feat: add master key as param

cmd/vc-rest/startcmd/params.go

@@ -50,6 +50,11 @@ const (
 	aliasPrefixFlagUsage = "alias prefix" +
 		commonEnvVarUsageText + aliasPrefixEnvKey
 
+	masterKeyFlagName  = "local-kms-master-key"
+	masterKeyEnvKey    = "VC_REST_LOCAL_KMS_MASTER_KEY"
+	masterKeyFlagUsage = "Local KMS master key" +
+		commonEnvVarUsageText + masterKeyEnvKey
+
 	// Linter gosec flags these as "potential hardcoded credentials". They are not, hence the nolint annotations.
 	kmsSecretsDatabaseTypeFlagName      = "default-kms-secrets-database-type"         //nolint: gosec
 	kmsSecretsDatabaseTypeEnvKey        = "VC_REST_DEFAULT_KMS_SECRETS_DATABASE_TYPE" //nolint: gosec
@@ -490,6 +495,7 @@ type kmsParameters struct {
 	kmsSecretsDatabasePrefix string
 	secretLockKeyPath        string
 	aliasPrefix              string
+	masterKey                string
 }
 
 // nolint: gocyclo,funlen
@@ -953,6 +959,8 @@ func getKMSParameters(cmd *cobra.Command) (*kmsParameters, error) {
 	secretLockKeyPath := cmdutils.GetUserSetOptionalVarFromString(cmd, secretLockKeyPathFlagName, secretLockKeyPathEnvKey)
 	aliasPrefix := cmdutils.GetUserSetOptionalVarFromString(cmd, aliasPrefixFlagName, aliasPrefixEnvKey)
 
+	masterKey := cmdutils.GetUserSetOptionalVarFromString(cmd, masterKeyFlagName, masterKeyEnvKey)
+
 	keyDatabaseType, err := cmdutils.GetUserSetVarFromString(cmd, kmsSecretsDatabaseTypeFlagName,
 		kmsSecretsDatabaseTypeEnvKey, kmsType != kms.Local)
 	if err != nil {
@@ -972,6 +980,7 @@ func getKMSParameters(cmd *cobra.Command) (*kmsParameters, error) {
 		kmsSecretsDatabaseURL:    keyDatabaseURL,
 		kmsSecretsDatabasePrefix: keyDatabasePrefix,
 		aliasPrefix:              aliasPrefix,
+		masterKey:                masterKey,
 	}, nil
 }
 
@@ -1150,6 +1159,7 @@ func createFlags(startCmd *cobra.Command) {
 	startCmd.Flags().String(kmsEndpointFlagName, "", kmsEndpointFlagUsage)
 	startCmd.Flags().String(secretLockKeyPathFlagName, "", secretLockKeyPathFlagUsage)
 	startCmd.Flags().String(aliasPrefixFlagName, "", aliasPrefixFlagUsage)
+	startCmd.Flags().String(masterKeyFlagName, "", masterKeyFlagUsage)
 	startCmd.Flags().String(kmsRegionFlagName, "", kmsRegionFlagUsage)
 	startCmd.Flags().StringP(tlsCertificateFlagName, "", "", tlsCertificateFlagUsage)
 	startCmd.Flags().StringP(tlsKeyFlagName, "", "", tlsKeyFlagUsage)

cmd/vc-rest/startcmd/start.go

@@ -460,6 +460,7 @@ func buildEchoHandler(
 		DBURL:             conf.StartupParameters.dbParameters.databaseURL,
 		DBPrefix:          conf.StartupParameters.dbParameters.databasePrefix,
 		AliasPrefix:       conf.StartupParameters.kmsParameters.aliasPrefix,
+		MasterKey:         conf.StartupParameters.kmsParameters.masterKey,
 	}
 
 	defaultVCSKeyManager, err := kms.NewAriesKeyManager(&defaultKmsConfig, metrics)

pkg/kms/arieskms.go

@@ -8,10 +8,8 @@ package kms
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"io"
-	"os"
 	"strings"
 	"time"
 
