feat: update OKMS 2.5 (#130)

Author: gbahezre

cmd/okms/common/client.go

@@ -3,16 +3,24 @@ package common
 import (
 	"os"
 
+	"github.com/google/uuid"
 	"github.com/ovh/okms-cli/common/config"
 	"github.com/ovh/okms-cli/common/utils/exit"
 	"github.com/ovh/okms-sdk-go"
 	"github.com/spf13/cobra"
 )
 
-var ccmRestClient *okms.Client
+var (
+	okmsId     uuid.UUID
+	restClient *okms.Client
+)
 
 func Client() *okms.Client {
-	return ccmRestClient
+	return restClient
+}
+
+func GetOkmsId() uuid.UUID {
+	return okmsId
 }
 
 type CustomizeFunc func(c *cobra.Command) func(*okms.Client)
@@ -28,6 +36,7 @@ func SetupRestApiFlags(command *cobra.Command, cust CustomizeFunc) {
 	}
 
 	config.SetupEndpointFlags(command, "http", func(command *cobra.Command, cfg config.EndpointConfig) {
+		okmsId = cfg.Auth.GetOkmsId()
 		clientCfg := okms.ClientConfig{
 			Timeout: timeout,
 			TlsCfg:  cfg.TlsConfig(""),
@@ -38,7 +47,12 @@ func SetupRestApiFlags(command *cobra.Command, cust CustomizeFunc) {
 		if *debug {
 			clientCfg.Middleware = okms.DebugTransport(os.Stderr)
 		}
-		ccmRestClient = exit.OnErr2(okms.NewRestAPIClient(cfg.Endpoint, clientCfg))
-		f(ccmRestClient)
+		restClient = exit.OnErr2(okms.NewRestAPIClient(cfg.Endpoint, clientCfg))
+
+		if cfg.Auth.GetToken() != nil {
+			restClient.SetCustomHeader("Authorization", "Bearer "+*cfg.Auth.GetToken())
+		}
+
+		f(restClient)
 	})
 }

cmd/okms/configure/root.go

@@ -45,10 +45,19 @@ func Run(profile string) {
 	choice := exit.OnErr2(pterm.DefaultInteractiveSelect.WithOptions([]string{"HTTP", "KMIP"}).Show("Select a protocol to configure"))
 	switch choice {
 	case "HTTP":
-		config.ReadUserInput("CA file", "http.ca", profile, config.ValidateFileExists.AllowEmpty())
-		config.ReadUserInput("Certificate file", "http.auth.cert", profile, config.ValidateFileExists)
-		config.ReadUserInput("Private key file", "http.auth.key", profile, config.ValidateFileExists)
 		config.ReadUserInput("Endpoint", "http.endpoint", profile, config.ValidateURL)
+		config.ReadUserInput("CA file", "http.ca", profile, config.ValidateFileExists.AllowEmpty())
+		authChoice := exit.OnErr2(pterm.DefaultInteractiveSelect.WithOptions([]string{"mtls", "token"}).Show("Select authentication to configure"))
+		switch authChoice {
+		case "mtls":
+			config.SetConfigKey(profile, "http.auth.type", "mtls")
+			config.ReadUserInput("Certificate file", "http.auth.cert", profile, config.ValidateFileExists)
+			config.ReadUserInput("Private key file", "http.auth.key", profile, config.ValidateFileExists)
+		case "token":
+			config.SetConfigKey(profile, "http.auth.type", "token")
+			config.ReadUserInput("Token", "http.auth.token", profile, config.ValidateNotEmpty)
+			config.ReadUserInput("okmsId", "http.auth.okmsId", profile, config.ValidateUUID)
+		}
 	case "KMIP":
 		config.ReadUserInput("CA file", "kmip.ca", profile, config.ValidateFileExists.AllowEmpty())
 		config.ReadUserInput("Certificate file", "kmip.auth.cert", profile, config.ValidateFileExists)

