func (m Encryptor) rewriteNode(logger lager.Logger, node *etcd.Node) error {
if !node.Dir {
encoder := format.NewEncoder(m.cryptor)
payload, err := encoder.Decode([]byte(node.Value))
if err != nil {
logger.Error("failed-to-read-node", err, lager.Data{"etcd-key": node.Key})
return nil
}
encryptedPayload, err := encoder.Encode(format.BASE64_ENCRYPTED, payload)
if err != nil {
return err
}
_, err = m.storeClient.CompareAndSwap(node.Key, encryptedPayload, etcddb.NO_TTL, node.ModifiedIndex)
if err != nil {
logger.Info("failed-to-compare-and-swap", lager.Data{"err": err, "etcd-key": node.Key})
return nil
}
} else {
for _, child := range node.Nodes {
err := m.rewriteNode(logger, child)
if err != nil {
return err
}
}
}
return nil
}
func decrypt(value []byte, key string, label string) (payload []byte, err error) {
args := []string{}
flagSet := flag.NewFlagSet("", flag.PanicOnError)
eflags := encryption.AddEncryptionFlags(flagSet)
args = append(args, "-encryptionKey="+key)
args = append(args, "-activeKeyLabel="+label)
flagSet.Parse(args)
keyManager, err := eflags.Validate()
encoder := format.NewEncoder(encryption.NewCryptor(keyManager, rand.Reader))
payload, err = encoder.Decode([]byte(value))
if err != nil {
log.Println("Can not decode data: ", string(value))
}
return payload, err
}
keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys)
Expect(err).NotTo(HaveOccurred())
return encryption.NewCryptor(keyManager, rand.Reader)
}
Describe("PerformEncryption", func() {
It("recursively re-encrypts all existing records", func() {
var cryptor encryption.Cryptor
var encoder format.Encoder
value1 := []byte("some text")
value2 := []byte("more text")
cryptor = makeCryptor("old")
encoder = format.NewEncoder(cryptor)
encoded1, err := encoder.Encode(format.BASE64_ENCRYPTED, value1)
Expect(err).NotTo(HaveOccurred())
encoded2, err := encoder.Encode(format.LEGACY_UNENCODED, value2)
Expect(err).NotTo(HaveOccurred())
_, err = storeClient.Set(fmt.Sprintf("%s/my/key-1", etcd.V1SchemaRoot), encoded1, etcd.NO_TTL)
Expect(err).NotTo(HaveOccurred())
_, err = storeClient.Set(fmt.Sprintf("%s/my/nested/key-2", etcd.V1SchemaRoot), encoded2, etcd.NO_TTL)
Expect(err).NotTo(HaveOccurred())
cryptor = makeCryptor("new", "old")
etcdDB = etcd.NewETCD(format.ENCRYPTED_PROTO, 100, 100, DesiredLRPCreationTimeout, cryptor, storeClient, clock)
schedulingInfo, runInfo := desiredLRP.CreateComponents(fakeClock.Now())
runInfo.DeprecatedStartTimeoutS = 15
_, err := json.Marshal(desiredLRP.Routes)
Expect(err).NotTo(HaveOccurred())
schedInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &schedulingInfo)
Expect(err).NotTo(HaveOccurred())
_, err = storeClient.Set(etcddb.DesiredLRPSchedulingInfoSchemaPath(processGuid), schedInfoData, 0)
Expect(err).NotTo(HaveOccurred())
runInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &runInfo)
Expect(err).NotTo(HaveOccurred())
_, err = storeClient.Set(etcddb.DesiredLRPRunInfoSchemaPath(processGuid), runInfoData, 0)
Expect(err).NotTo(HaveOccurred())
encoder := format.NewEncoder(cryptor)
encryptedVolumePlacement, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, schedulingInfo.VolumePlacement)
Expect(err).NotTo(HaveOccurred())
_, err = encoder.Decode(encryptedVolumePlacement)
Expect(err).NotTo(HaveOccurred())
migration.SetStoreClient(storeClient)
migration.SetCryptor(cryptor)
migration.SetClock(fakeClock)
migrationErr = migration.Up(logger)
})
It("changes desiredLRP startTimeout to milliseconds", func() {
Expect(migrationErr).NotTo(HaveOccurred())
desiredLRP, err := db.DesiredLRPByProcessGuid(logger, processGuid)
Expect(err).ToNot(HaveOccurred())
