From 120086be1991d30989973ab77869de344406dcec Mon Sep 17 00:00:00 2001 From: Sam Hazlehurst Date: Tue, 22 Oct 2024 11:55:44 -0400 Subject: [PATCH] [confmap/provider] feat: Add confmap.Provider that supports AES decryption of values (#35549) **Description:** This package provides a `confmap.Provider` implementation for symmetric AES encryption of credentials (and other sensitive values) in configurations. It relies on the environment variable `OTEL_CREDENTIAL_PROVIDER` with the value of the AES key, base64 encoded. 16, 24, or 32 byte keys are supported, selecting AES-128, AES-192, or AES-256 respectively. An AES 32-byte (AES-256) key can be generated using the following command: ```shell openssl rand -base64 32 ``` Configurations can now use placeholders with the following pattern `${credential:}`. The value will be decrypted using the AES key provided in the environment variable `OTEL_CREDENTIAL_PROVIDER` > For example: > > ```shell > export OTEL_CREDENTIAL_PROVIDER="GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=" > ``` > > ```yaml > password: ${aes:RsEf6cTWrssi8tlssfs1AJs2bRMrVm2Ce5TaWPY=} > ``` > > will resolve to: > ```yaml > password: '1' > ``` Since AES is a symmetric encryption algorithm, the same key must be used to encrypt and decrypt the values. If the key is exchanged between the collector and a server, it should be done over a secure connection. When the collector persists its configuration to disk, storing the key in the environment prevents compromising secrets in the configuration. It still presents a vulnerability if the attacker has access to the collector's memory or the environment's configuration, but increases security over plaintext configurations. **Testing:** Unit tests with 93.0% coverage, built agent and configured with `${credential:}` values. **Documentation:** `README.md` reflecting this PR description. **Issue:** https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/35550 --- .chloggen/aes-credential-provider.yaml | 16 +++ .github/CODEOWNERS | 1 + .github/ISSUE_TEMPLATE/bug_report.yaml | 1 + .github/ISSUE_TEMPLATE/feature_request.yaml | 1 + .github/ISSUE_TEMPLATE/other.yaml | 1 + .github/ISSUE_TEMPLATE/unmaintained.yaml | 1 + confmap/provider/aesprovider/Makefile | 1 + confmap/provider/aesprovider/README.md | 33 +++++ confmap/provider/aesprovider/go.mod | 23 ++++ confmap/provider/aesprovider/go.sum | 37 ++++++ confmap/provider/aesprovider/metadata.yaml | 3 + confmap/provider/aesprovider/provider.go | 108 ++++++++++++++++ confmap/provider/aesprovider/provider_test.go | 121 ++++++++++++++++++ versions.yaml | 1 + 14 files changed, 348 insertions(+) create mode 100644 .chloggen/aes-credential-provider.yaml create mode 100644 confmap/provider/aesprovider/Makefile create mode 100644 confmap/provider/aesprovider/README.md create mode 100644 confmap/provider/aesprovider/go.mod create mode 100644 confmap/provider/aesprovider/go.sum create mode 100644 confmap/provider/aesprovider/metadata.yaml create mode 100644 confmap/provider/aesprovider/provider.go create mode 100644 confmap/provider/aesprovider/provider_test.go diff --git a/.chloggen/aes-credential-provider.yaml b/.chloggen/aes-credential-provider.yaml new file mode 100644 index 000000000000..9b6c80fd215e --- /dev/null +++ b/.chloggen/aes-credential-provider.yaml @@ -0,0 +1,16 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: new_component + +# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver) +component: confmap/aesprovider + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Initial aes encryption provider. Allows configurations to decrypt secrets using AES encryption. + +# One or more tracking issues related to the change +issues: [35550] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: \ No newline at end of file diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index c40e3e84ba9d..086da99edc4d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -23,6 +23,7 @@ cmd/telemetrygen/ @open-teleme confmap/provider/s3provider/ @open-telemetry/collector-contrib-approvers @Aneurysm9 confmap/provider/secretsmanagerprovider/ @open-telemetry/collector-contrib-approvers @driverpt @atoulme +confmap/provider/aesprovider/ @open-telemetry/collector-contrib-approvers @djaglowski @shazlehu connector/countconnector/ @open-telemetry/collector-contrib-approvers @djaglowski @jpkrohling connector/datadogconnector/ @open-telemetry/collector-contrib-approvers @mx-psi @dineshg13 @ankitpatel96 diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 04361b20d603..9002805c08d8 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -23,6 +23,7 @@ body: - cmd/otelcontribcol - cmd/oteltestbedcol - cmd/telemetrygen + - confmap/provider/aesprovider - confmap/provider/s3provider - confmap/provider/secretsmanagerprovider - connector/count diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml index 0067eca31d66..0a0d49a2e740 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yaml +++ b/.github/ISSUE_TEMPLATE/feature_request.yaml @@ -17,6 +17,7 @@ body: - cmd/otelcontribcol - cmd/oteltestbedcol - cmd/telemetrygen + - confmap/provider/aesprovider - confmap/provider/s3provider - confmap/provider/secretsmanagerprovider - connector/count diff --git a/.github/ISSUE_TEMPLATE/other.yaml b/.github/ISSUE_TEMPLATE/other.yaml index 875e32b29e98..0a02f8039eab 100644 --- a/.github/ISSUE_TEMPLATE/other.yaml +++ b/.github/ISSUE_TEMPLATE/other.yaml @@ -17,6 +17,7 @@ body: - cmd/otelcontribcol - cmd/oteltestbedcol - cmd/telemetrygen + - confmap/provider/aesprovider - confmap/provider/s3provider - confmap/provider/secretsmanagerprovider - connector/count diff --git a/.github/ISSUE_TEMPLATE/unmaintained.yaml b/.github/ISSUE_TEMPLATE/unmaintained.yaml index 5a86e2567820..defe573a3302 100644 --- a/.github/ISSUE_TEMPLATE/unmaintained.yaml +++ b/.github/ISSUE_TEMPLATE/unmaintained.yaml @@ -22,6 +22,7 @@ body: - cmd/otelcontribcol - cmd/oteltestbedcol - cmd/telemetrygen + - confmap/provider/aesprovider - confmap/provider/s3provider - confmap/provider/secretsmanagerprovider - connector/count diff --git a/confmap/provider/aesprovider/Makefile b/confmap/provider/aesprovider/Makefile new file mode 100644 index 000000000000..bdd863a203be --- /dev/null +++ b/confmap/provider/aesprovider/Makefile @@ -0,0 +1 @@ +include ../../../Makefile.Common diff --git a/confmap/provider/aesprovider/README.md b/confmap/provider/aesprovider/README.md new file mode 100644 index 000000000000..36a5fc7f26c4 --- /dev/null +++ b/confmap/provider/aesprovider/README.md @@ -0,0 +1,33 @@ +## Summary + +This package provides a `confmap.Provider` implementation for symmetric AES encryption of credentials (and other sensitive values) in configurations. It relies on the environment variable `OTEL_AES_CREDENTIAL_PROVIDER` set to the value of the AES key, base64 encoded. 