refactor: kms encrypt blake3 hash key (#35)

juspay · Dec 18, 2024 · 333c8f7 · 333c8f7
1 parent b54bf8f
commit 333c8f7
Show file tree

Hide file tree

Showing 8 changed files with 244 additions and 18 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/app.rs b/src/app.rs
@@ -1,14 +1,15 @@
 #[cfg(feature = "mtls")]
 pub mod tls;
 
-use crate::{config::Config, crypto::KeyManagerClient, storage::DbState};
+use crate::{config::Config, crypto::blake3::Blake3, crypto::KeyManagerClient, storage::DbState};
 use rayon::{ThreadPool, ThreadPoolBuilder};
 
 pub struct AppState {
     pub conf: Config,
     pub db_pool: DbState,
     pub keymanager_client: KeyManagerClient,
     pub thread_pool: ThreadPool,
+    pub hash_client: Blake3,
 }
 
 impl AppState {
@@ -20,11 +21,13 @@ impl AppState {
         let secrets = config.secrets.clone();
         let db_pool = DbState::from_config(&config).await;
         let num_threads = config.pool_config.pool;
+        let hash_client = Blake3::from_config(&config).await;
 
         Self {
             conf: config,
             keymanager_client: secrets.create_keymanager_client().await,
             db_pool,
+            hash_client,
             thread_pool: ThreadPoolBuilder::new()
                 .num_threads(num_threads)
                 .build()

diff --git a/src/config.rs b/src/config.rs
@@ -157,15 +157,15 @@ pub struct Certs {
     pub root_ca: SecretContainer,
 }
 
-#[derive(Deserialize, Debug, Clone, Default)]
+#[derive(Deserialize, Debug, Clone)]
 pub struct Secrets {
     #[serde(default)]
     pub master_key: GcmAes256,
     #[serde(default)]
     pub kms_config: AwsKmsConfig,
     #[serde(default)]
     pub vault_config: VaultSettings,
-    pub access_token: masking::Secret<String>,
+    pub access_token: SecretContainer,
     pub hash_context: masking::Secret<String>,
 }
 

diff --git a/src/core/crypto/custodian.rs b/src/core/crypto/custodian.rs
@@ -25,7 +25,7 @@ impl Custodian {
     pub fn into_access_token(self, state: &AppState) -> Option<StrongSecret<String>> {
         self.keys
             .map(|(x, y)| format!("{}:{}", x.peek(), y.peek()))
-            .map(|key| crate::crypto::blake3::Blake3::hash(state, Secret::new(key)))
+            .map(|token| state.hash_client.hash(Secret::new(token)))
             .map(hex::encode)
             .map(StrongSecret::new)
     }

diff --git a/src/crypto/aes256.rs b/src/crypto/aes256.rs
@@ -98,7 +98,7 @@ impl<'de> Deserialize<'de> for GcmAes256 {
     {
         struct Aes256Visitor;
 
-        impl<'de> Visitor<'de> for Aes256Visitor {
+        impl Visitor<'_> for Aes256Visitor {
             type Value = GcmAes256;
 
             fn expecting(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {