Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

task: drop support for kmip and local file encryption #2780

Merged
merged 1 commit into from
Mar 19, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions internal/cli/atlas/logs/logs.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,9 @@ func Builder() *cobra.Command {
Short: "Download host logs for your project.",
}

keyProvidersCmd := decryption.KeyProvidersBuilder()
keyProvidersCmd.Hidden = true
cmd.AddCommand(
DownloadBuilder(),
keyProvidersCmd,
decryption.KeyProvidersBuilder(),
DecryptBuilder(),
)

Expand Down
1 change: 1 addition & 0 deletions internal/cli/decryption/key_providers.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ func KeyProvidersBuilder() *cobra.Command {
Use: "keyProviders",
Aliases: cli.GenerateAliases("keyProviders", "keys"),
Short: "Manage your key collections.",
Hidden: true,
}

cmd.AddCommand(KeyProvidersListBuilder())
Expand Down
28 changes: 0 additions & 28 deletions internal/cli/decryption/list_key_provider_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,10 @@
package decryption

import (
"bytes"
"testing"

"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/flag"
"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/test"
"github.com/spf13/afero"
)

func TestListKeyProviderBuilder(t *testing.T) {
Expand All @@ -36,29 +34,3 @@ func TestListKeyProviderBuilder(t *testing.T) {
},
)
}

func TestKeyProviderListOpts_Run(t *testing.T) {
fileJSON := []byte(`{"ts":{"$date":{"$numberLong":"1644232049921"}},"version":"0.0","compressionMode":"zstd","keyStoreIdentifier":{"provider":"local","filename":"localKey"},"encryptedKey":{"$binary":{"base64":"+yjPCaKKE1M8fZmPGzGHkyfHYxaw34okpavsHzpd8iPVx2+JjOhXwXw5E2FdI5Rcb5JgmcPUFRPISh/7Si1R/g==","subType":"0"}},"MAC":"qE9fUsGK0EuRrrCRAQAAAAAAAAAAAAAA","auditRecordType":"header"}
{"ts":{"$date":{"$numberLong":"1644232049922"}},"log":"1Lu4o8XVMM/Rg7GKAQAAAAEAAAAAAAAA/8tXQ36mEd90OaAOzCOSti7N5a2jr0B9ek48/uvyteG/zUJHyM16Hs3wMEhDqTQGBwGhWSHEqXh0/5Jbz6tXsYHhDTMr1BOsn1zaavZScx/CkO5+Hd8Vx+zeFPREtQTe1y+JngXSIroezeyV0/zF4YC4vpug+OZtrEQLNEgwT2bjaqUyaKDbmzCNetd2Ff/eFfMFzinbzKVgXAC7T4YmDuowqXommEXLIBiYh2u4VagwJKZRw5OGZjnvqwyVpSPgGqLxGKUoFigh3NgC6EuGi17VIs5BLRZOIw7+OfbPgQQiKzjCxCk="}
{"ts":{"$date":{"$numberLong":"1644232049921"}},"version":"0.0","compressionMode":"zstd","keyStoreIdentifier":{"provider":"kmip","uid":"uniqueKeyID","kmipServerName":["kmipServerName"],"kmipPort":{"$numberInt":"8081"},"keyWrapMethod":"get"},"encryptedKey":{"$binary":{"base64":"+yjPCaKKE1M8fZmPGzGHkyfHYxaw34okpavsHzpd8iPVx2+JjOhXwXw5E2FdI5Rcb5JgmcPUFRPISh/7Si1R/g==","subType":"0"}},"MAC":"qE9fUsGK0EuRrrCRAQAAAAAAAAAAAAAA","auditRecordType":"header"}
{"ts":{"$date":{"$numberLong":"1644232049922"}},"log":"1Lu4o8XVMM/Rg7GKAQAAAAEAAAAAAAAA/8tXQ36mEd90OaAOzCOSti7N5a2jr0B9ek48/uvyteG/zUJHyM16Hs3wMEhDqTQGBwGhWSHEqXh0/5Jbz6tXsYHhDTMr1BOsn1zaavZScx/CkO5+Hd8Vx+zeFPREtQTe1y+JngXSIroezeyV0/zF4YC4vpug+OZtrEQLNEgwT2bjaqUyaKDbmzCNetd2Ff/eFfMFzinbzKVgXAC7T4YmDuowqXommEXLIBiYh2u4VagwJKZRw5OGZjnvqwyVpSPgGqLxGKUoFigh3NgC6EuGi17VIs5BLRZOIw7+OfbPgQQiKzjCxCk="}`)

listOpts := &KeyProviderListOpts{
file: "test",
fs: afero.NewMemMapFs(),
}
bufOut := new(bytes.Buffer)
_ = listOpts.InitOutput(bufOut, listTmpl)()
_ = afero.WriteFile(listOpts.fs, "test", fileJSON, 0600)

if err := listOpts.Run(); err != nil {
t.Fatalf("Run() unexpected error: %v", err)
}

expected := `local: Filename = localKey
kmip: Unique Key ID = "uniqueKeyID" KMIP Server Name = "[kmipServerName]" KMIP Port = "8081" Key Wrap Method = "get"
`
if bufOut.String() != expected {
t.Fatalf("Run() expected: %s got: %v", expected, bufOut.String())
}
}
6 changes: 3 additions & 3 deletions internal/decryption/audit_log_line_scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,12 +56,12 @@ func peekFirstByte(reader io.ReadSeeker) (byte, error) {
return b[0], nil
}

func readAuditLogFile(reader io.ReadSeeker) (AuditLogFormat, auditLogScanner, error) {
func readAuditLogFile(reader io.ReadSeeker) (auditLogScanner, error) {
auditLogFormat := BSON

b, err := peekFirstByte(reader)
if err != nil {
return auditLogFormat, nil, err
return nil, err
}

if b == '{' {
Expand All @@ -75,7 +75,7 @@ func readAuditLogFile(reader io.ReadSeeker) (AuditLogFormat, auditLogScanner, er
case JSON:
scanner = newJSONScanner(reader)
}
return auditLogFormat, scanner, err
return scanner, err
}

type auditLogScanner interface {
Expand Down
184 changes: 0 additions & 184 deletions internal/decryption/audit_log_line_scanner_test.go

This file was deleted.

