2022-05-12 20:29:52 +00:00
|
|
|
package structs
|
|
|
|
|
2022-05-19 18:19:56 +00:00
|
|
|
import (
|
2022-06-27 19:51:01 +00:00
|
|
|
"bytes"
|
2022-06-14 17:28:10 +00:00
|
|
|
"errors"
|
2022-05-25 19:05:30 +00:00
|
|
|
"fmt"
|
2022-05-27 13:33:41 +00:00
|
|
|
"reflect"
|
2022-07-19 20:17:34 +00:00
|
|
|
"strings"
|
2022-05-19 18:19:56 +00:00
|
|
|
"time"
|
|
|
|
|
2022-05-25 19:05:30 +00:00
|
|
|
// note: this is aliased so that it's more noticeable if someone
|
|
|
|
// accidentally swaps it out for math/rand via running goimports
|
|
|
|
cryptorand "crypto/rand"
|
|
|
|
|
|
|
|
"github.com/hashicorp/nomad/helper"
|
2022-05-19 18:19:56 +00:00
|
|
|
"github.com/hashicorp/nomad/helper/uuid"
|
|
|
|
)
|
2022-05-12 20:29:52 +00:00
|
|
|
|
2022-05-27 13:33:41 +00:00
|
|
|
const (
|
2022-08-15 15:19:53 +00:00
|
|
|
// SecureVariablesApplyRPCMethod is the RPC method for upserting or
|
|
|
|
// deleting a secure variable by its namespace and path, with optional
|
|
|
|
// conflict detection.
|
2022-05-27 13:33:41 +00:00
|
|
|
//
|
2022-08-15 15:19:53 +00:00
|
|
|
// Args: SecureVariablesApplyRequest
|
|
|
|
// Reply: SecureVariablesApplyResponse
|
|
|
|
SecureVariablesApplyRPCMethod = "SecureVariables.Apply"
|
2022-05-27 13:33:41 +00:00
|
|
|
|
|
|
|
// SecureVariablesListRPCMethod is the RPC method for listing secure
|
|
|
|
// variables within Nomad.
|
|
|
|
//
|
|
|
|
// Args: SecureVariablesListRequest
|
|
|
|
// Reply: SecureVariablesListResponse
|
|
|
|
SecureVariablesListRPCMethod = "SecureVariables.List"
|
|
|
|
|
|
|
|
// SecureVariablesGetServiceRPCMethod is the RPC method for fetching a
|
|
|
|
// secure variable according to its namepace and path.
|
|
|
|
//
|
|
|
|
// Args: SecureVariablesByNameRequest
|
|
|
|
// Reply: SecureVariablesByNameResponse
|
|
|
|
SecureVariablesReadRPCMethod = "SecureVariables.Read"
|
2022-07-20 18:46:43 +00:00
|
|
|
|
|
|
|
// maxVariableSize is the maximum size of the unencrypted contents of
|
|
|
|
// a variable. This size is deliberately set low and is not
|
|
|
|
// configurable, to discourage DoS'ing the cluster
|
|
|
|
maxVariableSize = 16384
|
2022-05-27 13:33:41 +00:00
|
|
|
)
|
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
// SecureVariableMetadata is the metadata envelope for a Secure Variable, it
|
|
|
|
// is the list object and is shared data between an SecureVariableEncrypted and
|
|
|
|
// a SecureVariableDecrypted object.
|
|
|
|
type SecureVariableMetadata struct {
|
2022-05-12 20:29:52 +00:00
|
|
|
Namespace string
|
|
|
|
Path string
|
|
|
|
CreateIndex uint64
|
2022-06-27 19:51:01 +00:00
|
|
|
CreateTime int64
|
2022-05-12 20:29:52 +00:00
|
|
|
ModifyIndex uint64
|
2022-06-27 19:51:01 +00:00
|
|
|
ModifyTime int64
|
2022-06-14 17:28:10 +00:00
|
|
|
}
|
2022-05-12 20:29:52 +00:00
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
// SecureVariableEncrypted structs are returned from the Encrypter's encrypt
|
|
|
|
// method. They are the only form that should ever be persisted to storage.
