)" `${1} 🔗︎ ${3}` | safeHTML }}
--------------------------------------------------------------------------------
/init-container/tests/expected.cfg:
--------------------------------------------------------------------------------
1 | key-newlines.json={"secret_key":"secret_value\nsecret_value"}
2 | key.json={"secret_key":"secret_value"}
3 | key1=super-secret-from-value
4 | key2=super-secret
5 |
--------------------------------------------------------------------------------
/scripts/run_security_tests.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | set -e
4 |
5 | docker run --rm -v $(pwd)/glue:/input soluto/glue-ci:1532426297485 sh -x /app/run_glue.sh /input/glue.json /input/report.json
--------------------------------------------------------------------------------
/site/layouts/index.redirects:
--------------------------------------------------------------------------------
1 | {{- $apiVersions := site.Data.apiVersions -}}
2 | {{- range $apiVersions }}
3 | /{{ . }} https://godoc.org/sigs.k8s.io/kind/pkg/cluster/config/{{ . }}
4 | {{- end }}
5 |
--------------------------------------------------------------------------------
/init-container/tests/expected-strict.cfg:
--------------------------------------------------------------------------------
1 | key-newlines.json={"secret_key":"secret_value\nsecret_value"}
2 | key.json={"secret_key":"secret_value"}
3 | key1="super-secret-from-value"
4 | key2="super-secret"
5 |
--------------------------------------------------------------------------------
/init-container/tests/expected.json:
--------------------------------------------------------------------------------
1 | {
2 | "key-newlines.json":{"secret_key":"secret_value\nsecret_value"},
3 | "key.json":{"secret_key":"secret_value"},
4 | "key1":"super-secret-from-value",
5 | "key2":"super-secret"
6 | }
--------------------------------------------------------------------------------
/init-container/templates/json.ejs:
--------------------------------------------------------------------------------
1 | {
2 | <%_ Object.keys(secrets).forEach(function(key, index){ -%>
3 | "<%= key %>":<%- JSON.stringify(secrets[key]) -%> <%_ if(Object.keys(secrets).length - 1 > index) { -%>,<%_ } %>
4 | <%_ }); -%>
5 | }
--------------------------------------------------------------------------------
/tests/crd-controller/updated-tls-KamusSecretV1Alpha2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: "soluto.com/v1alpha2"
2 | kind: KamusSecret
3 | metadata:
4 | name: my-tls-secret
5 | type: TlsSecret
6 | stringData:
7 | key: fX+zM9o709PGkitf0f7PNg==:1iLWChg0N5+SwysTXvLSCw==
8 | serviceAccount: some-sa
--------------------------------------------------------------------------------
/init-container/templates/cfg-strict.ejs:
--------------------------------------------------------------------------------
1 | <%_ Object.keys(secrets).forEach(function(key){ -%>
2 | <%_ if(typeof(secrets[key]) === "string") { -%>
3 | <%= key %>="<%- secrets[key] %>"
4 | <%_ } else { -%>
5 | <%= key %>=<%- stringifyIfJson(secrets[key]) %>
6 | <%_ } -%>
7 | <%_ }); -%>
--------------------------------------------------------------------------------
/tests/blackbox/compose/glue/glue.json:
--------------------------------------------------------------------------------
1 | {
2 | "ZAPhttp://api:9999/api/v1/isAliveResource Allows Anonymous Access": "ignore",
3 | "ZAPhttp://api:9999/api/v1/encryptResource Allows Anonymous Access": "ignore",
4 | "ZAPhttp://api:9999/api/v1/encryptBase64 Disclosure": "ignore"
5 | }
--------------------------------------------------------------------------------
/src/decrypt-api/KubernetesAuthentication/KubernetesAuthenticationOptions.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.AspNetCore.Authentication;
2 |
3 | namespace Kamus.KubernetesAuthentication
4 | {
5 | public class KubernetesAuthenticationOptions : AuthenticationSchemeOptions
6 | {
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/tests/blackbox/Wiremock/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM openjdk:8-stretch
2 |
3 | WORKDIR /wiremock
4 |
5 | RUN wget https://repo1.maven.org/maven2/com/github/tomakehurst/wiremock-standalone/2.17.0/wiremock-standalone-2.17.0.jar
6 |
7 | COPY . .
8 |
9 | CMD ["java", "-jar", "wiremock-standalone-2.17.0.jar"]
--------------------------------------------------------------------------------
/tests/integration/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "KeyManagement": {
3 | "Provider": "AESKey",
4 | "AES": {
5 | "Key": "rWnWbaFutavdoeqUiVYMNJGvmjQh31qaIej/vAxJ9G0="
6 | },
7 | "KeyVault": {
8 | "KeyType": "RSA",
9 | "KeyLength": "2048"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/init-container/tests/Wiremock/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM openjdk:8-stretch
2 |
3 | WORKDIR /wiremock
4 |
5 | RUN wget https://repo1.maven.org/maven2/com/github/tomakehurst/wiremock-standalone/2.17.0/wiremock-standalone-2.17.0.jar
6 |
7 | COPY . .
8 |
9 | CMD ["java", "-jar", "wiremock-standalone-2.17.0.jar"]
--------------------------------------------------------------------------------
/site/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "kamus-website",
3 | "version": "1.0.0",
4 | "main": "index.js",
5 | "license": "MIT",
6 | "dependencies": {
7 | "hugo-bin": "^0.62.0"
8 | },
9 | "scripts": {
10 | "build": "hugo",
11 | "serve": "hugo server -w"
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/site/static/browserconfig.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | #2d89ef
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/src/decrypt-api/Extensions/LoggingExtensions.cs:
--------------------------------------------------------------------------------
1 | using Serilog;
2 |
3 | namespace Kamus.Extensions
4 | {
5 | public static class LoggingExtensions
6 | {
7 | public static ILogger AsAudit(this ILogger logger)
8 | {
9 | return logger.ForContext("log_type", "audit");
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/src/encrypt-api/Extensions/LoggingExtensions.cs:
--------------------------------------------------------------------------------
1 | using Serilog;
2 |
3 | namespace Kamus.Extensions
4 | {
5 | public static class LoggingExtensions
6 | {
7 | public static ILogger AsAudit(this ILogger logger)
8 | {
9 | return logger.ForContext("log_type", "audit");
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/security.md:
--------------------------------------------------------------------------------
1 | # Reporting Security Issues
2 |
3 | If you discover a security issue in Kamus, please report it by sending an email to security@soluto.com.
4 |
5 | This will allow us to assess the risk, and make a fix available before we add a bug report to the GitHub repository.
6 |
7 | Thanks for helping make Kamus safe for everyone.
8 |
9 |
--------------------------------------------------------------------------------
/tests/blackbox/compose/docker-compose.local.yaml:
--------------------------------------------------------------------------------
1 | version: '3'
2 | services:
3 | encryptor:
4 | build:
5 | context: ../../../.
6 | args:
7 | PROJECT_NAME: encrypt-api
8 | decryptor:
9 | build:
10 | context: ../../../.
11 | args:
12 | PROJECT_NAME: decrypt-api
13 |
--------------------------------------------------------------------------------
/site/layouts/partials/navbar.html:
--------------------------------------------------------------------------------
1 |
4 |
--------------------------------------------------------------------------------
/src/decrypt-api/Models/DecryptRequest.cs:
--------------------------------------------------------------------------------
1 | using Newtonsoft.Json;
2 |
3 | namespace Kamus.Models
4 | {
5 | public class DecryptRequest
6 | {
7 | [JsonProperty(PropertyName = "data", Required = Required.Always)]
8 | public string EncryptedData
9 | {
10 | get;
11 | set;
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/scripts/teardown_tests.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | set -e
4 |
5 | api_file="docker-compose.ci.yaml"
6 |
7 | if [[ -z $IMAGE_TAG ]];
8 | then
9 | api_file="docker-compose.local.yaml"
10 | fi
11 |
12 | docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml down
--------------------------------------------------------------------------------
/src/crd-controller/utils/LoggingExtensions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using Serilog;
3 |
4 | namespace CustomResourceDescriptorController.Extensions
5 | {
6 | public static class LoggingExtensions
7 | {
8 | public static ILogger AsAudit(this ILogger logger)
9 | {
10 | return logger.ForContext("log_type", "audit");
11 | }
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/src/crd-controller/metrics/Counters.cs:
--------------------------------------------------------------------------------
1 | using App.Metrics;
2 | using App.Metrics.Counter;
3 |
4 | namespace CustomResourceDescriptorController.metrics
5 | {
6 | public static class Counters
7 | {
8 | public static CounterOptions EventReceived = new CounterOptions
9 | {
10 | Name = "Event Received",
11 | MeasurementUnit = Unit.Calls,
12 | };
13 |
14 | }
15 | }
--------------------------------------------------------------------------------
/site/layouts/partials/footer.html:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/init-container/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM node:10-alpine
2 |
3 | RUN mkdir /home/node/app
4 | # Create app directory
5 | WORKDIR /home/node/app
6 |
7 | # Install app dependencies
8 | # A wildcard is used to ensure both package.json AND package-lock.json are copied
9 | # where available (npm@5+)
10 | COPY package*.json yarn.lock ./
11 |
12 | RUN yarn --prod
13 |
14 | # Bundle app source
15 | COPY . .
16 |
17 | USER node
18 |
19 | ENTRYPOINT [ "node", "index.js" ]
--------------------------------------------------------------------------------
/site/layouts/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | {{ partial "header.html" . }}
4 |
5 | {{ partial "sidebar.html" . }}
6 | {{ partial "navbar.html" . }}
7 |
8 |
{{ partial "fancymarkdown.html" .Content }}
9 | {{ partial "footer.html" . }}
10 |
{{ partial "navbar.html" . }}
7 |
8 |
{{ partial "fancymarkdown.html" .Content }}
9 | {{ partial "footer.html" . }}
10 |
{{ partial "navbar.html" . }}
7 |
8 |
{{ partial "fancymarkdown.html" .Content }}
9 | {{ partial "footer.html" . }}
10 |
{{ partial "navbar.html" . }}
7 |
8 |
{{ partial "fancymarkdown.html" .Content }}
9 | {{ partial "footer.html" . }}
10 |
22 |
23 | Let's take a deeper look of what's inside a pod:
24 | 
25 |
26 | We have multiple objects here:
27 |
28 | * We have the pods, which run (at least) 2 containers, the application container and the init container.
29 | * The config map, contains the encrypted secrets
30 | * An [emptyDir] (using memory medium) volume, shared between the containers.
31 | * The init container, read the encrypted secrets, decrypt them and write a configuration file to the shared volume.
32 | * The application container - this is where the user code is running.
33 | The application consume the configuration file with the decrypted secrets from the shared volume.
34 | * A [service account], used by the init container to authenticate to Kamus decryptor.