2 changes: 1 addition & 1 deletion internal/decryption/decryption.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func WithAzureOpts(tenantID, clientID, secret string) func(d *Decryption) {
// the credentials provided by the user and the AES-GCM algorithm.
// The decrypted audit log records are saved in the out stream.
func (d *Decryption) Decrypt(logReader io.ReadSeeker, out io.Writer) error {
_, logLineScanner, err := readAuditLogFile(logReader)
logLineScanner, err := readAuditLogFile(logReader)
if err != nil {
return err
}
Expand Down
30 changes: 0 additions & 30 deletions internal/decryption/encrypted_audit_log.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,13 +32,6 @@ type AuditRecordType string

type AuditLogLineKeyStoreIdentifier struct {
Provider *keyproviders.KeyStoreProvider `json:"provider,omitempty"`
// localKey
Filename string `json:"filename,omitempty"`
// kmip
UID string `json:"uniqueKeyID,omitempty"`
KMIPServerName []string `json:"kmipServerName,omitempty"`
KMIPPort int `json:"kmipPort,omitempty"`
KeyWrapMethod keyproviders.KMIPKeyWrapMethod `json:"keyWrapMethod,omitempty"`
// aws
Key string `json:"key,omitempty"`
Region string `json:"region,omitempty"`
Expand Down Expand Up @@ -76,29 +69,6 @@ func (logLine *AuditLogLine) KeyProvider(opts KeyProviderOpts) (keyproviders.Key
}

switch *logLine.KeyStoreIdentifier.Provider {
case keyproviders.LocalKey:
if opts.Local == nil {
return nil, fmt.Errorf("%w: %s", ErrKeyProviderNotSupported, *logLine.KeyStoreIdentifier.Provider)
}
return &keyproviders.LocalKeyIdentifier{
HeaderFilename: logLine.KeyStoreIdentifier.Filename,
Filename: opts.Local.KeyFileName,
}, nil
case keyproviders.KMIP:
if opts.KMIP == nil {
return nil, fmt.Errorf("%w: %s", ErrKeyProviderNotSupported, *logLine.KeyStoreIdentifier.Provider)
}
return &keyproviders.KMIPKeyIdentifier{
UniqueKeyID: logLine.KeyStoreIdentifier.UID,
ServerNames: logLine.KeyStoreIdentifier.KMIPServerName,
ServerPort: logLine.KeyStoreIdentifier.KMIPPort,
KeyWrapMethod: logLine.KeyStoreIdentifier.KeyWrapMethod,
ServerCAFileName: opts.KMIP.ServerCAFileName,
ClientCertificateFileName: opts.KMIP.ClientCertificateFileName,
ClientCertificatePassword: opts.KMIP.ClientCertificatePassword,
Username: opts.KMIP.Username,
Password: opts.KMIP.Password,
}, nil
case keyproviders.AWS:
if opts.AWS == nil {
return nil, fmt.Errorf("%w: %s", ErrKeyProviderNotSupported, *logLine.KeyStoreIdentifier.Provider)
Expand Down
21 changes: 13 additions & 8 deletions internal/decryption/header_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package decryption

import (
"encoding/base64"
"fmt"
"testing"
"time"

Expand Down Expand Up @@ -96,7 +97,7 @@ func Test_validateMAC(t *testing.T) {
func Test_validateHeaderFields(t *testing.T) {
ts := time.Now()
invalidCompressionMode := "foo"
provider := keyproviders.LocalKey
provider := keyproviders.Azure
encryptedKey := []byte{0, 1, 2, 3}

testCases := []struct {
Expand Down Expand Up @@ -225,12 +226,16 @@ func Test_validateHeaderFields(t *testing.T) {
expectErr: true,
},
}
for _, testCase := range testCases {
err := validateHeaderFields(pointer.Get(testCase.input))
if testCase.expectErr && err == nil {
t.Errorf("expected: not nil got: %v", err)
} else if !testCase.expectErr && err != nil {
t.Errorf("expected: nil got: %v", err)
}
for i, tc := range testCases {
tt := tc
t.Run(fmt.Sprintf("test_%d", i), func(t *testing.T) {
t.Parallel()
err := validateHeaderFields(&tt.input)
if tt.expectErr && err == nil {
t.Errorf("expected: not nil got: %v", err)
} else if !tt.expectErr && err != nil {
t.Errorf("expected: nil got: %v", err)
}
})
}
}
8 changes: 3 additions & 5 deletions internal/decryption/keyproviders/key_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,9 @@ import (
type KeyStoreProvider string

const (
LocalKey KeyStoreProvider = "local"
KMIP KeyStoreProvider = "kmip"
AWS KeyStoreProvider = "aws"
GCP KeyStoreProvider = "gcp"
Azure KeyStoreProvider = "azure"
AWS KeyStoreProvider = "aws"
GCP KeyStoreProvider = "gcp"
Azure KeyStoreProvider = "azure"
)

type KeyProvider interface {
Expand Down
Loading