forked from Deuxfleurs/infrastructure
WIP encryption is not easy
This commit is contained in:
parent
66a496a37a
commit
eb47d6a7ca
1 changed files with 51 additions and 3 deletions
|
@ -1,21 +1,42 @@
|
||||||
package main
|
package main
|
||||||
import (
|
import (
|
||||||
"github.com/hashicorp/consul/api"
|
"github.com/hashicorp/consul/api"
|
||||||
/*"crypto/aes"*/
|
"errors"
|
||||||
"log"
|
"log"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"encoding/base64"
|
||||||
/*"github.com/aws/aws-sdk-go/service/s3"*/
|
/*"github.com/aws/aws-sdk-go/service/s3"*/
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const consul_addr string = "KV2S3_CONSUL_ADDR"
|
||||||
|
const enc_key string = "KV2S3_ENC_KEY"
|
||||||
|
|
||||||
|
const key_exp_bits int = 256
|
||||||
|
const key_exp_bytes int = key_exp_bits / 8
|
||||||
|
|
||||||
func errIsPanic(err error, format string, a ...interface{}) {
|
func errIsPanic(err error, format string, a ...interface{}) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panicf(format, a...)
|
log.Panicf(format, a...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func absentIsErr(present bool) error {
|
||||||
|
if !present {
|
||||||
|
return errors.New("Environement variable is not set.")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
log.Println("starting consul kv backup...")
|
log.Println("starting consul kv backup...")
|
||||||
|
|
||||||
|
//--- Ask Consul to Snapshot our KV
|
||||||
|
var present bool
|
||||||
conf := api.DefaultConfig()
|
conf := api.DefaultConfig()
|
||||||
//@FIXME add later support for a different URL
|
conf.Address, present = os.LookupEnv(consul_addr)
|
||||||
|
err := absentIsErr(present)
|
||||||
|
errIsPanic(err, "%v env required. %v", consul_addr, err)
|
||||||
//@FIXME add later support for HTTPS
|
//@FIXME add later support for HTTPS
|
||||||
|
|
||||||
options := api.QueryOptions {
|
options := api.QueryOptions {
|
||||||
|
@ -26,9 +47,36 @@ func main() {
|
||||||
consul, err := api.NewClient(conf)
|
consul, err := api.NewClient(conf)
|
||||||
errIsPanic(err, "Unable to build a new client. %v", err)
|
errIsPanic(err, "Unable to build a new client. %v", err)
|
||||||
|
|
||||||
_, _, err = consul.Snapshot().Save(&options)
|
reader, _, err := consul.Snapshot().Save(&options)
|
||||||
errIsPanic(err, "Snapshot failed. %v", err)
|
errIsPanic(err, "Snapshot failed. %v", err)
|
||||||
|
|
||||||
|
//--- Get encryption key and check it
|
||||||
|
b64_key, present := os.LookupEnv(enc_key)
|
||||||
|
err = absentIsErr(present)
|
||||||
|
errIsPanic(err, "%v env required. %v", enc_key, err)
|
||||||
|
raw_key, err := base64.StdEncoding.DecodeString(b64_key)
|
||||||
|
errIsPanic(err, "Unable to decode base64 key. %v", err)
|
||||||
|
|
||||||
|
err = nil
|
||||||
|
key_size_bytes := len(raw_key)
|
||||||
|
key_size_bits := key_size_bytes
|
||||||
|
|
||||||
|
if key_size_bytes != key_exp_bytes {
|
||||||
|
msg := fmt.Sprintf(
|
||||||
|
"Key size is %d bits (%d bytes) instead of %d bits (%d bytes).",
|
||||||
|
key_size_bits,
|
||||||
|
key_size_bytes,
|
||||||
|
key_exp_bits,
|
||||||
|
key_exp_bytes)
|
||||||
|
|
||||||
|
err = errors.New(msg)
|
||||||
|
}
|
||||||
|
errIsPanic(err, "We deliberately support only 256 bits (32 bytes) keys. %v", err)
|
||||||
|
|
||||||
|
//--- Encryption
|
||||||
|
// Not a simple thing to do it in a streaming manner
|
||||||
|
// To understand why age by Filippo Valsorda seems to be a good fit:
|
||||||
|
// https://neilmadden.blog/2019/12/30/a-few-comments-on-age/
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue