gomods · wburningham · Feb 11, 2020 · Feb 15, 2020
@@ -28,8 +28,15 @@ func App(conf *config.Config) (http.Handler, error) {
 	ENV := conf.GoEnv
 	store, err := GetStorage(conf.StorageType, conf.Storage, conf.TimeoutDuration())
 	if err != nil {
-		err = fmt.Errorf("error getting storage configuration (%s)", err)
-		return nil, err
+		return nil, fmt.Errorf("error getting storage configuration (%s)", err)
+	}
+
+	if conf.StorageEncryptionKey != "" {
+		var err error
+		store, err = wrapStorageWithEncryption(store, conf.StorageEncryptionKey)
+		if err != nil {
+			return nil, fmt.Errorf("error configuring storage encryption (%s)", err)
+		}
 	}
 
 	if conf.GithubToken != "" {

@@ -9,6 +9,7 @@ import (
 	"github.com/gomods/athens/pkg/errors"
 	"github.com/gomods/athens/pkg/storage"
 	"github.com/gomods/athens/pkg/storage/azureblob"
+	"github.com/gomods/athens/pkg/storage/encryption"
 	"github.com/gomods/athens/pkg/storage/fs"
 	"github.com/gomods/athens/pkg/storage/gcp"
 	"github.com/gomods/athens/pkg/storage/mem"
@@ -64,3 +65,7 @@ func GetStorage(storageType string, storageConfig *config.StorageConfig, timeout
 		return nil, fmt.Errorf("storage type %s is unknown", storageType)
 	}
 }
+
+func wrapStorageWithEncryption(store storage.Backend, encryptionKey string) (storage.Backend, error) {
+	return encryption.Wrap(store, encryptionKey)
+}
@@ -118,6 +118,11 @@ Timeout = 300
 # Env override: ATHENS_STORAGE_TYPE
 StorageType = "memory"
 
+# StorageEncryptionKey sets encryption key for encrypting and decrypting data sent to and received from the storage layer.
+# Key lenght must equal 32
+# Env override: ATHENS_STORAGE_ENCRYPTION_KEY
+StorageEncryptionKey = ""
+
 # Certificate and key to make athens serve using https instead of plain text http.
 # Set both to enable.
 # Env override: ATHENS_TLSCERT_FILE, ATHENS_TLSKEY_FILE