16, 24, or 32 byte keys are supported, selecting AES-128, AES-192, or AES-256 respectively. + +An AES 32-byte (AES-256) key can be generated using the following command: + +```shell +openssl rand -base64 32 +``` + +## How it works + Use placeholders with the following pattern `${aes:}` in a configuration. The value will be decrypted using the AES key provided in the environment variable `OTEL_AES_CREDENTIAL_PROVIDER` + +> For example: +> +> ```shell +> export OTEL_AES_CREDENTIAL_PROVIDER="GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=" +> ``` +> +> ```yaml +> password: ${aes:RsEf6cTWrssi8tlssfs1AJs2bRMrVm2Ce5TaWPY=} +> ``` +> +> will resolve to: +> ```yaml +> password: '1' +> ``` + +## Caveats + +Since AES is a symmetric encryption algorithm, the same key must be used to encrypt and decrypt the values. If the key needs to be exchanged between the collector and a server, it should be done over a secure connection. + +When the collector persists its configuration to disk, storing the key in the environment prevents compromising secrets in the configuration. It still presents a vulnerability if the attacker has access to the collector's memory or the environment's configuration, but increases security over plaintext configurations. \ No newline at end of file diff --git a/confmap/provider/aesprovider/go.mod b/confmap/provider/aesprovider/go.mod new file mode 100644 index 000000000000..a0deb02a2f88 --- /dev/null +++ b/confmap/provider/aesprovider/go.mod @@ -0,0 +1,23 @@ +module github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/aesprovider + +go 1.22.0 + +require ( + github.com/stretchr/testify v1.9.0 + go.opentelemetry.io/collector/confmap v1.17.1-0.20241008154146-ea48c09c31ae + go.uber.org/zap v1.27.0 + +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/go-viper/mapstructure/v2 v2.2.1 // indirect + github.com/knadh/koanf/maps v0.1.1 // indirect + github.com/knadh/koanf/providers/confmap v0.1.0 // indirect + github.com/knadh/koanf/v2 v2.1.1 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/confmap/provider/aesprovider/go.sum b/confmap/provider/aesprovider/go.sum new file mode 100644 index 000000000000..dd38312c6c3b --- /dev/null +++ b/confmap/provider/aesprovider/go.sum @@ -0,0 +1,37 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss= +github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/knadh/koanf/maps v0.1.1 h1:G5TjmUh2D7G2YWf5SQQqSiHRJEjaicvU0KpypqB3NIs= +github.com/knadh/koanf/maps v0.1.1/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI= +github.com/knadh/koanf/providers/confmap v0.1.0 h1:gOkxhHkemwG4LezxxN8DMOFopOPghxRVp7JbIvdvqzU= +github.com/knadh/koanf/providers/confmap v0.1.0/go.mod h1:2uLhxQzJnyHKfxG927awZC7+fyHFdQkd697K4MdLnIU= +github.com/knadh/koanf/v2 v2.1.1 h1:/R8eXqasSTsmDCsAyYj+81Wteg8AqrV9CP6gvsTsOmM= +github.com/knadh/koanf/v2 v2.1.1/go.mod h1:4mnTRbZCK+ALuBXHZMjDfG9y714L7TykVnZkXbMU3Es= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +go.opentelemetry.io/collector/confmap v1.17.1-0.20241008154146-ea48c09c31ae