
crossing-go's Introduction

🚸 crossing-go

🚸 Description

Crossing is a utility for storing objects in S3 while taking advantage of client-side envelope encryption with KMS. The native AWS CLI tool does not have an easy way to do client-side encrypted uploads into S3.

This utility allows you to do client side encrypted uploads to S3 from the command line, allowing you to quickly upload files to S3 securely. It is a golang implementation of crossing, a Ruby utility.

🚸 AWS Profile

Please note that crossing-go requires that your AWS credentials are properly configured. See Configuration and Credentials Files.

🚸 Go Modules

Crossing-go has moved to go modules for dependency management.

Prerequisites:
* Install latest Go 1.11 release

Using go modules

When starting a new terminal session you can set an environment variable:
export GO111MODULE=on

or
GO111MODULE=on go [command]

🚸 Build

git clone git@github.com:stelligent/crossing-go.git
cd crossing-go
go build

🚸 Verify Build

Change into the directory where crossing-go was built

./crossing-go --version
crossing-go version 0.0.5

🚸 Usage

Crossing is designed to be simple to use. To upload, you just need to provide a filepath, bucket location, region and which KMS key to use.

crossing-go put \
  --kms-key-id abcde-12345-abcde-12345 \
  sourcefile destinationlocation

or with a KMS alias

crossing-go put \
  --kms-key-id 'alias/foo' \
  sourcefile destinationlocation

Downloading is basically the same:

crossing-go get \
  sourcelocation destinationfile

Where destinationlocation and sourcelocation are of the form s3://bucketname/objectprefix/object. If destinationfile is omitted, the last part of the sourcelocation key is used as the filename. That is, s3://foo/bar/baz.txt would be written to baz.txt. If destinationlocation is a bare bucket or ends in "/", a destination object is created with the same name as the sourcefile. If destinationfile is a directory, a file is created with the object key as the filename.

A special feature is the ability to download a YAML-compatible file and print all of its values as environment variable exports, suitable for sourcing in a shell.

s3://foo/test.yml
---
a: foo
b: bar
c:
  d: cat
  e: dog
f:
  - 1
  - 2

crossing-go env s3://foo/test.yml

outputs

export a="foo"
export b="bar"
export c__d="cat"
export c__e="dog"
export f__0="1"
export f__1="2"

Additionally, a "-p" / "--prefix" option lets you specify a prefix:

crossing-go env -p testyml s3://foo/test.yml

outputs

export testyml__a="foo"
export testyml__b="bar"
export testyml__c__d="cat"
export testyml__c__e="dog"
export testyml__f__0="1"
export testyml__f__1="2"

🚸 Contributing

Contributing to crossing-go will require that unit tests pass. To run unit tests in a go module environment please follow the instructions under the go modules heading first.

Tests are located in each submodule's directory:

├── cmd
│   ├── env.go
│   ├── get.go
│   ├── get_test.go
│   ├── put.go
│   ├── put_test.go
│   ├── root.go
│   ├── root_test.go
│   ├── util.go
│   └── util_test.go
├── crypto
│   ├── aes_cbc_content_cipher.go
│   ├── aes_cbc_content_cipher_test.go
│   ├── aes_cbc.go
│   ├── aes_cbc_test.go
│   ├── cipher_util.go
│   └── pkcs5_padder.go

Running tests for cmd module using the temp AWS profile:

cd cmd
AWS_PROFILE=temp go test ./...
ok github.com/stelligent/crossing-go/cmd

🚸 Contributing

Crossing-go has moved to go modules for dependency management. Unit tests can be run locally via the go test command.

~/crossing-go/cmd$ go test
crossing-go implements get/put to S3 using KMS envelope client-side encryption with the AWS SDK. It is intended to be object compatible with the Ruby crossing utility.

Usage:
crossing-go [command]

Available Commands:
env         Retrieve an object from S3 and export as environment variables
get         Retrieve an object from S3
help        Help about any command
put         Upload a file to S3

Flags:
    --config string   config file (default is $HOME/.crossing-go.yaml)
-h, --help            help for crossing-go
    --version         version for crossing-go

Use "crossing-go [command] --help" for more information about a command.
PASS
ok      github.com/stelligent/crossing-go/cmd   0.006s

Integration tests are run to ensure the application can make proper API calls to AWS. This means that an authentication token is required or that the AWS CLI must be configured with an access key id and access key. The example below uses an aws-vault setup with MFA.

~/crossing-go/cmd$ aws-vault exec home -- go test -all
wrote 5 bytes
Waiting for bucket "crossinggojqvzsgmyj" to be created...
Bucket "crossinggojqvzsgmyj" successfully created
Successfully configured versioning "{\n\n}"{
KeyMetadata: {
AWSAccountId: "324320755747",
Arn: "arn:aws:kms:us-east-2:324320755747:key/54348bc1-6e3b-4cda-8b18-c6033ca7d328",
CreationDate: 2019-07-12 18:23:13 +0000 UTC,
Description: "",
Enabled: true,
KeyId: "54348bc1-6e3b-4cda-8b18-c6033ca7d328",
KeyManager: "CUSTOMER",
KeyState: "Enabled",
KeyUsage: "ENCRYPT_DECRYPT",
Origin: "AWS_KMS"
}
}
Returning key: "54348bc1-6e3b-4cda-8b18-c6033ca7d328"{

}
{ "VersionId": "IqAC410t2VPQON6xubtS0BO_JPMeESP8" }
PASS
Deleted:  {
VersionId: "IqAC410t2VPQON6xubtS0BO_JPMeESP8"
}
Waiting for object to be deleted: "dat1", Id: "IqAC410t2VPQON6xubtS0BO_JPMeESP8"Delete was successful {

}
Key deletion scheduled:  {
DeletionDate: 2019-07-20 00:00:00 +0000 UTC,
KeyId: "arn:aws:kms:us-east-2:324320755747:key/54348bc1-6e3b-4cda-8b18-c6033ca7d328"
}
ok      github.com/stelligent/crossing-go/integration   2.963s

CAVEATS / KNOWN BUGS

The "env" subcommand does not correctly escape shell strings
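
The env output shown earlier wraps values in double quotes, and inside double quotes a shell still expands $(...), backticks and $VAR when the output is sourced. The sketch below is an added example, not crossing-go's own code: it emits the same key__subkey export lines with single-quoted values and rejects keys that are not legal shell variable names. The names shellQuote, exports and validName are hypothetical, and the input is assumed to be already decoded into map[string]interface{} / []interface{}.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`) // legal shell variable names

// shellQuote single-quotes s (nothing expands inside '...') and rewrites
// each embedded ' as '\'' (close quote, escaped quote, reopen quote).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// exports flattens a decoded YAML value into sorted export lines, joining
// nested keys with "__". Hypothetical helper, not crossing-go's own code.
func exports(path []string, v interface{}) ([]string, error) {
	children := map[string]interface{}{}
	switch t := v.(type) {
	case map[string]interface{}:
		children = t
	case []interface{}:
		for i, e := range t {
			children[fmt.Sprint(i)] = e
		}
	default: // scalar leaf: validate the variable name, quote the value
		name := strings.Join(path, "__")
		if !validName.MatchString(name) {
			return nil, fmt.Errorf("unsafe variable name %q", name)
		}
		return []string{"export " + name + "=" + shellQuote(fmt.Sprint(t))}, nil
	}
	var out []string
	for k, c := range children {
		sub, err := exports(append(path, k), c)
		if err != nil {
			return nil, err
		}
		out = append(out, sub...)
	}
	sort.Strings(out)
	return out, nil
}

func main() { // constructed sample value containing a quote and a substitution
	fmt.Println(exports(nil, map[string]interface{}{"a": "it's $(date)"}))
}
```

Passing []string{"testyml"} as the initial path reproduces the "-p testyml" prefix behaviour; a top-level list with no prefix is rejected because a name such as 0 is not a valid shell identifier.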

🚸 License

Refer to LICENSE.md


crossing-go's Issues

Preserve a directory structure in multi-file upload using glob

Background:
There is another ticket to allow for glob patterns. In this case, there should be a switch which determines if the directory is flattened, or preserved in the upload

Depends On: #8

ToDo:
Add a flag to crossing-go put which will determine if the directory structure is preserved on multi-file upload. Something like --preserve, -p. The default behavior should also be defined.
Example:
crossing-go put -k alias/crossing-go-key -p -b s3://my-big-bucket/sub-folder ./**/*.py

Upload files using a glob pattern

Background:
There is another ticket which is supposed to allow for multiple file uploads. It would also be beneficial to allow for regex/wildcards and the ability to preserve a directory structure in S3.

Depends On: #7

ToDo:
Extend the existing upload functionality to also accept glob-type patterns (*,?,[a-Z], etc) and upload all the files matching that pattern. Multiple patterns should also be supported, and if duplicates are found, only upload once
Example:
crossing-go put -k alias/crossing-go-key -b s3://my-big-bucket ./*.go ./*.py

Multiple File Download

Background:
Currently, crossing-go allows for downloading a single KMS encrypted file. It would be great to extend that to numerous files

ToDo:
Take multiple files as arguments to crossing-go get and download them from S3.
Example:
crossing-go get <s3_location> <local_destination> <s3_location> <local_destination> <s3_location> <local_destination>

Multiple File Upload Extension

Background:
There is another ticket to allow multi-file uploads. It would be nice to extend this to remove the need for continuously pointing to an endpoint

Dependent On: #6

ToDo:
Extend crossing-go put to add the --bucket, -b flag and then just list a group of files like so:
crossing-go put -k alias/crossing-go-key --bucket my-bucket-name/folder-name <local_file> <local_file> <continues arbitrarily>

The bucket would need to be smart enough to add s3:// for names that are missing it, and also to separate on the first forward slash, since the AWS API requires bucket and keyname to be separate.

Definition of Done:

  • crossing-go includes the new --bucket, -b flag
  • All files listed after the flag, are placed in the same endpoint

Multiple File Upload

Background
Currently, crossing-go allows for uploading a single KMS encrypted file. It would be advantageous to pull more than one

ToDo:
Take multiple files as an argument to crossing-go put and upload them to S3. The command would look like the following:
crossing-go put -k alias/crossing-go-key <local_file> <s3_destination> <local_file> <s3_destination>

Definition of Done:

  • crossing-go can put multiple files to S3
  • Each file provided, can be put to a different endpoint

Preserve a directory structure in glob pattern download

Background:
There is another ticket to allow for glob patterns. In this case, there should be a switch which determines if the directory is flattened, or preserved in the download

Depends On: #11

ToDo:
Add a flag to crossing-go get which will determine if the directory structure is preserved on multi-file download. Something like --preserve, -p. The default behavior should also be defined.
Example:
crossing-go get -p s3://my-big-bucket/**/*.go ./

crossing-go integration testing

As of now, crossing-go does not have any integration testing incorporated in order to safely move changes into the master branch.

crossing-go building and testing on circle-ci

I know we (Stelligent) have a circle-ci account which we use to build/test mu commits. We need the same thing set up for crossing-go.

Which also begs the question - how do we improve the testing of crossing-go?

Non KMS encrypted keys give misleading error

Background:
When attempting to use crossing-go get s3://some-bucket/keyname - if the key isn't encrypted, crossing says it doesn't exist

Solution:
Adjust the error to instead say the file isn't encrypted, and s3 sync or s3 cp should be used

Download using glob pattern

Background:
There is another ticket which is supposed to allow for multiple file downloads. It would also be beneficial to allow for regex/wildcards.

Depends On: #10

ToDo:
Extend the existing download functionality to also accept glob-type patterns (*,?,[a-Z], etc) and download all the files matching that pattern. Multiple patterns should also be supported, and if duplicates are found, only upload once
Example:
crossing-go get s3://bucket-name/**/*.py ./first-glob-location/ s3://second-bucket-name/**/*.go ./second-glob-location/

Allow pulling versions with crossing-go

Add an option like crossing-go get --version $VERSION_ID to allow for pulling versions of files in S3

Relevant documentation: https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#GetObjectInput
Spot to add the version: https://github.com/stelligent/crossing-go/blob/master/cmd/get.go#L76

Note:
This will also require changing the Maximum number of arguments allowed for the "get" command. You'll have to provide a flag and the VersionId which means the max number of arguments should be 4. Then, you'll have to change how the s3 url is detected. Instead of assuming it's at position 0 of the args.

Finally, consider adding some validation to the VersionId to make sure the input is correct