35 |
36 | ## Second flow - using KamusSecret
37 |
38 | High-level overview of encryption/decryption flow:
39 | 
40 |
41 | Kubernetes Icons created by [Kubernetes Community]
42 |
43 | [Kubernetes Community]: https://github.com/kubernetes/community
44 | [emptyDir]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
45 | [service account]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
46 |
--------------------------------------------------------------------------------
/site/content/docs/threatmodeling/threats/decryption/pod_impersonation.md:
--------------------------------------------------------------------------------
1 | # Impersonating pod to decrypt it's secrets
2 |
3 | Feature: Impersonating pod to decrypt it's secrets
4 | In order to decrypt pod's secrets
5 | As an attacker
6 | I want to impersonate this pod
7 |
8 | Scenario Outline: Impersonation via leaked token
9 | Given a service account token was compromised
10 | When the attacker use this token for authentication
11 | Then the attacker can decrypt this pod's secrets forever
12 |
13 | Examples: Data types
14 | | data-type |
15 | | password |
16 | | API key |
17 | | X.509 private key |
18 | | SSH private key |
19 |
20 | Scenario: Service accounts mount
21 | Given a permission to create a pod
22 | When the attacker launch a pod with anther pod's service account
23 | Then the attacker can use the token for authentication and decrypt the secrets
24 |
25 | Scenario: Impersonate Kubernetes API
26 | Given a compromised Kubernetes node
27 | And the attacker can spoof requests to Kubernetes API
28 | When Kamus use the API to review tokens
29 | Then the attacker can approve all requests
30 |
31 | ## Remarks
32 |
33 | * Controls:
34 | * [Deny request for default SA](/docs/threatmodeling/controls/decryption/deny_default_sa)
35 | * [Deny Kuberentes secrets view permissions](/docs/threatmodeling/controls/decryption/deny_secret_view)
36 | * [Use TLS when accessing Kuberentes API](/docs/threatmodeling/controls/decryption/k8s_api_tls)
37 | * [Use a policy to control pod's service account](/docs/threatmodeling/controls/decryption/opa_pods_secrets)
38 | * References:
39 | * https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
40 | * https://kubernetes.io/docs/concepts/configuration/secret#service-accounts-automatically-create-and-attach-secrets-with-api-credentials
41 | * https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#tokenreview-v1-authentication-k8s-io
42 |
43 | Back to [Threats and Controls](/docs/threatmodeling/threats_controls)
--------------------------------------------------------------------------------
/tests/crd-controller/deployment.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | name: crd-controller
5 | ---
6 | kind: ClusterRole
7 | apiVersion: rbac.authorization.k8s.io/v1
8 | metadata:
9 | namespace: default
10 | name: kamus-crd
11 | rules:
12 | - apiGroups: ["soluto.com"] # "" indicates the core API group
13 | resources: ["kamussecrets"]
14 | verbs: ["watch"]
15 | - apiGroups: [""] # "" indicates the core API group
16 | resources: ["secrets"]
17 | verbs: ["create", "delete", "patch"]
18 | ---
19 | kind: ClusterRoleBinding
20 | apiVersion: rbac.authorization.k8s.io/v1
21 | metadata:
22 | name: crd-controller
23 | subjects:
24 | - kind: ServiceAccount
25 | name: crd-controller
26 | namespace: default
27 | roleRef:
28 | kind: ClusterRole
29 | name: kamus-crd
30 | apiGroup: rbac.authorization.k8s.io
31 | ---
32 | apiVersion: v1
33 | kind: Service
34 | metadata:
35 | name: kamus-controller
36 | labels:
37 | app: kamus
38 | component: crd-controller
39 | heritage: Tiller
40 | spec:
41 | type: ClusterIP
42 | ports:
43 | - port: 443
44 | targetPort: 8888
45 | protocol: TCP
46 | name: http-kamus-controller
47 | selector:
48 | app: kamus
49 | component: crd-controller
50 | ---
51 | apiVersion: apps/v1
52 | kind: Deployment
53 | metadata:
54 | name: kamus-crd-controller
55 | labels:
56 | app: kamus
57 | component: crd-controller
58 | spec:
59 | replicas: 1
60 | selector:
61 | matchLabels:
62 | app: kamus
63 | component: crd-controller
64 | template:
65 | metadata:
66 | labels:
67 | app: kamus
68 | component: crd-controller
69 | spec:
70 | serviceAccountName: crd-controller
71 | containers:
72 | - name: controller
73 | image: crd-controller
74 | imagePullPolicy: IfNotPresent
75 | env:
76 | - name: Controller__ReconciliationIntervalInSeconds
77 | value: "10"
78 | livenessProbe:
79 | httpGet:
80 | path: /healthz
81 | port: 9999
82 | readinessProbe:
83 | httpGet:
84 | path: /healthz
85 | port: 9999
86 |
--------------------------------------------------------------------------------
/init-container/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Running the init container locally
2 |
3 | 1. Make sure you have a working Kubernetes cluster (run `kubectl get pods` to check).
4 | 2. Start by running the decryptor API - run the following in the decryptor folder (`src/decrypt-api`):
5 | ```
6 | dotnet run
7 | ```
8 | 3. Run the following command to get a valid service account token:
9 | ```
10 | kubectl get secret $(kubectl get sa default -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -D > token.txt
11 | ```
12 | 4. Set the following env var for the init container to work correctly:
13 | ```
14 | export set TOKEN_FILE_PATH=$(pwd)/token.txt
15 | export set KAMUS_URL=http://localhost:5000
16 | ```
17 | 5. Now you can run the init container:
18 | ```
19 | node index.js -e encrypted -d decrypted -n output.json
20 | ```
21 |
22 | The first argument (`-e`) point to the folder with the encrypted files, the second (`-d`) point to the folder that will contain the decrypted items and (`-n`) is the decrypted file name.
23 |
24 | And you should see a file name `output.json` created under `decrypted` folder with the decrypted content.
25 | Now you can run the init continer locally, debug it and add features.
26 |
27 | Having more questions? Something unclear? Reach out to us via [Slack](https://join.slack.com/t/k8s-kamus/shared_invite/enQtODA2MjI3MjAzMjA1LThlODkxNTg3ZGVmMjVkOTBhY2RmMmRjOWFiOGU2NzQ1ODU4ODNiMDJiZTE5ZTY4YmRiOTM3MjI0MDc0OGFkN2E) or [file an issue](https://github.com/Soluto/kamus/issues/new)
28 |
29 | ## Tests
30 | The tests are using [WireMock](http://wiremock.org/) to mock the decryptor api (you can find ore about it [here](https://www.omerlh.info/2019/02/06/wiremock-for-fun-and-mocking/)).
31 | Running the tests is simple:
32 | 1. Build the init container docker image:
33 | ```
34 | yarn run build
35 | ```
36 | 2. Set the environment variable so the tests will use the local image:
37 | ```
38 | export set INIT_CONTAINER_IMAGE=init-container
39 | ```
40 | 3. Run the tests
41 | ```
42 | yarn run test
43 | ```
44 |
45 | Repeat steps 1 & 3 each time you change the code.
46 |
47 | The tests simply take various parameters and compare the generated file from the init container with the expected files.
--------------------------------------------------------------------------------
/site/content/docs/user/quick-start.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Quick Start"
3 | menu:
4 | main:
5 | parent: "user"
6 | identifier: "quick-start"
7 | weight: 1
8 | ---
9 |
10 | # Quick Start
11 |
12 | The simple way to run Kamus is by using the Helm chart:
13 | ```
14 | helm repo add soluto https://charts.soluto.io
15 | helm upgrade --install kamus soluto/kamus
16 | ```
17 | Refer to the [installation guide](./install.md) to learn about production grade deployment.
18 | After installing Kamus, you can start using it to encrypt secrets.
19 | Kamus encrypt secrets for a specific application, represent by a [Kubernetes Service Account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account).
20 | Create a service account for your application, and mount it on the pods running your application.
21 | Now, when you know the name of the service account, and the namespace it exists in, install Kamus CLI:
22 | ```
23 | npm install -g @soluto-asurion/kamus-cli
24 | ```
25 | Use Kamus CLI to encrypt the secret:
26 | ```
27 | kamus-cli encrypt \\
28 | --secret super-secret \\
29 | --service-account kamus-example-sa \\
30 | --namespace default \\
31 | --kamus-url \\
32 | ```
33 |
34 | When Kamus URL is a url pointing to the encryptor pod of Kamus, exposed either via port forward (e.g. `kubectl port-forward svc/kamus-encryptor 9999:9999`) or via ingress.
35 | In case of non-https Kamus URL (e.g. `http://localhost:`), you'll have to add the `--allow-insecure-url` flag to enable http protocol.
36 |
37 | Pass the value returned by the CLI to your pod, and use Kamus Decrypt API to decrypt the value.
38 | The simplest way to achieve that is by using the init container.
39 | An alternative is to use Kamus decrypt API directly in the application code.
40 | To make it clearer, take a look on a working [example app](https://github.com/Soluto/kamus/tree/master/example).
41 | You can deploy this app to any Kubernetes cluster that has Kamus installed, to understand how it works.
42 |
43 | Have a question? Something is not clear? Reach out to us on [Kamus Slack](https://join.slack.com/t/k8s-kamus/shared_invite/enQtODA2MjI3MjAzMjA1LThlODkxNTg3ZGVmMjVkOTBhY2RmMmRjOWFiOGU2NzQ1ODU4ODNiMDJiZTE5ZTY4YmRiOTM3MjI0MDc0OGFkN2E)!
44 |
--------------------------------------------------------------------------------
/src/decrypt-api/Program.cs:
--------------------------------------------------------------------------------
1 | using App.Metrics.Formatters.Prometheus;
2 | using Microsoft.AspNetCore.Hosting;
3 | using Microsoft.Extensions.Configuration;
4 | using Microsoft.Extensions.Hosting;
5 | using Serilog;
6 |
7 | namespace Kamus
8 | {
9 | public class Program
10 | {
11 | public static void Main(string[] args)
12 | {
13 | BuildWebHost(args).Run();
14 | }
15 | public static IHost BuildWebHost(string[] args) =>
16 | Host.CreateDefaultBuilder(args)