h1:mYgomPNE0dq1SU1OVnMb/Z8Xbj89jBXnjJexz9M71t0= +go.opentelemetry.io/collector/confmap v1.17.1-0.20241008154146-ea48c09c31ae/go.mod h1:GrIZ12P/9DPOuTpe2PIS51a0P/ZM6iKtByVee1Uf3+k= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/confmap/provider/aesprovider/metadata.yaml b/confmap/provider/aesprovider/metadata.yaml new file mode 100644 index 000000000000..41c92fa8bbd5 --- /dev/null +++ b/confmap/provider/aesprovider/metadata.yaml @@ -0,0 +1,3 @@ +status: + codeowners: + active: [djaglowski, shazlehu] \ No newline at end of file diff --git a/confmap/provider/aesprovider/provider.go b/confmap/provider/aesprovider/provider.go new file mode 100644 index 000000000000..7d493754f930 --- /dev/null +++ b/confmap/provider/aesprovider/provider.go @@ -0,0 +1,108 @@ +// Copyright The OpenTelemetry Authors +// SPDX-License-Identifier: Apache-2.0 + +package aesprovider // import "github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/aesprovider" + +import ( + "context" + "crypto/aes" + "crypto/cipher" + "encoding/base64" + "fmt" + "os" + "strings" + + "go.opentelemetry.io/collector/confmap" + "go.uber.org/zap" +) + +const ( + schemaName = "aes" + // This environment variable holds a base64-encoded AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. + keyEnvVar = "OTEL_AES_CREDENTIAL_PROVIDER" +) + +type provider struct { + logger *zap.Logger + key []byte +} + +// NewFactory creates a new provider factory +func NewFactory() confmap.ProviderFactory { + return confmap.NewProviderFactory( + func(settings confmap.ProviderSettings) confmap.Provider { + return &provider{ + logger: settings.Logger, + } + }) +} + +func (*provider) Scheme() string { + return schemaName +} + +func (*provider) Shutdown(context.Context) error { + return nil +} + +func (p *provider) Retrieve(_ context.Context, uri string, _ confmap.WatcherFunc) (*confmap.Retrieved, error) { + + if !strings.HasPrefix(uri, schemaName+":") { + return nil, fmt.Errorf("%q uri is not supported by %q provider", uri, schemaName) + } + + if p.key == nil { + // base64 decode env var + base64Key, ok := os.LookupEnv(keyEnvVar) + if !ok { + return nil, fmt.Errorf("env var %q not set, required for %q provider", keyEnvVar, schemaName) + } + key, err := base64.StdEncoding.DecodeString(base64Key) + if err != nil { + return nil, fmt.Errorf("%q provider uri failed to base64 decode key: %w", schemaName, err) + } + p.key = key + } + + // Remove schemaName + cipherText := strings.Replace(uri, schemaName+":", "", 1) + + clearText, err := p.decrypt(cipherText) + if err != nil { + return nil, fmt.Errorf("%q provider failed to decrypt value: %w", schemaName, err) + } + + return confmap.NewRetrieved(clearText) +} + +func (p *provider) decrypt(cipherText string) (string, error) { + + cipherBytes, err := base64.StdEncoding.DecodeString(cipherText) + if err != nil { + return "", err + } + + block, err := aes.NewCipher(p.key) + if err != nil { + return "", err + } + + aesGCM, err := cipher.NewGCM(block) + if err != nil { + return "", err + } + + nonceSize := aesGCM.NonceSize() + if len(cipherBytes) < nonceSize { + return "", fmt.Errorf("ciphertext too short") + } + + nonce, cipherBytes := cipherBytes[:nonceSize], cipherBytes[nonceSize:] + + clearBytes, err := aesGCM.Open(nil, nonce, cipherBytes, nil) + if