Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP

and HashiCorp Vault

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

azkv/keysource.go

@@ -120,7 +120,15 @@ func (t TokenCredential) ApplyToMasterKey(key *MasterKey) {
 
 // Encrypt takes a SOPS data key, encrypts it with Azure Key Vault, and stores
 // the result in the EncryptedKey field.
+//
+// Deprecated: use EncryptContext instead.
 func (key *MasterKey) Encrypt(dataKey []byte) error {
+	return key.EncryptContext(context.Background(), dataKey)
+}
+
+// EncryptContext takes a SOPS data key, encrypts it with Azure Key Vault, and stores
+// the result in the EncryptedKey field.
+func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
 	token, err := key.getTokenCredential()
 	if err != nil {
 		log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed")
@@ -133,7 +141,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		return fmt.Errorf("failed to construct Azure Key Vault client to encrypt data: %w", err)
 	}
 
-	resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{
+	resp, err := c.Encrypt(ctx, key.Name, key.Version, azkeys.KeyOperationParameters{
 		Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256),
 		Value:     dataKey,
 	}, nil)
@@ -169,7 +177,15 @@ func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
 
 // Decrypt decrypts the EncryptedKey field with Azure Key Vault and returns
 // the result.
+//
+// Deprecated: use DecryptContext instead.
 func (key *MasterKey) Decrypt() ([]byte, error) {
+	return key.DecryptContext(context.Background())
+}
+
+// DecryptContext decrypts the EncryptedKey field with Azure Key Vault and returns
+// the result.
+func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
 	token, err := key.getTokenCredential()
 	if err != nil {
 		log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption failed")
@@ -188,7 +204,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		return nil, fmt.Errorf("failed to construct Azure Key Vault client to decrypt data: %w", err)
 	}
 
-	resp, err := c.Decrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{
+	resp, err := c.Decrypt(ctx, key.Name, key.Version, azkeys.KeyOperationParameters{
 		Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256),
 		Value:     rawEncryptedKey,
 	}, nil)

gcpkms/keysource.go

@@ -118,8 +118,16 @@ func (c CredentialJSON) ApplyToMasterKey(key *MasterKey) {
 
 // Encrypt takes a SOPS data key, encrypts it with GCP KMS, and stores the
 // result in the EncryptedKey field.
+//
+// Deprecated: use EncryptContext instead.
 func (key *MasterKey) Encrypt(dataKey []byte) error {
-	service, err := key.newKMSClient()
+	return key.EncryptContext(context.Background(), dataKey)
+}
+
+// EncryptContext takes a SOPS data key, encrypts it with GCP KMS, and stores the
+// result in the EncryptedKey field.
+func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
+	service, err := key.newKMSClient(ctx)
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
 		return fmt.Errorf("cannot create GCP KMS service: %w", err)
@@ -134,7 +142,6 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		Name:      key.ResourceID,
 		Plaintext: dataKey,
 	}
-	ctx := context.Background()
 	resp, err := service.Encrypt(ctx, req)
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
@@ -169,8 +176,16 @@ func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
 
 // Decrypt decrypts the EncryptedKey field with GCP KMS and returns
 // the result.
+//
+// Deprecated: use DecryptContext instead.
 func (key *MasterKey) Decrypt() ([]byte, error) {
-	service, err := key.newKMSClient()
+	return key.DecryptContext(context.Background())
+}
+
+// DecryptContext decrypts the EncryptedKey field with GCP KMS and returns
+// the result.
+func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
+	service, err := key.newKMSClient(ctx)
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
 		return nil, fmt.Errorf("cannot create GCP KMS service: %w", err)
@@ -193,7 +208,6 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		Name:       key.ResourceID,
 		Ciphertext: decodedCipher,
 	}
-	ctx := context.Background()
 	resp, err := service.Decrypt(ctx, req)
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
@@ -232,7 +246,7 @@ func (key *MasterKey) TypeToIdentifier() string {
 // or credentialJSON, and/or grpcConn, falling back to environmental defaults.
 // It returns an error if the ResourceID is invalid, or if the setup of the
 // client fails.
-func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
+func (key *MasterKey) newKMSClient(ctx context.Context) (*kms.KeyManagementClient, error) {
 	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
 	matches := re.FindStringSubmatch(key.ResourceID)
 	if matches == nil {
@@ -265,7 +279,6 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 		opts = append(opts, option.WithGRPCConn(key.grpcConn))
 	}
 
