WIP encryption is not easy
This commit is contained in:
parent
66a496a37a
commit
eb47d6a7ca
1 changed files with 51 additions and 3 deletions
|
@ -1,21 +1,42 @@
|
|||
package main
|
||||
import (
|
||||
"github.com/hashicorp/consul/api"
|
||||
/*"crypto/aes"*/
|
||||
"errors"
|
||||
"log"
|
||||
"fmt"
|
||||
"os"
|
||||
"encoding/base64"
|
||||
/*"github.com/aws/aws-sdk-go/service/s3"*/
|
||||
)
|
||||
|
||||
const consul_addr string = "KV2S3_CONSUL_ADDR"
|
||||
const enc_key string = "KV2S3_ENC_KEY"
|
||||
|
||||
const key_exp_bits int = 256
|
||||
const key_exp_bytes int = key_exp_bits / 8
|
||||
|
||||
func errIsPanic(err error, format string, a ...interface{}) {
|
||||
if err != nil {
|
||||
log.Panicf(format, a...)
|
||||
}
|
||||
}
|
||||
|
||||
func absentIsErr(present bool) error {
|
||||
if !present {
|
||||
return errors.New("Environement variable is not set.")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func main() {
|
||||
log.Println("starting consul kv backup...")
|
||||
|
||||
//--- Ask Consul to Snapshot our KV
|
||||
var present bool
|
||||
conf := api.DefaultConfig()
|
||||
//@FIXME add later support for a different URL
|
||||
conf.Address, present = os.LookupEnv(consul_addr)
|
||||
err := absentIsErr(present)
|
||||
errIsPanic(err, "%v env required. %v", consul_addr, err)
|
||||
//@FIXME add later support for HTTPS
|
||||
|
||||
options := api.QueryOptions {
|
||||
|
@ -26,9 +47,36 @@ func main() {
|
|||
consul, err := api.NewClient(conf)
|
||||
errIsPanic(err, "Unable to build a new client. %v", err)
|
||||
|
||||
_, _, err = consul.Snapshot().Save(&options)
|
||||
reader, _, err := consul.Snapshot().Save(&options)
|
||||
errIsPanic(err, "Snapshot failed. %v", err)
|
||||
|
||||
//--- Get encryption key and check it
|
||||
b64_key, present := os.LookupEnv(enc_key)
|
||||
err = absentIsErr(present)
|
||||
errIsPanic(err, "%v env required. %v", enc_key, err)
|
||||
raw_key, err := base64.StdEncoding.DecodeString(b64_key)
|
||||
errIsPanic(err, "Unable to decode base64 key. %v", err)
|
||||
|
||||
err = nil
|
||||
key_size_bytes := len(raw_key)
|
||||
key_size_bits := key_size_bytes
|
||||
|
||||
if key_size_bytes != key_exp_bytes {
|
||||
msg := fmt.Sprintf(
|
||||
"Key size is %d bits (%d bytes) instead of %d bits (%d bytes).",
|
||||
key_size_bits,
|
||||
key_size_bytes,
|
||||
key_exp_bits,
|
||||
key_exp_bytes)
|
||||
|
||||
err = errors.New(msg)
|
||||
}
|
||||
errIsPanic(err, "We deliberately support only 256 bits (32 bytes) keys. %v", err)
|
||||
|
||||
//--- Encryption
|
||||
// Not a simple thing to do it in a streaming manner
|
||||
// To understand why age by Filippo Valsorda seems to be a good fit:
|
||||
// https://neilmadden.blog/2019/12/30/a-few-comments-on-age/
|
||||
|
||||
|
||||
}
|
||||
|
|
Reference in a new issue