cmd/okms/keys/datakeys.go

@@ -39,7 +39,7 @@ func newGenerateDataKeyFromServiceKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			plaintext, encrypted := exit.OnErr3(common.Client().GenerateDataKey(cmd.Context(), keyId, name, keySize))
+			plaintext, encrypted := exit.OnErr3(common.Client().GenerateDataKey(cmd.Context(), common.GetOkmsId(), keyId, name, keySize))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(map[string]any{
 					"plain":     plaintext,
@@ -66,7 +66,7 @@ DATA-KEY can be either plain text, a '-' to read from stdin, or a filename prefi
 		Args: cobra.ExactArgs(2),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			plaintext := exit.OnErr2(common.Client().DecryptDataKey(cmd.Context(), keyId, flagsmgmt.StringFromArg(args[1], 8192)))
+			plaintext := exit.OnErr2(common.Client().DecryptDataKey(cmd.Context(), common.GetOkmsId(), keyId, flagsmgmt.StringFromArg(args[1], 8192)))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(plaintext)
 			} else {

cmd/okms/keys/decrypt.go

@@ -49,7 +49,7 @@ OUTPUT can be either a filepath, or a "-" for stdout. If not set, output is stdo
 			}
 
 			text := flagsmgmt.BytesFromArg(args[1], 8192)
-			resp := exit.OnErr2(common.Client().Decrypt(cmd.Context(), keyId, context, string(text)))
+			resp := exit.OnErr2(common.Client().Decrypt(cmd.Context(), common.GetOkmsId(), keyId, context, string(text)))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -84,7 +84,7 @@ func wrapDecrypt(ctx context.Context, input, output string, keyId uuid.UUID, key
 	out := flagsmgmt.WriterFromArg(output)
 	defer out.Close()
 
-	in, err := common.Client().DataKeys(keyId).DecryptStream(ctx, in, keyCtx)
+	in, err := common.Client().DataKeys(common.GetOkmsId(), keyId).DecryptStream(ctx, in, keyCtx)
 	if err != nil {
 		return err
 	}

cmd/okms/keys/encrypt.go

@@ -50,7 +50,7 @@ OUTPUT can be either a filepath, or a "-" for stdout. If not set, output is stdo
 				return
 			}
 			data := flagsmgmt.BytesFromArg(args[1], 8192)
-			resp := exit.OnErr2(common.Client().Encrypt(cmd.Context(), keyId, context, data))
+			resp := exit.OnErr2(common.Client().Encrypt(cmd.Context(), common.GetOkmsId(), keyId, context, data))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -83,7 +83,7 @@ func wrapEncrypt(ctx context.Context, input, output string, keyId uuid.UUID, key
 		defer out.Close()
 	}
 
-	out, err := common.Client().DataKeys(keyId).EncryptStream(ctx, out, keyCtx, okms.BlockSize4MB)
+	out, err := common.Client().DataKeys(common.GetOkmsId(), keyId).EncryptStream(ctx, out, keyCtx, okms.BlockSize4MB)
 	if err != nil {
 		return err
 	}

cmd/okms/keys/keys.go

@@ -28,8 +28,8 @@ import (
 
 func newListServiceKeysCmd() *cobra.Command {
 	var (
-		keysPageSize uint32
-		listAll      bool
+		pageSize uint32
+		listAll  bool
 	)
 
 	cmd := &cobra.Command{
@@ -47,7 +47,7 @@ func newListServiceKeysCmd() *cobra.Command {
 			if listAll {
 				stateFilter = types.KeyStatesAll
 			}
-			for key, err := range common.Client().ListAllServiceKeys(&keysPageSize, &stateFilter).Iter(cmd.Context()) {
+			for key, err := range common.Client().ListAllServiceKeys(common.GetOkmsId(), &pageSize, &stateFilter).Iter(cmd.Context()) {
 				exit.OnErr(err)
 				keys.ObjectsList = append(keys.ObjectsList, *key)
 			}
@@ -75,7 +75,7 @@ func newListServiceKeysCmd() *cobra.Command {
 		},
 	}
 