17 | .UseSerilog()
18 | .ConfigureAppConfiguration((hostContext, config) =>
19 | {
20 | var env = hostContext.HostingEnvironment;
21 | string appsettingsPath = "appsettings.json";
22 |
23 | if (env.IsDevelopment())
24 | {
25 | appsettingsPath = "appsettings.Development.json";
26 | }
27 | config.SetBasePath(env.ContentRootPath);
28 | config.AddJsonFile(appsettingsPath, optional: true, reloadOnChange: true);
29 | config.AddJsonFile("secrets/appsettings.secrets.json", optional: true);
30 | config.AddEnvironmentVariables();
31 | })
32 | .UseMetricsEndpoints(options => {
33 | options.MetricsEndpointOutputFormatter = new MetricsPrometheusTextOutputFormatter();
34 | options.MetricsTextEndpointEnabled = false;
35 | options.EnvironmentInfoEndpointEnabled = false;
36 | })
37 | .ConfigureWebHostDefaults(webBuilder =>
38 | {
39 | webBuilder.UseStartup();
40 | })
41 | .Build();
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/tests/crd-controller/tls-KamusSecretV1Alpha2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: "soluto.com/v1alpha2"
2 | kind: KamusSecret
3 | metadata:
4 | annotations:
5 | key: value
6 | labels:
7 | key: value
8 | name: my-tls-secret
9 | type: TlsSecret
10 | stringData:
11 | key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg==
12 | data:
13 | key3: 5SRnC8HJ6gJEOCpgby3ZSQ==:LUfzADu23z1l9CWFXzR71/Ua74IxI12Ehn18d5hnqA+C40D6o1qfaaOLuPzwPYILwsViZvg7FymTB9c/1vLlwnqQJfRXNNKg07cTD5tGoufKrQrgMpOHcEKsq/k3jwQ5MSyU99npBmPFkCZ93uE1b6llSbBkzp80cBQB+Peb7WtyfG4WoOn15hy7Eb71tcdNcRLd1r5pWaPWEIlMnVB8TERCfCpTUakXmuM5mvq5PTOp/OfRGpbqG3VRf/iDHSpSOqiNKhq6eiOWvG+WTCVqjpMv4iQiMlTCcJT31ayUHxafx1bg8EX5SuMVc0sHT7wwX4BBMDUCQ8i7qXHNS5gGAl6LXHC2fhfsK/PAJVDZ18PS/ISDuzAs/iV3zffqqLCZxy5qFDyBq5hdjE2deLhH40pL1G9i7fto40ikftdqKLFaa7pxc0A88bvQihkDuPj9gtAmXt7k+hnUXlPdP5VuoKGhfJUMaEDIwTxUekzcCPDPas9XrmLWyN27BFs6Z+s/kDL+8ZGHP4yyeJyxZV0Gxf0k7RY65GyFzkvcZElq8aI8sSSc9D4Li5OilpXb0M5/s+oZj0QCwwFR2+rNTc4vm1l5s2vRmNMHZ/mQEy1qSJbEvA65U6axYoRcjQIEnvth+sZHy1E3CNBW7LRvUMf2KCy6qX+rjV/i6krAVyohAOLCfWtS+Wi3ulkefoFbKLNVLVaDVP15s4c+dqsDAzscl3HtQHRlhkOlr9hAEsX7qQlRue2S8apDp4SN8umpaTFgZy7u03yTWE64fGYyubKYRYo38D0wTOI7Z9+47m/z52rk6214A3mxoTY8Mm4bmCyxcPwGMnKXdx8x9FN56mpdFifcQLx1HffkGM/F5Hj6/xUUaquHWnWnh3keQjm1gdE0eE5YLB/EZggczj5HiahTgd3IZ/oUd8a2bGo+VToTRimOczz8je4WN3+4px2KXRs+qgaTUTUZ/m1AT90PewOKVhHfWEZKmU9063xqBjtytMyFQxZkFvQqwZNmDYmkWMrqdkC2u5/yjm1Dc1OUEy6ImnxuStCB4j+8B7gXPBg+x/nSbY8vjhbnyhmXQ37m54rFN3Jqgr0XMg5c9h2eMs2oMw/1nGFxZqzxa9VdjsG4sPcfEAECmjgnqaKVY/d7tUoXEKYQWVcoetL5zQxo4Vg9BTFaIO+npwW0Dmc5ED0ShqfKVdUkN+jx5sm16Ik6SR+xvpgh8g4YmA5GmlhLUZuSPn7jTLYmt+1e9ZpvQnNRrSW9hzmpW5FCA2i7hr83x9NmW2S7iPQ979to+i1Ak8f8B1s95bJcgkzEv9kHyd+a6kroM2AXXq0Ra2xXSNYryAS+TESYs7VPzsXeGXzmcRYIwEPqA8Kh3/8b6oNdNzY1+PHavk9Op6jTWnlsGOnRMi1WzC4nFDa9V5lvEFtBT4c1dhNnUVuecBy7yeo2LopYsY6+7rKlWFHCSfC4srZtv7CIRIO6zNAao+Cl6g9O5d+1Yu4/fI9XJMMMqJZZBUl7TGwgGTZhoWol9H5ppgShrV6nYbq2Ekyw2y0I8f96NGRrzeX9AiApoCM/qfC42NP3zEvewdgtzPlo8O0izf76R8ggc/c1rcaQwnMB1FHfPIYup10oVTJvoH2mHSVRCrCuKRQqqB/uCVIglgDjA/jnK68+yoUBD+pwOy3xiyVkQBTmxpnGURMzqXxTypP2YOXHFISnuyTElr7JRNoaK7Oep2hhiXO+jlKEXHe3jeWOKlOW8gpPKKd2rxBrrX+IeaJx7EWKdxkCbackd7cpaeRLVQV8WCUIb91HeMUqz1DEALky+lsfXOr5VwaiikRcJzrlwJkIarNSoM2644Qf5Gyo87z3kmnHyHTqKerC5VrRSgEcH2Z3Ag4Skdf5qMnYC3jm90jp2hhZzq4pMcgGhambiUb1
14 | serviceAccount: some-sa
--------------------------------------------------------------------------------
/tests/crd-controller/tls-KamusSecretV1Alpha2-with-annotations.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: "soluto.com/v1alpha2"
2 | kind: KamusSecret
3 | metadata:
4 | annotations:
5 | key: value
6 | labels:
7 | key: value
8 | name: my-tls-secret
9 | type: TlsSecret
10 | stringData:
11 | key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg==
12 | data:
13 | key3: 5SRnC8HJ6gJEOCpgby3ZSQ==:LUfzADu23z1l9CWFXzR71/Ua74IxI12Ehn18d5hnqA+C40D6o1qfaaOLuPzwPYILwsViZvg7FymTB9c/1vLlwnqQJfRXNNKg07cTD5tGoufKrQrgMpOHcEKsq/k3jwQ5MSyU99npBmPFkCZ93uE1b6llSbBkzp80cBQB+Peb7WtyfG4WoOn15hy7Eb71tcdNcRLd1r5pWaPWEIlMnVB8TERCfCpTUakXmuM5mvq5PTOp/OfRGpbqG3VRf/iDHSpSOqiNKhq6eiOWvG+WTCVqjpMv4iQiMlTCcJT31ayUHxafx1bg8EX5SuMVc0sHT7wwX4BBMDUCQ8i7qXHNS5gGAl6LXHC2fhfsK/PAJVDZ18PS/ISDuzAs/iV3zffqqLCZxy5qFDyBq5hdjE2deLhH40pL1G9i7fto40ikftdqKLFaa7pxc0A88bvQihkDuPj9gtAmXt7k+hnUXlPdP5VuoKGhfJUMaEDIwTxUekzcCPDPas9XrmLWyN27BFs6Z+s/kDL+8ZGHP4yyeJyxZV0Gxf0k7RY65GyFzkvcZElq8aI8sSSc9D4Li5OilpXb0M5/s+oZj0QCwwFR2+rNTc4vm1l5s2vRmNMHZ/mQEy1qSJbEvA65U6axYoRcjQIEnvth+sZHy1E3CNBW7LRvUMf2KCy6qX+rjV/i6krAVyohAOLCfWtS+Wi3ulkefoFbKLNVLVaDVP15s4c+dqsDAzscl3HtQHRlhkOlr9hAEsX7qQlRue2S8apDp4SN8umpaTFgZy7u03yTWE64fGYyubKYRYo38D0wTOI7Z9+47m/z52rk6214A3mxoTY8Mm4bmCyxcPwGMnKXdx8x9FN56mpdFifcQLx1HffkGM/F5Hj6/xUUaquHWnWnh3keQjm1gdE0eE5YLB/EZggczj5HiahTgd3IZ/oUd8a2bGo+VToTRimOczz8je4WN3+4px2KXRs+qgaTUTUZ/m1AT90PewOKVhHfWEZKmU9063xqBjtytMyFQxZkFvQqwZNmDYmkWMrqdkC2u5/yjm1Dc1OUEy6ImnxuStCB4j+8B7gXPBg+x/nSbY8vjhbnyhmXQ37m54rFN3Jqgr0XMg5c9h2eMs2oMw/1nGFxZqzxa9VdjsG4sPcfEAECmjgnqaKVY/d7tUoXEKYQWVcoetL5zQxo4Vg9BTFaIO+npwW0Dmc5ED0ShqfKVdUkN+jx5sm16Ik6SR+xvpgh8g4YmA5GmlhLUZuSPn7jTLYmt+1e9ZpvQnNRrSW9hzmpW5FCA2i7hr83x9NmW2S7iPQ979to+i1Ak8f8B1s95bJcgkzEv9kHyd+a6kroM2AXXq0Ra2xXSNYryAS+TESYs7VPzsXeGXzmcRYIwEPqA8Kh3/8b6oNdNzY1+PHavk9Op6jTWnlsGOnRMi1WzC4nFDa9V5lvEFtBT4c1dhNnUVuecBy7yeo2LopYsY6+7rKlWFHCSfC4srZtv7CIRIO6zNAao+Cl6g9O5d+1Yu4/fI9XJMMMqJZZBUl7TGwgGTZhoWol9H5ppgShrV6nYbq2Ekyw2y0I8f96NGRrzeX9AiApoCM/qfC42NP3zEvewdgtzPlo8O0izf76R8ggc/c1rcaQwnMB1FHfPIYup10oVTJvoH2mHSVRCrCuKRQqqB/uCVIglgDjA/jnK68+yoUBD+pwOy3xiyVkQBTmxpnGURMzqXxTypP2YOXHFISnuyTElr7JRNoaK7Oep2hhiXO+jlKEXHe3jeWOKlOW8gpPKKd2rxBrrX+IeaJx7EWKdxkCbackd7cpaeRLVQV8WCUIb91HeMUqz1DEALky+lsfXOr5VwaiikRcJzrlwJkIarNSoM2644Qf5Gyo87z3kmnHyHTqKerC5VrRSgEcH2Z3Ag4Skdf5qMnYC3jm90jp2hhZzq4pMcgGhambiUb1
14 | serviceAccount: some-sa
15 | propagateAnnotations: true
--------------------------------------------------------------------------------
/src/key-managment/SymmetricKeyManagement.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Threading.Tasks;
4 | using Org.BouncyCastle.Crypto.Digests;
5 | using Org.BouncyCastle.Crypto.Generators;
6 | using Org.BouncyCastle.Crypto.Parameters;
7 |
8 | namespace Kamus.KeyManagement
9 | {
10 | public class SymmetricKeyManagement : IKeyManagement
11 | {
12 | private readonly byte[] mKey;
13 | private readonly bool mUseKeyDerivation;
14 | private const int derivedKeySize = 32;
15 |
16 | public SymmetricKeyManagement(byte[] key, bool useKeyDerivation)
17 | {
18 | mKey = key;
19 | mUseKeyDerivation = useKeyDerivation;
20 | }
21 |
22 | public Task Decrypt(string encryptedData, string serviceAccountId)
23 | {
24 | var splitted = encryptedData.Split(':');
25 | if (splitted.Length != 2) {
26 | throw new InvalidOperationException("Encrypted data format is invalid");
27 | }
28 |
29 | var iv = Convert.FromBase64String(splitted[0]);
30 | var data = Convert.FromBase64String(splitted[1]);
31 |
32 | var key = mUseKeyDerivation ? DeriveKey(serviceAccountId) : mKey;
33 |
34 | var result = RijndaelUtils.Decrypt(key, iv, data);
35 |
36 | return Task.FromResult(Encoding.UTF8.GetString(result));
37 | }
38 |
39 | public Task Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
40 | {
41 | var key = mUseKeyDerivation ? DeriveKey(serviceAccountId) : mKey;
42 |
43 | var (decryptedData, iv) = RijndaelUtils.Encrypt(key, Encoding.UTF8.GetBytes(data));
44 |
45 | return Task.FromResult(Convert.ToBase64String(iv) + ":" + Convert.ToBase64String(decryptedData));
46 | }
47 |
48 | private byte[] DeriveKey(string serviceAccountId)
49 | {
50 | var generator = new HkdfBytesGenerator(new Sha256Digest());
51 |
52 | generator.Init(HkdfParameters.SkipExtractParameters(mKey, Encoding.UTF8.GetBytes(serviceAccountId)));
53 |
54 | var derivedKey = new byte[derivedKeySize];
55 |
56 | generator.GenerateBytes(derivedKey, 0, derivedKeySize);
57 |
58 | return derivedKey;
59 | }
60 | }
61 | }
--------------------------------------------------------------------------------
/site/assets/js/inline.js:
--------------------------------------------------------------------------------
1 | /* used when sidebar is manually toggled */
2 | function toggleSidebar() {
3 | if (document.body.classList.contains('sidebar-collapsed')) {
4 | window.localStorage.setItem('sidebar-collapsed', 'false');
5 | showSideBar();
6 | } else {
7 | window.localStorage.setItem('sidebar-collapsed', 'true');
8 | hideSideBar();
9 | }
10 | }
11 |
12 | function showSideBar() {
13 | document.body.classList.remove('sidebar-collapsed');
14 | }
15 |
16 | function hideSideBar() {
17 | document.body.classList.add('sidebar-collapsed');
18 | }
19 |
20 | /* get the page width */
21 | function getWidth() {
22 | return Math.max(
23 | document.body.scrollWidth,
24 | document.documentElement.scrollWidth,
25 | document.body.offsetWidth,
26 | document.documentElement.offsetWidth,
27 | document.documentElement.clientWidth
28 | );
29 | }
30 |
31 | var oldWidth;
32 | document.addEventListener("DOMContentLoaded", function () {
33 | // note: the default state of the page on load is collapsed
34 | var manualCollapsed = window.localStorage.getItem('sidebar-collapsed');
35 | var width = getWidth();
36 | // if we're now under 900px don't unhide it
37 | // otherwise only unhide if the user has not yet manually toggled it
38 | // or has toggled it back to visible
39 | if (width > 900 && (manualCollapsed == 'false' || manualCollapsed == null)) {
40 | showSideBar();
41 | }
42 | // setup listener for width change
43 | oldWidth = width;
44 | window.addEventListener("resize", function () {
45 | // bail out early if it wasn't the width that changed
46 | var width = getWidth();
47 | if (oldWidth == width) {
48 | oldWidth = width;
49 | return;
50 | }
51 | oldWidth = width;
52 | // if we're now under 900px, hide it
53 | if (width <= 900) {
54 | hideSideBar();
55 | } else {
56 | // otherwise only unhide if the user has not yet manually toggled it
57 | // or has toggled it back to visible
