maybe-joe · March 30, 2019 05:04
diff --git a/configuration.go b/configuration.go
 package configuration

 import (
 	"bytes"
 	"cloud.google.com/go/storage"
 	"context"
 	"encoding/base64"
 	"golang.org/x/oauth2/google"
 	cloudkms "google.golang.org/api/cloudkms/v1"
 )

 // This snippet of code downloads, decrypts, and decodes private keys and config
 // that shouldn't be hard coded or stored in a repository.
 //
 // I use this for things like keys for encrpyting session cookies or private config
 // reguired to create a firebase admin client.
 //
 // I call this code in the root main func of the project. A draw back to this method
 // is it increases the time taken to restart the server during development (for me this is every file save!).
 // but the benefit is once the code is deployed revoking a compromised key only requires
 // a server restart once the new key is uploaded. Also I can use env variables along
 // with the container environment e.g. app engine to toggle pointing the service 
 // at development resources or production.
 //
 //
 // The commands below use gcloud cli to encrpyt and store json files.
 //
 // base64 -i service-private-key.json -o service-private-key.txt
 // 
 // gcloud kms encrypt \
 //   --location=global  \
 //   --keyring=gcp-project-id \
 //   --key=service-private-key \
 //   --plaintext-file=service-private-key.txt \
 //   --ciphertext-file=service-private-key.enc
 // 
 // gsutil cp algolia.enc gs://gcp-project-id-config/
 	
 func Config(projectID, bucketName, fileObjectName, keyRing, cryptoKey string) ([]byte, error) {
 	ctx := context.Background()

 	storageClient, err := storage.NewClient(ctx)
 	if err != nil {
 		return nil, err
 	}

 	bucket := storageClient.Bucket(bucketName)
 	fileObject := bucket.Object(fileObjectName)

 	reader, err := fileObject.NewReader(ctx)
 	if err != nil {
 		return nil, err
 	}

 	buffer := new(bytes.Buffer)
 	buffer.ReadFrom(reader)
 	reader.Close()

 	key := "projects/" + projectID + "/locations/global/keyRings/" + keyRing + "/cryptoKeys/" + cryptoKey

 	ciphertext := buffer.Bytes()

 	defaultClient, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
 	if err != nil {
 		return nil, err
 	}

 	cloudkmsService, err := cloudkms.New(defaultClient)
 	if err != nil {
 		return nil, err
 	}

 	req := &cloudkms.DecryptRequest{
 		Ciphertext: base64.StdEncoding.EncodeToString(ciphertext),
 	}

 	response, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Decrypt(key, req).Do()
 	if err != nil {
 		return nil, err
 	}

 	content, err := base64.StdEncoding.DecodeString(response.Plaintext)
 	if err != nil {
 		return nil, err
 	}

 	blob, err := base64.StdEncoding.DecodeString(string(content))
 	if err != nil {
 		return nil, err
 	}

 	return blob, nil
 }
	package configuration

	import (
	"bytes"
	"cloud.google.com/go/storage"
	"context"
	"encoding/base64"
	"golang.org/x/oauth2/google"
	cloudkms "google.golang.org/api/cloudkms/v1"
	)

	// This snippet of code downloads, decrypts, and decodes private keys and config
	// that shouldn't be hard coded or stored in a repository.
	//
	// I use this for things like keys for encrpyting session cookies or private config
	// reguired to create a firebase admin client.
	//
	// I call this code in the root main func of the project. A draw back to this method
	// is it increases the time taken to restart the server during development (for me this is every file save!).
	// but the benefit is once the code is deployed revoking a compromised key only requires
	// a server restart once the new key is uploaded. Also I can use env variables along
	// with the container environment e.g. app engine to toggle pointing the service
	// at development resources or production.
	//
	//
	// The commands below use gcloud cli to encrpyt and store json files.
	//
	// base64 -i service-private-key.json -o service-private-key.txt
	//
	// gcloud kms encrypt \
	// --location=global \
	// --keyring=gcp-project-id \
	// --key=service-private-key \
	// --plaintext-file=service-private-key.txt \
	// --ciphertext-file=service-private-key.enc
	//
	// gsutil cp algolia.enc gs://gcp-project-id-config/

	func Config(projectID, bucketName, fileObjectName, keyRing, cryptoKey string) ([]byte, error) {
	ctx := context.Background()

	storageClient, err := storage.NewClient(ctx)
	if err != nil {
	return nil, err
	}

	bucket := storageClient.Bucket(bucketName)
	fileObject := bucket.Object(fileObjectName)

	reader, err := fileObject.NewReader(ctx)
	if err != nil {
	return nil, err
	}

	buffer := new(bytes.Buffer)
	buffer.ReadFrom(reader)
	reader.Close()

	key := "projects/" + projectID + "/locations/global/keyRings/" + keyRing + "/cryptoKeys/" + cryptoKey

	ciphertext := buffer.Bytes()

	defaultClient, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
	if err != nil {
	return nil, err
	}

	cloudkmsService, err := cloudkms.New(defaultClient)
	if err != nil {
	return nil, err
	}

	req := &cloudkms.DecryptRequest{
	Ciphertext: base64.StdEncoding.EncodeToString(ciphertext),
	}

	response, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Decrypt(key, req).Do()
	if err != nil {
	return nil, err
	}

	content, err := base64.StdEncoding.DecodeString(response.Plaintext)
	if err != nil {
	return nil, err
	}

	blob, err := base64.StdEncoding.DecodeString(string(content))
	if err != nil {
	return nil, err
	}

	return blob, nil
	}