2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
2021-11-10 20:46:07 +00:00
|
|
|
"bytes"
|
2018-10-19 21:43:57 +00:00
|
|
|
"context"
|
|
|
|
"crypto/subtle"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2021-11-10 20:46:07 +00:00
|
|
|
mathrand "math/rand"
|
|
|
|
"sync"
|
2018-10-19 21:43:57 +00:00
|
|
|
"sync/atomic"
|
2021-11-10 20:46:07 +00:00
|
|
|
"time"
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2023-05-04 18:22:30 +00:00
|
|
|
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
proto "github.com/golang/protobuf/proto"
|
2019-10-03 20:40:18 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2022-08-23 19:37:16 +00:00
|
|
|
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
2018-10-19 21:43:57 +00:00
|
|
|
"github.com/hashicorp/vault/vault/seal"
|
|
|
|
)
|
|
|
|
|
|
|
|
// barrierTypeUpgradeCheck checks for backwards compat on barrier type, not
|
|
|
|
// applicable in the OSS side
|
2021-11-10 20:46:07 +00:00
|
|
|
var (
|
2022-08-23 19:37:16 +00:00
|
|
|
barrierTypeUpgradeCheck = func(_ wrapping.WrapperType, _ *SealConfig) {}
|
2021-11-10 20:46:07 +00:00
|
|
|
autoSealUnavailableDuration = []string{"seal", "unreachable", "time"}
|
|
|
|
// vars for unit testings
|
|
|
|
sealHealthTestIntervalNominal = 10 * time.Minute
|
|
|
|
sealHealthTestIntervalUnhealthy = 1 * time.Minute
|
|
|
|
sealHealthTestTimeout = 1 * time.Minute
|
|
|
|
)
|
2018-10-19 21:43:57 +00:00
|
|
|
|
|
|
|
// autoSeal is a Seal implementation that contains logic for encrypting and
|
|
|
|
// decrypting stored keys via an underlying AutoSealAccess implementation, as
|
|
|
|
// well as logic related to recovery keys and barrier config.
|
|
|
|
type autoSeal struct {
|
2023-05-04 18:22:30 +00:00
|
|
|
seal.Access
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2023-05-04 18:22:30 +00:00
|
|
|
barrierType wrapping.WrapperType
|
2018-10-19 21:43:57 +00:00
|
|
|
barrierConfig atomic.Value
|
|
|
|
recoveryConfig atomic.Value
|
|
|
|
core *Core
|
2019-10-03 20:40:18 +00:00
|
|
|
logger log.Logger
|
2021-11-10 20:46:07 +00:00
|
|
|
|
|
|
|
hcLock sync.Mutex
|
|
|
|
healthCheckStop chan struct{}
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure we are implementing the Seal interface
|
|
|
|
var _ Seal = (*autoSeal)(nil)
|
|
|
|
|
2023-05-04 18:22:30 +00:00
|
|
|
func NewAutoSeal(lowLevel seal.Access) (*autoSeal, error) {
|
2018-10-19 21:43:57 +00:00
|
|
|
ret := &autoSeal{
|
|
|
|
Access: lowLevel,
|
|
|
|
}
|
|
|
|
ret.barrierConfig.Store((*SealConfig)(nil))
|
|
|
|
ret.recoveryConfig.Store((*SealConfig)(nil))
|
2022-08-23 19:37:16 +00:00
|
|
|
|
2023-05-04 18:22:30 +00:00
|
|
|
// Having the wrapper type in a field is just a convenience since Seal.BarrierType()
|
|
|
|
// does not return an error.
