open-vault/builtin/logical/transit/path_decrypt.go

package transit

import (
	"encoding/base64"
	"fmt"

	"github.com/hashicorp/vault/helper/errutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func (b *backend) pathDecrypt() *framework.Path {
	return &framework.Path{
		Pattern: "decrypt/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the policy",
			},

			"ciphertext": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Ciphertext value to decrypt",
			},

			"context": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Context for key derivation. Required for derived keys.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathDecryptWrite,
		},

		HelpSynopsis:    pathDecryptHelpSyn,
		HelpDescription: pathDecryptHelpDesc,
	}
}

func (b *backend) pathDecryptWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	ciphertext := d.Get("ciphertext").(string)
	if len(ciphertext) == 0 {
		return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest
	}

	// Decode the context if any
	contextRaw := d.Get("context").(string)
	var context []byte
	if len(contextRaw) != 0 {
		var err error
		context, err = base64.StdEncoding.DecodeString(contextRaw)
		if err != nil {
			return logical.ErrorResponse("failed to decode context as base64"), logical.ErrInvalidRequest
		}
	}

	// Get the policy
	p, lock, err := b.lm.GetPolicyShared(req.Storage, name)
	if lock != nil {
		defer lock.RUnlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
	}

	plaintext, err := p.Decrypt(context, ciphertext)
	if err != nil {
		switch err.(type) {
		case errutil.UserError:
			return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
		case errutil.InternalError:
			return nil, err
		default:
			return nil, err
		}
	}

	if plaintext == "" {
		return nil, fmt.Errorf("empty plaintext returned")
	}

	// Generate the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"plaintext": plaintext,
		},
	}
	return resp, nil
}

const pathDecryptHelpSyn = `Decrypt a ciphertext value using a named key`

const pathDecryptHelpDesc = `
This path uses the named key from the request path to decrypt a user
provided ciphertext. The plaintext is returned base64 encoded.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
			`"encoding/base64"`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`"fmt"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
Fix invalid input getting marked as internal error 2016-07-28 19:19:27 +00:00			`"github.com/hashicorp/vault/helper/errutil"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b backend) pathDecrypt() framework.Path {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "decrypt/" + framework.GenericNameRegex("name"),`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the policy",`
			`},`

			`"ciphertext": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Ciphertext value to decrypt",`
			`},`
secret/transit: check for context for derived keys 2015-07-05 21:12:07 +00:00
			`"context": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Context for key derivation. Required for derived keys.",`
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`logical.UpdateOperation: b.pathDecryptWrite,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathDecryptHelpSyn,`
			`HelpDescription: pathDecryptHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathDecryptWrite(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`ciphertext := d.Get("ciphertext").(string)`
			`if len(ciphertext) == 0 {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest`
			`}`
secret/transit: use base64 for context to allow binary 2015-07-05 21:37:51 +00:00
			`// Decode the context if any`
			`contextRaw := d.Get("context").(string)`
			`var context []byte`
			`if len(contextRaw) != 0 {`
			`var err error`
			`context, err = base64.StdEncoding.DecodeString(contextRaw)`
			`if err != nil {`
			`return logical.ErrorResponse("failed to decode context as base64"), logical.ErrInvalidRequest`
			`}`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`// Get the policy`
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`p, lock, err := b.lm.GetPolicyShared(req.Storage, name)`
			`if lock != nil {`
			`defer lock.RUnlock()`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p == nil {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest`
			`}`

Switch to lockManager 2016-04-26 15:39:19 +00:00			`plaintext, err := p.Decrypt(context, ciphertext)`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`if err != nil {`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`switch err.(type) {`
Fix invalid input getting marked as internal error 2016-07-28 19:19:27 +00:00			`case errutil.UserError:`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest`
Fix invalid input getting marked as internal error 2016-07-28 19:19:27 +00:00			`case errutil.InternalError:`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`return nil, err`
			`default:`
			`return nil, err`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`if plaintext == "" {`
			`return nil, fmt.Errorf("empty plaintext returned")`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

			`// Generate the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`"plaintext": plaintext,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
			`}`
			`return resp, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathDecryptHelpSyn = `Decrypt a ciphertext value using a named key`

			const pathDecryptHelpDesc = `
			`This path uses the named key from the request path to decrypt a user`
			`provided ciphertext. The plaintext is returned base64 encoded.`
			`