58 | var manualCollapsed = window.localStorage.getItem('sidebar-collapsed');
59 | if (manualCollapsed == 'false' || manualCollapsed == null) {
60 | showSideBar();
61 | }
62 | }
63 | });
64 | });
65 |
--------------------------------------------------------------------------------
/src/key-managment/EnvelopeEncryptionDecorator.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Text.RegularExpressions;
4 | using System.Threading.Tasks;
5 | using Serilog;
6 |
7 | namespace Kamus.KeyManagement
8 | {
9 | public class EnvelopeEncryptionDecorator : IKeyManagement
10 | {
11 | private readonly IKeyManagement mMasterKeyManagement;
12 | private readonly int mMaximumDataLength;
13 | private readonly ILogger mLogger = Log.ForContext();
14 |
15 | public EnvelopeEncryptionDecorator(IKeyManagement masterKeyManagement, int maximumDataLength)
16 | {
17 | mMasterKeyManagement = masterKeyManagement;
18 | mMaximumDataLength = maximumDataLength;
19 | }
20 |
21 | public async Task Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
22 | {
23 | if (data.Length <= mMaximumDataLength)
24 | {
25 | return await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing);
26 | }
27 |
28 | mLogger.Information("Encryption data too length, using envelope encryption");
29 |
30 | var dataKey = RijndaelUtils.GenerateKey(256);
31 | var (encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
32 | var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);
33 | return EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData);
34 |
35 | }
36 |
37 | public Task Decrypt(string encryptedData, string serviceAccountId)
38 | {
39 | return EnvelopeEncryptionUtils.Unwrap(encryptedData).Match(
40 | some: async t =>
41 | {
42 | (string encryptedDataKey, byte[] iv, byte[] actualEncryptedData) = t;
43 |
44 | var key = await mMasterKeyManagement.Decrypt(encryptedDataKey, serviceAccountId);
45 |
46 | var decrypted = RijndaelUtils.Decrypt(Convert.FromBase64String(key), iv, actualEncryptedData);
47 | return Encoding.UTF8.GetString(decrypted);
48 | },
49 | none: () => mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId)
50 | );
51 | }
52 | }
53 | }
54 |
--------------------------------------------------------------------------------
/cli/lib/index.js:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env node
2 |
3 | const pjson = require('../package.json');
4 | const prog = require('caporal');
5 | const encrypt = require('./actions/encrypt');
6 | const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
7 |
8 | const { ColorfulChalkLogger, INFO } = require('colorful-chalk-logger');
9 |
10 | const isVerboseLogging = (args) => args.indexOf('--verbose') > -1 || args.indexOf('-v') > -1;
11 |
12 | const logger = new ColorfulChalkLogger('kamus-cli', {
13 | level: INFO,
14 | date: false,
15 | colorful: true,
16 | }, isVerboseLogging(process.argv) ? process.argv.concat(['--log-level', 'debug']) : process.argv); // translate to ColorfulChalkLogger log level
17 |
18 | process.argv = process.argv.filter(x => x != '--verbose' && x != '-v' ); // ColorfulChalkLogger got the verbose, don't pass it to caporal
19 |
20 | prog
21 | .logger(logger)
22 | .version(pjson.version)
23 | .command('encrypt', 'Encrypt data')
24 | .action(encrypt)
25 | .option('-s, --secret ','Secret to encrypt', prog.STRING)
26 | .option('-f, --secret-file ','File with secret to encrypt', prog.STRING)
27 | .option('-a, --service-account ', 'Deployment service account', prog.REQUIRED)
28 | .option('-n, --namespace ', 'Deployment namespace', prog.REQUIRED)
29 | .option('-u, --kamus-url ', 'Kamus URL', prog.REQUIRED)
30 | .option('--auth-tenant ', 'Azure tenant id', regexGuid)
31 | .option('--auth-application ', 'Azure application id', regexGuid)
32 | .option('--auth-resource ', 'Azure resource name', prog.STRING)
33 | .option('--allow-insecure-url', 'Allow insecure (http) Kamus URL', prog.BOOL)
34 | .option('--cert-fingerprint ', 'Force server certificate to match the given fingerprint', prog.STRING)
35 | .option('--secret-file-encoding ', 'Encoding of secret file', prog.STRING)
36 | .option('-o, --output ', 'Output to file', prog.STRING)
37 | .option('-O, --overwrite', 'Overwrites file if it already exists', prog.BOOL)
38 | .option('--log-flag ', 'log format', prog.STRING)
39 | .option('--log-output ', 'output log to file', prog.STRING)
40 | .option('--log-encoding ', 'log file encoding')
41 | .option('-i, --ignore-new-line', 'ignore new line in provided file', prog.BOOL);
42 |
43 |
44 | prog.parse(process.argv);
--------------------------------------------------------------------------------
/example/README.md:
--------------------------------------------------------------------------------
1 | # Kamus Example
2 | A small example app, showing the power of Kamus.
3 | Before running this demo, make sure Kamus is up and running under the namespace default, and the CLI is installed.
4 | The example show 2 deployments of the same application:
5 | * Using regular secrets (`deployment-secret`)
6 | * Using Kamus init container (`deployment-kamus`)
7 |
8 | We included both options to make it easier to understand how Kamus make it easier to consume secrets.
9 |
10 | ## Running the demo
11 | Before running the demo, make sure to install Kamus on the cluster under the namespace default.
12 | If Kamus is not installed, use the following command:
13 | ```
14 | helm repo add soluto https://charts.soluto.io
15 | helm upgrade --install soluto/kamus
16 | ```
17 |
18 | Start by encrypting a secret using the CLI:
19 | ```bash
20 | kamus-cli encrypt \
21 | --secret super-secret \
22 | --service-account kamus-example-sa \
23 | --namespace default \
24 | --kamus-url
25 | ```
26 | You might have to pass aditional arguments, based on your installation.
27 |
28 | After encrypting the secret, open `deployment-kamus\configmap.yaml`.
29 | Modify the value of `key` to the encrypted value returned from the CLI.
30 |
31 | Now, run
32 | ```
33 | kubectl apply -f deployment-kamus/
34 | ```
35 | To deploy the example app.
36 | Check deployment status using
37 | ```
38 | kubectl get pods
39 | ```
40 | Notice the `kamus-example` pods. Now run:
41 | ```
42 | kubectl port-forward deployment/kamus-example 8080:80
43 | ```
44 | Open [`http://localhost:8080`](http://localhost:8080) on your browser, you should see the encrypted secrets decrypted!
45 |
46 | In case you have issues running the demo, we made a [recorded version](https://www.youtube.com/watch?v=i_vdtubTrso&feature=youtu.be) of the demo.
47 |
48 | ## Kubernetes Secrets
49 | To complete the example, reffer to `deployment-secret`.
50 | This example shows the alternative to Kamus - using Kubernetes native secrets.
51 | Run the demo using
52 | ```
53 | kubectl apply -f deployment-kamus/
54 | ```
55 | Notice the `kamus-example` pods. Wait for the pod to be in `Completed` state, and check the logs using
56 | ```
57 | kubectl logs -l app=kamus-example
58 | ```
59 | You should see the following output
60 | ```
61 | {"key":"super-secret"}
62 | ```
63 | Editing the secrets:
64 | * Open `secret.yaml`
65 | * Decode the value under `config.json` using base64 decoder
66 | * Edit the JSON
67 | * Encode the JSON using base64 encoder, and put this value under `config.json`
68 |
--------------------------------------------------------------------------------
/src/encrypt-api/Controllers/EncryptController.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Threading.Tasks;
4 | using System.Linq;
5 | using Kamus.Models;
6 | using Microsoft.AspNetCore.Authorization;
7 | using Microsoft.AspNetCore.Mvc;
8 | using Microsoft.Rest;
9 | using Kamus.Extensions;
10 | using Kamus.KeyManagement;
11 | using Serilog;
12 | using System.Net.Http;
13 |
14 | namespace Kamus.Controllers
15 | {
16 |
17 | public class EncryptController : Controller
18 | {
19 | private readonly IKeyManagement mKeyManagement;
20 | private readonly ILogger mAuditLogger = Log.ForContext().AsAudit();
21 | private readonly ILogger mLogger = Log.ForContext();
22 |
23 | public EncryptController(IKeyManagement keyManagement)
24 | {
25 | mKeyManagement = keyManagement;
26 | }
27 |
28 | [HttpPost]
29 | [Route("api/v1/encrypt")]
30 | public async Task Encrypt([FromBody]EncryptRequest body)
31 | {
32 | if (!ModelState.IsValid)
33 | {
34 | mAuditLogger.Warning("Bad request to Encrypt API: {sourceIP} {validationState}",
35 | Request.HttpContext.Connection.RemoteIpAddress,
36 | ModelState.ValidationState);
37 | return BadRequest("One or more of the required fields doesn't present in the request body.");
38 | }
39 |
40 | mAuditLogger.Information("Encryption request started, SourceIP: {sourceIp}, ServiceAccount: {sa}, Namespace: {namespace}",
41 | Request.HttpContext.Connection.RemoteIpAddress,
42 | body.ServiceAccountName,
43 | body.NamespaceName);
44 |
45 | var encryptedData = await mKeyManagement.Encrypt(body.Data, $"{body.NamespaceName}:{body.ServiceAccountName}");
46 |
47 | if (body.ServiceAccountName == "default")
48 | {
49 | return BadRequest("You cannot encrypt a secret for the default service account");
50 | }
51 |
52 | mAuditLogger.Information("Encryption request succeeded, SourceIP: {sourceIp}, ServiceAccount: {serviceAccount}, Namesacpe: {namespace}",
53 | Request.HttpContext.Connection.RemoteIpAddress,
54 | body.ServiceAccountName,
55 | body.NamespaceName);
56 |
57 | return Content(encryptedData);
58 | }
59 | }
60 | }
61 |
--------------------------------------------------------------------------------
/site/content/docs/threatmodeling/threats_controls.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Threats and Controls"
3 | menu:
4 | main:
5 | parent: "Threat Modeling"
6 | identifier: "threat_controls"
7 | weight: 2
8 | ---
9 |
10 | # Threats and Controls
11 | This page document the output of Kamus threat model, by listing all the different threats and mitigations that we discussed.
