func initializeETCDDB(logger lager.Logger, etcdClient *etcd.Client) *etcddb.ETCDDB {
key, keys, err := encryptionFlags.Parse()
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
keyManager, err := encryption.NewKeyManager(key, keys)
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
cryptor := encryption.NewCryptor(keyManager, rand.Reader)
return etcddb.NewETCD(format.ENCRYPTED_PROTO, 1000, 1000, 1*time.Minute, cryptor, etcddb.NewStoreClient(etcdClient), clock.NewClock())
}
func initializeSQLDB(logger lager.Logger, sqlConn *sql.DB) *sqldb.SQLDB {
key, keys, err := encryptionFlags.Parse()
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
keyManager, err := encryption.NewKeyManager(key, keys)
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
cryptor := encryption.NewCryptor(keyManager, rand.Reader)
return sqldb.NewSQLDB(sqlConn, 1000, 1000, format.ENCODED_PROTO, cryptor, guidprovider.DefaultGuidProvider, clock.NewClock(), databaseDriver)
}
var _ = Describe("Base 64 Protobuf Encode Migration", func() {
var (
migration migration.Migration
serializer format.Serializer
cryptor encryption.Cryptor
logger *lagertest.TestLogger
)
BeforeEach(func() {
logger = lagertest.NewTestLogger("test")
encryptionKey, err := encryption.NewKey("label", "passphrase")
Expect(err).NotTo(HaveOccurred())
keyManager, err := encryption.NewKeyManager(encryptionKey, nil)
Expect(err).NotTo(HaveOccurred())
cryptor = encryption.NewCryptor(keyManager, rand.Reader)
serializer = format.NewSerializer(cryptor)
migration = migrations.NewBase64ProtobufEncode()
})
It("appends itself to the migration list", func() {
Expect(migrations.Migrations).To(ContainElement(migration))
})
Describe("Version", func() {
It("returns the timestamp from which it was created", func() {
Expect(migration.Version()).To(BeEquivalentTo(1441411196))
})
})
makeCryptor := func(activeLabel string, decryptionLabels ...string) encryption.Cryptor {
activeKey, err := encryption.NewKey(activeLabel, fmt.Sprintf("%s-passphrase", activeLabel))
Expect(err).NotTo(HaveOccurred())
decryptionKeys := []encryption.Key{}
for _, label := range decryptionLabels {
key, err := encryption.NewKey(label, fmt.Sprintf("%s-passphrase", label))
Expect(err).NotTo(HaveOccurred())
decryptionKeys = append(decryptionKeys, key)
}
if len(decryptionKeys) == 0 {
decryptionKeys = nil
}
keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys)
Expect(err).NotTo(HaveOccurred())
return encryption.NewCryptor(keyManager, rand.Reader)
}
Describe("PerformEncryption", func() {
It("recursively re-encrypts all existing records", func() {
var cryptor encryption.Cryptor
var encoder format.Encoder
value1 := []byte("some text")
value2 := []byte("more text")
cryptor = makeCryptor("old")
encoder = format.NewEncoder(cryptor)
encryptionKey encryption.Key
decryptionKeys []encryption.Key
manager encryption.KeyManager
cerr error
)
BeforeEach(func() {
var err error
encryptionKey, err = encryption.NewKey("key label", "pass phrase")
Expect(err).NotTo(HaveOccurred())
decryptionKeys = []encryption.Key{}
cerr = nil
})
JustBeforeEach(func() {
manager, cerr = encryption.NewKeyManager(encryptionKey, decryptionKeys)
})
It("stores the correct encryption key", func() {
Expect(cerr).NotTo(HaveOccurred())
Expect(manager.EncryptionKey()).To(Equal(encryptionKey))
})
It("adds the encryption key as a decryption key", func() {
Expect(manager.DecryptionKey(encryptionKey.Label())).To(Equal(manager.EncryptionKey()))
})
Context("when decryption keys are provided", func() {
BeforeEach(func() {
key1, err := encryption.NewKey("label1", "some pass phrase")
Expect(err).NotTo(HaveOccurred())
func main() {
debugserver.AddFlags(flag.CommandLine)
lagerflags.AddFlags(flag.CommandLine)
etcdFlags := AddETCDFlags(flag.CommandLine)
encryptionFlags := encryption.AddEncryptionFlags(flag.CommandLine)
flag.Parse()
cfhttp.Initialize(*communicationTimeout)
logger, reconfigurableSink := lagerflags.New("bbs")
logger.Info("starting")
initializeDropsonde(logger)
clock := clock.NewClock()
consulClient, err := consuladapter.NewClientFromUrl(*consulCluster)
if err != nil {
logger.Fatal("new-consul-client-failed", err)
}
serviceClient := bbs.NewServiceClient(consulClient, clock)
maintainer := initializeLockMaintainer(logger, serviceClient)
_, portString, err := net.SplitHostPort(*listenAddress)
if err != nil {
logger.Fatal("failed-invalid-listen-address", err)
}
portNum, err := net.LookupPort("tcp", portString)
if err != nil {
logger.Fatal("failed-invalid-listen-port", err)
}
_, portString, err = net.SplitHostPort(*healthAddress)
if err != nil {
logger.Fatal("failed-invalid-health-address", err)
}
_, err = net.LookupPort("tcp", portString)
if err != nil {
logger.Fatal("failed-invalid-health-port", err)
}
registrationRunner := initializeRegistrationRunner(logger, consulClient, portNum, clock)
var activeDB db.DB
var sqlDB *sqldb.SQLDB
var sqlConn *sql.DB
var storeClient etcddb.StoreClient
var etcdDB *etcddb.ETCDDB
key, keys, err := encryptionFlags.Parse()
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
keyManager, err := encryption.NewKeyManager(key, keys)
if err != nil {
logger.Fatal("cannot-setup-encryption", err)
}
cryptor := encryption.NewCryptor(keyManager, rand.Reader)
etcdOptions, err := etcdFlags.Validate()
if err != nil {
logger.Fatal("etcd-validation-failed", err)
}
if etcdOptions.IsConfigured {
storeClient = initializeEtcdStoreClient(logger, etcdOptions)
etcdDB = initializeEtcdDB(logger, cryptor, storeClient, serviceClient, *desiredLRPCreationTimeout)
activeDB = etcdDB
}
// If SQL database info is passed in, use SQL instead of ETCD
if *databaseDriver != "" && *databaseConnectionString != "" {
var err error
connectionString := appendSSLConnectionStringParam(logger, *databaseDriver, *databaseConnectionString, *sqlCACertFile)
sqlConn, err = sql.Open(*databaseDriver, connectionString)
if err != nil {
logger.Fatal("failed-to-open-sql", err)
}
defer sqlConn.Close()
sqlConn.SetMaxOpenConns(*maxDatabaseConnections)
sqlConn.SetMaxIdleConns(*maxDatabaseConnections)
err = sqlConn.Ping()
if err != nil {
logger.Fatal("sql-failed-to-connect", err)
}
sqlDB = sqldb.NewSQLDB(sqlConn, *convergenceWorkers, *updateWorkers, format.ENCRYPTED_PROTO, cryptor, guidprovider.DefaultGuidProvider, clock, *databaseDriver)
err = sqlDB.SetIsolationLevel(logger, sqldb.IsolationLevelReadCommitted)
if err != nil {
logger.Fatal("sql-failed-to-set-isolation-level", err)
}
err = sqlDB.CreateConfigurationsTable(logger)
if err != nil {
logger.Fatal("sql-failed-create-configurations-table", err)
}
activeDB = sqlDB
}
if activeDB == nil {
logger.Fatal("no-database-configured", errors.New("no database configured"))
}
encryptor := encryptor.New(logger, activeDB, keyManager, cryptor, clock)
migrationsDone := make(chan struct{})
migrationManager := migration.NewManager(
logger,
etcdDB,
storeClient,
sqlDB,
sqlConn,
cryptor,
migrations.Migrations,
migrationsDone,
clock,
*databaseDriver,
)
desiredHub := events.NewHub()
actualHub := events.NewHub()
repTLSConfig := &rep.TLSConfig{
RequireTLS: *repRequireTLS,
CaCertFile: *repCACert,
CertFile: *repClientCert,
KeyFile: *repClientKey,
ClientCacheSize: *repClientSessionCacheSize,
}
httpClient := cfhttp.NewClient()
repClientFactory, err := rep.NewClientFactory(httpClient, httpClient, repTLSConfig)
if err != nil {
logger.Fatal("new-rep-client-factory-failed", err)
}
auctioneerClient := initializeAuctioneerClient(logger)
exitChan := make(chan struct{})
var accessLogger lager.Logger
if *accessLogPath != "" {
accessLogger = lager.NewLogger("bbs-access")
file, err := os.OpenFile(*accessLogPath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
if err != nil {
logger.Error("invalid-access-log-path", err, lager.Data{"access-log-path": *accessLogPath})
os.Exit(1)
}
accessLogger.RegisterSink(lager.NewWriterSink(file, lager.INFO))
}
var tlsConfig *tls.Config
if *requireSSL {
tlsConfig, err = cfhttp.NewTLSConfig(*certFile, *keyFile, *caFile)
if err != nil {
logger.Fatal("tls-configuration-failed", err)
}
}
cbWorkPool := taskworkpool.New(logger, *taskCallBackWorkers, taskworkpool.HandleCompletedTask, tlsConfig)
handler := handlers.New(
logger,
accessLogger,
*updateWorkers,
*convergenceWorkers,
activeDB,
desiredHub,
actualHub,
cbWorkPool,
serviceClient,
auctioneerClient,
repClientFactory,
migrationsDone,
exitChan,
)
metricsNotifier := metrics.NewPeriodicMetronNotifier(logger)
retirer := controllers.NewActualLRPRetirer(activeDB, actualHub, repClientFactory, serviceClient)
lrpConvergenceController := controllers.NewLRPConvergenceController(logger, activeDB, actualHub, auctioneerClient, serviceClient, retirer, *convergenceWorkers)
taskController := controllers.NewTaskController(activeDB, cbWorkPool, auctioneerClient, serviceClient, repClientFactory)
convergerProcess := converger.New(
logger,
clock,
lrpConvergenceController,
taskController,
serviceClient,
*convergeRepeatInterval,
*kickTaskDuration,
*expirePendingTaskDuration,
*expireCompletedTaskDuration)
var server ifrit.Runner
if tlsConfig != nil {
server = http_server.NewTLSServer(*listenAddress, handler, tlsConfig)
} else {
server = http_server.New(*listenAddress, handler)
}
healthcheckServer := http_server.New(*healthAddress, http.HandlerFunc(healthCheckHandler))
members := grouper.Members{
{"healthcheck", healthcheckServer},
{"lock-maintainer", maintainer},
{"workpool", cbWorkPool},
{"server", server},
{"migration-manager", migrationManager},
{"encryptor", encryptor},
{"hub-maintainer", hubMaintainer(logger, desiredHub, actualHub)},
{"metrics", *metricsNotifier},
{"converger", convergerProcess},
{"registration-runner", registrationRunner},
}
if dbgAddr := debugserver.DebugAddress(flag.CommandLine); dbgAddr != "" {
members = append(grouper.Members{
{"debug-server", debugserver.Runner(dbgAddr, reconfigurableSink)},
}, members...)
