Merge pull request #301 from microsoft/user/jirenugo/keysvc

SDK changes for key service

Author: jirenugo

Makefile

@@ -5,7 +5,7 @@ GOBUILD=$(GOCMD) build -v #-mod=vendor
 GOHOSTOS=$(strip $(shell $(GOCMD) env get GOHOSTOS))
 GOPATH_BIN := $(shell go env GOPATH)/bin
 GOTEST=GOOS=$(GOHOSTOS) $(GOCMD) test -v -coverprofile=coverage.out -covermode count -timeout 60m0s
-TESTDIRECTORIES= ./services/compute/virtualmachine/internal
+TESTDIRECTORIES= ./services/compute/virtualmachine/internal ./services/security/keyvault/key/internal
 
 TAG ?= $(shell git describe --tags)
 COMMIT ?= $(shell git describe --always)

pkg/client/client.go

@@ -324,6 +324,16 @@ func GetSecretClient(serverAddress *string, authorizer auth.Authorizer) (securit
 	return security_pb.NewSecretAgentClient(conn), nil
 }
 
+// GetKeyClient returns the secret client to communicate with the wssdagent
+func GetKeyClient(serverAddress *string, authorizer auth.Authorizer) (security_pb.KeyAgentClient, error) {
+	conn, err := getClientConnection(serverAddress, authorizer)
+	if err != nil {
+		log.Fatalf("Unable to get KeyVaultClient. Failed to dial: %v", err)
+	}
+
+	return security_pb.NewKeyAgentClient(conn), nil
+}
+
 // GetIdentityClient returns the secret client to communicate with the wssdagent
 func GetIdentityClient(serverAddress *string, authorizer auth.Authorizer) (security_pb.IdentityAgentClient, error) {
 	conn, err := getClientConnection(serverAddress, authorizer)

services/security/identity/internal/wssd.go

@@ -125,6 +125,7 @@ func getIdentity(identity *wssdsecurity.Identity) *security.Identity {
 		ID:          &identity.Id,
 		Name:        &identity.Name,
 		TokenExpiry: &identity.TokenExpiry,
+		Token:       &identity.Token,
 		IdentityProperties: &security.IdentityProperties{
 			ProvisioningState: status.GetProvisioningState(identity.GetStatus().GetProvisioningStatus()),
 			Statuses:          status.GetStatuses(identity.GetStatus()),

services/security/keyvault/key/client.go

@@ -0,0 +1,72 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license
+
+package key
+
+import (
+	"context"
+
+	"github.com/microsoft/moc/pkg/auth"
+	"github.com/microsoft/wssd-sdk-for-go/services/security"
+	"github.com/microsoft/wssd-sdk-for-go/services/security/keyvault"
+	"github.com/microsoft/wssd-sdk-for-go/services/security/keyvault/key/internal"
+)
+
+// Service interface
+type Service interface {
+	Get(context.Context, string, string) (*[]keyvault.Key, error)
+	CreateOrUpdate(context.Context, *keyvault.Key) (*keyvault.Key, error)
+	Delete(context.Context, *keyvault.Key) error
+	RotateKey(context.Context, *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error)
+	WrapKey(context.Context, *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error)
+	UnwrapKey(context.Context, *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error)
+}
+
+// Client structure
+type KeyClient struct {
+	security.BaseClient
+	internal Service
+}
+
+// NewClient method returns new client
+func NewKeyClient(cloudFQDN string, authorizer auth.Authorizer) (*KeyClient, error) {
+	c, err := internal.NewKeyClient(cloudFQDN, authorizer)
+	if err != nil {
+		return nil, err
+	}
+
+	return &KeyClient{internal: c}, nil
+}
+
+// Get methods invokes the client Get method
+func (c *KeyClient) Get(ctx context.Context, name, vaultName string) (*[]keyvault.Key, error) {
+	return c.internal.Get(ctx, name, vaultName)
+}
+
+// CreateOrUpdate methods invokes create or update on the client
+func (c *KeyClient) CreateOrUpdate(ctx context.Context, key *keyvault.Key) (*keyvault.Key, error) {
+	return c.internal.CreateOrUpdate(ctx, key)
+}
+
+// Delete methods invokes delete of the key resource
+func (c *KeyClient) Delete(ctx context.Context, key *keyvault.Key) error {
+	return c.internal.Delete(ctx, key)
+}
+
+// RotateKey methods invokes delete of the key resource
+func (c *KeyClient) RotateKey(ctx context.Context, key *keyvault.Key) (*keyvault.KeyOperationResult, error) {
+	keyOpRequest := &keyvault.KeyOperationRequest{Key: key}
+	return c.internal.RotateKey(ctx, keyOpRequest)
+}
+
+// WrapKey methods invokes delete of the key resource
+func (c *KeyClient) WrapKey(ctx context.Context, key *keyvault.Key, alg *keyvault.JSONWebKeyEncryptionAlgorithm, data *string) (*keyvault.KeyOperationResult, error) {
+	keyOpRequest := &keyvault.KeyOperationRequest{Key: key, Algorithm: alg, Data: data}
+	return c.internal.WrapKey(ctx, keyOpRequest)
+}
+
+// UnwrapKey methods invokes delete of the key resource
+func (c *KeyClient) UnwrapKey(ctx context.Context, key *keyvault.Key, alg *keyvault.JSONWebKeyEncryptionAlgorithm, data *string) (*keyvault.KeyOperationResult, error) {
+	keyOpRequest := &keyvault.KeyOperationRequest{Key: key, Algorithm: alg, Data: data}
+	return c.internal.UnwrapKey(ctx, keyOpRequest)
+}

