Commit 3dfe0597 authored by Dimitris Bozelos's avatar Dimitris Bozelos

Issue #3488817 Added service for creating Encrypt KMS configuration

parent d397cef4
services:
lockr_to_kms.config_creator:
class: Drupal\lockr_to_kms\ConfigCreator
arguments:
- '@entity_type.manager'
<?php
declare(strict_types=1);
namespace Drupal\lockr_to_kms;
use Drupal\encrypt\EncryptionProfileInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Config\Entity\ConfigEntityStorageInterface;
/**
* Service that creates the configuration entities required for KMS.
*/
class ConfigCreator {
/**
* The KMS key storage.
*/
protected ConfigEntityStorageInterface $keyStorage;
/**
* The encryption profile storage.
*/
protected ConfigEntityStorageInterface $profileStorage;
/**
* The secret storage.
*/
protected ConfigEntityStorageInterface $secretStorage;
/**
* Constructs a new ConfigCreator object.
*
* @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
* The entity type manager.
*/
public function __construct(
protected EntityTypeManagerInterface $entityTypeManager,
) {
}
/**
* Creates the configuration needed for a KMS key.
*
* For each Lockr key that will be migrated over to KMS, we need an `aws_kms`
* key/encryption profile and an `aws_kms_data/real_aes` key/encryption
* profile, together with a secret that will hold that actual data encryption
* key. This methods creates these configuration entities in preparation for
* the migration command.
*
* @param string $kms_key_id
* The ID to give to the KMS key.
* @param string $kms_key_label
* The label to give to the KMS key.
* @param string $kms_profile_id
* The ID to give to the KMS profile.
* @param string $kms_profile_label
* The label to give to the KMS profile.
* @param string $kms_data_key_id
* The ID to give to the KMS data key.
* @param string $kms_data_key_label
* The label to give to the KMS data key.
* @param string $kms_data_profile_id
* The ID to give to the KMS data profile.
* @param string $kms_data_profile_label
* The label to give to the KMS data profile.
*/
public function create(
string $kms_key_id,
string $kms_key_label,
string $kms_profile_id,
string $kms_profile_label,
string $kms_data_key_id,
string $kms_data_key_label,
string $kms_data_profile_id,
string $kms_data_profile_label,
): void {
$kms_profile = $this->createKmsProfile(
$kms_key_id,
$kms_key_label,
$kms_profile_id,
$kms_profile_label,
);
$this->createKmsDataProfile(
$kms_data_key_id,
$kms_data_key_label,
$kms_data_profile_id,
$kms_data_profile_label,
$kms_profile,
);
}
/**
* Creates the KMS key/encryption profile.
*
* @param string $kms_key_id
* The ID to give to the KMS key.
* @param string $kms_key_label
* The label to give to the KMS key.
* @param string $kms_profile_id
* The ID to give to the KMS profile.
* @param string $kms_profile_label
* The label to give to the KMS profile.
*
* @return \Drupal\encrypt\EncryptionProfileInterface
* The created encryption profile.
*/
protected function createKmsProfile(
string $kms_key_id,
string $kms_key_label,
string $kms_profile_id,
string $kms_profile_label,
): EncryptionProfileInterface {
$kms_key = $this->keyStorage()->create([
'id' => $kms_key_id,
'label' => $kms_key_label,
'key_type' => 'aws_kms',
'key_provider' => 'config',
'key_provider_settings' => [
// This value will need to be configured or overridden in settings.
'key_value' => '',
'base64_encoded' => FALSE,
],
'key_input' => 'aws_kms_arn',
'key_input_settings' => [
'base64_encoded' => FALSE,
],
]);
$this->keyStorage()->save($kms_key);
/** @var \Drupal\encrypt\EncryptionProfileInterface $kms_profile **/
$kms_profile = $this->profileStorage()->create([
'id' => $kms_profile_id,
'label' => $kms_profile_label,
'encryption_method' => 'aws_kms',
'encryption_key' => $kms_key->id(),
]);
$this->profileStorage()->save($kms_profile);
return $kms_profile;
}
/**
* Creates the KMS key/encryption profile.
*
* @param string $kms_data_key_id
* The ID to give to the KMS data key.
* @param string $kms_data_key_label
* The label to give to the KMS data key.
* @param string $kms_data_profile_id
* The ID to give to the KMS data profile.
* @param string $kms_data_profile_label
* The label to give to the KMS data profile.
* @param \Drupal\encrypt\EncryptionProfileInterface $kms_profile
* The newly created KMS profile.
*/
protected function createKmsDataProfile(
string $kms_data_key_id,
string $kms_data_key_label,
string $kms_data_profile_id,
string $kms_data_profile_label,
EncryptionProfileInterface $kms_profile,
): void {
$kms_data_key = $this->keyStorage()->create([
'id' => $kms_data_key_id,
'label' => $kms_data_key_label,
'key_type' => 'aws_kms_data',
'key_type_settings' => [
'key_size' => 256,
'client_master_profile' => $kms_profile->id(),
],
'key_provider' => 'aws_kms',
'key_provider_settings' => [
'client_master_profile' => $kms_profile->id(),
],
'key_input' => 'generate',
'key_input_settings' => [
'generated' => TRUE,
'display_once' => TRUE,
],
]);
$this->keyStorage()->save($kms_data_key);
$secret = $this->secretStorage()->create([
'id' => $kms_data_key->id(),
// This value will be populated when copying the key from Lockr.
'value' => 'Placeholder value',
]);
$this->secretStorage()->save($secret);
$kms_data_profile = $this->profileStorage()->create([
'id' => $kms_data_profile_id,
'label' => $kms_data_profile_label,
'encryption_method' => 'real_aes',
'encryption_key' => $kms_data_key->id(),
]);
// Note that this will cause an error to be logged because the secret is not
// valid, but it still successfully prepares the site to use KMS.
$this->profileStorage()->save($kms_data_profile);
}
/**
* Returns the key entity storage.
*
* @return \Drupal\Core\Config\Entity\ConfigEntityStorageInterface
* The key storage.
*/
protected function keyStorage(): ConfigEntityStorageInterface {
if (!isset($this->keyStorage)) {
$this->keyStorage = $this->entityTypeManager
->getStorage('key');
}
return $this->keyStorage;
}
/**
* Returns the encryption profile entity storage.
*
* @return \Drupal\Core\Config\Entity\ConfigEntityStorageInterface
* The encryption profile storage.
*/
protected function profileStorage(): ConfigEntityStorageInterface {
if (!isset($this->profileStorage)) {
$this->profileStorage = $this->entityTypeManager
->getStorage('encryption_profile');
}
return $this->profileStorage;
}
/**
* Returns the KMS secret entity storage.
*
* @return \Drupal\Core\Config\Entity\ConfigEntityStorageInterface
* The KMS secret storage.
*/
protected function secretStorage(): ConfigEntityStorageInterface {
if (!isset($this->secretStorage)) {
$this->secretStorage = $this->entityTypeManager
->getStorage('aws_kms_secret');
}
return $this->secretStorage;
}
}
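Review bot: `create()` saves four config entities one after another without first checking that any of the supplied IDs is free, so a re-run with the same arguments, or a collision with an existing `key` or `encryption_profile`, is likely to fail part-way through and leave a KMS key or profile saved without its counterpart; Drupal config entity storage normally throws when a new entity's ID already exists, though that behaviour is not visible in this file. A guard before the first write, e.g. `if ($this->keyStorage()->load($kms_key_id) !== NULL) { throw new \RuntimeException("Key '$kms_key_id' already exists."); }` repeated for the other three IDs, would make the operation fail before anything is persisted, and the `create()` docblock should then document it with `@throws \RuntimeException`. The docblock heading `createKmsDataProfile()` is a copy of the one on `createKmsProfile()`; it should read `Creates the KMS data key/encryption profile and the secret that will hold the data key.` so the two methods are not confused. Since the secret is saved with the literal `'Placeholder value'` and the final profile save is noted to log an error, the class docblock would benefit from a sentence stating that the `real_aes` profile must not be used for encryption until the migration command has replaced that placeholder.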