-	ctx := context.Background()
 	client, err := kms.NewKeyManagementClient(ctx, opts...)
 	if err != nil {
 		return nil, err

gcpkms/keysource_test.go

@@ -1,6 +1,7 @@
 package gcpkms
 
 import (
+	"context"
 	"encoding/base64"
 	"fmt"
 	"net"
@@ -155,7 +156,7 @@ func TestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
 	}
 
 	for _, tt := range tests {
-		_, err := tt.key.newKMSClient()
+		_, err := tt.key.newKMSClient(context.Background())
 		if tt.errString != "" {
 			assert.Error(t, err)
 			assert.ErrorContains(t, err, tt.errString)
@@ -172,7 +173,7 @@ func TestMasterKey_createCloudKMSService_withOauthToken(t *testing.T) {
 		ResourceID: testResourceID,
 	}
 
-	_, err := masterKey.newKMSClient()
+	_, err := masterKey.newKMSClient(context.Background())
 
 	assert.NoError(t, err)
 }
@@ -182,7 +183,7 @@ func TestMasterKey_createCloudKMSService_withoutCredentials(t *testing.T) {
 		ResourceID: testResourceID,
 	}
 
-	_, err := masterKey.newKMSClient()
+	_, err := masterKey.newKMSClient(context.Background())
 
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, "credentials: could not find default credentials")

hcvault/keysource.go

@@ -2,6 +2,7 @@ package hcvault
 
 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -130,7 +131,15 @@ func NewMasterKey(address, enginePath, keyName string) *MasterKey {
 
 // Encrypt takes a SOPS data key, encrypts it with Vault Transit, and stores
 // the result in the EncryptedKey field.
+//
+// Deprecated: use EncryptContext instead.
 func (key *MasterKey) Encrypt(dataKey []byte) error {
+	return key.EncryptContext(context.Background(), dataKey)
+}
+
+// EncryptContext takes a SOPS data key, encrypts it with Vault Transit, and stores
+// the result in the EncryptedKey field.
+func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
 	fullPath := key.encryptPath()
 
 	client, err := vaultClient(key.VaultAddress, key.token)
@@ -139,7 +148,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		return err
 	}
 
-	secret, err := client.Logical().Write(fullPath, encryptPayload(dataKey))
+	secret, err := client.Logical().WriteWithContext(ctx, fullPath, encryptPayload(dataKey))
 	if err != nil {
 		log.WithField("Path", fullPath).Info("Encryption failed")
 		return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err)
@@ -175,7 +184,14 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
 }
 
 // Decrypt decrypts the EncryptedKey field with Vault Transit and returns the result.
+//
+// Deprecated: use DecryptContext instead.
 func (key *MasterKey) Decrypt() ([]byte, error) {
+	return key.DecryptContext(context.Background())
+}
+
+// DecryptContext decrypts the EncryptedKey field with Vault Transit and returns the result.
+func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
 	fullPath := key.decryptPath()
 
 	client, err := vaultClient(key.VaultAddress, key.token)
@@ -184,7 +200,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		return nil, err
 	}
 
-	secret, err := client.Logical().Write(fullPath, decryptPayload(key.EncryptedKey))
+	secret, err := client.Logical().WriteWithContext(ctx, fullPath, decryptPayload(key.EncryptedKey))
 	if err != nil {
 		log.WithField("Path", fullPath).Info("Decryption failed")
 		return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, err)

kms/keysource.go

@@ -235,8 +235,16 @@ func (c CredentialsProvider) ApplyToMasterKey(key *MasterKey) {
 
 // Encrypt takes a SOPS data key, encrypts it with KMS and stores the result
 // in the EncryptedKey field.
+//
+// Deprecated: use EncryptContext instead.
 func (key *MasterKey) Encrypt(dataKey []byte) error {
-	cfg, err := key.createKMSConfig()
+	return key.EncryptContext(context.Background(), dataKey)
+}
+
+// EncryptContext takes a SOPS data key, encrypts it with KMS and stores the result
+// in the EncryptedKey field.
+func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
+	cfg, err := key.createKMSConfig(ctx)
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Encryption failed")
 		return err
@@ -247,7 +255,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		Plaintext:         dataKey,
 		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
 	}
-	out, err := client.Encrypt(context.TODO(), input)
+	out, err := client.Encrypt(ctx, input)
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Encryption failed")
 		return fmt.Errorf("failed to encrypt sops data key with AWS KMS: %w", err)
@@ -278,13 +286,21 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
 