-	cmd.Flags().Uint32Var(&keysPageSize, "page-size", 100, "Number of keys to fetch per page (between 10 and 500)")
+	cmd.Flags().Uint32Var(&pageSize, "page-size", 100, "Number of keys to fetch per page (between 10 and 500)")
 	cmd.Flags().BoolVarP(&listAll, "all", "A", false, "List all keys (including deactivated and deleted ones)")
 	return cmd
 }
@@ -115,7 +115,7 @@ func newAddServiceKeyCmd() *cobra.Command {
 				body.Size = &keySizeEnum
 			}
 
-			resp := exit.OnErr2(common.Client().CreateImportServiceKey(cmd.Context(), nil, body))
+			resp := exit.OnErr2(common.Client().CreateImportServiceKey(cmd.Context(), common.GetOkmsId(), nil, body))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -141,7 +141,7 @@ func newGetServiceKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, nil))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, nil))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -159,7 +159,7 @@ func newExportPublicKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, utils.PtrTo(types.Jwk)))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, utils.PtrTo(types.Jwk)))
 			if resp.Keys == nil || len(*resp.Keys) == 0 {
 				exit.OnErr(errors.New("Server returned no key"))
 			}
@@ -228,10 +228,10 @@ func newImportServiceKeyCmd() *cobra.Command {
 			key := flagsmgmt.BytesFromArg(args[1], 8192)
 			var resp *types.GetServiceKeyResponse
 			if !symmetric {
-				resp = exit.OnErr2(common.Client().ImportKeyPairPEM(cmd.Context(), key, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
+				resp = exit.OnErr2(common.Client().ImportKeyPairPEM(cmd.Context(), common.GetOkmsId(), key, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
 			} else {
 				k := exit.OnErr2(base64.StdEncoding.DecodeString(string(key)))
-				resp = exit.OnErr2(common.Client().ImportKey(cmd.Context(), k, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
+				resp = exit.OnErr2(common.Client().ImportKey(cmd.Context(), common.GetOkmsId(), k, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
 			}
 
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
@@ -310,12 +310,12 @@ func newDeleteKeyCmd() *cobra.Command {
 					continue
 				}
 				if force {
-					if err := common.Client().DeactivateServiceKey(cmd.Context(), keyId, types.Unspecified); err != nil {
+					if err := common.Client().DeactivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, types.Unspecified); err != nil {
 						errs = append(errs, fmt.Errorf("Failed to deactivate key %q: %w", id, err))
 						continue
 					}
 				}
-				if err := common.Client().DeleteServiceKey(cmd.Context(), keyId); err != nil {
+				if err := common.Client().DeleteServiceKey(cmd.Context(), common.GetOkmsId(), keyId); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to delete key %q: %w", id, err))
 				}
 			}
@@ -342,7 +342,7 @@ func newDeactivateKeyCmd() *cobra.Command {
 					errs = append(errs, fmt.Errorf("Invalid Key ID %q: %w", id, err))
 					continue
 				}
-				if err := common.Client().DeactivateServiceKey(cmd.Context(), keyId, revocationReason.RestModel()); err != nil {
+				if err := common.Client().DeactivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, revocationReason.RestModel()); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to deactivate key %q: %w", id, err))
 				}
 			}
@@ -366,7 +366,7 @@ func newActivateKeyCmd() *cobra.Command {
 					errs = append(errs, fmt.Errorf("Invalid Key ID %q: %w", id, err))
 					continue
 				}
-				if err := common.Client().ActivateServiceKey(cmd.Context(), keyId); err != nil {
+				if err := common.Client().ActivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to activate key %q: %w", id, err))
 				}
 			}
@@ -388,7 +388,7 @@ func newUpdateKeyCmd() *cobra.Command {
 			if name != "" {
 				body.Name = name
 			}
-			resp := exit.OnErr2(common.Client().UpdateServiceKey(cmd.Context(), keyId, body))
+			resp := exit.OnErr2(common.Client().UpdateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, body))
 			printServiceKey(resp)
 		},
 	}

