fix: changing aws kms library to aws-sdk-kms to rusto (#203)

juspay · Aug 14, 2024 · a455f93 · a455f93
1 parent 49562b7
commit a455f93
Show file tree

Hide file tree

Showing 8 changed files with 539 additions and 113 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -52,8 +52,6 @@ reqwest = { version = "0.11.18", features = ["json"] }
 jsonschema = "~0.17"
 jsonlogic = { git = "https://github.com/juspay/jsonlogic_rs.git", version = "0.5.3" }
 rs-snowflake = "0.6.0"
-rusoto_kms = "0.48.0"
-rusoto_signature = "0.48.0"
 bytes = "1.4.0"
 rusoto_core = "0.48.0"
 rand = "0.8.5"
@@ -69,6 +67,8 @@ leptos_actix = { version = "0.6.11" }
 thiserror = { version = "1.0.57" }
 leptos-use = "0.10.3"
 mime = "0.3.17"
+aws-sdk-kms = {version = "1.38.0"}
+aws-config = { version = "1.1.7", features = ["behavior-version-latest"] }
 
 [workspace.lints.clippy]
 mod_module_files = "warn"
diff --git a/crates/context_aware_config/Cargo.toml b/crates/context_aware_config/Cargo.toml
@@ -34,8 +34,6 @@ chrono = { workspace = true }
 # ORM
 diesel = { workspace = true }
 blake3 = { workspace = true }
-rusoto_kms = { workspace = true }
-rusoto_signature = { workspace = true }
 bytes = { workspace = true }
 rusoto_core = { workspace = true }
 base64 = { workspace = true }

diff --git a/crates/service_utils/Cargo.toml b/crates/service_utils/Cargo.toml
@@ -20,8 +20,6 @@ anyhow = { workspace = true }
 strum_macros = { workspace = true }
 strum = { workspace = true }
 diesel = { workspace = true }
-rusoto_kms = { workspace = true }
-rusoto_signature = { workspace = true }
 bytes = { workspace = true }
 rusoto_core = { workspace = true }
 base64 = { workspace = true }
@@ -37,6 +35,8 @@ once_cell = { workspace = true }
 regex = { workspace = true }
 mime = { workspace = true }
 superposition_types = { path="../superposition_types" }
+aws-sdk-kms = {workspace = true}
+aws-config = {workspace = true}
 
 [lints]
 workspace = true
diff --git a/crates/service_utils/src/aws/kms.rs b/crates/service_utils/src/aws/kms.rs
@@ -1,46 +1,33 @@
-use crate::{helpers::get_from_env_unsafe, BASE64_ENGINE};
-use base64::Engine;
-use bytes::Bytes;
-use rusoto_kms::{DecryptRequest, DecryptResponse, Kms, KmsClient};
-use rusoto_signature::region::Region;
+use crate::helpers::get_from_env_unsafe;
+use aws_sdk_kms::{primitives::Blob, Client};
+use base64::{engine::general_purpose, Engine};
 
-//TODO refactor below code
-pub async fn decrypt(client: KmsClient, secret_name: &str) -> String {
-    let cypher = get_from_env_unsafe(secret_name)
-        .map(|x: String| BASE64_ENGINE.decode(x).unwrap())
-        .unwrap_or_else(|_| panic!("{secret_name} not found in env"));
-    let req = DecryptRequest {
-        ciphertext_blob: Bytes::from(cypher),
-        encryption_algorithm: None,
-        encryption_context: None,
-        grant_tokens: None,
-        //NOTE we use symmetric key encryption therefore key_id is optional
-        key_id: None,
-    };
-    let decrypt_resp = Kms::decrypt(&client, req).await;
-    match decrypt_resp {
-        Ok(DecryptResponse {
-            plaintext: Some(data),
-            ..
-        }) => String::from_utf8(data.to_vec()).unwrap_or_else(|_| {
-            panic!("Could not convert kms val for {secret_name} to utf8")
-        }),
-        e => panic!("KMS decryption failed for {secret_name} with error {e:?}"),
-    }
-}
-
-pub fn new_client() -> KmsClient {
-    //TODO make this an enum and add to appstate
-    let app_env: String = get_from_env_unsafe("APP_ENV").unwrap_or(String::from("PROD"));
+pub async fn decrypt(aws_kms_cli: Client, key: &str) -> String {
+    let key_value_env: String =
+        get_from_env_unsafe(key).expect(&format!("{key} not present in env"));
+    let key_value_enc = general_purpose::STANDARD
+        .decode(key_value_env)
+        .expect("Input string does not contain valid base 64 characters.");
 
-    let kms_region = match app_env.as_str() {
-        "DEV" => Region::Custom {
-            name: get_from_env_unsafe("AWS_REGION").unwrap_or(String::from("ap-south-1")),
-            endpoint: get_from_env_unsafe("AWS_REGION_ENDPOINT")
-                .unwrap_or(String::from("http://localhost:4566")),
-        },
-        _ => get_from_env_unsafe("AWS_REGION").unwrap_or(Region::ApSouth1),
-    };
+    let key_value_bytes_result = aws_kms_cli
+        .decrypt()
+        .ciphertext_blob(Blob::new(key_value_enc))
+        .send()
+        .await;
+    let key_value: String = String::from_utf8(
+        key_value_bytes_result
+            .expect(&format!("Failed to decrypt {key}"))
+            .plaintext()
+            .expect(&format!("Failed to get plaintext value for {key}"))
+            .as_ref()
+            .to_vec(),
+    )
+    .expect("Could not convert to UTF-8");
+    key_value
+}
 
-    KmsClient::new(kms_region)
+pub async fn new_client() -> Client {
+    let config = aws_config::load_from_env().await;
+    let aws_kms_cli = aws_sdk_kms::Client::new(&config);
+    aws_kms_cli
 }
diff --git a/crates/service_utils/src/db/utils.rs b/crates/service_utils/src/db/utils.rs
@@ -15,7 +15,7 @@ pub async fn get_database_url() -> String {
     let db_password: String = if app_env.as_str() == "DEV" || app_env.as_str() == "TEST" {
         get_from_env_or_default("DB_PASSWORD", "docker".into())
     } else {
-        let kms_client = kms::new_client();
+        let kms_client = kms::new_client().await;
         let db_password_raw = kms::decrypt(kms_client, "DB_PASSWORD").await;
         encode(db_password_raw.as_str()).to_string()
     };

diff --git a/crates/service_utils/src/lib.rs b/crates/service_utils/src/lib.rs
@@ -3,7 +3,3 @@ pub mod db;
 pub mod helpers;
 pub mod middlewares;
 pub mod service;
-
-/// General purpose base64 engine
-pub(crate) const BASE64_ENGINE: base64::engine::GeneralPurpose =
-    base64::engine::general_purpose::STANDARD;
diff --git a/crates/superposition/Cargo.toml b/crates/superposition/Cargo.toml
@@ -36,8 +36,6 @@ chrono = { workspace = true }
 # ORM
 diesel = { workspace = true }
 blake3 = { workspace = true }
-rusoto_kms = { workspace = true }
-rusoto_signature = { workspace = true }
 bytes = { workspace = true }
 rusoto_core = { workspace = true }
 base64 = { workspace = true }