|
|
|
|
type SecureVariableEncrypted struct {
|
|
|
|
SecureVariableMetadata
|
|
|
|
SecureVariableData
|
2022-05-12 20:29:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// SecureVariableData is the secret data for a Secure Variable
|
|
|
|
type SecureVariableData struct {
|
|
|
|
Data []byte // includes nonce
|
|
|
|
KeyID string // ID of root key used to encrypt this entry
|
|
|
|
}
|
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
// SecureVariableDecrypted structs are returned from the Encrypter's decrypt
|
|
|
|
// method. Since they contains sensitive material, they should never be
|
|
|
|
// persisted to disk.
|
|
|
|
type SecureVariableDecrypted struct {
|
|
|
|
SecureVariableMetadata
|
|
|
|
Items SecureVariableItems
|
|
|
|
}
|
|
|
|
|
|
|
|
// SecureVariableItems are the actual secrets stored in a secure variable. They
|
|
|
|
// are always encrypted and decrypted as a single unit.
|
|
|
|
type SecureVariableItems map[string]string
|
|
|
|
|
2022-07-20 18:46:43 +00:00
|
|
|
func (svi SecureVariableItems) Size() uint64 {
|
|
|
|
var out uint64
|
|
|
|
for k, v := range svi {
|
|
|
|
out += uint64(len(k))
|
|
|
|
out += uint64(len(v))
|
|
|
|
}
|
|
|
|
return out
|
|
|
|
}
|
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
// Equals checks both the metadata and items in a SecureVariableDecrypted
|
|
|
|
// struct
|
|
|
|
func (v1 SecureVariableDecrypted) Equals(v2 SecureVariableDecrypted) bool {
|
|
|
|
return v1.SecureVariableMetadata.Equals(v2.SecureVariableMetadata) &&
|
|
|
|
v1.Items.Equals(v2.Items)
|
2022-06-14 17:28:10 +00:00
|
|
|
}
|
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
// Equals is a convenience method to provide similar equality checking
|
|
|
|
// syntax for metadata and the SecureVariablesData or SecureVariableItems
|
|
|
|
// struct
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv SecureVariableMetadata) Equals(sv2 SecureVariableMetadata) bool {
|
|
|
|
return sv == sv2
|
|
|
|
}
|
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
// Equals performs deep equality checking on the cleartext items
|
|
|
|
// of a SecureVariableDecrypted. Uses reflect.DeepEqual
|
|
|
|
func (i1 SecureVariableItems) Equals(i2 SecureVariableItems) bool {
|
|
|
|
return reflect.DeepEqual(i1, i2)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Equals checks both the metadata and encrypted data for a
|
|
|
|
// SecureVariableEncrypted struct
|
|
|
|
func (v1 SecureVariableEncrypted) Equals(v2 SecureVariableEncrypted) bool {
|
|
|
|
return v1.SecureVariableMetadata.Equals(v2.SecureVariableMetadata) &&
|
|
|
|
v1.SecureVariableData.Equals(v2.SecureVariableData)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Equals performs deep equality checking on the encrypted data part
|
|
|
|
// of a SecureVariableEncrypted
|
|
|
|
func (d1 SecureVariableData) Equals(d2 SecureVariableData) bool {
|
|
|
|
return d1.KeyID == d2.KeyID &&
|
|
|
|
bytes.Equal(d1.Data, d2.Data)
|
2022-06-14 17:28:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (sv SecureVariableDecrypted) Copy() SecureVariableDecrypted {
|
2022-06-27 19:51:01 +00:00
|
|
|
return SecureVariableDecrypted{
|
2022-06-14 17:28:10 +00:00
|
|
|
