894046ef5a
- DAG architecture: `dag show/validate/export` (nulib/main_provisioning/dag.nu),
config loader (lib_provisioning/config/loader/dag.nu), taskserv dag-executor.
Backed by schemas/lib/dag/*.ncl; orchestrator emits NATS events via
WorkspaceComposition::into_workflow. See ADR-020, ADR-021.
- Unified Component Architecture: components/mod.nu, main_provisioning/
{components,workflow,extensions,ontoref-queries}.nu. Full workflow engine with
topological sort and NATS subject emission. Blocks A-H complete (libre-daoshi).
- Commands-registry: nulib/commands-registry.ncl (Nickel source, 314 lines) +
JSON cache at ~/.cache/provisioning/commands-registry.json rebuilt on source
change. cli/provisioning fast-path alias expansion avoids cold Nu startup.
ADDING_COMMANDS.md documents new-command workflow.
- Platform service manager: service-manager.nu (+573), startup.nu (+611),
service-check.nu (+255); autostart/bootstrap/health/target refactored.
- Nushell 0.112.2 migration: removed all try/catch and bash redirections;
external commands prefixed with ^; type signatures enforced. Driven by
scripts/refactor-try-catch{,-simplified}.nu.
- TTY stack: removed shlib/*-tty.sh; replaced by cli/tty-dispatch.sh,
tty-filter.sh, tty-commands.conf.
- New domain modules: images/ (golden image lifecycle), workspace/{state,sync}.nu,
main_provisioning/{bootstrap,cluster-deploy,fip,state}.nu, commands/{state,
build,integrations/auth,utilities/alias}.nu, platform.nu expanded (+874).
- Config loader overhaul: loader/core.nu slimmed (-759), cache/core.nu
refactored (-454), removed legacy loaders/file_loader.nu (-330).
- Thirteen new provisioning-<domain>.nu top-level modules for bash dispatcher.
- Tests: test_workspace_state.nu (+351); updates to test_oci_registry,
test_services.
- README + CHANGELOG updated.
377 lines
10 KiB
Text
377 lines
10 KiB
Text
# KMS Plugin Wrapper with HTTP Fallback
|
|
# Provides graceful degradation to HTTP/CLI when nu_plugin_kms is unavailable
|
|
|
|
use ../config/accessor.nu *
|
|
|
|
# Check if KMS plugin is available (registered with Nushell)
|
|
def is-plugin-available [] {
|
|
let installed = (version | get installed_plugins)
|
|
$installed | str contains "kms"
|
|
}
|
|
|
|
# Check if KMS plugin is enabled in config
|
|
def is-plugin-enabled [] {
|
|
config-get "plugins.kms_enabled" true
|
|
}
|
|
|
|
# Get KMS service base URL
|
|
def get-kms-url [] {
|
|
config-get "platform.kms_service.url" "http://localhost:8090"
|
|
}
|
|
|
|
# Get default KMS backend
|
|
def get-default-backend [] {
|
|
config-get "security.kms.backend" "rustyvault"
|
|
}
|
|
|
|
# Helper to safely execute a closure and return null on error
|
|
def try-plugin [callback: closure] {
|
|
do -i $callback
|
|
}
|
|
|
|
# Encrypt data using KMS
|
|
export def plugin-kms-encrypt [
|
|
data: string
|
|
--backend: string = "" # rustyvault, age, vault, cosmian, aws-kms
|
|
--context: string = "" # Additional authenticated data
|
|
--key-id: string = "" # Specific key ID
|
|
] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
let backend_name = if ($backend | is-empty) { get-default-backend } else { $backend }
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
let args = if ($context | is-empty) and ($key_id | is-empty) {
|
|
[encrypt $data --backend $backend_name]
|
|
} else if ($context | is-empty) {
|
|
[encrypt $data --backend $backend_name --key-id $key_id]
|
|
} else if ($key_id | is-empty) {
|
|
[encrypt $data --backend $backend_name --context $context]
|
|
} else {
|
|
[encrypt $data --backend $backend_name --context $context --key-id $key_id]
|
|
}
|
|
|
|
kms ...$args
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS encrypt failed, falling back to HTTP/CLI"
|
|
}
|
|
|
|
# HTTP fallback - call KMS service directly
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/encrypt"
|
|
|
|
let result = (do -i {
|
|
let body = {data: $data, backend: $backend_name}
|
|
http post $url $body
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
error make {
|
|
msg: "KMS encryption failed"
|
|
label: {
|
|
text: $"Failed to encrypt data with backend ($backend_name)"
|
|
span: (metadata $data).span
|
|
}
|
|
}
|
|
}
|
|
|
|
# Decrypt data using KMS
|
|
export def plugin-kms-decrypt [
|
|
ciphertext: string
|
|
--backend: string = "" # rustyvault, age, vault, cosmian, aws-kms
|
|
--context: string = "" # Additional authenticated data
|
|
--key-id: string = "" # Specific key ID
|
|
] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
let backend_name = if ($backend | is-empty) { get-default-backend } else { $backend }
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
let args = if ($context | is-empty) and ($key_id | is-empty) {
|
|
[decrypt $ciphertext --backend $backend_name]
|
|
} else if ($context | is-empty) {
|
|
[decrypt $ciphertext --backend $backend_name --key-id $key_id]
|
|
} else if ($key_id | is-empty) {
|
|
[decrypt $ciphertext --backend $backend_name --context $context]
|
|
} else {
|
|
[decrypt $ciphertext --backend $backend_name --context $context --key-id $key_id]
|
|
}
|
|
|
|
kms ...$args
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS decrypt failed, falling back to HTTP/CLI"
|
|
}
|
|
|
|
# HTTP fallback - call KMS service directly
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/decrypt"
|
|
|
|
let result = (do -i {
|
|
let body = {ciphertext: $ciphertext, backend: $backend_name}
