-
Notifications
You must be signed in to change notification settings - Fork 110
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow apps to declare secret values (#129)
* Allow apps to declare secret values Add support for a `secrets` dictionary in `Schema`. Apps can declare secrets by providing an encrypted value that can only be decrypted by a private key. Each `runtime.Applet` now accepts a `SecretDecryptionKey`. If a key is provided, the runtime will use it to decrypt all of an app's secrets when loading the Starlark script. The decrypted values are provided to Starlark via the `config` object. During development, a value can be provided via `pixlet render`, or a querystring when using `pixlet serve`. * Add `pixlet encrypt` command The encrypt command encrypts secret values so that they can only be decrypted by a specific app running on the Tidbyt community servers.
- Loading branch information
1 parent
7bfb818
commit dfcc403
Showing
11 changed files
with
424 additions
and
80 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"log" | ||
|
||
"github.com/spf13/cobra" | ||
"go.starlark.net/starlark" | ||
|
||
"tidbyt.dev/pixlet/runtime" | ||
) | ||
|
||
const PublicKeysetJSON = `{ | ||
"primaryKeyId": 1589560679, | ||
"key": [ | ||
{ | ||
"keyData": { | ||
"typeUrl": "type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey", | ||
"value": "ElwKBAgCEAMSUhJQCjh0eXBlLmdvb2dsZWFwaXMuY29tL2dvb2dsZS5jcnlwdG8udGluay5BZXNDdHJIbWFjQWVhZEtleRISCgYKAggQEBASCAoECAMQEBAgGAEYARogLGtas20og5yP8/g9mCNLNCWTDeLUdcHH7o9fbzouOQoiIBIth4hdVF5A2sztwfW+hNoZ0ht/HNH3dDTEBPW3GXA2", | ||
"keyMaterialType": "ASYMMETRIC_PUBLIC" | ||
}, | ||
"status": "ENABLED", | ||
"keyId": 1589560679, | ||
"outputPrefixType": "TINK" | ||
} | ||
] | ||
}` | ||
|
||
func init() { | ||
rootCmd.AddCommand(encryptCmd) | ||
} | ||
|
||
var encryptCmd = &cobra.Command{ | ||
Use: "encrypt [app name] [secret value]...", | ||
Short: "Encrypts secrets for use in an app that will be submitted to the Tidbyt community repo", | ||
Example: "encrypt weather my-top-secretweather-api-key-123456", | ||
Args: cobra.MinimumNArgs(2), | ||
Run: encrypt, | ||
} | ||
|
||
func encrypt(cmd *cobra.Command, args []string) { | ||
sek := &runtime.SecretEncryptionKey{ | ||
PublicKeysetJSON: []byte(PublicKeysetJSON), | ||
} | ||
|
||
appName := args[0] | ||
encrypted := make([]string, len(args)-1) | ||
|
||
for i, val := range args[1:] { | ||
var err error | ||
encrypted[i], err = sek.Encrypt(appName, val) | ||
if err != nil { | ||
log.Fatalf("encrypting value: %v", err) | ||
} | ||
} | ||
|
||
for _, val := range encrypted { | ||
fmt.Println(starlark.String(val).String()) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
package runtime | ||
|
||
import ( | ||
"bytes" | ||
"encoding/base64" | ||
"strings" | ||
|
||
"github.com/google/tink/go/hybrid" | ||
"github.com/google/tink/go/keyset" | ||
"github.com/google/tink/go/tink" | ||
"github.com/pkg/errors" | ||
) | ||
|
||
// SecretDecryptionKey is a key that can be used to decrypt secrets. | ||
type SecretDecryptionKey struct { | ||
// EncryptedKeysetJSON is the encrypted JSON representation of a Tink keyset. | ||
EncryptedKeysetJSON []byte | ||
|
||
// KeyEncryptionKey is a Tink key that can be used to decrypt the keyset. | ||
KeyEncryptionKey tink.AEAD | ||
} | ||
|
||
// SecretEncryptionKey is a key that can be used to encrypt secrets, | ||
// but not decrypt them. | ||
type SecretEncryptionKey struct { | ||
// PublicKeysetJSON is the serialized JSON representation of a Tink keyset. | ||
PublicKeysetJSON []byte | ||
} | ||
|
||
func (sdk *SecretDecryptionKey) decrypt(a *Applet) error { | ||
if a.schema == nil || len(a.schema.Secrets) == 0 { | ||
// nothing to do | ||
return nil | ||
} | ||
|
||
r := bytes.NewReader(sdk.EncryptedKeysetJSON) | ||
kh, err := keyset.Read(keyset.NewJSONReader(r), sdk.KeyEncryptionKey) | ||