SecureVariableMetadata: sv.SecureVariableMetadata,
|
2022-06-27 19:51:01 +00:00
|
|
|
Items: sv.Items.Copy(),
|
2022-05-13 17:11:27 +00:00
|
|
|
}
|
2022-06-27 19:51:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (sv SecureVariableItems) Copy() SecureVariableItems {
|
|
|
|
out := make(SecureVariableItems, len(sv))
|
|
|
|
for k, v := range sv {
|
|
|
|
out[k] = v
|
2022-05-13 17:11:27 +00:00
|
|
|
}
|
2022-06-14 17:28:10 +00:00
|
|
|
return out
|
2022-05-13 17:11:27 +00:00
|
|
|
}
|
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
func (sv SecureVariableEncrypted) Copy() SecureVariableEncrypted {
|
|
|
|
return SecureVariableEncrypted{
|
|
|
|
SecureVariableMetadata: sv.SecureVariableMetadata,
|
|
|
|
SecureVariableData: sv.SecureVariableData.Copy(),
|
|
|
|
}
|
|
|
|
}
|
2022-06-14 17:28:10 +00:00
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
func (sv SecureVariableData) Copy() SecureVariableData {
|
|
|
|
out := make([]byte, len(sv.Data))
|
|
|
|
copy(out, sv.Data)
|
|
|
|
return SecureVariableData{
|
|
|
|
Data: out,
|
|
|
|
KeyID: sv.KeyID,
|
|
|
|
}
|
2022-05-27 13:33:41 +00:00
|
|
|
}
|
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv SecureVariableDecrypted) Validate() error {
|
2022-07-19 20:17:34 +00:00
|
|
|
|
|
|
|
if len(sv.Path) == 0 {
|
|
|
|
return fmt.Errorf("variable requires path")
|
|
|
|
}
|
|
|
|
parts := strings.Split(sv.Path, "/")
|
|
|
|
switch {
|
|
|
|
case len(parts) == 1 && parts[0] == "nomad":
|
|
|
|
return fmt.Errorf("\"nomad\" is a reserved top-level directory path, but you may write variables to \"nomad/jobs\" or below")
|
|
|
|
case len(parts) >= 2 && parts[0] == "nomad" && parts[1] != "jobs":
|
|
|
|
return fmt.Errorf("only paths at \"nomad/jobs\" or below are valid paths under the top-level \"nomad\" directory")
|
|
|
|
}
|
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
if len(sv.Items) == 0 {
|
|
|
|
return errors.New("empty variables are invalid")
|
|
|
|
}
|
2022-07-20 18:46:43 +00:00
|
|
|
if sv.Items.Size() > maxVariableSize {
|
|
|
|
return errors.New("variables are limited to 16KiB in total size")
|
|
|
|
}
|
2022-07-12 15:15:57 +00:00
|
|
|
if sv.Namespace == AllNamespacesSentinel {
|
|
|
|
return errors.New("can not target wildcard (\"*\")namespace")
|
|
|
|
}
|
2022-05-27 13:33:41 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv *SecureVariableDecrypted) Canonicalize() {
|
2022-05-27 13:33:41 +00:00
|
|
|
if sv.Namespace == "" {
|
|
|
|
sv.Namespace = DefaultNamespace
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-06-27 19:51:01 +00:00
|
|
|
// GetNamespace returns the secure variable's namespace. Used for pagination.
|
|
|
|
func (sv *SecureVariableMetadata) Copy() *SecureVariableMetadata {
|
|
|
|
var out SecureVariableMetadata = *sv
|
|
|
|
return &out
|
|
|
|
}
|
|
|
|
|
2022-05-27 13:33:41 +00:00
|
|
|
// GetNamespace returns the secure variable's namespace. Used for pagination.
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv SecureVariableMetadata) GetNamespace() string {
|
2022-05-27 13:33:41 +00:00
|
|
|
return sv.Namespace
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetID returns the secure variable's path. Used for pagination.
