open-vault/builtin/logical/transit/path_rotate.go

package transit

import (
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func (b *backend) pathRotate() *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("name") + "/rotate",
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathRotateWrite,
		},

		HelpSynopsis:    pathRotateHelpSyn,
		HelpDescription: pathRotateHelpDesc,
	}
}

func (b *backend) pathRotateWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	// Get the policy
	p, lock, err := b.lm.GetPolicyExclusive(req.Storage, name)
	if lock != nil {
		defer lock.Unlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return logical.ErrorResponse("key not found"), logical.ErrInvalidRequest
	}

	// Rotate the policy
	err = p.rotate(req.Storage)

	return nil, err
}

const pathRotateHelpSyn = `Rotate named encryption key`

const pathRotateHelpDesc = `
This path is used to rotate the named key. After rotation,
new encryption requests using this name will use the new key,
but decryption will still be supported for older versions.
`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`package transit`

			`import (`
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b backend) pathRotate() framework.Path {`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`return &framework.Path{`
			`Pattern: "keys/" + framework.GenericNameRegex("name") + "/rotate",`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the key",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`logical.UpdateOperation: b.pathRotateWrite,`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`},`

			`HelpSynopsis: pathRotateHelpSyn,`
			`HelpDescription: pathRotateHelpDesc,`
			`}`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathRotateWrite(`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`// Get the policy`
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`p, lock, err := b.lm.GetPolicyExclusive(req.Storage, name)`
			`if lock != nil {`
			`defer lock.Unlock()`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`}`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p == nil {`
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`return logical.ErrorResponse("key not found"), logical.ErrInvalidRequest`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`}`

Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`// Rotate the policy`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`err = p.rotate(req.Storage)`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00
			`return nil, err`
			`}`

			const pathRotateHelpSyn = `Rotate named encryption key`

			const pathRotateHelpDesc = `
			`This path is used to rotate the named key. After rotation,`
			`new encryption requests using this name will use the new key,`
			`but decryption will still be supported for older versions.`
			`