diff --git a/go.mod b/go.mod
index a17090cd..0dbf36a1 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/ovotech/cloud-key-rotator
  go 1.12
 
  require (
+ github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
  cloud.google.com/go v0.49.0 // indirect
  cloud.google.com/go/bigquery v1.3.0 // indirect
  cloud.google.com/go/pubsub v1.1.0 // indirect
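Review bot: The new direct requirement `github.com/Sectorbob/mlab-ns2` is a pseudo-versioned 2017 commit of an apparently unrelated project, pulled in (per the import in pkg/location/atlas.go) only for its HTTP digest transport, and that transport is what carries the Atlas private key on every request. A package in that position needs to be maintained and reviewable; consider a vetted digest-auth implementation, or at least vendor and review this one and record the reason for the choice as a trailing comment on the require line, e.g. `// digest auth transport for the Atlas API`. The third go.mod hunk (the one adding `gopkg.in/ini.v1 v1.51.0`) lists that module without `// indirect` although nothing in this diff imports it; unless a file outside the diff does, `go mod tidy` should mark it indirect.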
@@ -12,33 +13,27 @@ require (
  github.com/beamly/go-gocd v0.0.0-20190719193049-383d56afbf92
  github.com/creack/pty v1.1.9 // indirect
  github.com/envoyproxy/go-control-plane v0.9.1 // indirect
- github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9 // indirect
- github.com/google/go-cmp v0.3.1 // indirect
  github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
  github.com/google/pprof v0.0.0-20191105193234-27840fff0d09 // indirect
  github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d // indirect
  github.com/hashicorp/golang-lru v0.5.3 // indirect
  github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be // indirect
- github.com/jstemmer/go-junit-report v0.9.1 // indirect
  github.com/jszwedko/go-circleci v0.3.0
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
  github.com/modern-go/reflect2 v1.0.1 // indirect
+ github.com/mongodb/go-client-mongodb-atlas v0.1.3
  github.com/ovotech/cloud-key-client v0.0.0-20191119224032-d4d5f5354584
  github.com/ovotech/mantle v0.0.0-20190313113039-b525d8003135
  github.com/rogpeppe/go-internal v1.5.0 // indirect
  github.com/spf13/cobra v0.0.6
  github.com/spf13/viper v1.6.2
- go.opencensus.io v0.22.2 // indirect
  go.uber.org/atomic v1.5.1 // indirect
  go.uber.org/multierr v1.4.0 // indirect
  go.uber.org/zap v1.14.0
  golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba
  golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8 // indirect
  golang.org/x/mobile v0.0.0-20191115022231-f0c40035f2ba // indirect
- golang.org/x/net v0.0.0-20191119073136-fc4aabc6c914 // indirect
- golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
- golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
- golang.org/x/sys v0.0.0-20191119195528-f068ffe820e4 // indirect
+ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6
  golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
  golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e // indirect
  golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect
@@ -48,6 +43,7 @@ require (
  google.golang.org/grpc v1.25.1 // indirect
  gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
  gopkg.in/inf.v0 v0.9.0 // indirect
+ gopkg.in/ini.v1 v1.51.0
  gopkg.in/src-d/go-git.v4 v4.13.1
  gopkg.in/yaml.v2 v2.2.7 // indirect
  k8s.io/api v0.0.0-20190313235455-40a48860b5ab
diff --git a/go.sum b/go.sum
index 635852f2..1c3fa4ef 100644
--- a/go.sum
+++ b/go.sum
@@ -47,6 +47,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc=
 github.com/Netflix/go-expect v0.0.0-20180928190340-9d1f4485533b/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a h1:KFHLI4QGttB0i7M3qOkAo8Zn/GSsxwwCnInFqBaYtkM=
+github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a/go.mod h1:D73UAuEPckrDorYZdtlCu2ySOLuPB5W4rhIkmmc/XbI=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -126,6 +128,7 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-test/deep v1.0.1/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -160,6 +163,8 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
+github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
@@ -248,6 +253,10 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mongodb/go-client-mongodb-atlas v0.1.3 h1:/l36BomZ93+YTQhqcnJLhgphP5+/VGqbmwAVQlWKhng=
+github.com/mongodb/go-client-mongodb-atlas v0.1.3/go.mod h1:LS8O0YLkA+sbtOb3fZLF10yY3tJM+1xATXMJ3oU35LU=
+github.com/mwielbut/pointy v1.1.0 h1:U5/YEfoIkaGCHv0St3CgjduqXID4FNRoyZgLM1kY9vg=
+github.com/mwielbut/pointy v1.1.0/go.mod h1:MvvO+uMFj9T5DMda33HlvogsFBX7pWWKAkFIn4teYwY=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/ovotech/cloud-key-client v0.0.0-20191009092017-7cf0d3273c04 h1:I6tBGiEJaOL+SLrWXflS6Fik3y2HUtZE4SYkksdZ6QQ=
@@ -389,6 +398,7 @@ golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc h1:c0o/qxkaO2LF5t6fQrT4b5
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba h1:9bFeDpN3gTqNanMVqNcoR/pJQuP5uroC3t1D7eXozTE=
 golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -532,6 +542,7 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZe
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 h1:xQwXv67TxFo9nC1GJFyab5eq/5B590r6RlnL/G8Sz7w=
 golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 24bbbdfc..535095bd 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -69,6 +69,7 @@ type Filter struct {
  type KeyLocations struct {
  RotationAgeThresholdMins int
  ServiceAccountName string
+ Atlas []location.Atlas
  CircleCI []location.CircleCI
  GCS []location.Gcs
  Git location.Git
diff --git a/pkg/cred/creds.go b/pkg/cred/creds.go
index 9d3c389b..7e16dc9c 100644
--- a/pkg/cred/creds.go
+++ b/pkg/cred/creds.go
@@ -22,6 +22,7 @@ type Credentials struct {
  AkrPath string
  KmsKey string
  GocdServer GocdServer
+ AtlasKeys AtlasKeys
  }
 
  // GitAccount type
@@ -38,3 +39,9 @@ type GocdServer struct {
  Username string
  Password string
  }
+
+// AtlasKeys type
+type AtlasKeys struct {
+ PublicKey string
+ PrivateKey string
+}
diff --git a/pkg/location/atlas.go b/pkg/location/atlas.go
new file mode 100644
index 00000000..35d7fd09
--- /dev/null
+++ b/pkg/location/atlas.go
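Review bot: `AtlasKeys` in pkg/cred/creds.go is documented only as `// AtlasKeys type`, which says nothing about what the two fields are or that `PrivateKey` is a secret, even though the struct is embedded in `Credentials` next to the other secrets (first creds.go hunk). Suggest `// AtlasKeys holds a MongoDB Atlas programmatic API key pair: PublicKey identifies the key and PrivateKey is the secret used for HTTP digest authentication against the Atlas API (see pkg/location/atlas.go); it must never be logged.` The same placeholder style (`// Atlas type`) is used on the new `Atlas` struct in pkg/location/atlas.go. The rest of creds.go's types are outside these hunks.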
@@ -0,0 +1,78 @@
+// Copyright 2019 OVO Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package location
+
+import (
+ "context"
+ "time"
+
+ "github.com/Sectorbob/mlab-ns2/gae/ns/digest"
+ "github.com/mongodb/go-client-mongodb-atlas/mongodbatlas"
+ "github.com/ovotech/cloud-key-rotator/pkg/cred"
+)
+
+const (
+ secretAccessKeyWaitSecs = 20
+)
+
+// Atlas type
+type Atlas struct {
+ ProjectID string
+}
+
+func newClient(publicKey, privateKey string) (*mongodbatlas.Client, error) {
+
+ //Setup a transport to handle digest
+ transport := digest.NewTransport(publicKey, privateKey)
+
+ //Initialize the client
+ client, err := transport.Client()
+ if err != nil {
+ return nil, err
+ }
+
+ //Initialize the MongoDB Atlas API Client.
+ return mongodbatlas.NewClient(client), nil
+}
+
+func (atlas Atlas) Write(serviceAccountName string, keyWrapper KeyWrapper,
+ creds cred.Credentials) (updated UpdatedLocation, err error) {
+
+ var client *mongodbatlas.Client
+ if client, err = newClient(creds.AtlasKeys.PublicKey, creds.AtlasKeys.PrivateKey); err != nil {
+ return
+ }
+
+ provider := keyWrapper.KeyProvider
+
+ switch provider {
+ case "aws":
+ err = writeAws(client, keyWrapper.KeyID, keyWrapper.Key, atlas.ProjectID)
+ }
+ return
+}
+
+func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey, projectID string) (err error) {
+ time.Sleep(secretAccessKeyWaitSecs * time.Second)
+ createRequest := &mongodbatlas.EncryptionAtRest{
+ GroupID: projectID,
+ AwsKms: mongodbatlas.AwsKms{
+ AccessKeyID: accessKeyID,
+ SecretAccessKey: secretAccessKey,
+ },
+ }
+ _, _, err = client.EncryptionsAtRest.Create(context.Background(), createRequest)
+ return
+}
diff --git a/pkg/rotate/rotatekeys.go b/pkg/rotate/rotatekeys.go
index bc080fa8..bf068729 100644
--- a/pkg/rotate/rotatekeys.go
+++ b/pkg/rotate/rotatekeys.go
@@ -282,6 +282,10 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite
  var googleAppCredsRequired bool
 
  // read locations
+ for _, atlas := range keyLocation.Atlas {
+ kws = append(kws, atlas)
+ }
+
  for _, circleCI := range keyLocation.CircleCI {
  kws = append(kws, circleCI)
  }
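Review bot: `Write`'s switch on `keyWrapper.KeyProvider` has no `default`, so any provider other than "aws" returns a nil error without writing anything and the caller will treat the rotation as delivered; return an error for unknown providers instead (this needs `"fmt"` added to the import block). `writeAws` also sleeps 20 s unconditionally and then calls `EncryptionsAtRest.Create` with `context.Background()`, so a hung Atlas API call has no deadline; derive a context with a timeout (the 30 s below is a constructed value to tune) and document why the sleep exists — presumably to let the freshly created AWS access key propagate before Atlas validates it, which I cannot confirm from this diff. `updated` is returned as its zero value even on success; if `UpdatedLocation` is meant to record where the key was written, populate it here (its fields are not visible in this hunk). The exported `Write` and `Atlas` carry no real doc comments (`// Atlas type` is a placeholder): suggest `// Atlas is a key location that pushes a rotated AWS access key into a MongoDB Atlas project's encryption-at-rest configuration.` and `// Write applies the rotated key in keyWrapper to the Atlas project; only the "aws" provider is supported.` Minor: the `//Setup` / `//Initialize` comments in `newClient` are missing the conventional space after `//`.
```go
	switch provider {
	case "aws":
		err = writeAws(client, keyWrapper.KeyID, keyWrapper.Key, atlas.ProjectID)
	default:
		err = fmt.Errorf("atlas: unsupported key provider %q", provider)
	}
	return
}

func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey, projectID string) (err error) {
	// Presumably gives the freshly created AWS access key time to propagate before Atlas validates it — confirm.
	time.Sleep(secretAccessKeyWaitSecs * time.Second)
	// Bound the API call; 30s is a constructed value, tune to observed Atlas latency.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	// … unchanged: createRequest construction …
	_, _, err = client.EncryptionsAtRest.Create(ctx, createRequest)
	return
}
```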