|
2022-08-23 19:37:16 +00:00
|
|
|
var err error
|
2023-05-04 18:22:30 +00:00
|
|
|
ret.barrierType, err = ret.Type(context.Background())
|
2022-08-23 19:37:16 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-05-04 18:22:30 +00:00
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
return ret, nil
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
2019-10-18 18:46:00 +00:00
|
|
|
func (d *autoSeal) SealWrapable() bool {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2023-05-04 18:22:30 +00:00
|
|
|
func (d *autoSeal) GetAccess() seal.Access {
|
2019-06-20 19:14:58 +00:00
|
|
|
return d.Access
|
|
|
|
}
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
func (d *autoSeal) checkCore() error {
|
|
|
|
if d.core == nil {
|
|
|
|
return fmt.Errorf("seal does not have a core set")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) SetCore(core *Core) {
|
|
|
|
d.core = core
|
2019-10-03 20:40:18 +00:00
|
|
|
if d.logger == nil {
|
|
|
|
d.logger = d.core.Logger().Named("autoseal")
|
|
|
|
d.core.AddLogger(d.logger)
|
|
|
|
}
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) Init(ctx context.Context) error {
|
|
|
|
return d.Access.Init(ctx)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) Finalize(ctx context.Context) error {
|
|
|
|
return d.Access.Finalize(ctx)
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
func (d *autoSeal) BarrierType() wrapping.WrapperType {
|
2023-05-04 18:22:30 +00:00
|
|
|
return d.barrierType
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) GetShamirWrapper() (*aeadwrapper.ShamirWrapper, error) {
|
|
|
|
return nil, fmt.Errorf("autoSeal does not use a ShamirWrapper")
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
func (d *autoSeal) StoredKeysSupported() seal.StoredKeysSupport {
|
|
|
|
return seal.StoredKeysSupportedGeneric
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) RecoveryKeySupported() bool {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetStoredKeys uses the autoSeal.Access.Encrypts method to wrap the keys. The stored entry
|
|
|
|
// does not need to be seal wrapped in this case.
|
|
|
|
func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
|
2023-02-01 19:34:53 +00:00
|
|
|
return writeStoredKeys(ctx, d.core.physical, d.Access, keys)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetStoredKeys retrieves the key shares by unwrapping the encrypted key using the
|
|
|
|
// autoseal.
|
|
|
|
func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) {
|
2023-02-01 19:34:53 +00:00
|
|
|
return readStoredKeys(ctx, d.core.physical, d.Access)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
2019-10-03 20:40:18 +00:00
|
|
|
func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
|
|
|
|
pe, err := d.core.physical.Get(ctx, StoredBarrierKeysPath)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to fetch stored keys: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
if pe == nil {
|
|
|
|
return fmt.Errorf("no stored keys found")
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
blobInfo := &wrapping.BlobInfo{}
|
2019-10-03 20:40:18 +00:00
|
|
|
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to proto decode stored keys: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
keyId, err := d.Access.KeyId(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Info("upgrading stored keys")
|
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
pt, err := d.Decrypt(ctx, blobInfo, nil)
|
2019-10-03 20:40:18 +00:00
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to decrypt encrypted stored keys: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Decode the barrier entry
|
|
|
|
var keys [][]byte
|
|
|
|
if err := json.Unmarshal(pt, &keys); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to decode stored keys: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.SetStoredKeys(ctx, keys); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to save upgraded stored keys: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpgradeKeys re-encrypts and saves the stored keys and the recovery key
|
2022-08-23 19:37:16 +00:00
|
|
|
// with the current key if the current KeyId is different from the KeyId
|
2019-10-03 20:40:18 +00:00
|
|
|
// the stored keys and the recovery key are encrypted with. The provided
|
|
|
|
// Context must be non-nil.
|
|
|
|
func (d *autoSeal) UpgradeKeys(ctx context.Context) error {
|
2022-08-23 19:37:16 +00:00
|
|
|
// Many of the seals update their keys to the latest KeyId when Encrypt
|
2019-10-03 20:40:18 +00:00
|
|
|
// is called.
