explicit enable

broadinstitute · Jul 23, 2024 · 863e51a · 863e51a
1 parent 309cd26
commit 863e51a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/sherlock/config/default_config.yaml b/sherlock/config/default_config.yaml
@@ -109,10 +109,14 @@ oidc:
   # after it has been rotated. This should be longer than all token durations so that we
   # continue to respect our own signatures until they'd expire on their own.
   signingKeyPostRotationDuration: 2h
-  # When passed, Sherlock will use Google Cloud KMS to symmetrically encrypt the private keys it
-  # stores in its own database. This is a defense-in-depth measure to prevent key leakage in the
-  # event of SQL injection or other database compromise.
-  signingKeyEncryptionKMSKeyName:
+  # When enabled, Sherlock will use Google Cloud KMS to symmetrically encrypt the private keys
+  # it stores in its own database. This is a defense-in-depth measure to prevent key leakage in
+  # the event of SQL injection or other database compromise.
+  #
+  # This must be true when mode is not "debug".
+  signingKeyEncryptionKMSEnable: false
+  # The fully-qualified name of the KMS key to use when signingKeyEncryptionKMSEnable is true.
+  signingKeyEncryptionKMSKeyName: projects/some-project/locations/some-location/keyRings/some-key-ring/cryptoKeys/some-key
 
 
 auth:

diff --git a/sherlock/internal/oidc_models/boot.go b/sherlock/internal/oidc_models/boot.go
@@ -17,9 +17,9 @@ var (
 )
 
 func Init(ctx context.Context, db *gorm.DB) error {
-	kmsKey = config.Config.String("oidc.signingKeyEncryptionKMSKeyName")
-	var err error
-	if kmsKey != "" {
+	if config.Config.Bool("oidc.signingKeyEncryptionKMSEnable") {
+		kmsKey = config.Config.String("oidc.signingKeyEncryptionKMSKeyName")
+		var err error
 		kmsClient, err = kms.NewKeyManagementClient(ctx)
 		if err != nil {
 			return fmt.Errorf("error creating KMS client: %w", err)
@@ -32,10 +32,14 @@ func Init(ctx context.Context, db *gorm.DB) error {
 		} else if response.Purpose != kmspb.CryptoKey_ENCRYPT_DECRYPT {
 			return fmt.Errorf("KMS key '%s' is not an encrypt/decrypt key", kmsKey)
 		}
+	} else if config.Config.String("mode") != "debug" {
+		return fmt.Errorf("oidc.signingKeyEncryptionKMSEnable is false, but mode is not debug")
 	}
-	if err = rotateSigningKeys(ctx, db); err != nil {
+
+	if err := rotateSigningKeys(ctx, db); err != nil {
 		return fmt.Errorf("error rotating oidc signing keys: %w", err)
 	}
+
 	return initProvider(db)
 }