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv SecureVariableMetadata) GetID() string {
|
2022-05-27 13:33:41 +00:00
|
|
|
return sv.Path
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetCreateIndex returns the secure variable's create index. Used for pagination.
|
2022-06-14 17:28:10 +00:00
|
|
|
func (sv SecureVariableMetadata) GetCreateIndex() uint64 {
|
2022-05-27 13:33:41 +00:00
|
|
|
return sv.CreateIndex
|
|
|
|
}
|
|
|
|
|
2022-08-02 13:32:09 +00:00
|
|
|
// SecureVariablesQuota is used to track the total size of secure variables
|
|
|
|
// entries per namespace. The total length of SecureVariable.EncryptedData in
|
|
|
|
// bytes will be added to the SecureVariablesQuota table in the same transaction
|
|
|
|
// as a write, update, or delete. This tracking effectively caps the maximum
|
|
|
|
// size of secure variables in a given namespace to MaxInt64 bytes.
|
2022-05-12 20:29:52 +00:00
|
|
|
type SecureVariablesQuota struct {
|
|
|
|
Namespace string
|
2022-08-02 13:32:09 +00:00
|
|
|
Size int64
|
2022-05-12 20:29:52 +00:00
|
|
|
CreateIndex uint64
|
|
|
|
ModifyIndex uint64
|
|
|
|
}
|
|
|
|
|
2022-06-27 17:17:22 +00:00
|
|
|
func (svq *SecureVariablesQuota) Copy() *SecureVariablesQuota {
|
|
|
|
if svq == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
nq := new(SecureVariablesQuota)
|
|
|
|
*nq = *svq
|
|
|
|
return nq
|
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
// ---------------------------------------
|
|
|
|
// RPC and FSM request/response objects
|
|
|
|
|
|
|
|
// SVOp constants give possible operations available in a transaction.
|
|
|
|
type SVOp string
|
|
|
|
|
|
|
|
const (
|
|
|
|
SVOpSet SVOp = "set"
|
|
|
|
SVOpDelete SVOp = "delete"
|
|
|
|
SVOpDeleteCAS SVOp = "delete-cas"
|
|
|
|
SVOpCAS SVOp = "cas"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SVOpResult constants give possible operations results from a transaction.
|
|
|
|
type SVOpResult string
|
|
|
|
|
|
|
|
const (
|
|
|
|
SVOpResultOk SVOpResult = "ok"
|
|
|
|
SVOpResultConflict SVOpResult = "conflict"
|
|
|
|
SVOpResultRedacted SVOpResult = "conflict-redacted"
|
|
|
|
SVOpResultError SVOpResult = "error"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SecureVariablesApplyRequest is used by users to operate on the secure variable store
|
|
|
|
type SecureVariablesApplyRequest struct {
|
|
|
|
Op SVOp // Operation to be performed during apply
|
|
|
|
Var *SecureVariableDecrypted // Variable-shaped request data
|
2022-05-27 13:33:41 +00:00
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
// SecureVariablesApplyResponse is sent back to the user to inform them of success or failure
|
|
|
|
type SecureVariablesApplyResponse struct {
|
|
|
|
Op SVOp // Operation performed
|
|
|
|
Input *SecureVariableDecrypted // Input supplied
|
|
|
|
Result SVOpResult // Return status from operation
|
|
|
|
Error error // Error if any
|
|
|
|
Conflict *SecureVariableDecrypted // Conflicting value if applicable
|
|
|
|
Output *SecureVariableDecrypted // Operation Result if successful; nil for successful deletes
|
|
|
|
WriteMeta
