open-vault/http/sys_rekey.go

package http

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"

	"github.com/hashicorp/vault/helper/pgpkeys"
	"github.com/hashicorp/vault/vault"
)

func handleSysRekeyInit(core *vault.Core, recovery bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		standby, _ := core.Standby()
		if standby {
			respondStandby(core, w, r.URL)
			return
		}

		switch {
		case recovery && !core.SealAccess().RecoveryKeySupported():
			respondError(w, http.StatusBadRequest, fmt.Errorf("recovery rekeying not supported"))
		case r.Method == "GET":
			handleSysRekeyInitGet(core, recovery, w, r)
		case r.Method == "POST" || r.Method == "PUT":
			handleSysRekeyInitPut(core, recovery, w, r)
		case r.Method == "DELETE":
			handleSysRekeyInitDelete(core, recovery, w, r)
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
		}
	})
}

func handleSysRekeyInitGet(core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
	barrierConfig, err := core.SealAccess().BarrierConfig()
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}
	if barrierConfig == nil {
		respondError(w, http.StatusBadRequest, fmt.Errorf(
			"server is not yet initialized"))
		return
	}

	// Get the rekey configuration
	rekeyConf, err := core.RekeyConfig(recovery)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	// Get the progress
	progress, err := core.RekeyProgress(recovery)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	sealThreshold, err := core.RekeyThreshold(recovery)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	// Format the status
	status := &RekeyStatusResponse{
		Started:  false,
		T:        0,
		N:        0,
		Progress: progress,
		Required: sealThreshold,
	}
	if rekeyConf != nil {
		status.Nonce = rekeyConf.Nonce
		status.Started = true
		status.T = rekeyConf.SecretThreshold
		status.N = rekeyConf.SecretShares
		if rekeyConf.PGPKeys != nil && len(rekeyConf.PGPKeys) != 0 {
			pgpFingerprints, err := pgpkeys.GetFingerprints(rekeyConf.PGPKeys, nil)
			if err != nil {
				respondError(w, http.StatusInternalServerError, err)
				return
			}
			status.PGPFingerprints = pgpFingerprints
			status.Backup = rekeyConf.Backup
		}
	}
	respondOk(w, status)
}

func handleSysRekeyInitPut(core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
	// Parse the request
	var req RekeyRequest
	if err := parseRequest(r, w, &req); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	if req.Backup && len(req.PGPKeys) == 0 {
		respondError(w, http.StatusBadRequest, fmt.Errorf("cannot request a backup of the new keys without providing PGP keys for encryption"))
		return
	}

	// Right now we don't support this, but the rest of the code is ready for
	// when we do, hence the check below for this to be false if
	// StoredShares is greater than zero
	if core.SealAccess().StoredKeysSupported() {
		respondError(w, http.StatusBadRequest, fmt.Errorf("rekeying of barrier not supported when stored key support is available"))
		return
	}

	if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {
		respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
		return
	}

	// Initialize the rekey
	err := core.RekeyInit(&vault.SealConfig{
		SecretShares:    req.SecretShares,
		SecretThreshold: req.SecretThreshold,
		StoredShares:    req.StoredShares,
		PGPKeys:         req.PGPKeys,
		Backup:          req.Backup,
	}, recovery)
	if err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	handleSysRekeyInitGet(core, recovery, w, r)
}

func handleSysRekeyInitDelete(core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
	err := core.RekeyCancel(recovery)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}
	respondOk(w, nil)
}

func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		standby, _ := core.Standby()
		if standby {
			respondStandby(core, w, r.URL)
			return
		}

		// Parse the request
		var req RekeyUpdateRequest
		if err := parseRequest(r, w, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}
		if req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must specified in request body as JSON"))
			return
		}

		// Decode the key, which is base64 or hex encoded
		min, max := core.BarrierKeyLength()
		key, err := hex.DecodeString(req.Key)
		// We check min and max here to ensure that a string that is base64
		// encoded but also valid hex will not be valid and we instead base64
		// decode it
		if err != nil || len(key) < min || len(key) > max {
			key, err = base64.StdEncoding.DecodeString(req.Key)
			if err != nil {
				respondError(
					w, http.StatusBadRequest,
					errors.New("'key' must be a valid hex or base64 string"))
				return
			}
		}

		// Use the key to make progress on rekey
		result, err := core.RekeyUpdate(key, req.Nonce, recovery)
		if err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}

		// Format the response
		resp := &RekeyUpdateResponse{}
		if result != nil {
			resp.Complete = true
			resp.Nonce = req.Nonce
			resp.Backup = result.Backup
			resp.PGPFingerprints = result.PGPFingerprints

