88 lines
2.5 KiB
Go
88 lines
2.5 KiB
Go
package tables
|
|
|
|
import (
|
|
"github.com/maximhq/bifrost/core/schemas"
|
|
"github.com/maximhq/bifrost/framework/encrypt"
|
|
)
|
|
|
|
const (
|
|
// EncryptionStatusPlainText indicates the row's sensitive fields are stored as plaintext.
|
|
EncryptionStatusPlainText = "plain_text"
|
|
// EncryptionStatusEncrypted indicates the row's sensitive fields have been encrypted.
|
|
EncryptionStatusEncrypted = "encrypted"
|
|
)
|
|
|
|
// encryptEnvVar encrypts the Val field of an EnvVar in place using AES-256-GCM.
|
|
// It is a no-op if the field is nil, references an environment variable, or has an empty value.
|
|
func encryptEnvVar(field *schemas.EnvVar) error {
|
|
if field == nil || field.IsFromEnv() || field.GetValue() == "" {
|
|
return nil
|
|
}
|
|
encrypted, err := encrypt.Encrypt(field.Val)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
field.Val = encrypted
|
|
return nil
|
|
}
|
|
|
|
// decryptEnvVar decrypts the Val field of an EnvVar in place using AES-256-GCM.
|
|
// It is a no-op if the field is nil, references an environment variable, or has an empty value.
|
|
func decryptEnvVar(field *schemas.EnvVar) error {
|
|
if field == nil || field.IsFromEnv() || field.GetValue() == "" {
|
|
return nil
|
|
}
|
|
decrypted, err := encrypt.Decrypt(field.Val)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
field.Val = decrypted
|
|
return nil
|
|
}
|
|
|
|
// encryptEnvVarPtr encrypts the Val field of a pointer-to-EnvVar in place.
|
|
// It is a no-op if the pointer or the EnvVar it points to is nil.
|
|
func encryptEnvVarPtr(field **schemas.EnvVar) error {
|
|
if field == nil || *field == nil {
|
|
return nil
|
|
}
|
|
return encryptEnvVar(*field)
|
|
}
|
|
|
|
// decryptEnvVarPtr decrypts the Val field of a pointer-to-EnvVar in place.
|
|
// It is a no-op if the pointer or the EnvVar it points to is nil.
|
|
func decryptEnvVarPtr(field **schemas.EnvVar) error {
|
|
if field == nil || *field == nil {
|
|
return nil
|
|
}
|
|
return decryptEnvVar(*field)
|
|
}
|
|
|
|
// encryptString encrypts the string pointed to by value in place using AES-256-GCM.
|
|
// It is a no-op if the pointer is nil or the string is empty.
|
|
func encryptString(value *string) error {
|
|
if value == nil || *value == "" {
|
|
return nil
|
|
}
|
|
encrypted, err := encrypt.Encrypt(*value)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
*value = encrypted
|
|
return nil
|
|
}
|
|
|
|
// decryptString decrypts the string pointed to by value in place using AES-256-GCM.
|
|
// It is a no-op if the pointer is nil or the string is empty.
|
|
func decryptString(value *string) error {
|
|
if value == nil || *value == "" {
|
|
return nil
|
|
}
|
|
decrypted, err := encrypt.Decrypt(*value)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
*value = decrypted
|
|
return nil
|
|
}
|