Exemple #1
0
func (m Encryptor) rewriteNode(logger lager.Logger, node *etcd.Node) error {
	if !node.Dir {
		encoder := format.NewEncoder(m.cryptor)
		payload, err := encoder.Decode([]byte(node.Value))
		if err != nil {
			logger.Error("failed-to-read-node", err, lager.Data{"etcd-key": node.Key})
			return nil
		}
		encryptedPayload, err := encoder.Encode(format.BASE64_ENCRYPTED, payload)
		if err != nil {
			return err
		}
		_, err = m.storeClient.CompareAndSwap(node.Key, encryptedPayload, etcddb.NO_TTL, node.ModifiedIndex)
		if err != nil {
			logger.Info("failed-to-compare-and-swap", lager.Data{"err": err, "etcd-key": node.Key})
			return nil
		}
	} else {
		for _, child := range node.Nodes {
			err := m.rewriteNode(logger, child)
			if err != nil {
				return err
			}
		}
	}
	return nil
}
Exemple #2
0
func decrypt(value []byte, key string, label string) (payload []byte, err error) {
	args := []string{}
	flagSet := flag.NewFlagSet("", flag.PanicOnError)
	eflags := encryption.AddEncryptionFlags(flagSet)

	args = append(args, "-encryptionKey="+key)
	args = append(args, "-activeKeyLabel="+label)
	flagSet.Parse(args)

	keyManager, err := eflags.Validate()
	encoder := format.NewEncoder(encryption.NewCryptor(keyManager, rand.Reader))
	payload, err = encoder.Decode([]byte(value))

	if err != nil {
		log.Println("Can not decode data: ", string(value))
	}

	return payload, err
}
Exemple #3
0
		keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys)
		Expect(err).NotTo(HaveOccurred())
		return encryption.NewCryptor(keyManager, rand.Reader)
	}

	Describe("PerformEncryption", func() {
		It("recursively re-encrypts all existing records", func() {
			var cryptor encryption.Cryptor
			var encoder format.Encoder

			value1 := []byte("some text")
			value2 := []byte("more text")

			cryptor = makeCryptor("old")
			encoder = format.NewEncoder(cryptor)

			encoded1, err := encoder.Encode(format.BASE64_ENCRYPTED, value1)
			Expect(err).NotTo(HaveOccurred())

			encoded2, err := encoder.Encode(format.LEGACY_UNENCODED, value2)
			Expect(err).NotTo(HaveOccurred())

			_, err = storeClient.Set(fmt.Sprintf("%s/my/key-1", etcd.V1SchemaRoot), encoded1, etcd.NO_TTL)
			Expect(err).NotTo(HaveOccurred())
			_, err = storeClient.Set(fmt.Sprintf("%s/my/nested/key-2", etcd.V1SchemaRoot), encoded2, etcd.NO_TTL)
			Expect(err).NotTo(HaveOccurred())

			cryptor = makeCryptor("new", "old")

			etcdDB = etcd.NewETCD(format.ENCRYPTED_PROTO, 100, 100, DesiredLRPCreationTimeout, cryptor, storeClient, clock)
				schedulingInfo, runInfo := desiredLRP.CreateComponents(fakeClock.Now())
				runInfo.DeprecatedStartTimeoutS = 15

				_, err := json.Marshal(desiredLRP.Routes)
				Expect(err).NotTo(HaveOccurred())

				schedInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &schedulingInfo)
				Expect(err).NotTo(HaveOccurred())
				_, err = storeClient.Set(etcddb.DesiredLRPSchedulingInfoSchemaPath(processGuid), schedInfoData, 0)
				Expect(err).NotTo(HaveOccurred())
				runInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &runInfo)
				Expect(err).NotTo(HaveOccurred())
				_, err = storeClient.Set(etcddb.DesiredLRPRunInfoSchemaPath(processGuid), runInfoData, 0)
				Expect(err).NotTo(HaveOccurred())

				encoder := format.NewEncoder(cryptor)
				encryptedVolumePlacement, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, schedulingInfo.VolumePlacement)
				Expect(err).NotTo(HaveOccurred())
				_, err = encoder.Decode(encryptedVolumePlacement)
				Expect(err).NotTo(HaveOccurred())

				migration.SetStoreClient(storeClient)
				migration.SetCryptor(cryptor)
				migration.SetClock(fakeClock)
				migrationErr = migration.Up(logger)
			})

			It("changes desiredLRP startTimeout to milliseconds", func() {
				Expect(migrationErr).NotTo(HaveOccurred())
				desiredLRP, err := db.DesiredLRPByProcessGuid(logger, processGuid)
				Expect(err).ToNot(HaveOccurred())