more implementation of runtime unlock

models/secret.go

@@ -156,42 +156,48 @@ func (s *Secret) UpdateSecret() (*Secret, error) {
 func (s *Secret) EncryptSecret() (*Secret, error) {
 
 	//keyString := os.Getenv("SECRETS_KEY")
-	keyString := secretKey
+	//keyString := secretKey
 
 	// The key argument should be the AES key, either 16 or 32 bytes
 	// to select AES-128 or AES-256.
-	key := []byte(keyString)
+	//key := []byte(keyString)
+	key, err := ProvideKey()
+	if err != nil {
+		return s, err
+	}
+
 	plaintext := []byte(s.Secret)
 
-	//log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
+	log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
 
+	// TODO : move block and aesgcm generation to separate function since the identical code is used for encrypt and decrypt
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		log.Printf("EncryptSecret NewCipher error '%s'\n", err)
 		return s, err
 	}
 
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		log.Printf("EncryptSecret NewGCM error '%s'\n", err)
+		return s, err
+	}
+
 	// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
 	nonce := make([]byte, nonceSize)
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		log.Printf("EncryptSecret nonce generation error '%s'\n", err)
 		return s, err
 	}
-	//log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
-
-	aesgcm, err := cipher.NewGCM(block)
-	if err != nil {
-		log.Printf("EncryptSecret NewGCM error '%s'\n", err)
-		return s, err
-	}
+	log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
 
 	ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
-	//log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
+	log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
 
 	// Create a new slice to store nonce at the start and then the resulting ciphertext
 	// Nonce is always 12 bytes
 	combinedText := append(nonce, ciphertext...)
-	//log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
+	log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
 
 	// Store the value back into the struct ready for database operations
 	s.Secret = hex.EncodeToString(combinedText)
@@ -205,9 +211,13 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 	// The key argument should be the AES key, either 16 or 32 bytes
 	// to select AES-128 or AES-256.
 	//keyString := os.Getenv("SECRETS_KEY")
-	keyString := secretKey
+	//keyString := secretKey
 
-	key := []byte(keyString)
+	//key := []byte(keyString)
+	key, err := ProvideKey()
+	if err != nil {
+		return s, err
+	}
 
 	if len(s.Secret) < nonceSize {
 		log.Printf("DecryptSecret ciphertext is too short to decrypt\n")
@@ -220,13 +230,13 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 		return s, err
 	}
 
-	//log.Printf("DecryptSecret processing secret '%x'\n", crypted)
+	log.Printf("DecryptSecret processing secret '%x'\n", crypted)
 
 	// The nonce is the first 12 bytes from the ciphertext
 	nonce := crypted[:nonceSize]
 	ciphertext := crypted[nonceSize:]
 
-	//log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
+	log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
 
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -246,7 +256,7 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 		return s, err
 	}
 
-	//log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
+	log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
 
 	s.Secret = string(plaintext)
 	return s, nil