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SecureVariablesApplyResponse) IsOk() bool {
|
|
|
|
return r.Result == SVOpResultOk
|
2022-06-27 19:51:01 +00:00
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
func (r *SecureVariablesApplyResponse) IsConflict() bool {
|
|
|
|
return r.Result == SVOpResultConflict || r.Result == SVOpResultRedacted
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SecureVariablesApplyResponse) IsError() bool {
|
|
|
|
return r.Result == SVOpResultError
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SecureVariablesApplyResponse) IsRedacted() bool {
|
|
|
|
return r.Result == SVOpResultRedacted
|
|
|
|
}
|
|
|
|
|
|
|
|
// SVApplyStateRequest is used by the FSM to modify the secure variable store
|
|
|
|
type SVApplyStateRequest struct {
|
|
|
|
Op SVOp // Which operation are we performing
|
|
|
|
Var *SecureVariableEncrypted // Which directory entry
|
2022-05-12 20:29:52 +00:00
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
// SVApplyStateResponse is used by the FSM to inform the RPC layer of success or failure
|
|
|
|
type SVApplyStateResponse struct {
|
|
|
|
Op SVOp // Which operation were we performing
|
|
|
|
Result SVOpResult // What happened (ok, conflict, error)
|
|
|
|
Error error // error if any
|
|
|
|
Conflict *SecureVariableEncrypted // conflicting secure variable if applies
|
|
|
|
WrittenSVMeta *SecureVariableMetadata // for making the SecureVariablesApplyResponse
|
2022-05-12 20:29:52 +00:00
|
|
|
WriteMeta
|
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
func (r *SVApplyStateRequest) ErrorResponse(raftIndex uint64, err error) *SVApplyStateResponse {
|
|
|
|
return &SVApplyStateResponse{
|
|
|
|
Op: r.Op,
|
|
|
|
Result: SVOpResultError,
|
|
|
|
Error: err,
|
|
|
|
WriteMeta: WriteMeta{Index: raftIndex},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SVApplyStateRequest) SuccessResponse(raftIndex uint64, meta *SecureVariableMetadata) *SVApplyStateResponse {
|
|
|
|
return &SVApplyStateResponse{
|
|
|
|
Op: r.Op,
|
|
|
|
Result: SVOpResultOk,
|
|
|
|
WrittenSVMeta: meta,
|
|
|
|
WriteMeta: WriteMeta{Index: raftIndex},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SVApplyStateRequest) ConflictResponse(raftIndex uint64, cv *SecureVariableEncrypted) *SVApplyStateResponse {
|
|
|
|
var cvCopy SecureVariableEncrypted
|
|
|
|
if cv != nil {
|
|
|
|
// make a copy so that we aren't sending
|
|
|
|
// the live state store version
|
|
|
|
cvCopy = cv.Copy()
|
|
|
|
}
|
|
|
|
return &SVApplyStateResponse{
|
|
|
|
Op: r.Op,
|
|
|
|
Result: SVOpResultConflict,
|
|
|
|
Conflict: &cvCopy,
|
|
|
|
WriteMeta: WriteMeta{Index: raftIndex},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SVApplyStateResponse) IsOk() bool {
|
|
|
|
return r.Result == SVOpResultOk
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SVApplyStateResponse) IsConflict() bool {
|
|
|
|
return r.Result == SVOpResultConflict
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *SVApplyStateResponse) IsError() bool {
|
|
|
|
// FIXME: This is brittle and requires immense faith that
|
|
|
|
// the response is properly managed.
