filebrowser/encfs/kms.go

package encfs

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

const LOCAL_MINI_KMS_ADDRESS = "LOCAL_MINI_KMS_ADDRESS"
const DISABLE_ENCRYPTION_MASTER_KEY = "DISABLE_ENCRYPTION_MASTER_KEY"
const ENCRYPTED_ENCRYPTION_MASTER_KEY = "ENCRYPTED_ENCRYPTION_MASTER_KEY"

type MultiViewValue struct {
	ValueHex    string `json:"value_hex"`
	ValueBase64 string `json:"value_base64"`
}

type EncryptRequest struct {
	EncryptedValue string `json:"encrypted_value"`
}

var cachedcEncryptionMasterKey *EncryptionMasterKey = nil
var cachedcEncryptionMasterKeyLock sync.Mutex

func GetCachedEncryptionMasterKey() (*EncryptionMasterKey, error) {
	cachedcEncryptionMasterKeyLock.Lock()
	defer cachedcEncryptionMasterKeyLock.Unlock()
	if cachedcEncryptionMasterKey == nil {
		var err error
		cachedcEncryptionMasterKey, err = GetEncryptionMasterKey()
		if err != nil {
			return nil, err
		}
	}
	return cachedcEncryptionMasterKey, nil
}

func GetEncryptionMasterKey() (*EncryptionMasterKey, error) {
	disableEncryptionMasterKey := os.Getenv(DISABLE_ENCRYPTION_MASTER_KEY)
	if disableEncryptionMasterKey == "1" ||
		disableEncryptionMasterKey == "on" ||
		disableEncryptionMasterKey == "yes" ||
		disableEncryptionMasterKey == "true" {
		return nil, nil
	}
	encryptedEncryptionMasterKey := os.Getenv(ENCRYPTED_ENCRYPTION_MASTER_KEY)
	if encryptedEncryptionMasterKey == "" {
		fmt.Println("[ERROR] encrypted encryption master key is not present")
		return nil, errors.New("encrypted encryption master key is not present")
	}
	key, err := DecryptBytes(encryptedEncryptionMasterKey)
	if err != nil {
		return nil, err
	}
	return &EncryptionMasterKey{
		key: key,
	}, nil
}

func DecryptBytes(encryptedValue string) ([]byte, error) {
	localMiniKmsAddress := os.Getenv(LOCAL_MINI_KMS_ADDRESS)
	if localMiniKmsAddress == "" {
		localMiniKmsAddress = "127.0.0.1:5567"
	}
	if !strings.HasPrefix(strings.ToLower(localMiniKmsAddress), "http://") {
		localMiniKmsAddress = fmt.Sprintf("http://%s", localMiniKmsAddress)
	}
	multiViewValue, err := Decrypt(localMiniKmsAddress, encryptedValue)
	if err != nil {
		fmt.Println("[ERROR] Decrypt from", localMiniKmsAddress, "failed, error:", err)
		return nil, err
	}
	valueBytes, err := hex.DecodeString(multiViewValue.ValueHex)
	if err != nil {
		return nil, err
	}
	return valueBytes, nil
}

func Decrypt(endpoint, encryptedValue string) (*MultiViewValue, error) {
	encryptRequest := EncryptRequest{
		EncryptedValue: encryptedValue,
	}
	encryptRequestBytes, err := json.Marshal(&encryptRequest)
	if err != nil {
		return nil, err
	}
	encryptRequestReader := bytes.NewReader(encryptRequestBytes)
	client := http.Client{
		Timeout: 5 * time.Second,
	}
	encryptResponse, err := client.Post(joinEnpointPath(endpoint, "/decrypt"), "application/json", encryptRequestReader)
	if err != nil {
		return nil, err
	}
	if encryptResponse.StatusCode != 200 {
		return nil, fmt.Errorf("decrypt failed, http status: %d", encryptResponse.StatusCode)
	}
	encryptResponseBodyBytes, err := io.ReadAll(encryptResponse.Body)
	if err != nil {
		return nil, err
	}
	var multiViewValue MultiViewValue
	err = json.Unmarshal(encryptResponseBodyBytes, &multiViewValue)
	if err != nil {
		return nil, err
	}
	return &multiViewValue, nil
}

func joinEnpointPath(endpoint, path string) string {
	endpointEndsWithSlash := strings.HasSuffix(endpoint, "/")
	pathStartsWithSlash := strings.HasPrefix(path, "/")
	if endpointEndsWithSlash && pathStartsWithSlash {
		return fmt.Sprintf("%s%s", endpoint, path[1:])
	} else if endpointEndsWithSlash || pathStartsWithSlash {
		return fmt.Sprintf("%s%s", endpoint, path)
	} else {
		return fmt.Sprintf("%s/%s", endpoint, path)
	}
}