			// Encode the keys
			keys := make([]string, 0, len(result.SecretShares))
			keysB64 := make([]string, 0, len(result.SecretShares))
			for _, k := range result.SecretShares {
				keys = append(keys, hex.EncodeToString(k))
				keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
			}
			resp.Keys = keys
			resp.KeysB64 = keysB64
		}
		respondOk(w, resp)
	})
}

type RekeyRequest struct {
	SecretShares    int      `json:"secret_shares"`
	SecretThreshold int      `json:"secret_threshold"`
	StoredShares    int      `json:"stored_shares"`
	PGPKeys         []string `json:"pgp_keys"`
	Backup          bool     `json:"backup"`
}

type RekeyStatusResponse struct {
	Nonce           string   `json:"nonce"`
	Started         bool     `json:"started"`
	T               int      `json:"t"`
	N               int      `json:"n"`
	Progress        int      `json:"progress"`
	Required        int      `json:"required"`
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool     `json:"backup"`
}

type RekeyUpdateRequest struct {
	Nonce string
	Key   string
}

type RekeyUpdateResponse struct {
	Nonce           string   `json:"nonce"`
	Complete        bool     `json:"complete"`
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool     `json:"backup"`
}
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`package http`

			`import (`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`"encoding/base64"`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"encoding/hex"`
			`"errors"`
			`"fmt"`
			`"net/http"`

Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"github.com/hashicorp/vault/helper/pgpkeys"`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"github.com/hashicorp/vault/vault"`
			`)`

SealInterface 2016-04-04 14:44:22 +00:00			`func handleSysRekeyInit(core *vault.Core, recovery bool) http.Handler {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Redirect rekey operation from standby to master (#1868) 2016-09-13 15:59:12 +00:00			`standby, _ := core.Standby()`
			`if standby {`
			`respondStandby(core, w, r.URL)`
			`return`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`switch {`
			`case recovery && !core.SealAccess().RecoveryKeySupported():`
			`respondError(w, http.StatusBadRequest, fmt.Errorf("recovery rekeying not supported"))`
			`case r.Method == "GET":`
			`handleSysRekeyInitGet(core, recovery, w, r)`
			`case r.Method == "POST" \|\| r.Method == "PUT":`
			`handleSysRekeyInitPut(core, recovery, w, r)`
			`case r.Method == "DELETE":`
			`handleSysRekeyInitDelete(core, recovery, w, r)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`}`
			`})`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`func handleSysRekeyInitGet(core vault.Core, recovery bool, w http.ResponseWriter, r http.Request) {`
			`barrierConfig, err := core.SealAccess().BarrierConfig()`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
SealInterface 2016-04-04 14:44:22 +00:00			`if barrierConfig == nil {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`respondError(w, http.StatusBadRequest, fmt.Errorf(`
			`"server is not yet initialized"))`
			`return`
			`}`

			`// Get the rekey configuration`
SealInterface 2016-04-04 14:44:22 +00:00			`rekeyConf, err := core.RekeyConfig(recovery)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`// Get the progress`
SealInterface 2016-04-04 14:44:22 +00:00			`progress, err := core.RekeyProgress(recovery)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`sealThreshold, err := core.RekeyThreshold(recovery)`
			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00			`return`
SealInterface 2016-04-04 14:44:22 +00:00			`}`

http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`// Format the status`
			`status := &RekeyStatusResponse{`
			`Started: false,`
			`T: 0,`
			`N: 0,`
			`Progress: progress,`
SealInterface 2016-04-04 14:44:22 +00:00			`Required: sealThreshold,`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`if rekeyConf != nil {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`status.Nonce = rekeyConf.Nonce`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`status.Started = true`
			`status.T = rekeyConf.SecretThreshold`
			`status.N = rekeyConf.SecretShares`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`if rekeyConf.PGPKeys != nil && len(rekeyConf.PGPKeys) != 0 {`
			`pgpFingerprints, err := pgpkeys.GetFingerprints(rekeyConf.PGPKeys, nil)`
			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00			`return`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`}`
			`status.PGPFingerprints = pgpFingerprints`
			`status.Backup = rekeyConf.Backup`
			`}`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`respondOk(w, status)`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`func handleSysRekeyInitPut(core vault.Core, recovery bool, w http.ResponseWriter, r http.Request) {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`// Parse the request`
			`var req RekeyRequest`
Use 'http.MaxBytesReader' to limit request size (#2131) Fix 'connection reset by peer' error introduced by 300b72e 2016-12-01 18:59:00 +00:00			`if err := parseRequest(r, w, &req); err != nil {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`if req.Backup && len(req.PGPKeys) == 0 {`
			`respondError(w, http.StatusBadRequest, fmt.Errorf("cannot request a backup of the new keys without providing PGP keys for encryption"))`
Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00			`return`
			`}`

