open-vault/builtin/logical/transit/path_keys.go

package transit

import (
	"fmt"
	"strconv"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func (b *backend) pathKeys() *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},

			"derived": &framework.FieldSchema{
				Type: framework.TypeBool,
				Description: `Enables key derivation mode. This
allows for per-transaction unique keys.`,
			},

			"convergent_encryption": &framework.FieldSchema{
				Type: framework.TypeBool,
				Description: `Whether to support convergent encryption.
This is only supported when using a key with
key derivation enabled and will require all
requests to carry both a context and 96-bit
(12-byte) nonce, unless the "context_as_nonce"
feature is also enabled. The given nonce will
be used in place of a randomly generated nonce.
As a result, when the same context and nonce
(or context, if "context_as_nonce" is enabled)
are supplied, the same ciphertext is emitted
from the encryption function. It is *very
important* when using this mode that you ensure
that all nonces are unique for a given context,
or, when using "context_as_nonce", that all
contexts are unique for a given key. Failing to
do so will severely impact the ciphertext's
security.`,
			},

			"context_as_nonce": &framework.FieldSchema{
				Type: framework.TypeBool,
				Description: `Whether to use the context value as the
nonce in the convergent encryption operation
mode. If set true, the user will have to
supply a 96-bit (12-byte) context value.
It is *very important* when using this
mode that you ensure that all contexts are
*globally unique*. Failing to do so will
severely impact the security of the key.`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathPolicyWrite,
			logical.DeleteOperation: b.pathPolicyDelete,
			logical.ReadOperation:   b.pathPolicyRead,
		},

		HelpSynopsis:    pathPolicyHelpSyn,
		HelpDescription: pathPolicyHelpDesc,
	}
}

func (b *backend) pathPolicyWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	derived := d.Get("derived").(bool)
	convergent := d.Get("convergent_encryption").(bool)
	contextAsNonce := d.Get("context_as_nonce").(bool)

	if !derived && convergent {
		return logical.ErrorResponse("convergent encryption requires derivation to be enabled"), nil
	}

	p, lock, upserted, err := b.lm.GetPolicyUpsert(req.Storage, name, derived, convergent, contextAsNonce)
	if lock != nil {
		defer lock.RUnlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, fmt.Errorf("error generating key: returned policy was nil")
	}

	resp := &logical.Response{}
	if !upserted {
		resp.AddWarning(fmt.Sprintf("key %s already existed", name))
	}

	return nil, nil
}

func (b *backend) pathPolicyRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	p, lock, err := b.lm.GetPolicyShared(req.Storage, name)
	if lock != nil {
		defer lock.RUnlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, nil
	}

	// Return the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"name":                   p.Name,
			"cipher_mode":            p.CipherMode,
			"derived":                p.Derived,
			"deletion_allowed":       p.DeletionAllowed,
			"min_decryption_version": p.MinDecryptionVersion,
			"latest_version":         p.LatestVersion,
		},
	}
	if p.Derived {
		resp.Data["kdf_mode"] = p.KDFMode
		resp.Data["convergent_encryption"] = p.ConvergentEncryption
		if p.ContextAsNonce != nil {
			resp.Data["context_as_nonce"] = *p.ContextAsNonce
		}
	}

	retKeys := map[string]int64{}
	for k, v := range p.Keys {
		retKeys[strconv.Itoa(k)] = v.CreationTime
	}
	resp.Data["keys"] = retKeys

	return resp, nil
}

func (b *backend) pathPolicyDelete(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	// Delete does its own locking
	err := b.lm.DeletePolicy(req.Storage, name)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err
	}

