Add Cloud KMS based secret storage

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=147791972
This commit is contained in:
shikhman 2017-02-16 17:55:19 -08:00 committed by Ben McIlwain
parent ab6e7b177a
commit be30ecdf66
24 changed files with 2255 additions and 0 deletions

View file

@ -0,0 +1,29 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.keyring.api;
/** Base class for all {@link Keyring} specific unchecked exceptions. */
public class KeyringException extends RuntimeException {
/** @see RuntimeException#RuntimeException(String) */
public KeyringException(String msg) {
super(msg);
}
/** @see RuntimeException#RuntimeException(String, Throwable) */
public KeyringException(String msg, Throwable cause) {
super(msg, cause);
}
}

View file

@ -0,0 +1,25 @@
package(
default_visibility = ["//visibility:public"],
)
licenses(["notice"]) # Apache 2.0
java_library(
name = "kms",
srcs = glob(["*.java"]),
deps = [
"//java/google/registry/config",
"//java/google/registry/keyring/api",
"//java/google/registry/model",
"//java/google/registry/util",
"//third_party/java/objectify:objectify-v4_1",
"@com_google_api_client",
"@com_google_apis_google_api_services_cloudkms",
"@com_google_code_findbugs_jsr305",
"@com_google_dagger",
"@com_google_guava",
"@com_google_http_client",
"@org_bouncycastle_bcpg_jdk15on",
"@org_bouncycastle_bcpkix_jdk15on",
],
)

View file

@ -0,0 +1,243 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.keyring.kms;
import static com.google.common.base.Preconditions.checkState;
import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
import static google.registry.model.ofy.ObjectifyService.ofy;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.api.services.cloudkms.v1beta1.CloudKMS;
import com.google.api.services.cloudkms.v1beta1.model.DecryptRequest;
import com.googlecode.objectify.Key;
import google.registry.config.RegistryConfig.Config;
import google.registry.keyring.api.Keyring;
import google.registry.keyring.api.KeyringException;
import google.registry.keyring.api.PgpHelper;
import google.registry.model.server.KmsSecret;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.inject.Inject;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
/**
* A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them
* using encryption keys stored in Cloud KMS.
*
* @see <a href="https://cloud.google.com/kms/docs/">Google Cloud Key Management Service
* Documentation</a>
*/
public class KmsKeyring implements Keyring {
private static final String KMS_KEYRING_NAME_FORMAT = "projects/%s/locations/global/keyRings/%s";
private static final String KMS_CRYPTO_KEY_NAME_FORMAT =
"projects/%s/locations/global/keyRings/%s/cryptoKeys/%s";
private static final String KMS_CRYPTO_KEY_VERSION_NAME_FORMAT =
"projects/%s/locations/global/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions";
static final String BRAINTREE_PRIVATE_KEY_NAME = "braintree-private-key";
static final String BRDA_RECEIVER_PUBLIC_NAME = "brda-receiver-public";
static final String BRDA_SIGNING_PRIVATE_NAME = "brda-signing-private";
static final String BRDA_SIGNING_PUBLIC_NAME = "brda-signing-public";
static final String ICANN_REPORTING_PASSWORD_NAME = "icann-reporting-password";
static final String JSON_CREDENTIAL_NAME = "json-credential";
static final String MARKSDB_DNL_LOGIN_NAME = "marksdb-dnl-login";
static final String MARKSDB_LORDN_PASSWORD_NAME = "marksdb-lordn-password";
static final String MARKSDB_SMDRL_LOGIN_NAME = "marksdb-smdrl-login";
static final String RDE_RECEIVER_PUBLIC_NAME = "rde-receiver-public";
static final String RDE_SIGNING_PRIVATE_NAME = "rde-signing-private";
static final String RDE_SIGNING_PUBLIC_NAME = "rde-signing-public";
static final String RDE_SSH_CLIENT_PRIVATE_NAME = "rde-ssh-client-private";
static final String RDE_SSH_CLIENT_PUBLIC_NAME = "rde-ssh-client-public";
static final String RDE_STAGING_PRIVATE_NAME = "rde-staging-private";
static final String RDE_STAGING_PUBLIC_NAME = "rde-staging-public";
private final CloudKMS kms;
private final String kmsKeyRingName;
private final String projectId;
@Inject
KmsKeyring(
@Config("cloudKmsProjectId") String projectId,
@Config("cloudKmsKeyRing") String kmsKeyringName,
CloudKMS kms) {
this.projectId = projectId;
this.kmsKeyRingName = kmsKeyringName;
this.kms = kms;
}
@Override
public PGPKeyPair getRdeSigningKey() {
return getKeyPair(RDE_SIGNING_PUBLIC_NAME, RDE_SIGNING_PRIVATE_NAME);
}
@Override
public PGPPublicKey getRdeStagingEncryptionKey() {
return getPublicKeyForEncrypting(RDE_STAGING_PUBLIC_NAME);
}
@Override
public PGPPrivateKey getRdeStagingDecryptionKey() {
return getPrivateKey(RDE_STAGING_PRIVATE_NAME);
}
@Override
public PGPPublicKey getRdeReceiverKey() {
return getPublicKeyForEncrypting(RDE_RECEIVER_PUBLIC_NAME);
}
@Override
public PGPKeyPair getBrdaSigningKey() {
return getKeyPair(BRDA_SIGNING_PUBLIC_NAME, BRDA_SIGNING_PRIVATE_NAME);
}
@Override
public PGPPublicKey getBrdaReceiverKey() {
return getPublicKeyForEncrypting(BRDA_RECEIVER_PUBLIC_NAME);
}
@Override
public String getRdeSshClientPublicKey() {
return new String(getDecryptedData((RDE_SSH_CLIENT_PUBLIC_NAME)), UTF_8);
}
@Override
public String getRdeSshClientPrivateKey() {
return new String(getDecryptedData(RDE_SSH_CLIENT_PRIVATE_NAME), UTF_8);
}
@Override
public String getIcannReportingPassword() {
return new String(getDecryptedData(ICANN_REPORTING_PASSWORD_NAME), UTF_8);
}
@Override
public String getMarksdbDnlLogin() {
return new String(getDecryptedData(MARKSDB_DNL_LOGIN_NAME), UTF_8);
}
@Override
public String getMarksdbLordnPassword() {
return new String(getDecryptedData(MARKSDB_LORDN_PASSWORD_NAME), UTF_8);
}
@Override
public String getMarksdbSmdrlLogin() {
return new String(getDecryptedData(MARKSDB_SMDRL_LOGIN_NAME), UTF_8);
}
@Override
public String getJsonCredential() {
return new String(getDecryptedData(JSON_CREDENTIAL_NAME), UTF_8);
}
@Override
public String getBraintreePrivateKey() {
return new String(getDecryptedData(BRAINTREE_PRIVATE_KEY_NAME), UTF_8);
}
/** No persistent resources are maintained for this Keyring implementation. */
@Override
public void close() {}
private PGPKeyPair getKeyPair(String publicKeyName, String privateKeyName) {
try {
PGPPublicKey publicKey =
new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)).getPublicKey();
return new PGPKeyPair(publicKey, getPrivateKey(privateKeyName));
} catch (IOException e) {
throw new KeyringException(
String.format(
"Could not parse public key %s and private key %s", publicKeyName, privateKeyName),
e);
}
}
private PGPPublicKey getPublicKeyForEncrypting(String publicKeyName) {
try {
return PgpHelper.lookupPublicSubkey(
new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)), ENCRYPT)
.get();
} catch (IOException e) {
throw new KeyringException(String.format("Could not parse public key %s", publicKeyName), e);
}
}
private PGPPrivateKey getPrivateKey(String privateKeyName) {
try {
PGPSecretKeyRing privateKeyRing = new BcPGPSecretKeyRing(getPgpInputStream(privateKeyName));
// There shouldn't be a passphrase on the key
return privateKeyRing
.getSecretKey()
.extractPrivateKey(
new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
.build(new char[0]));
} catch (IOException | PGPException e) {
throw new KeyringException(
String.format("Could not parse private key %s", privateKeyName), e);
}
}
private InputStream getPgpInputStream(String privateKeyName) throws IOException {
return PGPUtil.getDecoderStream(new ByteArrayInputStream(getDecryptedData(privateKeyName)));
}
private byte[] getDecryptedData(String keyName) {
KmsSecret secret =
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
String encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
try {
return kms.projects()
.locations()
.keyRings()
.cryptoKeys()
.decrypt(
getCryptoKeyName(projectId, kmsKeyRingName, secret.getName()),
new DecryptRequest().setCiphertext(encryptedData))
.execute()
.decodePlaintext();
} catch (IOException e) {
throw new KeyringException(
String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
}
}
static String getKeyRingName(String projectId, String kmsKeyRingName) {
return String.format(KMS_KEYRING_NAME_FORMAT, projectId, kmsKeyRingName);
}
static String getCryptoKeyName(String projectId, String kmsKeyRingName, String cryptoKeyName) {
return String.format(KMS_CRYPTO_KEY_NAME_FORMAT, projectId, kmsKeyRingName, cryptoKeyName);
}
static String getCryptoKeyVersionName(
String projectId, String kmsKeyRingName, String cryptoKeyName) {
return String.format(
KMS_CRYPTO_KEY_VERSION_NAME_FORMAT, projectId, kmsKeyRingName, cryptoKeyName);
}
}

View file

@ -0,0 +1,42 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.keyring.kms;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.services.cloudkms.v1beta1.CloudKMS;
import com.google.api.services.cloudkms.v1beta1.CloudKMSScopes;
import com.google.common.base.Function;
import dagger.Module;
import dagger.Provides;
import google.registry.config.RegistryConfig.Config;
import java.util.Set;
/** Dagger module for Cloud KMS connection objects. */
@Module
public final class KmsModule {
@Provides
static CloudKMS provideKms(
HttpTransport transport,
JsonFactory jsonFactory,
Function<Set<String>, ? extends HttpRequestInitializer> credential,
@Config("cloudKmsProjectId") String projectId) {
return new CloudKMS.Builder(transport, jsonFactory, credential.apply(CloudKMSScopes.all()))
.setApplicationName(projectId)
.build();
}
}

View file

@ -0,0 +1,281 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.keyring.kms;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkState;
import static google.registry.keyring.kms.KmsKeyring.BRAINTREE_PRIVATE_KEY_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_RECEIVER_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.ICANN_REPORTING_PASSWORD_NAME;
import static google.registry.keyring.kms.KmsKeyring.JSON_CREDENTIAL_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_DNL_LOGIN_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_LORDN_PASSWORD_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_SMDRL_LOGIN_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_RECEIVER_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.getCryptoKeyName;
import static google.registry.keyring.kms.KmsKeyring.getCryptoKeyVersionName;
import static google.registry.keyring.kms.KmsKeyring.getKeyRingName;
import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.services.cloudkms.v1beta1.CloudKMS;
import com.google.api.services.cloudkms.v1beta1.model.CryptoKey;
import com.google.api.services.cloudkms.v1beta1.model.CryptoKeyVersion;
import com.google.api.services.cloudkms.v1beta1.model.EncryptRequest;
import com.google.api.services.cloudkms.v1beta1.model.EncryptResponse;
import com.google.api.services.cloudkms.v1beta1.model.KeyRing;
import com.google.common.collect.ImmutableMap;
import com.googlecode.objectify.VoidWork;
import google.registry.config.RegistryConfig.Config;
import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision;
import java.io.IOException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.inject.Inject;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
/**
* The {@link KmsUpdater} accumulates updates to a {@link KmsKeyring} and persists them to KMS and
* Datastore when closed.
*/
public final class KmsUpdater {
private static final int RESOURCE_NOT_FOUND = 404;
private final String projectId;
private final String kmsKeyRingName;
private final CloudKMS kms;
private final HashMap<String, byte[]> secretValues;
@Inject
public KmsUpdater(
@Config("cloudKmsProjectId") String projectId,
@Config("cloudKmsKeyRing") String kmsKeyRingName,
CloudKMS kms) {
this.projectId = projectId;
this.kmsKeyRingName = kmsKeyRingName;
this.kms = kms;
// Use LinkedHashMap to preserve insertion order on update() to simplify testing and debugging
this.secretValues = new LinkedHashMap<>();
}
public KmsUpdater setRdeSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(RDE_SIGNING_PRIVATE_NAME, checkArgumentNotNull(secretKeyRing).getEncoded());
setSecret(RDE_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
}
public KmsUpdater setRdeStagingKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(RDE_STAGING_PRIVATE_NAME, secretKeyRing.getEncoded());
setSecret(RDE_STAGING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
}
public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey rdeReceiverPublicKey) throws IOException {
setSecret(RDE_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(rdeReceiverPublicKey).getEncoded());
return this;
}
public KmsUpdater setBrdaSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(BRDA_SIGNING_PRIVATE_NAME, secretKeyRing.getEncoded());
setSecret(BRDA_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
}
public KmsUpdater setBrdaReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
setSecret(BRDA_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(publicKey).getEncoded());
return this;
}
public KmsUpdater setRdeSshClientPublicKey(String asciiPublicKey) {
setSecret(RDE_SSH_CLIENT_PUBLIC_NAME, checkArgumentNotNull(asciiPublicKey).getBytes(UTF_8));
return this;
}
public KmsUpdater setRdeSshClientPrivateKey(String asciiPrivateKey) {