|
2020-01-11 01:39:52 +00:00
|
|
|
if _, err := d.Encrypt(ctx, []byte("a"), nil); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.upgradeRecoveryKey(ctx); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := d.upgradeStoredKeys(ctx); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
|
|
|
|
if d.barrierConfig.Load().(*SealConfig) != nil {
|
|
|
|
return d.barrierConfig.Load().(*SealConfig).Clone(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.checkCore(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
sealType := "barrier"
|
|
|
|
|
|
|
|
entry, err := d.core.physical.Get(ctx, barrierSealConfigPath)
|
|
|
|
if err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to read seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to read %q seal configuration: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the seal configuration is missing, we are not initialized
|
|
|
|
if entry == nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
if d.logger.IsInfo() {
|
|
|
|
d.logger.Info("seal configuration missing, not initialized", "seal_type", sealType)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
conf := &SealConfig{}
|
|
|
|
err = json.Unmarshal(entry.Value, conf)
|
|
|
|
if err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to decode seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to decode %q seal configuration: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a valid seal configuration
|
|
|
|
if err := conf.Validate(); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("invalid seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("%q seal validation failed: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
barrierTypeUpgradeCheck(d.BarrierType(), conf)
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
if conf.Type != d.BarrierType().String() {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierType())
|
2018-10-19 21:43:57 +00:00
|
|
|
return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierType())
|
|
|
|
}
|
|
|
|
|
2020-08-10 12:35:57 +00:00
|
|
|
d.SetCachedBarrierConfig(conf)
|
2018-10-19 21:43:57 +00:00
|
|
|
return conf.Clone(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) SetBarrierConfig(ctx context.Context, conf *SealConfig) error {
|
|
|
|
if err := d.checkCore(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if conf == nil {
|
|
|
|
d.barrierConfig.Store((*SealConfig)(nil))
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
conf.Type = d.BarrierType().String()
|
2018-10-19 21:43:57 +00:00
|
|
|
|
|
|
|
// Encode the seal configuration
|
|
|
|
buf, err := json.Marshal(conf)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to encode barrier seal configuration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Store the seal configuration
|
|
|
|
pe := &physical.Entry{
|
|
|
|
Key: barrierSealConfigPath,
|
|
|
|
Value: buf,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.core.physical.Put(ctx, pe); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to write barrier seal configuration", "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to write barrier seal configuration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
2020-08-10 12:35:57 +00:00
|
|
|
d.SetCachedBarrierConfig(conf.Clone())
|
2018-10-19 21:43:57 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-23 06:34:02 +00:00
|
|
|
func (d *autoSeal) SetCachedBarrierConfig(config *SealConfig) {
|
|
|
|
d.barrierConfig.Store(config)
|
|
|
|
}
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
func (d *autoSeal) RecoveryType() string {
|
|
|
|
return RecoveryTypeShamir
|
|
|
|
}
|
|
|
|
|
|
|
|
// RecoveryConfig returns the recovery config on recoverySealConfigPlaintextPath.
|
|
|
|
func (d *autoSeal) RecoveryConfig(ctx context.Context) (*SealConfig, error) {
|
|
|
|
if d.recoveryConfig.Load().(*SealConfig) != nil {
|
|
|
|
return d.recoveryConfig.Load().(*SealConfig).Clone(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.checkCore(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
sealType := "recovery"
|
|
|
|
|
|
|
|
var entry *physical.Entry
|
|
|
|
var err error
|
|
|
|
entry, err = d.core.physical.Get(ctx, recoverySealConfigPlaintextPath)
|
|
|
|
if err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to read seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to read %q seal configuration: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if entry == nil {
|
|
|
|
if d.core.Sealed() {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Info("seal configuration missing, but cannot check old path as core is sealed", "seal_type", sealType)
|
2018-10-19 21:43:57 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the old recovery seal config path so an upgraded standby will
|
|
|
|
// return the correct seal config
|
|
|
|
be, err := d.core.barrier.Get(ctx, recoverySealConfigPath)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to read old recovery seal configuration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the seal configuration is missing, then we are not initialized.
