mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-01-10 09:35:26 +00:00
6516a28cdd
closes #101 Added secrets encryption in database - Google TINK or simple AES as encryption mechanisms - Keys rotation support on TINK - Existing SecretService is wrapped by encryption layer - Encryption can be enabled and disabled at any time Co-authored-by: Kuzmin Ilya <ilia.kuzmin@indrive.com> Co-authored-by: 6543 <6543@obermui.de>
99 lines
4.6 KiB
Go
99 lines
4.6 KiB
Go
// Copyright 2023 Woodpecker Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package encryption
|
|
|
|
import "errors"
|
|
|
|
// common
|
|
const (
|
|
rawKeyConfigFlag = "encryption-raw-key"
|
|
tinkKeysetFilepathConfigFlag = "encryption-tink-keyset"
|
|
disableEncryptionConfigFlag = "encryption-disable-flag"
|
|
|
|
ciphertextSampleConfigKey = "encryption-ciphertext-sample"
|
|
|
|
keyTypeTink = "tink"
|
|
keyTypeRaw = "raw"
|
|
keyTypeNone = "none"
|
|
|
|
keyIDAssociatedData = "Primary key id"
|
|
AESGCMSIVNonceSize = 12
|
|
)
|
|
|
|
var (
|
|
errEncryptionNotEnabled = errors.New("encryption is not enabled")
|
|
errEncryptionKeyInvalid = errors.New("encryption key is invalid")
|
|
errEncryptionKeyRotated = errors.New("encryption key is being rotated")
|
|
)
|
|
|
|
const (
|
|
// error wrapping templates
|
|
errTemplateFailedInitializingUnencrypted = "failed initializing server in unencrypted mode: %w"
|
|
errTemplateFailedInitializing = "failed initializing encryption service: %w"
|
|
errTemplateFailedEnablingEncryption = "failed enabling encryption: %w"
|
|
errTemplateFailedRotatingEncryption = "failed rotating encryption: %w"
|
|
errTemplateFailedDisablingEncryption = "failed disabling encryption: %w"
|
|
errTemplateFailedLoadingServerConfig = "failed to load server encryption config: %w"
|
|
errTemplateFailedUpdatingServerConfig = "failed updating server encryption configuration: %w"
|
|
errTemplateFailedInitializingClients = "failed initializing encryption clients: %w"
|
|
errTemplateFailedValidatingKey = "failed validating encryption key: %w"
|
|
errTemplateEncryptionFailed = "encryption error: %w"
|
|
errTemplateBase64DecryptionFailed = "decryption error: Base64 decryption failed. Cause: %w"
|
|
errTemplateDecryptionFailed = "decryption error: %w"
|
|
|
|
// error messages
|
|
errMessageTemplateUnsupportedKeyType = "unsupported encryption key type: %s"
|
|
errMessageCantUseBothServices = "can not use raw encryption key and tink keyset at the same time"
|
|
errMessageNoKeysProvided = "encryption enabled but no keys provided"
|
|
errMessageFailedRotatingEncryption = "failed rotating encryption"
|
|
|
|
// log messages
|
|
logMessageEncryptionEnabled = "encryption enabled"
|
|
logMessageEncryptionDisabled = "encryption disabled"
|
|
logMessageEncryptionKeyRegistered = "registered new encryption key"
|
|
logMessageClientsInitialized = "initialized encryption on registered clients"
|
|
logMessageClientsEnabled = "enabled encryption on registered services"
|
|
logMessageClientsRotated = "updated encryption key on registered services"
|
|
logMessageClientsDecrypted = "disabled encryption on registered services"
|
|
)
|
|
|
|
// tink
|
|
const (
|
|
// error wrapping templates
|
|
errTemplateTinkFailedLoadingKeyset = "failed loading encryption keyset: %w"
|
|
errTemplateTinkFailedValidatingKeyset = "failed validating encryption keyset: %w"
|
|
errTemplateTinkFailedInitializeFileWatcher = "failed initializing keyset file watcher: %w"
|
|
errTemplateTinkFailedSubscribeKeysetFileChanges = "failed subscribing on encryption keyset file changes: %w"
|
|
errTemplateTinkFailedOpeningKeyset = "failed opening encryption keyset file: %w"
|
|
errTemplateTinkFailedReadingKeyset = "failed reading encryption keyset from file: %w"
|
|
errTemplateTinkFailedInitializingAEAD = "failed initializing AEAD instance: %w"
|
|
|
|
// error messages
|
|
errMessageTinkKeysetFileWatchFailed = "failed watching encryption keyset file changes"
|
|
|
|
// log message templates
|
|
logTemplateTinkKeysetFileChanged = "changes detected in encryption keyset file: '%s'. Encryption service will be reloaded"
|
|
logTemplateTinkLoadingKeyset = "loading encryption keyset from file: %s"
|
|
logTemplateTinkFailedClosingKeysetFile = "could not close keyset file: %s"
|
|
)
|
|
|
|
// aes
|
|
const (
|
|
// error wrapping templates
|
|
errTemplateAesFailedLoadingCipher = "failed loading encryption cipher: %w"
|
|
errTemplateAesFailedCalculatingHash = "failed calculating hash: %w"
|
|
errTemplateAesFailedGeneratingKey = "failed generating key from passphrase: %w"
|
|
errTemplateAesFailedGeneratingKeyID = "failed generating key id: %w"
|
|
)
|