diff --git a/pkg/security/decrypt.go b/pkg/security/decrypt.go
index 5dde24a1..c5fe067a 100644
--- a/pkg/security/decrypt.go
+++ b/pkg/security/decrypt.go
@@ -12,52 +12,52 @@ import (
 "github.com/open-amt-cloud-toolkit/go-wsman-messages/v2/pkg/config"
 )
-// Decrypt ciphertext using AES-GCM with the provided key.
-func (c Crypto) Decrypt(cipherText string, key []byte) ([]byte, error) {
+// Decrypt cipher text using AES-GCM with the provided key.
+func (c Crypto) Decrypt(cipherText string) (string, error) {
 data, err := base64.StdEncoding.DecodeString(cipherText)
 if err != nil {
- return nil, err
+ return "", err
 }
- block, err := aes.NewCipher(key)
+ block, err := aes.NewCipher([]byte(c.EncryptionKey))
 if err != nil {
- return nil, err
+ return "", err
 }
 gcm, err := cipher.NewGCM(block)
 if err != nil {
- return nil, err
+ return "", err
 }
 if len(data) < gcm.NonceSize() {
- return nil, errors.New("cipher text too short")
+ return "", errors.New("cipher text too short")
 }
- nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
+ nonce, cText := data[:gcm.NonceSize()], data[gcm.NonceSize():]
- plainText, err := gcm.Open(nil, nonce, ciphertext, nil)
+ plainText, err := gcm.Open(nil, nonce, cText, nil)
 if err != nil {
- return nil, err
+ return "", err
 }
- return plainText, nil
+ return string(plainText), nil
 }
 // Read encrypted data from file and decrypt it.
-func (c Crypto) ReadAndDecryptFile(filePath string, key []byte) (config.Configuration, error) {
+func (c Crypto) ReadAndDecryptFile(filePath string) (config.Configuration, error) {
 encryptedData, err := os.ReadFile(filePath)
 if err != nil {
 return config.Configuration{}, err
 }
- decryptedData, err := c.Decrypt(string(encryptedData), key)
+ decryptedData, err := c.Decrypt(string(encryptedData))
 if err != nil {
 return config.Configuration{}, err
 }
 var configuration config.Configuration
- err = yaml.Unmarshal(decryptedData, &configuration)
+ err = yaml.Unmarshal([]byte(decryptedData), &configuration)
 if err != nil {
 return config.Configuration{}, err
 }
diff --git a/pkg/security/decrypt_test.go b/pkg/security/decrypt_test.go
index cc22db5d..f20ee7b3 100644
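Review bot: The doc comment on Decrypt still says "with the provided key", but the key is now read from the receiver's EncryptionKey field rather than passed in, so the comment is stale; suggest `// Decrypt base64-decodes cipherText and decrypts it with AES-GCM using c.EncryptionKey.` It would also help callers to state there that aes.NewCipher rejects any key that is not 16, 24 or 32 bytes (surfaced as aes.KeySizeError), and that the plaintext now comes back as an immutable string, which a caller decrypting secrets cannot zero afterwards. ReadAndDecryptFile continues past the end of the hunk.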
--- a/pkg/security/decrypt_test.go
+++ b/pkg/security/decrypt_test.go
@@ -15,8 +15,8 @@ import (
 )
 var (
- validKey = "ThisismyveryStrongkey32byteslong"
- wrongKey = "ThisismyveryStrongkey32bytelong!"
+ validKey = "Jf3Q2nXJ+GZzN1dbVQms0wbB4+i/5PjL"
+ wrongKey = "Jf3Q2nXJ+GZzN1dbVQms0wbB4+iwrong"
 shortKey = "shortKey"
 missingKey = ""
 validMessageText = "Hello, World!"
@@ -111,7 +111,7 @@ func TestDecrypt(t *testing.T) {
 key string
 expectedError expectedError
 errorMsg error
- expected []byte
+ expected string
 }{
 {
 name: "successful decryption",
@@ -119,7 +119,7 @@ func TestDecrypt(t *testing.T) {
 key: validKey,
 expectedError: expectedError{},
 errorMsg: nil,
- expected: []byte("Hello World"),
+ expected: "Hello World",
 },
 {
 name: "fail to decode base64",
@@ -127,7 +127,7 @@ func TestDecrypt(t *testing.T) {
 key: validKey,
 expectedError: expectedError{Base64Error: true},
 errorMsg: base64.CorruptInputError(7),
- expected: nil,
+ expected: "",
 },
 {
 name: "fail to create new cipher",
@@ -135,7 +135,7 @@ func TestDecrypt(t *testing.T) {
 key: missingKey,
 expectedError: expectedError{NewCipherError: true},
 errorMsg: aes.KeySizeError(0),
- expected: nil,
+ expected: "",
 },
 }
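Review bot: The new validKey and wrongKey values look like base64 text, but Decrypt and Encrypt pass `[]byte(c.EncryptionKey)` straight to aes.NewCipher, so these 32 ASCII characters are the raw AES-256 key and are never decoded; a reader may otherwise assume a decoding step is missing. Suggest a comment on the var block, `// 32 ASCII bytes used directly as the AES-256 key (not base64-decoded); wrongKey differs only in its tail.` The fixtures are test data, so the low entropy of the key is not an issue in itself.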
@@ -146,27 +146,29 @@ func TestDecrypt(t *testing.T) {
 var err error
- var decryptedString []byte
+ var decryptedString string
- cryptor := Crypto{}
+ cryptor := Crypto{
+ EncryptionKey: tc.key,
+ }
 if tc.expectedError.Base64Error {
- _, err = cryptor.Decrypt(tc.message, []byte(tc.key))
+ _, err = cryptor.Decrypt(tc.message)
 assert.Equal(t, tc.errorMsg, err)
 assert.Equal(t, tc.expected, decryptedString)
 }
 if tc.expectedError.NewCipherError {
- encryptedString, _ := cryptor.Encrypt([]byte(tc.message), tc.key)
- decryptedString, err = cryptor.Decrypt(encryptedString, []byte(tc.key))
+ encryptedString, _ := cryptor.Encrypt(tc.message)
+ decryptedString, err = cryptor.Decrypt(encryptedString)
 assert.Equal(t, tc.errorMsg, err)
 assert.Equal(t, tc.expected, decryptedString)
 }
 if !tc.expectedError.Base64Error && !tc.expectedError.NewCipherError {
- encryptedString, _ := cryptor.Encrypt([]byte(tc.message), tc.key)
- decryptedString, err = cryptor.Decrypt(encryptedString, []byte(tc.key))
- assert.Equal(t, tc.message, string(decryptedString))
+ encryptedString, _ := cryptor.Encrypt(tc.message)
+ decryptedString, err = cryptor.Decrypt(encryptedString)
+ assert.Equal(t, tc.message, decryptedString)
 assert.NoError(t, err)
 }
 })
@@ -183,7 +185,7 @@ func TestReadAndDecryptFile(t *testing.T) {
 key string
 expectedError expectedError
 errorMsg error
- expected []byte
+ expected string
 }{
 {
 name: "successful decryption",
@@ -191,7 +193,7 @@ func TestReadAndDecryptFile(t *testing.T) {
 key: validKey,
 expectedError: expectedError{},
 errorMsg: nil,
- expected: byteArrayConfigFile,
+ expected: string(byteArrayConfigFile),
 },
 {
 name: "incorrect key size",
@@ -199,7 +201,7 @@ func TestReadAndDecryptFile(t *testing.T) {
 key: shortKey,
 expectedError: expectedError{InvalidKeySizeError: true},
 errorMsg: aes.KeySizeError(8),
- expected: []byte("Hello World"),
+ expected: "",
 },
 {
 name: "incorrect key",
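Review bot: In both the NewCipherError branch and the success branch the error from `cryptor.Encrypt(tc.message)` is discarded with `_`, so a regression in Encrypt would only surface indirectly through Decrypt; in the missing-key case the assertion passes because Decrypt of the empty string it receives reaches aes.NewCipher on its own, not because the Encrypt failure was observed. Consider `encryptedString, encErr := cryptor.Encrypt(tc.message)` followed by an assertion on encErr that fits the case (NoError in the success branch, Equal to tc.errorMsg in the NewCipherError branch). In the Base64Error branch `assert.Equal(t, tc.expected, decryptedString)` compares against a variable that is never assigned on that path, so it cannot fail. The t.Run closure starts before the hunk.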
@@ -207,7 +209,7 @@ func TestReadAndDecryptFile(t *testing.T) {
 key: wrongKey,
 expectedError: expectedError{AuthenticationError: true},
 errorMsg: errors.New("cipher: message authentication failed"),
- expected: []byte("Hello World"),
+ expected: "",
 },
 {
 name: "unable to read file",
@@ -215,7 +217,7 @@ func TestReadAndDecryptFile(t *testing.T) {
 key: validKey,
 expectedError: expectedError{FileReadError: true},
 errorMsg: &fs.PathError{Op: "open", Path: "testing/doesnotexist.yaml", Err: syscall.ENOENT},
- expected: []byte(""),
+ expected: "",
 },
 }
@@ -224,11 +226,13 @@ func TestReadAndDecryptFile(t *testing.T) {
 t.Run(test.name, func(t *testing.T) {
 t.Parallel()
- cryptor := Crypto{}
- _, err := cryptor.ReadAndDecryptFile(test.filePath, []byte(test.key))
+ cryptor := Crypto{
+ EncryptionKey: test.key,
+ }
+ _, err := cryptor.ReadAndDecryptFile(test.filePath)
 if !test.expectedError.InvalidKeySizeError && !test.expectedError.AuthenticationError && !test.expectedError.NewCipherError && !test.expectedError.Base64Error && !test.expectedError.FileReadError {
- decryptedFile, err := cryptor.ReadAndDecryptFile(test.filePath, []byte(test.key))
+ decryptedFile, err := cryptor.ReadAndDecryptFile(test.filePath)
 assert.Equal(t, expectedConfigFile, decryptedFile)
 assert.NoError(t, err)
 } else {
diff --git a/pkg/security/encrypt.go b/pkg/security/encrypt.go
index 6bf894f9..00a6d7fe 100644
--- a/pkg/security/encrypt.go
+++ b/pkg/security/encrypt.go
@@ -9,8 +9,8 @@ import (
 )
 // Encrypt encrypts a string.
-func (c Crypto) Encrypt(plainText []byte, key string) (string, error) {
- block, err := aes.NewCipher([]byte(key))
+func (c Crypto) Encrypt(plainText string) (string, error) {
+ block, err := aes.NewCipher([]byte(c.EncryptionKey))
 if err != nil {
 return "", err
 }
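Review bot: In the TestReadAndDecryptFile hunk at @@ -224 the success path calls `cryptor.ReadAndDecryptFile(test.filePath)` a second time and the inner `decryptedFile, err :=` declares a new err that shadows the one from the first call, so the first result is never examined on that path. Reusing the first call, `decryptedFile, err := cryptor.ReadAndDecryptFile(test.filePath)` at the top of the closure with `assert.Equal(t, expectedConfigFile, decryptedFile)` inside the if, would remove both the duplicate decryption and the shadowing. The else branch that presumably checks the error is outside the hunk, so I cannot confirm what it asserts.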
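Review bot: `// Encrypt encrypts a string.` in the encrypt.go hunk no longer tells the reader where the key comes from now that the parameter is gone, nor what the returned string is; suggest `// Encrypt encrypts plainText with AES-GCM using c.EncryptionKey and returns base64(nonce || ciphertext), the layout Decrypt expects.` The nonce handling and the Seal call sit in the next hunk and beyond, so the output layout is inferred from `gcm.Seal(nonce, nonce, ...)` there. Encrypt's body continues past the end of this hunk.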
@@ -26,9 +26,9 @@ func (c Crypto) Encrypt(plainText []byte, key string) (string, error) {
 return "", err
 }
- ciphertext := gcm.Seal(nonce, nonce, plainText, nil)
+ cipherText := gcm.Seal(nonce, nonce, []byte(plainText), nil)
- return base64.StdEncoding.EncodeToString(ciphertext), nil
+ return base64.StdEncoding.EncodeToString(cipherText), nil
 }
 func (c Crypto) GenerateKey() string {
diff --git a/pkg/security/encrypt_test.go b/pkg/security/encrypt_test.go
index 8842a9b5..f32f0c9d 100644
--- a/pkg/security/encrypt_test.go
+++ b/pkg/security/encrypt_test.go
@@ -12,7 +12,7 @@ func TestEncrypt(t *testing.T) {
 tests := []struct {
 name string
- message []byte
+ message string
 key string
 expectedError expectedError
 errorMsg error
@@ -20,15 +20,15 @@ func TestEncrypt(t *testing.T) {
 }{
 {
 name: "successful encryption",
- message: []byte("test message"),
+ message: "test message",
 key: validKey,
 expectedError: expectedError{},
 errorMsg: nil,
- expected: []byte("test message"),
+ expected: "test message",
 },
 {
 name: "key too short",
- message: []byte("test message"),
+ message: "test message",
 key: shortKey,
 expectedError: expectedError{InvalidKeySizeError: true},
 errorMsg: aes.KeySizeError(8),
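Review bot: The Seal call passes nonce as both dst and nonce, so the nonce is prepended to the ciphertext and Decrypt relies on that layout, but nothing at the call site says so; suggest `// nonce is used as dst so the output is nonce || ciphertext, which Decrypt splits at gcm.NonceSize().` The nonce generation is above the hunk, so I cannot see its source; if it is a random 96-bit value drawn per call, a short note that GCM's safety bound for random nonces under one long-lived key is roughly 2^32 messages would help whoever later puts this on a high-volume path. The exported GenerateKey that begins at the end of the hunk has no doc comment.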
@@ -45,19 +45,21 @@ func TestEncrypt(t *testing.T) {
 var encryptedString string
- cryptor := Crypto{}
+ cryptor := Crypto{
+ EncryptionKey: tc.key,
+ }
 if !tc.expectedError.Base64Error && !tc.expectedError.NewCipherError && !tc.expectedError.AuthenticationError && !tc.expectedError.FileReadError && !tc.expectedError.InvalidKeySizeError {
- encryptedString, err = cryptor.Encrypt(tc.message, tc.key)
+ encryptedString, err = cryptor.Encrypt(tc.message)
 assert.NoError(t, err)
 assert.NotEmpty(t, encryptedString)
- decryptedMessage, err := cryptor.Decrypt(encryptedString, []byte(tc.key))
+ decryptedMessage, err := cryptor.Decrypt(encryptedString)
 assert.NoError(t, err)
 assert.Equal(t, tc.expected, decryptedMessage)
 }
 if tc.expectedError.InvalidKeySizeError {
- _, err = cryptor.Encrypt(tc.message, tc.key)
+ _, err = cryptor.Encrypt(tc.message)
 assert.Equal(t, tc.errorMsg, err)
 assert.Equal(t, tc.expected, encryptedString)
 }
diff --git a/pkg/security/testing/encryptedConfig.yaml b/pkg/security/testing/encryptedConfig.yaml
index a0261af6..12d36c02 100644
--- a/pkg/security/testing/encryptedConfig.yaml
+++ b/pkg/security/testing/encryptedConfig.yaml
@@ -1 +1 @@
-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
\ No newline at end of file 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 \ No newline at end of file
diff --git a/pkg/security/types.go b/pkg/security/types.go
index f284487b..a55dac17 100644
--- a/pkg/security/types.go
+++ b/pkg/security/types.go
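Review bot: `decryptedMessage, err := cryptor.Decrypt(encryptedString)` inside the success branch declares a new err in the block scope that shadows the outer err used by the `encryptedString, err = ...` assignment two lines earlier; it is harmless here because the NoError assertion follows immediately, but shadow-checking linters will flag it. Predeclaring with `var decryptedMessage string` and assigning via `decryptedMessage, err = cryptor.Decrypt(encryptedString)` keeps one err per closure. In the InvalidKeySizeError branch `assert.Equal(t, tc.expected, encryptedString)` compares against a variable that is never assigned on that path, so it only passes when tc.expected is the empty string; the key-too-short case's expected value is outside the visible hunks. The t.Run closure starts before the hunk.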
@@ -7,13 +7,15 @@ import (
 )
 type Cryptor interface {
- Decrypt(cipherText string, key []byte) ([]byte, error)
- Encrypt(plainText []byte, key string) (string, error)
+ Decrypt(cipherText string) (string, error)
+ Encrypt(plainText string) (string, error)
 GenerateKey() string
- ReadAndDecryptFile(filePath string, key []byte) (config.Configuration, error)
+ ReadAndDecryptFile(filePath string) (config.Configuration, error)
 }
-type Crypto struct{}
+type Crypto struct {
+ EncryptionKey string
+}
 type Storager interface {
 GetKeyValue(key string) (string, error)
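Review bot: The new exported field EncryptionKey carries no doc comment, and neither do the exported Cryptor interface and Crypto struct around it; suggest `// EncryptionKey is the raw AES key bytes as a string; aes.NewCipher accepts only 16, 24 or 32 bytes.` on the field. Holding the key as a plain string in a value-receiver struct also means every method call copies it, it cannot be zeroed after use, and any `%v`/`%+v` formatting or marshaling of a Crypto value prints the key verbatim; a redacting `String()` method on Crypto would keep it out of logs without changing the interface. Decrypt and Encrypt in decrypt.go and encrypt.go read the field directly, so a caller that constructs `Crypto{}` gets aes.KeySizeError(0) at first use rather than at construction, which may be worth stating on the struct comment.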