

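// Run generates a new identity, protects its private key with AWS KMS
// and writes the resulting identity as JSON to the task output writer.
//
// The private key generator is chosen from t.Version (legacy, modern
// or NIST). When FIPS mode is enabled, the P-384 generator is used
// regardless of t.Version, and t.Version is not validated in that case.
//
// The serialized private key payload is envelope-encrypted: the payload
// is sealed with ChaCha20-Poly1305 and the data key is wrapped by the
// KMS key identified by t.KeyID. The private key Encoding label carries a
// BLAKE2b-256 digest of t.KeyID rather than the key identifier itself.
//
// Returns an error when the description is blank, the identity version
// is unsupported, the AWS session or KMS service cannot be initialized,
// encryption fails, or the identity cannot be written to the output.
func (t *IdentityTask) Run(ctx context.Context) error {
	// Check arguments
	if t.Description == "" {
		return fmt.Errorf("description must not be blank")
	}

	// Select the private key generator for the requested identity version.
	generator, err := t.privateKeyGenerator()
	if err != nil {
		return err
	}

	// Create the identity and its private key payload.
	id, payload, err := identity.New(rand.Reader, t.Description, generator)
	if err != nil {
		return fmt.Errorf("unable to create new identity: %w", err)
	}

	// Prepare the AWS session; a misconfigured environment is reported as an
	// error rather than a panic so callers can handle it.
	sess, err := session.NewSessionWithOptions(session.Options{
		SharedConfigState: session.SharedConfigEnable,
	})
	if err != nil {
		return fmt.Errorf("unable to initialize AWS session: %w", err)
	}

	// Key encryption: the data key is wrapped by the KMS key t.KeyID.
	awsKMSService, err := awskms.Service(kms.New(sess), t.KeyID)
	if err != nil {
		return fmt.Errorf("unable to initialize KMS service: %w", err)
	}

	// Data encryption: the payload is sealed with ChaCha20-Poly1305.
	transformer, err := envelope.Transformer(awsKMSService, aead.Chacha20Poly1305)
	if err != nil {
		return fmt.Errorf("unable to initialize envelope transformer: %w", err)
	}

	// Encrypt the private key payload.
	cipherText, err := transformer.To(ctx, payload)
	if err != nil {
		return fmt.Errorf("unable to encrypt identity payload: %w", err)
	}

	// The encoding label carries a digest of the KMS key ID so the identity
	// can be matched to its wrapping key without embedding the identifier.
	keyIDDigest := blake2b.Sum256([]byte(t.KeyID))

	// Wrap the private key in its encrypted, encoded form.
	id.Private = &identity.PrivateKey{
		Encoding: fmt.Sprintf("kms:aws:%s", base64.RawURLEncoding.EncodeToString(keyIDDigest[:])),
		Content:  base64.RawURLEncoding.EncodeToString(cipherText),
	}

	// Retrieve the output writer.
	// NOTE(review): the handle is not closed here; presumably OutputWriter
	// or the caller owns its lifecycle — confirm.
	writer, err := t.OutputWriter(ctx)
	if err != nil {
		return fmt.Errorf("unable to retrieve output writer handle: %w", err)
	}

	// Serialize the identity.
	if err := json.NewEncoder(writer).Encode(id); err != nil {
		return fmt.Errorf("unable to serialize final identity: %w", err)
	}

	return nil
}

// privateKeyGenerator returns the key generator matching t.Version.
//
// When FIPS mode is enabled, P-384 is always selected and t.Version is
// ignored. Otherwise an unsupported version yields an error.
func (t *IdentityTask) privateKeyGenerator() (identity.PrivateKeyGeneratorFunc, error) {
	if fips.Enabled() {
		return key.P384, nil
	}

	switch t.Version {
	case LegacyIdentity:
		return key.Legacy, nil
	case ModernIdentity:
		return key.Ed25519, nil
	case NISTIdentity:
		return key.P384, nil
	default:
		return nil, fmt.Errorf("invalid or unsupported identity version '%d'", t.Version)
	}
}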