diff --git a/packages/cmd/tokens.go b/packages/cmd/tokens.go index a2e44523..c610374d 100644 --- a/packages/cmd/tokens.go +++ b/packages/cmd/tokens.go @@ -4,8 +4,6 @@ Copyright (c) 2023 Infisical Inc. package cmd import ( - "crypto/rand" - "encoding/base64" "encoding/hex" "fmt" "strings" @@ -115,24 +113,11 @@ var tokensCreateCmd = &cobra.Command{ } } - workspaceKey, err := util.GetPlainTextWorkspaceKey(loggedInUserDetails.UserCredentials.JTWToken, loggedInUserDetails.UserCredentials.PrivateKey, workspaceId) - if err != nil { - util.HandleError(err, "Unable to get workspace key needed to create service token") - } - - newWorkspaceEncryptionKey := make([]byte, 16) - _, err = rand.Read(newWorkspaceEncryptionKey) - if err != nil { - util.HandleError(err) - } - - newWorkspaceEncryptionKeyHexFormat := hex.EncodeToString(newWorkspaceEncryptionKey) - - // encrypt the workspace key symmetrically - encryptedDetails, err := crypto.EncryptSymmetric(workspaceKey, []byte(newWorkspaceEncryptionKeyHexFormat)) + randomBytes, err := crypto.GenerateRandomBytes(16) if err != nil { util.HandleError(err) } + hexEncodedRandomBytes := hex.EncodeToString(randomBytes) // make a call to the api to save the encrypted symmetric key details httpClient, err := util.GetRestyClientWithCustomHeaders() 
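Review bot: The new `crypto.GenerateRandomBytes(16)` call in the second hunk of tokens.go reports failure with a bare `util.HandleError(err)`, while the neighbouring calls in the same hunk pass a message, so a failed CSPRNG read would reach the user as an unexplained error. Suggest `util.HandleError(err, "Unable to generate random bytes for service token")`. The literal 16 is also a magic number that now fixes the length of the secret half of the token (it is hex-encoded and appended to `serviceToken` in the next hunk); a named constant such as `const serviceTokenSecretBytes = 16` would document that. The enclosing tokensCreateCmd Run body starts and ends outside the hunk.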
@@ -144,22 +129,24 @@ var tokensCreateCmd = &cobra.Command{ SetHeader("Accept", "application/json") createServiceTokenResponse, err := api.CallCreateServiceToken(httpClient, api.CreateServiceTokenRequest{ - Name: serviceTokenName, - WorkspaceId: workspaceId, - Scopes: permissions, - ExpiresIn: expireSeconds, - EncryptedKey: base64.StdEncoding.EncodeToString(encryptedDetails.CipherText), - Iv: base64.StdEncoding.EncodeToString(encryptedDetails.Nonce), - Tag: base64.StdEncoding.EncodeToString(encryptedDetails.AuthTag), - RandomBytes: newWorkspaceEncryptionKeyHexFormat, - Permissions: accessLevels, + Name: serviceTokenName, + WorkspaceId: workspaceId, + Scopes: permissions, + ExpiresIn: expireSeconds, + Permissions: accessLevels, + RandomBytes: hexEncodedRandomBytes, + + // No longer required for creating service tokens: + EncryptedKey: "", + Iv: "", + Tag: "", }) if err != nil { util.HandleError(err, "Unable to create service token") } - serviceToken := createServiceTokenResponse.ServiceToken + "." + newWorkspaceEncryptionKeyHexFormat + serviceToken := createServiceTokenResponse.ServiceToken + "." + hexEncodedRandomBytes if tokenOnly { fmt.Println(serviceToken) diff --git a/packages/crypto/crypto.go b/packages/crypto/crypto.go index 2f507ed4..0aeacbe9 100644 --- a/packages/crypto/crypto.go +++ b/packages/crypto/crypto.go @@ -10,6 +10,15 @@ import ( "golang.org/x/crypto/nacl/box" ) +func GenerateRandomBytes(length int) ([]byte, error) { + bytes := make([]byte, length) + _, err := rand.Read(bytes) + if err != nil { + return nil, err + } + return bytes, nil +} + // will decrypt cipher text to plain text using iv and tag func DecryptSymmetric(key []byte, cipherText []byte, tag []byte, iv []byte) ([]byte, error) { // Case: empty string diff --git a/packages/util/secrets.go b/packages/util/secrets.go index 9910df46..9352238e 100644 --- a/packages/util/secrets.go +++ b/packages/util/secrets.go 
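Review bot: `EncryptedKey: ""`, `Iv: ""` and `Tag: ""` assign the zero value explicitly, which is a no-op in a Go struct literal — an omitted field is already empty — so the three lines add noise rather than information. If the intent is to record that the server no longer needs client-side workspace-key encryption, prefer dropping the fields from this literal and marking them `// Deprecated: no longer sent by the CLI.` on `api.CreateServiceTokenRequest` (defined outside this diff), so staticcheck flags any remaining writers. As before this change, `hexEncodedRandomBytes` is both sent to the API as `RandomBytes` and printed as the secret suffix of `serviceToken`, so the token's secret half is only as protected as the transport and server-side storage; the server side is not in this diff, so that is a point to confirm rather than a defect here. The enclosing Run function starts and ends outside the hunk.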
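Review bot: `GenerateRandomBytes` is exported but has no doc comment, and the hunk does not show which `rand` this file imports — only the tail of the import block (`golang.org/x/crypto/nacl/box`) is visible — so confirm it resolves to `crypto/rand`, since tokens.go now uses the result as the secret half of a service token. Suggest `// GenerateRandomBytes returns length bytes drawn from crypto/rand, or an error if the read fails.` A negative `length` makes `make` panic rather than return an error; a guard such as `if length < 0 { return nil, fmt.Errorf("GenerateRandomBytes: negative length %d", length) }` (assuming fmt or errors is imported in this file) would keep the error path uniform. The local `bytes` also shadows the standard `bytes` package name; `buf` reads better.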
@@ -2,7 +2,6 @@ package util import ( "crypto/rand" - "encoding/base64" "encoding/hex" "encoding/json" "errors" 
@@ -543,51 +542,6 @@ func GetEnvelopmentBasedOnGitBranch(workspaceFile models.WorkspaceConfigFile) st } } -func GetPlainTextWorkspaceKey(authenticationToken string, receiverPrivateKey string, workspaceId string) ([]byte, error) { - httpClient, err := GetRestyClientWithCustomHeaders() - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: unable to get client with custom headers [err=%v]", err) - } - - httpClient.SetAuthToken(authenticationToken). - SetHeader("Accept", "application/json") - - request := api.GetEncryptedWorkspaceKeyRequest{ - WorkspaceId: workspaceId, - } - - workspaceKeyResponse, err := api.CallGetEncryptedWorkspaceKey(httpClient, request) - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: unable to retrieve your encrypted workspace key. [err=%v]", err) - } - - encryptedWorkspaceKey, err := base64.StdEncoding.DecodeString(workspaceKeyResponse.EncryptedKey) - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: Unable to get bytes represented by the base64 for encryptedWorkspaceKey [err=%v]", err) - } - - encryptedWorkspaceKeySenderPublicKey, err := base64.StdEncoding.DecodeString(workspaceKeyResponse.Sender.PublicKey) - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: Unable to get bytes represented by the base64 for encryptedWorkspaceKeySenderPublicKey [err=%v]", err) - } - - encryptedWorkspaceKeyNonce, err := base64.StdEncoding.DecodeString(workspaceKeyResponse.Nonce) - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: Unable to get bytes represented by the base64 for encryptedWorkspaceKeyNonce [err=%v]", err) - } - - currentUsersPrivateKey, err := base64.StdEncoding.DecodeString(receiverPrivateKey) - if err != nil { - return nil, fmt.Errorf("GetPlainTextWorkspaceKey: Unable to get bytes represented by the base64 for currentUsersPrivateKey [err=%v]", err) - } - - if len(currentUsersPrivateKey) == 0 || len(encryptedWorkspaceKeySenderPublicKey) == 0 { - return nil, 
fmt.Errorf("GetPlainTextWorkspaceKey: Missing credentials for generating plainTextEncryptionKey") - } - - return crypto.DecryptAsymmetric(encryptedWorkspaceKey, encryptedWorkspaceKeyNonce, encryptedWorkspaceKeySenderPublicKey, currentUsersPrivateKey), nil -} - func parseSecrets(fileName string, content string) (map[string]string, error) { secrets := make(map[string]string)