	return nil, nil
}

const pathPolicyHelpSyn = `Managed named encryption keys`

const pathPolicyHelpDesc = `
This path is used to manage the named keys that are available.
Doing a write with no value against a new named key will create
it using a randomly generated key.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`"fmt"`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`"strconv"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b backend) pathKeys() framework.Path {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "keys/" + framework.GenericNameRegex("name"),`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`Description: "Name of the key",`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00
			`"derived": &framework.FieldSchema{`
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			`Type: framework.TypeBool,`
			Description: `Enables key derivation mode. This
			allows for per-transaction unique keys.`,
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`},`
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00
			`"convergent_encryption": &framework.FieldSchema{`
			`Type: framework.TypeBool,`
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			Description: `Whether to support convergent encryption.
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00			`This is only supported when using a key with`
			`key derivation enabled and will require all`
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			`requests to carry both a context and 96-bit`
			`(12-byte) nonce, unless the "context_as_nonce"`
			`feature is also enabled. The given nonce will`
			`be used in place of a randomly generated nonce.`
			`As a result, when the same context and nonce`
			`(or context, if "context_as_nonce" is enabled)`
			`are supplied, the same ciphertext is emitted`
			`from the encryption function. It is *very`
			`important* when using this mode that you ensure`
			`that all nonces are unique for a given context,`
			`or, when using "context_as_nonce", that all`
			`contexts are unique for a given key. Failing to`
			`do so will severely impact the ciphertext's`
			security.`,
			`},`

			`"context_as_nonce": &framework.FieldSchema{`
			`Type: framework.TypeBool,`
			Description: `Whether to use the context value as the
			`nonce in the convergent encryption operation`
			`mode. If set true, the user will have to`
			`supply a 96-bit (12-byte) context value.`
			`It is very important when using this`
			`mode that you ensure that all contexts are`
			`globally unique. Failing to do so will`
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00			severely impact the security of the key.`,
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`logical.UpdateOperation: b.pathPolicyWrite,`
			`logical.DeleteOperation: b.pathPolicyDelete,`
			`logical.ReadOperation: b.pathPolicyRead,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathPolicyHelpSyn,`
			`HelpDescription: pathPolicyHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyWrite(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`derived := d.Get("derived").(bool)`
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00			`convergent := d.Get("convergent_encryption").(bool)`
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			`contextAsNonce := d.Get("context_as_nonce").(bool)`
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00
			`if !derived && convergent {`
			`return logical.ErrorResponse("convergent encryption requires derivation to be enabled"), nil`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			`p, lock, upserted, err := b.lm.GetPolicyUpsert(req.Storage, name, derived, convergent, contextAsNonce)`
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`if lock != nil {`
			`defer lock.RUnlock()`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if p == nil {`
			`return nil, fmt.Errorf("error generating key: returned policy was nil")`
			`}`

			`resp := &logical.Response{}`
			`if !upserted {`
			`resp.AddWarning(fmt.Sprintf("key %s already existed", name))`
			`}`

			`return nil, nil`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyRead(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`p, lock, err := b.lm.GetPolicyShared(req.Storage, name)`
			`if lock != nil {`
			`defer lock.RUnlock()`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p == nil {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return nil, nil`
			`}`

			`// Return the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`"name": p.Name,`
			`"cipher_mode": p.CipherMode,`
			`"derived": p.Derived,`
			`"deletion_allowed": p.DeletionAllowed,`
			`"min_decryption_version": p.MinDecryptionVersion,`
			`"latest_version": p.LatestVersion,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p.Derived {`
			`resp.Data["kdf_mode"] = p.KDFMode`
Add convergent encryption option to transit. Fixes #1537 2016-06-20 17:17:48 +00:00			`resp.Data["convergent_encryption"] = p.ConvergentEncryption`
Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 21:52:44 +00:00			`if p.ContextAsNonce != nil {`
			`resp.Data["context_as_nonce"] = *p.ContextAsNonce`
			`}`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`}`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00
			`retKeys := map[string]int64{}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`for k, v := range p.Keys {`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`retKeys[strconv.Itoa(k)] = v.CreationTime`
			`}`
			`resp.Data["keys"] = retKeys`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return resp, nil`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyDelete(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`// Delete does its own locking`
			`err := b.lm.DeletePolicy(req.Storage, name)`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`if err != nil {`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`}`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return nil, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			const pathPolicyHelpSyn = `Managed named encryption keys`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathPolicyHelpDesc = `
			`This path is used to manage the named keys that are available.`
			`Doing a write with no value against a new named key will create`
			`it using a randomly generated key.`
			`