setSecret(RDE_SSH_CLIENT_PRIVATE_NAME, checkArgumentNotNull(asciiPrivateKey).getBytes(UTF_8));
return this;
}
public KmsUpdater setIcannReportingPassword(String password) {
setSecret(ICANN_REPORTING_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
return this;
}
public KmsUpdater setMarksdbDnlLogin(String login) {
setSecret(MARKSDB_DNL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
return this;
}
public KmsUpdater setMarksdbLordnPassword(String password) {
setSecret(MARKSDB_LORDN_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
return this;
}
public KmsUpdater setMarksdbSmdrlLogin(String login) {
setSecret(MARKSDB_SMDRL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
return this;
}
public KmsUpdater setJsonCredential(String credential) {
setSecret(JSON_CREDENTIAL_NAME, checkArgumentNotNull(credential).getBytes(UTF_8));
return this;
}
public KmsUpdater setBraintreePrivateKey(String braintreePrivateKey) {
setSecret(
BRAINTREE_PRIVATE_KEY_NAME, checkArgumentNotNull(braintreePrivateKey).getBytes(UTF_8));
return this;
}
/**
* Generates new encryption keys in KMS, encrypts the updated secrets with them, and persists the
* encrypted secrets to Datastore.
*
* <p>The operations in this method are organized so that existing {@link KmsSecretRevision}
* entities remain primary and decryptable if a failure occurs.
*/
public void update() throws IOException {
checkState(!secretValues.isEmpty(), "At least one Keyring value must be persisted");
persistEncryptedValues(encryptValues(secretValues));
}
/**
* Encrypts updated secrets using KMS. If the configured {@code KeyRing} or {@code CryptoKey}
* associated with a secret doesn't exist, they will first be created.
*
* @see google.registry.config.RegistryConfigSettings#kms
*/
private ImmutableMap<String, EncryptResponse> encryptValues(Map<String, byte[]> keyValues)
throws IOException {
String fullKeyRingName = getKeyRingName(projectId, kmsKeyRingName);
try {
kms.projects().locations().keyRings().get(fullKeyRingName).execute();
} catch (GoogleJsonResponseException jsonException) {
if (jsonException.getStatusCode() == RESOURCE_NOT_FOUND) {
// Create the KeyRing in the "global" namespace. Encryption keys will be accessible from all
// GCP regions.
kms.projects()
.locations()
.keyRings()
.create("global", new KeyRing().setName(fullKeyRingName))
.execute();
} else {
throw jsonException;
}
}
ImmutableMap.Builder<String, EncryptResponse> encryptedValues = new ImmutableMap.Builder<>();
for (Map.Entry<String, byte[]> entry : keyValues.entrySet()) {
String keyName = entry.getKey();
String fullKeyName = getCryptoKeyName(projectId, kmsKeyRingName, keyName);
try {
kms.projects().locations().keyRings().cryptoKeys().get(fullKeyName).execute();
} catch (GoogleJsonResponseException jsonException) {
if (jsonException.getStatusCode() == RESOURCE_NOT_FOUND) {
kms.projects()
.locations()
.keyRings()
.cryptoKeys()
.create(fullKeyName, new CryptoKey().setName(keyName).setPurpose("ENCRYPT_DECRYPT"))
.execute();
} else {
throw jsonException;
}
}
CryptoKeyVersion cryptoKeyVersion =
kms.projects()
.locations()
.keyRings()
.cryptoKeys()
.cryptoKeyVersions()
.create(
getCryptoKeyVersionName(projectId, kmsKeyRingName, keyName),
new CryptoKeyVersion())
.execute();
encryptedValues.put(
keyName,
kms.projects()
.locations()
.keyRings()
.cryptoKeys()
.encrypt(
cryptoKeyVersion.getName(),
new EncryptRequest().encodePlaintext(entry.getValue()))
.execute());
}
return encryptedValues.build();
}
/**
* Persists encrypted secrets to Datastore as {@link KmsSecretRevision} entities and makes them
* primary. {@link KmsSecret} entities point to the latest {@link KmsSecretRevision}.
*
* <p>The changes are committed transactionally; if an error occurs, all existing {@link
* KmsSecretRevision} entities will remain primary.
*/
private static void persistEncryptedValues(
final ImmutableMap<String, EncryptResponse> encryptedValues) {
ofy()
.transact(
new VoidWork() {
@Override
public void vrun() {
for (Map.Entry<String, EncryptResponse> entry : encryptedValues.entrySet()) {
String secretName = entry.getKey();
EncryptResponse revisionData = entry.getValue();
KmsSecretRevision secretRevision =
new KmsSecretRevision.Builder()
.setEncryptedValue(revisionData.getCiphertext())
.setKmsCryptoKeyVersionName(revisionData.getName())
.setParent(secretName)
.build();
ofy()
.save()
.entities(secretRevision, KmsSecret.create(secretName, secretRevision));
}
}
});
}
private void setSecret(String secretName, byte[] value) {
checkArgument(!secretValues.containsKey(secretName), "Attempted to set %s twice", secretName);
secretValues.put(secretName, value);
}
}