Add symmetric encryption methods

.vscode/settings.json

@@ -11,6 +11,17 @@
         "./crates/infisical-c/Cargo.toml",
         "./crates/infisical-py/Cargo.toml"
     ],
-    "cSpell.words": ["dotenv", "infisical", "libinfisical", "openapi", "openapitools", "quicktype", "reqwest"],
+    "cSpell.words": [
+        "ciphertext",
+        "dotenv",
+        "indicies",
+        "infisical",
+        "libinfisical",
+        "openapi",
+        "openapitools",
+        "quicktype",
+        "reqwest",
+        "rngs"
+    ],
     "java.configuration.updateBuildConfiguration": "interactive"
 }

crates/infisical-json/src/client.rs

@@ -29,11 +29,23 @@ impl Client {
         };
 
         match cmd {
+            // Infisical secrets
             Command::GetSecret(req) => self.0.secrets().get(&req).await.into_string(),
             Command::ListSecrets(req) => self.0.secrets().list(&req).await.into_string(),
             Command::CreateSecret(req) => self.0.secrets().create(&req).await.into_string(),
             Command::UpdateSecret(req) => self.0.secrets().update(&req).await.into_string(),
             Command::DeleteSecret(req) => self.0.secrets().delete(&req).await.into_string(),
+
+            // Symmetric cryptography
+            Command::DecryptSymmetric(req) => {
+                self.0.cryptography().decrypt_symmetric(&req).into_string()
+            }
+            Command::EncryptSymmetric(req) => {
+                self.0.cryptography().encrypt_symmetric(&req).into_string()
+            }
+            Command::CreateSymmetricKey(_) => {
+                self.0.cryptography().create_symmetric_key().into_string()
+            }
         }
     }
 

crates/infisical-json/src/command.rs

@@ -1,18 +1,31 @@
-use infisical::manager::{
-    client_secrets::{CreateSecretOptions, GetSecretOptions, UpdateSecretOptions},
-    secrets::{DeleteSecretOptions, ListSecretsOptions},
+use infisical::manager::secrets::{
+    CreateSecretOptions, DeleteSecretOptions, GetSecretOptions, ListSecretsOptions,
+    UpdateSecretOptions,
 };
+
+use infisical::manager::cryptography::{DecryptSymmetricOptions, EncryptSymmetricOptions};
+
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 #[derive(Serialize, Deserialize, JsonSchema, Debug)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
+// QuickType (our type generator), won't recognize the CreateSymmetricKey command unless it has an input. Super annoying, and this is quite a hacky workaround.
+// This should be revised in the future.
+pub struct ArbitraryOptions {
+    pub data: String,
+}
 
-// We expand this later
+#[derive(Serialize, Deserialize, JsonSchema, Debug)]
+#[serde(rename_all = "camelCase", deny_unknown_fields)]
 pub enum Command {
     GetSecret(GetSecretOptions),
     ListSecrets(ListSecretsOptions),
     CreateSecret(CreateSecretOptions),
     UpdateSecret(UpdateSecretOptions),
     DeleteSecret(DeleteSecretOptions),
+
+    CreateSymmetricKey(ArbitraryOptions),
+    EncryptSymmetric(EncryptSymmetricOptions),
+    DecryptSymmetric(DecryptSymmetricOptions),
 }

crates/infisical-py/infisical_client/__init__.py

@@ -7,4 +7,10 @@
 from .schemas import CreateSecretOptions as CreateSecretOptions
 from .schemas import ListSecretsOptions as ListSecretsOptions
 from .schemas import ClientSettings as ClientSettings
-from .schemas import SecretElement as SecretElement
+from .schemas import SecretElement as SecretElement
+
+from .schemas import EncryptSymmetricOptions as EncryptSymmetricOptions
+from .schemas import EncryptSymmetricResponse as EncryptSymmetricResponse
+
+from .schemas import DecryptSymmetricOptions as DecryptSymmetricOptions
+from .schemas import DecryptSymmetricResponse as DecryptSymmetricResponse

crates/infisical-py/infisical_client/infisical_client.py

@@ -6,6 +6,12 @@
 from .schemas import UpdateSecretOptions, ResponseForUpdateSecretResponse
 from .schemas import DeleteSecretOptions, ResponseForDeleteSecretResponse
 from .schemas import CreateSecretOptions, ResponseForCreateSecretResponse
+
+from .schemas import EncryptSymmetricOptions, EncryptSymmetricResponse, ResponseForEncryptSymmetricResponse
+from .schemas import DecryptSymmetricOptions, DecryptSymmetricResponse, ResponseForDecryptSymmetricResponse
+
+from .schemas import ArbitraryOptions, ResponseForCreateSymmetricKeyResponse
+
 import infisical_py
 import os
 
@@ -58,4 +64,22 @@ def deleteSecret(self, options: DeleteSecretOptions) -> SecretElement:
     def createSecret(self, options: CreateSecretOptions) -> SecretElement:
         result = self._run_command(Command(create_secret=options))
 
-        return ResponseForCreateSecretResponse.from_dict(result).data.secret
+        return ResponseForCreateSecretResponse.from_dict(result).data.secret
+
+    def createSymmetricKey(self) -> str:
+
+        arbitraryOptions = ArbitraryOptions(data="")
+
+        result = self._run_command(Command(create_symmetric_key=arbitraryOptions))
+
+        return ResponseForCreateSymmetricKeyResponse.from_dict(result).data.key
+
+    def encryptSymmetric(self, options: EncryptSymmetricOptions) -> EncryptSymmetricResponse:
+        result = self._run_command(Command(encrypt_symmetric=options))
+
+        return ResponseForEncryptSymmetricResponse.from_dict(result).data
+
+    def decryptSymmetric(self, options: DecryptSymmetricOptions) -> str:
+        result = self._run_command(Command(decrypt_symmetric=options))
+
+        return ResponseForDecryptSymmetricResponse.from_dict(result).data.decrypted

crates/infisical/Cargo.toml

@@ -46,3 +46,4 @@ env_logger = "0.10.1"
 seeded-random = "0.6.0"
 serial_test = "2.0.0"
 dotenv = "0.15.0"
+aes-gcm = "0.10.3"

crates/infisical/src/api/secrets/update_secret.rs

@@ -3,7 +3,6 @@ use crate::error::api_error_handler;
 use crate::helper::build_base_request;
 use crate::manager::secrets::{UpdateSecretOptions, UpdateSecretResponse};
 use crate::{error::Result, Client};
-use log::debug;
 use reqwest::StatusCode;
 
 pub async fn update_secret_request(
@@ -34,15 +33,6 @@ pub async fn update_secret_request(
         Err(e) => return Err(e),
     };
 
-    let token = match client.auth.access_token {
-        Some(ref token) => format!("Bearer {}", token),
-        None => "".to_string(),
-    };
-
-    debug!("Creating secret with token: {}", token);
-    debug!("Creating secret with JSON body: {:?}", json);
-    debug!("Creating secret with url: {}", base_url);
-
     let response = request.json(json).send().await?;
     let status = response.status();
 

crates/infisical/src/error.rs

@@ -18,6 +18,15 @@ pub enum Error {
     #[error("Something unexpected went wrong.")]
     UnknownError,
 
