deb.open-vault/http/sys_init.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package http

import (
	"context"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"

	"github.com/hashicorp/vault/vault"
)

func handleSysInit(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "GET":
			handleSysInitGet(core, w, r)
		case "PUT", "POST":
			handleSysInitPut(core, w, r)
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
		}
	})
}

func handleSysInitGet(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	init, err := core.Initialized(context.Background())
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	respondOk(w, &InitStatusResponse{
		Initialized: init,
	})
}

func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	ctx := context.Background()

	// Parse the request
	var req InitRequest
	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	// Validate init request parameters
	if err := validateInitParameters(core, req); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	// Initialize
	barrierConfig := &vault.SealConfig{
		SecretShares:    req.SecretShares,
		SecretThreshold: req.SecretThreshold,
		StoredShares:    req.StoredShares,
		PGPKeys:         req.PGPKeys,
	}

	recoveryConfig := &vault.SealConfig{
		SecretShares:    req.RecoveryShares,
		SecretThreshold: req.RecoveryThreshold,
		PGPKeys:         req.RecoveryPGPKeys,
	}

	initParams := &vault.InitParams{
		BarrierConfig:   barrierConfig,
		RecoveryConfig:  recoveryConfig,
		RootTokenPGPKey: req.RootTokenPGPKey,
	}

	result, initErr := core.Initialize(ctx, initParams)
	if initErr != nil {
		if vault.IsFatalError(initErr) {
			respondError(w, http.StatusBadRequest, initErr)
			return
		} else {
			// Add a warnings field? The error will be logged in the vault log
			// already.
		}
	}

	// Encode the keys
	keys := make([]string, 0, len(result.SecretShares))
	keysB64 := make([]string, 0, len(result.SecretShares))
	for _, k := range result.SecretShares {
		keys = append(keys, hex.EncodeToString(k))
		keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
	}

	resp := &InitResponse{
		Keys:      keys,
		KeysB64:   keysB64,
		RootToken: result.RootToken,
	}

	if len(result.RecoveryShares) > 0 {
		resp.RecoveryKeys = make([]string, 0, len(result.RecoveryShares))
		resp.RecoveryKeysB64 = make([]string, 0, len(result.RecoveryShares))
		for _, k := range result.RecoveryShares {
			resp.RecoveryKeys = append(resp.RecoveryKeys, hex.EncodeToString(k))
			resp.RecoveryKeysB64 = append(resp.RecoveryKeysB64, base64.StdEncoding.EncodeToString(k))
		}
	}

	if err := core.UnsealWithStoredKeys(ctx); err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	respondOk(w, resp)
}

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys,omitempty"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse struct {
	Initialized bool `json:"initialized"`
}

// Validates if the right parameters are used based on AutoUnseal
func validateInitParameters(core *vault.Core, req InitRequest) error {
	recoveryFlags := make([]string, 0)
	barrierFlags := make([]string, 0)

	if req.SecretShares != 0 {
		barrierFlags = append(barrierFlags, "secret_shares")
	}
	if req.SecretThreshold != 0 {
		barrierFlags = append(barrierFlags, "secret_threshold")
	}
	if len(req.PGPKeys) != 0 {
		barrierFlags = append(barrierFlags, "pgp_keys")
	}
	if req.RecoveryShares != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_shares")
	}
	if req.RecoveryThreshold != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_threshold")
	}
	if len(req.RecoveryPGPKeys) != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_pgp_keys")
	}

	switch core.SealAccess().RecoveryKeySupported() {
	case true:
		if len(barrierFlags) > 0 {
			return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(barrierFlags, ","), core.SealAccess().BarrierType())
		}
	default:
		if len(recoveryFlags) > 0 {
			return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(recoveryFlags, ","), core.SealAccess().BarrierType())
		}

	}
	return nil
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package http`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"encoding/hex"`
			`"fmt"`
			`"net/http"`
			`"strings"`

			`"github.com/hashicorp/vault/vault"`
			`)`

			`func handleSysInit(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`switch r.Method {`
			`case "GET":`
			`handleSysInitGet(core, w, r)`
			`case "PUT", "POST":`
			`handleSysInitPut(core, w, r)`
			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`}`
			`})`
			`}`

			`func handleSysInitGet(core vault.Core, w http.ResponseWriter, r http.Request) {`
			`init, err := core.Initialized(context.Background())`
			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`respondOk(w, &InitStatusResponse{`
			`Initialized: init,`
			`})`
			`}`

			`func handleSysInitPut(core vault.Core, w http.ResponseWriter, r http.Request) {`
			`ctx := context.Background()`

