From 43b14e8f959d5ce2cfe2fc05c200b029e76c243c Mon Sep 17 00:00:00 2001
From: alexmcardle <26905549+apjm@users.noreply.github.com>
Date: Fri, 28 Feb 2020 16:29:47 +0000
Subject: [PATCH 1/3] Add Atlas location file and associated config
---
 pkg/config/config.go | 1 + pkg/cred/creds.go | 7 ++++ pkg/location/atlas.go | 88 ++++++++++++++++++++++++++++++++++++++++ pkg/rotate/rotatekeys.go | 4 ++ 4 files changed, 100 insertions(+) create mode 100644 pkg/location/atlas.go
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 24bbbdfc..535095bd 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -69,6 +69,7 @@ type Filter struct {
 type KeyLocations struct {
 RotationAgeThresholdMins int
 ServiceAccountName string
+ Atlas []location.Atlas
 CircleCI []location.CircleCI
 GCS []location.Gcs
 Git location.Git
diff --git a/pkg/cred/creds.go b/pkg/cred/creds.go
index 9d3c389b..d1b615cd 100644
--- a/pkg/cred/creds.go
+++ b/pkg/cred/creds.go
@@ -22,6 +22,7 @@ type Credentials struct {
 AkrPath string
 KmsKey string
 GocdServer GocdServer
+ AtlasKeys AtlasKeys
 }
 // GitAccount type
@@ -38,3 +39,9 @@ type GocdServer struct {
 Username string
 Password string
 }
+
+// Atlas type
+type AtlasKeys struct {
+ PublicKey string
+ PrivateKey string
+}
\ No newline at end of file
diff --git a/pkg/location/atlas.go b/pkg/location/atlas.go
new file mode 100644
index 00000000..c9a27931
--- /dev/null
+++ b/pkg/location/atlas.go
@@ -0,0 +1,88 @@
+// Copyright 2019 OVO Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package location
+
+import (
+ "context"
+ "fmt"
+ "log"
+
+ "github.com/Sectorbob/mlab-ns2/gae/ns/digest"
+ "github.com/mongodb/go-client-mongodb-atlas/mongodbatlas"
+ "github.com/ovotech/cloud-key-rotator/pkg/cred"
+)
+
+// Atlas type
+type Atlas struct {
+ BucketName string
+ ObjectName string
+ FileType string
+}
+
+func newClient(publicKey, privateKey string) (*mongodbatlas.Client, error) {
+
+ //Setup a transport to handle digest
+ transport := digest.NewTransport(publicKey, privateKey)
+
+ //Initialize the client
+ client, err := transport.Client()
+ if err != nil {
+ return nil, err
+ }
+
+ //Initialize the MongoDB Atlas API Client.
+ return mongodbatlas.NewClient(client), nil
+}
+
+func (atlas Atlas) Write(serviceAccountName string, keyWrapper KeyWrapper,
+ creds cred.Credentials) (updated UpdatedLocation, err error) {
+
+ var err error
+ var client *mongodbatlas.Client
+ if client, err = newClient(creds.AtlasKeys.PublicKey, creds.AtlasKeys.PrivateKey); err != nil {
+ return
+ }
+
+ var ear *mongodbatlas.EncryptionAtRest
+ if ear, _, err = client.EncryptionsAtRest.Get(context.Background(), projectID); err != nil {
+ return
+ }
+
+ provider := keyWrapper.KeyProvider
+
+ switch provider {
+ case "gcp":
+ writeGcp()
+ case "aws":
+ writeAws(client, keyWrapper.KeyID, keyWrapper.Key )
+ }
+}
+
+func writeGcp() {
+
+}
+
+func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey string) (err error) {
+ createRequest := &mongodbatlas.EncryptionAtRest{
+ GroupID: projectID,
+ AwsKms: mongodbatlas.AwsKms{
+ AccessKeyID: accessKeyID,
+ SecretAccessKey: secretAccessKey,
+ },
+ }
+ _, _, err = client.EncryptionsAtRest.Create(context.Background(), createRequest); err != nil {
+ return
+}
+
diff --git a/pkg/rotate/rotatekeys.go b/pkg/rotate/rotatekeys.go
index bb3056be..61cd79c2 100644
--- a/pkg/rotate/rotatekeys.go
+++ b/pkg/rotate/rotatekeys.go
@@ -274,6 +274,10 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite
 var googleAppCredsRequired bool
 // read locations
+ for _, atlas := range keyLocation.Atlas {
+ kws = append(kws, atlas)
+ }
+
 for _, circleCI := range keyLocation.CircleCI {
 kws = append(kws, circleCI)
 }
From c2929b8781e2f437c6388565f3767cd1f5dee8ba Mon Sep 17 00:00:00 2001
From: alexmcardle <26905549+apjm@users.noreply.github.com>
Date: Wed, 4 Mar 2020 16:05:12 +0000
Subject: [PATCH 2/3] Tidy up the Atlas
---
 go.mod | 20 ++++---------------- go.sum | 11 +++++++++++ pkg/cred/creds.go | 8 ++++---- pkg/location/atlas.go | 36 +++++++++++++---------------------- 4 files changed, 32 insertions(+), 43 deletions(-)
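Review bot: Every Atlas API call in `Write` and `writeAws` is made with `context.Background()`, and the client returned by `transport.Client()` (an `*http.Client`, judging by its use in `mongodbatlas.NewClient`) carries no timeout, so a stalled Atlas endpoint blocks the whole rotation run indefinitely — awkward for a tool that has just issued a new key and must report whether it was delivered. Consider deriving one bounded context in `Write`, `ctx, cancel := context.WithTimeout(context.Background(), atlasRequestTimeout)` with `defer cancel()` (constant name constructed here), and passing `ctx` to `EncryptionsAtRest.Get` and `Create`, or setting `Timeout` on the client before `mongodbatlas.NewClient(client)`. The file is new, so `newClient`, `Write` and `writeAws` are complete within this hunk; the compile errors in this revision (`err` redeclared, `projectID` undefined, the unterminated `if` in `writeAws`) are addressed by the following commit and are not repeated here.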
diff --git a/go.mod b/go.mod
index db3f9a41..8b85d2e1 100644
--- a/go.mod
+++ b/go.mod
@@ -3,51 +3,39 @@ module github.com/ovotech/cloud-key-rotator go 1.12 require ( - cloud.google.com/go v0.49.0 // indirect - cloud.google.com/go/bigquery v1.3.0 // indirect - cloud.google.com/go/pubsub v1.1.0 // indirect cloud.google.com/go/storage v1.5.0 + github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a github.com/aws/aws-lambda-go v1.13.3 github.com/aws/aws-sdk-go v1.28.9 github.com/beamly/go-gocd v0.0.0-20190719193049-383d56afbf92 github.com/creack/pty v1.1.9 // indirect github.com/envoyproxy/go-control-plane v0.9.1 // indirect - github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9 // indirect - github.com/google/go-cmp v0.3.1 // indirect github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect github.com/google/pprof v0.0.0-20191105193234-27840fff0d09 // indirect github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d // indirect github.com/hashicorp/golang-lru v0.5.3 // indirect github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be // indirect - github.com/jstemmer/go-junit-report v0.9.1 // indirect github.com/jszwedko/go-circleci v0.3.0 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.1 // indirect + github.com/mongodb/go-client-mongodb-atlas v0.1.3 github.com/ovotech/cloud-key-client v0.0.0-20191119224032-d4d5f5354584 github.com/ovotech/mantle v0.0.0-20190313113039-b525d8003135 github.com/rogpeppe/go-internal v1.5.0 // indirect github.com/spf13/cobra v0.0.5 github.com/spf13/viper v1.6.2 - go.opencensus.io v0.22.2 // indirect go.uber.org/atomic v1.5.1 // indirect go.uber.org/multierr v1.4.0 // indirect go.uber.org/zap v1.13.0 golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8 // indirect golang.org/x/mobile v0.0.0-20191115022231-f0c40035f2ba // indirect - golang.org/x/net v0.0.0-20191119073136-fc4aabc6c914 // indirect - golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 - 
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect - golang.org/x/sys v0.0.0-20191119195528-f068ffe820e4 // indirect + golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect - golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e // indirect - golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect google.golang.org/api v0.15.0 - google.golang.org/appengine v1.6.5 // indirect - google.golang.org/genproto v0.0.0-20191115221424-83cc0476cb11 // indirect - google.golang.org/grpc v1.25.1 // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/inf.v0 v0.9.0 // indirect + gopkg.in/ini.v1 v1.51.0 gopkg.in/src-d/go-git.v4 v4.13.1 gopkg.in/yaml.v2 v2.2.7 // indirect k8s.io/api v0.0.0-20190313235455-40a48860b5ab diff --git a/go.sum b/go.sum index c82f78a7..5b6df6d4 100644 --- a/go.sum +++ b/go.sum @@ -39,6 +39,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= github.com/Netflix/go-expect v0.0.0-20180928190340-9d1f4485533b/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a h1:KFHLI4QGttB0i7M3qOkAo8Zn/GSsxwwCnInFqBaYtkM= +github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a/go.mod h1:D73UAuEPckrDorYZdtlCu2ySOLuPB5W4rhIkmmc/XbI= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
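Review bot: The new requirement `github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a` pulls an unrelated project at an untagged 2017 pseudo-version into the build solely for its `digest` transport, and that transport is what carries the Atlas API key pair on every request, so it sits directly in the credential path. A short comment next to the requirement (or at the `digest.NewTransport` call in pkg/location/atlas.go) recording why this module was chosen would help whoever next audits dependencies, since the go.sum entries added alongside verify integrity but say nothing about provenance or maintenance. If the Atlas client library provides or recommends a digest transport of its own, that would be a smaller trust surface worth checking before this is merged.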
@@ -108,6 +110,7 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.1/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= @@ -137,6 +140,8 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck= github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= 
@@ -221,6 +226,10 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mongodb/go-client-mongodb-atlas v0.1.3 h1:/l36BomZ93+YTQhqcnJLhgphP5+/VGqbmwAVQlWKhng= +github.com/mongodb/go-client-mongodb-atlas v0.1.3/go.mod h1:LS8O0YLkA+sbtOb3fZLF10yY3tJM+1xATXMJ3oU35LU= +github.com/mwielbut/pointy v1.1.0 h1:U5/YEfoIkaGCHv0St3CgjduqXID4FNRoyZgLM1kY9vg= +github.com/mwielbut/pointy v1.1.0/go.mod h1:MvvO+uMFj9T5DMda33HlvogsFBX7pWWKAkFIn4teYwY= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/ovotech/cloud-key-client v0.0.0-20191009092017-7cf0d3273c04 h1:I6tBGiEJaOL+SLrWXflS6Fik3y2HUtZE4SYkksdZ6QQ= @@ -355,6 +364,7 @@ golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc h1:c0o/qxkaO2LF5t6fQrT4b5 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba h1:9bFeDpN3gTqNanMVqNcoR/pJQuP5uroC3t1D7eXozTE= golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -474,6 +484,7 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZe golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 h1:xQwXv67TxFo9nC1GJFyab5eq/5B590r6RlnL/G8Sz7w= golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/pkg/cred/creds.go b/pkg/cred/creds.go
index d1b615cd..62b83f73 100644
--- a/pkg/cred/creds.go
+++ b/pkg/cred/creds.go
@@ -22,7 +22,7 @@ type Credentials struct {
 AkrPath string
 KmsKey string
 GocdServer GocdServer
- AtlasKeys AtlasKeys
+ AtlasKeys AtlasKeys
 }
 // GitAccount type
@@ -42,6 +42,6 @@ type GocdServer struct {
 // Atlas type
 type AtlasKeys struct {
- PublicKey string
- PrivateKey string
-}
\ No newline at end of file
+ PublicKey string
+ PrivateKey string
+}
diff --git a/pkg/location/atlas.go b/pkg/location/atlas.go
index c9a27931..35d7fd09 100644
--- a/pkg/location/atlas.go
+++ b/pkg/location/atlas.go
@@ -16,19 +16,20 @@ package location
 import (
 "context"
- "fmt"
- "log"
+ "time"
 "github.com/Sectorbob/mlab-ns2/gae/ns/digest"
 "github.com/mongodb/go-client-mongodb-atlas/mongodbatlas"
 "github.com/ovotech/cloud-key-rotator/pkg/cred"
 )
+const (
+ secretAccessKeyWaitSecs = 20
+)
+
 // Atlas type
 type Atlas struct {
- BucketName string
- ObjectName string
- FileType string
+ ProjectID string
 }
 func newClient(publicKey, privateKey string) (*mongodbatlas.Client, error) {
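Review bot: `secretAccessKeyWaitSecs = 20` is an untyped integer that only becomes a duration at its single call site (`secretAccessKeyWaitSecs * time.Second`), and nothing in the new const block says what the wait is for; declaring it as a `time.Duration` keeps the unit with the value, e.g. `secretAccessKeyWait = 20 * time.Second` preceded by `// secretAccessKeyWait is how long writeAws pauses before submitting the AWS key to Atlas (presumably to let the new key propagate — confirm).` The replacement `Atlas` struct keeps the stub comment `// Atlas type`, which tells a config author nothing about `ProjectID`; since that value is sent as `GroupID` in `writeAws`, something like `// Atlas is a key location that writes rotated AWS KMS credentials into the encryption-at-rest settings of the Atlas project identified by ProjectID.` would document the field. `newClient` continues past the end of this hunk.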
@@ -46,35 +47,25 @@ func newClient(publicKey, privateKey string) (*mongodbatlas.Client, error) {
 return mongodbatlas.NewClient(client), nil
 }
-func (atlas Atlas) Write(serviceAccountName string, keyWrapper KeyWrapper,
+func (atlas Atlas) Write(serviceAccountName string, keyWrapper KeyWrapper,
 creds cred.Credentials) (updated UpdatedLocation, err error) {
- var err error
 var client *mongodbatlas.Client
 if client, err = newClient(creds.AtlasKeys.PublicKey, creds.AtlasKeys.PrivateKey); err != nil {
 return
 }
- var ear *mongodbatlas.EncryptionAtRest
- if ear, _, err = client.EncryptionsAtRest.Get(context.Background(), projectID); err != nil {
- return
- }
-
 provider := keyWrapper.KeyProvider
 switch provider {
- case "gcp":
- writeGcp()
 case "aws":
- writeAws(client, keyWrapper.KeyID, keyWrapper.Key )
- }
-}
-
-func writeGcp() {
-
+ err = writeAws(client, keyWrapper.KeyID, keyWrapper.Key, atlas.ProjectID)
+ }
+ return
 }
-func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey string) (err error) {
+func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey, projectID string) (err error) {
+ time.Sleep(secretAccessKeyWaitSecs * time.Second)
 createRequest := &mongodbatlas.EncryptionAtRest{
 GroupID: projectID,
 AwsKms: mongodbatlas.AwsKms{
@@ -82,7 +73,6 @@ func writeAws(client *mongodbatlas.Client, accessKeyID, secretAccessKey string)
 SecretAccessKey: secretAccessKey,
 },
 }
- _, _, err = client.EncryptionsAtRest.Create(context.Background(), createRequest); err != nil {
+ _, _, err = client.EncryptionsAtRest.Create(context.Background(), createRequest)
 return
 }
-
From 2aa3a3920e65959184c77676b2ffcb11a76993b8 Mon Sep 17 00:00:00 2001
From: alexmcardle <26905549+apjm@users.noreply.github.com>
Date: Wed, 4 Mar 2020 16:13:25 +0000
Subject: [PATCH 3/3] Change comment in creds.go from Atlas to AtlasKeys
---
 pkg/cred/creds.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
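Review bot: The `switch provider` in `Write` has no `default`, so a `KeyProvider` other than `"aws"` (the previous revision still listed `"gcp"`) reaches the new `return` with a nil `err` and a zero `updated`, letting the caller treat a location that was never touched as successfully rotated; `default: err = fmt.Errorf("atlas: unsupported key provider %q", provider)` makes the gap visible (this needs `fmt`, which the import hunk in this commit removes, re-added). `updated` is never assigned on the success path either, so callers always receive an empty `UpdatedLocation`; it should at least carry `atlas.ProjectID`, though the type's fields are outside this diff. The unconditional `time.Sleep(secretAccessKeyWaitSecs * time.Second)` added to `writeAws` delays every run by a fixed 20 s; if it exists to let the new AWS key become valid before Atlas checks it, a comment saying so, plus a bounded retry on the `Create` error rather than a fixed wait, would be more robust and would not hide a key that never becomes usable. `Write` is complete within this hunk; `writeAws` continues into the second hunk.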
diff --git a/pkg/cred/creds.go b/pkg/cred/creds.go
index 62b83f73..7e16dc9c 100644
--- a/pkg/cred/creds.go
+++ b/pkg/cred/creds.go
@@ -40,7 +40,7 @@ type GocdServer struct {
 Password string
 }
-// Atlas type
+// AtlasKeys type
 type AtlasKeys struct {
 PublicKey string
 PrivateKey string
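Review bot: `// AtlasKeys type` still only restates the identifier, and the struct holds a secret, so the comment should say what the pair is for and flag the sensitive field: `// AtlasKeys is the MongoDB Atlas API key pair used to authenticate Atlas API calls (see pkg/location/atlas.go); PrivateKey is a secret and must not be logged.` Since `cred.Credentials` is passed by value into every location's `Write`, any `%+v` of it would print the private key, which is worth keeping in mind wherever credentials are logged or dumped for debugging.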