fix: Implement KMS-backed key pair for each organisation (#76)

This PR integrates [`@relaycorp/webcrypto-kms`](https://github.com/relaycorp/webcrypto-kms-js) in such a way that we use a [mock AWS KMS server](https://github.com/nsmithuk/local-kms) in development and can use any supported KMS in production (GCP's in our case). Fixes #4. # Manual testing I tested it with the following HTTP file in WebStorm: ```http ### Create org POST http://veraid-authority.default.10.103.177.106.sslip.io/orgs Content-Type: application/json { "name": "example.com", "memberAccessType": "OPEN" } ### Destroy org DELETE http://veraid-authority.default.10.103.177.106.sslip.io/orgs/example.com ``` And the Local KMS logs showed the key was created and subsequently removed: ``` INFO[2023-04-06 22:36:17.482] Local KMS started on 0.0.0.0:8080 INFO[2023-04-06 22:42:02.194] New RSA_2048 key created: arn:aws:kms:eu-west-2:111122223333:key/88d88fac-abe7-49c4-8f83-a480d2facf8a INFO[2023-04-06 22:43:49.804] Schedule key deletion: arn:aws:kms:eu-west-2:111122223333:key/88d88fac-abe7-49c4-8f83-a480d2facf8a ```
relaycorp · Apr 7, 2023 · a621969 · a621969
1 parent 3285288
commit a621969
Show file tree

Hide file tree

Showing 22 changed files with 3,887 additions and 296 deletions.
diff --git a/k8s/credentials-cm.yml b/k8s/credentials-cm.yml
@@ -3,4 +3,5 @@ kind: ConfigMap
 metadata:
   name: credentials
 data:
-  mongodb_username: root
+  mongodb_username: "root"
+  aws_kms_access_key_id: "access_key_id"
diff --git a/k8s/credentials-secret.yml b/k8s/credentials-secret.yml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Secret
-data:
-  mongodb_password: cGFzc3dvcmQxMjM=
 metadata:
   name: credentials
+data:
+  mongodb_password: cGFzc3dvcmQxMjM=
+  aws_kms_secret_access_key: c2VjcmV0X2FjY2Vzc19rZXkK
diff --git a/k8s/kms.yml b/k8s/kms.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: mock-aws-kms
+  name: mock-aws-kms
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mock-aws-kms
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: mock-aws-kms
+    spec:
+      containers:
+        - image: nsmithuk/local-kms:3.11.4
+          name: mock-aws-kms
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: mock-aws-kms
+  name: mock-aws-kms
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+  selector:
+    app: mock-aws-kms
+  type: ClusterIP
diff --git a/k8s/mongodb.yml b/k8s/mongodb.yml
@@ -66,4 +66,3 @@ spec:
   selector:
     app: mongodb
   type: ClusterIP
-
diff --git a/k8s/service.yml b/k8s/service.yml
@@ -28,3 +28,21 @@ spec:
                   key: mongodb_password
             - name: MONGODB_URI
               value: mongodb://$(MONGODB_USERNAME):$(MONGODB_PASSWORD)@mongodb
+
+            # Mock AWS KMS (used by WebCrypto KMS)
+            - name: KMS_ADAPTER
+              value: AWS
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                configMapKeyRef:
+                  name: credentials
+                  key: aws_kms_access_key_id
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: credentials
+                  key: aws_kms_secret_access_key
+            - name: AWS_KMS_ENDPOINT
+              value: http://mock-aws-kms:8080
+            - name: AWS_KMS_REGION
+              value: eu-west-2
Original file line number	Diff line number	Diff line change
Expand Up		@@ -66,4 +66,3 @@ spec:
		selector:
		app: mongodb
		type: ClusterIP