if err != nil { | ||
return errors.Wrap(err, "reading keyset JSON") | ||
} | ||
|
||
dec, err := hybrid.NewHybridDecrypt(kh) | ||
if err != nil { | ||
return errors.Wrap(err, "NewHybridDecrypt") | ||
} | ||
|
||
context := []byte(strings.TrimSuffix(a.Filename, ".star")) | ||
|
||
a.decryptedSecrets = make(map[string]string, len(a.schema.Secrets)) | ||
for k, v := range a.schema.Secrets { | ||
ciphertext, err := base64.StdEncoding.DecodeString(v) | ||
if err != nil { | ||
return errors.Wrapf(err, "base64 decoding of secret '%s'", k) | ||
} | ||
|
||
cleartext, err := dec.Decrypt(ciphertext, context) | ||
if err != nil { | ||
return errors.Wrapf(err, "decrypting secret '%s'", k) | ||
} | ||
|
||
a.decryptedSecrets[k] = string(cleartext) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// Encrypt encrypts a value for use as a secret in an app. Provide both a value | ||
// and the name of the app the encrypted secret will be used in. The value will | ||
// only be usable with the specified app. | ||
func (sek *SecretEncryptionKey) Encrypt(appName, plaintext string) (string, error) { | ||
r := bytes.NewReader(sek.PublicKeysetJSON) | ||
kh, err := keyset.ReadWithNoSecrets(keyset.NewJSONReader(r)) | ||
if err != nil { | ||
return "", errors.Wrap(err, "reading keyset JSON") | ||
} | ||
|
||
enc, err := hybrid.NewHybridEncrypt(kh) | ||
if err != nil { | ||
return "", errors.Wrap(err, "NewHybridEncrypt") | ||
} | ||
|
||
context := []byte(strings.TrimSuffix(appName, ".star")) | ||
ciphertext, err := enc.Encrypt([]byte(plaintext), context) | ||
if err != nil { | ||
return "", errors.Wrap(err, "encrypting secret") | ||
} | ||
|
||
return base64.StdEncoding.EncodeToString(ciphertext), nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
package runtime | ||
|
||
import ( | ||
"bytes" | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/google/tink/go/hybrid" | ||
"github.com/google/tink/go/keyset" | ||
"github.com/google/tink/go/testutil" | ||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestSecretDecrypt(t *testing.T) { | ||
plaintext := "h4x0rrszZ!!" | ||
|
||
// make a test decryption key | ||
dummyKEK := &testutil.DummyAEAD{} | ||
khPriv, err := keyset.NewHandle(hybrid.ECIESHKDFAES128CTRHMACSHA256KeyTemplate()) | ||
require.NoError(t, err) | ||
|
||
privJSON := &bytes.Buffer{} | ||
err = khPriv.Write(keyset.NewJSONWriter(privJSON), dummyKEK) | ||
require.NoError(t, err) | ||
|
||
decryptionKey := &SecretDecryptionKey{ | ||
EncryptedKeysetJSON: privJSON.Bytes(), | ||
KeyEncryptionKey: dummyKEK, | ||
} | ||
|
||
// get the corresponding public key and serialize it | ||
khPub, err := khPriv.Public() | ||
require.NoError(t, err) | ||
|
||
pubJSON := &bytes.Buffer{} | ||
err = khPub.WriteWithNoSecrets(keyset.NewJSONWriter(pubJSON)) | ||
require.NoError(t, err) | ||
|
||
// encrypt the secret | ||
encrypted, err := (&SecretEncryptionKey{ | ||
PublicKeysetJSON: pubJSON.Bytes(), | ||
}).Encrypt("test", plaintext) | ||
require.NoError(t, err) | ||
assert.NotEqual(t, encrypted, "") | ||
|
||
src := fmt.Sprintf(` | ||
load("render.star", "render") | ||
load("schema.star", "schema") | ||
def assert_eq(message, actual, expected): | ||
if not expected == actual: | ||
fail(message, "-", "expected", expected, "actual", actual) | ||
def main(config): | ||
assert_eq("secret value", config.get("top_secret"), "%s") | ||
return render.Root(child=render.Box()) | ||
def get_schema(): | ||
return schema.Schema( | ||
version = "1", | ||
secrets = { | ||
"top_secret": "%s", | ||
}, | ||
) | ||
`, plaintext, encrypted) | ||
|
||
app := &Applet{ | ||
SecretDecryptionKey: decryptionKey, | ||
} | ||
|
||
err = app.Load("test.star", []byte(src), nil) | ||
require.NoError(t, err) | ||
|
||
roots, err := app.Run(nil) | ||
assert.NoError(t, err) | ||
assert.Equal(t, 1, len(roots)) | ||
} |
Oops, something went wrong.