WIP: Generate singular HMAC key and save it in the database

Neon-White · Neon-White · commit cf69a0b1d5f3 · 2024-03-26T20:01:26.000+01:00
Signed-off-by: Ben &lt;belimele@redhat.com&gt;
diff --git a/src/sdk/namespace_gcp.js b/src/sdk/namespace_gcp.js
@@ -27,6 +27,10 @@ class NamespaceGCP {
     *      private_key: string,
     *      access_mode: string,
     *      stats: import('./endpoint_stats_collector').EndpointStatsCollector,
+    *      hmac_key: {
+    *         access_id: string,
+    *         secret_key: string,
+    *      }
     * }} params
     */
     constructor({
@@ -37,26 +41,16 @@ class NamespaceGCP {
         private_key,
         access_mode,
         stats,
+        hmac_key,
     }) {
         this.namespace_resource_id = namespace_resource_id;
         this.project_id = project_id;
         this.client_email = client_email;
         this.private_key = private_key;
-        this.gcs = new GoogleCloudStorage({
-            projectId: this.project_id,
-            credentials: {
-                client_email: this.client_email,
-                private_key: this.private_key,
-            }
-        });
-        this.gcs.createHmacKey(client_email).then(res => {
-            this.hmac_key = res[0];
-            this.hmac_secret = res[1];
-        });
         this.s3_client = new AWS.S3({
             endpoint: 'https://storage.googleapis.com',
-            accessKeyId: this.hmac_key,
-            secretAccessKey: this.hmac_secret
+            accessKeyId: hmac_key.access_id,
+            secretAccessKey: hmac_key.secret_key
         });
 
         this.bucket = target_bucket;
diff --git a/src/sdk/object_sdk.js b/src/sdk/object_sdk.js
@@ -402,6 +402,7 @@ class ObjectSDK {
     /**
      * @returns {nb.Namespace}
      */
+    // resource is a namespace_resource
     _setup_single_namespace({ resource: r, path: p }, bucket_id, options) {
 
         if (r.endpoint_type === 'NOOBAA') {
@@ -461,6 +462,7 @@ class ObjectSDK {
                 private_key,
                 access_mode: r.access_mode,
                 stats: this.stats,
+                hmac_key: r.gcp_hmac_key,
             });
         }
         if (r.fs_root_path || r.fs_root_path === '') {
diff --git a/src/server/system_services/account_server.js b/src/server/system_services/account_server.js
@@ -737,6 +737,26 @@ async function add_external_connection(req) {
         };
     }
 
+    // If the connection is for Google, generate an HMAC key for S3-compatible actions (e.g. multipart uploads)
+    if (info.endpoint_type === 'GOOGLE') {
+        dbg.log0('add_external_connection: creating HMAC key for Google connection')
+        const key_file = JSON.parse(req.rpc_params.secret.unwrap());
+        const credentials = _.pick(key_file, 'client_email', 'private_key');
+        const gs_client = new GoogleStorage({ credentials, projectId: key_file.project_id });
+        try {
+            const [hmac_key, secret] = await gs_client.createHmacKey(credentials.client_email);
+            info.gcp_hmac_key = {
+                access_id: hmac_key.metadata.accessId,
+                secret_key: system_store.master_key_manager.encrypt_sensitive_string_with_master_key_id(
+                    new SensitiveString(secret), req.account.master_key_id._id)
+            };
+            } catch (err) {
+            // The most likely reason is that the storage account already has 10 existing HMAC keys, which is the limit
+            dbg.error('add_external_connection: failed to create HMAC key for Google connection', err);
+            throw new RpcError('INTERNAL_ERROR', 'Failed to create HMAC key for Google connection');
+        }
+    }
+
     info.cp_code = req.rpc_params.cp_code || undefined;
     info.auth_method = req.rpc_params.auth_method || config.DEFAULT_S3_AUTH_METHOD[info.endpoint_type] || undefined;
     info = _.omitBy(info, _.isUndefined);
diff --git a/src/server/system_services/master_key_manager.js b/src/server/system_services/master_key_manager.js
@@ -335,6 +335,13 @@ class MasterKeysManager {
                                 decipher: crypto.createDecipheriv(m_key.cipher_type, m_key.cipher_key, m_key.cipher_iv)
                             }, undefined);
                         }
+                        if (keys.gcp_hmac_key?.secret_key) {
+                            keys.gcp_hmac_key.secret_key = await this.secret_keys_cache.get_with_cache({
+                                encrypted_value: keys.gcp_hmac_key.secret_key,
+                                decipher: crypto.createDecipheriv(m_key.cipher_type, m_key.cipher_key, m_key.cipher_iv)
+                            }, undefined);
+                        
+                        }
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -335,6 +335,13 @@ class MasterKeysManager {`
`335`	`335`	`decipher: crypto.createDecipheriv(m_key.cipher_type, m_key.cipher_key, m_key.cipher_iv)`
`336`	`336`	`}, undefined);`
`337`	`337`	`}`
	`338`	`+ if (keys.gcp_hmac_key?.secret_key) {`
	`339`	`+ keys.gcp_hmac_key.secret_key = await this.secret_keys_cache.get_with_cache({`
	`340`	`+ encrypted_value: keys.gcp_hmac_key.secret_key,`
	`341`	`+ decipher: crypto.createDecipheriv(m_key.cipher_type, m_key.cipher_key, m_key.cipher_iv)`
	`342`	`+ }, undefined);`
	`343`	`+`
	`344`	`+ }`
`338`	`345`	`}`
`339`	`346`	`}`
`340`	`347`	`}`