|
|
|
|
return r.Result == SVOpResultError
|
|
|
|
}
|
|
|
|
|
2022-05-12 20:29:52 +00:00
|
|
|
type SecureVariablesListRequest struct {
|
|
|
|
QueryOptions
|
|
|
|
}
|
|
|
|
|
|
|
|
type SecureVariablesListResponse struct {
|
2022-06-14 17:28:10 +00:00
|
|
|
Data []*SecureVariableMetadata
|
2022-05-12 20:29:52 +00:00
|
|
|
QueryMeta
|
|
|
|
}
|
|
|
|
|
|
|
|
type SecureVariablesReadRequest struct {
|
|
|
|
Path string
|
|
|
|
QueryOptions
|
|
|
|
}
|
|
|
|
|
|
|
|
type SecureVariablesReadResponse struct {
|
2022-06-14 17:28:10 +00:00
|
|
|
Data *SecureVariableDecrypted
|
2022-05-12 20:29:52 +00:00
|
|
|
QueryMeta
|
|
|
|
}
|
|
|
|
|
2022-08-15 15:19:53 +00:00
|
|
|
// ---------------------------------------
|
|
|
|
// Keyring state and RPC objects
|
2022-05-12 20:29:52 +00:00
|
|
|
|
|
|
|
// RootKey is used to encrypt and decrypt secure variables. It is
|
|
|
|
// never stored in raft.
|
|
|
|
type RootKey struct {
|
2022-05-19 20:27:59 +00:00
|
|
|
Meta *RootKeyMeta
|
2022-05-12 20:29:52 +00:00
|
|
|
Key []byte // serialized to keystore as base64 blob
|
|
|
|
}
|
|
|
|
|
2022-05-25 19:05:30 +00:00
|
|
|
// NewRootKey returns a new root key and its metadata.
|
|
|
|
func NewRootKey(algorithm EncryptionAlgorithm) (*RootKey, error) {
|
|
|
|
meta := NewRootKeyMeta()
|
|
|
|
meta.Algorithm = algorithm
|
|
|
|
|
|
|
|
rootKey := &RootKey{
|
|
|
|
Meta: meta,
|
|
|
|
}
|
|
|
|
|
|
|
|
switch algorithm {
|
|
|
|
case EncryptionAlgorithmAES256GCM:
|
2022-06-20 15:06:44 +00:00
|
|
|
const keyBytes = 32
|
|
|
|
key := make([]byte, keyBytes)
|
|
|
|
n, err := cryptorand.Read(key)
|
|
|
|
if err != nil {
|
2022-05-25 19:05:30 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2022-06-20 15:06:44 +00:00
|
|
|
if n < keyBytes {
|
|
|
|
return nil, fmt.Errorf("failed to generate key: entropy exhausted")
|
|
|
|
}
|
2022-05-25 19:05:30 +00:00
|
|
|
rootKey.Key = key
|
|
|
|
}
|
|
|
|
|
|
|
|
return rootKey, nil
|
|
|
|
}
|
|
|
|
|
2022-05-12 20:29:52 +00:00
|
|
|
// RootKeyMeta is the metadata used to refer to a RootKey. It is
|
|
|
|
// stored in raft.
|
|
|
|
type RootKeyMeta struct {
|
2022-06-02 17:41:59 +00:00
|
|
|
KeyID string // UUID
|
|
|
|
Algorithm EncryptionAlgorithm
|
2022-07-20 18:46:57 +00:00
|
|
|
CreateTime int64
|
2022-06-02 17:41:59 +00:00
|
|
|
CreateIndex uint64
|
|
|
|
ModifyIndex uint64
|
2022-07-07 17:48:38 +00:00
|
|
|
State RootKeyState
|
2022-05-12 20:29:52 +00:00
|
|
|
}
|
|
|
|
|
2022-07-07 17:48:38 +00:00
|
|
|
// RootKeyState enum describes the lifecycle of a root key.