12 |
13 | ## Threats
14 | ### Decryption
15 |
16 | * [Impersonating pod to decrypt it's secrets](/docs/threatmodeling/threats/decryption/pod_impersonation)
17 | * [Sniff requests and responses to Kamus](/docs/threatmodeling/threats/decryption/sniffing_tampering)
18 | * [Using KamusSecret to decrypt secrets](/docs/threatmodeling/threats/decryption/leveraging_crd)
19 |
20 | ### Encryption
21 | * [Kamus server disrupting](/docs/threatmodeling/threats/encryption/denial_of_service)
22 | * [Exposing names of namespaces and service accounts](/docs/threatmodeling/threats/encryption/namespace_enumeration)
23 | * [Sniffing user's traffic](/docs/threatmodeling/threats/encryption/sniffing_user_traffic)
24 |
25 | ### KMS
26 | * [Accessing KMS with leaked credentials](/docs/threatmodeling/threats/kms/leaked_credentials)
27 | * [Breaking encryption key](/docs/threatmodeling/threats/kms/quantom_computing)
28 |
29 | ## Controls
30 | ### Decryption
31 |
32 | * [Deny default service account](/docs/threatmodeling/controls/decryption/deny_default_sa)
33 | * [Deny Kuberentes secrets view permissions](/docs/threatmodeling/controls/decryption/deny_secret_view)
34 | * [Use TLS when accessing Kuberentes API](/docs/threatmodeling/controls/decryption/k8s_api_tls)
35 | * [Serve Kamus API over TLS](/docs/threatmodeling/controls/decryption/kamus_in_cluster_tls)
36 | * [Use a policy to control pod's service account](/docs/threatmodeling/controls/decryption/opa_pods_secrets)
37 |
38 | ### Encryption
39 |
40 | * [Block anonymous internet access to Kamus](/docs/threatmodeling/controls/encryption/block_internet_access)
41 | * [Certificate pinning](/docs/threatmodeling/controls/encryption/certificate_pinning)
42 | * [Client-side encryption](/docs/threatmodeling/controls/encryption/client_side_encryption)
43 | * [Deny request for default SA](/docs/threatmodeling/controls/encryption/deny_default_sa)
44 | * [Throttling requests by source IP](/docs/threatmodeling/controls/encryption/ip_throttling)
45 |
46 | ### Key Management System
47 | * [Enable firewall protection for KMS](/docs/threatmodeling/controls/kms/firewall_protection)
48 | * [Credentials Hardening](/docs/threatmodeling/controls/kms/hardening_credentials)
49 | * [Key names obfuscation](/docs/threatmodeling/controls/kms/obfuscate_key_names)
50 | * [Use KMS with HSM support](/docs/threatmodeling/controls/kms/use_hsm)
--------------------------------------------------------------------------------
/src/key-managment/RijndaelUtils.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Security.Cryptography;
4 |
5 | namespace Kamus.KeyManagement
6 | {
7 | public static class RijndaelUtils
8 | {
9 | public static byte[] GenerateKey(int keySize = 256)
10 | {
11 | using (var aes = new AesManaged())
12 | {
13 | aes.KeySize = 256;
14 | aes.GenerateKey();
15 | return aes.Key;
16 | }
17 | }
18 |
19 | public static (byte[] encryptedData, byte[] iv) Encrypt(byte[] key, byte[] data)
20 | {
21 | byte[] iv = GetRandomData(16);
22 | byte[] result;
23 | using (var rijndael = new RijndaelManaged())
24 | {
25 | using (var encryptor = rijndael.CreateEncryptor(key, iv))
26 | using (var resultStream = new MemoryStream())
27 | {
28 | using (var rijndaelStream = new CryptoStream(resultStream, encryptor, CryptoStreamMode.Write))
29 | using (var plainStream = new MemoryStream(data))
30 | {
31 | plainStream.CopyTo(rijndaelStream);
32 | }
33 |
34 | result = resultStream.ToArray();
35 | }
36 | }
37 |
38 | return (result, iv);
39 | }
40 |
41 | public static byte[] Decrypt(byte[] key, byte[] iv, byte[] encryptedData)
42 | {
43 | byte[] result;
44 | try
45 | {
46 | using (var rijndael = new RijndaelManaged())
47 | {
48 | using (var decryptor = rijndael.CreateDecryptor(key, iv))
49 | using (var resultStream = new MemoryStream())
50 | {
51 | using (var rijndaelStream = new CryptoStream(resultStream, decryptor, CryptoStreamMode.Write))
52 | using (var cipherStream = new MemoryStream(encryptedData))
53 | {
54 | cipherStream.CopyTo(rijndaelStream);
55 | }
56 |
57 | result = resultStream.ToArray();
58 | }
59 | }
60 | }catch(ArgumentException e)
61 | {
62 | throw new Exception($"on no {key.Length}", e);
63 | }
64 |
65 | return result;
66 |
67 | }
68 |
69 | private static byte[] GetRandomData(int size)
70 | {
71 | var provider = new RNGCryptoServiceProvider();
72 | var byteArray = new byte[size];
73 | provider.GetBytes(byteArray);
74 | return byteArray;
75 | }
76 | }
77 | }
78 |
--------------------------------------------------------------------------------
/src/encrypt-api/Startup.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Reflection;
3 | using App.Metrics;
4 | using Kamus.KeyManagement;
5 | using Microsoft.AspNetCore.Builder;
6 | using Microsoft.AspNetCore.Hosting;
7 | using Microsoft.AspNetCore.Http;
8 | using Microsoft.AspNetCore.Mvc;
9 | using Microsoft.Extensions.Configuration;
10 | using Microsoft.Extensions.DependencyInjection;
11 | using Microsoft.Extensions.Hosting;
12 | using Microsoft.OpenApi.Models;
13 | using Serilog;
14 |
15 | namespace Kamus
16 | {
17 | public class Startup {
18 |
19 | public Startup(IWebHostEnvironment env, IConfiguration configuration)
20 | {
21 | Configuration = configuration;
22 | var version = Assembly.GetExecutingAssembly().GetName().Version.ToString();
23 | Console.WriteLine($"Kamus Encryptor API {version} starting");
24 | }
25 |
26 |
27 | public IConfiguration Configuration;
28 |
29 | // This method gets called by the runtime. Use this method to add services to the container.
30 | public void ConfigureServices (IServiceCollection services) {
31 |
32 | services.AddControllers().AddNewtonsoftJson();
33 |
34 | services.AddSwaggerGen (swagger => {
35 | swagger.SwaggerDoc("v1", new OpenApiInfo { Title = "Kamus Encryptor API", Version = "v1" });
36 | });
37 |
38 | services.AddKeyManagement(Configuration, Log.Logger);
39 |
40 | services.AddSingleton(Configuration);
41 |
42 | services.AddSingleton();
43 | }
44 |
45 | // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
46 | public void Configure (IApplicationBuilder app, IWebHostEnvironment env)
47 | {
48 | app.UseMetricsAllMiddleware();
49 |
50 | if (env.IsDevelopment())
51 | {
52 | app.UseDeveloperExceptionPage();
53 | }
54 | else
55 | {
56 | app.UseExceptionMiddleware();
57 | }
58 |
59 | Log.Logger = new LoggerConfiguration ()
60 | .ReadFrom.Configuration (Configuration)
61 | .CreateLogger ();
62 |
63 |
64 | app.UseRouting();
65 | app.UseMetricsErrorTrackingMiddleware();
66 |
67 | app.UseSwagger();
68 |
69 | app.UseSwaggerUI(c => {
70 | c.SwaggerEndpoint("/swagger/v1/swagger.json", "Kamus Encryptor API");
71 | });
72 |
73 | app.UseEndpoints(endpoints =>
74 | {
75 | endpoints.MapControllers();
76 | });
77 |
78 | app.UseAuthentication();
79 | }
80 | }
81 | }
--------------------------------------------------------------------------------
/tests/integration/AwsKeyManagementTests.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text.RegularExpressions;
4 | using System.Threading.Tasks;
5 | using Amazon;
6 | using Amazon.KeyManagementService;
7 | using Amazon.KeyManagementService.Model;
8 | using Kamus.KeyManagement;
9 | using Microsoft.Extensions.Configuration;
10 | using Xunit;
11 |
12 | namespace integration
13 | {
14 | public class AwsKeyManagementTests
15 | {
16 | private readonly IKeyManagement mAwsKeyManagement;
17 | private readonly IConfiguration mConfiguration;
18 |
19 | public AwsKeyManagementTests()
20 | {
21 | mConfiguration = new ConfigurationBuilder()
22 | .AddJsonFile("settings.json")
23 | .AddEnvironmentVariables().Build();
24 |
25 | var awsKey = mConfiguration.GetValue("KeyManagement:AwsKms:Key");
26 | var awsSecret = mConfiguration.GetValue("KeyManagement:AwsKms:Secret");
27 |
28 | var kmsService = new AmazonKeyManagementServiceClient(awsKey, awsSecret, RegionEndpoint.USEast1);
29 |
30 | mAwsKeyManagement = new AwsKeyManagement(kmsService,"", true);
31 | }
32 |
33 | [Fact]
34 | public async Task TestFullFlow()
35 | {
36 | var sa = "sa:namespace";
37 | var data = "data";
38 | var encrypted = await mAwsKeyManagement.Encrypt(data, sa);
39 | var decrypted = await mAwsKeyManagement.Decrypt(encrypted, sa);
40 |
41 | Assert.Equal(data, decrypted);
42 | }
43 |
44 | [Fact]
45 | public async Task RegressionTest()
46 | {
47 | var sa = "sa:namespace";
48 | var data = "data";
49 | var encrypted = "env$AQIDAHizI6sed7zuuIsC3swHqi0UTTDv7X15xoyC5QG9deKqMwHEoOhAcGhmWHDZ0naCQQ6lAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMGK6qLAGscq77QeC7AgEQgDuxpshMWysHf2mXmCDlFCdOKjFiGIIJvYNdJIuZCOfYZGXokLN77e+OS/ecob+SnCRRYYPMwGGWNBilYg==$o3t8Q+fpxvM+BuDID3ssqw==:2sutg2A6bmpDctVXaqDl4A==";
50 | var decrypted = await mAwsKeyManagement.Decrypt(encrypted, sa);
51 |
52 | Assert.Equal(data, decrypted);
53 | }
54 |
55 | [Fact]
56 | public async Task DecryptWithDifferentSAFails()
57 | {
58 | var sa = "sa:namespace";
59 | var sa2 = "sa2:namespace";
60 | var data = "data";
61 | var encrypted = await mAwsKeyManagement.Encrypt(data, sa);
62 |
63 | // To make sure the key does exist
64 | await mAwsKeyManagement.Encrypt(data, sa2);
65 | // ===============================
66 | await Assert.ThrowsAsync(async () => await mAwsKeyManagement.Decrypt(encrypted, "SA2:namespace"));
67 | }
68 | }
69 |
70 | public class Configuration
71 | {
72 | }
73 | }
74 |
--------------------------------------------------------------------------------
/src/decrypt-api/KubernetesAuthentication/KubernetesAuthenticationHandler.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Security.Claims;
4 | using System.Text.Encodings.Web;
5 | using System.Threading.Tasks;
6 | using k8s;
7 | using k8s.Models;
8 | using Microsoft.AspNetCore.Authentication;
9 | using Microsoft.Extensions.Logging;
10 | using Microsoft.Extensions.Options;
11 |
12 | namespace Kamus.KubernetesAuthentication
13 | {
14 | public class KubernetesAuthenticationHandler : AuthenticationHandler
15 | {
16 | private readonly IKubernetes mKubernetes;
17 |
18 | public KubernetesAuthenticationHandler(
19 | IOptionsMonitor options,
20 | ILoggerFactory logger,
21 | UrlEncoder encoder,
22 | ISystemClock clock,
23 | IKubernetes kubernetes) : base(options, logger, encoder, clock)
24 | {
25 | mKubernetes = kubernetes;
26 | }
27 |
28 | protected override async Task HandleAuthenticateAsync()
29 | {
30 | string token = "";
31 | string authorization = Request.Headers["Authorization"];
32 |
33 | // If no authorization header found, nothing to process further
34 | if (string.IsNullOrEmpty(authorization))
35 | {
36 | return AuthenticateResult.NoResult();
37 | }
38 |
39 | if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
40 | {
41 | token = authorization.Substring("Bearer ".Length).Trim();
42 | }
43 |
44 | // If no token found, no further work possible
45 | if (string.IsNullOrEmpty(token))
46 | {
47 | return AuthenticateResult.NoResult();
48 | }
49 |
50 | var reviewResult = await mKubernetes.CreateTokenReviewAsync(new V1TokenReview
51 | {
52 | Spec = new V1TokenReviewSpec
53 | {
54 | Token = token
55 | }
56 | });
57 |
58 | if (!reviewResult.Status.Authenticated.HasValue || !reviewResult.Status.Authenticated.Value) {
59 | //todo: improve logging
60 | return AuthenticateResult.Fail(reviewResult.Status.Error);
61 | }
62 |
63 |
64 | var claims = new List {
65 | new Claim("sub", reviewResult.Status.User.Uid),
66 | new Claim("name", reviewResult.Status.User.Username),
67 | new Claim("Groups", string.Join(",", reviewResult.Status.User.Groups))
68 | };
69 |
70 |
71 | return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(new List { new ClaimsIdentity(claims, "kubernetes") }), "kubernetes"));
72 |
73 | }
74 | }
75 | }
76 |
--------------------------------------------------------------------------------
/site/content/docs/user/crd.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Creating Kubernetes Secrets"
3 | menu:
4 | main:
5 | parent: "user"
6 | identifier: "crd"
7 | weight: 3
8 | ---
9 |
10 | # Custom Resource Descriptor Support
11 | Kamus supports also creating native Kubernetes secrets from an object called KamusSecret.
12 | KamusSecret is very similar to Secret, with one small difference - all the items in it are encrypted.
13 | Using KamusSecret allows to use Kamus with applications that requires native Kubernetes secrets - for example, TLS secrets.
14 |
15 | ## Usage
16 | KamusSecret works very similary to regular secret encryption flow with Kamus.
17 | The encrypted data is represented in a format that is identical to regular [Kubernetes Secrets].
18 | Kamus will create an identical secret with the decrypted content.
19 |
20 | To encrypt the data, start by deciding to which namespace and which service account you're encrypting it.
21 | The service account does not have to exist or used by the pod consuming the secret.
22 | It just used for expressing who can consume this encrypted secret.