+    #[error("Failed to create symmetric key: {}", .message)]
+    CreateSymmetricKeyError { message: String },
+
+    #[error("Failed to encrypt symmetric key: {}", .message)]
+    EncryptSymmetricKeyError { message: String },
+
+    #[error("Failed to decrypt symmetric key: {}", .message)]
+    DecryptSymmetricKeyError { message: String },
+
     #[error("Missing access token.")]
     MissingAccessToken,
 

crates/infisical/src/manager/client_cryptography.rs

@@ -0,0 +1,40 @@
+use crate::{error::Result, Client};
+
+// DELETE SECRET
+use super::cryptography::{
+    decrypt_symmetric::{decrypt_symmetric, DecryptSymmetricOptions},
+    encrypt_symmetric::{encrypt_symmetric, EncryptSymmetricOptions, EncryptSymmetricResponse},
+    CreateSymmetricKeyResponse, DecryptSymmetricResponse,
+};
+pub use crate::manager::cryptography::create_symmetric_key::create_symmetric_key;
+
+#[allow(dead_code)]
+pub struct ClientCryptography<'a> {
+    pub(crate) client: &'a mut crate::Client,
+}
+
+impl<'a> ClientCryptography<'a> {
+    pub fn create_symmetric_key(&'a mut self) -> Result<CreateSymmetricKeyResponse> {
+        create_symmetric_key()
+    }
+
+    pub fn encrypt_symmetric(
+        &'a mut self,
+        input: &EncryptSymmetricOptions,
+    ) -> Result<EncryptSymmetricResponse> {
+        encrypt_symmetric(input)
+    }
+
+    pub fn decrypt_symmetric(
+        &'a mut self,
+        input: &DecryptSymmetricOptions,
+    ) -> Result<DecryptSymmetricResponse> {
+        decrypt_symmetric(input)
+    }
+}
+
+impl<'a> Client {
+    pub fn cryptography(&'a mut self) -> ClientCryptography<'a> {
+        ClientCryptography { client: self }
+    }
+}

crates/infisical/src/manager/cryptography/create_symmetric_key.rs

@@ -0,0 +1,26 @@
+use crate::error::Result;
+use base64::engine::Engine;
+use rand::Rng;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+macro_rules! b64_encode {
+    ($key:expr) => {
+        base64::engine::general_purpose::STANDARD.encode($key)
+    };
+}
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct CreateSymmetricKeyResponse {
+    pub key: String,
+}
+
+pub fn create_symmetric_key() -> Result<CreateSymmetricKeyResponse> {
+    // Generate a 256-bit key (32 bytes * 8 bits/byte)
+    let key: Vec<u8> = rand::thread_rng().gen::<[u8; 32]>().to_vec();
+
+    let encoded_key = b64_encode!(key);
+
+    return Ok(CreateSymmetricKeyResponse { key: encoded_key });
+}

crates/infisical/src/manager/cryptography/decrypt_symmetric.rs

@@ -0,0 +1,71 @@
+use crate::error::{Error, Result};
+use aes::cipher::generic_array::GenericArray;
+use aes_gcm::{
+    aead::{Aead, KeyInit},
+    Aes256Gcm,
+};
+use base64::engine::Engine;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize}; // Assuming you are using the 'aes-gcm' crate
+
+macro_rules! b64_decode {
+    ($key:expr) => {
+        base64::engine::general_purpose::STANDARD.decode($key)
+    };
+}
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct DecryptSymmetricOptions {
+    pub key: String,
+    pub ciphertext: String,
+    pub iv: String,
+    pub tag: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct DecryptSymmetricResponse {
+    pub decrypted: String,
+}
+
+pub fn decrypt_symmetric(input: &DecryptSymmetricOptions) -> Result<DecryptSymmetricResponse> {
+    let decoded_tag = b64_decode!(&input.tag).map_err(|e| Error::DecryptSymmetricKeyError {
+        message: e.to_string(),
+    })?;
+    let decoded_key = b64_decode!(&input.key).map_err(|e| Error::DecryptSymmetricKeyError {
+        message: e.to_string(),
+    })?;
+    let iv = b64_decode!(&input.iv).map_err(|e| Error::DecryptSymmetricKeyError {
+        message: e.to_string(),
+    })?;
+    let mut decoded_ciphertext =
+        b64_decode!(&input.ciphertext).map_err(|e| Error::DecryptSymmetricKeyError {
+            message: e.to_string(),
+        })?;
+
+    // We modify the ciphertext a little bit here to remove the pre-existing tag, and append the tag that was provided as a parameter.
+    //decoded_ciphertext.truncate(decoded_ciphertext.len() - 16);
+    decoded_ciphertext.extend_from_slice(&decoded_tag);
+
+    let nonce = GenericArray::from_slice(&iv);
+
+    let cipher =
+        Aes256Gcm::new_from_slice(&decoded_key).map_err(|e| Error::DecryptSymmetricKeyError {
+            message: e.to_string(),
+        })?;
+
+    let plaintext_bytes = cipher
+        .decrypt(nonce, decoded_ciphertext.as_ref())
+        .map_err(|e| Error::DecryptSymmetricKeyError {
+            message: e.to_string(),
+        })?;
+
+    return Ok(DecryptSymmetricResponse {
+        decrypted: String::from_utf8(plaintext_bytes)
+            .map_err(|e| Error::DecryptSymmetricKeyError {
+                message: e.to_string(),
+            })
+            .expect("Failed to convert bytes to string."),
+    });
+}