 // Decrypt decrypts the EncryptedKey with a newly created AWS KMS config, and
 // returns the result.
+//
+// Deprecated: use DecryptContext instead.
 func (key *MasterKey) Decrypt() ([]byte, error) {
+	return key.DecryptContext(context.Background())
+}
+
+// DecryptContext decrypts the EncryptedKey with a newly created AWS KMS config, and
+// returns the result.
+func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
 	k, err := base64.StdEncoding.DecodeString(key.EncryptedKey)
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Decryption failed")
 		return nil, fmt.Errorf("error base64-decoding encrypted data key: %s", err)
 	}
-	cfg, err := key.createKMSConfig()
+	cfg, err := key.createKMSConfig(ctx)
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Decryption failed")
 		return nil, err
@@ -295,7 +311,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		CiphertextBlob:    k,
 		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
 	}
-	decrypted, err := client.Decrypt(context.TODO(), input)
+	decrypted, err := client.Decrypt(ctx, input)
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Decryption failed")
 		return nil, fmt.Errorf("failed to decrypt sops data key with AWS KMS: %w", err)
@@ -351,15 +367,15 @@ func (key *MasterKey) TypeToIdentifier() string {
 
 // createKMSConfig returns an AWS config with the credentialsProvider of the
 // MasterKey, or the default configuration sources.
-func (key MasterKey) createKMSConfig() (*aws.Config, error) {
+func (key MasterKey) createKMSConfig(ctx context.Context) (*aws.Config, error) {
 	re := regexp.MustCompile(arnRegex)
 	matches := re.FindStringSubmatch(key.Arn)
 	if matches == nil {
 		return nil, fmt.Errorf("no valid ARN found in '%s'", key.Arn)
 	}
 	region := matches[1]
 
-	cfg, err := config.LoadDefaultConfig(context.TODO(), func(lo *config.LoadOptions) error {
+	cfg, err := config.LoadDefaultConfig(ctx, func(lo *config.LoadOptions) error {
 		// Use the credentialsProvider if present, otherwise default to reading credentials
 		// from the environment.
 		if key.credentialsProvider != nil {
@@ -376,7 +392,7 @@ func (key MasterKey) createKMSConfig() (*aws.Config, error) {
 	}
 
 	if key.Role != "" {
-		return key.createSTSConfig(&cfg)
+		return key.createSTSConfig(ctx, &cfg)
 	}
 	return &cfg, nil
 }
@@ -393,7 +409,7 @@ func (key MasterKey) createClient(config *aws.Config) *kms.Client {
 // createSTSConfig uses AWS STS to assume a role and returns a config
 // configured with that role's credentials. It returns an error if
 // it fails to construct a session name, or assume the role.
-func (key MasterKey) createSTSConfig(config *aws.Config) (*aws.Config, error) {
+func (key MasterKey) createSTSConfig(ctx context.Context, config *aws.Config) (*aws.Config, error) {
 	name, err := stsSessionName()
 	if err != nil {
 		return nil, err
@@ -404,7 +420,7 @@ func (key MasterKey) createSTSConfig(config *aws.Config) (*aws.Config, error) {
 	}
 
 	client := sts.NewFromConfig(*config)
-	out, err := client.AssumeRole(context.TODO(), input)
+	out, err := client.AssumeRole(ctx, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to assume role '%s': %w", key.Role, err)
 	}

kms/keysource_test.go

@@ -535,7 +535,7 @@ aws_secret_access_key = test-secret`), 0600))
 			if tt.envFunc != nil {
 				tt.envFunc(t)
 			}
-			cfg, err := tt.key.createKMSConfig()
+			cfg, err := tt.key.createKMSConfig(context.Background())
 			tt.assertFunc(t, cfg, err)
 		})
 	}
@@ -549,7 +549,7 @@ func TestMasterKey_createSTSConfig(t *testing.T) {
 			return
 		}
 		key := NewMasterKeyFromArn(dummyARN, nil, "")
-		cfg, err := key.createSTSConfig(nil)
+		cfg, err := key.createSTSConfig(context.Background(), nil)
 		assert.Error(t, err)
 		assert.ErrorContains(t, err, "failed to construct STS session name")
 		assert.Nil(t, cfg)
@@ -558,7 +558,7 @@ func TestMasterKey_createSTSConfig(t *testing.T) {
 	t.Run("role assumption error", func(t *testing.T) {
 		key := NewMasterKeyFromArn(dummyARN, nil, "")
 		key.Role = "role"
-		got, err := key.createSTSConfig(&aws.Config{})
+		got, err := key.createSTSConfig(context.Background(), &aws.Config{})
 		assert.Error(t, err)
 		assert.ErrorContains(t, err, "failed to assume role 'role'")
 		assert.Nil(t, got)
@@ -629,7 +629,7 @@ func createTestMasterKey(arn string) MasterKey {
 // createTestKMSClient creates a new client with the
 // aws.EndpointResolverWithOptions set to epResolver.
 func createTestKMSClient(key MasterKey) (*kms.Client, error) {
-	cfg, err := key.createKMSConfig()
+	cfg, err := key.createKMSConfig(context.Background())
 	if err != nil {
 		return nil, err
 	}