@@ -128,7 +126,10 @@ func NewAriesKeyManager(cfg *Config, metrics metricsProvider) (*KeyManager, erro
 }
 
 func createLocalKMS(cfg *Config) (api.Suite, error) {
-	secretLockService, err := createLocalSecretLock(cfg.SecretLockKeyPath)
+	secretLockService, err := createLocalSecretLock(
+		cfg.SecretLockKeyPath,
+		cfg.MasterKey,
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -190,17 +191,16 @@ func (km *KeyManager) NewVCSigner(
 	return signer.NewKMSSigner(fks, signatureType, km.metrics), nil
 }
 
-func createLocalSecretLock(keyPath string) (secretlock.Service, error) {
-	var primaryKeyReader io.Reader
+func createLocalSecretLock(
+	keyPath string,
+	kmsMasterKey string,
+) (secretlock.Service, error) {
 	var err error
-	if os.Getenv("VCS_LOCAL_KMS_MASTER_KEY") != "" {
-		primaryKeyReader, err = local.MasterKeyFromEnv("VCS_LOCAL_KMS_", "MASTER_KEY")
-		if err != nil {
-			return nil, errors.Join(err, errors.New("failed to create MasterKeyFromEnv"))
-		}
-	}
+	var primaryKeyReader io.Reader
 
-	if primaryKeyReader == nil {
+	if kmsMasterKey != "" {
+		primaryKeyReader = strings.NewReader(kmsMasterKey)
+	} else {
 		if keyPath == "" {
 			return nil, fmt.Errorf("no key defined for local secret lock")
 		}

pkg/kms/arieskms_test.go

@@ -91,8 +91,6 @@ func TestNewLocalKeyManager(t *testing.T) {
 	t.Run("Success env", func(t *testing.T) {
 		pool, mongoDBResource := startMongoDBContainer(t)
 
-		t.Setenv("VCS_LOCAL_KMS_MASTER_KEY", "00kIMo3wwfp1r8OOR8QMSkyIByY8ZHBKJy4l0u2i9f4=")
-
 		defer func() {
 			require.NoError(t, pool.Purge(mongoDBResource), "failed to purge MongoDB resource")
 		}()
@@ -103,6 +101,7 @@ func TestNewLocalKeyManager(t *testing.T) {
 			DBType:            "mongodb",
 			DBURL:             mongoDBConnString,
 			DBPrefix:          "test",
+			MasterKey:         "00kIMo3wwfp1r8OOR8QMSkyIByY8ZHBKJy4l0u2i9f4=",
 		}, nil)
 
 		require.NoError(t, err)

pkg/kms/kms.go

@@ -38,6 +38,7 @@ type Config struct {
 	DBType            string
 	DBURL             string
 	DBPrefix          string
+	MasterKey         string
 }
 
 type VCSKeyManager interface {

pkg/kms/registry.go

@@ -31,6 +31,9 @@ func (r *Registry) GetKeyManager(config *Config) (VCSKeyManager, error) {
 
 	cfgCopy := r.defaultConfig
 	cfgCopy.KMSType = config.KMSType
+	if config.MasterKey != "" {
+		cfgCopy.MasterKey = config.MasterKey
+	}
 
 	return NewAriesKeyManager(&cfgCopy, r.defaultMetricProvider)
 }

test/bdd/fixtures/docker-compose.yml

@@ -47,7 +47,7 @@ services:
       - VC_TRANSIENT_DATA_STORE_TYPE=redis
       - VC_REDIS_URL=redis.example.com:6379
       - VC_REDIS_DISABLE_TLS=true
-      - VCS_LOCAL_KMS_MASTER_KEY=00kIMo3wwfp1r8OOR8QMSkyIByY8ZHBKJy4l0u2i9f4=
+      - VC_REST_LOCAL_KMS_MASTER_KEY=00kIMo3wwfp1r8OOR8QMSkyIByY8ZHBKJy4l0u2i9f4=
     ports:
       - "8075:8075"
       - "48127:48127"