ENG-1632: Add org key custody backend (client-hosted HTTPS key service)#3814
Open
mitchell-as wants to merge 1 commit into
Add the key-custody backend for private ingredients: a provider that fetches the organization's single AES-256 key from the customer-hosted HTTPS key service, validates it, and caches it for the run.

- internal/runbits/orgkey: the Provider, the v1 org-key contract validation (schema/org/algorithm/encoding, base64 decode, fingerprint match via artifactcrypto), and the HTTPS backend (https-only, TLS 1.2+ with a configured CA or pinned cert, optional mTLS, bearer token from an env var or file, bounded timeout, no redirects). The key is held in memory for the run with an opt-in 0600 on-disk cache for headless/offline/CI.
- Config options for the URL, CA, mTLS cert/key, bearer-token source, and the on-disk cache opt-in, registered in the package's init() and settable via state config.
- subshell scrubs the configured bearer-token env var from child process environments.
- pkg/runtime gains a WithDecryptionKey option as the consume-side injection seam, and orgkey exposes a header pre-flight key check. The custody backend lives caller-side and is not imported by pkg/runtime, which stays CGO-free.

Wiring into the publish and consume flows lands with ENG-1634 and ENG-1635.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The next piece of the private ingredient work (ENG-1563). It lets the State Tool fetch an organization's single encryption key from the customer's own HTTPS key service, verify it's the right key, and reuse it for the run. The key is read only from the customer's service and never reaches ActiveState.
This adds the key provider, its configuration (settable via state config), and the seams the publish and consume flows will use. The actual wiring into publish and pull lands with ENG-1634 and ENG-1635.

Base branch: this targets mitchell/eng-1631 (in review as #3813) so the diff shows only this change. Once that merges, GitHub will retarget this PR to version/0-48-1-RC2.

Covered by tests for the fetch paths, TLS enforcement, key validation, caching, and the env scrub.
🤖 Generated with Claude Code
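The commit message and description above list the controls the HTTPS backend enforces (https-only URL, TLS 1.2+ against a configured CA or pinned cert, bearer token, bounded timeout, no redirects) and the v1 contract checks (schema/org/algorithm/encoding, base64 decode, 32-byte AES-256 key, fingerprint match). The Go program below is an added, stand-alone illustration of those two pieces; it is not code from this PR or from the State Tool repository. Everything about the wire format is an assumption made for the example: the field names of the org-key document, the literal values `org-key/v1`, `AES-256` and `base64`, the fingerprint being lowercase hex SHA-256 of the raw key (the real check goes through artifactcrypto), the `/v1/org-key` path, the org name `acme` and the token `demo-token`. The in-memory run cache, the 0600 on-disk cache, mTLS, reading the token from an env var or file, and the subshell env scrub are not shown.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// orgKeyDoc is this example's assumed shape of the v1 org-key document; the
// field names and the fingerprint definition are assumptions, not the project's.
type orgKeyDoc struct {
	Schema, Org, Algorithm, Encoding, Key, Fingerprint string
}

// Config carries the options the PR lists, minus the mTLS cert/key.
type Config struct {
	URL, Org, Bearer string
	RootCAs          *x509.CertPool // the configured CA, or the service's pinned cert
	Timeout          time.Duration
}

// FetchOrgKey fetches and validates the key over a hardened client: https-only,
// TLS 1.2+, only the configured CA trusted, no redirects, bounded timeout.
func FetchOrgKey(ctx context.Context, cfg Config) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, cfg.URL, nil)
	if err != nil || req.URL.Scheme != "https" || cfg.RootCAs == nil || cfg.Timeout <= 0 {
		return nil, fmt.Errorf("org key fetch needs a valid https URL, a trusted CA and a bounded timeout")
	}
	req.Header.Set("Authorization", "Bearer "+cfg.Bearer)
	client := &http.Client{
		Timeout: cfg.Timeout,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12, RootCAs: cfg.RootCAs}},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return fmt.Errorf("key service redirect refused")
		},
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("key service returned %s", resp.Status)
	}
	var doc orgKeyDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return nil, fmt.Errorf("org key document is not valid JSON: %w", err)
	}
	return validateOrgKey(doc, cfg.Org)
}

// validateOrgKey enforces the contract: schema/org/algorithm/encoding, 32-byte base64 key, fingerprint.
func validateOrgKey(doc orgKeyDoc, wantOrg string) ([]byte, error) {
	if doc.Schema != "org-key/v1" || doc.Org != wantOrg || doc.Algorithm != "AES-256" || doc.Encoding != "base64" {
		return nil, fmt.Errorf("not an org-key/v1 AES-256 base64 document for org %q", wantOrg)
	}
	key, err := base64.StdEncoding.DecodeString(doc.Key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key must be base64 of exactly 32 bytes")
	}
	if Fingerprint(key) != doc.Fingerprint {
		return nil, fmt.Errorf("key fingerprint mismatch")
	}
	return key, nil
}

// Fingerprint is the assumed fingerprint scheme: lowercase hex SHA-256 of the raw key.
func Fingerprint(key []byte) string { return fmt.Sprintf("%x", sha256.Sum256(key)) }

// runDemo serves a constructed document from a local TLS server that requires the bearer token, pins its cert, and fetches the key.
func runDemo() ([]byte, error) {
	raw := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	doc := orgKeyDoc{"org-key/v1", "acme", "AES-256", "base64", base64.StdEncoding.EncodeToString(raw), Fingerprint(raw)}
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer demo-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(doc)
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // pin the service's own cert as the sole trust anchor
	return FetchOrgKey(context.Background(), Config{URL: srv.URL + "/v1/org-key",
		Org: "acme", RootCAs: pool, Bearer: "demo-token", Timeout: 5 * time.Second})
}

func main() {
	key, err := runDemo()
	fmt.Printf("fetched %d-byte org key, fingerprint %s, err=%v\n", len(key), Fingerprint(key), err)
}
```

Two design points worth noting. A nil `RootCAs` is rejected rather than falling back to the system roots, because the whole point of the configured CA or pinned cert is that a public CA cannot issue a certificate the client will accept for the key service. Redirects are refused outright instead of being followed even to other https hosts, so the bearer token is only ever sent to the configured URL.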