Asherah是一款多语言、跨平台的应用加密SDK.zip

# Encrypt/decrypt sample application for AWS Lambda The encrypt/decrypt sample application demonstrates the use of Asherah SDK to perform application-level encryption operations in an AWS Lambda function. > This example is based on the [Blank function sample application](https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/blank-go) found in the [AWS Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html). ### Prerequisites * [The AWS CLI (version 2)](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) and access to an AWS account * [Go v1.15+](https://golang.org/doc/install) * The Bash shell * [jq](https://stedolan.github.io/jq/) - a lightweight and flexible command-line JSON processor In addition, the steps that follow assume the `lambda-exec` role already exists within your AWS account. If you know this function execution role already exists, you're ready to [get started](#setup). Otherwise, see [this section](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-awscli.html#with-userapp-walkthrough-custom-events-create-iam-role) of the AWS Lambda tutorial for more information. Likewise, the sample application is configured to use AWS KMS for master key operations and DynamoDB as a metastore. You will need to ensure the above role has sufficient access to these services and associated resources or function execution will result in error. For more information on these topics see [Key Management Service](/docs/KeyManagementService.md) and [Metastore](/docs/Metastore.md) in the Asherah documentation. ## Setup Clone this repository and navigate to the sample application's root directory. ```console $ git clone git@github.com:godaddy/asherah.git $ cd asherah/samples/go/aws/lambda ``` Add the following to your [configuration file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (`~/.aws/config`) to enable loading of raw JSON events with the AWS CLI v2: ``` cli_binary_format=raw-in-base64-out ``` Create the `lambda-exec` role, if needed. ```console $ aws iam create-role --role-name lambda-exec --assume-role-policy-document file://policy.json { "Role": { "Path": "/", "RoleName": "lambda-exec", "RoleId": "AROAWOYE3S3E7IEJN54CD", "Arn": "arn:aws:iam::123456789012:role/lambda-exec", "CreateDate": "2021-01-10T20:05:52+00:00", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } } } ``` The file `policy.json` is a JSON document in the current directory that defines the trust policy for the role. In this case the policy allows Lambda to use the role's permissions via the `AssumeRole` action. Example `policy.json` ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` Now you can add permissions to the role, starting with the `AWSLambdaBasicExecutionRole` managed policy. ```console $ aws iam attach-role-policy \ --role-name lambda-exec \ --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole ``` The above command will need to be repeated for any additional permissions. The sample application will also need permissions granted by the following policies: * `arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess`: a managed policy granting write only permissions to AWS X-Ray * `arn:aws:iam::123456789012:policy/asherah-kms-access`: a customer managed policy granting access to a customer master key, see [KMS Permissions](/docs/KeyManagementService.md#creating-an-aws-kms-key). * `arn:aws:iam::123456789012:policy/asherah-dynamodb-access`: a customer managed policy granting access to a DynamoDB table, see [Metastore: DynamoDB](/docs/Metastore.md#dynamodb) Modify the provided [template.yml](template.yml) file by replacing the placeholder KMS Key and Role ARNs. Your updated `template.yml` file should now resemble the following: ```yaml AWSTemplateFormatVersion: '2010-09-09' Transform: 'AWS::Serverless-2016-10-31' Description: An AWS Lambda application that demonstrates Asherah encrypt/decrypt operations. Resources: function: Type: AWS::Serverless::Function Properties: Environment: Variables: ASHERAH_KMS_KEY_ARN: arn:aws:kms:us-west-2:123456789012:key/1234abcd-56ef-78ab-90cd-1a2b3c4d5e6f ASHERAH_METASTORE_TABLE_NAME: EncryptionKey Handler: main Runtime: go1.x CodeUri: function/. Description: Performs encrypt/decrypt operations via the Asherah SDK Timeout: 5 # Function's execution role Role: arn:aws:iam::123456789012:role/lambda-exec Tracing: Active ``` Create a new bucket for deployment artifacts, run `1-create-bucket.sh`. ```console $ ./1-create-bucket.sh make_bucket: lambda-artifacts-dc816d4fef315985 ``` ## Deploy To deploy the application, run `2-deploy.sh`. ```console $ ./2-deploy.sh Successfully packaged artifacts and wrote output template to file out/out.yml. Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - sample-lambda-go ``` This script uses AWS CloudFormation to deploy the Lambda function. If the AWS CloudFormation stack that contains the resources already exists, the script updates it with any changes to the template or function code. ## Test To invoke the function, run `3-invoke.sh`. ```console $ ./3-invoke.sh Encrypt ======= invoking function with encrypt payload: {"Name":"encrypt-partition-1","Partition":"partition-1","Payload":"bXlzdXBlcnNlY3JldHRleHQ="} ------- Response received (modified): {"Results":{"Key":{"Created":1610062226,"Key":"Uz4jvKT4EiRMfee7pmgW/r1etnLvu/vChsGGsQ3dJHvm8OXK9eeODxP+mPJoM/0i/yytwA48wP1jsM03","ParentKeyMeta":{"KeyId":"_IK_partition-1_asherah-samples_lambda-sample-app","Created":1607473080}},"Data":"gapc/YbQrhAgCAmovpI/Q64ICs3kQSv2QVNkcaCtsIFy3fAIV1C4+11ObOHO"},"Metrics":{"InvocationCount":1,"SecretsAllocated":3,"SecretsInUse":2}} Decrypt ======= invoking function with decrypt payload: {"Name":"decrypt-partition-1","Partition":"partition-1","DRR":{"Key":{"Created":1610062226,"Key":"Uz4jvKT4EiRMfee7pmgW/r1etnLvu/vChsGGsQ3dJHvm8OXK9eeODxP+mPJoM/0i/yytwA48wP1jsM03","ParentKeyMeta":{"KeyId":"_IK_partition-1_asherah-samples_lambda-sample-app","Created":1607473080}},"Data":"gapc/YbQrhAgCAmovpI/Q64ICs3kQSv2QVNkcaCtsIFy3fAIV1C4+11ObOHO"}} ------- Response received (modified): {"Results":"mysupersecrettext","Metrics":{"InvocationCount":2,"SecretsAllocated":3,"SecretsInUse":2}} ``` Now, assuming all went as planned, your console output should resemble the above. Cool, but what just happened? ### Taking a closer look... The script invokes the function two times, printing the results as it goes, then exits. As seen above, the payload used for the first is a string that contains an event in JSON format. ```json {"Name":"encrypt-partition-1","Partition":"partition-1","Payload":"bXlzdXBlcnNlY3JldHRleHQ="} ``` This event is handled by the sample application as an _encryption request_, prompting the app to use the Asherah SDK to encrypt the provided payload and return the encryption result. Next, the script invokes the function with the following: ```json {"Name":"decrypt-partition-1","Partition":"partition-1","DRR":{...}} ``` This time the event handled as a _decryption request_, prompting the app to use the Asherah SDK to decrypt the cyphertext contained in this payload's DRR. Note that the DRR embedded in this payload is the same DRR provided by the encryption result above. ## The code The Go module containing