add encryption.multi

2020-12-14 18:26:55 -06:00 · 2020-12-14 18:26:55 -06:00 · 9b3c4383a4
--- a/cmd/aro/monitor.go
+++ b/cmd/aro/monitor.go
@ -79,12 +79,7 @@ func monitor(ctx context.Context, log *logrus.Entry) error {

 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)

-	key, err := serviceKeyvault.GetBase64Secret(ctx, env.EncryptionSecretName, "")
-	if err != nil {
-		return err
-	}
-
-	aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
+	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 	if err != nil {
 		return err
 	}
--- a/cmd/aro/portal.go
+++ b/cmd/aro/portal.go
@ -90,12 +90,7 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {

 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)

-	key, err := serviceKeyvault.GetBase64Secret(ctx, env.EncryptionSecretName, "")
-	if err != nil {
-		return err
-	}
-
-	aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
+	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 	if err != nil {
 		return err
 	}
--- a/cmd/aro/rp.go
+++ b/cmd/aro/rp.go
@ -88,12 +88,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}

-	dbKey, err := _env.ServiceKeyvault().GetBase64Secret(ctx, env.EncryptionSecretName, "")
-	if err != nil {
-		return err
-	}
-
-	aead, err := encryption.NewXChaCha20Poly1305(ctx, dbKey)
+	aead, err := encryption.NewMulti(ctx, _env.ServiceKeyvault(), env.EncryptionSecretV2Name, env.EncryptionSecretName)
 	if err != nil {
 		return err
 	}
@ -135,12 +130,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {

 	go database.EmitMetrics(ctx, log, dbOpenShiftClusters, m)

-	feKey, err := _env.ServiceKeyvault().GetBase64Secret(ctx, env.FrontendEncryptionSecretName, "")
-	if err != nil {
-		return err
-	}
-
-	feAead, err := encryption.NewXChaCha20Poly1305(ctx, feKey)
+	feAead, err := encryption.NewMulti(ctx, _env.ServiceKeyvault(), env.FrontendEncryptionSecretV2Name, env.FrontendEncryptionSecretName)
 	if err != nil {
 		return err
 	}
--- a/hack/db/db.go
+++ b/hack/db/db.go
@ -48,12 +48,7 @@ func run(ctx context.Context, log *logrus.Entry) error {

 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)

-	key, err := serviceKeyvault.GetBase64Secret(ctx, env.EncryptionSecretName, "")
-	if err != nil {
-		return err
-	}
-
-	aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
+	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 	if err != nil {
 		return err
 	}
--- a/pkg/env/env.go
+++ b/pkg/env/env.go
@ -38,7 +38,9 @@ const (
 	RPServerSecretName               = "rp-server"
 	ClusterLoggingSecretName         = "cluster-mdsd"
 	EncryptionSecretName             = "encryption-key"
+	EncryptionSecretV2Name           = "encryption-key-v2"
 	FrontendEncryptionSecretName     = "fe-encryption-key"
+	FrontendEncryptionSecretV2Name   = "fe-encryption-key-v2"
 	DBTokenServerSecretName          = "dbtoken-server"
 	PortalServerSecretName           = "portal-server"
 	PortalServerClientSecretName     = "portal-client"
--- a/pkg/util/encryption/multi.go
+++ b/pkg/util/encryption/multi.go
@ -0,0 +1,73 @@
+package encryption
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/ARO-RP/pkg/util/keyvault"
+)
+
+type multi struct {
+	sealer  AEAD
+	openers []AEAD
+}
+
+var _ AEAD = (*multi)(nil)
+
+func NewMulti(ctx context.Context, serviceKeyvault keyvault.Manager, secretName, legacySecretName string) (AEAD, error) {
+	key, err := serviceKeyvault.GetBase64Secret(ctx, secretName, "")
+	if err != nil {
+		return nil, err
+	}
+
+	aead, err := NewAES256SHA512(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+
+	m := &multi{
+		sealer: aead,
+	}
+
+	for _, x := range []struct {
+		secretName  string
+		aeadFactory func(context.Context, []byte) (AEAD, error)
+	}{
+		{secretName, NewAES256SHA512},
+		{legacySecretName, NewXChaCha20Poly1305},
+	} {
+		keys, err := serviceKeyvault.GetBase64Secrets(ctx, x.secretName)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, key := range keys {
+			aead, err = x.aeadFactory(ctx, key)
+			if err != nil {
+				return nil, err
+			}
+
+			m.openers = append(m.openers, aead)
+		}
+	}
+
+	return m, nil
+}
+
+func (c *multi) Open(input []byte) ([]byte, error) {
+	for _, opener := range c.openers {
+		b, err := opener.Open(input)
+		if err == nil {
+			return b, nil
+		}
+	}
+
+	return nil, fmt.Errorf("could not open")
+}
+
+func (c *multi) Seal(input []byte) ([]byte, error) {
+	return c.sealer.Seal(input)
+}