Google KMS plugin

Author: alex-codefresh

README.md

@@ -20,3 +20,4 @@ See each plugin readme for more info and usage instructions.
 | [Twistlock](plugins/cfstep-twistlock) | Security scanning of docker images using Twistlock | `security` |
 | [Clair](plugins/clair/README.md) |  Security scanning of Docker images using Clair | `security` |
 | [Import Docker Images](plugins/import-docker-images/README.md) | Import Docker images metadata into Codefresh| `docker` `codefresh`|
+| [Google KMS](plugins/google-kms/README.md) | Encryption/Decryption with Google KMS| `KMS` `codefresh`|

plugins/google-kms/Dockerfile

@@ -0,0 +1,10 @@
+FROM google/cloud-sdk:alpine
+
+WORKDIR /kms
+
+RUN apk -U add jq bash 
+ENV PATH=${PATH}:/kms
+
+COPY google-kms.sh ./kms
+
+

plugins/google-kms/README.md

@@ -0,0 +1,27 @@
+odefresh Google KMS plugin
+
+This plugin facilitates work with Google Key Management Service for such operations like *encrypting* and *decrypting*
+
+# Usage
+
+kms [OPERATION] [VALUE_1] [VALUE_n...]
+
+Set the plugin required environment variables for the pipeline and use the plugin as a freestyle step with a command like:
+
+```yaml
+GoogleKMS:
+    image: codefresh/google-kms
+    commands: 
+      - kms encrypt VALUE_1 VALUE_n
+```
+where VALUE_1 and VALUE_n are the **names** of the environment variables containing the values you need to encrypt or decrypt.
+
+The operation is mutable and when the step finishes the variables with the same names will contain encrypted values. For decryption the process is similar
+
+# Required environment variables
+
+- `KMS_PROJECT` - GCP project name in which your KMS entities are present
+- `KMS_LOCATION` - Google KMS location
+- `KMS_KEYRING` - Google KMS keyring
+- `KMS_KEY` - Google KMS key
+- `GCP_SA_KEY` - [Google Service Account Key (JSON)](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)

plugins/google-kms/google-kms.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for pluginVar in KMS_PROJECT KMS_LOCATION KMS_KEYRING KMS_KEY
+    do
+        if [ -z ${!pluginVar} ]; then echo $pluginVar is not set, stopping...; exit 1; fi
+    done
+
+echo $GCP_SA_KEY > google-app-creds.json
+export GOOGLE_APPLICATION_CREDENTIALS=$(realpath google-app-creds.json)
+operation=$1
+
+
+function encrypt () {
+
+    hashedtext=$(echo $2 | base64 | tr -d '\n') 
+    cf_export $1=$(curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/$KMS_PROJECT/locations/$KMS_LOCATION/keyRings/$KMS_KEYRING/cryptoKeys/$KMS_KEY:encrypt" \
+        -d "{\"plaintext\":\"$hashedtext\"}" \
+        -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
+        -H "Content-Type:application/json" | jq '.ciphertext' --raw-output )
+
+    }
+
+function decrypt {
+
+	cf_export $1=$(curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/$KMS_PROJECT/locations/$KMS_LOCATION/keyRings/$KMS_KEYRING/cryptoKeys/$KMS_KEY:decrypt" \
+        -d "{\"ciphertext\":\"$2\"}" \
+        -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
+        -H "Content-Type:application/json" | jq '.plaintext' --raw-output | base64 -d)
+    
+    }
+
+for secret in "${@: 2}"
+    do
+        $operation $secret ${!secret}
+    done