			`// Right now we don't support this, but the rest of the code is ready for`
			`// when we do, hence the check below for this to be false if`
			`// StoredShares is greater than zero`
			`if core.SealAccess().StoredKeysSupported() {`
			`respondError(w, http.StatusBadRequest, fmt.Errorf("rekeying of barrier not supported when stored key support is available"))`
			`return`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`}`

rekey: pgp keys input validation 2017-01-12 05:05:41 +00:00			`if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {`
			`respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))`
			`return`
			`}`

http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`// Initialize the rekey`
			`err := core.RekeyInit(&vault.SealConfig{`
			`SecretShares: req.SecretShares,`
			`SecretThreshold: req.SecretThreshold,`
SealInterface 2016-04-04 14:44:22 +00:00			`StoredShares: req.StoredShares,`
Address comments from review. 2015-08-25 22:33:58 +00:00			`PGPKeys: req.PGPKeys,`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`Backup: req.Backup,`
SealInterface 2016-04-04 14:44:22 +00:00			`}, recovery)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00
SealInterface 2016-04-04 14:44:22 +00:00			`handleSysRekeyInitGet(core, recovery, w, r)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`func handleSysRekeyInitDelete(core vault.Core, recovery bool, w http.ResponseWriter, r http.Request) {`
			`err := core.RekeyCancel(recovery)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
			`respondOk(w, nil)`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Redirect rekey operation from standby to master (#1868) 2016-09-13 15:59:12 +00:00			`standby, _ := core.Standby()`
			`if standby {`
			`respondStandby(core, w, r.URL)`
			`return`
			`}`

http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`// Parse the request`
			`var req RekeyUpdateRequest`
Use 'http.MaxBytesReader' to limit request size (#2131) Fix 'connection reset by peer' error introduced by 300b72e 2016-12-01 18:59:00 +00:00			`if err := parseRequest(r, w, &req); err != nil {`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`
			`if req.Key == "" {`
			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must specified in request body as JSON"))`
			`return`
			`}`

Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// Decode the key, which is base64 or hex encoded`
			`min, max := core.BarrierKeyLength()`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`key, err := hex.DecodeString(req.Key)`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// We check min and max here to ensure that a string that is base64`
			`// encoded but also valid hex will not be valid and we instead base64`
			`// decode it`
			`if err != nil \|\| len(key) < min \|\| len(key) > max {`
			`key, err = base64.StdEncoding.DecodeString(req.Key)`
			`if err != nil {`
			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must be a valid hex or base64 string"))`
			`return`
			`}`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

			`// Use the key to make progress on rekey`
SealInterface 2016-04-04 14:44:22 +00:00			`result, err := core.RekeyUpdate(key, req.Nonce, recovery)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

			`// Format the response`
			`resp := &RekeyUpdateResponse{}`
			`if result != nil {`
			`resp.Complete = true`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`resp.Nonce = req.Nonce`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`resp.Backup = result.Backup`
			`resp.PGPFingerprints = result.PGPFingerprints`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00
			`// Encode the keys`
			`keys := make([]string, 0, len(result.SecretShares))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`keysB64 := make([]string, 0, len(result.SecretShares))`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`for _, k := range result.SecretShares {`
			`keys = append(keys, hex.EncodeToString(k))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`resp.Keys = keys`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`resp.KeysB64 = keysB64`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`respondOk(w, resp)`
			`})`
			`}`

			`type RekeyRequest struct {`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			SecretShares int `json:"secret_shares"`
			SecretThreshold int `json:"secret_threshold"`
SealInterface 2016-04-04 14:44:22 +00:00			StoredShares int `json:"stored_shares"`
Address comments from review. 2015-08-25 22:33:58 +00:00			PGPKeys []string `json:"pgp_keys"`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			Backup bool `json:"backup"`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

			`type RekeyStatusResponse struct {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			Nonce string `json:"nonce"`
			Started bool `json:"started"`
			T int `json:"t"`
			N int `json:"n"`
			Progress int `json:"progress"`
			Required int `json:"required"`
			PGPFingerprints []string `json:"pgp_fingerprints"`
			Backup bool `json:"backup"`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

			`type RekeyUpdateRequest struct {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`Nonce string`
			`Key string`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

			`type RekeyUpdateResponse struct {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			Nonce string `json:"nonce"`
			Complete bool `json:"complete"`
			Keys []string `json:"keys"`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			KeysB64 []string `json:"keys_base64"`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			PGPFingerprints []string `json:"pgp_fingerprints"`
			Backup bool `json:"backup"`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`