force symmetric secrets

Signed-off-by: Gregory Hill <[email protected]>

Author: Gregory Hill

Gopkg.lock

@@ -1,6 +1,7 @@
 package secrets
 
 import (
+	"fmt"
 	"io/ioutil"
 )
 
@@ -31,7 +32,7 @@ type Manager struct {
 	OpenPGP  *OpenPGPSecret
 }
 
-type SymmetricProvider func(secretID string) []byte
+type SymmetricProvider func(secretID string) ([]byte, error)
 
 // NoopSecretManager is an empty secret manager
 var NoopSecretManager = Manager{
@@ -40,8 +41,8 @@ var NoopSecretManager = Manager{
 }
 
 // NoopSymmetricProvider returns an empty provider
-func NoopSymmetricProvider(_ string) []byte {
-	return nil
+func NoopSymmetricProvider(_ string) ([]byte, error) {
+	return nil, fmt.Errorf("no secrets provided to hoard")
 }
 
 // ProviderFromConfig creates a secret reader from a set of symmetric secrets
@@ -53,8 +54,14 @@ func ProviderFromConfig(conf *SecretsConfig) SymmetricProvider {
 	for _, s := range conf.Symmetric {
 		secs[s.PublicID] = []byte(s.Passphrase)
 	}
-	return func(id string) []byte {
-		return secs[id]
+	return func(id string) ([]byte, error) {
+		if id == "" {
+			return nil, fmt.Errorf("empty secret ID passed to provider")
+		}
+		if val, ok := secs[id]; ok {
+			return val, nil
+		}
+		return nil, fmt.Errorf("could not find symmetric secret with ID '%s'", id)
 	}
 }
 

config/secrets/secrets.go

@@ -15,7 +15,11 @@ func Seal(secret secrets.Manager, ref *reference.Ref, spec *Spec) (*Grant, error
 	case *PlaintextSpec:
 		grt.EncryptedReference = PlaintextGrant(ref)
 	case *SymmetricSpec:
-		encRef, err := SymmetricGrant(ref, secret.Provider(s.PublicID))
+		secret, err := secret.Provider(s.PublicID)
+		if err != nil {
+			return nil, err
+		}
+		encRef, err := SymmetricGrant(ref, secret)
 		if err != nil {
 			return nil, err
 		}
@@ -38,7 +42,11 @@ func Unseal(secret secrets.Manager, grt *Grant) (*reference.Ref, error) {
 	case *PlaintextSpec:
 		return PlaintextReference(grt.EncryptedReference), nil
 	case *SymmetricSpec:
-		return SymmetricReference(grt.EncryptedReference, secret.Provider(s.PublicID))
+		secret, err := secret.Provider(s.PublicID)
+		if err != nil {
+			return nil, err
+		}
+		return SymmetricReference(grt.EncryptedReference, secret)
 	case *OpenPGPSpec:
 		return OpenPGPReference(grt.EncryptedReference, secret.OpenPGP)
 	}

grant/grant.go

@@ -18,12 +18,12 @@ func TestGrants(t *testing.T) {
 
 	testPGP := secrets.OpenPGPSecret{
 		PrivateID: "10449759736975846181",
-		Data:      []byte(keyPrivate),
+		Data:      keyPrivate,
 	}
 
 	testSecrets := secrets.Manager{
-		Provider: func(_ string) []byte {
-			return nil
+		Provider: func(_ string) ([]byte, error) {
+			return nil, nil
 		},
 		OpenPGP: &testPGP,
 	}
@@ -36,18 +36,29 @@ func TestGrants(t *testing.T) {
 	plaintextRef, err := Unseal(testSecrets, plaintextGrant)
 	assert.Equal(t, testRef, plaintextRef)
 
+	// SymmetricGrant with empty provider
 	symmetricSpec := Spec{Symmetric: &SymmetricSpec{PublicID: "test"}}
 	symmetricGrant, err := Seal(testSecrets, testRef, &symmetricSpec)
+	assert.Error(t, err)
+	assert.Nil(t, symmetricGrant)
+
+	// SymmetricGrant with correct provider
+	testSecrets.Provider = func(_ string) ([]byte, error) {
+		return []byte("sssshhhh"), nil
+	}
+	symmetricGrant, err = Seal(testSecrets, testRef, &symmetricSpec)
+	assert.NotNil(t, symmetricGrant)
 	assert.NoError(t, err)
 	symmetricRef, err := Unseal(testSecrets, symmetricGrant)
 	assert.Equal(t, testRef, symmetricRef)
 	assert.NoError(t, err)
 
-	asymmetricSpec := Spec{OpenPGP: &OpenPGPSpec{}}
-	asymmetricGrant, err := Seal(testSecrets, testRef, &asymmetricSpec)
+	// OpenPGPGrant encrypt / decrypt with local keypair
+	openpgpSpec := Spec{OpenPGP: &OpenPGPSpec{}}
+	openpgpGrant, err := Seal(testSecrets, testRef, &openpgpSpec)
 	assert.NoError(t, err)
-	asymmetricRef, err := Unseal(testSecrets, asymmetricGrant)
-	assert.Equal(t, testRef, asymmetricRef)
+	openpgpRef, err := Unseal(testSecrets, openpgpGrant)
+	assert.Equal(t, testRef, openpgpRef)
 	assert.NoError(t, err)
 }
 

grant/grant_test.go

@@ -16,8 +16,8 @@ import (
 )
 
