms")]
pub kms_encrypted_hash_key: String,
pub kms_encrypted_hash_key: kms::KmsValue,
/// Hex-encoded 32-byte long (64 characters long when hex-encoded) key used for calculating
/// hashes of API keys

22
crates/router/src/configs/validations.rs
View File

@ -99,23 +99,11 @@ impl super::settings::Database {
))
})?;
#[cfg(not(feature = "kms"))]
{
when(self.password.is_default_or_empty(), || {
Err(ApplicationError::InvalidConfigurationValueError(
"database user password must not be empty".into(),
))
})
}
#[cfg(feature = "kms")]
{
when(self.kms_encrypted_password.is_default_or_empty(), || {
Err(ApplicationError::InvalidConfigurationValueError(
"database KMS encrypted password must not be empty".into(),
))
})
}
when(self.password.is_default_or_empty(), || {
Err(ApplicationError::InvalidConfigurationValueError(
"database user password must not be empty".into(),
))
})
}
}

15
crates/router/src/connection.rs
View File

@ -4,6 +4,10 @@ use diesel::PgConnection;
use error_stack::{IntoReport, ResultExt};
#[cfg(feature = "kms")]
use external_services::kms;
#[cfg(feature = "kms")]
use external_services::kms::decrypt::KmsDecrypt;
#[cfg(not(feature = "kms"))]
use masking::PeekInterface;
use crate::{configs::settings::Database, errors};
@ -41,17 +45,18 @@ pub async fn redis_connection(
pub async fn diesel_make_pg_pool(
database: &Database,
test_transaction: bool,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
) -> PgPool {
#[cfg(feature = "kms")]
let password = kms::get_kms_client(kms_config)
.await
.decrypt(&database.kms_encrypted_password)
let password = database
.password
.clone()
.decrypt_inner(kms_client)
.await
.expect("Failed to KMS decrypt database password");
#[cfg(not(feature = "kms"))]
let password = &database.password;
let password = &database.password.peek();
let database_url = format!(
"postgres://{}:{}@{}:{}/{}",

17
crates/router/src/core/api_keys.rs
View File

@ -27,19 +27,22 @@ const API_KEY_EXPIRY_NAME: &str = "API_KEY_EXPIRY";
#[cfg(feature = "email")]
const API_KEY_EXPIRY_RUNNER: &str = "API_KEY_EXPIRY_WORKFLOW";
#[cfg(feature = "kms")]
use external_services::kms::decrypt::KmsDecrypt;
static HASH_KEY: tokio::sync::OnceCell<StrongSecret<[u8; PlaintextApiKey::HASH_KEY_LEN]>> =
tokio::sync::OnceCell::const_new();
pub async fn get_hash_key(
api_key_config: &settings::ApiKeys,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
) -> errors::RouterResult<&'static StrongSecret<[u8; PlaintextApiKey::HASH_KEY_LEN]>> {
HASH_KEY
.get_or_try_init(|| async {
#[cfg(feature = "kms")]
let hash_key = kms::get_kms_client(kms_config)
.await
.decrypt(&api_key_config.kms_encrypted_hash_key)
let hash_key = api_key_config
.kms_encrypted_hash_key
.decrypt_inner(kms_client)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Failed to KMS decrypt API key hashing key")?;
@ -130,7 +133,7 @@ impl PlaintextApiKey {
pub async fn create_api_key(
state: &AppState,
api_key_config: &settings::ApiKeys,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
api_key: api::CreateApiKeyRequest,
merchant_id: String,
) -> RouterResponse<api::CreateApiKeyResponse> {
@ -150,7 +153,7 @@ pub async fn create_api_key(
let hash_key = get_hash_key(
api_key_config,
#[cfg(feature = "kms")]
kms_config,
kms_client,
)
.await?;
let plaintext_api_key = PlaintextApiKey::new(consts::API_KEY_LENGTH);
@ -555,7 +558,7 @@ mod tests {
let hash_key = get_hash_key(
&settings.api_keys,
#[cfg(feature = "kms")]
&settings.kms,
external_services::kms::get_kms_client(&settings.kms).await,
)
.await
.unwrap();

2
crates/router/src/routes/api_keys.rs
View File

@ -46,7 +46,7 @@ pub async fn api_key_create(
state,
&state.conf.api_keys,
#[cfg(feature = "kms")]
&state.conf.kms,
external_services::kms::get_kms_client(&state.conf.kms).await,
payload,
merchant_id.clone(),
)

16
crates/router/src/routes/app.rs
View File

@ -1,6 +1,8 @@
use actix_web::{web, Scope};
#[cfg(feature = "email")]
use external_services::email::{AwsSes, EmailClient};
#[cfg(feature = "kms")]
use external_services::kms::{self, decrypt::KmsDecrypt};
use tokio::sync::oneshot;
#[cfg(feature = "dummy_connector")]
@ -14,8 +16,6 @@ use super::{cache::*, health::*};
use super::{configs::*, customers::*, mandates::*, payments::*, refunds::*};
#[cfg(feature = "oltp")]
use super::{ephemeral_key::*, payment_methods::*, webhooks::*};
#[cfg(feature = "kms")]
use crate::configs::kms;
use crate::{
configs::settings,
db::{MockDb, StorageImpl, StorageInterface},
@ -64,6 +64,8 @@ impl AppState {
storage_impl: StorageImpl,
shut_down_signal: oneshot::Sender<()>,
) -> Self {
#[cfg(feature = "kms")]
let kms_client = kms::get_kms_client(&conf.kms).await;
let testable = storage_impl == StorageImpl::PostgresqlTest;
let store: Box<dyn StorageInterface> = match storage_impl {
StorageImpl::Postgresql | StorageImpl::PostgresqlTest => {
@ -74,12 +76,10 @@ impl AppState {
#[cfg(feature = "kms")]
#[allow(clippy::expect_used)]
let kms_secrets = kms::KmsDecrypt::decrypt_inner(
settings::ActiveKmsSecrets {
jwekey: conf.jwekey.clone().into(),
},
&conf.kms,
)
let kms_secrets = settings::ActiveKmsSecrets {
jwekey: conf.jwekey.clone().into(),
}
.decrypt_inner(kms_client)
.await
.expect("Failed while performing KMS decryption");

