diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 62d11f162..b20f3ceb7 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -43,6 +43,7 @@ import ( "github.com/getsops/sops/v3/stores" "github.com/getsops/sops/v3/stores/dotenv" "github.com/getsops/sops/v3/stores/json" + "github.com/getsops/sops/v3/tencentkms" "github.com/getsops/sops/v3/version" ) @@ -97,7 +98,7 @@ func main() { {Name: "CNCF Maintainers"}, } app.UsageText = `sops is an editor of encrypted files that supports AWS KMS, GCP, AZKV, - PGP, and Age + PGP, Tencent Cloud KMS,and Age To encrypt or decrypt a document with AWS KMS, specify the KMS ARN in the -k flag or in the SOPS_KMS_ARN environment variable. @@ -126,6 +127,12 @@ func main() { https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication. The user/sp needs the key/encrypt and key/decrypt permissions.) + To encrypt or decrypt a document with Tencent Cloud KMS, specify the + Tencent Cloud KMS key ID in the --tencent-kms flag or in the + SOPS_TENCENT_KMS_IDS environment variable. + The format is 'keyId' (e.g., '93866e69-9755-11ef-8e65-52540089bc41'). + (Authentication is based on TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY environment variables.) + To encrypt or decrypt using age, specify the recipient in the -a flag, or in the SOPS_AGE_RECIPIENTS environment variable. @@ -135,12 +142,12 @@ func main() { To use multiple KMS or PGP keys, separate them by commas. For example: $ sops -p "10F2...0A, 85D...B3F21" file.yaml - The -p, -k, --gcp-kms, --hc-vault-transit, and --azure-kv flags are only + The -p, -k, --gcp-kms, --hc-vault-transit, --tencent-kms, and --azure-kv flags are only used to encrypt new documents. Editing or decrypting existing documents can be done with "sops file" or "sops decrypt file" respectively. The KMS and PGP keys listed in the encrypted documents are used then. To manage master - keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" - and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags with --rotate + keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit,tencent-kms}" + and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit,tencent-kms}" flags with --rotate or the updatekeys command. To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC. @@ -570,6 +577,10 @@ func main() { Name: "gcp-kms", Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once", }, + cli.StringSliceFlag{ + Name: "tencent-kms", + Usage: "the Tencent Cloud KMS key ID the new group should contain. Can be specified more than once", + }, cli.StringSliceFlag{ Name: "azure-kv", Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once", @@ -602,6 +613,7 @@ func main() { vaultURIs := c.StringSlice("hc-vault-transit") azkvs := c.StringSlice("azure-kv") ageRecipients := c.StringSlice("age") + tencentKms := c.StringSlice("tencent-kms") if c.NArg() != 0 { return common.NewExitError(fmt.Errorf("error: no positional arguments allowed"), codes.ErrorGeneric) } @@ -641,6 +653,11 @@ func main() { group = append(group, key) } } + + for _, keyID := range tencentKms { + group = append(group, tencentkms.NewMasterKeyFromKeyID(keyID)) + } + inputStore, err := inputStore(c, c.String("file")) if err != nil { return toExitError(err) @@ -953,6 +970,11 @@ func main() { Usage: "comma separated list of age recipients", EnvVar: "SOPS_AGE_RECIPIENTS", }, + cli.StringFlag{ + Name: "tencent-kms", + Usage: "comma separated list of Tencent Cloud KMS key IDs", + EnvVar: "SOPS_TENCENT_KMS_IDS", + }, cli.StringFlag{ Name: "input-type", Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type", @@ -1158,6 +1180,16 @@ func main() { Name: "rm-pgp", Usage: "remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file", }, + + cli.StringFlag{ + Name: "add-tencent-kms", + Usage: "add the provided comma-separated list of Tencent Cloud KMS key IDs to the list of master keys on the given file", + }, + cli.StringFlag{ + Name: "rm-tencent-kms", + Usage: "remove the provided comma-separated list of Tencent Cloud KMS key IDs from the list of master keys on the given file", + }, + cli.StringFlag{ Name: "filename-override", Usage: "Use this filename instead of the provided argument for loading configuration, and for determining input type and output type", @@ -1184,8 +1216,8 @@ func main() { return toExitError(err) } if _, err := os.Stat(fileName); os.IsNotExist(err) { - if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || - c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" { + if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-tencent-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || + c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-tencent-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" { return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use the `edit` subcommand instead.", fileName), codes.CannotChangeKeysFromNonExistentFile) } } @@ -1271,6 +1303,11 @@ func main() { Usage: "comma separated list of GCP KMS resource IDs", EnvVar: "SOPS_GCP_KMS_IDS", }, + cli.StringFlag{ + Name: "tencent-kms", + Usage: "comma separated list of Tencent Cloud KMS key IDs", + EnvVar: "SOPS_TENCENT_KMS_IDS", + }, cli.StringFlag{ Name: "azure-kv", Usage: "comma separated list of Azure Key Vault URLs", @@ -1684,6 +1721,11 @@ func main() { Usage: "comma separated list of Azure Key Vault URLs", EnvVar: "SOPS_AZURE_KEYVAULT_URLS", }, + cli.StringFlag{ + Name: "tencent-kms", + Usage: "comma separated list of Tencent Cloud KMS key IDs", + EnvVar: "SOPS_TENCENT_KMS_IDS", + }, cli.StringFlag{ Name: "hc-vault-transit", Usage: "comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev')", @@ -1735,6 +1777,14 @@ func main() { Name: "rm-azure-kv", Usage: "remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file", }, + cli.StringFlag{ + Name: "add-tencent-kms", + Usage: "add the provided comma-separated list of Tencent Cloud KMS key IDs to the list of master keys on the given file", + }, + cli.StringFlag{ + Name: "rm-tencent-kms", + Usage: "remove the provided comma-separated list of Tencent Cloud KMS key IDs from the list of master keys on the given file", + }, cli.StringFlag{ Name: "add-kms", Usage: "add the provided comma-separated list of KMS ARNs to the list of master keys on the given file", @@ -1861,8 +1911,8 @@ func main() { return toExitError(err) } if _, err := os.Stat(fileName); os.IsNotExist(err) { - if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || - c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" { + if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-tencent-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || + c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-tencent-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" { return common.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use `--kms` and `--pgp` instead.", fileName), codes.CannotChangeKeysFromNonExistentFile) } if isEncryptMode || isDecryptMode || isRotateMode { @@ -2191,7 +2241,7 @@ func getEncryptConfig(c *cli.Context, fileName string, inputStore common.Store, }, nil } -func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) { +func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string, tencentKmsOptionName string) ([]keys.MasterKey, error) { var masterKeys []keys.MasterKey for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) { masterKeys = append(masterKeys, k) @@ -2209,6 +2259,9 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO for _, k := range azureKeys { masterKeys = append(masterKeys, k) } + for _, k := range tencentkms.MasterKeysFromKeyIDString(c.String(tencentKmsOptionName)) { + masterKeys = append(masterKeys, k) + } hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String(hcVaultTransitOptionName)) if err != nil { return nil, err @@ -2228,11 +2281,11 @@ func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsO func getRotateOpts(c *cli.Context, fileName string, inputStore common.Store, outputStore common.Store, svcs []keyservice.KeyServiceClient, decryptionOrder []string) (rotateOpts, error) { kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context")) - addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-azure-kv", "add-hc-vault-transit", "add-age") + addMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "add-kms", "add-pgp", "add-gcp-kms", "add-azure-kv", "add-hc-vault-transit", "add-age", "add-tencent-kms") if err != nil { return rotateOpts{}, err } - rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age") + rmMasterKeys, err := getMasterKeys(c, kmsEncryptionContext, "rm-kms", "rm-pgp", "rm-gcp-kms", "rm-azure-kv", "rm-hc-vault-transit", "rm-age", "rm-tencent-kms") if err != nil { return rotateOpts{}, err } @@ -2381,6 +2434,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so var azkvKeys []keys.MasterKey var hcVaultMkKeys []keys.MasterKey var ageMasterKeys []keys.MasterKey + var tencentKmsKeys []keys.MasterKey kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context")) if c.String("encryption-context") != "" && kmsEncryptionContext == nil { return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat) @@ -2404,6 +2458,11 