23 | Use the [CLI](https://github.com/Soluto/kamus/blob/master/cli/README.md) to encrypt the data:
24 | ```
25 | kamus-cli encrypt
26 | --secret super-secret \\
27 | --service-account kamus-example-sa \\
28 | --namespace default \\
29 | --kamus-url
30 | ```
31 | Now that you have the data encrypted, create a KamusSecret object, using the following manifest:
32 | ```
33 | apiVersion: "soluto.com/v1alpha2"
34 | kind: KamusSecret
35 | metadata:
36 | name: my-tls-secret //This will be the name of the secret
37 | namespace: default //The secret and KamusSecret live in this namespace
38 | type: TlsSecret //The type of the secret that will be created
39 | stringData: //Put here all the encrypted data, that will be stored (decrypted) on the secret data
40 | key: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg==
41 | data: //Put here base64 encoded data (usually, binary data like private keys in der format) encrypted (e.g. encrypt the value after base64 encoding it)
42 | key2: J9NYLzTC/O44DvlCEZ+LfQ==:Cc9O5zQzFOyxwTD5ZHseqg==
43 | serviceAccount: some-sa //The service account used for encrypting the data
44 | ```
45 | And finally, create the KamusSecret using:
46 | ```
47 | kubectl apply -f kamussecret.yaml
48 | ```
49 | And after a few seconds you'll see the new secret created:
50 | ```
51 | $ kubectl get secrets
52 | NAME TYPE DATA AGE
53 | default-token-m6whl kubernetes.io/service-account-token 3 1d
54 | my-tls-secret TlsSecret 1 5s
55 | ```
56 |
57 | ## Known limitation
58 | This is the alpha release of this feature, so not all functionality is supported.
59 | The current known issues:
60 |
61 | * There is no validation - so if you forgot to add mandatory keys to the KamusSecret objects, it will not be created properly.
62 |
63 | [kubernetes secrets]: (https://kubernetes.io/docs/concepts/configuration/secret/)
64 |
--------------------------------------------------------------------------------
/tests/crd-controller/run-tests.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | set -o errexit
4 | set -o nounset
5 | set -o pipefail
6 |
7 | readonly KIND_VERSION=0.10.0
8 | readonly CLUSTER_NAME=e2e-test
9 |
10 | if [ "$(uname)" == "Darwin" ]; then
11 | machine=darwin
12 | else
13 | machine=linux
14 | fi
15 |
16 | backup_current_kubeconfig() {
17 | mv "$HOME/.kube/config" "$HOME/.kube/config.bkp" || echo "No original kubeconfig to backup was found."
18 | }
19 |
20 | run_e2e_container() {
21 | echo 'Running e2e container...'
22 | docker run --rm --interactive --detach --network host --name e2e \
23 | --volume "$(pwd):/workdir" \
24 | --workdir /workdir/tests/crd-controller \
25 | "mcr.microsoft.com/dotnet/core/sdk:3.0" \
26 | cat
27 | echo
28 | }
29 |
30 | cleanup() {
31 | echo 'Removing e2e container...'
32 | docker kill e2e > /dev/null 2>&1
33 | echo 'Removing kind e2e-test cluster'
34 | ./kind delete clusters e2e-test
35 | echo 'Restoring kubeconfig'
36 | mv "$HOME/.kube/config.bkp" "$HOME/.kube/config" || echo "No original kubeconfig to backup was found."
37 | echo 'Removing kubectl and kind binaries'
38 | rm kubectl
39 | rm kind
40 | echo 'Done!'
41 | }
42 |
43 | docker_exec() {
44 | docker exec --interactive e2e "$@"
45 | }
46 |
47 | create_kind_cluster() {
48 | K8S_VERSION=$1
49 | echo 'Installing kind...'
50 | echo 'kubernetes version' "$K8S_VERSION"
51 |
52 | curl -sfSLo kind "https://github.com/kubernetes-sigs/kind/releases/download/v$KIND_VERSION/kind-$machine-amd64"
53 | chmod +x kind
54 |
55 | curl -sfSLO https://storage.googleapis.com/kubernetes-release/release/"$K8S_VERSION"/bin/linux/amd64/kubectl
56 | chmod +x kubectl
57 |
58 | docker cp kubectl e2e:/usr/local/bin/kubectl
59 |
60 | kind_config="kind-config.yaml"
61 |
62 | TMPDIR=$HOME ./kind create cluster --name "$CLUSTER_NAME" --config tests/crd-controller/$kind_config --image "kindest/node:$K8S_VERSION"
63 |
64 | ./kind load image-archive docker-cache-api/crd-controller.tar --name "$CLUSTER_NAME"
65 | docker_exec mkdir -p /root/.kube
66 |
67 | echo 'Copying kubeconfig to container...'
68 | kubeconfig_path="$HOME/.kube/config"
69 | if [ "$machine" == "darwin" ]; then
70 | kubectl config set-cluster kind-e2e-test --insecure-skip-tls-verify=true
71 | sed -i "" 's/127.0.0.1/host.docker.internal/g' "$kubeconfig_path"
72 | fi
73 |
74 | docker cp "$kubeconfig_path" e2e:/root/.kube/config
75 | echo -n 'Waiting for cluster to be ready...'
76 | until ! grep --quiet 'NotReady' <(docker_exec kubectl get nodes --no-headers); do
77 | printf '.'
78 | sleep 1
79 | done
80 |
81 | echo '✔︎'
82 | echo
83 |
84 | docker_exec kubectl get nodes
85 | echo
86 |
87 | echo 'Cluster ready!'
88 | echo
89 | }
90 |
91 | run_test() {
92 | docker_exec dotnet test
93 | echo
94 | }
95 |
96 | main() {
97 | backup_current_kubeconfig
98 | run_e2e_container
99 | trap cleanup EXIT
100 |
101 | create_kind_cluster "$1"
102 |
103 | run_test
104 | }
105 |
106 | main "$@"
--------------------------------------------------------------------------------
/src/decrypt-api/Controllers/MonitoringController.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using Microsoft.AspNetCore.Authorization;
5 | using System.Threading.Tasks;
6 | using Microsoft.AspNetCore.Mvc;
7 | using k8s;
8 | using k8s.Models;
9 | using Serilog;
10 | using Microsoft.Extensions.Caching.Memory;
11 |
12 | namespace Kamus.Controllers
13 | {
14 | public class MonitoringController
15 | {
16 | private readonly IKubernetes mKubernetes;
17 | private readonly ILogger mLogger = Log.ForContext();
18 | private static readonly MemoryCache _memoryCache = new MemoryCache(new MemoryCacheOptions());
19 |
20 | public MonitoringController(IKubernetes kubernetes)
21 | {
22 | mKubernetes = kubernetes;
23 | }
24 |
25 | [HttpGet]
26 | [Route("api/v1/isAlive")]
27 | public async Task IsAlive()
28 | {
29 | var isAliveCached = _memoryCache.Get("isAlive");
30 |
31 | if (isAliveCached is bool b && (bool)b)
32 | {
33 | return true;
34 | }
35 |
36 | if (!await CheckIsAlive())
37 | {
38 | return false;
39 | }
40 |
41 | _memoryCache.Set("isAlive", true, DateTimeOffset.Now.AddMinutes(5));
42 |
43 | return true;
44 | }
45 |
46 | // Accodring to Kubernetes code: Not filling in spec.namespace means "in all namespaces".
47 | // https://github.com/kubernetes/kubernetes/blob/dc3edee5f5f732df7c6b50e073c35bd20912ac6a/pkg/apis/authorization/types.go#L28
48 | private async Task CheckIsAlive()
49 | {
50 | try
51 | {
52 | var result = await mKubernetes.CreateSelfSubjectAccessReviewAsync(new V1SelfSubjectAccessReview
53 | {
54 | Kind = "SelfSubjectAccessReview",
55 | ApiVersion = "authorization.k8s.io/v1",
56 | Spec = new V1SelfSubjectAccessReviewSpec
57 | {
58 | ResourceAttributes = new V1ResourceAttributes
59 | {
60 | Group = "authentication.k8s.io",
61 | Verb = "create",
62 | Resource = "tokenreviews"
63 | }
64 | }
65 | });
66 |
67 | if (!result.Status.Allowed)
68 | {
69 | mLogger.Warning("SelfSubjectAccessReview result is denied. Error: {error}, reason: {reason}", result.Status.EvaluationError, result.Status.Reason);
70 | }
71 |
72 | return result.Status.Allowed;
73 | }
74 | catch (Exception e)
75 | {
76 | mLogger.Warning(e, "SelfSubjectAccessReview check failed");
77 | return false;
78 | }
79 | }
80 |
81 | [HttpGet]
82 | [Route("")]
83 | public string Welcome()
84 | {
85 | return "welcome";
86 | }
87 | }
88 | }
--------------------------------------------------------------------------------
/tests/unit/KeyManagment/SymmetricKeyManagmentTests.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Security.Cryptography;
3 | using System.Threading.Tasks;
4 | using Kamus.KeyManagement;
5 | using Xunit;
6 |
7 | namespace unit.KeyManagement
8 | {
9 | public class SymmetricKeyManagementTests
10 | {
11 | private static readonly byte[] Key = Convert.FromBase64String("tWG4dk8ARsETnFL3jCf1xtMVe05imlx9vimER7iky2s =");
12 |
13 | [Fact]
14 | public async Task Get_ReturnsCorrectValues()
15 | {
16 | var kms = new SymmetricKeyManagement(Key, false);
17 | var expected = "hello";
18 | var encrypted = await kms.Encrypt(expected, "sa");
19 | var decrypted = await kms.Decrypt(encrypted, "sa");
20 |
21 | Assert.Equal(expected, decrypted);
22 | }
23 |
24 | [Fact]
25 | public async Task Get_ReturnsCorrectValuesWhenDeriviationEnabled()
26 | {
27 | var kms = new SymmetricKeyManagement(Key, true);
28 | var expected = "hello";
29 | var encrypted = await kms.Encrypt(expected, "sa");
30 | var decrypted = await kms.Decrypt(encrypted, "sa");
31 |
32 | Assert.Equal(expected, decrypted);
33 | }
34 |
35 | [Fact]
36 | public async Task Get_ReturnsCorrectValuesForDifferentServiceAccounts()
37 | {
38 | var kms = new SymmetricKeyManagement(Key, false);
39 | var expected = "hello";
40 | var encryptedSa1 = await kms.Encrypt(expected, "sa1");
41 | var encryptedSa2 = await kms.Encrypt(expected, "sa2");
42 | var decryptedSa1 = await kms.Decrypt(encryptedSa2, "sa1");
43 | var decryptedSa2 = await kms.Decrypt(encryptedSa1, "sa2");
44 |
45 | Assert.Equal(expected, decryptedSa1);
46 | Assert.Equal(expected, decryptedSa2);
47 | }
48 |
49 | [Fact]
50 | public async Task Get_ReturnsInvalidValuesForDifferentServiceAccountsWhenDeriviationEnabled()
51 | {
52 | var kms = new SymmetricKeyManagement(Key, true);
53 | var expected = "hello";
54 | var encryptedSa1 = await kms.Encrypt(expected, "sa1");
55 | var encryptedSa2 = await kms.Encrypt(expected, "sa2");
56 | await Assert.ThrowsAsync(async () => await kms.Decrypt(encryptedSa2, "sa1"));
57 | await Assert.ThrowsAsync(async () => await kms.Decrypt(encryptedSa1, "sa2"));
58 | }
59 |
60 | [Fact]
61 | public async Task RegressionTest()
62 | {
63 | var kms = new SymmetricKeyManagement(Key, false);
64 | var expected = "hello";
65 | var encrypted = "C4gChhspnTa5yVqYmSitrg==:tr0Ke6OGUaUa8KZgMJg14g==";
66 | var decrypted = await kms.Decrypt(encrypted, "sa");
67 |
68 | Assert.Equal(expected, decrypted);
69 | }
70 |
71 | [Fact]
72 | public async Task RegressionTestWithDeriviation()
73 | {
74 | var kms = new SymmetricKeyManagement(Key, true);
75 | var expected = "hello";
76 | var encrypted = "VnZkifeNdxI7NWMbjr/MZg==:qskLf4Z57DC9HBTe6+IEkA==";
77 | var decrypted = await kms.Decrypt(encrypted, "sa");
78 |
79 | Assert.Equal(expected, decrypted);
80 | }
81 |
82 | }
83 | }
84 |
--------------------------------------------------------------------------------
/tests/integration/GoogleCloudKeyManagementTests.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Threading.Tasks;
4 | using Google.Cloud.Kms.V1;
5 | using Grpc.Core;
6 | using Kamus.KeyManagement;
7 | using Microsoft.Extensions.Configuration;
8 | using Xunit;
9 |
10 | namespace integration
11 | {
12 | public class GoogleCloudKeyManagementTests
13 | {
14 | private readonly GoogleCloudKeyManagement mGoogleCloudKeyManagement;
15 | private readonly IConfiguration mConfiguration;
16 |
17 | public GoogleCloudKeyManagementTests()
18 | {
19 | mConfiguration = new ConfigurationBuilder()
20 | .AddJsonFile("settings.json")
21 | .AddEnvironmentVariables().Build();
22 |
23 | var stream = new MemoryStream();
24 | var writer = new StreamWriter(stream);
25 | File.WriteAllText("creds.json", System.Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS"));
26 | System.Environment.SetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", "creds.json");
27 | var location = mConfiguration.GetValue("KeyManagement:GoogleKms:Location");
28 | var keyRingName = mConfiguration.GetValue("KeyManagement:GoogleKms:KeyRingName");
29 | var protectionLevel = mConfiguration.GetValue("KeyManagement:GoogleKms:ProtectionLevel");