}
group := grouper.NewOrdered(os.Interrupt, members)
monitor := ifrit.Invoke(sigmon.New(group))
go func() {
// If a handler writes to this channel, we've hit an unrecoverable error
// and should shut down (cleanly)
<-exitChan
monitor.Signal(os.Interrupt)
}()
logger.Info("started")
err = <-monitor.Wait()
if sqlConn != nil {
sqlConn.Close()
}
if err != nil {
logger.Error("exited-with-failure", err)
os.Exit(1)
}
logger.Info("exited")
}
"code.cloudfoundry.org/bbs/encryption"
"code.cloudfoundry.org/bbs/encryption/encryptionfakes"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("Crypt", func() {
var cryptor encryption.Cryptor
var keyManager encryption.KeyManager
var prng io.Reader
BeforeEach(func() {
key, err := encryption.NewKey("label", "pass phrase")
Expect(err).NotTo(HaveOccurred())
keyManager, err = encryption.NewKeyManager(key, nil)
Expect(err).NotTo(HaveOccurred())
prng = rand.Reader
})
JustBeforeEach(func() {
cryptor = encryption.NewCryptor(keyManager, prng)
})
It("successfully encrypts and decrypts with a key", func() {
input := []byte("some plaintext data")
encrypted, err := cryptor.Encrypt(input)
Expect(err).NotTo(HaveOccurred())
Expect(encrypted.CipherText).NotTo(HaveLen(0))
Expect(encrypted.CipherText).NotTo(Equal(input))
sender *fake.FakeMetricSender
)
BeforeEach(func() {
sender = fake.NewFakeMetricSender()
metrics.Initialize(sender, nil)
fakeDB = new(dbfakes.FakeEncryptionDB)
logger = lagertest.NewTestLogger("test")
oldKey, err := encryption.NewKey("old-key", "old-passphrase")
encryptionKey, err := encryption.NewKey("label", "passphrase")
Expect(err).NotTo(HaveOccurred())
keyManager, err = encryption.NewKeyManager(encryptionKey, []encryption.Key{oldKey})
Expect(err).NotTo(HaveOccurred())
cryptor = encryption.NewCryptor(keyManager, rand.Reader)
fakeDB.EncryptionKeyLabelReturns("", models.ErrResourceNotFound)
})
JustBeforeEach(func() {
runner = encryptor.New(logger, fakeDB, keyManager, cryptor, clock.NewClock())
encryptorProcess = ifrit.Background(runner)
})
AfterEach(func() {
ginkgomon.Kill(encryptorProcess)
})
Expect(err).To(HaveOccurred())
})
It("splits keys on the first colon", func() {
args = append(args, "-encryptionKey="+"label:key:with:colon")
args = append(args, "-activeKeyLabel="+"label")
flagSet.Parse(args)
_, _, err := encryptionFlags.Parse()
Expect(err).ToNot(HaveOccurred())
flagSet.Parse(args)
key, keys, err := encryptionFlags.Parse()
Expect(err).ToNot(HaveOccurred())
km, err := encryption.NewKeyManager(key, keys)
Expect(km.EncryptionKey().Label()).To(Equal("label"))
})
It("ensures there's a selected active key", func() {
args = append(args, "-encryptionKey="+"label:key")
flagSet.Parse(args)
_, _, err := encryptionFlags.Parse()
Expect(err).To(HaveOccurred())
})
It("fails if the active key is not on the list", func() {
args = append(args, "-encryptionKey="+"label:key")
args = append(args, "-activeKeyLabel="+"other-label")
flagSet.Parse(args)