mirror of
https://github.com/opentofu/opentofu.git
synced 2024-12-29 10:21:01 -06:00
2f5dcd5c0a
Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
111 lines
4.0 KiB
Go
111 lines
4.0 KiB
Go
// Copyright (c) The OpenTofu Authors
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
// Copyright (c) 2023 HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package encryption
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/hcl/v2"
|
|
"github.com/opentofu/opentofu/internal/encryption/config"
|
|
)
|
|
|
|
const StateEncryptionMarkerField = "encryption"
|
|
|
|
// ReadOnlyStateEncryption is an encryption layer for reading encrypted state files.
|
|
type ReadOnlyStateEncryption interface {
|
|
// DecryptState decrypts a potentially encrypted state file and returns a valid JSON-serialized state file.
|
|
//
|
|
// When implementing this function:
|
|
//
|
|
// If the user configured no encryption, also return the input as-is regardless if the state file is valid. If the
|
|
// user configured encryption unserialize the input as JSON and check for the presence of the field specified in the
|
|
// StateEncryptionMarkerField. If the field is not present, return the input as-is and return a warning that an
|
|
// unexpected unencrypted state file was encountered. Otherwise, decrypt the state file and return the decrypted
|
|
// state file as serialized JSON. If the state file cannot be decrypted, return an error in the diagnostics.
|
|
//
|
|
// When using this function:
|
|
//
|
|
// After reading the state file from its source (local file, remote backend, etc.), pass in the state file to this
|
|
// function. Do not attempt to determine if the state file is encrypted as this function will take care of any
|
|
// and all encryption-related matters. After the function returns, use the returned byte array as a normal state
|
|
// file.
|
|
DecryptState([]byte) ([]byte, error)
|
|
}
|
|
|
|
// StateEncryption describes the interface for encrypting state files.
|
|
type StateEncryption interface {
|
|
ReadOnlyStateEncryption
|
|
|
|
// EncryptState encrypts a state file and returns the encrypted form.
|
|
//
|
|
// When implementing this function:
|
|
//
|
|
// The file should take a JSON-serialized state file as an input and encrypt it according to the configuration.
|
|
// The encrypted form should also return a JSON which contains, at least, the key specified in
|
|
// StateEncryptionMarkerField to identify the state file as encrypted. This is necessary because some backends
|
|
// expect a state file to always be a JSON file.
|
|
//
|
|
// If the user configured no encryption, this function should be a no-op and return the input unchanged. If the
|
|
// input is not a valid state file, this function should return an error in the diagnostics return.
|
|
//
|
|
// When using this function:
|
|
//
|
|
// Pass in a valid JSON-serialized state file as an input and store the output. Note that you should not pass the
|
|
// output to any additional functions that require a valid state file as it may not contain the fields typically
|
|
// present in a state file.
|
|
EncryptState([]byte) ([]byte, error)
|
|
}
|
|
|
|
type stateEncryption struct {
|
|
base *baseEncryption
|
|
}
|
|
|
|
func newStateEncryption(enc *encryption, target *config.TargetConfig, enforced bool, name string) (StateEncryption, hcl.Diagnostics) {
|
|
base, diags := newBaseEncryption(enc, target, enforced, name)
|
|
return &stateEncryption{base}, diags
|
|
}
|
|
|
|
func (s *stateEncryption) EncryptState(plainState []byte) ([]byte, error) {
|
|
return s.base.encrypt(plainState)
|
|
}
|
|
|
|
func (s *stateEncryption) DecryptState(encryptedState []byte) ([]byte, error) {
|
|
return s.base.decrypt(encryptedState, func(data []byte) error {
|
|
tmp := struct {
|
|
FormatVersion string `json:"format_version"`
|
|
}{}
|
|
err := json.Unmarshal(data, &tmp)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(tmp.FormatVersion) == 0 {
|
|
// Not a state file
|
|
return fmt.Errorf("Given payload is not a state file")
|
|
}
|
|
// Probably a state file
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func StateEncryptionDisabled() StateEncryption {
|
|
return &stateDisabled{}
|
|
}
|
|
|
|
type stateDisabled struct{}
|
|
|
|
func (s *stateDisabled) EncryptState(plainState []byte) ([]byte, error) {
|
|
return plainState, nil
|
|
}
|
|
func (s *stateDisabled) DecryptState(encryptedState []byte) ([]byte, error) {
|
|
return encryptedState, nil
|
|
}
|
|
|
|
// TODO REMOVEME once state encryption is fully integrated into the codebase
|
|
func StateEncryptionTODO() StateEncryption {
|
|
return &stateDisabled{}
|
|
}
|