 // OpenPGPGrant encrypts and signs a given reference
-func OpenPGPGrant(ref *reference.Ref, public string, private *secrets.OpenPGPSecret) ([]byte, error) {
-	if private == nil {
+func OpenPGPGrant(ref *reference.Ref, public string, keyring *secrets.OpenPGPSecret) ([]byte, error) {
+	if keyring == nil {
 		return nil, fmt.Errorf("cannot encrypt because no private key was provided")
 	}
 
@@ -35,24 +35,24 @@ func OpenPGPGrant(ref *reference.Ref, public string, private *secrets.OpenPGPSec
 		}
 	} else {
 		// default to configured keyring
-		if to, err = openpgp.ReadArmoredKeyRing(bytes.NewBuffer(private.Data)); err != nil {
+		if to, err = openpgp.ReadArmoredKeyRing(bytes.NewBuffer(keyring.Data)); err != nil {
 			return nil, fmt.Errorf("could not read private keyring: %s", err)
 		}
 	}
 
 	// read configured keyring
-	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBuffer(private.Data))
+	keys, err := openpgp.ReadArmoredKeyRing(bytes.NewBuffer(keyring.Data))
 	if err != nil {
 		return nil, err
 	}
 
-	id, err := strconv.ParseUint(private.PrivateID, 10, 64)
+	id, err := strconv.ParseUint(keyring.PrivateID, 10, 64)
 	if err != nil {
 		return nil, err
 	}
 
 	// we can only sign with one key
-	from := keyring.KeysById(id)[0].Entity
+	from := keys.KeysById(id)[0].Entity
 	if from == nil {
 		return nil, fmt.Errorf("signing identity not found")
 	}
@@ -73,13 +73,13 @@ func OpenPGPGrant(ref *reference.Ref, public string, private *secrets.OpenPGPSec
 }
 
 // OpenPGPReference decrypts a given grant
-func OpenPGPReference(grant []byte, private *secrets.OpenPGPSecret) (*reference.Ref, error) {
-	if private == nil {
+func OpenPGPReference(grant []byte, keyring *secrets.OpenPGPSecret) (*reference.Ref, error) {
+	if keyring == nil {
 		return nil, fmt.Errorf("cannot decrypt because no private key was provided")
 	}
 
 	// read local keyring
-	to, err := openpgp.ReadArmoredKeyRing(bytes.NewBuffer(private.Data))
+	to, err := openpgp.ReadArmoredKeyRing(bytes.NewBuffer(keyring.Data))
 	block, err := armor.Decode(bytes.NewBuffer(grant))
 	if err != nil {
 		return nil, err

grant/openpgp.go

@@ -11,9 +11,13 @@ import (
 
 // We bump it a little from the 100ms for interactive logins rule: https://blog.filippo.io/the-scrypt-parameters/
 const scryptSecurityWorkExponent = 16
+const minSecretSize = 8
 
 // SymmetricGrant encrypts the given reference based on a secret read from the provider store
 func SymmetricGrant(ref *reference.Ref, secret []byte) ([]byte, error) {
+	if len(secret) < minSecretSize {
+		return nil, fmt.Errorf("SymmetricGrant cannot encrypt with a secret of size < %d", minSecretSize)
+	}
 	// Generate scrypt salt
 	salt := make([]byte, encryption.NonceSize)
 	_, err := rand.Read(salt)

grant/symmetric.go

@@ -3,19 +3,30 @@ package grant
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	"github.com/monax/hoard/reference"
-	"github.com/stretchr/testify/require"
 )
 
 func TestSymmetricGrant(t *testing.T) {
-	secret := []byte("sshh")
 	ref := &reference.Ref{
 		Address:   []byte("adddressss"),
 		SecretKey: []byte("other secret"),
 	}
-	grt, err := SymmetricGrant(ref, secret)
-	require.NoError(t, err)
+	grt, err := SymmetricGrant(ref, nil)
+	assert.Error(t, err)
+	assert.Nil(t, grt)
+
+	secret := []byte("sshh")
+	grt, err = SymmetricGrant(ref, secret)
+	assert.Errorf(t, err, "SymmetricGrant cannot encrypt with a secret of size < %d", minSecretSize)
+	assert.Nil(t, grt)
+
+	secret = []byte("sssshhhh")
+	grt, err = SymmetricGrant(ref, secret)
+	assert.NoError(t, err)
+	assert.NotNil(t, grt)
 	refOut, err := SymmetricReference(grt, secret)
-	require.NoError(t, err)
-	require.Equal(t, ref, refOut)
+	assert.NoError(t, err)
+	assert.Equal(t, ref, refOut)
 }