// +build !novaultkms
package kms
import (
	// The blank import registers the hashivault driver. It is done in this
	// file so that Vault support can be disabled using a build tag.
_ "gocloud.dev/secrets/hashivault"
"github.com/drakkan/sftpgo/version"
)
// vaultSecret is the secret provider built by newVaultSecret. It embeds
// baseGCloudSecret and layers Vault-specific status handling on top of it:
// Name, IsEncrypted, Encrypt and Decrypt are overridden in this file, while
// everything else is inherited from the embedded type.
type vaultSecret struct {
	baseGCloudSecret
}
// init records the "+vaultkms" feature with the version package. Because this
// file is excluded when the novaultkms build tag is set, the feature is only
// added in builds that actually include Vault support.
func init() {
	const feature = "+vaultkms"
	version.AddFeature(feature)
}
// newVaultSecret wraps base in a vaultSecret and returns it as a
// SecretProvider.
//
// url and masterKey are stored unchanged on the embedded baseGCloudSecret; no
// validation happens here, and how the two values are consumed is defined by
// baseGCloudSecret (not visible in this file).
//
// NOTE(review): masterKey is kept in memory as a plain string for the lifetime
// of the returned value; confirm that baseGCloudSecret never logs or
// serializes it.
func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
	inner := baseGCloudSecret{
		baseSecret: base,
		url:        url,
		masterKey:  masterKey,
	}
	return &vaultSecret{baseGCloudSecret: inner}
}
// Name returns the provider name for Vault-backed secrets, which is the
// package-level vaultProviderName value.
func (s *vaultSecret) Name() string {
	return vaultProviderName
}
// IsEncrypted reports whether the secret's Status is exactly
// SecretStatusVaultTransit. Any other status is treated as "not encrypted by
// this provider", including a status that another provider may have set.
func (s *vaultSecret) IsEncrypted() bool {
	switch s.Status {
	case SecretStatusVaultTransit:
		return true
	default:
		return false
	}
}
// Encrypt delegates to baseGCloudSecret.Encrypt and, only when that call
// succeeds, marks the secret with SecretStatusVaultTransit. On failure the
// error is returned as is and this method leaves Status untouched.
//
// NOTE(review): no status precondition is checked here; presumably
// baseGCloudSecret.Encrypt rejects a secret that is already encrypted.
// Confirm this against that implementation.
func (s *vaultSecret) Encrypt() error {
	err := s.baseGCloudSecret.Encrypt()
	if err != nil {
		return err
	}
	// Tag the payload only after the backend call has succeeded, so a failed
	// encryption is never labelled as Vault-encrypted.
	s.Status = SecretStatusVaultTransit
	return nil
}
// Decrypt delegates to baseGCloudSecret.Decrypt, but only for a secret whose
// Status is SecretStatusVaultTransit. Any other status is rejected with
// errWrongSecretStatus before the embedded implementation is called, so a
// payload not marked as Vault-encrypted is never handed to the decrypt path.
func (s *vaultSecret) Decrypt() error {
	if s.IsEncrypted() {
		return s.baseGCloudSecret.Decrypt()
	}
	return errWrongSecretStatus
}