err != nil { + return "", err + } + + return string(clearBytes), nil +} diff --git a/confmap/provider/aesprovider/provider_test.go b/confmap/provider/aesprovider/provider_test.go new file mode 100644 index 000000000000..298c01826999 --- /dev/null +++ b/confmap/provider/aesprovider/provider_test.go @@ -0,0 +1,121 @@ +// Copyright The OpenTelemetry Authors +// SPDX-License-Identifier: Apache-2.0 + +package aesprovider + +import ( + "context" + "os" + "testing" + + "github.com/stretchr/testify/require" + "go.opentelemetry.io/collector/confmap" +) + +func TestAESCredentialProvider(t *testing.T) { + + tests := []struct { + name string + configValue string + expectedValue string + expectedError string + envVars map[string]string + }{ + { + name: "Valid type, key, JSON value", + configValue: `aes:RsEf6cTWrssi8tls+5Tlk3H8AQBVT2uVDcJ88zj3Sph1iSN8z97yGlxNrWf7oUHSyS4lISEcuqrQq2sPsvcl480rEajM0DIWNVoPi2ApKhADCygGoRxbykm4Tuce+rx0aWIPj1zDkuBM6NIYI1E9H2gxrH+P89Hlwmwq26S3HkqIvtW/BFAHJ8Z08iIg95NFwdbZBu4bMwY93r0KWhL0Y4xk9PGmCZhHk5jaaCgd5YREhJCH8ahenZ/t71yGdu71gSIVbg1xwGZNDKf9wRpOCW4oVQ+OWORDrgKX+58QZMOu0zjRxIkeFQV66xMIEziLYERW0xnT/GthH2+FdO/OlrUlzTBnQBbgqpp86cW1xKPFE1XeFJAIHXca7sYIjl/bz6csiUGSXKVyzApsz6fQEhaFwPGw7YKg/hN4+AEu7zYwHlpiPZyQZVE8xPEgwAy1ZKKk7nJ391ujXohXEsmc7u40bOdQmvktyjemf3KcYSCSoVqvdm49K8/ZfKgG1LMCSnHMk0HWdVGyO8jjBj3RnhpT1/dQ/aMudwPMsPFE+85GYEPTe9Sjq8erkjLRfGomDYWJhSpMESMovVRKpyjv9W+3xS0fHracj1AIx8iRQ9KNq7YKSX9n+wtE7LXMr6CUxwDs0wm1FCdVpc/JfH7BghbAh9qNSZg7qeNWQO9BG9vVa31EpRTDHOOogzGOQU2APtjc0qU65we6lpShBl2HU6S/5SgjB5m9ZnCsJSqlCQTf/e/Riuvx8l5LBlv1JNbHnLD6LO7xarpEKzR2Nc2N2+6pP86SvVB/ZqxGug06SUckjQbrmVrjU5X0RFWQAb4ZdPUobxk2xOXGhxUxEB/pDv5DcuDaEry97XsYBgzYpCtVZr8uQc5kd5jPcMsVgIYo78t+v+2yvCdYtRSHOrAcrOyBbrXCo1yI4UA9qAmfBE1PWC7km9xdhtlIAA5Szei+2oRxCwSvVO0TeYCwByDmYDolL0Tv5jtdgsPbcgnZsL/b9KRBAUU4wXKVm55mzw3AiOehX/bms84XLnRWZaxN06tJ/DiMbMcatTQP0pxk4zoemVD66wo7dA8U0nrnfP8AMfQmFQ==`, + expectedValue: `{ "type": "service_account", "project_id": "my-test-project-12345", "private_key_id": "abcdef1234567890abcdef1234567890abcdef12", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBALKlO+j9ALhlg5po\nfakePrivateKeyValue+/abc/def/123/fakeData==\n-----END PRIVATE KEY-----\n", "client_email": "test-service-account@my-test-project-12345.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40my-test-project-12345.iam.gserviceaccount.com" }`, + + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=", + }, + }, + + { + name: "Invalid base64 key", + configValue: `aes:RsEf6cTWrssi8tlssfs1AJs2bRMrVm2Ce5TaWPY=`, + expectedError: `"aes" provider uri failed to base64 decode key: illegal base64 data at input byte 25`, + + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8lN8bVU2k0TAKtzwJzac=", + }, + }, + { + name: "Invalid AES key", + configValue: `aes:RsEf6cTWrssi8tls+5Tlk3H8AQBVT2uVDcJ88zj3Sph1iSN8z97yGlxNrWf7oUHSyS4lISEcuqrQq2sPsvcl480rEajM0DIWNVoPi2ApKhADCygGoRxbykm4Tuce+rx0aWIPj1zDkuBM6NIYI1E9H2gxrH+P89Hlwmwq26S3HkqIvtW/BFAHJ8Z08iIg95NFwdbZBu4bMwY93r0KWhL0Y4xk9PGmCZhHk5jaaCgd5YREhJCH8ahenZ/t71yGdu71gSIVbg1xwGZNDKf9wRpOCW4oVQ+OWORDrgKX+58QZMOu0zjRxIkeFQV66xMIEziLYERW0xnT/GthH2+FdO/OlrUlzTBnQBbgqpp86cW1xKPFE1XeFJAIHXca7sYIjl/bz6csiUGSXKVyzApsz6fQEhaFwPGw7YKg/hN4+AEu7zYwHlpiPZyQZVE8xPEgwAy1ZKKk7nJ391ujXohXEsmc7u40bOdQmvktyjemf3KcYSCSoVqvdm49K8/ZfKgG1LMCSnHMk0HWdVGyO8jjBj3RnhpT1/dQ/aMudwPMsPFE+85GYEPTe9Sjq8erkjLRfGomDYWJhSpMESMovVRKpyjv9W+3xS0fHracj1AIx8iRQ9KNq7YKSX9n+wtE7LXMr6CUxwDs0wm1FCdVpc/JfH7BghbAh9qNSZg7qeNWQO9BG9vVa31EpRTDHOOogzGOQU2APtjc0qU65we6lpShBl2HU6S/5SgjB5m9ZnCsJSqlCQTf/e/Riuvx8l5LBlv1JNbHnLD6LO7xarpEKzR2Nc2N2+6pP86SvVB/ZqxGug06SUckjQbrmVrjU5X0RFWQAb4ZdPUobxk2xOXGhxUxEB/pDv5DcuDaEry97XsYBgzYpCtVZr8uQc5kd5jPcMsVgIYo78t+v+2yvCdYtRSHOrAcrOyBbrXCo1yI4UA9qAmfBE1PWC7km9xdhtlIAA5Szei+2oRxCwSvVO0TeYCwByDmYDolL0Tv5jtdgsPbcgnZsL/b9KRBAUU4wXKVm55mzw3AiOehX/bms84XLnRWZaxN06tJ/DiMbMcatTQP0pxk4zoemVD66wo7dA8U0nrnfP8AMfQmFQ==`, + expectedError: `"aes" provider failed to decrypt value: crypto/aes: invalid key size 1`, + + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "MQ==", + }, + }, + + { + name: "simple message", + configValue: "aes:RsEf6cTWrssi8tlssfs1AJs2bRMrVm2Ce5TaWPY=", + expectedValue: "1", + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=", + }, + }, + { + name: "empty message", + configValue: "aes:RsEf6cTWrssi8tlsZ4V68iFEJRFI8o71+QoYYw==", + expectedValue: "", + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=", + }, + }, + { + name: "Truncated base64 value", + configValue: "aes:R=", + expectedError: `"aes" provider failed to decrypt value: illegal base64 data at input byte 1`, + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=", + }, + }, + { + name: "Truncated encryted text", + configValue: "aes:MQ==", + expectedError: `"aes" provider failed to decrypt value: ciphertext too short`, + envVars: map[string]string{ + "OTEL_AES_CREDENTIAL_PROVIDER": "GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=", + }, + }, + { + name: "Wrong schema", + configValue: "foo:MQ==", + expectedError: `"foo:MQ==" uri is not supported by "aes" provider`, + }, + { + name: "No env vars", + configValue: "aes:MQ==", + expectedError: `env var "OTEL_AES_CREDENTIAL_PROVIDER" not set, required for "aes" provider`, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + os.Clearenv() + for k, v := range tt.envVars { + if err := os.Setenv(k, v); err != nil { + t.Fatalf("Failed to set env var %s: %v", k, err) + } + } + + p := NewFactory().Create(confmap.ProviderSettings{}) + retrieved, err := p.Retrieve(context.Background(), tt.configValue, nil) + if tt.expectedError == "" { + require.NoError(t, err) + } else { + require.Error(t, err) + require.Equal(t, tt.expectedError, err.Error()) + return + } + require.NotNil(t, retrieved) + stringValue, err := retrieved.AsString() + require.NoError(t, err) + require.Equal(t, tt.expectedValue, stringValue) + }) + } +} diff --git a/versions.yaml b/versions.yaml index 95dd67608171..3fdd70c13fa8 100644 --- a/versions.yaml +++ b/versions.yaml @@ -9,6 +9,7 @@ module-sets: - github.com/open-telemetry/opentelemetry-collector-contrib/cmd/githubgen - github.com/open-telemetry/opentelemetry-collector-contrib/cmd/opampsupervisor - github.com/open-telemetry/opentelemetry-collector-contrib/cmd/telemetrygen + - github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/aesprovider - github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/s3provider - github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/secretsmanagerprovider - github.com/open-telemetry/opentelemetry-collector-contrib/connector/countconnector