rename/resuffle c4gh key variables

neicnordic · Jan 8, 2025 · f8f5ac6 · f8f5ac6
1 parent a17e23d
commit f8f5ac6
Show file tree

Hide file tree

Showing 10 changed files with 87 additions and 85 deletions.
diff --git a/charts/sda-svc/templates/download-deploy.yaml b/charts/sda-svc/templates/download-deploy.yaml
@@ -141,9 +141,9 @@ spec:
           value: {{ .Values.global.log.level | quote }}
       {{- end }}
       {{- if .Values.global.download.serveDecrypted.c4ghKeyFile }}
-        - name: APP_C4GH_PRIVATEKEYPATH
+        - name: C4GH_TRANSIENTKEYPATH
           value: {{ template "c4ghPath" . }}/{{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
-        - name: APP_C4GH_PASSPHRASE
+        - name: C4GH_TRANSIENTPASSPHRASE
           valueFrom:
             secretKeyRef:
               name: {{ required "A secret for the transient c4gh key is required" .Values.global.download.serveDecrypted.secretName }}

diff --git a/sda-download/api/s3/s3.go b/sda-download/api/s3/s3.go
@@ -330,7 +330,7 @@ func Download(c *gin.Context) {
 		ListBuckets(c)
 
 	case c.Param("filename") != "":
-		if config.Config.App.Crypt4GHPublicKeyB64 == "" {
+		if config.Config.C4GH.PublicKeyB64 == "" {
 			GetEcnryptedObject(c)
 		} else {
 			GetObject(c)

diff --git a/sda-download/api/sda/sda.go b/sda-download/api/sda/sda.go
@@ -213,7 +213,7 @@ func Download(c *gin.Context) {
 	// So we need this check.
 	// Checking the type instead of the field S3 is better because it also provides a sanity check for the /s3 case.
 
-	if c.Param("type") != "encrypted" && config.Config.App.Crypt4GHPublicKeyB64 == "" {
+	if c.Param("type") != "encrypted" && config.Config.C4GH.PublicKeyB64 == "" {
 		c.String(http.StatusBadRequest, "downloading unencrypted data is not supported")
 
 		return
@@ -417,7 +417,7 @@ func Download(c *gin.Context) {
 		}
 	default:
 		// Reencrypt header for use with the loaded internal key
-		newHeader, err := reencryptHeader(fileDetails.Header, config.Config.App.Crypt4GHPublicKeyB64)
+		newHeader, err := reencryptHeader(fileDetails.Header, config.Config.C4GH.PublicKeyB64)
 		if err != nil {
 			log.Errorf("Failed to reencrypt the file header, reason: %v", err)
 			c.String(http.StatusInternalServerError, "file re-encryption error")
@@ -440,7 +440,7 @@ func Download(c *gin.Context) {
 			}
 		}
 
-		c4ghfileStream, err := streaming.NewCrypt4GHReader(fileStream, config.Config.App.Crypt4GHPrivateKey, nil)
+		c4ghfileStream, err := streaming.NewCrypt4GHReader(fileStream, config.Config.C4GH.PrivateKey, nil)
 		defer c4ghfileStream.Close()
 		if err != nil {
 			log.Errorf("could not prepare file for streaming, %s", err)

diff --git a/sda-download/api/sda/sda_test.go b/sda-download/api/sda/sda_test.go
@@ -341,8 +341,8 @@ func TestFiles_Success(t *testing.T) {
 func TestDownload_Fail_UnencryptedDownloadNotAllowed(t *testing.T) {
 
 	// Save original to-be-mocked config
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	config.Config.App.Crypt4GHPublicKeyB64 = ""
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	config.Config.C4GH.PublicKeyB64 = ""
 
 	// Mock request and response holders
 	w := httptest.NewRecorder()
@@ -375,7 +375,7 @@ func TestDownload_Fail_UnencryptedDownloadNotAllowed(t *testing.T) {
 	assert.Equal(t, expectedBody, body, "Unexpected body from download")
 