|
|
|
|
type RootKeyState string
|
|
|
|
|
|
|
|
const (
|
|
|
|
RootKeyStateInactive RootKeyState = "inactive"
|
|
|
|
RootKeyStateActive = "active"
|
|
|
|
RootKeyStateRekeying = "rekeying"
|
|
|
|
RootKeyStateDeprecated = "deprecated"
|
|
|
|
)
|
|
|
|
|
2022-05-19 18:19:56 +00:00
|
|
|
// NewRootKeyMeta returns a new RootKeyMeta with default values
|
|
|
|
func NewRootKeyMeta() *RootKeyMeta {
|
2022-07-20 18:46:57 +00:00
|
|
|
now := time.Now().UTC().UnixNano()
|
2022-05-19 18:19:56 +00:00
|
|
|
return &RootKeyMeta{
|
|
|
|
KeyID: uuid.Generate(),
|
2022-06-02 17:41:59 +00:00
|
|
|
Algorithm: EncryptionAlgorithmAES256GCM,
|
2022-07-07 17:48:38 +00:00
|
|
|
State: RootKeyStateInactive,
|
2022-07-20 18:46:57 +00:00
|
|
|
CreateTime: now,
|
2022-05-19 18:19:56 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-25 19:05:30 +00:00
|
|
|
// RootKeyMetaStub is for serializing root key metadata to the
|
|
|
|
// keystore, not for the List API. It excludes frequently-changing
|
2022-06-02 17:41:59 +00:00
|
|
|
// fields such as ModifyIndex so we don't have to sync them to the
|
|
|
|
// on-disk keystore when the fields are already in raft.
|
2022-05-25 19:05:30 +00:00
|
|
|
type RootKeyMetaStub struct {
|
|
|
|
KeyID string
|
|
|
|
Algorithm EncryptionAlgorithm
|
2022-07-20 18:46:57 +00:00
|
|
|
CreateTime int64
|
2022-07-07 17:48:38 +00:00
|
|
|
State RootKeyState
|
|
|
|
}
|
|
|
|
|
|
|
|
// Active indicates his key is the one currently being used for
|
|
|
|
// crypto operations (at most one key can be Active)
|
|
|
|
func (rkm *RootKeyMeta) Active() bool {
|
|
|
|
return rkm.State == RootKeyStateActive
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rkm *RootKeyMeta) SetActive() {
|
|
|
|
rkm.State = RootKeyStateActive
|
|
|
|
}
|
|
|
|
|
|
|
|
// Rekeying indicates that variables encrypted with this key should be
|
|
|
|
// rekeyed
|
|
|
|
func (rkm *RootKeyMeta) Rekeying() bool {
|
|
|
|
return rkm.State == RootKeyStateRekeying
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rkm *RootKeyMeta) SetRekeying() {
|
|
|
|
rkm.State = RootKeyStateRekeying
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rkm *RootKeyMeta) SetInactive() {
|
|
|
|
rkm.State = RootKeyStateInactive
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deprecated indicates that variables encrypted with this key
|
|
|
|
// have been rekeyed
|
|
|
|
func (rkm *RootKeyMeta) Deprecated() bool {
|
|
|
|
return rkm.State == RootKeyStateDeprecated
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rkm *RootKeyMeta) SetDeprecated() {
|
|
|
|
rkm.State = RootKeyStateDeprecated
|
2022-05-25 19:05:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (rkm *RootKeyMeta) Stub() *RootKeyMetaStub {
|
|
|
|
if rkm == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return &RootKeyMetaStub{
|
|
|
|
KeyID: rkm.KeyID,
|
|
|
|
Algorithm: rkm.Algorithm,
|
|
|
|
CreateTime: rkm.CreateTime,
|
2022-07-07 17:48:38 +00:00
|
|
|
State: rkm.State,
|
2022-05-25 19:05:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|
2022-05-19 18:19:56 +00:00
|
|
|
func (rkm *RootKeyMeta) Copy() *RootKeyMeta {
|
|
|
|
if rkm == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
out := *rkm
|
|
|
|
return &out
|
|
|
|
}
|
|
|
|
|
2022-05-25 19:05:30 +00:00
|
|
|