23
crates/router/src/services.rs
View File

@ -7,7 +7,9 @@ use std::sync::{atomic, Arc};
use error_stack::{IntoReport, ResultExt};
#[cfg(feature = "kms")]
use external_services::kms;
use external_services::kms::{self, decrypt::KmsDecrypt};
#[cfg(not(feature = "kms"))]
use masking::PeekInterface;
use redis_interface::{errors as redis_errors, PubsubInterface, RedisValue};
use tokio::sync::oneshot;
@ -166,11 +168,13 @@ impl Store {
async_spawn!({
redis_clone.on_error(shut_down_signal).await;
});
#[cfg(feature = "kms")]
let kms_client = kms::get_kms_client(&config.kms).await;
let master_enc_key = get_master_enc_key(
config,
#[cfg(feature = "kms")]
&config.kms,
kms_client,
)
.await;
@ -179,7 +183,7 @@ impl Store {
&config.master_database,
test_transaction,
#[cfg(feature = "kms")]
&config.kms,
kms_client,
)
.await,
#[cfg(feature = "olap")]
@ -187,7 +191,7 @@ impl Store {
&config.replica_database,
test_transaction,
#[cfg(feature = "kms")]
&config.kms,
kms_client,
)
.await,
redis_conn,
@ -248,13 +252,14 @@ impl Store {
#[allow(clippy::expect_used)]
async fn get_master_enc_key(
conf: &crate::configs::settings::Settings,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
) -> Vec<u8> {
#[cfg(feature = "kms")]
let master_enc_key = hex::decode(
kms::get_kms_client(kms_config)
.await
.decrypt(&conf.secrets.master_enc_key)
conf.secrets
.master_enc_key
.clone()
.decrypt_inner(kms_client)
.await
.expect("Failed to decrypt master enc key"),
)
@ -262,7 +267,7 @@ async fn get_master_enc_key(
#[cfg(not(feature = "kms"))]
let master_enc_key =
hex::decode(&conf.secrets.master_enc_key).expect("Failed to decode from hex");
hex::decode(conf.secrets.master_enc_key.peek()).expect("Failed to decode from hex");
master_enc_key
}

24
crates/router/src/services/authentication.rs
View File

@ -4,7 +4,7 @@ use async_trait::async_trait;
use common_utils::date_time;
use error_stack::{report, IntoReport, ResultExt};
#[cfg(feature = "kms")]
use external_services::kms;
use external_services::kms::{self, decrypt::KmsDecrypt};
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
use masking::{PeekInterface, StrongSecret};
@ -99,7 +99,7 @@ where
api_keys::get_hash_key(
&config.api_keys,
#[cfg(feature = "kms")]
&config.kms,
kms::get_kms_client(&config.kms).await,
)
.await?
};
@ -151,14 +151,14 @@ static ADMIN_API_KEY: tokio::sync::OnceCell<StrongSecret<String>> =
pub async fn get_admin_api_key(
secrets: &settings::Secrets,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
) -> RouterResult<&'static StrongSecret<String>> {
ADMIN_API_KEY
.get_or_try_init(|| async {
#[cfg(feature = "kms")]
let admin_api_key = kms::get_kms_client(kms_config)
.await
.decrypt(&secrets.kms_encrypted_admin_api_key)
let admin_api_key = secrets
.kms_encrypted_admin_api_key
.decrypt_inner(kms_client)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Failed to KMS decrypt admin API key")?;
@ -191,7 +191,7 @@ where
let admin_api_key = get_admin_api_key(
&conf.secrets,
#[cfg(feature = "kms")]
&conf.kms,
kms::get_kms_client(&conf.kms).await,
)
.await?;
@ -456,14 +456,14 @@ static JWT_SECRET: tokio::sync::OnceCell<StrongSecret<String>> = tokio::sync::On
pub async fn get_jwt_secret(
secrets: &settings::Secrets,
#[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
#[cfg(feature = "kms")] kms_client: &kms::KmsClient,
) -> RouterResult<&'static StrongSecret<String>> {
JWT_SECRET
.get_or_try_init(|| async {
#[cfg(feature = "kms")]
let jwt_secret = kms::get_kms_client(kms_config)
.await
.decrypt(&secrets.kms_encrypted_jwt_secret)
let jwt_secret = secrets
.kms_encrypted_jwt_secret
.decrypt_inner(kms_client)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Failed to KMS decrypt JWT secret")?;
@ -484,7 +484,7 @@ where
let secret = get_jwt_secret(
&conf.secrets,
#[cfg(feature = "kms")]
&conf.kms,
kms::get_kms_client(&conf.kms).await,
)
.await?
.peek()