From 863e51a03ad881694c9e8acf7cdc26f116a70f9f Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 23 Jul 2024 10:55:46 -0400 Subject: [PATCH] explicit enable --- sherlock/config/default_config.yaml | 12 ++++++++---- sherlock/internal/oidc_models/boot.go | 12 ++++++++---- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/sherlock/config/default_config.yaml b/sherlock/config/default_config.yaml index 8758eb91d..a2577384c 100644 --- a/sherlock/config/default_config.yaml +++ b/sherlock/config/default_config.yaml @@ -109,10 +109,14 @@ oidc: # after it has been rotated. This should be longer than all token durations so that we # continue to respect our own signatures until they'd expire on their own. signingKeyPostRotationDuration: 2h - # When passed, Sherlock will use Google Cloud KMS to symmetrically encrypt the private keys it - # stores in its own database. This is a defense-in-depth measure to prevent key leakage in the - # event of SQL injection or other database compromise. - signingKeyEncryptionKMSKeyName: + # When enabled, Sherlock will use Google Cloud KMS to symmetrically encrypt the private keys + # it stores in its own database. This is a defense-in-depth measure to prevent key leakage in + # the event of SQL injection or other database compromise. + # + # This must be true when mode is not "debug". + signingKeyEncryptionKMSEnable: false + # The fully-qualified name of the KMS key to use when signingKeyEncryptionKMSEnable is true. + signingKeyEncryptionKMSKeyName: projects/some-project/locations/some-location/keyRings/some-key-ring/cryptoKeys/some-key auth: diff --git a/sherlock/internal/oidc_models/boot.go b/sherlock/internal/oidc_models/boot.go index 08bc38a4f..a37351526 100644 --- a/sherlock/internal/oidc_models/boot.go +++ b/sherlock/internal/oidc_models/boot.go 
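Review bot: The new default for `signingKeyEncryptionKMSKeyName` is a placeholder resource path (`projects/some-project/...`) rather than an empty value, and nothing in the comment says it is an example to be replaced. Because `signingKeyEncryptionKMSEnable` defaults to false the placeholder is inert, but a deployment that flips the flag without overriding the name will only discover the problem when boot tries to look the key up. I would add a line to the comment above it: `# Example only; any deployment that enables KMS must override this with its real key resource name.` The comment could also say that a non-debug mode now refuses to start when the flag is false, which is the behaviour boot.go enforces in this same commit.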
@@ -17,9 +17,9 @@ var ( ) func Init(ctx context.Context, db *gorm.DB) error { - kmsKey = config.Config.String("oidc.signingKeyEncryptionKMSKeyName") - var err error - if kmsKey != "" { + if config.Config.Bool("oidc.signingKeyEncryptionKMSEnable") { + kmsKey = config.Config.String("oidc.signingKeyEncryptionKMSKeyName") + var err error kmsClient, err = kms.NewKeyManagementClient(ctx) if err != nil { return fmt.Errorf("error creating KMS client: %w", err) @@ -32,10 +32,14 @@ func Init(ctx context.Context, db *gorm.DB) error { } else if response.Purpose != kmspb.CryptoKey_ENCRYPT_DECRYPT { return fmt.Errorf("KMS key '%s' is not an encrypt/decrypt key", kmsKey) } + } else if config.Config.String("mode") != "debug" { + return fmt.Errorf("oidc.signingKeyEncryptionKMSEnable is false, but mode is not debug") } - if err = rotateSigningKeys(ctx, db); err != nil { + + if err := rotateSigningKeys(ctx, db); err != nil { return fmt.Errorf("error rotating oidc signing keys: %w", err) } + return initProvider(db) }
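Review bot: Gating on the boolean drops the `kmsKey != ""` guard the old code had, so with `signingKeyEncryptionKMSEnable: true` and an empty `signingKeyEncryptionKMSKeyName` the function proceeds to build a KMS client and query an empty key name, and the operator gets whatever error the API returns instead of a clear configuration error. A fail-fast check right after the assignment would make the misconfiguration obvious: `if kmsKey == "" { return fmt.Errorf("oidc.signingKeyEncryptionKMSEnable is true but oidc.signingKeyEncryptionKMSKeyName is empty") }`. This matters because, as far as the hunk shows, `kmsKey` is a package-level variable that the rest of the package presumably consults to decide whether stored private keys are encrypted, so leaving it empty while the flag is true should not be a reachable state. The body of `Init` continues past the end of this hunk.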
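Review bot: The new `fmt.Errorf("oidc.signingKeyEncryptionKMSEnable is false, but mode is not debug")` has no format verbs and wraps nothing, so `errors.New` is the idiomatic form; including the actual mode value would also help whoever reads the boot log, e.g. `return fmt.Errorf("oidc.signingKeyEncryptionKMSEnable is false, but mode is %q rather than debug", mode)` with `mode := config.Config.String("mode")` read once above the branch. If the project already defines a constant for the debug mode name, comparing against it rather than the literal `"debug"` would keep this fail-closed check from silently drifting if the mode string is ever renamed. The `Init` function starts in the previous hunk and its KMS setup lines are outside this one.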