30 | var projectId = mConfiguration.GetValue("KeyManagement:GoogleKms:ProjectId");
31 |
32 | mGoogleCloudKeyManagement = new GoogleCloudKeyManagement(
33 | KeyManagementServiceClient.Create(),
34 | projectId,
35 | keyRingName,
36 | location,
37 | protectionLevel,
38 | "30");
39 | }
40 |
41 | [Fact]
42 | public async Task TestFullFlow()
43 | {
44 | var sa = "sa:namespace";
45 | var data = "The quick brown fox jumps over the lazy dog";
46 | var encrypted = await mGoogleCloudKeyManagement.Encrypt(data, sa);
47 | var decrypted = await mGoogleCloudKeyManagement.Decrypt(encrypted, sa);
48 |
49 | Assert.Equal(data, decrypted);
50 | }
51 |
52 | [Fact]
53 | public async Task RegresssionTests()
54 | {
55 | var sa = "sa:namespace";
56 | var data = "data";
57 | var encrypted = "CiQAk2+d4VDCX+mbfEUBV+2yvzWbWFuWe3qVI+0IQQ6tgH+xnmESMBIuCgyzGbLErJFqtftMuhUSDAq8ngWQqfd/eTFetBoQAZty6/68gUNAU++kCbx20Q==";
58 | var decrypted = await mGoogleCloudKeyManagement.Decrypt(encrypted, sa);
59 |
60 | Assert.Equal(data, decrypted);
61 |
62 | }
63 |
64 | [Fact]
65 | public async Task DecryptWithDifferentSAFails()
66 | {
67 | var sa = "sa:namespace";
68 | var sa2 = "sa2:namespace";
69 | var data = "data";
70 | var encrypted = await mGoogleCloudKeyManagement.Encrypt(data, sa);
71 |
72 | // To make sure the key does exist
73 | await mGoogleCloudKeyManagement.Encrypt(data, sa2);
74 | // ===============================
75 |
76 | await Assert.ThrowsAsync(async () => await mGoogleCloudKeyManagement.Decrypt(encrypted, "SA2:namespace"));
77 | }
78 | }
79 | }
80 |
--------------------------------------------------------------------------------
/cli/.snyk:
--------------------------------------------------------------------------------
1 | # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
2 | version: v1.14.1
3 | ignore: {}
4 | # patches apply the minimum changes required to fix a vulnerability
5 | patch:
6 | SNYK-JS-LODASH-450202:
7 | - adal-node > async > lodash:
8 | patched: '2019-07-04T03:58:07.989Z'
9 | - caporal > tabtab > inquirer > lodash:
10 | patched: '2019-07-04T03:58:07.989Z'
11 | - snyk > snyk-config > lodash:
12 | patched: '2019-07-04T06:26:56.428Z'
13 | - snyk > lodash:
14 | patched: '2019-07-04T06:26:56.428Z'
15 | - snyk > snyk-nodejs-lockfile-parser > lodash:
16 | patched: '2019-07-04T06:26:56.428Z'
17 | - snyk > snyk-mvn-plugin > lodash:
18 | patched: '2019-07-04T06:26:56.428Z'
19 | - snyk > @snyk/dep-graph > lodash:
20 | patched: '2019-07-04T06:26:56.428Z'
21 | - snyk > snyk-nuget-plugin > lodash:
22 | patched: '2019-07-04T06:26:56.428Z'
23 | - snyk > inquirer > lodash:
24 | patched: '2019-07-04T06:26:56.428Z'
25 | - snyk > snyk-nodejs-lockfile-parser > graphlib > lodash:
26 | patched: '2019-07-04T06:26:56.428Z'
27 | - snyk > snyk-go-plugin > graphlib > lodash:
28 | patched: '2019-07-04T06:26:56.428Z'
29 | - snyk > @snyk/dep-graph > graphlib > lodash:
30 | patched: '2019-07-04T06:26:56.428Z'
31 | - snyk > snyk-php-plugin > @snyk/composer-lockfile-parser > lodash:
32 | patched: '2019-07-04T06:26:56.428Z'
33 | SNYK-JS-LODASH-567746:
34 | - caporal > lodash:
35 | patched: '2020-05-01T06:59:12.326Z'
36 | - snyk > lodash:
37 | patched: '2020-05-01T06:59:12.326Z'
38 | - adal-node > async > lodash:
39 | patched: '2020-05-01T06:59:12.326Z'
40 | - snyk > @snyk/dep-graph > lodash:
41 | patched: '2020-05-01T06:59:12.326Z'
42 | - snyk > inquirer > lodash:
43 | patched: '2020-05-01T06:59:12.326Z'
44 | - snyk > snyk-config > lodash:
45 | patched: '2020-05-01T06:59:12.326Z'
46 | - snyk > snyk-mvn-plugin > lodash:
47 | patched: '2020-05-01T06:59:12.326Z'
48 | - snyk > snyk-nodejs-lockfile-parser > lodash:
49 | patched: '2020-05-01T06:59:12.326Z'
50 | - snyk > snyk-nuget-plugin > lodash:
51 | patched: '2020-05-01T06:59:12.326Z'
52 | - caporal > tabtab > inquirer > lodash:
53 | patched: '2020-05-01T06:59:12.326Z'
54 | - snyk > @snyk/dep-graph > graphlib > lodash:
55 | patched: '2020-05-01T06:59:12.326Z'
56 | - snyk > snyk-go-plugin > graphlib > lodash:
57 | patched: '2020-05-01T06:59:12.326Z'
58 | - snyk > snyk-nodejs-lockfile-parser > graphlib > lodash:
59 | patched: '2020-05-01T06:59:12.326Z'
60 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/dep-graph > lodash:
61 | patched: '2020-05-01T06:59:12.326Z'
62 | - snyk > snyk-nuget-plugin > dotnet-deps-parser > lodash:
63 | patched: '2020-05-01T06:59:12.326Z'
64 | - snyk > snyk-php-plugin > @snyk/composer-lockfile-parser > lodash:
65 | patched: '2020-05-01T06:59:12.326Z'
66 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/dep-graph > graphlib > lodash:
67 | patched: '2020-05-01T06:59:12.326Z'
68 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/cocoapods-lockfile-parser > @snyk/ruby-semver > lodash:
69 | patched: '2020-05-01T06:59:12.326Z'
70 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/cocoapods-lockfile-parser > @snyk/dep-graph > graphlib > lodash:
71 | patched: '2020-05-01T06:59:12.326Z'
72 |
--------------------------------------------------------------------------------
/tests/integration/EnvelopeDecoratorIntegrationTests.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text.RegularExpressions;
4 | using System.Threading.Tasks;
5 | using Kamus.KeyManagement;
6 | using Microsoft.Azure.KeyVault;
7 | using Microsoft.Extensions.Configuration;
8 | using Xunit;
9 |
10 | namespace integration
11 | {
12 | public class EnvelopeDecoratorIntegrationTests
13 | {
14 | private IKeyManagement mDecorator;
15 | private readonly IConfiguration mConfiguration;
16 |
17 | public EnvelopeDecoratorIntegrationTests()
18 | {
19 | mConfiguration = new ConfigurationBuilder().AddJsonFile("settings.json").AddEnvironmentVariables().Build();
20 | InitializeKeyManagement();
21 | }
22 |
23 | private void InitializeKeyManagement()
24 | {
25 | var clientId = mConfiguration.GetValue("ActiveDirectory:ClientId");
26 | var clientSecret = mConfiguration.GetValue("ActiveDirectory:ClientSecret");
27 | var keyVaultClient = new KeyVaultClient(((authority, resource, scope) =>
28 | Utils.AuthenticationCallback(clientId, clientSecret, authority, resource, scope)));
29 | var keyVaultManagement = new AzureKeyVaultKeyManagement(keyVaultClient, mConfiguration);
30 | mDecorator = new EnvelopeEncryptionDecorator(keyVaultManagement, 15);
31 | }
32 |
33 | [Fact]
34 | public async Task DataIsLessThenMaximumConfiguration_NoEnvelope()
35 | {
36 | var encryptedData = await mDecorator.Encrypt("123", "a-service-account");
37 | Assert.DoesNotContain(encryptedData, "env$");
38 | }
39 |
40 | [Fact]
41 | public async Task DataIsLessThenMaximumConfiguration_DecryptsBackCorrectly()
42 | {
43 | var data = "123";
44 | var encryptedData = await mDecorator.Encrypt(data, "a-service-account");
45 |
46 | var decryptedString = await mDecorator.Decrypt(encryptedData, "a-service-account");
47 |
48 | Assert.Equal(data, decryptedString);
49 |
50 | }
51 |
52 | [Fact]
53 | public async Task DataIsMoreThenMaximumConfiguration_EnvelopeApplied_DecryptsBackCorrectly()
54 | {
55 | var randomString = new string('*', 16);
56 | var encryptedData = await mDecorator.Encrypt(randomString, "a-service-account");
57 | Assert.Contains("env$", encryptedData);
58 |
59 | var decryptedString = await mDecorator.Decrypt(encryptedData, "a-service-account");
60 |
61 | Assert.Equal(randomString, decryptedString);
62 | }
63 |
64 | [Fact]
65 | public async Task RegressionTest()
66 | {
67 | var randomString = new string('*', 16);
68 | var encryptedData = "env$Ux2a2llsVdGY5/FsQ+G79A0WJfvjzddXS2jQk+hkY7zzJh6k29Kezkg12M6OorA0cYA7nXByBAOilNRbIWsE2+36ygCeqZg8PUMxBDPGOVE4ANYI+3abrl4aXmUSIy8uDrbISdl4RCVhwFNO2BCgecwioNv5mFGNzonELR1FcX1cLShezibWJehcptPExFM9Sey+GcXixPS2Fi6IivgTjzwFqHMze20wLlDFPkiFHN9CcUsHOt9ntxUFujtaMpZTJecTvXnhwknQOqQ3KNBBWyOgX65Svm45f4YEP5WZmdvF2mBSHTdkQ7AkfKZZV15p4dN1mzxs3raHTR2Qp366Sg==$nzx0kjzDxQ/d4rYfDUfBhw==:BSRpNCPL7R3uKFanSnjUw2E55xXcqIHvMRKWC1e+zVU=";
69 |
70 | var decryptedString = await mDecorator.Decrypt(encryptedData, "a-service-account");
71 |
72 | Assert.Equal(randomString, decryptedString);
73 | }
74 | }
75 | }
--------------------------------------------------------------------------------
/src/key-managment/AzureKeyVaultKeyManagement.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Security.Cryptography;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using Microsoft.AspNetCore.WebUtilities;
7 | using Microsoft.Azure.KeyVault;
8 | using Microsoft.Azure.KeyVault.Models;
9 | using Microsoft.Extensions.Configuration;
10 | using Serilog;
11 |
12 | namespace Kamus.KeyManagement
13 | {
14 | public class AzureKeyVaultKeyManagement : IKeyManagement
15 | {
16 | private readonly IKeyVaultClient mKeyVaultClient;
17 | private readonly string mKeyVaultName;
18 | private readonly string mKeyType;
19 | private readonly short mKeyLength;
20 | private readonly ILogger mLogger = Log.ForContext();
21 |
22 | public AzureKeyVaultKeyManagement(IKeyVaultClient keyVaultClient,
23 | IConfiguration configuration)
24 | {
25 | mKeyVaultClient = keyVaultClient;
26 |
27 | mKeyVaultName = configuration["KeyManagement:KeyVault:Name"];
28 | mKeyType = configuration["KeyManagement:KeyVault:KeyType"];
29 |
30 | if (!short.TryParse(configuration["KeyManagement:KeyVault:KeyLength"], out mKeyLength)){
31 | throw new Exception($"Expected key length int, got {configuration["KeyManagement:KeyVault:KeyLength"]}");
32 | }
33 | }
34 |
35 | public async Task Decrypt(string encryptedData, string serviceAccountId)
36 | {
37 | var hash = KeyIdCreator.Create(serviceAccountId);
38 |
39 | var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}";
40 | try
41 | {
42 | var encryptionResult =
43 | await mKeyVaultClient.DecryptAsync(keyId, "RSA-OAEP", Convert.FromBase64String(encryptedData));
44 |
45 | return Encoding.UTF8.GetString(encryptionResult.Result);
46 | }
47 | catch (KeyVaultErrorException e)
48 | {
49 | throw new DecryptionFailureException("KeyVault decryption failed", e);
50 | }
51 | catch (FormatException e)
52 | {
53 | throw new DecryptionFailureException("Invalid encrypted data format - probably an issue with the encrytion", e);
54 | }
55 | }
56 |
57 | public async Task Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
58 | {
59 | var hash = KeyIdCreator.Create(serviceAccountId);
60 |
61 | var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}";
62 |
63 | try
64 | {
65 | await mKeyVaultClient.GetKeyAsync(keyId);
66 | }
67 | catch (KeyVaultErrorException e) when (e.Response.StatusCode == HttpStatusCode.NotFound && createKeyIfMissing)
68 | {
69 | mLogger.Information(
70 | "KeyVault key was not found for service account id {serviceAccount}, creating new one.",
71 | serviceAccountId);
72 |
73 | await mKeyVaultClient.CreateKeyAsync($"https://{mKeyVaultName}.vault.azure.net", hash, mKeyType, mKeyLength);
74 | }
75 |
76 | var encryptionResult = await mKeyVaultClient.EncryptAsync(keyId, "RSA-OAEP", Encoding.UTF8.GetBytes(data));
77 |
78 | return Convert.ToBase64String(encryptionResult.Result);
79 | }
80 | }
81 | }
82 |
--------------------------------------------------------------------------------
/cli/README.md:
--------------------------------------------------------------------------------
1 | [](https://badge.fury.io/js/%40soluto-asurion%2Fkamus-cli)
2 | [](https://snyk.io/test/github/soluto/kamus) [](https://hub.docker.com/r/soluto/kamus-cli "Get your own image badge on microbadger.com")
3 |
4 | ## Kamus CLI
5 |
6 | This cli was created to provide an easy interface to interact with Kamus API.
