Merge pull request #44 from smallstep/kmsfs

Kmsfs

Author: maraino

kms/apiv1/options.go

@@ -3,9 +3,10 @@ package apiv1
 import (
 	"crypto"
 	"crypto/x509"
+	"fmt"
 	"strings"
 
-	"github.com/pkg/errors"
+	"go.step.sm/crypto/kms/uri"
 )
 
 // KeyManager is the interface implemented by all the KMS.
@@ -86,7 +87,7 @@ const (
 // Options are the KMS options. They represent the kms object in the ca.json.
 type Options struct {
 	// The type of the KMS to use.
-	Type string `json:"type"`
+	Type Type `json:"type"`
 
 	// Path to the credentials file used in CloudKMS and AmazonKMS.
 	CredentialsFile string `json:"credentialsFile,omitempty"`
@@ -124,14 +125,30 @@ func (o *Options) Validate() error {
 		return nil
 	}
 
-	switch Type(strings.ToLower(o.Type)) {
+	typ := strings.ToLower(string(o.Type))
+	switch Type(typ) {
 	case DefaultKMS, SoftKMS: // Go crypto based kms.
 	case CloudKMS, AmazonKMS, AzureKMS: // Cloud based kms.
 	case YubiKey, PKCS11: // Hardware based kms.
 	case SSHAgentKMS: // Others
 	default:
-		return errors.Errorf("unsupported kms type %s", o.Type)
+		return fmt.Errorf("unsupported kms type %s", o.Type)
 	}
 
 	return nil
 }
+
+// GetType returns the type in the type property or the one present in the URI.
+func (o *Options) GetType() (Type, error) {
+	if o.Type != "" {
+		return o.Type, nil
+	}
+	if o.URI != "" {
+		u, err := uri.Parse(o.URI)
+		if err != nil {
+			return DefaultKMS, err
+		}
+		return Type(strings.ToLower(u.Scheme)), nil
+	}
+	return SoftKMS, nil
+}

kms/apiv1/options_test.go

@@ -27,6 +27,47 @@ func TestOptions_Validate(t *testing.T) {
 	}
 }
 
+func TestOptions_GetType(t *testing.T) {
+	type fields struct {
+		Type Type
+		URI  string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		want    Type
+		wantErr bool
+	}{
+		{"ok", fields{PKCS11, ""}, PKCS11, false},
+		{"ok default", fields{"", ""}, SoftKMS, false},
+		{"ok by uri", fields{"", "PKCS11:foo=bar"}, PKCS11, false},
+		{"ok by uri", fields{"", "softkms:foo=bar"}, SoftKMS, false},
+		{"ok by uri", fields{"", "cloudkms:foo=bar"}, CloudKMS, false},
+		{"ok by uri", fields{"", "awskms:foo=bar"}, AmazonKMS, false},
+		{"ok by uri", fields{"", "pkcs11:foo=bar"}, PKCS11, false},
+		{"ok by uri", fields{"", "yubikey:foo=bar"}, YubiKey, false},
+		{"ok by uri", fields{"", "sshagentkms:foo=bar"}, SSHAgentKMS, false},
+		{"ok by uri", fields{"", "azurekms:foo=bar"}, AzureKMS, false},
+		{"fail uri", fields{"", "foo=bar"}, DefaultKMS, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &Options{
+				Type: tt.fields.Type,
+				URI:  tt.fields.URI,
+			}
+			got, err := o.GetType()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Options.GetType() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("Options.GetType() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestErrNotImplemented_Error(t *testing.T) {
 	type fields struct {
 		msg string

kms/kms.go

@@ -2,7 +2,6 @@ package kms
 
 import (
 	"context"
-	"strings"
 
 	"github.com/pkg/errors"
 	"go.step.sm/crypto/kms/apiv1"
@@ -30,14 +29,13 @@ func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
 		return nil, err
 	}
 
-	t := apiv1.Type(strings.ToLower(opts.Type))
-	if t == apiv1.DefaultKMS {
-		t = apiv1.SoftKMS
+	typ, err := opts.GetType()
+	if err != nil {
+		return nil, err
 	}
-
-	fn, ok := apiv1.LoadKeyManagerNewFunc(t)
+	fn, ok := apiv1.LoadKeyManagerNewFunc(typ)
 	if !ok {
-		return nil, errors.Errorf("unsupported kms type '%s'", t)
+		return nil, errors.Errorf("unsupported kms type '%s'", typ)
 	}
 	return fn(ctx, opts)
 }

kms/kms_test.go

@@ -3,6 +3,7 @@ package kms
 import (
 	"context"
 	"os"
+	"path/filepath"
 	"reflect"
 	"testing"
 
@@ -15,6 +16,14 @@ import (
 func TestNew(t *testing.T) {
 	ctx := context.Background()
 
