modify config only for the ingest

sda/cmd/ingest/ingest.go

@@ -61,7 +61,7 @@ func main() {
 		sigc <- syscall.SIGINT
 		panic(err)
 	}
-	keyList, err := config.GetC4GHKey()
+	keyList, err := config.GetC4GHKeyList()
 	if err != nil {
 		log.Error(err)
 		sigc <- syscall.SIGINT

sda/cmd/ingest/ingest_test.go

@@ -36,13 +36,31 @@ func (suite *TestSuite) SetupTest() {
 	pubKeyList = append(pubKeyList, publicKey)
 
 	tempDir := suite.T().TempDir()
-	privateKeyFile, err := os.Create(fmt.Sprintf("%s/c4fg.key", tempDir))
+
+	// Write the first private key file
+	privateKeyFile1, err := os.Create(fmt.Sprintf("%s/c4gh1.key", tempDir))
+	assert.NoError(suite.T(), err)
+	err = keys.WriteCrypt4GHX25519PrivateKey(privateKeyFile1, privateKey, []byte("c4ghpass1"))
+	assert.NoError(suite.T(), err)
+	privateKeyFile1.Close()
+
+	// Write the second private key file
+	privateKeyFile2, err := os.Create(fmt.Sprintf("%s/c4gh2.key", tempDir))
 	assert.NoError(suite.T(), err)
-	err = keys.WriteCrypt4GHX25519PrivateKey(privateKeyFile, privateKey, []byte("password"))
+	err = keys.WriteCrypt4GHX25519PrivateKey(privateKeyFile2, privateKey, []byte("c4ghpass2"))
 	assert.NoError(suite.T(), err)
-	viper.Set("c4gh.filepath", fmt.Sprintf("%s/c4fg.key", tempDir))
-	viper.Set("c4gh.passphrase", "password")
+	privateKeyFile2.Close()
 
+	viper.Set("c4gh.keys", []map[string]string{
+		{
+			"filePath":   fmt.Sprintf("%s/c4gh1.key", tempDir),
+			"passphrase": "c4ghpass1",
+		},
+		{
+			"filePath":   fmt.Sprintf("%s/c4gh2.key", tempDir),
+			"passphrase": "c4ghpass2",
+		},
+	})
 	viper.Set("broker.host", "test")
 	viper.Set("broker.port", 123)
 	viper.Set("broker.user", "test")
@@ -67,11 +85,20 @@ func (suite *TestSuite) TestTryDecrypt_wrongFile() {
 	buf, err := io.ReadAll(file)
 	assert.NoError(suite.T(), err)
 
-	key, err := config.GetC4GHKey()
-	assert.Nil(suite.T(), err)
-	b, err := tryDecrypt(key, buf)
-	assert.Nil(suite.T(), b)
-	assert.EqualError(suite.T(), err, "not a Crypt4GH file")
+	keyList, err := config.GetC4GHKeyList()
+	assert.NoError(suite.T(), err)
+
+	var decryptionSuccessful bool
+	for _, key := range keyList {
+		b, err := tryDecrypt(key, buf)
+		if b != nil || err == nil {
+			decryptionSuccessful = true
+			break
+		}
+		assert.EqualError(suite.T(), err, "not a Crypt4GH file")
+	}
+
+	assert.False(suite.T(), decryptionSuccessful, "Decryption should not succeed with any key")
 }
 
 func (suite *TestSuite) TestTryDecrypt() {
@@ -102,9 +129,14 @@ func (suite *TestSuite) TestTryDecrypt() {
 	buf, err := io.ReadAll(file)
 	assert.NoError(suite.T(), err)
 
-	key, err := config.GetC4GHKey()
-	assert.NoError(suite.T(), err)
-	header, err := tryDecrypt(key, buf)
+	keyList, err := config.GetC4GHKeyList()
 	assert.NoError(suite.T(), err)
-	assert.NotNil(suite.T(), header)
+	for _, key := range keyList {
+		header, err := tryDecrypt(key, buf)
+		if header != nil && err == nil {
+			break
+		}
+		assert.NoError(suite.T(), err)
+		assert.NotNil(suite.T(), header)
+	}
 }

sda/internal/config/config.go

@@ -53,7 +53,7 @@ type Config struct {
 
 type ReEncConfig struct {
 	APIConf
-	Crypt4GHKeyList []*[32]byte
+	Crypt4GHKey *[32]byte
 }
 
 type Sync struct {
@@ -367,6 +367,7 @@ func NewConfig(app string) (*Config, error) {
 		requiredConfVars = []string{
 			"c4gh.filepath",
 			"c4gh.passphrase",
+			"c4gh.keys",
 		}
 	case "s3inbox":
 		requiredConfVars = []string{
@@ -460,7 +461,23 @@ func NewConfig(app string) (*Config, error) {
 	}
 
 	for _, s := range requiredConfVars {
-		if !viper.IsSet(s) {
+		if s == "c4gh.keys" {
+			// Check if at least one key entry has a valid filepath and passphrase
+			var keysConfig []map[string]string
+			viper.UnmarshalKey("c4gh.keys", &keysConfig)
+
+			atLeastOneKeySet := false
+			for _, key := range keysConfig {
+				if key["filepath"] != "" && key["passphrase"] != "" {
+					atLeastOneKeySet = true
+					break
+				}
+			}
+
+			if !atLeastOneKeySet {
+				return nil, fmt.Errorf("at least one valid entry in c4gh.keys must have a filepath and passphrase set")
+			}
+		} else if !viper.IsSet(s) {
 			return nil, fmt.Errorf("%s not set", s)
 		}
 	}
@@ -922,7 +939,7 @@ func (c *Config) configReEncryptServer() (err error) {
 		c.ReEncrypt.Port = 50443
 	}
 
-	c.ReEncrypt.Crypt4GHKeyList, err = GetC4GHKey()
+	c.ReEncrypt.Crypt4GHKey, err = GetC4GHKey()
 	if err != nil {
 		return err
 	}
@@ -1050,8 +1067,29 @@ func (c *Config) configSyncAPI() {
 
 }
 
-// GetC4GHKey reads and decrypts keys and returns a list of c4gh keys
-func GetC4GHKey() ([]*[32]byte, error) {
+// GetC4GHKey reads and decrypts and returns the c4gh key
+func GetC4GHKey() (*[32]byte, error) {
+	keyPath := viper.GetString("c4gh.filepath")
+	passphrase := viper.GetString("c4gh.passphrase")
+
+	// Make sure the key path and passphrase is valid
+	keyFile, err := os.Open(keyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := keys.ReadPrivateKey(keyFile, []byte(passphrase))
+	if err != nil {
+		return nil, err
+	}
+
+	keyFile.Close()
+
+	return &key, nil
+}
+
+// GetC4GHKeyList reads and decrypts keys and returns a list of c4gh keys
+func GetC4GHKeyList() ([]*[32]byte, error) {
 	// Retrieve the list of key configurations from the YAML file
 	var keyConfigs []KeyConfig
 	if err := viper.UnmarshalKey("c4gh.keys", &keyConfigs); err != nil {