open-vault/builtin/logical/transit/path_rotate.go

package transit

import (
	"fmt"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathRotate() *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("name") + "/rotate",
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation: pathRotateWrite,
		},

		HelpSynopsis:    pathRotateHelpSyn,
		HelpDescription: pathRotateHelpDesc,
	}
}

func pathRotateWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	// Check if the policy already exists
	policy, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}
	if policy == nil {
		return logical.ErrorResponse(
				fmt.Sprintf("no existing role named %s could be found", name)),
			logical.ErrInvalidRequest
	}

	// Generate the policy
	err = policy.rotate(req.Storage)

	return nil, err
}

const pathRotateHelpSyn = `Rotate named encryption key`

const pathRotateHelpDesc = `
This path is used to rotate the named key. After rotation,
new encryption requests using this name will use the new key,
but decryption will still be supported for older versions.
`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`package transit`

			`import (`
			`"fmt"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathRotate() *framework.Path {`
			`return &framework.Path{`
			`Pattern: "keys/" + framework.GenericNameRegex("name") + "/rotate",`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the key",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.WriteOperation: pathRotateWrite,`
			`},`

			`HelpSynopsis: pathRotateHelpSyn,`
			`HelpDescription: pathRotateHelpDesc,`
			`}`
			`}`

			`func pathRotateWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

			`// Check if the policy already exists`
			`policy, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if policy == nil {`
			`return logical.ErrorResponse(`
			`fmt.Sprintf("no existing role named %s could be found", name)),`
			`logical.ErrInvalidRequest`
			`}`

			`// Generate the policy`
			`err = policy.rotate(req.Storage)`

			`return nil, err`
			`}`

			const pathRotateHelpSyn = `Rotate named encryption key`

			const pathRotateHelpDesc = `
			`This path is used to rotate the named key. After rotation,`
			`new encryption requests using this name will use the new key,`
			`but decryption will still be supported for older versions.`
			`