7 |
8 | It supports azure device flow authentication out of the box.
9 |
10 | To install, use the following NPM command:
11 | ```
12 | npm install -g @soluto-asurion/kamus-cli
13 | ```
14 | Alternatively, you can use docker to run the CLI (for example, to run it inside the cluster when the encryptor is deployed without ingress):
15 | ```
16 | docker run -it --rm ghcr.io/soluto/kamus-cli encrypt
17 | ```
18 | Or, using kubectl:
19 | ```
20 | kubectl run -it --rm --restart=Never kamus-cli --image=soluto/kamus-cli -- encrypt
21 | ```
22 | ---
23 |
24 | #### Supported commands:
25 |
26 | ##### Encrypt
27 | `kamus-cli encrypt --secret --service-account --namespace --kamus-url `
28 |
29 | ---
30 | #### How to enable azure active directory authentication
31 | You need working active directory [tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) and designated [native app registration](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-register-an-app), Then just set all the `auth` prefixed options.
32 | Once the user will run the cli with the auth options, he will get a small code and and azure URL to login into.
33 |
34 | ---
35 | ##### CLI options:
36 |
37 | | Option | Required | Description | Default Value |
38 | | ------------------- | ------------ | ----------------------------------------------- | ------------- |
39 | | --auth-tenant | false | azure authentication tenant id | |
40 | | --auth-application | false | azure authentication application id | |
41 | | --auth-resource | false | azure authentication resource id | |
42 | | --cert-fingerprint | false | [certificate fingerprint](http://hassansin.github.io/certificate-pinning-in-nodejs) of encrypt api for validation | |
43 | | --kamus-url | true | url of kamus encrypt api | |
44 | | --allow-insecure-url | false | allow or block non https endpoints | false |
45 | | --log-level | false | specify global logger level |
46 | | --log-flag <\[no-\](date|inline|colorful)> | false | the prefix no- represent negation. date: whether to print date. default value is false. inline: each log record output in one line. default value is false. colorful: whether to print with colors. default value is true.
47 | | --log-output | false | specify the output path (default behavior is output directory to stdout).
48 | | --log-encoding | false | specify the log file's encoding.
49 | | --secret or --secret-file | true | the secret to encrypt, or the file containing it | |
--------------------------------------------------------------------------------
/src/crd-controller/HealthChecks/KubernetesPermissionsHelthCheck.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Linq;
3 | using System.Threading;
4 | using System.Threading.Tasks;
5 | using k8s;
6 | using k8s.Models;
7 | using Microsoft.Extensions.Caching.Memory;
8 | using Microsoft.Extensions.Diagnostics.HealthChecks;
9 | using Serilog;
10 |
11 | namespace CustomResourceDescriptorController.HealthChecks
12 | {
13 | public class KubernetesPermissionsHelthCheck : IHealthCheck
14 | {
15 | private readonly IKubernetes mKubernetes;
16 | private readonly ILogger mLogger = Log.ForContext();
17 | private static readonly MemoryCache _memoryCache = new MemoryCache(new MemoryCacheOptions());
18 |
19 | public KubernetesPermissionsHelthCheck(IKubernetes kubernetes)
20 | {
21 | mKubernetes = kubernetes;
22 | }
23 |
24 | public async Task CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default(CancellationToken))
25 | {
26 | var isAliveCached = _memoryCache.Get("isAlive");
27 |
28 | if (isAliveCached is bool b && (bool)b)
29 | {
30 | return HealthCheckResult.Healthy("Kubernetes permissions configured correctly");
31 | }
32 |
33 | if (!await CheckIsAlive())
34 | {
35 | return HealthCheckResult.Unhealthy("Kubernetes permissions misconfigured");
36 | }
37 |
38 | _memoryCache.Set("isAlive", true, DateTimeOffset.Now.AddMinutes(20));
39 |
40 | return HealthCheckResult.Healthy("Kubernetes permissions configured correctly");
41 | }
42 |
43 | private async Task CheckIsAlive()
44 | {
45 | var results = await Task.WhenAll(new[] {
46 | CheckPermissions("soluto.com", "kamussecrets", "watch"),
47 | CheckPermissions("", "secrets", "create"),
48 | CheckPermissions("", "secrets", "delete")
49 | });
50 |
51 | return results.All(r => r);
52 | }
53 |
54 | private async Task CheckPermissions(string group, string resource, string verb)
55 | {
56 | try
57 | {
58 | var result = await mKubernetes.CreateSelfSubjectAccessReviewAsync(new V1SelfSubjectAccessReview
59 | {
60 | Kind = "SelfSubjectAccessReview",
61 | ApiVersion = "authorization.k8s.io/v1",
62 | Spec = new V1SelfSubjectAccessReviewSpec
63 | {
64 | ResourceAttributes = new V1ResourceAttributes
65 | {
66 | Group = group,
67 | Verb = verb,
68 | Resource = resource
69 | }
70 | }
71 | });
72 |
73 | if (!result.Status.Allowed)
74 | {
75 | mLogger.Warning("SelfSubjectAccessReview result is denied. Error: {error}, reason: {reason}, group: {group}, verb: {verb}, resource: {resource}", result.Status.EvaluationError, result.Status.Reason, group, verb, resource);
76 | }
77 |
78 | return result.Status.Allowed;
79 | }
80 | catch (Exception e)
81 | {
82 | mLogger.Warning(e, "SelfSubjectAccessReview check failed");
83 | return false;
84 | }
85 | }
86 | }
87 | }
88 |
--------------------------------------------------------------------------------
/src/decrypt-api/Controllers/DecryptController.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Threading.Tasks;
4 | using System.Linq;
5 | using Kamus.Models;
6 | using k8s;
7 | using Microsoft.AspNetCore.Authorization;
8 | using Microsoft.AspNetCore.Mvc;
9 | using Microsoft.Rest;
10 | using Kamus.Extensions;
11 | using Kamus.KeyManagement;
12 | using Serilog;
13 |
14 | namespace Kamus.Controllers
15 | {
16 |
17 | public class DecryptController : Controller
18 | {
19 | private readonly IKubernetes mKubernetes;
20 | private readonly IKeyManagement mKeyManagement;
21 | private readonly ILogger mAuditLogger = Log.ForContext().AsAudit();
22 | private readonly ILogger mLogger = Log.ForContext();
23 |
24 | //see: https://github.com/kubernetes/kubernetes/blob/d5803e596fc8aba17aa8c74a96aff9c73bb0f1da/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go#L27
25 | private const string ServiceAccountUsernamePrefix = "system:serviceaccount:";
26 |
27 | public DecryptController(IKubernetes kubernetes, IKeyManagement keyManagement)
28 | {
29 | mKubernetes = kubernetes;
30 | mKeyManagement = keyManagement;
31 | }
32 |
33 | [HttpPost]
34 | [Route("api/v1/decrypt")]
35 | [Authorize(AuthenticationSchemes = "kubernetes")]
36 | public async Task Decrypt([FromBody] DecryptRequest body)
37 | {
38 | if (!ModelState.IsValid)
39 | {
40 | mAuditLogger.Warning("Bad request to Decrypt API: {sourceIP} {validationState}",
41 | Request.HttpContext.Connection.RemoteIpAddress,
42 | ModelState.ValidationState);
43 | return BadRequest("One or more of required fields doesn't present in the request body.");
44 | }
45 |
46 | var serviceAccountUserName = User.Claims.FirstOrDefault(claim => claim.Type == "name")?.Value;
47 |
48 | if (string.IsNullOrEmpty(serviceAccountUserName) ||
49 | !serviceAccountUserName.StartsWith(ServiceAccountUsernamePrefix, StringComparison.InvariantCulture))
50 | {
51 | mAuditLogger.Information("Unauthorized decrypt request, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
52 | Request.HttpContext.Connection.RemoteIpAddress,
53 | serviceAccountUserName);
54 |
55 | return StatusCode(403);
56 | }
57 |
58 | var id = serviceAccountUserName.Replace(ServiceAccountUsernamePrefix, "");
59 |
60 | mAuditLogger.Information("Decryption request started, SourceIP: {sourceIp}, ServiceAccount User Name: {id}",
61 | Request.HttpContext.Connection.RemoteIpAddress,
62 | id);
63 |
64 | try
65 | {
66 | var data = await mKeyManagement.Decrypt(body.EncryptedData, id);
67 |
68 | mAuditLogger.Information("Decryption request succeeded, SourceIP: {sourceIp}, ServiceAccount user Name: {sa}",
69 | Request.HttpContext.Connection.RemoteIpAddress,
70 | id);
71 | return Content(data);
72 | }
73 | catch (DecryptionFailureException e)
74 | {
75 | mLogger.Warning(e, "Decryption request failed, SourceIP: {sourceIp}, ServiceAccount: {sa}",
76 | Request.HttpContext.Connection.RemoteIpAddress,
77 | serviceAccountUserName);
78 | return StatusCode(400);
79 | }
80 | }
81 |
82 |
83 | }
84 | }
85 |
--------------------------------------------------------------------------------
3 |