open-vault/builtin/logical/transit/path_keys.go

package transit

import (
	"fmt"
	"strconv"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func (b *backend) pathKeys() *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},

			"derived": &framework.FieldSchema{
				Type:        framework.TypeBool,
				Description: "Enables key derivation mode. This allows for per-transaction unique keys",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathPolicyWrite,
			logical.DeleteOperation: b.pathPolicyDelete,
			logical.ReadOperation:   b.pathPolicyRead,
		},

		HelpSynopsis:    pathPolicyHelpSyn,
		HelpDescription: pathPolicyHelpDesc,
	}
}

func (b *backend) pathPolicyWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	derived := d.Get("derived").(bool)

	p, lock, upserted, err := b.lm.GetPolicyUpsert(req.Storage, name, derived)
	if lock != nil {
		defer lock.RUnlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, fmt.Errorf("error generating key: returned policy was nil")
	}

	resp := &logical.Response{}
	if !upserted {
		resp.AddWarning(fmt.Sprintf("key %s already existed", name))
	}

	return nil, nil
}

func (b *backend) pathPolicyRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	p, lock, err := b.lm.GetPolicyShared(req.Storage, name)
	if lock != nil {
		defer lock.RUnlock()
	}
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, nil
	}

	// Return the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"name":                   p.Name,
			"cipher_mode":            p.CipherMode,
			"derived":                p.Derived,
			"deletion_allowed":       p.DeletionAllowed,
			"min_decryption_version": p.MinDecryptionVersion,
			"latest_version":         p.LatestVersion,
		},
	}
	if p.Derived {
		resp.Data["kdf_mode"] = p.KDFMode
	}

	retKeys := map[string]int64{}
	for k, v := range p.Keys {
		retKeys[strconv.Itoa(k)] = v.CreationTime
	}
	resp.Data["keys"] = retKeys

	return resp, nil
}

func (b *backend) pathPolicyDelete(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	// Delete does its own locking
	err := b.lm.DeletePolicy(req.Storage, name)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err
	}

	return nil, nil
}

const pathPolicyHelpSyn = `Managed named encryption keys`

const pathPolicyHelpDesc = `
This path is used to manage the named keys that are available.
Doing a write with no value against a new named key will create
it using a randomly generated key.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`"fmt"`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`"strconv"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b backend) pathKeys() framework.Path {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "keys/" + framework.GenericNameRegex("name"),`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`Description: "Name of the key",`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00
			`"derived": &framework.FieldSchema{`
			`Type: framework.TypeBool,`
			`Description: "Enables key derivation mode. This allows for per-transaction unique keys",`
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`logical.UpdateOperation: b.pathPolicyWrite,`
			`logical.DeleteOperation: b.pathPolicyDelete,`
			`logical.ReadOperation: b.pathPolicyRead,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathPolicyHelpSyn,`
			`HelpDescription: pathPolicyHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyWrite(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`derived := d.Get("derived").(bool)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`p, lock, upserted, err := b.lm.GetPolicyUpsert(req.Storage, name, derived)`
			`if lock != nil {`
			`defer lock.RUnlock()`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if p == nil {`
			`return nil, fmt.Errorf("error generating key: returned policy was nil")`
			`}`

			`resp := &logical.Response{}`
			`if !upserted {`
			`resp.AddWarning(fmt.Sprintf("key %s already existed", name))`
			`}`

			`return nil, nil`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyRead(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00
Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`p, lock, err := b.lm.GetPolicyShared(req.Storage, name)`
			`if lock != nil {`
			`defer lock.RUnlock()`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p == nil {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return nil, nil`
			`}`

			`// Return the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`"name": p.Name,`
			`"cipher_mode": p.CipherMode,`
			`"derived": p.Derived,`
			`"deletion_allowed": p.DeletionAllowed,`
			`"min_decryption_version": p.MinDecryptionVersion,`
			`"latest_version": p.LatestVersion,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
			`}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`if p.Derived {`
			`resp.Data["kdf_mode"] = p.KDFMode`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`}`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00
			`retKeys := map[string]int64{}`
Switch to lockManager 2016-04-26 15:39:19 +00:00			`for k, v := range p.Keys {`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`retKeys[strconv.Itoa(k)] = v.CreationTime`
			`}`
			`resp.Data["keys"] = retKeys`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return resp, nil`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`func (b *backend) pathPolicyDelete(`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

Massively simplify lock handling based on feedback 2016-05-03 03:46:39 +00:00			`// Delete does its own locking`
			`err := b.lm.DeletePolicy(req.Storage, name)`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`if err != nil {`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`}`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return nil, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			const pathPolicyHelpSyn = `Managed named encryption keys`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathPolicyHelpDesc = `
			`This path is used to manage the named keys that are available.`
			`Doing a write with no value against a new named key will create`
			`it using a randomly generated key.`
			`