			`// Parse the request`
			`var req InitRequest`
			`if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

			`// Validate init request parameters`
			`if err := validateInitParameters(core, req); err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

			`// Initialize`
			`barrierConfig := &vault.SealConfig{`
			`SecretShares: req.SecretShares,`
			`SecretThreshold: req.SecretThreshold,`
			`StoredShares: req.StoredShares,`
			`PGPKeys: req.PGPKeys,`
			`}`

			`recoveryConfig := &vault.SealConfig{`
			`SecretShares: req.RecoveryShares,`
			`SecretThreshold: req.RecoveryThreshold,`
			`PGPKeys: req.RecoveryPGPKeys,`
			`}`

			`initParams := &vault.InitParams{`
			`BarrierConfig: barrierConfig,`
			`RecoveryConfig: recoveryConfig,`
			`RootTokenPGPKey: req.RootTokenPGPKey,`
			`}`

			`result, initErr := core.Initialize(ctx, initParams)`
			`if initErr != nil {`
			`if vault.IsFatalError(initErr) {`
			`respondError(w, http.StatusBadRequest, initErr)`
			`return`
			`} else {`
			`// Add a warnings field? The error will be logged in the vault log`
			`// already.`
			`}`
			`}`

			`// Encode the keys`
			`keys := make([]string, 0, len(result.SecretShares))`
			`keysB64 := make([]string, 0, len(result.SecretShares))`
			`for _, k := range result.SecretShares {`
			`keys = append(keys, hex.EncodeToString(k))`
			`keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))`
			`}`

			`resp := &InitResponse{`
			`Keys: keys,`
			`KeysB64: keysB64,`
			`RootToken: result.RootToken,`
			`}`

			`if len(result.RecoveryShares) > 0 {`
			`resp.RecoveryKeys = make([]string, 0, len(result.RecoveryShares))`
			`resp.RecoveryKeysB64 = make([]string, 0, len(result.RecoveryShares))`
			`for _, k := range result.RecoveryShares {`
			`resp.RecoveryKeys = append(resp.RecoveryKeys, hex.EncodeToString(k))`
			`resp.RecoveryKeysB64 = append(resp.RecoveryKeysB64, base64.StdEncoding.EncodeToString(k))`
			`}`
			`}`

			`if err := core.UnsealWithStoredKeys(ctx); err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`respondOk(w, resp)`
			`}`

			`type InitRequest struct {`
			SecretShares int `json:"secret_shares"`
			SecretThreshold int `json:"secret_threshold"`
			StoredShares int `json:"stored_shares"`
			PGPKeys []string `json:"pgp_keys"`
			RecoveryShares int `json:"recovery_shares"`
			RecoveryThreshold int `json:"recovery_threshold"`
			RecoveryPGPKeys []string `json:"recovery_pgp_keys"`
			RootTokenPGPKey string `json:"root_token_pgp_key"`
			`}`

			`type InitResponse struct {`
			Keys []string `json:"keys"`
			KeysB64 []string `json:"keys_base64"`
			RecoveryKeys []string `json:"recovery_keys,omitempty"`
			RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
			RootToken string `json:"root_token"`
			`}`

			`type InitStatusResponse struct {`
			Initialized bool `json:"initialized"`
			`}`

			`// Validates if the right parameters are used based on AutoUnseal`
			`func validateInitParameters(core *vault.Core, req InitRequest) error {`
			`recoveryFlags := make([]string, 0)`
			`barrierFlags := make([]string, 0)`

			`if req.SecretShares != 0 {`
			`barrierFlags = append(barrierFlags, "secret_shares")`
			`}`
			`if req.SecretThreshold != 0 {`
			`barrierFlags = append(barrierFlags, "secret_threshold")`
			`}`
			`if len(req.PGPKeys) != 0 {`
			`barrierFlags = append(barrierFlags, "pgp_keys")`
			`}`
			`if req.RecoveryShares != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_shares")`
			`}`
			`if req.RecoveryThreshold != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_threshold")`
			`}`
			`if len(req.RecoveryPGPKeys) != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_pgp_keys")`
			`}`

			`switch core.SealAccess().RecoveryKeySupported() {`
			`case true:`
			`if len(barrierFlags) > 0 {`
			`return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(barrierFlags, ","), core.SealAccess().BarrierType())`
			`}`
			`default:`
			`if len(recoveryFlags) > 0 {`
			`return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(recoveryFlags, ","), core.SealAccess().BarrierType())`
			`}`

			`}`
			`return nil`
			`}`