@@ -21,41 +21,42 @@ const defaultConfigFile = "athens.toml"
 // Config provides configuration values for all components
 type Config struct {
 	TimeoutConf
-	GoEnv            string    `validate:"required" envconfig:"GO_ENV"`
-	GoBinary         string    `validate:"required" envconfig:"GO_BINARY_PATH"`
-	GoProxy          string    `envconfig:"GOPROXY"`
-	GoBinaryEnvVars  EnvList   `envconfig:"ATHENS_GO_BINARY_ENV_VARS"`
-	GoGetWorkers     int       `validate:"required" envconfig:"ATHENS_GOGET_WORKERS"`
-	ProtocolWorkers  int       `validate:"required" envconfig:"ATHENS_PROTOCOL_WORKERS"`
-	LogLevel         string    `validate:"required" envconfig:"ATHENS_LOG_LEVEL"`
-	CloudRuntime     string    `validate:"required" envconfig:"ATHENS_CLOUD_RUNTIME"`
-	EnablePprof      bool      `envconfig:"ATHENS_ENABLE_PPROF"`
-	PprofPort        string    `envconfig:"ATHENS_PPROF_PORT"`
-	FilterFile       string    `envconfig:"ATHENS_FILTER_FILE"`
-	TraceExporterURL string    `envconfig:"ATHENS_TRACE_EXPORTER_URL"`
-	TraceExporter    string    `envconfig:"ATHENS_TRACE_EXPORTER"`
-	StatsExporter    string    `envconfig:"ATHENS_STATS_EXPORTER"`
-	StorageType      string    `validate:"required" envconfig:"ATHENS_STORAGE_TYPE"`
-	GlobalEndpoint   string    `envconfig:"ATHENS_GLOBAL_ENDPOINT"` // This feature is not yet implemented
-	Port             string    `envconfig:"ATHENS_PORT"`
-	BasicAuthUser    string    `envconfig:"BASIC_AUTH_USER"`
-	BasicAuthPass    string    `envconfig:"BASIC_AUTH_PASS"`
-	ForceSSL         bool      `envconfig:"PROXY_FORCE_SSL"`
-	ValidatorHook    string    `envconfig:"ATHENS_PROXY_VALIDATOR"`
-	PathPrefix       string    `envconfig:"ATHENS_PATH_PREFIX"`
-	NETRCPath        string    `envconfig:"ATHENS_NETRC_PATH"`
-	GithubToken      string    `envconfig:"ATHENS_GITHUB_TOKEN"`
-	HGRCPath         string    `envconfig:"ATHENS_HGRC_PATH"`
-	TLSCertFile      string    `envconfig:"ATHENS_TLSCERT_FILE"`
-	TLSKeyFile       string    `envconfig:"ATHENS_TLSKEY_FILE"`
-	SumDBs           []string  `envconfig:"ATHENS_SUM_DBS"`
-	NoSumPatterns    []string  `envconfig:"ATHENS_GONOSUM_PATTERNS"`
-	DownloadMode     mode.Mode `envconfig:"ATHENS_DOWNLOAD_MODE"`
-	DownloadURL      string    `envconfig:"ATHENS_DOWNLOAD_URL"`
-	SingleFlightType string    `envconfig:"ATHENS_SINGLE_FLIGHT_TYPE"`
-	RobotsFile       string    `envconfig:"ATHENS_ROBOTS_FILE"`
-	SingleFlight     *SingleFlight
-	Storage          *StorageConfig
+	GoEnv                string    `validate:"required" envconfig:"GO_ENV"`
+	GoBinary             string    `validate:"required" envconfig:"GO_BINARY_PATH"`
+	GoProxy              string    `envconfig:"GOPROXY"`
+	GoBinaryEnvVars      EnvList   `envconfig:"ATHENS_GO_BINARY_ENV_VARS"`
+	GoGetWorkers         int       `validate:"required" envconfig:"ATHENS_GOGET_WORKERS"`
+	ProtocolWorkers      int       `validate:"required" envconfig:"ATHENS_PROTOCOL_WORKERS"`
+	LogLevel             string    `validate:"required" envconfig:"ATHENS_LOG_LEVEL"`
+	CloudRuntime         string    `validate:"required" envconfig:"ATHENS_CLOUD_RUNTIME"`
+	EnablePprof          bool      `envconfig:"ATHENS_ENABLE_PPROF"`
+	PprofPort            string    `envconfig:"ATHENS_PPROF_PORT"`
+	FilterFile           string    `envconfig:"ATHENS_FILTER_FILE"`
+	TraceExporterURL     string    `envconfig:"ATHENS_TRACE_EXPORTER_URL"`
+	TraceExporter        string    `envconfig:"ATHENS_TRACE_EXPORTER"`
+	StatsExporter        string    `envconfig:"ATHENS_STATS_EXPORTER"`
+	StorageType          string    `validate:"required" envconfig:"ATHENS_STORAGE_TYPE"`
+	StorageEncryptionKey string    `envconfig:"ATHENS_STORAGE_ENCRYPTION_KEY"`
+	GlobalEndpoint       string    `envconfig:"ATHENS_GLOBAL_ENDPOINT"` // This feature is not yet implemented
+	Port                 string    `envconfig:"ATHENS_PORT"`
+	BasicAuthUser        string    `envconfig:"BASIC_AUTH_USER"`
+	BasicAuthPass        string    `envconfig:"BASIC_AUTH_PASS"`
+	ForceSSL             bool      `envconfig:"PROXY_FORCE_SSL"`
+	ValidatorHook        string    `envconfig:"ATHENS_PROXY_VALIDATOR"`
+	PathPrefix           string    `envconfig:"ATHENS_PATH_PREFIX"`
+	NETRCPath            string    `envconfig:"ATHENS_NETRC_PATH"`
+	GithubToken          string    `envconfig:"ATHENS_GITHUB_TOKEN"`
+	HGRCPath             string    `envconfig:"ATHENS_HGRC_PATH"`
+	TLSCertFile          string    `envconfig:"ATHENS_TLSCERT_FILE"`
+	TLSKeyFile           string    `envconfig:"ATHENS_TLSKEY_FILE"`
+	SumDBs               []string  `envconfig:"ATHENS_SUM_DBS"`
+	NoSumPatterns        []string  `envconfig:"ATHENS_GONOSUM_PATTERNS"`
+	DownloadMode         mode.Mode `envconfig:"ATHENS_DOWNLOAD_MODE"`
+	DownloadURL          string    `envconfig:"ATHENS_DOWNLOAD_URL"`
+	SingleFlightType     string    `envconfig:"ATHENS_SINGLE_FLIGHT_TYPE"`
+	RobotsFile           string    `envconfig:"ATHENS_ROBOTS_FILE"`
+	SingleFlight         *SingleFlight
+	Storage              *StorageConfig
 }
 