 	// Test downloading from unencrypted file serving /s3 when passing a c4gh pubkey, should fail
-	config.Config.App.Crypt4GHPublicKeyB64 = "somepubkeyBase64"
+	config.Config.C4GH.PublicKeyB64 = "somepubkeyBase64"
 	w = httptest.NewRecorder()
 	c, _ = gin.CreateTestContext(w)
 	c.Request = &http.Request{Method: "GET"}
@@ -392,7 +392,7 @@ func TestDownload_Fail_UnencryptedDownloadNotAllowed(t *testing.T) {
 	assert.Equal(t, expectedBody, body, "Unexpected body from download")
 
 	// Return mock config to originals
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
 }
 
 func TestDownload_Fail_FileNotFound(t *testing.T) {
@@ -402,17 +402,17 @@ func TestDownload_Fail_FileNotFound(t *testing.T) {
 
 	// Save original to-be-mocked functions and config
 	originalCheckFilePermission := database.CheckFilePermission
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	originalC4ghPrivateKeyFilepath := config.Config.App.Crypt4GHPrivateKey
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	originalC4ghPrivateKeyFilepath := config.Config.C4GH.PrivateKey
 
 	// Substitute mock functions
 	database.CheckFilePermission = func(_ string) (string, error) {
 		return "", errors.New("file not found")
 	}
 
-	viper.Set("app.c4gh.privateKeyPath", privateKeyFilePath)
-	viper.Set("app.c4gh.passphrase", "password")
-	config.Config.App.Crypt4GHPrivateKey, config.Config.App.Crypt4GHPublicKeyB64, err = config.GetC4GHKeys()
+	viper.Set("c4gh.transientKeyPath", privateKeyFilePath)
+	viper.Set("c4gh.transientPassphrase", "password")
+	config.Config.C4GH.PrivateKey, config.Config.C4GH.PublicKeyB64, err = config.GetC4GHKeys()
 	assert.NoError(t, err, "Could not load c4gh keys")
 
 	// Mock request and response holders
@@ -441,10 +441,10 @@ func TestDownload_Fail_FileNotFound(t *testing.T) {
 
 	// Return mock functions to originals
 	database.CheckFilePermission = originalCheckFilePermission
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
-	config.Config.App.Crypt4GHPrivateKey = originalC4ghPrivateKeyFilepath
-	viper.Set("app.c4gh.privateKeyPath", "")
-	viper.Set("app.c4gh.passphrase", "")
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PrivateKey = originalC4ghPrivateKeyFilepath
+	viper.Set("c4gh.transientKeyPath", "")
+	viper.Set("c4gh.transientPassphrase", "")
 
 }
 
@@ -456,8 +456,8 @@ func TestDownload_Fail_NoPermissions(t *testing.T) {
 	// Save original to-be-mocked functions
 	originalCheckFilePermission := database.CheckFilePermission
 	originalGetCacheFromContext := middleware.GetCacheFromContext
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	originalC4ghPrivateKeyFilepath := config.Config.App.Crypt4GHPrivateKey
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	originalC4ghPrivateKeyFilepath := config.Config.C4GH.PrivateKey
 
 	// Substitute mock functions
 	database.CheckFilePermission = func(_ string) (string, error) {
@@ -468,9 +468,9 @@ func TestDownload_Fail_NoPermissions(t *testing.T) {
 		return session.Cache{}
 	}
 
-	viper.Set("app.c4gh.privateKeyPath", privateKeyFilePath)
-	viper.Set("app.c4gh.passphrase", "password")
-	config.Config.App.Crypt4GHPrivateKey, config.Config.App.Crypt4GHPublicKeyB64, err = config.GetC4GHKeys()
+	viper.Set("c4gh.transientKeyPath", privateKeyFilePath)
+	viper.Set("c4gh.transientPassphrase", "password")
+	config.Config.C4GH.PrivateKey, config.Config.C4GH.PublicKeyB64, err = config.GetC4GHKeys()
 	assert.NoError(t, err, "Could not load c4gh keys")
 
 	// Mock request and response holders
@@ -500,10 +500,10 @@ func TestDownload_Fail_NoPermissions(t *testing.T) {
 	// Return mock functions to originals
 	database.CheckFilePermission = originalCheckFilePermission
 	middleware.GetCacheFromContext = originalGetCacheFromContext
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
-	config.Config.App.Crypt4GHPrivateKey = originalC4ghPrivateKeyFilepath
-	viper.Set("app.c4gh.privateKeyPath", "")
-	viper.Set("app.c4gh.passphrase", "")
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PrivateKey = originalC4ghPrivateKeyFilepath
+	viper.Set("c4gh.transientKeyPath", "")
+	viper.Set("c4gh.transientPassphrase", "")
 
 }
 
@@ -516,8 +516,8 @@ func TestDownload_Fail_GetFile(t *testing.T) {
 	originalCheckFilePermission := database.CheckFilePermission
 	originalGetCacheFromContext := middleware.GetCacheFromContext
 	originalGetFile := database.GetFile
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	originalC4ghPrivateKeyFilepath := config.Config.App.Crypt4GHPrivateKey
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	originalC4ghPrivateKeyFilepath := config.Config.C4GH.PrivateKey
 
 	// Substitute mock functions
 	database.CheckFilePermission = func(_ string) (string, error) {
@@ -532,9 +532,9 @@ func TestDownload_Fail_GetFile(t *testing.T) {
 		return nil, errors.New("database error")
 	}
 
-	viper.Set("app.c4gh.privateKeyPath", privateKeyFilePath)
-	viper.Set("app.c4gh.passphrase", "password")
-	config.Config.App.Crypt4GHPrivateKey, config.Config.App.Crypt4GHPublicKeyB64, err = config.GetC4GHKeys()
+	viper.Set("c4gh.transientKeyPath", privateKeyFilePath)
+	viper.Set("c4gh.transientPassphrase", "password")
+	config.Config.C4GH.PrivateKey, config.Config.C4GH.PublicKeyB64, err = config.GetC4GHKeys()
 	assert.NoError(t, err, "Could not load c4gh keys")
 
 	// Mock request and response holders
@@ -565,10 +565,10 @@ func TestDownload_Fail_GetFile(t *testing.T) {
 	database.CheckFilePermission = originalCheckFilePermission
 	middleware.GetCacheFromContext = originalGetCacheFromContext
 	database.GetFile = originalGetFile
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
-	config.Config.App.Crypt4GHPrivateKey = originalC4ghPrivateKeyFilepath
-	viper.Set("app.c4gh.privateKeyPath", "")
-	viper.Set("app.c4gh.passphrase", "")
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PrivateKey = originalC4ghPrivateKeyFilepath
+	viper.Set("c4gh.transientKeyPath", "")
+	viper.Set("c4gh.transientPassphrase", "")
 
 }
 
@@ -581,8 +581,8 @@ func TestDownload_Fail_OpenFile(t *testing.T) {
 	originalCheckFilePermission := database.CheckFilePermission
 	originalGetCacheFromContext := middleware.GetCacheFromContext
 	originalGetFile := database.GetFile
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	originalC4ghPrivateKeyFilepath := config.Config.App.Crypt4GHPrivateKey
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	originalC4ghPrivateKeyFilepath := config.Config.C4GH.PrivateKey
 	Backend, _ = storage.NewBackend(config.Config.Archive)
 
 	// Substitute mock functions
@@ -604,9 +604,9 @@ func TestDownload_Fail_OpenFile(t *testing.T) {
 		return fileDetails, nil
 	}
 
-	viper.Set("app.c4gh.privateKeyPath", privateKeyFilePath)
-	viper.Set("app.c4gh.passphrase", "password")
-	config.Config.App.Crypt4GHPrivateKey, config.Config.App.Crypt4GHPublicKeyB64, err = config.GetC4GHKeys()
+	viper.Set("c4gh.transientKeyPath", privateKeyFilePath)
+	viper.Set("c4gh.transientPassphrase", "password")
+	config.Config.C4GH.PrivateKey, config.Config.C4GH.PublicKeyB64, err = config.GetC4GHKeys()
 	assert.NoError(t, err, "Could not load c4gh keys")
 