cmd/okms/keys/sign.go

@@ -41,7 +41,7 @@ In both cases, DATA can be either plain text, a '-' to read from stdin, or a fil
 	signCmd.Run = func(cmd *cobra.Command, args []string) {
 		data := readDigest(params.signatureAlgorithm, args[1], "Signing", noProgress)
 		keyId := exit.OnErr2(uuid.Parse(args[0]))
-		signature := exit.OnErr2(common.Client().Sign(cmd.Context(), keyId, nil, params.signatureAlgorithm.Alg(), true, data))
+		signature := exit.OnErr2(common.Client().Sign(cmd.Context(), common.GetOkmsId(), keyId, nil, params.signatureAlgorithm.Alg(), true, data))
 		if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 			output.JsonPrint(signature)
 		} else {
@@ -81,7 +81,7 @@ SIGNATURE can also be passed from a file or stdin using '-' or '@'. Stdin can ho
 		signature := flagsmgmt.StringFromArg(args[2], 8192)
 		keyId := exit.OnErr2(uuid.Parse(args[0]))
 		if !local {
-			valid := exit.OnErr2(common.Client().Verify(cmd.Context(), keyId, params.signatureAlgorithm.Alg(), true, data, signature))
+			valid := exit.OnErr2(common.Client().Verify(cmd.Context(), common.GetOkmsId(), keyId, params.signatureAlgorithm.Alg(), true, data, signature))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(valid)
 			} else if valid {
@@ -91,7 +91,7 @@ SIGNATURE can also be passed from a file or stdin using '-' or '@'. Stdin can ho
 				exit.OnErr(errors.New("Signature invalid"))
 			}
 		} else {
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, utils.PtrTo(types.Jwk)))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, utils.PtrTo(types.Jwk)))
 			if len(*resp.Keys) == 0 {
 				exit.OnErr(errors.New("The server returned no key"))
 			}

cmd/okms/secrets/config.go

@@ -33,7 +33,7 @@ func kvReadConfigCommand() *cobra.Command {
 		Short: "Reads secret engine configuration",
 		Args:  cobra.NoArgs,
 		Run: func(cmd *cobra.Command, args []string) {
-			resp := exit.OnErr2(common.Client().GetSecretConfig(cmd.Context()))
+			resp := exit.OnErr2(common.Client().GetSecretConfig(cmd.Context(), common.GetOkmsId()))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -82,7 +82,7 @@ func kvWriteConfigCommand() *cobra.Command {
 				MaxVersions:        m,
 			}
 
-			exit.OnErr(common.Client().PostSecretConfig(cmd.Context(), body))
+			exit.OnErr(common.Client().PostSecretConfig(cmd.Context(), common.GetOkmsId(), body))
 		},
 	}
 

cmd/okms/secrets/metadata.go

@@ -35,7 +35,7 @@ func kvGetMetadataCommand() *cobra.Command {
 		Short: "Retrieves path metadata from the KV store",
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
-			resp := exit.OnErr2(common.Client().GetSecretsMetadata(cmd.Context(), args[0], false))
+			resp := exit.OnErr2(common.Client().GetSecretsMetadata(cmd.Context(), common.GetOkmsId(), args[0], false))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else if resp.Data != nil {
@@ -141,7 +141,7 @@ func kvPutMetadataCommand() *cobra.Command {
 				CustomMetadata:     &customMetadata,
 			}
 
-			exit.OnErr(common.Client().PostSecretMetadata(cmd.Context(), args[0], body))
+			exit.OnErr(common.Client().PostSecretMetadata(cmd.Context(), common.GetOkmsId(), args[0], body))
 		},
 	}
 
@@ -187,7 +187,7 @@ func kvPatchMetadataCommand() *cobra.Command {
 				CustomMetadata:     &customMetadata,
 			}
 
-			exit.OnErr(common.Client().PatchSecretMetadata(cmd.Context(), args[0], body))
+			exit.OnErr(common.Client().PatchSecretMetadata(cmd.Context(), common.GetOkmsId(), args[0], body))
 		},
 	}
 
@@ -204,7 +204,7 @@ func kvDeleteMetadataCommand() *cobra.Command {
 		Short: "Deletes all versions and metadata for the provided path.",
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
-			exit.OnErr(common.Client().DeleteSecretMetadata(cmd.Context(), args[0]))
+			exit.OnErr(common.Client().DeleteSecretMetadata(cmd.Context(), common.GetOkmsId(), args[0]))
 		},
 	}
 }