services/security/keyvault/key/internal/wssd.go

@@ -0,0 +1,254 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license
+
+package internal
+
+import (
+	"context"
+
+	"github.com/microsoft/moc/pkg/status"
+	"github.com/microsoft/wssd-sdk-for-go/services/security/keyvault"
+
+	"github.com/microsoft/moc/pkg/auth"
+	"github.com/microsoft/moc/pkg/errors"
+	wssdcommonproto "github.com/microsoft/moc/rpc/common"
+	wssdsecurity "github.com/microsoft/moc/rpc/nodeagent/security"
+	wssdclient "github.com/microsoft/wssd-sdk-for-go/pkg/client"
+	log "k8s.io/klog"
+)
+
+type client struct {
+	wssdsecurity.KeyAgentClient
+}
+
+// NewKeyClient - creates a client session with the backend wssd agent
+func NewKeyClient(subID string, authorizer auth.Authorizer) (*client, error) {
+	c, err := wssdclient.GetKeyClient(&subID, authorizer)
+	if err != nil {
+		return nil, err
+	}
+	return &client{c}, nil
+}
+
+// Get
+func (c *client) Get(ctx context.Context, name string, vaultName string) (*[]keyvault.Key, error) {
+	request := getKeyRequest(wssdcommonproto.Operation_GET, name, vaultName, nil, 0, nil)
+	response, err := c.KeyAgentClient.Invoke(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return getKeysFromResponse(response), nil
+}
+
+// CreateOrUpdate
+func (c *client) CreateOrUpdate(ctx context.Context, keyIn *keyvault.Key) (*keyvault.Key, error) {
+	err := c.validate(ctx, keyIn)
+	if err != nil {
+		return nil, err
+	}
+
+	request := getKeyRequest(wssdcommonproto.Operation_POST, "", "", nil, 0, keyIn)
+	response, err := c.KeyAgentClient.Invoke(ctx, request)
+	if err != nil {
+		log.Errorf("[Key] Create failed with error %v", err)
+		return nil, err
+	}
+
+	keys := getKeysFromResponse(response)
+
+	if len(*keys) == 0 {
+		return nil, errors.New("[Key][Create] Unexpected error: Creating a key returned no result")
+	}
+
+	return &((*keys)[0]), err
+}
+
+func (c *client) validate(ctx context.Context, key *keyvault.Key) (err error) {
+	if key == nil || key.VaultName == nil || key.Name == nil || key.KeyType == nil || getMOCKeySize(key.KeySize) == wssdcommonproto.KeySize_K_UNKNOWN {
+		return errors.Wrapf(errors.InvalidInput, "[Key][Create] Invalid Input")
+	}
+
+	return nil
+}
+
+// Delete methods invokes create or update on the client
+func (c *client) Delete(ctx context.Context, key *keyvault.Key) error {
+	keys, err := c.Get(ctx, *key.Name, *key.VaultName)
+	if err != nil {
+		return err
+	}
+	if len(*keys) == 0 {
+		return errors.Wrapf(errors.NotFound, "Key [%s] not found", *key.Name)
+	}
+
+	request := getKeyRequest(wssdcommonproto.Operation_DELETE, "", "", nil, 0, &(*keys)[0])
+	_, err = c.KeyAgentClient.Invoke(ctx, request)
+	return err
+}
+
+// Rotates a key and returns the new key
+func (c *client) RotateKey(ctx context.Context, keyReq *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error) {
+	wssdReq, err := getKeyOperationRequest(keyReq, wssdcommonproto.ProviderAccessOperation_Key_Rotate)
+	if err != nil {
+		return nil, err
+	}
+
+	wssdRep, err := c.KeyAgentClient.Operate(ctx, wssdReq)
+
+	if err != nil {
+		return nil, err
+	}
+
+	keyOpRes := keyvault.KeyOperationResult{
+		Key:    getKey(wssdRep.GetKey()),
+		Result: nil} // No result expected from rotate
+
+	return &keyOpRes, nil
+}
+
+// Wraps a key and returns the result
+func (c *client) WrapKey(ctx context.Context, keyReq *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error) {
+	wssdReq, err := getKeyOperationRequest(keyReq, wssdcommonproto.ProviderAccessOperation_Key_WrapKey)
+	if err != nil {
+		return nil, err
+	}
+
+	wssdRep, err := c.KeyAgentClient.Operate(ctx, wssdReq)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if wssdRep.Data == "" {
+		return nil, errors.New("[Key][Wrap] Unexpected error: Wrapping a key returned no result")
+	}
+
+	keyOpRes := keyvault.KeyOperationResult{
+		Key:    nil, // No key changes expected
