From 3beaab4fe965e62b88b659d40d946129abc8f489 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1chym=20Tou=C5=A1ek?=
Date: Mon, 18 Nov 2024 11:47:43 +0100
Subject: [PATCH] refactor: Simplify metadata
---
 pkg/cloudencrypt/aws.go | 8 ++++----
 pkg/cloudencrypt/aws_test.go | 8 +++-----
 pkg/cloudencrypt/azure.go | 4 ++--
 pkg/cloudencrypt/azure_test.go | 8 +++-----
 pkg/cloudencrypt/cached.go | 12 ++++++------
 pkg/cloudencrypt/cached_test.go | 8 +++-----
 pkg/cloudencrypt/dual.go | 16 ++++++++--------
 pkg/cloudencrypt/dual_test.go | 8 +++-----
 pkg/cloudencrypt/encryptor.go | 6 ++++--
 pkg/cloudencrypt/gcp.go | 8 ++++----
 pkg/cloudencrypt/gcp_test.go | 8 +++-----
 pkg/cloudencrypt/logged.go | 8 ++++----
 pkg/cloudencrypt/logged_test.go | 8 +++-----
 pkg/cloudencrypt/metadata.go | 14 --------------
 pkg/cloudencrypt/native.go | 8 ++++----
 pkg/cloudencrypt/native_test.go | 8 +++-----
 16 files changed, 57 insertions(+), 83 deletions(-)
 delete mode 100644 pkg/cloudencrypt/metadata.go
diff --git a/pkg/cloudencrypt/aws.go b/pkg/cloudencrypt/aws.go
index 5d63cd9..6616d70 100644
--- a/pkg/cloudencrypt/aws.go
+++ b/pkg/cloudencrypt/aws.go
@@ -28,11 +28,11 @@ func NewAWSEncryptor(ctx context.Context, region, keyID string) (*AWSEncryptor,
 }, nil
 }
-func (encryptor *AWSEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *AWSEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
 encryptInput := &kms.EncryptInput{
 KeyId: &encryptor.keyID,
 Plaintext: plaintext,
- EncryptionContext: buildMetadataMap(metadata...),
+ EncryptionContext: metadata,
 }
 encryptOutput, err := encryptor.client.Encrypt(ctx, encryptInput)
@@ -43,11 +43,11 @@ func (encryptor *AWSEncryptor) Encrypt(ctx context.Context, plaintext []byte, me
 return encryptOutput.CiphertextBlob, nil
 }
-func (encryptor *AWSEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *AWSEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
 decryptInput := &kms.DecryptInput{
 KeyId: &encryptor.keyID,
 CiphertextBlob: ciphertext,
- EncryptionContext: buildMetadataMap(metadata...),
+ EncryptionContext: metadata,
 }
 decryptOutput, err := encryptor.client.Decrypt(ctx, decryptInput)
diff --git a/pkg/cloudencrypt/aws_test.go b/pkg/cloudencrypt/aws_test.go
index 3795ed0..70cfe31 100644
--- a/pkg/cloudencrypt/aws_test.go
+++ b/pkg/cloudencrypt/aws_test.go
@@ -27,15 +27,13 @@ func TestAWSEncryptor(t *testing.T) {
 encryptor, err := NewAWSEncryptor(ctx, region, keyID)
 require.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 require.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "aws decryption failed: operation error KMS: Decrypt")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/azure.go b/pkg/cloudencrypt/azure.go
index 40e2278..6b90d70 100644
--- a/pkg/cloudencrypt/azure.go
+++ b/pkg/cloudencrypt/azure.go
@@ -30,7 +30,7 @@ func NewAzureEncryptor(ctx context.Context, vaultBaseURL, keyName string) (*Azur
 }, nil
 }
-func (encryptor *AzureEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *AzureEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
 algorithm := azkeys.EncryptionAlgorithmRSAOAEP256
 result, err := encryptor.client.Encrypt(
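Review bot: The two-statement construction `meta := Metadata{}` followed by `meta["metakey"] = "metavalue"` in TestAWSEncryptor reads as a leftover of the removed struct form; a map composite literal says the same in one line: `meta := Metadata{"metakey": "metavalue"}`. The same pattern recurs in azure_test.go, cached_test.go, dual_test.go, gcp_test.go, logged_test.go and native_test.go. While these tests are being touched, a second negative case that decrypts with a different value under the same key (a constructed `Metadata{"metakey": "other"}`, for instance) would show that the binding checks the value and not merely the presence of the key, which the current `Metadata{}` case does not distinguish.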
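Review bot: In the visible part of AzureEncryptor.Encrypt the new `metadata Metadata` parameter is not referenced; the body continues past the hunk (the `encryptor.client.Encrypt(` call is still open), so this may be moot, but nothing shown here ties metadata to the RSA-OAEP operation the way aws.go's `EncryptionContext: metadata` and native.go's `additionalData` do. If the Azure backend does not bind it, the Encryptor contract silently differs per implementation, and the azure_test expectation of "decryption failed" is satisfied by the DualEncryptor wrapper's native layer rather than by Azure itself. Once confirmed against the rest of the function, a doc comment such as `// Encrypt does not bind metadata to the ciphertext; wrap with DualEncryptor to obtain that binding.` would make the behavior explicit. The same applies to AzureEncryptor.Decrypt in the following hunk.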
@@ -50,7 +50,7 @@ func (encryptor *AzureEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 return result.Result, nil
 }
-func (encryptor *AzureEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *AzureEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
 algorithm := azkeys.EncryptionAlgorithmRSAOAEP256
 result, err := encryptor.client.Decrypt(
diff --git a/pkg/cloudencrypt/azure_test.go b/pkg/cloudencrypt/azure_test.go
index ce3a870..4a87c43 100644
--- a/pkg/cloudencrypt/azure_test.go
+++ b/pkg/cloudencrypt/azure_test.go
@@ -30,15 +30,13 @@ func TestAzureEncryptor(t *testing.T) {
 encryptor, err := NewDualEncryptor(ctx, azureEncryptor)
 require.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 require.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "decryption failed")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/cached.go b/pkg/cloudencrypt/cached.go
index f346acc..0c6275e 100644
--- a/pkg/cloudencrypt/cached.go
+++ b/pkg/cloudencrypt/cached.go
@@ -22,13 +22,13 @@ func NewCachedEncryptor(ctx context.Context, encryptor Encryptor, ttl time.Durat
 }, nil
 }
-func (encryptor *CachedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
- key, err := encode(buildMetadataMap(metadata...))
+func (encryptor *CachedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
+ key, err := encode(metadata)
 if err != nil {
 return nil, err
 }
- encryptedValue, err := encryptor.encryptor.Encrypt(ctx, plaintext, metadata...)
+ encryptedValue, err := encryptor.encryptor.Encrypt(ctx, plaintext, metadata)
 if err != nil {
 return nil, err
 }
@@ -40,8 +40,8 @@ func (encryptor *CachedEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 return encryptedValue, nil
 }
-func (encryptor *CachedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
- key, err := encode(buildMetadataMap(metadata...))
+func (encryptor *CachedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
+ key, err := encode(metadata)
 if err != nil {
 return nil, err
 }
@@ -53,7 +53,7 @@ func (encryptor *CachedEncryptor) Decrypt(ctx context.Context, ciphertext []byte
 return cached, nil
 }
- plaintext, err := encryptor.encryptor.Decrypt(ctx, ciphertext, metadata...)
+ plaintext, err := encryptor.encryptor.Decrypt(ctx, ciphertext, metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/cached_test.go b/pkg/cloudencrypt/cached_test.go
index e65f20c..fb03968 100644
--- a/pkg/cloudencrypt/cached_test.go
+++ b/pkg/cloudencrypt/cached_test.go
@@ -46,10 +46,8 @@ func TestCachedEncryptor(t *testing.T) {
 )
 assert.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 assert.NoError(t, err)
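Review bot: `key, err := encode(metadata)` in CachedEncryptor.Encrypt and Decrypt now receives whatever the caller passes, including a nil map, whereas the deleted buildMetadataMap always returned a non-nil map from `make`. If encode distinguishes nil from empty (encoding/json emits `null` versus `{}`; encode itself is not in this diff), then `nil` and `Metadata{}` produce different cache keys here and, more importantly, different associated data in GCPEncryptor and NativeEncryptor (the gcp.go and native.go hunks), so data sealed with an empty map before this change would not open for a caller that migrated `Decrypt(ctx, ct)` to `Decrypt(ctx, ct, nil)`. Normalising at the boundary, `if metadata == nil { metadata = Metadata{} }` before the encode call, or documenting on Metadata that nil and empty are not interchangeable, closes that gap. Worth confirming at the same time that encode yields a canonical byte string for a map (json.Marshal sorts keys; encoding/gob does not), since both the cache key and the AEAD additional data depend on it.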
@@ -57,7 +55,7 @@ func TestCachedEncryptor(t *testing.T) {
 // Wait for cached item to be available for get operations
 cache.Wait()
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "cipher: message authentication failed")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/dual.go b/pkg/cloudencrypt/dual.go
index 687a817..ad80c7d 100644
--- a/pkg/cloudencrypt/dual.go
+++ b/pkg/cloudencrypt/dual.go
@@ -21,7 +21,7 @@ func NewDualEncryptor(ctx context.Context, encryptor Encryptor) (*DualEncryptor,
 }, nil
 }
-func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
 // Generate a random secret key
 secretKey, err := generateSecretKey()
 if err != nil {
@@ -34,7 +34,7 @@ func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, m
 }
 // Encrypt the secret key
- encryptedSecretKey, err := encryptor.encryptor.Encrypt(ctx, secretKey, metadata...)
+ encryptedSecretKey, err := encryptor.encryptor.Encrypt(ctx, secretKey, metadata)
 if err != nil {
 return nil, err
 }
@@ -51,14 +51,14 @@ func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, m
 return encoded, nil
 }
-func (encryptor *DualEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
+func (encryptor *DualEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
 decoded, err := decode[map[string][]byte](ciphertext)
 if err != nil {
 return nil, err
 }
 // Decrypt the secret key
- secretKey, err := encryptor.encryptor.Decrypt(ctx, decoded[mapKeySecretKey], metadata...)
+ secretKey, err := encryptor.encryptor.Decrypt(ctx, decoded[mapKeySecretKey], metadata)
 if err != nil {
 return nil, err
 }
@@ -75,7 +75,7 @@ func (encryptor *DualEncryptor) Close() error {
 return encryptor.encryptor.Close()
 }
-func nativeEncrypt(ctx context.Context, secretKey []byte, plaintext []byte, metadata []MetadataKV) ([]byte, error) {
+func nativeEncrypt(ctx context.Context, secretKey []byte, plaintext []byte, metadata Metadata) ([]byte, error) {
 nativeEncryptor, err := NewNativeEncryptor(secretKey)
 if err != nil {
 return nil, err
@@ -84,7 +84,7 @@ func nativeEncrypt(ctx context.Context, secretKey []byte, plaintext []byte, meta
 defer nativeEncryptor.Close()
 // Encrypt given plaintext using the random secret key
- ciphertext, err := nativeEncryptor.Encrypt(ctx, plaintext, metadata...)
+ ciphertext, err := nativeEncryptor.Encrypt(ctx, plaintext, metadata)
 if err != nil {
 return nil, err
 }
@@ -92,7 +92,7 @@ func nativeEncrypt(ctx context.Context, secretKey []byte, plaintext []byte, meta
 return ciphertext, nil
 }
-func nativeDecrypt(ctx context.Context, secretKey []byte, ciphertext []byte, metadata []MetadataKV) ([]byte, error) {
+func nativeDecrypt(ctx context.Context, secretKey []byte, ciphertext []byte, metadata Metadata) ([]byte, error) {
 // Decrypt the value using the decrypted secret key
 nativeEncryptor, err := NewNativeEncryptor(secretKey)
 if err != nil {
@@ -101,7 +101,7 @@ func nativeDecrypt(ctx context.Context, secretKey []byte, ciphertext []byte, met
 defer nativeEncryptor.Close()
- plaintext, err := nativeEncryptor.Decrypt(ctx, ciphertext, metadata...)
+ plaintext, err := nativeEncryptor.Decrypt(ctx, ciphertext, metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/dual_test.go b/pkg/cloudencrypt/dual_test.go
index b2975ee..d365dc8 100644
--- a/pkg/cloudencrypt/dual_test.go
+++ b/pkg/cloudencrypt/dual_test.go
@@ -21,15 +21,13 @@ func TestDualEncryptor(t *testing.T) {
 encryptor, err := NewDualEncryptor(ctx, nativeEncryptor)
 assert.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 assert.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "cipher: message authentication failed")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/encryptor.go b/pkg/cloudencrypt/encryptor.go
index e285f88..f6d7dce 100644
--- a/pkg/cloudencrypt/encryptor.go
+++ b/pkg/cloudencrypt/encryptor.go
@@ -7,9 +7,11 @@ import (
 "github.com/pkg/errors"
 )
+type Metadata map[string]string
+
 type Encryptor interface {
- Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error)
- Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error)
+ Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error)
+ Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error)
 Close() error
 }
diff --git a/pkg/cloudencrypt/gcp.go b/pkg/cloudencrypt/gcp.go
index 794d52d..9405e18 100644
--- a/pkg/cloudencrypt/gcp.go
+++ b/pkg/cloudencrypt/gcp.go
@@ -26,8 +26,8 @@ func NewGCPEncryptor(ctx context.Context, keyID string) (*GCPEncryptor, error) {
 }, nil
 }
-func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
- additionalData, err := encode(buildMetadataMap(metadata...))
+func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
+ additionalData, err := encode(metadata)
 if err != nil {
 return nil, err
 }
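Review bot: `type Metadata map[string]string` is a new exported type, and the Encryptor interface now requires it on every Encrypt and Decrypt call, but neither the type nor the two methods carry a doc comment saying what the map means to a caller. From the other hunks, AWSEncryptor passes it as the KMS `EncryptionContext` and NativeEncryptor feeds its encoding to `gcm.Seal` as additional data, so the practical contract is that Decrypt must be given exactly the pairs used at Encrypt and that the map is authenticated rather than encrypted (it is sent to the KMS provider as-is). A comment on the type along the lines of `// Metadata is bound to the ciphertext as authenticated associated data: Decrypt must receive the same pairs that were passed to Encrypt, and the values are not confidential.`, plus a line on Encrypt/Decrypt stating whether a nil map is accepted, would make that explicit. Dropping the variadic form is also a source-breaking change for callers that invoked `Decrypt(ctx, ct)` with no metadata, which the commit message does not mention.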
@@ -46,8 +46,8 @@ func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, me
 return response.GetCiphertext(), nil
 }
-func (encryptor *GCPEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
- additionalData, err := encode(buildMetadataMap(metadata...))
+func (encryptor *GCPEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
+ additionalData, err := encode(metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/gcp_test.go b/pkg/cloudencrypt/gcp_test.go
index 1f4aaf9..53cd385 100644
--- a/pkg/cloudencrypt/gcp_test.go
+++ b/pkg/cloudencrypt/gcp_test.go
@@ -22,15 +22,13 @@ func TestGCPEncryptor(t *testing.T) {
 encryptor, err := NewGCPEncryptor(ctx, keyID)
 require.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 require.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "gcp decryption failed: rpc error: code = InvalidArgument")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/logged.go b/pkg/cloudencrypt/logged.go
index 9fb8caa..b8e4be2 100644
--- a/pkg/cloudencrypt/logged.go
+++ b/pkg/cloudencrypt/logged.go
@@ -18,8 +18,8 @@ func NewLoggedEncryptor(ctx context.Context, encryptor Encryptor, logger *log.Lo
 }, nil
 }
-func (encryptor *LoggedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
- encryptedValue, err := encryptor.encryptor.Encrypt(ctx, plaintext, metadata...)
+func (encryptor *LoggedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
+ encryptedValue, err := encryptor.encryptor.Encrypt(ctx, plaintext, metadata)
 if err != nil {
 encryptor.logger.Printf("encryption error: %s", err.Error())
 return nil, err
@@ -30,8 +30,8 @@ func (encryptor *LoggedEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 return encryptedValue, nil
 }
-func (encryptor *LoggedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
- plaintext, err := encryptor.encryptor.Decrypt(ctx, ciphertext, metadata...)
+func (encryptor *LoggedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
+ plaintext, err := encryptor.encryptor.Decrypt(ctx, ciphertext, metadata)
 if err != nil {
 encryptor.logger.Printf("decryption error: %s", err.Error())
 return nil, err
diff --git a/pkg/cloudencrypt/logged_test.go b/pkg/cloudencrypt/logged_test.go
index 0649f64..1f06d12 100644
--- a/pkg/cloudencrypt/logged_test.go
+++ b/pkg/cloudencrypt/logged_test.go
@@ -27,15 +27,13 @@ func TestLoggedEncryptor(t *testing.T) {
 encryptor, err := NewLoggedEncryptor(ctx, nativeEncryptor, logger)
 assert.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 assert.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "cipher: message authentication failed")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)
diff --git a/pkg/cloudencrypt/metadata.go b/pkg/cloudencrypt/metadata.go
deleted file mode 100644
index b55f159..0000000
--- a/pkg/cloudencrypt/metadata.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package cloudencrypt
-
-type MetadataKV struct {
- Key string
- Value string
-}
-
-func buildMetadataMap(metadata ...MetadataKV) map[string]string {
- out := make(map[string]string)
- for _, kv := range metadata {
- out[kv.Key] = kv.Value
- }
- return out
-}
diff --git a/pkg/cloudencrypt/native.go b/pkg/cloudencrypt/native.go
index eb8ddf5..ce272a8 100644
--- a/pkg/cloudencrypt/native.go
+++ b/pkg/cloudencrypt/native.go
@@ -29,8 +29,8 @@ func NewNativeEncryptor(secretKey []byte) (*NativeEncryptor, error) {
 }, nil
 }
-func (encryptor *NativeEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata ...MetadataKV) ([]byte, error) {
- additionalData, err := encode(buildMetadataMap(metadata...))
+func (encryptor *NativeEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
+ additionalData, err := encode(metadata)
 if err != nil {
 return nil, err
 }
@@ -44,8 +44,8 @@ func (encryptor *NativeEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 return encryptor.gcm.Seal(nonce, nonce, plaintext, additionalData), nil
 }
-func (encryptor *NativeEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata ...MetadataKV) ([]byte, error) {
- additionalData, err := encode(buildMetadataMap(metadata...))
+func (encryptor *NativeEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
+ additionalData, err := encode(metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/native_test.go b/pkg/cloudencrypt/native_test.go
index 69a5663..1e2fae1 100644
--- a/pkg/cloudencrypt/native_test.go
+++ b/pkg/cloudencrypt/native_test.go
@@ -18,15 +18,13 @@ func TestNativeEncryptor(t *testing.T) {
 encryptor, err := NewNativeEncryptor(secretKey)
 assert.NoError(t, err)
- meta := MetadataKV{
- Key: "metakey",
- Value: "metavalue",
- }
+ meta := Metadata{}
+ meta["metakey"] = "metavalue"
 ciphertext, err := encryptor.Encrypt(ctx, []byte("Lorem ipsum"), meta)
 assert.NoError(t, err)
- _, err = encryptor.Decrypt(ctx, ciphertext)
+ _, err = encryptor.Decrypt(ctx, ciphertext, Metadata{})
 assert.ErrorContains(t, err, "cipher: message authentication failed")
 plaintext, err := encryptor.Decrypt(ctx, ciphertext, meta)