+	failCloudKMS := true
+	if home, err := os.UserHomeDir(); err == nil {
+		file := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
+		if _, err := os.Stat(file); err == nil {
+			failCloudKMS = false
+		}
+	}
+
 	type args struct {
 		ctx  context.Context
 		opts apiv1.Options
@@ -26,11 +35,12 @@ func TestNew(t *testing.T) {
 		want     KeyManager
 		wantErr  bool
 	}{
-		{"softkms", false, args{ctx, apiv1.Options{Type: "softkms"}}, &softkms.SoftKMS{}, false},
 		{"default", false, args{ctx, apiv1.Options{}}, &softkms.SoftKMS{}, false},
+		{"softkms", false, args{ctx, apiv1.Options{Type: "softkms"}}, &softkms.SoftKMS{}, false},
+		{"uri", false, args{ctx, apiv1.Options{URI: "softkms:foo=bar"}}, &softkms.SoftKMS{}, false},
 		{"awskms", false, args{ctx, apiv1.Options{Type: "awskms"}}, &awskms.KMS{}, false},
-		{"cloudkms", true, args{ctx, apiv1.Options{Type: "cloudkms"}}, &cloudkms.CloudKMS{}, true}, // fails because not credentials
-		{"pkcs11", false, args{ctx, apiv1.Options{Type: "pkcs11"}}, nil, true},                     // not yet supported
+		{"cloudkms", true, args{ctx, apiv1.Options{Type: "cloudkms"}}, &cloudkms.CloudKMS{}, failCloudKMS},
+		{"fail not enabled", false, args{ctx, apiv1.Options{Type: "pkcs11"}}, nil, true}, // not enabled
 		{"fail validation", false, args{ctx, apiv1.Options{Type: "foobar"}}, nil, true},
 	}
 	for _, tt := range tests {

kms/kmsfs.go

@@ -0,0 +1,115 @@
+package kms
+
+import (
+	"context"
+	"fmt"
+	"io/fs"
+
+	"go.step.sm/crypto/kms/apiv1"
+)
+
+type kmsfs struct {
+	apiv1.KeyManager
+}
+
+func newFS(ctx context.Context, kmsuri string) (*kmsfs, error) {
+	if kmsuri == "" {
+		return &kmsfs{}, nil
+	}
+
+	km, err := loadKMS(ctx, kmsuri)
+	if err != nil {
+		return nil, err
+	}
+	return &kmsfs{KeyManager: km}, nil
+}
+
+func (f *kmsfs) getKMS(kmsuri string) (apiv1.KeyManager, error) {
+	if f.KeyManager == nil {
+		return loadKMS(context.TODO(), kmsuri)
+	}
+	return f.KeyManager, nil
+}
+
+func loadKMS(ctx context.Context, kmsuri string) (apiv1.KeyManager, error) {
+	return New(ctx, apiv1.Options{
+		URI: kmsuri,
+	})
+}
+
+func openError(name string, err error) *fs.PathError {
+	return &fs.PathError{
+		Path: name,
+		Op:   "open",
+		Err:  err,
+	}
+}
+
+// certFS implements an io/fs to load certificates from a KMS.
+type certFS struct {
+	*kmsfs
+}
+
+// CertFS creates a new io/fs with the given KMS URI.
+func CertFS(ctx context.Context, kmsuri string) (fs.FS, error) {
+	km, err := newFS(ctx, kmsuri)
+	if err != nil {
+		return nil, err
+	}
+	_, ok := km.KeyManager.(apiv1.CertificateManager)
+	if !ok {
+		return nil, fmt.Errorf("%s does not implement a CertificateManager", kmsuri)
+	}
+	return &certFS{kmsfs: km}, nil
+}
+
+// Open returns a file representing a certificate in an KMS.
+func (f *certFS) Open(name string) (fs.File, error) {
+	km, err := f.getKMS(name)
+	if err != nil {
+		return nil, openError(name, err)
+	}
+	cert, err := km.(apiv1.CertificateManager).LoadCertificate(&apiv1.LoadCertificateRequest{
+		Name: name,
+	})
+	if err != nil {
+		return nil, openError(name, err)
+	}
+	return &object{
+		Path:   name,
+		Object: cert,
+	}, nil
+}
+
+// keyFS implements an io/fs to load public keys from a KMS.
+type keyFS struct {
+	*kmsfs
+}
+
+// KeyFS creates a new KeyFS with the given KMS URI.
+func KeyFS(ctx context.Context, kmsuri string) (fs.FS, error) {
+	km, err := newFS(ctx, kmsuri)
+	if err != nil {
+		return nil, err
+	}
+	return &keyFS{kmsfs: km}, nil
+}
+
+// Open returns a file representing a public key in a KMS.
+func (f *keyFS) Open(name string) (fs.File, error) {
+	km, err := f.getKMS(name)
+	if err != nil {
+		return nil, openError(name, err)
+	}
+	// Attempt with a public key
+	pub, err := km.GetPublicKey(&apiv1.GetPublicKeyRequest{
+		Name: name,
+	})
+	if err != nil {
+		return nil, openError(name, err)
+	}
+	return &object{
+		Path:   name,
+		Object: pub,
+	}, nil
+}