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so azkvKeys = append(azkvKeys, k) } } + if c.String("tencent-kms") != "" { + for _, k := range tencentkms.MasterKeysFromKeyIDString(c.String("tencent-kms")) { + tencentKmsKeys = append(tencentKmsKeys, k) + } + } if c.String("hc-vault-transit") != "" { hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("hc-vault-transit")) if err != nil { @@ -2427,7 +2486,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so ageMasterKeys = append(ageMasterKeys, k) } } - if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" { + if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" && c.String("tencent-kms") == "" { conf := optionalConfig var err error if conf == nil { @@ -2447,6 +2506,7 @@ func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]so group = append(group, kmsKeys...) group = append(group, cloudKmsKeys...) group = append(group, azkvKeys...) + group = append(group, tencentKmsKeys...) group = append(group, pgpKeys...) group = append(group, hcVaultMkKeys...) group = append(group, ageMasterKeys...) diff --git a/config/config.go b/config/config.go index 6a67e0619..deff03b60 100644 --- a/config/config.go +++ b/config/config.go @@ -19,6 +19,7 @@ import ( "github.com/getsops/sops/v3/kms" "github.com/getsops/sops/v3/pgp" "github.com/getsops/sops/v3/publish" + "github.com/getsops/sops/v3/tencentkms" "go.yaml.in/yaml/v3" ) @@ -129,13 +130,14 @@ type configFile struct { } type keyGroup struct { - Merge []keyGroup `yaml:"merge"` - KMS []kmsKey `yaml:"kms"` - GCPKMS []gcpKmsKey `yaml:"gcp_kms"` - AzureKV []azureKVKey `yaml:"azure_keyvault"` - Vault []string `yaml:"hc_vault"` - Age []string `yaml:"age"` - PGP []string `yaml:"pgp"` + Merge []keyGroup `yaml:"merge"` + KMS []kmsKey `yaml:"kms"` + GCPKMS []gcpKmsKey `yaml:"gcp_kms"` + AzureKV []azureKVKey `yaml:"azure_keyvault"` + Vault []string `yaml:"hc_vault"` + Age []string `yaml:"age"` + PGP []string `yaml:"pgp"` + TencentKMS []tencentKmsKey `yaml:"tencent_kms"` } type gcpKmsKey struct { @@ -155,6 +157,10 @@ type azureKVKey struct { Version string `yaml:"version"` } +type tencentKmsKey struct { + KeyID string `yaml:"key_id"` +} + type destinationRule struct { PathRegex string `yaml:"path_regex"` S3Bucket string `yaml:"s3_bucket"` @@ -178,6 +184,7 @@ type creationRule struct { GCPKMS interface{} `yaml:"gcp_kms"` // string or []string AzureKeyVault interface{} `yaml:"azure_keyvault"` // string or []string VaultURI interface{} `yaml:"hc_vault_transit_uri"` // string or []string + TencentKMS interface{} `yaml:"tencent_kms"` // string or []string KeyGroups []keyGroup `yaml:"key_groups"` ShamirThreshold int `yaml:"shamir_threshold"` UnencryptedSuffix string `yaml:"unencrypted_suffix"` @@ -198,6 +205,10 @@ func (c *creationRule) GetAgeKeys() ([]string, error) { return parseKeyField(c.Age, "age") } +func (c *creationRule) GetTencentKMSKeys() ([]string, error) { + return parseKeyField(c.TencentKMS, "tencent_kms") +} + func (c *creationRule) GetPGPKeys() ([]string, error) { return parseKeyField(c.PGP, "pgp") } @@ -343,6 +354,9 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) { return nil, err } } + for _, k := range group.TencentKMS { + keyGroup = append(keyGroup, tencentkms.NewMasterKeyFromKeyID(k.KeyID)) + } return deduplicateKeygroup(keyGroup), nil } @@ -424,6 +438,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[ for _, k := range vaultKeys { keyGroup = append(keyGroup, k) } + tencentKMSKeys, err := getKeysWithValidation(cRule.GetTencentKMSKeys, "tencent_kms") + if err != nil { + return nil, err + } + for _, k := range tencentKMSKeys { + keyGroup = append(keyGroup, tencentkms.NewMasterKeyFromKeyID(k)) + } groups = append(groups, keyGroup) } return groups, nil diff --git a/go.mod b/go.mod index 47fdcf0a2..66217a59f 100644 --- a/go.mod +++ b/go.mod @@ -32,6 +32,8 @@ require ( github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.11.1 + github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.46 + github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/kms v1.1.3 github.com/urfave/cli v1.22.17 go.yaml.in/yaml/v3 v3.0.4 golang.org/x/crypto v0.43.0 diff --git a/go.sum b/go.sum index 0d828ecdb..747bd9cae 100644 --- a/go.sum +++ b/go.sum @@ -270,6 +270,11 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.3/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.46 h1:wWcfc+d0BJSGvLtIdPSLuN//KCgIhuWbjao68roZrzw= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.46/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/kms v1.1.3 h1:HAGbYdcJcQtUQxU9Y7W/Rh0CwYAOKeZCeDeqtQXT16U= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/kms v1.1.3/go.mod h1:Xko/+Z18akdtRaU9HXIyAn/Xatxywl7PNgW2iud1uvU= github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ= github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= diff --git a/keyservice/keyservice.go b/keyservice/keyservice.go index 321af7942..d4f99858c 100644 --- a/keyservice/keyservice.go +++ b/keyservice/keyservice.go @@ -14,6 +14,7 @@ import ( "github.com/getsops/sops/v3/keys" "github.com/getsops/sops/v3/kms" "github.com/getsops/sops/v3/pgp" + "github.com/getsops/sops/v3/tencentkms" ) // KeyFromMasterKey converts a SOPS internal MasterKey to an RPC Key that can be serialized with Protocol Buffers @@ -78,6 +79,14 @@ func KeyFromMasterKey(mk keys.MasterKey) Key { }, }, } + case *tencentkms.MasterKey: + return Key{ + KeyType: &Key_TencentKmsKey{ + TencentKmsKey: &TencentKmsKey{ + KeyId: mk.KeyID, + }, + }, + } default: panic(fmt.Sprintf("Tried to convert unknown MasterKey type %T to keyservice.Key", mk)) } diff --git a/keyservice/keyservice.pb.go b/keyservice/keyservice.pb.go index a810b2805..9cc034a5c 100644 --- a/keyservice/keyservice.pb.go +++ b/keyservice/keyservice.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.35.2 -// protoc v5.28.3 +// protoc-gen-go v1.31.0 +// protoc v5.29.3 // source: keyservice/keyservice.proto package keyservice @@ -33,14 +33,17 @@ type Key struct { // *Key_AzureKeyvaultKey // *Key_VaultKey // *Key_AgeKey + // *Key_TencentKmsKey KeyType isKey_KeyType `protobuf_oneof:"key_type"` } func (x *Key) Reset() { *x = Key{} - mi := &file_keyservice_keyservice_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *Key) String() string { @@ -51,7 +54,7 @@ func (*Key) ProtoMessage() {} func (x *Key) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[0] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -115,6 +118,13 @@ func (x *Key) GetAgeKey() *AgeKey { return nil } +func (x *Key) GetTencentKmsKey() *TencentKmsKey { + if x, ok := x.GetKeyType().(*Key_TencentKmsKey); ok { + return x.TencentKmsKey + } + return nil +} + type isKey_KeyType interface { isKey_KeyType() } @@ -143,6 +153,10 @@ type Key_AgeKey struct { AgeKey *AgeKey `protobuf:"bytes,6,opt,name=age_key,json=ageKey,proto3,oneof"` } +type Key_TencentKmsKey struct { + TencentKmsKey *TencentKmsKey `protobuf:"bytes,7,opt,name=tencent_kms_key,json=tencentKmsKey,proto3,oneof"` +} + func (*Key_KmsKey) isKey_KeyType() {} func (*Key_PgpKey) isKey_KeyType() {} @@ -155,6 +169,8 @@ func (*Key_VaultKey) isKey_KeyType() {} func (*Key_AgeKey) isKey_KeyType() {} +func (*Key_TencentKmsKey) isKey_KeyType() {} + type PgpKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -165,9 +181,11 @@ type PgpKey struct { func (x *PgpKey) Reset() { *x = PgpKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *PgpKey) String() string { @@ -178,7 +196,7 @@ func (*PgpKey) ProtoMessage() {} func (x *PgpKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[1] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -213,9 +231,11 @@ type KmsKey struct { func (x *KmsKey) Reset() { *x = KmsKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *KmsKey) String() string { @@ -226,7 +246,7 @@ func (*KmsKey) ProtoMessage() {} func (x *KmsKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[2] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -279,9 +299,11 @@ type GcpKmsKey struct { func (x *GcpKmsKey) Reset() { *x = GcpKmsKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *GcpKmsKey) String() string { @@ -292,7 +314,7 @@ func (*GcpKmsKey) ProtoMessage() {} func (x *GcpKmsKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[3] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -326,9 +348,11 @@ type VaultKey struct { func (x *VaultKey) Reset() { *x = VaultKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *VaultKey) String() string { @@ -339,7 +363,7 @@ func (*VaultKey) ProtoMessage() {} func (x *VaultKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[4] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -387,9 +411,11 @@ type AzureKeyVaultKey struct { func (x *AzureKeyVaultKey) Reset() { *x = AzureKeyVaultKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *AzureKeyVaultKey) String() string { @@ -400,7 +426,7 @@ func (*AzureKeyVaultKey) ProtoMessage() {} func (x *AzureKeyVaultKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[5] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -446,9 +472,11 @@ type AgeKey struct { func (x *AgeKey) Reset() { *x = AgeKey{} - mi := &file_keyservice_keyservice_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *AgeKey) String() string { @@ -459,7 +487,7 @@ func (*AgeKey) ProtoMessage() {} func (x *AgeKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[6] - if x != nil { + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -481,6 +509,53 @@ func (x *AgeKey) GetRecipient() string { return "" } +type TencentKmsKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` +} + +func (x *TencentKmsKey) Reset() { + *x = TencentKmsKey{} + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *TencentKmsKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TencentKmsKey) ProtoMessage() {} + +func (x *TencentKmsKey) ProtoReflect() protoreflect.Message { + mi := &file_keyservice_keyservice_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TencentKmsKey.ProtoReflect.Descriptor instead. +func (*TencentKmsKey) Descriptor() ([]byte, []int) { + return file_keyservice_keyservice_proto_rawDescGZIP(), []int{7} +} + +func (x *TencentKmsKey) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + type EncryptRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -492,9 +567,11 @@ type EncryptRequest struct { func (x *EncryptRequest) Reset() { *x = EncryptRequest{} - mi := &file_keyservice_keyservice_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *EncryptRequest) String() string { @@ -504,8 +581,8 @@ func (x *EncryptRequest) String() string { func (*EncryptRequest) ProtoMessage() {} func (x *EncryptRequest) ProtoReflect() protoreflect.Message { - mi := &file_keyservice_keyservice_proto_msgTypes[7] - if x != nil { + mi := &file_keyservice_keyservice_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -517,7 +594,7 @@ func (x *EncryptRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use EncryptRequest.ProtoReflect.Descriptor instead. func (*EncryptRequest) Descriptor() ([]byte, []int) { - return file_keyservice_keyservice_proto_rawDescGZIP(), []int{7} + return file_keyservice_keyservice_proto_rawDescGZIP(), []int{8} } func (x *EncryptRequest) GetKey() *Key { @@ -544,9 +621,11 @@ type EncryptResponse struct { func (x *EncryptResponse) Reset() { *x = EncryptResponse{} - mi := &file_keyservice_keyservice_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *EncryptResponse) String() string { @@ -556,8 +635,8 @@ func (x *EncryptResponse) String() string { func (*EncryptResponse) ProtoMessage() {} func (x *EncryptResponse) ProtoReflect() protoreflect.Message { - mi := &file_keyservice_keyservice_proto_msgTypes[8] - if x != nil { + mi := &file_keyservice_keyservice_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -569,7 +648,7 @@ func (x *EncryptResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use EncryptResponse.ProtoReflect.Descriptor instead. func (*EncryptResponse) Descriptor() ([]byte, []int) { - return file_keyservice_keyservice_proto_rawDescGZIP(), []int{8} + return file_keyservice_keyservice_proto_rawDescGZIP(), []int{9} } func (x *EncryptResponse) GetCiphertext() []byte { @@ -590,9 +669,11 @@ type DecryptRequest struct { func (x *DecryptRequest) Reset() { *x = DecryptRequest{} - mi := &file_keyservice_keyservice_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *DecryptRequest) String() string { @@ -602,8 +683,8 @@ func (x *DecryptRequest) String() string { func (*DecryptRequest) ProtoMessage() {} func (x *DecryptRequest) ProtoReflect() protoreflect.Message { - mi := &file_keyservice_keyservice_proto_msgTypes[9] - if x != nil { + mi := &file_keyservice_keyservice_proto_msgTypes[10] + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -615,7 +696,7 @@ func (x *DecryptRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use DecryptRequest.ProtoReflect.Descriptor instead. func (*DecryptRequest) Descriptor() ([]byte, []int) { - return file_keyservice_keyservice_proto_rawDescGZIP(), []int{9} + return file_keyservice_keyservice_proto_rawDescGZIP(), []int{10} } func (x *DecryptRequest) GetKey() *Key { @@ -642,9 +723,11 @@ type DecryptResponse struct { func (x *DecryptResponse) Reset() { *x = DecryptResponse{} - mi := &file_keyservice_keyservice_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) + if protoimpl.UnsafeEnabled { + mi := &file_keyservice_keyservice_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } } func (x *DecryptResponse) String() string { @@ -654,8 +737,8 @@ func (x *DecryptResponse) String() string { func (*DecryptResponse) ProtoMessage() {} func (x *DecryptResponse) ProtoReflect() protoreflect.Message { - mi := &file_keyservice_keyservice_proto_msgTypes[10] - if x != nil { + mi := &file_keyservice_keyservice_proto_msgTypes[11] + if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -667,7 +750,7 @@ func (x *DecryptResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use DecryptResponse.ProtoReflect.Descriptor instead. func (*DecryptResponse) Descriptor() ([]byte, []int) { - return file_keyservice_keyservice_proto_rawDescGZIP(), []int{10} + return file_keyservice_keyservice_proto_rawDescGZIP(), []int{11} } func (x *DecryptResponse) GetPlaintext() []byte { @@ -681,7 +764,7 @@ var File_keyservice_keyservice_proto protoreflect.FileDescriptor var file_keyservice_keyservice_proto_rawDesc = []byte{ 0x0a, 0x1b, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x98, 0x02, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd2, 0x02, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x70, 0x67, 0x70, @@ -698,64 +781,71 @@ var file_keyservice_keyservice_proto_rawDesc = []byte{ 0x0b, 0x32, 0x09, 0x2e, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x08, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x61, 0x67, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x41, 0x67, 0x65, 0x4b, - 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x61, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x0a, 0x0a, 0x08, - 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x2a, 0x0a, 0x06, 0x50, 0x67, 0x70, 0x4b, - 0x65, 0x79, 0x12, 0x20, 0x0a, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, - 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, - 0x72, 0x69, 0x6e, 0x74, 0x22, 0xbb, 0x01, 0x0a, 0x06, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, - 0x10, 0x0a, 0x03, 0x61, 0x72, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x72, - 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x2e, - 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x77, 0x73, 0x5f, 0x70, 0x72, 0x6f, - 0x66, 0x69, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x77, 0x73, 0x50, - 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x1a, 0x3a, 0x0a, 0x0c, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, - 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, - 0x38, 0x01, 0x22, 0x2c, 0x0a, 0x09, 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, - 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, - 0x22, 0x6b, 0x0a, 0x08, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x23, 0x0a, 0x0d, - 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0c, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, - 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x50, 0x61, - 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x5d, 0x0a, - 0x10, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, - 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x12, - 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x26, 0x0a, 0x06, - 0x41, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69, - 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, - 0x69, 0x65, 0x6e, 0x74, 0x22, 0x46, 0x0a, 0x0e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1c, - 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x31, 0x0a, 0x0f, - 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, - 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, - 0x48, 0x0a, 0x0e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x04, - 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, - 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, - 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, 0x2f, 0x0a, 0x0f, 0x44, 0x65, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, - 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, - 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x32, 0x6c, 0x0a, 0x0a, 0x4b, 0x65, - 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x45, 0x6e, 0x63, 0x72, - 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x07, 0x44, 0x65, 0x63, 0x72, - 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0e, 0x5a, 0x0c, 0x2e, 0x2f, 0x6b, 0x65, - 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x61, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x38, 0x0a, 0x0f, + 0x74, 0x65, 0x6e, 0x63, 0x65, 0x6e, 0x74, 0x5f, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x54, 0x65, 0x6e, 0x63, 0x65, 0x6e, 0x74, 0x4b, + 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x0d, 0x74, 0x65, 0x6e, 0x63, 0x65, 0x6e, 0x74, + 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x42, 0x0a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, + 0x70, 0x65, 0x22, 0x2a, 0x0a, 0x06, 0x50, 0x67, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x0b, + 