DecryptContext decrypts the EncryptedKey field with GCP KMS and returns the result.
(ctx context.Context)
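// DecryptContext decrypts the EncryptedKey field with GCP KMS and returns
// the result.
//
// The stored data key is treated as a base64 string (see the compatibility
// note in the body) and decoded before being sent to KMS. A KMS client is
// created for this call and closed before returning. Every failure path
// returns an error wrapped with context (%w), so callers can use errors.Is /
// errors.As on the underlying cause.
//
// NOTE(review): the Decrypt response's integrity checksum (PlaintextCrc32C)
// is not verified here; confirm whether the client library does this or
// whether an explicit check is wanted.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
	service, err := key.newKMSClient(ctx)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		return nil, fmt.Errorf("cannot create GCP KMS service: %w", err)
	}
	defer func() {
		// The decrypt result is already determined by the time Close runs, so a
		// close failure is logged together with its cause rather than returned.
		if cerr := service.Close(); cerr != nil {
			log.WithField("error", cerr).Error("failed to close GCP KMS client connection")
		}
	}()

	// NB: this is for compatibility with SOPS <=3.8.x. The previous GCP KMS
	// client used to work with base64 encoded strings.
	decodedCipher, err := base64.StdEncoding.DecodeString(string(key.EncryptedDataKey()))
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		// Wrapped like the other failure paths, so a malformed stored key can be
		// told apart from a KMS-side error by the caller.
		return nil, fmt.Errorf("cannot base64-decode sops data key for GCP KMS key: %w", err)
	}

	req := &kmspb.DecryptRequest{
		Name:       key.ResourceID,
		Ciphertext: decodedCipher,
	}
	resp, err := service.Decrypt(ctx, req)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
		return nil, fmt.Errorf("failed to decrypt sops data key with GCP KMS key: %w", err)
	}

	log.WithField("resourceID", key.ResourceID).Info("Decryption succeeded")
	return resp.Plaintext, nil
}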
| 261 | |
| 262 | // NeedsRotation returns whether the data key needs to be rotated or not. |
| 263 | func (key *MasterKey) NeedsRotation() bool { |