 	// Mock request and response holders and initialize headers
@@ -640,10 +640,10 @@ func TestDownload_Fail_OpenFile(t *testing.T) {
 	database.CheckFilePermission = originalCheckFilePermission
 	middleware.GetCacheFromContext = originalGetCacheFromContext
 	database.GetFile = originalGetFile
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
-	config.Config.App.Crypt4GHPrivateKey = originalC4ghPrivateKeyFilepath
-	viper.Set("app.c4gh.privateKeyPath", "")
-	viper.Set("app.c4gh.passphrase", "")
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PrivateKey = originalC4ghPrivateKeyFilepath
+	viper.Set("c4gh.transientKeyPath", "")
+	viper.Set("c4gh.transientPassphrase", "")
 }
 
 func Test_CalucalateCoords(t *testing.T) {
@@ -750,8 +750,8 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	originalCheckFilePermission := database.CheckFilePermission
 	originalGetCacheFromContext := middleware.GetCacheFromContext
 	originalGetFile := database.GetFile
-	originalServeUnencryptedDataTrigger := config.Config.App.Crypt4GHPublicKeyB64
-	originalC4ghPrivateKeyFilepath := config.Config.App.Crypt4GHPrivateKey
+	originalServeUnencryptedDataTrigger := config.Config.C4GH.PublicKeyB64
+	originalC4ghPrivateKeyFilepath := config.Config.C4GH.PrivateKey
 	archive := config.Config.Archive
 	archive.Posix.Location = "."
 	Backend, _ = storage.NewBackend(archive)
@@ -795,9 +795,9 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	config.Config.Reencrypt.ClientKey = keyfile.Name()
 	config.Config.Reencrypt.Timeout = 10
 
-	viper.Set("app.c4gh.privateKeyPath", privateKeyFilePath)
-	viper.Set("app.c4gh.passphrase", "password")
-	config.Config.App.Crypt4GHPrivateKey, config.Config.App.Crypt4GHPublicKeyB64, err = config.GetC4GHKeys()
+	viper.Set("c4gh.transientKeyPath", privateKeyFilePath)
+	viper.Set("c4gh.transientPassphrase", "password")
+	config.Config.C4GH.PrivateKey, config.Config.C4GH.PublicKeyB64, err = config.GetC4GHKeys()
 	assert.NoError(t, err, "Could not load c4gh keys")
 
 	// Make a file to hold the archive file
@@ -806,7 +806,7 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	datafileName := datafile.Name()
 	defer os.Remove(datafileName)
 
-	tempKey, err := base64.StdEncoding.DecodeString(config.Config.App.Crypt4GHPublicKeyB64)
+	tempKey, err := base64.StdEncoding.DecodeString(config.Config.C4GH.PublicKeyB64)
 	assert.NoError(t, err, "Could not decode public key envelope")
 
 	// Decode public key
@@ -820,7 +820,7 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	faker.pubkey = [32]byte(publicKey)
 
 	bufferWriter := bytes.Buffer{}
-	dataWriter, err := streaming.NewCrypt4GHWriter(&bufferWriter, config.Config.App.Crypt4GHPrivateKey, readerPublicKeyList, nil)
+	dataWriter, err := streaming.NewCrypt4GHWriter(&bufferWriter, config.Config.C4GH.PrivateKey, readerPublicKeyList, nil)
 	assert.NoError(t, err, "Could not make crypt4gh writer for test")
 
 	// Write some data to the file
@@ -891,7 +891,7 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	w = httptest.NewRecorder()
 	c, _ = gin.CreateTestContext(w)
 	c.Request = &http.Request{Method: "GET", URL: &url.URL{Path: "/mocks3/somepath", RawQuery: "filename=somepath"}}
-	c.Request.Header = http.Header{"Client-Public-Key": []string{config.Config.App.Crypt4GHPublicKeyB64},
+	c.Request.Header = http.Header{"Client-Public-Key": []string{config.Config.C4GH.PublicKeyB64},
 		"Range": []string{"bytes=0-10"}}
 
 	c.Params = make(gin.Params, 1)
@@ -909,7 +909,7 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	w = httptest.NewRecorder()
 	c, _ = gin.CreateTestContext(w)
 	c.Request = &http.Request{Method: "GET", URL: &url.URL{Path: "/mocks3/somepath", RawQuery: "filename=somepath"}}
-	c.Request.Header = http.Header{"Client-Public-Key": []string{config.Config.App.Crypt4GHPublicKeyB64},
+	c.Request.Header = http.Header{"Client-Public-Key": []string{config.Config.C4GH.PublicKeyB64},
 		"Range": []string{"bytes=0-10"}}
 