 // EnvList is a list of key-value environment

@@ -0,0 +1,162 @@
+package encryption
+
+import (
+	"bytes"
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"sync"
+
+	"github.com/gomods/athens/pkg/storage"
+)
+
+// MustWrap will wrap an athen's storage.Backend with an encrypt/decrypt layer and panic if there is an error.
+func MustWrap(store storage.Backend, key string) storage.Backend {
+	b, err := Wrap(store, key)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
+
+// Wrap will wrap an athen's storage.Backend with an encrypt/decrypt layer.
+func Wrap(store storage.Backend, key string) (storage.Backend, error) {
+
+	if len(key) != 32 {
+		return nil, fmt.Errorf("length of encryption key must be 32; found key of length: %d", len(key))
+	}
+
+	block, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return nil, err
+	}
+
+	aead, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	return &backend{
+		Store: store,
+		AEAD:  aead,
+	}, nil
+}
+
+// backend defines a backend that is wrapped with an encrypt/decrypt layer.
+type backend struct {
+	Store storage.Backend
+	AEAD  cipher.AEAD
+
+	initOnce   sync.Once
+	randReader io.Reader
+}
+
+func (b *backend) init() {
+	if b.randReader == nil {
+		b.randReader = rand.Reader
+	}
+}
+
+func (b *backend) List(ctx context.Context, module string) ([]string, error) {
+	b.initOnce.Do(b.init)
+	return b.Store.List(ctx, module)
+}
+
+func (b *backend) Exists(ctx context.Context, module, version string) (bool, error) {
+	b.initOnce.Do(b.init)
+	return b.Store.Exists(ctx, module, version)
+}
+
+func (b *backend) Info(ctx context.Context, module, vsn string) ([]byte, error) {
+	b.initOnce.Do(b.init)
+	return b.open(b.Store.Info(ctx, module, vsn))
+}
+
+func (b *backend) GoMod(ctx context.Context, module, vsn string) ([]byte, error) {
+	b.initOnce.Do(b.init)
+	return b.open(b.Store.GoMod(ctx, module, vsn))
+}
+
+func (b *backend) Zip(ctx context.Context, module, vsn string) (io.ReadCloser, error) {
+	b.initOnce.Do(b.init)
+	return b.openReadCloserer(b.Store.Zip(ctx, module, vsn))
+}
+
+func (b *backend) Save(ctx context.Context, module, version string, mod []byte, zip io.Reader, info []byte) error {
+	b.initOnce.Do(b.init)
+	zipReader, err := b.sealReader(zip)
+	if err != nil {
+		return err
+	}
+	sealedMod, err := b.seal(mod)
+	if err != nil {
+		return err
+	}
+	sealedInfo, err := b.seal(info)
+	if err != nil {
+		return err
+	}
+	return b.Store.Save(ctx, module, version, sealedMod, zipReader, sealedInfo)
+}
+
+func (b *backend) Delete(ctx context.Context, module, vsn string) error {
+	b.initOnce.Do(b.init)
+	return b.Store.Delete(ctx, module, vsn)
+}
+
+func (b *backend) seal(data []byte) ([]byte, error) {
+	nonce := make([]byte, b.AEAD.NonceSize())
+
+	_, err := io.ReadFull(b.randReader, nonce)
+	if err != nil {
+		return nil, err
+	}
+	encryptedData := b.AEAD.Seal(nil, nonce, data, nil)
+
+	return bytes.Join([][]byte{nonce, encryptedData}, nil), nil
+}
+
+func (b *backend) sealReader(w io.Reader) (io.Reader, error) {
+
+	plaintextData, err := ioutil.ReadAll(w)
+	if err != nil {
+		return nil, err
+	}
+	d, err := b.seal(plaintextData)
+	if err != nil {
+		return nil, err
+	}
+	return bytes.NewBuffer(d), nil
+}
+
+func (b *backend) open(cipherdata []byte, err error) ([]byte, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	nonceSize := b.AEAD.NonceSize()
+	if len(cipherdata) < nonceSize {
+		return nil, errors.New("encrypted data too short")
+	}
+
+	nonce, cipherdata := cipherdata[:nonceSize], cipherdata[nonceSize:]
+	return b.AEAD.Open(nil, nonce, cipherdata, nil)
+}
+
+func (b *backend) openReadCloserer(rc io.ReadCloser, err error) (io.ReadCloser, error) {
+	if err != nil {
+		return nil, err
+	}
+	plaintextdata, err := b.open(ioutil.ReadAll(rc))
+	if err != nil {
+		return nil, err
+	}
+	defer rc.Close()
+
+	return ioutil.NopCloser(bytes.NewBuffer(plaintextdata)), nil
+}