|
|
|
|
if be == nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
if d.logger.IsInfo() {
|
|
|
|
d.logger.Info("seal configuration missing, not initialized", "seal_type", sealType)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Reconstruct the physical entry
|
|
|
|
entry = &physical.Entry{
|
|
|
|
Key: be.Key,
|
|
|
|
Value: be.Value,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
conf := &SealConfig{}
|
|
|
|
if err := json.Unmarshal(entry.Value, conf); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to decode seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to decode %q seal configuration: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a valid seal configuration
|
|
|
|
if err := conf.Validate(); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("invalid seal configuration", "seal_type", sealType, "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("%q seal validation failed: %w", sealType, err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if conf.Type != d.RecoveryType() {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("recovery seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.RecoveryType())
|
2018-10-19 21:43:57 +00:00
|
|
|
return nil, fmt.Errorf("recovery seal type of %q does not match loaded type of %q", conf.Type, d.RecoveryType())
|
|
|
|
}
|
|
|
|
|
|
|
|
d.recoveryConfig.Store(conf)
|
|
|
|
return conf.Clone(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetRecoveryConfig writes the recovery configuration to the physical storage
|
|
|
|
// and sets it as the seal's recoveryConfig.
|
|
|
|
func (d *autoSeal) SetRecoveryConfig(ctx context.Context, conf *SealConfig) error {
|
|
|
|
if err := d.checkCore(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Perform migration if applicable
|
|
|
|
if err := d.migrateRecoveryConfig(ctx); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if conf == nil {
|
|
|
|
d.recoveryConfig.Store((*SealConfig)(nil))
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
conf.Type = d.RecoveryType()
|
|
|
|
|
|
|
|
// Encode the seal configuration
|
|
|
|
buf, err := json.Marshal(conf)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to encode recovery seal configuration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Store the seal configuration directly in the physical storage
|
|
|
|
pe := &physical.Entry{
|
|
|
|
Key: recoverySealConfigPlaintextPath,
|
|
|
|
Value: buf,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.core.physical.Put(ctx, pe); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to write recovery seal configuration", "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to write recovery seal configuration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
d.recoveryConfig.Store(conf.Clone())
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-23 06:34:02 +00:00
|
|
|
func (d *autoSeal) SetCachedRecoveryConfig(config *SealConfig) {
|
|
|
|
d.recoveryConfig.Store(config)
|
|
|
|
}
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
func (d *autoSeal) VerifyRecoveryKey(ctx context.Context, key []byte) error {
|
|
|
|
if key == nil {
|
|
|
|
return fmt.Errorf("recovery key to verify is nil")
|
|
|
|
}
|
|
|
|
|
2019-03-04 22:11:56 +00:00
|
|
|
pt, err := d.getRecoveryKeyInternal(ctx)
|
2018-10-19 21:43:57 +00:00
|
|
|
if err != nil {
|
2019-02-01 19:29:55 +00:00
|
|
|
return err
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if subtle.ConstantTimeCompare(key, pt) != 1 {
|
|
|
|
return fmt.Errorf("recovery key does not match submitted values")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) SetRecoveryKey(ctx context.Context, key []byte) error {
|
|
|
|
if err := d.checkCore(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if key == nil {
|
|
|
|
return fmt.Errorf("recovery key to store is nil")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Encrypt and marshal the keys
|
2020-01-11 01:39:52 +00:00
|
|
|
blobInfo, err := d.Encrypt(ctx, key, nil)
|
2018-10-19 21:43:57 +00:00
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to encrypt keys for storage: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
value, err := proto.Marshal(blobInfo)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to marshal value for storage: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
be := &physical.Entry{
|
|
|
|
Key: recoveryKeyPath,
|
|
|
|
Value: value,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.core.physical.Put(ctx, be); err != nil {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Error("failed to write recovery key", "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to write recovery key: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-03-04 22:11:56 +00:00
|
|
|
func (d *autoSeal) RecoveryKey(ctx context.Context) ([]byte, error) {
|
|
|
|
return d.getRecoveryKeyInternal(ctx)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) getRecoveryKeyInternal(ctx context.Context) ([]byte, error) {
|
2023-02-01 19:34:53 +00:00
|
|
|
pe, err := d.core.physical.Get(ctx, recoveryKeyPath)
|
2019-03-04 22:11:56 +00:00
|
|
|
if err != nil {
|
2023-02-01 19:34:53 +00:00
|
|
|
d.logger.Error("failed to read recovery key", "error", err)
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to read recovery key: %w", err)
|
2019-03-04 22:11:56 +00:00
|
|
|
}
|
|
|
|
if pe == nil {
|
2023-02-01 19:34:53 +00:00
|
|
|
d.logger.Warn("no recovery key found")
|
2019-03-04 22:11:56 +00:00
|
|
|
return nil, fmt.Errorf("no recovery key found")
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
blobInfo := &wrapping.BlobInfo{}
|
2019-03-04 22:11:56 +00:00
|
|
|
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
|
2019-03-04 22:11:56 +00:00
|
|
|
}
|
|
|
|
|
2023-02-01 19:34:53 +00:00
|
|
|
pt, err := d.Decrypt(ctx, blobInfo, nil)
|
2019-03-04 22:11:56 +00:00
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return nil, fmt.Errorf("failed to decrypt encrypted stored keys: %w", err)
|
2019-03-04 22:11:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return pt, nil
|
|
|
|
}
|
|
|
|
|
2019-10-03 20:40:18 +00:00
|
|
|
func (d *autoSeal) upgradeRecoveryKey(ctx context.Context) error {
|
|
|
|
pe, err := d.core.physical.Get(ctx, recoveryKeyPath)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to fetch recovery key: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
if pe == nil {
|
|
|
|
return fmt.Errorf("no recovery key found")
|
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
blobInfo := &wrapping.BlobInfo{}
|
2019-10-03 20:40:18 +00:00
|
|
|
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to proto decode recovery key: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
|
2022-08-23 19:37:16 +00:00
|
|
|
keyId, err := d.Access.KeyId(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Info("upgrading recovery key")
|
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
pt, err := d.Decrypt(ctx, blobInfo, nil)
|
2019-10-03 20:40:18 +00:00
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to decrypt encrypted recovery key: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
if err := d.SetRecoveryKey(ctx, pt); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to save upgraded recovery key: %w", err)
|
2019-10-03 20:40:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
// migrateRecoveryConfig is a helper func to migrate the recovery config to
|
|
|
|
// live outside the barrier. This is called from SetRecoveryConfig which is
|
|
|
|
// always called with the stateLock.
|
|
|
|
func (d *autoSeal) migrateRecoveryConfig(ctx context.Context) error {
|
|
|
|
// Get config from the old recoverySealConfigPath path
|
|
|
|
be, err := d.core.barrier.Get(ctx, recoverySealConfigPath)
|
|
|
|
if err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to read old recovery seal configuration during migration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If this entry is nil, then skip migration
|
|
|
|
if be == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only log if we are performing the migration
|
2019-10-03 20:40:18 +00:00
|
|
|
d.logger.Debug("migrating recovery seal configuration")
|
|
|
|
defer d.logger.Debug("done migrating recovery seal configuration")
|
2018-10-19 21:43:57 +00:00
|
|
|
|
|
|
|
// Perform migration
|
|
|
|
pe := &physical.Entry{
|
|
|
|
Key: recoverySealConfigPlaintextPath,
|
|
|
|
Value: be.Value,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := d.core.physical.Put(ctx, pe); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to write recovery seal configuration during migration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Perform deletion of the old entry
|
|
|
|
if err := d.core.barrier.Delete(ctx, recoverySealConfigPath); err != nil {
|
2021-05-11 17:12:54 +00:00
|
|
|
return fmt.Errorf("failed to delete old recovery seal configuration during migration: %w", err)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2021-11-10 20:46:07 +00:00
|
|
|
|
|
|
|
// StartHealthCheck starts a goroutine that tests the health of the auto-unseal backend once every 10 minutes.
|
|
|
|
// If unhealthy, logs a warning on the condition and begins testing every one minute until healthy again.
|
|
|
|
func (d *autoSeal) StartHealthCheck() {
|
|
|
|
d.StopHealthCheck()
|
|
|
|
d.hcLock.Lock()
|
|
|
|
defer d.hcLock.Unlock()
|
|
|
|
|
|
|
|
healthCheck := time.NewTicker(sealHealthTestIntervalNominal)
|
|
|
|
d.healthCheckStop = make(chan struct{})
|
|
|
|
healthCheckStop := d.healthCheckStop
|
2021-11-12 21:58:46 +00:00
|
|
|
ctx := d.core.activeContext
|
2021-11-10 20:46:07 +00:00
|
|
|
|
|
|
|
go func() {
|
|
|
|
lastTestOk := true
|
|
|
|
lastSeenOk := time.Now()
|
|
|
|
|
|
|
|
fail := func(msg string, args ...interface{}) {
|
|
|
|
d.logger.Warn(msg, args...)
|
|
|
|
if lastTestOk {
|
|
|
|
healthCheck.Reset(sealHealthTestIntervalUnhealthy)
|
|
|
|
}
|
|
|
|
lastTestOk = false
|
|
|
|
d.core.MetricSink().SetGauge(autoSealUnavailableDuration, float32(time.Since(lastSeenOk).Milliseconds()))
|
|
|
|
}
|
|
|
|
for {
|
|
|
|
select {
|
|
|
|
case <-healthCheckStop:
|
|
|
|
if healthCheck != nil {
|
|
|
|
healthCheck.Stop()
|
|
|
|
}
|
|
|
|
healthCheckStop = nil
|
|
|
|
return
|
|
|
|
case t := <-healthCheck.C:
|
|
|
|
func() {
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, sealHealthTestTimeout)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
testVal := fmt.Sprintf("Heartbeat %d", mathrand.Intn(1000))
|
|
|
|
ciphertext, err := d.Access.Encrypt(ctx, []byte(testVal), nil)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
fail("failed to encrypt seal health test value, seal backend may be unreachable", "error", err)
|
|
|
|
} else {
|
|
|
|
func() {
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, sealHealthTestTimeout)
|
|
|
|
defer cancel()
|
|
|
|
plaintext, err := d.Access.Decrypt(ctx, ciphertext, nil)
|
|
|
|
if err != nil {
|
|
|
|
fail("failed to decrypt seal health test value, seal backend may be unreachable", "error", err)
|
|
|
|
}
|
|
|
|
if !bytes.Equal([]byte(testVal), plaintext) {
|
|
|
|
fail("seal health test value failed to decrypt to expected value")
|
|
|
|
} else {
|
|
|
|
d.logger.Debug("seal health test passed")
|
|
|
|
if !lastTestOk {
|
|
|
|
d.logger.Info("seal backend is now healthy again", "downtime", t.Sub(lastSeenOk).String())
|
|
|
|
healthCheck.Reset(sealHealthTestIntervalNominal)
|
|
|
|
}
|
|
|
|
lastTestOk = true
|
|
|
|
lastSeenOk = t
|
|
|
|
d.core.MetricSink().SetGauge(autoSealUnavailableDuration, 0)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *autoSeal) StopHealthCheck() {
|
|
|
|
d.hcLock.Lock()
|
|
|
|
defer d.hcLock.Unlock()
|
|
|
|
if d.healthCheckStop != nil {
|
|
|
|
close(d.healthCheckStop)
|
|
|
|
d.healthCheckStop = nil
|
|
|
|
}
|
|
|
|
}
|