+		Result: &wssdRep.Data}
+
+	return &keyOpRes, nil
+}
+
+// Unwraps a key and returns the result
+func (c *client) UnwrapKey(ctx context.Context, keyReq *keyvault.KeyOperationRequest) (*keyvault.KeyOperationResult, error) {
+	wssdReq, err := getKeyOperationRequest(keyReq, wssdcommonproto.ProviderAccessOperation_Key_UnwrapKey)
+	if err != nil {
+		return nil, err
+	}
+
+	wssdRep, err := c.KeyAgentClient.Operate(ctx, wssdReq)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if wssdRep.Data == "" {
+		return nil, errors.New("[Key][Wrap] Unexpected error: Unwrapping a key returned no result")
+	}
+
+	keyOpRes := keyvault.KeyOperationResult{
+		Key:    nil, // No key changes expected
+		Result: &wssdRep.Data}
+
+	return &keyOpRes, nil
+}
+
+func getKeyOperationRequest(keyReq *keyvault.KeyOperationRequest, op wssdcommonproto.ProviderAccessOperation) (*wssdsecurity.KeyOperationRequest, error) {
+	var wssdReq wssdsecurity.KeyOperationRequest
+	switch op {
+	case wssdcommonproto.ProviderAccessOperation_Key_Rotate:
+		wssdReq = wssdsecurity.KeyOperationRequest{
+			Key:           getWssdKey(keyReq.Key),
+			OperationType: wssdcommonproto.ProviderAccessOperation_Key_Rotate}
+
+	case wssdcommonproto.ProviderAccessOperation_Key_UnwrapKey:
+	case wssdcommonproto.ProviderAccessOperation_Key_WrapKey:
+		wssdReq = wssdsecurity.KeyOperationRequest{
+			Key:           getWssdKey(keyReq.Key),
+			Algorithm:     wssdcommonproto.Algorithm(wssdcommonproto.Algorithm_value[string(*keyReq.Algorithm)]),
+			OperationType: op,
+			Data:          *keyReq.Data}
+	default:
+		return nil, errors.InvalidInput
+	}
+
+	return &wssdReq, nil
+}
+
+func getKeysFromResponse(response *wssdsecurity.KeyResponse) *[]keyvault.Key {
+	Keys := []keyvault.Key{}
+	for _, key := range response.GetKeys() {
+		Keys = append(Keys, *(getKey(key)))
+	}
+
+	return &Keys
+}
+
+func getKeyRequest(opType wssdcommonproto.Operation, name, vaultName string, keyType *keyvault.JSONWebKeyType, keySize int32, key *keyvault.Key) *wssdsecurity.KeyRequest {
+	request := &wssdsecurity.KeyRequest{
+		OperationType: opType,
+		Keys:          []*wssdsecurity.Key{},
+	}
+
+	if key != nil {
+		request.Keys = append(request.Keys, getWssdKey(key))
+	} else if len(name) > 0 {
+		tempKey := &wssdsecurity.Key{
+			Name:      name,
+			VaultName: vaultName,
+			Size:      getMOCKeySize(keySize)}
+
+		if keyType != nil {
+			tempKey.Type = wssdcommonproto.JsonWebKeyType(wssdcommonproto.JsonWebKeyType_value[string(*keyType)])
+		}
+
+		request.Keys = append(request.Keys, tempKey)
+	}
+	return request
+}
+
+func getKey(key *wssdsecurity.Key) *keyvault.Key {
+	ct := key.CreationTime.AsTime()
+	keyType := keyvault.JSONWebKeyType(wssdcommonproto.JsonWebKeyType_name[int32(key.Type)])
+	return &keyvault.Key{
+		ID:                &key.Id,
+		Name:              &key.Name,
+		VaultName:         &key.VaultName,
+		CreationTime:      &ct,
+		KeyVersion:        key.KeyVersion,
+		KeyType:           &keyType,
+		KeySize:           getKeySize(key.Size),
+		ProvisioningState: status.GetProvisioningState(key.GetStatus().GetProvisioningStatus())}
+}
+
+func getWssdKey(key *keyvault.Key) *wssdsecurity.Key {
+	keyOut := &wssdsecurity.Key{
+		Name:       *key.Name,
+		VaultName:  *key.VaultName,
+		Type:       wssdcommonproto.JsonWebKeyType(wssdcommonproto.JsonWebKeyType_value[string(*key.KeyType)]),
+		Size:       getMOCKeySize(key.KeySize),
+		KeyVersion: key.KeyVersion}
+
+	return keyOut
+}
+
+func getMOCKeySize(size int32) (ksize wssdcommonproto.KeySize) {
+	switch size {
+	case 256:
+		ksize = wssdcommonproto.KeySize__256
+	default:
+		ksize = wssdcommonproto.KeySize_K_UNKNOWN
+	}
+	return
+}
+
+func getKeySize(ksize wssdcommonproto.KeySize) (size int32) {
+	switch ksize {
+	case wssdcommonproto.KeySize__256:
+		size = 256
+	default:
+		size = -1
+	}
+	return
+}