crates/infisical/src/manager/cryptography/encrypt_symmetric.rs

@@ -0,0 +1,79 @@
+use crate::error::{Error, Result};
+use aes_gcm::{
+    aead::{Aead, KeyInit},
+    Aes256Gcm,
+};
+use base64::engine::Engine;
+use rand::{rngs::OsRng, RngCore};
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+macro_rules! b64_encode {
+    ($key:expr) => {
+        base64::engine::general_purpose::STANDARD.encode($key)
+    };
+}
+
+macro_rules! b64_decode {
+    ($key:expr) => {
+        base64::engine::general_purpose::STANDARD.decode($key)
+    };
+}
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct EncryptSymmetricOptions {
+    pub key: String,
+    pub plaintext: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct EncryptSymmetricResponse {
+    pub ciphertext: String,
+    pub iv: String,
+    pub tag: String,
+}
+
+pub fn encrypt_symmetric(input: &EncryptSymmetricOptions) -> Result<EncryptSymmetricResponse> {
+    let key = &input.key;
+    let plaintext = &input.plaintext;
+
+    // Generate a random IV
+    let mut iv = [0u8; 12];
+    OsRng.fill_bytes(&mut iv);
+
+    let decoded_key = b64_decode!(key).map_err(|e| Error::EncryptSymmetricKeyError {
+        message: e.to_string(),
+    })?;
+
+    // Create a new AES256-GCM instance
+    let cipher = Aes256Gcm::new_from_slice(decoded_key.as_slice()).map_err(|e| {
+        Error::EncryptSymmetricKeyError {
+            message: e.to_string(),
+        }
+    })?;
+
+    let ciphertext_r = &cipher
+        .encrypt(&iv.into(), plaintext.as_bytes())
+        .map_err(|e| Error::EncryptSymmetricKeyError {
+            message: e.to_string(),
+        });
+
+    let mut ciphertext = ciphertext_r.as_ref().unwrap().clone();
+
+    // we need to take the last 16 bytes of the ciphertext and remove it from the ciphertext, and append it to the tag.
+
+    let encryption_tag = &ciphertext.clone()[&ciphertext.clone().len() - 16..]; // This line is a bit confusing, but it basically takes the last 16 bytes of the ciphertext and stores it in a variable.
+    ciphertext.truncate(ciphertext.len() - 16); // This line removes the last 16 bytes of the ciphertext.
+
+    let encoded_ciphertext = b64_encode!(&ciphertext.clone());
+    let encoded_iv = b64_encode!(iv);
+    let encoded_tag = b64_encode!(encryption_tag);
+
+    return Ok(EncryptSymmetricResponse {
+        ciphertext: encoded_ciphertext,
+        iv: encoded_iv,
+        tag: encoded_tag,
+    });
+}