 	c.Params = make(gin.Params, 1)
@@ -942,10 +942,10 @@ func TestDownload_Whole_Range_Encrypted(t *testing.T) {
 	database.CheckFilePermission = originalCheckFilePermission
 	middleware.GetCacheFromContext = originalGetCacheFromContext
 	database.GetFile = originalGetFile
-	config.Config.App.Crypt4GHPublicKeyB64 = originalServeUnencryptedDataTrigger
-	config.Config.App.Crypt4GHPrivateKey = originalC4ghPrivateKeyFilepath
-	viper.Set("app.c4gh.privateKeyPath", "")
-	viper.Set("app.c4gh.passphrase", "")
+	config.Config.C4GH.PublicKeyB64 = originalServeUnencryptedDataTrigger
+	config.Config.C4GH.PrivateKey = originalC4ghPrivateKeyFilepath
+	viper.Set("c4gh.transientKeyPath", "")
+	viper.Set("c4gh.transientPassphrase", "")
 }
 
 func GenerateTestC4ghKey(t *testing.T) (string, error) {

diff --git a/sda-download/cmd/main.go b/sda-download/cmd/main.go
@@ -76,7 +76,7 @@ func main() {
 	// Start the server
 	log.Info("(5/5) Starting web server")
 
-	if config.Config.App.Crypt4GHPublicKeyB64 != "" {
+	if config.Config.C4GH.PublicKeyB64 != "" {
 		log.Warningln("Serving unencrypted data")
 	}
 

diff --git a/sda-download/dev_utils/compose-no-tls.yml b/sda-download/dev_utils/compose-no-tls.yml
@@ -88,8 +88,8 @@ services:
       - ARCHIVE_URL=http://s3
       - ARCHIVE_TYPE=s3
       - DB_HOST=db
-      - APP_C4GH_PRIVATEKEYPATH=/dev_utils/c4gh.sec.pem
-      - APP_C4GH_PASSPHRASE=oaagCP1YgAZeEyl2eJAkHv9lkcWXWFgm
+      - C4GH_TRANSIENTKEYPATH=/dev_utils/c4gh.sec.pem
+      - C4GH_TRANSIENTPASSPHRASE=oaagCP1YgAZeEyl2eJAkHv9lkcWXWFgm
     image: neicnordic/sda-download:latest
     build:
       context: ..

diff --git a/sda-download/dev_utils/compose.yml b/sda-download/dev_utils/compose.yml
@@ -121,8 +121,8 @@ services:
         condition: service_started
     env_file: ./env.download
     environment:
-      - APP_C4GH_PRIVATEKEYPATH=/dev_utils/c4gh.sec.pem
-      - APP_C4GH_PASSPHRASE=oaagCP1YgAZeEyl2eJAkHv9lkcWXWFgm
+      - C4GH_TRANSIENTKEYPATH=/dev_utils/c4gh.sec.pem
+      - C4GH_TRANSIENTPASSPHRASE=oaagCP1YgAZeEyl2eJAkHv9lkcWXWFgm
     image: neicnordic/sda-download:latest
     volumes:
       - ./config.yaml:/config.yaml

diff --git a/sda-download/dev_utils/config.yaml b/sda-download/dev_utils/config.yaml
@@ -4,9 +4,6 @@ app:
   serverkey: "./dev_utils/certs/download-key.pem"
   port: "8443"
   middleware: "default"
-  c4gh:
-    passphrase: ""
-    privateKeyPath:  ""
 
 log:
   level: "debug"
@@ -46,6 +43,8 @@ session:
 c4gh:
   passphrase: "oaagCP1YgAZeEyl2eJAkHv9lkcWXWFgm"
   filepath: "./dev_utils/c4gh.sec.pem"
+  transientPassphrase: ""
+  transientKeyPath: ""
 
 grpc:
     host: "reencrypt"