Merge pull request #670 from aryan9600/aws-kms-decryption

Author: hiddeco

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.4.0
+	github.com/aws/aws-sdk-go v1.43.43
 	github.com/aws/aws-sdk-go-v2 v1.16.4
 	github.com/aws/aws-sdk-go-v2/config v1.15.7
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.2
@@ -91,7 +92,6 @@ require (
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/armon/go-metrics v0.3.10 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
-	github.com/aws/aws-sdk-go v1.43.43 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.5 // indirect

internal/sops/awskms/keysource_test.go

@@ -21,6 +21,9 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
+	awsv1 "github.com/aws/aws-sdk-go/aws"
+	sessionv1 "github.com/aws/aws-sdk-go/aws/session"
+	kmsv1 "github.com/aws/aws-sdk-go/service/kms"
 	. "github.com/onsi/gomega"
 	"github.com/ory/dockertest"
 )
@@ -135,14 +138,24 @@ func TestMasterKey_Encrypt_SOPS_Compat(t *testing.T) {
 	dataKey := []byte("encrypt-compat")
 	g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())
 
-	decryptKey := createTestMasterKey(testKMSARN)
-	decryptKey.credentialsProvider = nil
-	decryptKey.EncryptedKey = encryptKey.EncryptedKey
+	// This is the core decryption logic of `sopskms.MasterKey.Decrypt()`.
+	// We don't call `sops.MasterKey.Decrypt()` directly to avoid issues with
+	// session and config setup.
+	config := awsv1.Config{
+		Region:   awsv1.String("us-west-2"),
+		Endpoint: &testKMSServerURL,
+	}
 	t.Setenv("AWS_ACCESS_KEY_ID", "id")
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "secret")
-	dec, err := decryptKey.Decrypt()
+	k, err := base64.StdEncoding.DecodeString(encryptKey.EncryptedKey)
 	g.Expect(err).ToNot(HaveOccurred())
-	g.Expect(dec).To(Equal(dataKey))
+	sess, err := sessionv1.NewSessionWithOptions(sessionv1.Options{
+		Config: config,
+	})
+	kmsSvc := kmsv1.New(sess)
+	decrypted, err := kmsSvc.Decrypt(&kmsv1.DecryptInput{CiphertextBlob: k})
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(decrypted.Plaintext).To(Equal(dataKey))
 }
 
 func TestMasterKey_EncryptIfNeeded(t *testing.T) {
@@ -187,17 +200,25 @@ func TestMasterKey_Decrypt(t *testing.T) {
 func TestMasterKey_Decrypt_SOPS_Compat(t *testing.T) {
 	g := NewWithT(t)
 
+	// This is the core encryption logic of `sopskms.MasterKey.Encrypt()`.
+	// We don't call `sops.MasterKey.Encrypt()` directly to avoid issues with
+	// session and config setup.
 	dataKey := []byte("decrypt-compat")
-
-	encryptKey := createTestMasterKey(testKMSARN)
-	encryptKey.credentialsProvider = nil
+	config := awsv1.Config{
+		Region:   awsv1.String("us-west-2"),
+		Endpoint: &testKMSServerURL,
+	}
 	t.Setenv("AWS_ACCESS_KEY_ID", "id")
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "secret")
-
-	g.Expect(encryptKey.Encrypt(dataKey)).To(Succeed())
+	sess, err := sessionv1.NewSessionWithOptions(sessionv1.Options{
+		Config: config,
+	})
+	kmsSvc := kmsv1.New(sess)
+	encrypted, err := kmsSvc.Encrypt(&kmsv1.EncryptInput{Plaintext: dataKey, KeyId: &testKMSARN})
+	g.Expect(err).ToNot(HaveOccurred())
 
 	decryptKey := createTestMasterKey(testKMSARN)
-	decryptKey.EncryptedKey = encryptKey.EncryptedKey
+	decryptKey.EncryptedKey = base64.StdEncoding.EncodeToString(encrypted.CiphertextBlob)
 	dec, err := decryptKey.Decrypt()
 	g.Expect(err).ToNot(HaveOccurred())
 	g.Expect(dec).To(Equal(dataKey))