Commit e89c5861 authored by Dimitris Bozelos's avatar Dimitris Bozelos

Issue #3488820 Provided service for copying keys

parent 3dfe0597
......@@ -3,3 +3,9 @@ services:
class: Drupal\lockr_to_kms\ConfigCreator
arguments:
- '@entity_type.manager'
lockr_to_kms.key_copier:
class: Drupal\lockr_to_kms\KeyCopier
arguments:
- '@entity_type.manager'
- '@encryption'
<?php
declare(strict_types=1);
namespace Drupal\lockr_to_kms;
use Drupal\encrypt\EncryptionProfileInterface;
use Drupal\encrypt\EncryptServiceInterface;
use Drupal\encrypt\Exception\EncryptException;
use Drupal\encrypt\Exception\EncryptionMethodCanNotDecryptException as CanNotDecryptException;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Config\Entity\ConfigEntityStorageInterface;
use Drupal\Component\Utility\Random;
/**
* Service that copies the key from Lockr to the KMS secret.
*/
class KeyCopier {
/**
* The KMS key storage.
*/
protected ConfigEntityStorageInterface $keyStorage;
/**
* The encryption profile storage.
*/
protected ConfigEntityStorageInterface $profileStorage;
/**
* Constructs a new KeyCopier object.
*
* @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
* The entity type manager.
* @param \Drupal\encrypt\EncryptServiceInterface $encryptService
* The encryption service.
*/
public function __construct(
protected EntityTypeManagerInterface $entityTypeManager,
protected EncryptServiceInterface $encryptService,
) {
}
/**
* Copies the Lockr key to the KMS secret.
*
* The `lockr` module stores the wrapper key locally and the data encryption
* key remotely - in the Lockr keyring, while the `encrypt_kms` module stores
* the data encryption key locally and the wrapper key remotely - in the AWS
* KMS storage.
*
* We do not need to copy the wrapper key; a new symmetric wrapper key should
* be generated in AWS KMS. We only need to copy the actual data encryption
* key from Lockr, encrypt it, and store it in the local KMS secret.
*
* @param string $lockr_profile_id
* The ID of the Lockr encryption profile.
* @param string $kms_data_profile_id
* The ID of the KMS data profile.
*
* @throws \InvalidArgumentException
* When no encryption profile was found with any of the given IDs.
*/
public function copy(
string $lockr_profile_id,
string $kms_data_profile_id,
): void {
$kms_data_key = $this->loadProfile($kms_data_profile_id)->getEncryptionKey();
/** @var \Drupal\encrypt_kms\Plugin\KeyProvider\AwsKmsKeyProvider $kms_provider */
$kms_provider = $kms_data_key->getKeyProvider();
$kms_provider->deleteKeyValue($kms_data_key);
$kms_provider->setKeyValue(
$kms_data_key,
$this->loadProfile($lockr_profile_id)->getEncryptionKey()->getKeyValue(),
);
}
/**
* Loads the encryption profile with the given ID.
*
* @param string $profile_id
* The encryption profile ID.
*
* @return \Drupal\encrypt\EncryptionProfileInterface
* The encryption profile configuration entity.
*
* @throws \InvalidArgumentException
* When no encryption profile was found with the given ID.
*/
protected function loadProfile(
string $profile_id,
): EncryptionProfileInterface {
$profile = $this->profileStorage()->load($profile_id);
if (!$profile instanceof EncryptionProfileInterface) {
throw new \InvalidArgumentException(sprintf(
'Encryption profile "%s" does not exist.',
$profile_id,
));
}
return $profile;
}
/**
* Returns the key entity storage.
*
* @return \Drupal\Core\Config\Entity\ConfigEntityStorageInterface
* The key storage.
*/
protected function keyStorage(): ConfigEntityStorageInterface {
if (!isset($this->keyStorage)) {
$this->keyStorage = $this->entityTypeManager
->getStorage('key');
}
return $this->keyStorage;
}
/**
* Returns the encryption profile entity storage.
*
* @return \Drupal\Core\Config\Entity\ConfigEntityStorageInterface
* The encryption profile storage.
*/
protected function profileStorage(): ConfigEntityStorageInterface {
if (!isset($this->profileStorage)) {
$this->profileStorage = $this->entityTypeManager
->getStorage('encryption_profile');
}
return $this->profileStorage;
}
}
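Review bot: In `copy()` the existing KMS key value is removed with `deleteKeyValue()` before the Lockr profile has been loaded or its key value read, so an unknown `$lockr_profile_id`, a profile without a key, or a failure inside `getKeyValue()` leaves the KMS data key empty with nothing to restore; the destructive step should come only after every fallible read has succeeded. Read the source first, `$lockr_key_value = $this->loadProfile($lockr_profile_id)->getEncryptionKey()->getKeyValue();`, then delete, then `$kms_provider->setKeyValue($kms_data_key, $lockr_key_value);`, and extend the `@throws` docblock to say that provider failures raised by `deleteKeyValue()`/`setKeyValue()` propagate to the caller. The `@var AwsKmsKeyProvider` annotation is only a hint to static analysis; a runtime `instanceof` check against the key module's `\Drupal\key\Plugin\KeyProviderSettableValueInterface` (which, as far as I recall, declares both methods) would fail with a clear message instead of an undefined-method error if the profile's key uses a different provider. Separately, `EncryptServiceInterface`/`$encryptService`, `EncryptException`, `CanNotDecryptException`, `Random` and the `keyStorage()` helper are never used in this file and can be dropped, together with the `'@encryption'` argument in the service definition.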