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0xbb, + 0x01, 0x0a, 0x06, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x72, 0x6e, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x72, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x72, + 0x6f, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, + 0x2e, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x14, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, + 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, + 0x1f, 0x0a, 0x0b, 0x61, 0x77, 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x77, 0x73, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, + 0x1a, 0x3a, 0x0a, 0x0c, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, + 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x2c, 0x0a, 0x09, + 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, + 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x22, 0x6b, 0x0a, 0x08, 0x56, 0x61, + 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x23, 0x0a, 0x0d, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, + 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x76, + 0x61, 0x75, 0x6c, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0a, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, + 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x5d, 0x0a, 0x10, 0x41, 0x7a, 0x75, 0x72, 0x65, + 0x4b, 0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x76, + 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, + 0x76, 0x61, 0x75, 0x6c, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, + 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x26, 0x0a, 0x06, 0x41, 0x67, 0x65, 0x4b, 0x65, 0x79, + 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69, 0x65, 0x6e, 0x74, 0x22, 0x26, + 0x0a, 0x0d, 0x54, 0x65, 0x6e, 0x63, 0x65, 0x6e, 0x74, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, + 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x22, 0x46, 0x0a, 0x0e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x31, + 0x0a, 0x0f, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, + 0x74, 0x22, 0x48, 0x0a, 0x0e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, + 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, + 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, 0x2f, 0x0a, 0x0f, 0x44, + 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, + 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x32, 0x6c, 0x0a, 0x0a, + 0x4b, 0x65, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x45, 0x6e, + 0x63, 0x72, 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x07, 0x44, 0x65, + 0x63, 0x72, 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0e, 0x5a, 0x0c, 0x2e, 0x2f, + 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( @@ -770,8 +860,8 @@ func file_keyservice_keyservice_proto_rawDescGZIP() []byte { return file_keyservice_keyservice_proto_rawDescData } -var file_keyservice_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 12) -var file_keyservice_keyservice_proto_goTypes = []any{ +var file_keyservice_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 13) +var file_keyservice_keyservice_proto_goTypes = []interface{}{ (*Key)(nil), // 0: Key (*PgpKey)(nil), // 1: PgpKey (*KmsKey)(nil), // 2: KmsKey @@ -779,11 +869,12 @@ var file_keyservice_keyservice_proto_goTypes = []any{ (*VaultKey)(nil), // 4: VaultKey (*AzureKeyVaultKey)(nil), // 5: AzureKeyVaultKey (*AgeKey)(nil), // 6: AgeKey - (*EncryptRequest)(nil), // 7: EncryptRequest - (*EncryptResponse)(nil), // 8: EncryptResponse - (*DecryptRequest)(nil), // 9: DecryptRequest - (*DecryptResponse)(nil), // 10: DecryptResponse - nil, // 11: KmsKey.ContextEntry + (*TencentKmsKey)(nil), // 7: TencentKmsKey + (*EncryptRequest)(nil), // 8: EncryptRequest + (*EncryptResponse)(nil), // 9: EncryptResponse + (*DecryptRequest)(nil), // 10: DecryptRequest + (*DecryptResponse)(nil), // 11: DecryptResponse + nil, // 12: KmsKey.ContextEntry } var file_keyservice_keyservice_proto_depIdxs = []int32{ 2, // 0: Key.kms_key:type_name -> KmsKey @@ -792,18 +883,19 @@ var file_keyservice_keyservice_proto_depIdxs = []int32{ 5, // 3: Key.azure_keyvault_key:type_name -> AzureKeyVaultKey 4, // 4: Key.vault_key:type_name -> VaultKey 6, // 5: Key.age_key:type_name -> AgeKey - 11, // 6: KmsKey.context:type_name -> KmsKey.ContextEntry - 0, // 7: EncryptRequest.key:type_name -> Key - 0, // 8: DecryptRequest.key:type_name -> Key - 7, // 9: KeyService.Encrypt:input_type -> EncryptRequest - 9, // 10: KeyService.Decrypt:input_type -> DecryptRequest - 8, // 11: KeyService.Encrypt:output_type -> EncryptResponse - 10, // 12: KeyService.Decrypt:output_type -> DecryptResponse - 11, // [11:13] is the sub-list for method output_type - 9, // [9:11] is the sub-list for method input_type - 9, // [9:9] is the sub-list for extension type_name - 9, // [9:9] is the sub-list for extension extendee - 0, // [0:9] is the sub-list for field type_name + 7, // 6: Key.tencent_kms_key:type_name -> TencentKmsKey + 12, // 7: KmsKey.context:type_name -> KmsKey.ContextEntry + 0, // 8: EncryptRequest.key:type_name -> Key + 0, // 9: DecryptRequest.key:type_name -> Key + 8, // 10: KeyService.Encrypt:input_type -> EncryptRequest + 10, // 11: KeyService.Decrypt:input_type -> DecryptRequest + 9, // 12: KeyService.Encrypt:output_type -> EncryptResponse + 11, // 13: KeyService.Decrypt:output_type -> DecryptResponse + 12, // [12:14] is the sub-list for method output_type + 10, // [10:12] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name } func init() { file_keyservice_keyservice_proto_init() } @@ -811,13 +903,160 @@ func file_keyservice_keyservice_proto_init() { if File_keyservice_keyservice_proto != nil { return } - file_keyservice_keyservice_proto_msgTypes[0].OneofWrappers = []any{ + if !protoimpl.UnsafeEnabled { + file_keyservice_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Key); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PgpKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*KmsKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GcpKmsKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*VaultKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AzureKeyVaultKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AgeKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*TencentKmsKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*EncryptRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*EncryptResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DecryptRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keyservice_keyservice_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DecryptResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + file_keyservice_keyservice_proto_msgTypes[0].OneofWrappers = []interface{}{ (*Key_KmsKey)(nil), (*Key_PgpKey)(nil), (*Key_GcpKmsKey)(nil), (*Key_AzureKeyvaultKey)(nil), (*Key_VaultKey)(nil), (*Key_AgeKey)(nil), + (*Key_TencentKmsKey)(nil), } type x struct{} out := protoimpl.TypeBuilder{ @@ -825,7 +1064,7 @@ func file_keyservice_keyservice_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_keyservice_keyservice_proto_rawDesc, NumEnums: 0, - NumMessages: 12, + NumMessages: 13, NumExtensions: 0, NumServices: 1, }, diff --git a/keyservice/keyservice.proto b/keyservice/keyservice.proto index 8bf62f89b..573efbd25 100644 --- a/keyservice/keyservice.proto +++ b/keyservice/keyservice.proto @@ -10,6 +10,7 @@ message Key { AzureKeyVaultKey azure_keyvault_key = 4; VaultKey vault_key = 5; AgeKey age_key = 6; + TencentKmsKey tencent_kms_key = 7; } } @@ -44,6 +45,10 @@ message AgeKey { string recipient = 1; } +message TencentKmsKey { + string key_id = 1; +} + message EncryptRequest { Key key = 1; bytes plaintext = 2; diff --git a/keyservice/keyservice_grpc.pb.go b/keyservice/keyservice_grpc.pb.go index d278b82d9..881a6280f 100644 --- a/keyservice/keyservice_grpc.pb.go +++ b/keyservice/keyservice_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.5.1 -// - protoc v5.28.3 +// - protoc-gen-go-grpc v1.3.0 +// - protoc v5.29.3 // source: keyservice/keyservice.proto package keyservice @@ -15,8 +15,8 @@ import ( // This is a compile-time assertion to ensure that this generated file // is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.64.0 or later. -const _ = grpc.SupportPackageIsVersion9 +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 const ( KeyService_Encrypt_FullMethodName = "/KeyService/Encrypt" @@ -40,9 +40,8 @@ func NewKeyServiceClient(cc grpc.ClientConnInterface) KeyServiceClient { } func (c *keyServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(EncryptResponse) - err := c.cc.Invoke(ctx, KeyService_Encrypt_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, KeyService_Encrypt_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -50,9 +49,8 @@ func (c *keyServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts } func (c *keyServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(DecryptResponse) - err := c.cc.Invoke(ctx, KeyService_Decrypt_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, KeyService_Decrypt_FullMethodName, in, out, opts...) if err != nil { return nil, err } @@ -60,19 +58,17 @@ func (c *keyServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts } // KeyServiceServer is the server API for KeyService service. -// All implementations should embed UnimplementedKeyServiceServer -// for forward compatibility. +// All implementations must embed UnimplementedKeyServiceServer +// for forward compatibility type KeyServiceServer interface { Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) + mustEmbedUnimplementedKeyServiceServer() } -// UnimplementedKeyServiceServer should be embedded to have -// forward compatible implementations. -// -// NOTE: this should be embedded by value instead of pointer to avoid a nil -// pointer dereference when methods are called. -type UnimplementedKeyServiceServer struct{} +// UnimplementedKeyServiceServer must be embedded to have forward compatible implementations. +type UnimplementedKeyServiceServer struct { +} func (UnimplementedKeyServiceServer) Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented") @@ -80,7 +76,7 @@ func (UnimplementedKeyServiceServer) Encrypt(context.Context, *EncryptRequest) ( func (UnimplementedKeyServiceServer) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented") } -func (UnimplementedKeyServiceServer) testEmbeddedByValue() {} +func (UnimplementedKeyServiceServer) mustEmbedUnimplementedKeyServiceServer() {} // UnsafeKeyServiceServer may be embedded to opt out of forward compatibility for this service. // Use of this interface is not recommended, as added methods to KeyServiceServer will @@ -90,13 +86,6 @@ type UnsafeKeyServiceServer interface { } func RegisterKeyServiceServer(s grpc.ServiceRegistrar, srv KeyServiceServer) { - // If the following call pancis, it indicates UnimplementedKeyServiceServer was - // embedded by pointer and is nil. This will cause panics if an - // unimplemented method is ever invoked, so we test this at initialization - // time to prevent it from happening at runtime later due to I/O. - if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { - t.testEmbeddedByValue() - } s.RegisterService(&KeyService_ServiceDesc, srv) } diff --git a/keyservice/server.go b/keyservice/server.go index 9f2b486a6..0a9d709ab 100644 --- a/keyservice/server.go +++ b/keyservice/server.go @@ -9,6 +9,7 @@ import ( "github.com/getsops/sops/v3/hcvault" "github.com/getsops/sops/v3/kms" "github.com/getsops/sops/v3/pgp" + "github.com/getsops/sops/v3/tencentkms" "golang.org/x/net/context" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -18,6 +19,8 @@ import ( type Server struct { // Prompt indicates whether the server should prompt before decrypting or encrypting data Prompt bool + // Embed UnimplementedKeyServiceServer for forward compatibility + UnimplementedKeyServiceServer } func (ks *Server) encryptWithPgp(key *PgpKey, plaintext []byte) ([]byte, error) { @@ -87,6 +90,17 @@ func (ks *Server) encryptWithAge(key *AgeKey, plaintext []byte) ([]byte, error) return []byte(ageKey.EncryptedKey), nil } +func (ks *Server) encryptWithTencentKms(key *TencentKmsKey, plaintext []byte) ([]byte, error) { + tencentKmsKey := tencentkms.MasterKey{ + KeyID: key.KeyId, + } + err := tencentKmsKey.Encrypt(plaintext) + if err != nil { + return nil, err + } + return []byte(tencentKmsKey.EncryptedKey), nil +} + func (ks *Server) decryptWithPgp(key *PgpKey, ciphertext []byte) ([]byte, error) { pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint) pgpKey.EncryptedKey = string(ciphertext) @@ -141,6 +155,15 @@ func (ks *Server) decryptWithAge(key *AgeKey, ciphertext []byte) ([]byte, error) return []byte(plaintext), err } +func (ks *Server) decryptWithTencentKms(key *TencentKmsKey, ciphertext []byte) ([]byte, error) { + tencentKmsKey := tencentkms.MasterKey{ + KeyID: key.KeyId, + } + tencentKmsKey.EncryptedKey = string(ciphertext) + plaintext, err := tencentKmsKey.Decrypt() + return []byte(plaintext), err +} + // Encrypt takes an encrypt request and encrypts the provided plaintext with the provided key, returning the encrypted // result func (ks Server) Encrypt(ctx context.Context, @@ -196,6 +219,14 @@ func (ks Server) Encrypt(ctx context.Context, response = &EncryptResponse{ Ciphertext: ciphertext, } + case *Key_TencentKmsKey: + ciphertext, err := ks.encryptWithTencentKms(k.TencentKmsKey, req.Plaintext) + if err != nil { + return nil, err + } + response = &EncryptResponse{ + Ciphertext: ciphertext, + } case nil: return nil, status.Errorf(codes.NotFound, "Must provide a key") default: @@ -222,6 +253,10 @@ func keyToString(key *Key) string { return fmt.Sprintf("Azure Key Vault key with URL %s/keys/%s/%s", k.AzureKeyvaultKey.VaultUrl, k.AzureKeyvaultKey.Name, k.AzureKeyvaultKey.Version) case *Key_VaultKey: return fmt.Sprintf("Hashicorp Vault key with URI %s/v1/%s/keys/%s", k.VaultKey.VaultAddress, k.VaultKey.EnginePath, k.VaultKey.KeyName) + case *Key_AgeKey: + return fmt.Sprintf("Age key with recipient %s", k.AgeKey.Recipient) + case *Key_TencentKmsKey: + return fmt.Sprintf("Tencent Cloud KMS key with ID %s", k.TencentKmsKey.KeyId) default: return "Unknown key type" } @@ -298,6 +333,14 @@ func (ks Server) Decrypt(ctx context.Context, response = &DecryptResponse{ Plaintext: plaintext, } + case *Key_TencentKmsKey: + plaintext, err := ks.decryptWithTencentKms(k.TencentKmsKey, req.Ciphertext) + if err != nil { + return nil, err + } + response = &DecryptResponse{ + Plaintext: plaintext, + } case nil: return nil, status.Errorf(codes.NotFound, "Must provide a key") default: diff --git a/stores/stores.go b/stores/stores.go index 4d7f3788c..2eaffede6 100644 --- a/stores/stores.go +++ b/stores/stores.go @@ -22,6 +22,7 @@ import ( "github.com/getsops/sops/v3/hcvault" "github.com/getsops/sops/v3/kms" "github.com/getsops/sops/v3/pgp" + "github.com/getsops/sops/v3/tencentkms" ) const ( @@ -43,33 +44,35 @@ type SopsFile struct { // in order to allow the binary format to stay backwards compatible over time, but at the same time allow the internal // representation SOPS uses to change over time. type Metadata struct { - ShamirThreshold int `yaml:"shamir_threshold,omitempty" json:"shamir_threshold,omitempty"` - KeyGroups []keygroup `yaml:"key_groups,omitempty" json:"key_groups,omitempty"` - KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"` - GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"` - AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"` - VaultKeys []vaultkey `yaml:"hc_vault,omitempty" json:"hc_vault,omitempty"` - AgeKeys []agekey `yaml:"age,omitempty" json:"age,omitempty"` - LastModified string `yaml:"lastmodified" json:"lastmodified"` - MessageAuthenticationCode string `yaml:"mac" json:"mac"` - PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"` - UnencryptedSuffix string `yaml:"unencrypted_suffix,omitempty" json:"unencrypted_suffix,omitempty"` - EncryptedSuffix string `yaml:"encrypted_suffix,omitempty" json:"encrypted_suffix,omitempty"` - UnencryptedRegex string `yaml:"unencrypted_regex,omitempty" json:"unencrypted_regex,omitempty"` - EncryptedRegex string `yaml:"encrypted_regex,omitempty" json:"encrypted_regex,omitempty"` - UnencryptedCommentRegex string `yaml:"unencrypted_comment_regex,omitempty" json:"unencrypted_comment_regex,omitempty"` - EncryptedCommentRegex string `yaml:"encrypted_comment_regex,omitempty" json:"encrypted_comment_regex,omitempty"` - MACOnlyEncrypted bool `yaml:"mac_only_encrypted,omitempty" json:"mac_only_encrypted,omitempty"` - Version string `yaml:"version" json:"version"` + ShamirThreshold int `yaml:"shamir_threshold,omitempty" json:"shamir_threshold,omitempty"` + KeyGroups []keygroup `yaml:"key_groups,omitempty" json:"key_groups,omitempty"` + KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"` + GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"` + AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"` + VaultKeys []vaultkey `yaml:"hc_vault,omitempty" json:"hc_vault,omitempty"` + AgeKeys []agekey `yaml:"age,omitempty" json:"age,omitempty"` + TencentKMSKeys []tencentkmskey `yaml:"tencent_kms,omitempty" json:"tencent_kms,omitempty"` + LastModified string `yaml:"lastmodified" json:"lastmodified"` + MessageAuthenticationCode string `yaml:"mac" json:"mac"` + PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"` + UnencryptedSuffix string `yaml:"unencrypted_suffix,omitempty" json:"unencrypted_suffix,omitempty"` + EncryptedSuffix string `yaml:"encrypted_suffix,omitempty" json:"encrypted_suffix,omitempty"` + UnencryptedRegex string `yaml:"unencrypted_regex,omitempty" json:"unencrypted_regex,omitempty"` + EncryptedRegex string `yaml:"encrypted_regex,omitempty" json:"encrypted_regex,omitempty"` + UnencryptedCommentRegex string `yaml:"unencrypted_comment_regex,omitempty" json:"unencrypted_comment_regex,omitempty"` + EncryptedCommentRegex string `yaml:"encrypted_comment_regex,omitempty" json:"encrypted_comment_regex,omitempty"` + MACOnlyEncrypted bool `yaml:"mac_only_encrypted,omitempty" json:"mac_only_encrypted,omitempty"` + Version string `yaml:"version" json:"version"` } type keygroup struct { - PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"` - KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"` - GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"` - AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"` - VaultKeys []vaultkey `yaml:"hc_vault" json:"hc_vault"` - AgeKeys []agekey `yaml:"age" json:"age"` + PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"` + KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"` + GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"` + AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"` + VaultKeys []vaultkey `yaml:"hc_vault" json:"hc_vault"` + AgeKeys []agekey `yaml:"age" json:"age"` + TencentKMSKeys []tencentkmskey `yaml:"tencent_kms" json:"tencent_kms"` } type pgpkey struct { @@ -114,6 +117,12 @@ type agekey struct { EncryptedDataKey string `yaml:"enc" json:"enc"` } +type tencentkmskey struct { + KeyID string `yaml:"key_id" json:"key_id"` + CreatedAt string `yaml:"created_at" json:"created_at"` + EncryptedDataKey string `yaml:"enc" json:"enc"` +} + // MetadataFromInternal converts an internal SOPS metadata representation to a representation appropriate for storage func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata { var m Metadata @@ -136,6 +145,7 @@ func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata { m.VaultKeys = vaultKeysFromGroup(group) m.AzureKeyVaultKeys = azkvKeysFromGroup(group) m.AgeKeys = ageKeysFromGroup(group) + m.TencentKMSKeys = tencentkmsKeysFromGroup(group) } else { for _, group := range sopsMetadata.KeyGroups { m.KeyGroups = append(m.KeyGroups, keygroup{ @@ -145,6 +155,7 @@ func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata { VaultKeys: vaultKeysFromGroup(group), AzureKeyVaultKeys: azkvKeysFromGroup(group), AgeKeys: ageKeysFromGroup(group), + TencentKMSKeys: tencentkmsKeysFromGroup(group), }) } } @@ -241,6 +252,20 @@ func ageKeysFromGroup(group sops.KeyGroup) (keys []agekey) { return } +func tencentkmsKeysFromGroup(group sops.KeyGroup) (keys []tencentkmskey) { + for _, key := range group { + switch key := key.(type) { + case *tencentkms.MasterKey: + keys = append(keys, tencentkmskey{ + KeyID: key.KeyID, + CreatedAt: key.CreationDate.Format(time.RFC3339), + EncryptedDataKey: key.EncryptedKey, + }) + } + } + return +} + // ToInternal converts a storage-appropriate Metadata struct to a SOPS internal representation func (m *Metadata) ToInternal() (sops.Metadata, error) { lastModified, err := time.Parse(time.RFC3339, m.LastModified) @@ -295,7 +320,19 @@ func (m *Metadata) ToInternal() (sops.Metadata, error) { }, nil } -func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, azkvKeys []azkvkey, vaultKeys []vaultkey, ageKeys []agekey) (sops.KeyGroup, error) { +func (tencentKmsKey *tencentkmskey) toInternal() (*tencentkms.MasterKey, error) { + creationDate, err := time.Parse(time.RFC3339, tencentKmsKey.CreatedAt) + if err != nil { + return nil, err + } + return &tencentkms.MasterKey{ + KeyID: tencentKmsKey.KeyID, + EncryptedKey: tencentKmsKey.EncryptedDataKey, + CreationDate: creationDate, + }, nil +} + +func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, azkvKeys []azkvkey, vaultKeys []vaultkey, ageKeys []agekey, tencentKmsKeys []tencentkmskey) (sops.KeyGroup, error) { var internalGroup sops.KeyGroup for _, kmsKey := range kmsKeys { k, err := kmsKey.toInternal() @@ -339,13 +376,20 @@ func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmske } internalGroup = append(internalGroup, k) } + for _, tencentKmsKey := range tencentKmsKeys { + k, err := tencentKmsKey.toInternal() + if err != nil { + return nil, err + } + internalGroup = append(internalGroup, k) + } return internalGroup, nil } func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) { var internalGroups []sops.KeyGroup - if len(m.PGPKeys) > 0 || len(m.KMSKeys) > 0 || len(m.GCPKMSKeys) > 0 || len(m.AzureKeyVaultKeys) > 0 || len(m.VaultKeys) > 0 || len(m.AgeKeys) > 0 { - internalGroup, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.AzureKeyVaultKeys, m.VaultKeys, m.AgeKeys) + if len(m.PGPKeys) > 0 || len(m.KMSKeys) > 0 || len(m.GCPKMSKeys) > 0 || len(m.AzureKeyVaultKeys) > 0 || len(m.VaultKeys) > 0 || len(m.AgeKeys) > 0 || len(m.TencentKMSKeys) > 0 { + internalGroup, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.AzureKeyVaultKeys, m.VaultKeys, m.AgeKeys, m.TencentKMSKeys) if err != nil { return nil, err } @@ -353,7 +397,7 @@ func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) { return internalGroups, nil } else if len(m.KeyGroups) > 0 { for _, group := range m.KeyGroups { - internalGroup, err := internalGroupFrom(group.KMSKeys, group.PGPKeys, group.GCPKMSKeys, group.AzureKeyVaultKeys, group.VaultKeys, group.AgeKeys) + internalGroup, err := internalGroupFrom(group.KMSKeys, group.PGPKeys, group.GCPKMSKeys, group.AzureKeyVaultKeys, group.VaultKeys, group.AgeKeys, group.TencentKMSKeys) if err != nil { return nil, err } diff --git a/tencentkms/keysource.go b/tencentkms/keysource.go new file mode 100644 index 000000000..158a3eec4 --- /dev/null +++ b/tencentkms/keysource.go @@ -0,0 +1,256 @@ +/* +Package tencentkms contains an implementation of the github.com/getsops/sops/v3/keys.MasterKey +interface that encrypts and decrypts the data key using Tencent Cloud KMS with the +Tencent Cloud SDK for Go. +*/ +package tencentkms // import "github.com/getsops/sops/v3/tencentkms" + +import ( + "context" + "encoding/base64" + "fmt" + "os" + "strings" + "time" + + "github.com/getsops/sops/v3/logging" + "github.com/sirupsen/logrus" + "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common" + "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile" + kms "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/kms/v20190118" +) + +const ( + // KeyTypeIdentifier is the string used to identify a Tencent Cloud KMS MasterKey. + KeyTypeIdentifier = "tencent_kms" + // TencentKmsEnvVar is the environment variable name for Tencent Cloud KMS key IDs. + TencentKmsEnvVar = "SOPS_TENCENT_KMS_IDS" + + // TencentSecretIdEnvVar is the environment variable name for Tencent Cloud SecretId. + TencentSecretIdEnvVar = "TENCENTCLOUD_SECRET_ID" + // TencentSecretKeyEnvVar is the environment variable name for Tencent Cloud SecretKey. + TencentSecretKeyEnvVar = "TENCENTCLOUD_SECRET_KEY" + // TencentTokenEnvVar is the environment variable name for Tencent Cloud Token. + TencentTokenEnvVar = "TENCENTCLOUD_TOKEN" + // TencentRegionEnvVar is the environment variable name for Tencent Cloud region. + TencentRegionEnvVar = "TENCENTCLOUD_REGION" + // TencentKMSEndpointEnvVar is the environment variable name for Tencent Cloud kms service endpoint. + TencentKMSEndpointEnvVar = "TENCENTCLOUD_KMS_ENDPOINT" +) + +var ( + // log is the global logger for any Tencent Cloud KMS MasterKey. + log *logrus.Logger + // tencent kms TTL is the duration after which a MasterKey requires rotation. + tencentkmsTTL = time.Hour * 24 * 30 * 6 +) + +func init() { + log = logging.NewLogger("TENCENT_KMS") +} + +// MasterKey is a Tencent Cloud KMS Key used to Encrypt and Decrypt SOPS' data key. +type MasterKey struct { + // KeyID is the ID of the Tencent Cloud KMS key. + KeyID string + // Region is the region of the Tencent Cloud KMS key. + Region string + // EncryptedKey contains the SOPS data key encrypted with the Tencent Cloud KMS key. + EncryptedKey string + // CreationDate of the MasterKey, used to determine if the EncryptedKey needs rotation. + CreationDate time.Time + + // secretId is the Tencent Cloud SecretId used for authentication. + secretId string + // secretKey is the Tencent Cloud SecretKey used for authentication. + secretKey string + // token is the Tencent Cloud STS token used for authentication. + token string +} + +// NewMasterKeyFromKeyID creates a new MasterKey with the provided Key ID. +func NewMasterKeyFromKeyID(keyID string) *MasterKey { + k := &MasterKey{} + keyID = strings.Replace(keyID, " ", "", -1) + k.KeyID = keyID + k.CreationDate = time.Now().UTC() + return k +} + +// MasterKeysFromKeyIDString takes a comma separated list of Tencent KMS +// KeyIDs and returns a slice of new MasterKeys for them. +func MasterKeysFromKeyIDString(keyID string) []*MasterKey { + var keys []*MasterKey + if keyID == "" { + return keys + } + for _, s := range strings.Split(keyID, ",") { + keys = append(keys, NewMasterKeyFromKeyID(s)) + } + return keys +} + +// Encrypt takes a SOPS data key, encrypts it with Tencent Cloud KMS, and stores the result in the EncryptedKey field. +// Consider using EncryptContext instead. +func (key *MasterKey) Encrypt(dataKey []byte) error { + return key.EncryptContext(context.Background(), dataKey) +} + +// EncryptContext takes a SOPS data key, encrypts it with Tencent Cloud KMS, and stores the result in the EncryptedKey field. +func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error { + client, err := key.createClient() + if err != nil { + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Encryption failed") + return fmt.Errorf("failed to create Tencent Cloud KMS client: %w", err) + } + + // Create encryption request + request := kms.NewEncryptRequest() + request.KeyId = common.StringPtr(key.KeyID) + request.Plaintext = common.StringPtr(base64.StdEncoding.EncodeToString(dataKey)) + + // Send encryption request + response, err := client.EncryptWithContext(ctx, request) + if err != nil { + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Encryption failed") + return fmt.Errorf("failed to encrypt data key with Tencent Cloud KMS: %w", err) + } + + // Store the encrypted key + key.EncryptedKey = *response.Response.CiphertextBlob + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Encryption successful") + return nil +} + +// EncryptIfNeeded encrypts the provided SOPS data key, if it has not been encrypted yet. +func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { + if key.EncryptedKey == "" { + return key.Encrypt(dataKey) + } + return nil +} + +// EncryptedDataKey returns the encrypted data key this master key holds. +func (key *MasterKey) EncryptedDataKey() []byte { + return []byte(key.EncryptedKey) +} + +// SetEncryptedDataKey sets the encrypted data key for this master key. +func (key *MasterKey) SetEncryptedDataKey(encrypted []byte) { + key.EncryptedKey = string(encrypted) +} + +// Decrypt decrypts the EncryptedKey field with Tencent Cloud KMS and returns the result. +func (key *MasterKey) Decrypt() ([]byte, error) { + return key.DecryptContext(context.Background()) +} + +// DecryptContext decrypts the EncryptedKey field with Tencent Cloud KMS and returns the result. +func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) { + if key.EncryptedKey == "" { + return nil, fmt.Errorf("master key is empty") + } + + client, err := key.createClient() + if err != nil { + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Decryption failed") + return nil, fmt.Errorf("failed to create Tencent Cloud KMS client: %w", err) + } + + // Create decryption request + request := kms.NewDecryptRequest() + request.CiphertextBlob = common.StringPtr(key.EncryptedKey) + + // Send decryption request + response, err := client.DecryptWithContext(ctx, request) + if err != nil { + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Decryption failed") + return nil, fmt.Errorf("failed to decrypt data key with Tencent Cloud KMS: %w", err) + } + + decodedCipher, err := base64.StdEncoding.DecodeString(*response.Response.Plaintext) + if err != nil { + log.WithField("keyId", key.KeyID).Info("Decryption failed") + return nil, err + } + + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("Decryption successful") + return decodedCipher, nil +} + +// NeedsRotation returns whether the data key needs to be rotated or not. +func (key *MasterKey) NeedsRotation() bool { + return time.Since(key.CreationDate) > (tencentkmsTTL) +} + +// ToString converts the master key to a string representation. +func (key *MasterKey) ToString() string { + return key.KeyID +} + +// ToMap converts the master key to a map representation. +func (key *MasterKey) ToMap() map[string]interface{} { + return map[string]interface{}{ + "keyId": key.KeyID, + "created_at": key.CreationDate.UTC().Format(time.RFC3339), + "enc": key.EncryptedKey, + } +} + +// TypeToIdentifier returns the key type identifier. +func (key *MasterKey) TypeToIdentifier() string { + return KeyTypeIdentifier +} + +// createClient creates a new Tencent Cloud KMS client with support for multiple authentication methods. +func (key *MasterKey) createClient() (*kms.Client, error) { + credential, err := key.getCredential() + + if credential == nil { + log.WithFields(logrus.Fields{"keyId": key.KeyID}).Info("No valid credentials found") + return nil, fmt.Errorf("no valid credentials found. Please set TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY environment variables") + } + + region := os.Getenv(TencentRegionEnvVar) + if region == "" { + region = "ap-guangzhou" + } + + cpf := profile.NewClientProfile() + endpoint := os.Getenv(TencentKMSEndpointEnvVar) + if endpoint != "" { + cpf.HttpProfile.Endpoint = endpoint + } + + client, err := kms.NewClient(credential, region, cpf) + if err != nil { + return nil, fmt.Errorf("failed to create Tencent KMS client for region %s: %w", region, err) + } + + return client, nil +} + +// getCredential gets authentication credentials, supports multiple methods +func (key *MasterKey) getCredential() (common.CredentialIface, error) { + if secretId, ok := os.LookupEnv(TencentSecretIdEnvVar); ok && len(secretId) > 0 { + key.secretId = secretId + } + + if secretKey, ok := os.LookupEnv(TencentSecretKeyEnvVar); ok && len(secretKey) > 0 { + key.secretKey = secretKey + } + + if key.secretId == "" && key.secretKey == "" { + return nil, fmt.Errorf("environment variable TENCENTCLOUD_SECRET_ID or TENCENTCLOUD_SECRET_KEY is not set") + } + + if token, ok := os.LookupEnv(TencentTokenEnvVar); ok && len(token) > 0 { + key.token = token + } + + if key.token != "" { + return common.NewTokenCredential(key.secretId, key.secretKey, key.token), nil + } + + return common.NewCredential(key.secretId, key.secretKey), nil +} diff --git a/tencentkms/keysource_integration_test.go b/tencentkms/keysource_integration_test.go new file mode 100644 index 000000000..8866a51c7 --- /dev/null +++ b/tencentkms/keysource_integration_test.go @@ -0,0 +1,74 @@ +//go:build integration + +package tencentkms + +import ( + "os" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +// TestEncryptDecryptIntegration tests the full encrypt-decrypt cycle with real KMS operations +// This test requires valid Tencent KMS credentials to be set as environment variables +func TestEncryptDecryptIntegration(t *testing.T) { + // Skip test if credentials are not set + _ = os.Setenv(TencentSecretIdEnvVar, "") + _ = os.Setenv(TencentSecretKeyEnvVar, "") + _ = os.Setenv(TencentRegionEnvVar, "ap-singapore") + keyID := "" + + // Test cases for encryption and decryption + testCases := []struct { + name string + plaintext string + expectError bool + }{{ + name: "Simple string encryption", + plaintext: "Hello, Tencent KMS!", + expectError: false, + }, { + name: "Empty string encryption", + plaintext: "", + expectError: true, + }, { + name: "Long string encryption", + plaintext: generateLongString(1000), // 1000 characters + expectError: false, + }} + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + // Create a new master key + masterKey := NewMasterKeyFromKeyID(keyID) + masterKey.CreationDate = time.Now().UTC() + + err := masterKey.Encrypt([]byte(tc.plaintext)) + if tc.expectError { + assert.Error(t, err) + return + } + assert.NoError(t, err) + assert.NotNil(t, masterKey.EncryptedKey) + + // Decrypt the data key + decryptedKey, err := masterKey.Decrypt() + assert.NoError(t, err) + assert.NotNil(t, decryptedKey) + assert.Equal(t, tc.plaintext, string(decryptedKey)) + + // Verify key rotation status (should not need rotation if recently created) + assert.False(t, masterKey.NeedsRotation(), "Newly created key should not need rotation") + }) + } +} + +// generateLongString creates a string of the specified length for testing +func generateLongString(length int) string { + result := make([]byte, length) + for i := 0; i < length; i++ { + result[i] = byte(65 + (i % 26)) // A-Z characters + } + return string(result) +} diff --git a/tencentkms/keysource_test.go b/tencentkms/keysource_test.go new file mode 100644 index 000000000..355109e67 --- /dev/null +++ b/tencentkms/keysource_test.go @@ -0,0 +1,338 @@ +package tencentkms + +import ( + "context" + "encoding/base64" + "os" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +var ( + // dummyKeyID + dummyKeyID = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx" + // dummyRegion + dummyRegion = "ap-singapore" + // dummyEncryptedKey + dummyEncryptedKey = "dummy-encrypted-key" +) + +// TestNewMasterKeyFromKeyID tests creating MasterKey from key ID +func TestNewMasterKeyFromKeyID(t *testing.T) { + t.Run("normal creation", func(t *testing.T) { + key := NewMasterKeyFromKeyID(dummyKeyID) + assert.Equal(t, dummyKeyID, key.KeyID) + assert.NotNil(t, key.CreationDate) + assert.Empty(t, key.Region) + assert.Empty(t, key.EncryptedKey) + }) + + t.Run("remove spaces", func(t *testing.T) { + key := NewMasterKeyFromKeyID(" xxxxx-xxxxx-xxxxx-xxxxx-xxxxx ") + assert.Equal(t, dummyKeyID, key.KeyID) + }) + + t.Run("empty string", func(t *testing.T) { + key := NewMasterKeyFromKeyID("") + assert.Empty(t, key.KeyID) + assert.NotNil(t, key.CreationDate) + }) +} + +// TestMasterKeysFromKeyIDString tests creating multiple MasterKeys from comma-separated key ID string +func TestMasterKeysFromKeyIDString(t *testing.T) { + t.Run("single key", func(t *testing.T) { + keys := MasterKeysFromKeyIDString(dummyKeyID) + assert.Len(t, keys, 1) + assert.Equal(t, dummyKeyID, keys[0].KeyID) + }) + + t.Run("multiple keys", func(t *testing.T) { + keyID2 := "yyyyy-yyyyy-yyyyy-yyyyy-yyyyy" + keys := MasterKeysFromKeyIDString(dummyKeyID + "," + keyID2) + assert.Len(t, keys, 2) + assert.Equal(t, dummyKeyID, keys[0].KeyID) + assert.Equal(t, keyID2, keys[1].KeyID) + }) + + t.Run("empty string", func(t *testing.T) { + keys := MasterKeysFromKeyIDString("") + assert.Len(t, keys, 0) + }) + + t.Run("with spaces", func(t *testing.T) { + keyID2 := "yyyyy-yyyyy-yyyyy-yyyyy-yyyyy" + keys := MasterKeysFromKeyIDString(dummyKeyID + ", " + keyID2) + assert.Len(t, keys, 2) + assert.Equal(t, dummyKeyID, keys[0].KeyID) + assert.Equal(t, keyID2, keys[1].KeyID) + }) + + t.Run("empty elements", func(t *testing.T) { + keys := MasterKeysFromKeyIDString(dummyKeyID + ",,") + assert.Len(t, keys, 3) // Empty strings will still create MasterKey + assert.Equal(t, dummyKeyID, keys[0].KeyID) + assert.Empty(t, keys[1].KeyID) + assert.Empty(t, keys[2].KeyID) + }) +} + +// TestMasterKey_EncryptIfNeeded tests encryption when needed +func TestMasterKey_EncryptIfNeeded(t *testing.T) { + // Since actual encryption requires Tencent Cloud KMS service, we use mock data for testing + key := &MasterKey{ + KeyID: dummyKeyID, + secretId: "mock-secret-id", // Set mock credentials to avoid nil reference + secretKey: "mock-secret-key", + Region: dummyRegion, + } + + // We can't actually call Tencent Cloud KMS, so we verify the logic flow + // Actual encryption will return an error, but EncryptIfNeeded should call Encrypt + err := key.EncryptIfNeeded([]byte("test-data")) + assert.Error(t, err) // Expected to fail because we're using mock credentials + + // Manually set encrypted key, then test that it won't be re-encrypted + key.EncryptedKey = dummyEncryptedKey + err = key.EncryptIfNeeded([]byte("different-data")) + assert.NoError(t, err) + assert.Equal(t, dummyEncryptedKey, key.EncryptedKey) // Confirm key wasn't modified +} + +// TestMasterKey_EncryptedDataKey tests getting encrypted data key +func TestMasterKey_EncryptedDataKey(t *testing.T) { + key := &MasterKey{EncryptedKey: dummyEncryptedKey} + assert.EqualValues(t, []byte(dummyEncryptedKey), key.EncryptedDataKey()) + + key = &MasterKey{EncryptedKey: ""} + assert.EqualValues(t, []byte(""), key.EncryptedDataKey()) +} + +// TestMasterKey_SetEncryptedDataKey tests setting encrypted data key +func TestMasterKey_SetEncryptedDataKey(t *testing.T) { + key := &MasterKey{} + data := []byte("test-encrypted-data") + key.SetEncryptedDataKey(data) + assert.Equal(t, string(data), key.EncryptedKey) + + // Test empty data + key.SetEncryptedDataKey([]byte{}) + assert.Equal(t, "", key.EncryptedKey) +} + +// TestMasterKey_NeedsRotation tests if key rotation is needed +func TestMasterKey_NeedsRotation(t *testing.T) { + key := NewMasterKeyFromKeyID(dummyKeyID) + assert.False(t, key.NeedsRotation()) // Newly created key doesn't need rotation + + // Set an expired creation time (significantly greater than TTL) + key.CreationDate = time.Now().UTC().Add(-(tencentkmsTTL + 24*time.Hour)) + assert.True(t, key.NeedsRotation()) + + // Set time significantly less than TTL to avoid precision issues + // We'll use a 1 hour difference to ensure it's clearly less than TTL + key.CreationDate = time.Now().UTC().Add(-(tencentkmsTTL - time.Hour)) + assert.False(t, key.NeedsRotation()) + + // We'll skip the exact TTL test due to time precision issues + // The implementation clearly uses '>' which means only strictly greater than TTL returns true +} + +// TestMasterKey_ToString tests conversion to string +func TestMasterKey_ToString(t *testing.T) { + key := NewMasterKeyFromKeyID(dummyKeyID) + assert.Equal(t, dummyKeyID, key.ToString()) + + key = NewMasterKeyFromKeyID("") + assert.Equal(t, "", key.ToString()) +} + +// TestMasterKey_ToMap tests conversion to map +func TestMasterKey_ToMap(t *testing.T) { + fixedTime := time.Date(2023, 1, 1, 12, 0, 0, 0, time.UTC) + key := &MasterKey{ + KeyID: dummyKeyID, + CreationDate: fixedTime, + EncryptedKey: dummyEncryptedKey, + } + + expectedMap := map[string]interface{}{ + "keyId": dummyKeyID, + "created_at": fixedTime.UTC().Format(time.RFC3339), + "enc": dummyEncryptedKey, + } + + resultMap := key.ToMap() + assert.Equal(t, expectedMap, resultMap) + + // Test empty value case + key = &MasterKey{ + KeyID: "", + CreationDate: fixedTime, + EncryptedKey: "", + } + + emptyExpectedMap := map[string]interface{}{ + "keyId": "", + "created_at": fixedTime.UTC().Format(time.RFC3339), + "enc": "", + } + + assert.Equal(t, emptyExpectedMap, key.ToMap()) +} + +// TestMasterKey_TypeToIdentifier tests type identifier +func TestMasterKey_TypeToIdentifier(t *testing.T) { + key := NewMasterKeyFromKeyID(dummyKeyID) + assert.Equal(t, KeyTypeIdentifier, key.TypeToIdentifier()) +} + +// TestMasterKey_createClient tests client creation logic +func TestMasterKey_createClient(t *testing.T) { + // Save original environment variables + originalSecretId := os.Getenv(TencentSecretIdEnvVar) + originalSecretKey := os.Getenv(TencentSecretKeyEnvVar) + originalRegion := os.Getenv(TencentRegionEnvVar) + defer func() { + // Restore original environment variables + os.Unsetenv(TencentSecretIdEnvVar) + os.Unsetenv(TencentSecretKeyEnvVar) + os.Unsetenv(TencentRegionEnvVar) + if originalSecretId != "" { + os.Setenv(TencentSecretIdEnvVar, originalSecretId) + } + if originalSecretKey != "" { + os.Setenv(TencentSecretKeyEnvVar, originalSecretKey) + } + if originalRegion != "" { + os.Setenv(TencentRegionEnvVar, originalRegion) + } + }() + + t.Run("use credentials from environment", func(t *testing.T) { + os.Setenv(TencentSecretIdEnvVar, "env-secret-id") + os.Setenv(TencentSecretKeyEnvVar, "env-secret-key") + os.Setenv(TencentRegionEnvVar, "env-region") + + key := &MasterKey{ + KeyID: dummyKeyID, + } + + client, err := key.createClient() + assert.NotNil(t, client, "should create client object from environment variables") + _ = err // Avoid unused variable warning + }) + + t.Run("prioritize credentials in key", func(t *testing.T) { + os.Setenv(TencentSecretIdEnvVar, "env-secret-id") + os.Setenv(TencentSecretKeyEnvVar, "env-secret-key") + os.Setenv(TencentRegionEnvVar, "env-region") + + key := &MasterKey{ + KeyID: dummyKeyID, + Region: "key-region", + secretId: "key-secret-id", + secretKey: "key-secret-key", + } + + // Check if function runs without crashing + client, err := key.createClient() + assert.NotNil(t, client, "should create client object") + _ = err // Avoid unused variable warning + }) + + t.Run("empty credentials", func(t *testing.T) { + key := &MasterKey{ + KeyID: dummyKeyID, + } + + // Check if client can be created with empty credentials (may return error or default client) + client, err := key.createClient() + // Don't make strict assertions, just ensure test doesn't crash + if err != nil { + assert.Error(t, err, "empty credentials may return error") + } else { + assert.NotNil(t, client, "empty credentials may return default client") + } + }) +} + +// TestEncryptDecryptMock tests encryption and decryption process (using mock data) +func TestEncryptDecryptMock(t *testing.T) { + // Create a key + key := &MasterKey{ + KeyID: dummyKeyID, + Region: dummyRegion, + secretId: "mock-secret-id", + secretKey: "mock-secret-key", + } + + // Test encryption (will fail but test the flow) + dataKey := []byte("test-data-key") + err := key.Encrypt(dataKey) + assert.Error(t, err) // Expected to fail because we're using mock credentials + + // Manually set encrypted key + key.EncryptedKey = base64.StdEncoding.EncodeToString(dataKey) + + // Test decryption (will fail but test the flow) + _, err = key.Decrypt() + assert.Error(t, err) // Expected to fail because we're using mock credentials +} + +// TestEncryptContextDecryptContextMock tests context-aware encryption and decryption process (using mock data) +func TestEncryptContextDecryptContextMock(t *testing.T) { + // Create a key + key := &MasterKey{ + KeyID: dummyKeyID, + Region: dummyRegion, + secretId: "mock-secret-id", + secretKey: "mock-secret-key", + } + + // Create a context + ctx := context.Background() + + // Test context-aware encryption (will fail but test the flow) + dataKey := []byte("test-data-key") + err := key.EncryptContext(ctx, dataKey) + assert.Error(t, err) // Expected to fail because we're using mock credentials + + // Manually set encrypted key + key.EncryptedKey = base64.StdEncoding.EncodeToString(dataKey) + + // Test context-aware decryption (will fail but test the flow) + _, err = key.DecryptContext(ctx) + assert.Error(t, err) // Expected to fail because we're using mock credentials + + // Test decryption with empty encrypted key + key.EncryptedKey = "" + _, err = key.DecryptContext(ctx) + assert.Error(t, err) + assert.Equal(t, "master key is empty", err.Error()) +} + +// TestTimeCalculations tests time calculation related functionality +func TestTimeCalculations(t *testing.T) { + // Verify TTL value + expectedTTL := time.Hour * 24 * 30 * 6 // 6 months + assert.Equal(t, expectedTTL, tencentkmsTTL) + + // Test time comparison logic + key := NewMasterKeyFromKeyID(dummyKeyID) + now := time.Now().UTC() + + // Newly created key doesn't need rotation + key.CreationDate = now + assert.False(t, key.NeedsRotation()) + + // Key close to but not exceeding TTL doesn't need rotation + key.CreationDate = now.Add(-(tencentkmsTTL - 24*time.Hour)) + assert.False(t, key.NeedsRotation()) + + // Key exceeding TTL needs rotation + key.CreationDate = now.Add(-(tencentkmsTTL + 24*time.Hour)) + assert.True(t, key.NeedsRotation()) +}