func (rkm *RootKeyMeta) Validate() error {
|
|
|
|
if rkm == nil {
|
|
|
|
return fmt.Errorf("root key metadata is required")
|
|
|
|
}
|
|
|
|
if rkm.KeyID == "" || !helper.IsUUID(rkm.KeyID) {
|
|
|
|
return fmt.Errorf("root key UUID is required")
|
|
|
|
}
|
|
|
|
if rkm.Algorithm == "" {
|
|
|
|
return fmt.Errorf("root key algorithm is required")
|
|
|
|
}
|
2022-07-07 17:48:38 +00:00
|
|
|
switch rkm.State {
|
|
|
|
case RootKeyStateInactive, RootKeyStateActive,
|
|
|
|
RootKeyStateRekeying, RootKeyStateDeprecated:
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("root key state %q is invalid", rkm.State)
|
|
|
|
}
|
2022-05-25 19:05:30 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-05-12 20:29:52 +00:00
|
|
|
// EncryptionAlgorithm chooses which algorithm is used for
|
|
|
|
// encrypting / decrypting entries with this key
|
|
|
|
type EncryptionAlgorithm string
|
|
|
|
|
|
|
|
const (
|
|
|
|
EncryptionAlgorithmAES256GCM EncryptionAlgorithm = "aes256-gcm"
|
|
|
|
)
|
|
|
|
|
|
|
|
type KeyringRotateRootKeyRequest struct {
|
|
|
|
Algorithm EncryptionAlgorithm
|
|
|
|
Full bool
|
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
// KeyringRotateRootKeyResponse returns the full key metadata
|
|
|
|
type KeyringRotateRootKeyResponse struct {
|
|
|
|
Key *RootKeyMeta
|
|
|
|
WriteMeta
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringListRootKeyMetaRequest struct {
|
|
|
|
// TODO: do we need any fields here?
|
|
|
|
QueryOptions
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringListRootKeyMetaResponse struct {
|
|
|
|
Keys []*RootKeyMeta
|
|
|
|
QueryMeta
|
|
|
|
}
|
|
|
|
|
|
|
|
// KeyringUpdateRootKeyRequest is used internally for key replication
|
|
|
|
// only and for keyring restores. The RootKeyMeta will be extracted
|
|
|
|
// for applying to the FSM with the KeyringUpdateRootKeyMetaRequest
|
|
|
|
// (see below)
|
|
|
|
type KeyringUpdateRootKeyRequest struct {
|
|
|
|
RootKey *RootKey
|
2022-07-07 17:48:38 +00:00
|
|
|
Rekey bool
|
2022-05-12 20:29:52 +00:00
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringUpdateRootKeyResponse struct {
|
|
|
|
WriteMeta
|
|
|
|
}
|
|
|
|
|
2022-05-19 20:27:59 +00:00
|
|
|
// KeyringGetRootKeyRequest is used internally for key replication
|
|
|
|
// only and for keyring restores.
|
|
|
|
type KeyringGetRootKeyRequest struct {
|
|
|
|
KeyID string
|
|
|
|
QueryOptions
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringGetRootKeyResponse struct {
|
|
|
|
Key *RootKey
|
|
|
|
QueryMeta
|
|
|
|
}
|
|
|
|
|
2022-05-12 20:29:52 +00:00
|
|
|
// KeyringUpdateRootKeyMetaRequest is used internally for key
|
|
|
|
// replication so that we have a request wrapper for writing the
|
|
|
|
// metadata to the FSM without including the key material
|
|
|
|
type KeyringUpdateRootKeyMetaRequest struct {
|
|
|
|
RootKeyMeta *RootKeyMeta
|
2022-07-07 17:48:38 +00:00
|
|
|
Rekey bool
|
2022-05-12 20:29:52 +00:00
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringUpdateRootKeyMetaResponse struct {
|
|
|
|
WriteMeta
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringDeleteRootKeyRequest struct {
|
|
|
|
KeyID string
|
|
|
|
WriteRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
type KeyringDeleteRootKeyResponse struct {
|
|
|
|
WriteMeta
|
|
|
|
}
|