Ask to create master key (CMK) when adding first secret for app/env

uniiverse · Jul 4, 2016 · e574c1d · e574c1d
1 parent b0d6471
commit e574c1d
Show file tree

Hide file tree

Showing 4 changed files with 155 additions and 9 deletions.
diff --git a/cli_helper.go b/cli_helper.go
@@ -10,7 +10,24 @@ import (
 func GetInput(message string) string {
   reader := bufio.NewReader(os.Stdin)
   fmt.Print(message)
-  text, _ := reader.ReadString('\n')
+  text, err := reader.ReadString('\n')
+  if(err != nil) {
+    panic(err)
+  }
   text = strings.Replace(text, "\n", "", -1)
   return text
 }
+
+func BoolQuestion(message string) bool {
+  instructions := " (y/n): "
+  result := GetInput(message + instructions)
+  if(result == "y" || result == "yes") {
+    return true
+  } else if(result == "n" || result == "no") {
+    return false
+  } else {
+    fmt.Println("Invalid input, try again")
+    return BoolQuestion(message)
+  }
+}
+
diff --git a/cli.go → kms-cli.go b/cli.go → kms-cli.go
@@ -31,6 +31,8 @@ func addSecret(app, env, name string) {
   CheckEnv(env)
   CheckName(name)
 
+  CheckAndAddKey(app, env)
+
   fmt.Println("Adding secret called:", name)
 
   //prompt for secret value
@@ -104,6 +106,24 @@ func ParseEncryptWrite(input interface{}, app, env, path string) {
 
 }
 
+func CheckAndAddKey(app, env string) {
+  session := GetKMSSession()
+  aliases := ListAliases(session)
+  aliasExists := AliasExists(GetAliasName(app, env), aliases)
+
+  if(!aliasExists) {
+    createKey := BoolQuestion("Master Key doesn't exist, create?")
+
+    if(createKey) {
+      CreateKeyWithAlias(session, app, env)
+      fmt.Println("Key Created")
+    } else {
+      fmt.Println("Could not save secret without key")
+      os.Exit(1)
+    }
+  }
+}
+
 func UnmarshalSecrets(input []byte) map[string]interface{} {
   var dat map[string]interface{}
 

diff --git a/kms.go b/kms.go
@@ -33,6 +33,32 @@ func ListAliases(svc *kms.KMS) ([]*kms.AliasListEntry) {
   return resp.Aliases
 }
 
+func FilterAliases(entries []*kms.AliasListEntry, f func(*kms.AliasListEntry) bool) []*kms.AliasListEntry {
+  result := make([]*kms.AliasListEntry, 0)
+
+  for _, v := range entries {
+    if f(v) {
+      result = append(result, v)
+    }
+  }
+  return result
+}
+
+func AliasExists(aliasName string, entries []*kms.AliasListEntry) bool {
+  aliases := FilterAliases(entries, func(alias *kms.AliasListEntry) bool {
+    return *alias.AliasName == aliasName
+  })
+
+  if (len(aliases) == 0) {
+    return false
+  } else if (len(aliases) > 1) {
+    panic("Multiple Keys matching app and env found!")
+  } else {
+    //One found
+    return true
+  }
+}
+
 func GetAliasName(app, env string) string {
  return "alias/" + app + "-" + env
 }
@@ -76,3 +102,38 @@ func Decrypt(svc *kms.KMS, app, env string, payload []byte) []byte { //*kms.Decr
 
   return resp.Plaintext
 }
+
+func CreateKey(svc *kms.KMS, desc string) *kms.CreateKeyOutput {
+  params := &kms.CreateKeyInput{
+    Description: aws.String(desc),
+  }
+
+  resp, err := svc.CreateKey(params)
+
+  if(err != nil) {
+    panic(err)
+  }
+
+  return resp
+}
+
+func CreateAlias(svc *kms.KMS, app, env, targetKeyId string) *kms.CreateAliasOutput {
+  params := &kms.CreateAliasInput{
+    AliasName: aws.String(GetAliasName(app, env)),
+    TargetKeyId: aws.String(targetKeyId),
+  }
+
+  resp, err := svc.CreateAlias(params)
+
+  if(err != nil) {
+    panic(err)
+  }
+
+  return resp
+}
+
+func CreateKeyWithAlias(svc *kms.KMS, app, env string) {
+  desc := app + "-" + env
+  key := CreateKey(svc, desc)
+  CreateAlias(svc, app, env, *key.KeyMetadata.KeyId)
+}
diff --git a/kms_test.go b/kms_test.go
@@ -3,6 +3,7 @@ package main
 import (
   "fmt"
   "testing"
+  "github.com/aws/aws-sdk-go/service/kms"
 )
 
 func TestGetKMSSession(t *testing.T) {
@@ -19,16 +20,36 @@ func TestListAliases(t *testing.T) {
   fmt.Println(got)
 }
 
+func TestFilterAliases(t *testing.T) {
+  session := GetKMSSession()
+
+  aliases := ListAliases(session)
+
+  result := FilterAliases(aliases, func(alias *kms.AliasListEntry) bool {
+    return *alias.AliasName == "alias/myapp-staging"
+  })
+
+  fmt.Println(result)
+}
+
+func TestAliasExists(t *testing.T) {
+  session := GetKMSSession()
+
+  aliases := ListAliases(session)
+
+  result := AliasExists("alias/myapp-staginggg", aliases)
+
+  fmt.Println(result)
+}
+
 func TestEncrypt(t *testing.T) {
   svc := GetKMSSession()
 
-  //keyId := "1b4a9160-0e9a-4c4f-ae96-ff4f656ba8e2"
-  keyId := "alias/web-staging"
   payload := []byte(`{"Name":"Alice","Body":"Hello","Time":1294706395881547000}`)
   app := "web"
   env := "staging"
 
-  result := Encrypt(svc,keyId,app,env,payload)
+  result := Encrypt(svc,app,env,payload)
 
   fmt.Println(result)
 }
@@ -37,15 +58,42 @@ func TestDecrypt(t *testing.T) {
 
   svc := GetKMSSession()
 
-  //keyId := "1b4a9160-0e9a-4c4f-ae96-ff4f656ba8e2"
-  keyId := "alias/web-staging"
   payload := []byte(`{"Name":"Alice","Body":"Hello","Time":1294706395881547000}`)
   app := "web"
   env := "staging"
 
-  encryptResult := Encrypt(svc,keyId,app,env,payload)
+  encryptResult := Encrypt(svc,app,env,payload)
+
+  decryptResult := Decrypt(svc, app, env, encryptResult)
+
+  fmt.Println(string(decryptResult))
+}
+
+func TestCreateKey(t *testing.T) {
+  svc := GetKMSSession()
+
+  result := CreateKey(svc, "blah")
+
+  fmt.Println(result)
+}
+
+func TestCreateAlias(t *testing.T) {
+  svc := GetKMSSession()
+
+  targetKey := "b829684d-5066-4cd7-ab44-3f3de80110dc"
+  app := "myapp"
+  env := "staging"
+
+  result := CreateAlias(svc, app, env, targetKey)
+
+  fmt.Println(result)
+}
+
+func TestCreateKeyWithAlias(t *testing.T) {
+  svc := GetKMSSession()
 
-  decryptResult := Decrypt(svc, app, env, encryptResult.CiphertextBlob)
+  app := "myapp2"
+  env := "staging"
 
-  fmt.Println(string(decryptResult.Plaintext))
+  CreateKeyWithAlias(svc, app, env)
 }