# Copyright 2018 The Fuchsia Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
declare_args() {
  # CloudKMS resource name of the key ring (within the fuchsia infra GCE
  # project) that holds the test-secret crypto keys. Overridable as a GN arg
  # so that a different project/ring can be used without editing this file.
  cloudkms_key_dir = "projects/fuchsia-infra/locations/global/keyRings/test-secrets/cryptoKeys"
}
# Describes a 'secret', a plaintext to be supplied to a test at runtime. The
# JSON spec of the secret and its associated ciphertext file will be written to
# $root_build_dir/secret_specs/$target_name.json
# and
# $root_build_dir/secret_specs/ciphertext/$target_name.ciphertext
# respectively.
#
# Parameters
#
# key_name
# Required: Name of the CloudKMS key used for encryption. The key is assumed to
# live under $cloudkms_key_dir (see declare_args above), which by default is
# projects/fuchsia-infra/locations/global/keyRings/test-secrets/cryptoKeys/<key_name>
#
# ciphertext_file
# Required: Relative path to a text file containing the encrypted plaintext
# (maximum 64KiB)
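# Emits the secret spec JSON and stages the ciphertext for one test secret.
#
# Produces:
#   $root_build_dir/secret_specs/$target_name.json
#   $root_build_dir/secret_specs/ciphertext/$target_name.ciphertext
#
# Invoker parameters: key_name (required), ciphertext_file (required).
template("secret_spec") {
  assert(defined(invoker.key_name), "key_name must be defined.")
  assert(defined(invoker.ciphertext_file), "ciphertext_file must be defined.")

  # An empty key name would produce a key path ending in "/", i.e. the key
  # ring itself rather than a key; fail at gen time instead of at test time.
  # NOTE(review): key_name is interpolated into the resource path unvalidated
  # beyond this; a value containing "/" would name a different resource.
  assert(invoker.key_name != "", "key_name must not be empty.")

  secret_spec_dir = "$root_build_dir/secret_specs"

  # Stage the committed ciphertext under a stable, target-derived name so the
  # runtime can locate it alongside the spec. The 64KiB limit mentioned in the
  # header comment is not enforced here.
  copy(target_name) {
    sources = [ invoker.ciphertext_file ]
    outputs = [ "$secret_spec_dir/ciphertext/$target_name.ciphertext" ]
  }

  # Spec consumed at test runtime: the full CloudKMS key path that decrypts the
  # ciphertext, and the ciphertext location as given by the invoker (the
  # invoker-relative path, not the copied output path above).
  secret_spec = {
    cloudkms_key_path = "$cloudkms_key_dir/${invoker.key_name}"
    ciphertext_file = invoker.ciphertext_file
  }
  write_file("$secret_spec_dir/$target_name.json", secret_spec, "json")
}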