hub / github.com/getsops/sops / DecryptContext

Method DecryptContext

kms/keysource.go:319–343  ·  view source on GitHub ↗

DecryptContext decrypts the EncryptedKey with a newly created AWS KMS config, and returns the result.

(ctx context.Context)

Source from the content-addressed store, hash-verified

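// DecryptContext decrypts the EncryptedKey with a newly created AWS KMS config, and
// returns the result.
//
// EncryptedKey must be the standard-base64 encoding of the KMS ciphertext
// blob. The Decrypt request pins KeyId to key.Arn and sends
// key.EncryptionContext alongside the ciphertext, so the authorization
// decision and the encryption-context match are enforced by KMS rather than
// by this method.
//
// On success the returned slice is the plaintext sops data key. It is
// sensitive material: this method logs only the key ARN and the outcome, and
// callers should likewise keep the plaintext out of logs and error messages.
//
// Errors from base64 decoding and from the KMS call are wrapped with %w so
// callers can inspect the cause with errors.Is / errors.As. An error from
// createKMSConfig is returned unchanged.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
	ciphertext, err := base64.StdEncoding.DecodeString(key.EncryptedKey)
	if err != nil {
		log.WithField("arn", key.Arn).Info("Decryption failed")
		// %w (not %s) keeps the base64 error in the chain, matching the
		// wrapping used for the KMS error below.
		return nil, fmt.Errorf("error base64-decoding encrypted data key: %w", err)
	}

	// A fresh config and client are built on every call; nothing is cached
	// on the MasterKey by this method.
	cfg, err := key.createKMSConfig(ctx)
	if err != nil {
		log.WithField("arn", key.Arn).Info("Decryption failed")
		return nil, err
	}
	client := key.createClient(cfg)

	input := &kms.DecryptInput{
		// Naming the key explicitly means the ciphertext is only accepted
		// if it was produced under this ARN.
		KeyId:          &key.Arn,
		CiphertextBlob: ciphertext,
		// Must equal the context used at encryption time; KMS rejects the
		// request on any mismatch.
		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
	}
	decrypted, err := client.Decrypt(ctx, input)
	if err != nil {
		log.WithField("arn", key.Arn).Info("Decryption failed")
		return nil, fmt.Errorf("failed to decrypt sops data key with AWS KMS: %w", err)
	}

	// Log the outcome and ARN only; never the plaintext.
	log.WithField("arn", key.Arn).Info("Decryption succeeded")
	return decrypted.Plaintext, nil
}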
344
345// NeedsRotation returns whether the data key needs to be rotated or not.
346func (key *MasterKey) NeedsRotation() bool {

Callers 1

DecryptMethod · 0.95

Calls 4

createKMSConfigMethod · 0.95
createClientMethod · 0.95
stringPointerToStringMapFunction · 0.85
DecryptMethod · 0.65

Tested by

no test coverage detected