kms: add support for Oracle Key Vault

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2024-11-25 00:50:31 +00:00 · 2024-10-03 06:59:54 +02:00 · 2024-10-03 06:59:54 +02:00 · 8325fbc7dd
commit 8325fbc7dd
parent f6a5264a2e
6 changed files with 35 additions and 30 deletions
--- a/internal/cmd/startsubsys.go
+++ b/internal/cmd/startsubsys.go
@ -90,6 +90,10 @@ Command-line flags should be specified in the Subsystem declaration.
 				logger.Error(logSender, connectionID, "unable to initialize KMS: %v", err)
 				os.Exit(1)
 			}
+			if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
+				logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
+				os.Exit(1)
+			}
 			mfaConfig := config.GetMFAConfig()
 			err = mfaConfig.Initialize()
 			if err != nil {
@ -109,10 +113,6 @@ Command-line flags should be specified in the Subsystem declaration.
 				logger.Error(logSender, connectionID, "unable to initialize the data provider: %v", err)
 				os.Exit(1)
 			}
-			if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
-				logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
-				os.Exit(1)
-			}
 			smtpConfig := config.GetSMTPConfig()
 			err = smtpConfig.Initialize(configDir, false)
 			if err != nil {
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@ -366,6 +366,24 @@ func TestMain(m *testing.M) {
 		os.Exit(1)
 	}

+	kmsConfig := config.GetKMSConfig()
+	err = kmsConfig.Initialize()
+	if err != nil {
+		logger.ErrorToConsole("error initializing kms: %v", err)
+		os.Exit(1)
+	}
+	err = plugin.Initialize(pluginsConfig, "debug")
+	if err != nil {
+		logger.ErrorToConsole("error initializing plugin: %v", err)
+		os.Exit(1)
+	}
+	mfaConfig := config.GetMFAConfig()
+	err = mfaConfig.Initialize()
+	if err != nil {
+		logger.ErrorToConsole("error initializing MFA: %v", err)
+		os.Exit(1)
+	}
+
 	err = dataprovider.Initialize(providerConf, configDir, true)
 	if err != nil {
 		logger.WarnToConsole("error initializing data provider: %v", err)
@ -385,23 +403,6 @@ func TestMain(m *testing.M) {
 	httpConfig.RetryMax = 1
 	httpConfig.Timeout = 5
 	httpConfig.Initialize(configDir) //nolint:errcheck
-	kmsConfig := config.GetKMSConfig()
-	err = kmsConfig.Initialize()
-	if err != nil {
-		logger.ErrorToConsole("error initializing kms: %v", err)
-		os.Exit(1)
-	}
-	mfaConfig := config.GetMFAConfig()
-	err = mfaConfig.Initialize()
-	if err != nil {
-		logger.ErrorToConsole("error initializing MFA: %v", err)
-		os.Exit(1)
-	}
-	err = plugin.Initialize(pluginsConfig, "debug")
-	if err != nil {
-		logger.ErrorToConsole("error initializing plugin: %v", err)
-		os.Exit(1)
-	}

 	httpdConf := config.GetHTTPDConfig()

--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@ -73,7 +73,8 @@ var (
 	// ErrInvalidSecret defines the error to return if a secret is not valid
 	ErrInvalidSecret    = errors.New("invalid secret")
 	validSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox,
-		sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusRedacted}
+		sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusAzureKeyVault,
+		"OracleKeyVault", sdkkms.SecretStatusRedacted}
 	config          Configuration
 	secretProviders = make(map[string]registeredSecretProvider)
 )
--- a/internal/plugin/kms.go
+++ b/internal/plugin/kms.go
@ -29,9 +29,10 @@ import (
 )

 var (
-	validKMSSchemes           = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit, sdkkms.SchemeAzureKeyVault}
+	validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit,
+		sdkkms.SchemeAzureKeyVault, "ocikeyvault"}
 	validKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP,
-		sdkkms.SecretStatusAzureKeyVault}
+		sdkkms.SecretStatusAzureKeyVault, "OracleKeyVault"}
 )

 // KMSConfig defines configuration parameters for kms plugins
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
@ -227,7 +227,7 @@ func initializePlugins() error {
 			kmsID++
 			kms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus,
 				Handler.Configs[idx].newKMSPluginSecretProvider)
-			logger.Info(logSender, "", "registered secret provider for scheme: %v, encrypted status: %v",
+			logger.Info(logSender, "", "registered secret provider for scheme %q, encrypted status %q",
 				config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus)
 		case auth.PluginName:
 			plugin, err := newAuthPlugin(config)
--- a/internal/service/service.go
+++ b/internal/service/service.go
@ -129,6 +129,13 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
 		logger.ErrorToConsole("unable to initialize KMS: %v", err)
 		return err
 	}
+	// We may have KMS plugins and their schema needs to be registered before
+	// initializing the data provider which may contain KMS secrets.
+	if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
+		logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
+		logger.ErrorToConsole("unable to initialize plugin system: %v", err)
+		return err
+	}
 	mfaConfig := config.GetMFAConfig()
 	err = mfaConfig.Initialize()
 	if err != nil {
@ -142,11 +149,6 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
 		logger.ErrorToConsole("error initializing data provider: %v", err)
 		return err
 	}
-	if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
-		logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
-		logger.ErrorToConsole("unable to initialize plugin system: %v", err)
-		return err
-	}
 	smtpConfig := config.GetSMTPConfig()
 	err = smtpConfig.Initialize(s.ConfigDir, s.PortableMode != 1)
 	if err != nil {