hub / github.com/getsops/sops / DecryptContext

Method DecryptContext

gcpkms/keysource.go:228–260  ·  view source on GitHub ↗

DecryptContext decrypts the EncryptedKey field with GCP KMS and returns the result.

(ctx context.Context)

Source from the content-addressed store, hash-verified

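// DecryptContext decrypts the EncryptedKey field with GCP KMS and returns
// the result.
//
// The stored data key is base64-decoded and then sent to the KMS key named by
// key.ResourceID. On success the returned slice is the plaintext taken from
// the KMS response; this method logs only the resource ID and the outcome,
// never the key material. Every failure path returns a nil slice together
// with a non-nil error that wraps the underlying cause.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
	service, err := key.newKMSClient(ctx)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		return nil, fmt.Errorf("cannot create GCP KMS service: %w", err)
	}
	defer func() {
		// Closing is best effort and does not change the result, but the
		// cause is kept in the log so a leaking or broken client connection
		// can be diagnosed.
		if err := service.Close(); err != nil {
			log.WithError(err).Error("failed to close GCP KMS client connection")
		}
	}()

	// NB: this is for compatibility with SOPS <=3.8.x. The previous GCP KMS
	// client used to work with base64 encoded strings.
	decodedCipher, err := base64.StdEncoding.DecodeString(string(key.EncryptedDataKey()))
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		// Wrapped like the other failure paths so a malformed stored key can
		// be told apart from a KMS-side rejection; %w keeps the decode error
		// reachable through errors.Is / errors.As.
		return nil, fmt.Errorf("cannot base64 decode sops data key: %w", err)
	}

	// NOTE(review): the request carries no ciphertext checksum and the
	// response's plaintext checksum is not verified here. The KMS API's
	// CiphertextCrc32c / PlaintextCrc32c fields could provide an end-to-end
	// integrity check; confirm whether that is wanted.
	req := &kmspb.DecryptRequest{
		Name:       key.ResourceID,
		Ciphertext: decodedCipher,
	}
	resp, err := service.Decrypt(ctx, req)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		return nil, fmt.Errorf("failed to decrypt sops data key with GCP KMS key: %w", err)
	}

	log.WithField("resourceID", key.ResourceID).Info("Decryption succeeded")
	return resp.Plaintext, nil
}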
261
262// NeedsRotation returns whether the data key needs to be rotated or not.
263func (key *MasterKey) NeedsRotation() bool {

Callers 1

DecryptMethod · 0.95

Calls 4

newKMSClientMethod · 0.95
EncryptedDataKeyMethod · 0.95
DecryptMethod · 0.65
ErrorMethod · 0.45

Tested by

no test coverage detected