func (m Encryptor) rewriteNode(logger lager.Logger, node *etcd.Node) error { if !node.Dir { encoder := format.NewEncoder(m.cryptor) payload, err := encoder.Decode([]byte(node.Value)) if err != nil { logger.Error("failed-to-read-node", err, lager.Data{"etcd-key": node.Key}) return nil } encryptedPayload, err := encoder.Encode(format.BASE64_ENCRYPTED, payload) if err != nil { return err } _, err = m.storeClient.CompareAndSwap(node.Key, encryptedPayload, etcddb.NO_TTL, node.ModifiedIndex) if err != nil { logger.Info("failed-to-compare-and-swap", lager.Data{"err": err, "etcd-key": node.Key}) return nil } } else { for _, child := range node.Nodes { err := m.rewriteNode(logger, child) if err != nil { return err } } } return nil }
func decrypt(value []byte, key string, label string) (payload []byte, err error) { args := []string{} flagSet := flag.NewFlagSet("", flag.PanicOnError) eflags := encryption.AddEncryptionFlags(flagSet) args = append(args, "-encryptionKey="+key) args = append(args, "-activeKeyLabel="+label) flagSet.Parse(args) keyManager, err := eflags.Validate() encoder := format.NewEncoder(encryption.NewCryptor(keyManager, rand.Reader)) payload, err = encoder.Decode([]byte(value)) if err != nil { log.Println("Can not decode data: ", string(value)) } return payload, err }
keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys) Expect(err).NotTo(HaveOccurred()) return encryption.NewCryptor(keyManager, rand.Reader) } Describe("PerformEncryption", func() { It("recursively re-encrypts all existing records", func() { var cryptor encryption.Cryptor var encoder format.Encoder value1 := []byte("some text") value2 := []byte("more text") cryptor = makeCryptor("old") encoder = format.NewEncoder(cryptor) encoded1, err := encoder.Encode(format.BASE64_ENCRYPTED, value1) Expect(err).NotTo(HaveOccurred()) encoded2, err := encoder.Encode(format.LEGACY_UNENCODED, value2) Expect(err).NotTo(HaveOccurred()) _, err = storeClient.Set(fmt.Sprintf("%s/my/key-1", etcd.V1SchemaRoot), encoded1, etcd.NO_TTL) Expect(err).NotTo(HaveOccurred()) _, err = storeClient.Set(fmt.Sprintf("%s/my/nested/key-2", etcd.V1SchemaRoot), encoded2, etcd.NO_TTL) Expect(err).NotTo(HaveOccurred()) cryptor = makeCryptor("new", "old") etcdDB = etcd.NewETCD(format.ENCRYPTED_PROTO, 100, 100, DesiredLRPCreationTimeout, cryptor, storeClient, clock)
schedulingInfo, runInfo := desiredLRP.CreateComponents(fakeClock.Now()) runInfo.DeprecatedStartTimeoutS = 15 _, err := json.Marshal(desiredLRP.Routes) Expect(err).NotTo(HaveOccurred()) schedInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &schedulingInfo) Expect(err).NotTo(HaveOccurred()) _, err = storeClient.Set(etcddb.DesiredLRPSchedulingInfoSchemaPath(processGuid), schedInfoData, 0) Expect(err).NotTo(HaveOccurred()) runInfoData, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, &runInfo) Expect(err).NotTo(HaveOccurred()) _, err = storeClient.Set(etcddb.DesiredLRPRunInfoSchemaPath(processGuid), runInfoData, 0) Expect(err).NotTo(HaveOccurred()) encoder := format.NewEncoder(cryptor) encryptedVolumePlacement, err := serializer.Marshal(logger, format.ENCRYPTED_PROTO, schedulingInfo.VolumePlacement) Expect(err).NotTo(HaveOccurred()) _, err = encoder.Decode(encryptedVolumePlacement) Expect(err).NotTo(HaveOccurred()) migration.SetStoreClient(storeClient) migration.SetCryptor(cryptor) migration.SetClock(fakeClock) migrationErr = migration.Up(logger) }) It("changes desiredLRP startTimeout to milliseconds", func() { Expect(migrationErr).NotTo(HaveOccurred()) desiredLRP, err := db.DesiredLRPByProcessGuid(logger, processGuid) Expect(err).ToNot(HaveOccurred())