mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-05-04 23:38:44 +00:00
Code Issues Projects Releases Wiki Activity
woodpecker/server/plugins/encryption/constants.go
antomy-gc 6516a28cdd
Secrets encryption in database (#1475) 
closes #101

Added secrets encryption in database

- Google TINK or simple AES as encryption mechanisms
- Keys rotation support on TINK
- Existing SecretService is wrapped by encryption layer
- Encryption can be enabled and disabled at any time

Co-authored-by: Kuzmin Ilya <ilia.kuzmin@indrive.com>
Co-authored-by: 6543 <6543@obermui.de>
2023-01-12 20:59:07 +01:00

100 lines
4.6 KiB
Go
Raw Blame History

// Copyright 2023 Woodpecker Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package encryption
import "errors"
// common
const (
rawKeyConfigFlag = "encryption-raw-key"
tinkKeysetFilepathConfigFlag = "encryption-tink-keyset"
disableEncryptionConfigFlag = "encryption-disable-flag"
ciphertextSampleConfigKey = "encryption-ciphertext-sample"
keyTypeTink = "tink"
keyTypeRaw = "raw"
keyTypeNone = "none"
keyIDAssociatedData = "Primary key id"
AESGCMSIVNonceSize = 12
)
var (
errEncryptionNotEnabled = errors.New("encryption is not enabled")
errEncryptionKeyInvalid = errors.New("encryption key is invalid")
errEncryptionKeyRotated = errors.New("encryption key is being rotated")
)
const (
// error wrapping templates
errTemplateFailedInitializingUnencrypted = "failed initializing server in unencrypted mode: %w"
errTemplateFailedInitializing = "failed initializing encryption service: %w"
errTemplateFailedEnablingEncryption = "failed enabling encryption: %w"
errTemplateFailedRotatingEncryption = "failed rotating encryption: %w"
errTemplateFailedDisablingEncryption = "failed disabling encryption: %w"
errTemplateFailedLoadingServerConfig = "failed to load server encryption config: %w"
errTemplateFailedUpdatingServerConfig = "failed updating server encryption configuration: %w"
errTemplateFailedInitializingClients = "failed initializing encryption clients: %w"
errTemplateFailedValidatingKey = "failed validating encryption key: %w"
errTemplateEncryptionFailed = "encryption error: %w"
errTemplateBase64DecryptionFailed = "decryption error: Base64 decryption failed. Cause: %w"
errTemplateDecryptionFailed = "decryption error: %w"
// error messages
errMessageTemplateUnsupportedKeyType = "unsupported encryption key type: %s"
errMessageCantUseBothServices = "can not use raw encryption key and tink keyset at the same time"
errMessageNoKeysProvided = "encryption enabled but no keys provided"
errMessageFailedRotatingEncryption = "failed rotating encryption"
// log messages
logMessageEncryptionEnabled = "encryption enabled"
logMessageEncryptionDisabled = "encryption disabled"
logMessageEncryptionKeyRegistered = "registered new encryption key"
logMessageClientsInitialized = "initialized encryption on registered clients"
logMessageClientsEnabled = "enabled encryption on registered services"
logMessageClientsRotated = "updated encryption key on registered services"
logMessageClientsDecrypted = "disabled encryption on registered services"
)
// tink
const (
// error wrapping templates
errTemplateTinkFailedLoadingKeyset = "failed loading encryption keyset: %w"
errTemplateTinkFailedValidatingKeyset = "failed validating encryption keyset: %w"
errTemplateTinkFailedInitializeFileWatcher = "failed initializing keyset file watcher: %w"
errTemplateTinkFailedSubscribeKeysetFileChanges = "failed subscribing on encryption keyset file changes: %w"
errTemplateTinkFailedOpeningKeyset = "failed opening encryption keyset file: %w"
errTemplateTinkFailedReadingKeyset = "failed reading encryption keyset from file: %w"
errTemplateTinkFailedInitializingAEAD = "failed initializing AEAD instance: %w"
// error messages
errMessageTinkKeysetFileWatchFailed = "failed watching encryption keyset file changes"
// log message templates
logTemplateTinkKeysetFileChanged = "changes detected in encryption keyset file: '%s'. Encryption service will be reloaded"
logTemplateTinkLoadingKeyset = "loading encryption keyset from file: %s"
logTemplateTinkFailedClosingKeysetFile = "could not close keyset file: %s"
)
// aes
const (
// error wrapping templates
errTemplateAesFailedLoadingCipher = "failed loading encryption cipher: %w"
errTemplateAesFailedCalculatingHash = "failed calculating hash: %w"
errTemplateAesFailedGeneratingKey = "failed generating key from passphrase: %w"
errTemplateAesFailedGeneratingKeyID = "failed generating key id: %w"
)
Reference in a new issue View git blame Copy permalink