|
|
http post $url $body
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
error make {
|
|
msg: "KMS decryption failed"
|
|
label: {
|
|
text: $"Failed to decrypt data with backend ($backend_name)"
|
|
span: (metadata $ciphertext).span
|
|
}
|
|
}
|
|
}
|
|
|
|
# Generate new encryption key
|
|
export def plugin-kms-generate-key [
|
|
--backend: string = "" # rustyvault, age, vault, cosmian, aws-kms
|
|
--key-type: string = "aes256" # aes256, rsa2048, rsa4096, ed25519
|
|
--name: string = "" # Key name/alias
|
|
] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
let backend_name = if ($backend | is-empty) { get-default-backend } else { $backend }
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
let args = if ($name | is-empty) {
|
|
[generate-key --backend $backend_name --key-type $key_type]
|
|
} else {
|
|
[generate-key --backend $backend_name --key-type $key_type --name $name]
|
|
}
|
|
|
|
kms ...$args
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS generate-key failed, falling back to HTTP"
|
|
}
|
|
|
|
# HTTP fallback
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/keys/generate"
|
|
|
|
let body = if ($name | is-empty) {
|
|
{backend: $backend_name, key_type: $key_type}
|
|
} else {
|
|
{backend: $backend_name, key_type: $key_type, name: $name}
|
|
}
|
|
|
|
let result = (do -i {
|
|
http post $url $body
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
error make {
|
|
msg: "KMS key generation failed"
|
|
label: {
|
|
text: $"Failed to generate key with backend ($backend_name)"
|
|
}
|
|
}
|
|
}
|
|
|
|
# Get KMS service status
|
|
export def plugin-kms-status [] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
kms status
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS status failed, falling back to HTTP"
|
|
}
|
|
|
|
# HTTP fallback
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/health"
|
|
|
|
let result = (do -i {
|
|
http get $url
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
{
|
|
status: "unavailable"
|
|
message: "KMS service unreachable"
|
|
}
|
|
}
|
|
|
|
# List available KMS backends
|
|
export def plugin-kms-backends [] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
kms backends
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS backends failed, falling back to HTTP"
|
|
}
|
|
|
|
# HTTP fallback
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/backends"
|
|
|
|
let result = (do -i {
|
|
let response = (http get $url)
|
|
$response.backends? | default []
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
# Return known backends as fallback
|
|
[
|
|
{name: "rustyvault", available: true, description: "RustyVault KMS (primary)"}
|
|
{name: "age", available: true, description: "Age encryption"}
|
|
{name: "vault", available: false, description: "HashiCorp Vault"}
|
|
{name: "cosmian", available: false, description: "Cosmian KMS"}
|
|
{name: "aws-kms", available: false, description: "AWS Key Management Service"}
|
|
]
|
|
}
|
|
|
|
# Rotate encryption key
|
|
export def plugin-kms-rotate-key [
|
|
key_id: string
|
|
--backend: string = "" # rustyvault, age, vault, cosmian, aws-kms
|
|
] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
let backend_name = if ($backend | is-empty) { get-default-backend } else { $backend }
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
kms rotate-key $key_id --backend $backend_name
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS rotate-key failed, falling back to HTTP"
|
|
}
|
|
|
|
# HTTP fallback
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/keys/rotate"
|
|
|
|
let result = (do -i {
|
|
http post $url {backend: $backend_name, key_id: $key_id}
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
error make {
|
|
msg: "KMS key rotation failed"
|
|
label: {
|
|
text: $"Failed to rotate key ($key_id) with backend ($backend_name)"
|
|
span: (metadata $key_id).span
|
|
}
|
|
}
|
|
}
|
|
|
|
# List encryption keys
|
|
export def plugin-kms-list-keys [
|
|
--backend: string = "" # rustyvault, age, vault, cosmian, aws-kms
|
|
] {
|
|
let enabled = is-plugin-enabled
|
|
let available = is-plugin-available
|
|
let backend_name = if ($backend | is-empty) { get-default-backend } else { $backend }
|
|
|
|
if $enabled and $available {
|
|
let plugin_result = (try-plugin {
|
|
kms list-keys --backend $backend_name
|
|
})
|
|
|
|
if $plugin_result != null {
|
|
return $plugin_result
|
|
}
|
|
|
|
print "⚠️ Plugin KMS list-keys failed, falling back to HTTP"
|
|
}
|
|
|
|
# HTTP fallback
|
|
print "⚠️ nu_plugin_kms not available - using HTTP fallback for key management"
|
|
|
|
let kms_url = (get-kms-url)
|
|
let url = $"($kms_url)/api/keys?backend=($backend_name)"
|
|
|
|
let result = (do -i {
|
|
let response = (http get $url)
|
|
$response.keys? | default []
|
|
})
|
|
|
|
if $result != null {
|
|
return $result
|
|
}
|
|
|
|
[]
|
|
}
|
|
|
|
# Get KMS plugin status and configuration
|
|
export def plugin-kms-info [] {
|
|
let plugin_available = is-plugin-available
|
|
let plugin_enabled = is-plugin-enabled
|
|
let default_backend = get-default-backend
|
|
let kms_url = get-kms-url
|
|
|
|
{
|
|
plugin_available: $plugin_available
|
|
plugin_enabled: $plugin_enabled
|
|
default_backend: $default_backend
|
|
kms_service_url: $kms_url
|
|
mode: (if ($plugin_enabled and $plugin_available) { "plugin" } else { "http" })
|
|
}
|
|
}
|