open-vault/http/sys_init.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package http

import (
	"context"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"

	"github.com/hashicorp/vault/vault"
)

func handleSysInit(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "GET":
			handleSysInitGet(core, w, r)
		case "PUT", "POST":
			handleSysInitPut(core, w, r)
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
		}
	})
}

func handleSysInitGet(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	init, err := core.Initialized(context.Background())
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	respondOk(w, &InitStatusResponse{
		Initialized: init,
	})
}

func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	ctx := context.Background()

	// Parse the request
	var req InitRequest
	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	// Validate init request parameters
	if err := validateInitParameters(core, req); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	// Initialize
	barrierConfig := &vault.SealConfig{
		SecretShares:    req.SecretShares,
		SecretThreshold: req.SecretThreshold,
		StoredShares:    req.StoredShares,
		PGPKeys:         req.PGPKeys,
	}

	recoveryConfig := &vault.SealConfig{
		SecretShares:    req.RecoveryShares,
		SecretThreshold: req.RecoveryThreshold,
		PGPKeys:         req.RecoveryPGPKeys,
	}

	initParams := &vault.InitParams{
		BarrierConfig:   barrierConfig,
		RecoveryConfig:  recoveryConfig,
		RootTokenPGPKey: req.RootTokenPGPKey,
	}

	result, initErr := core.Initialize(ctx, initParams)
	if initErr != nil {
		if vault.IsFatalError(initErr) {
			respondError(w, http.StatusBadRequest, initErr)
			return
		} else {
			// Add a warnings field? The error will be logged in the vault log
			// already.
		}
	}

	// Encode the keys
	keys := make([]string, 0, len(result.SecretShares))
	keysB64 := make([]string, 0, len(result.SecretShares))
	for _, k := range result.SecretShares {
		keys = append(keys, hex.EncodeToString(k))
		keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
	}

	resp := &InitResponse{
		Keys:      keys,
		KeysB64:   keysB64,
		RootToken: result.RootToken,
	}

	if len(result.RecoveryShares) > 0 {
		resp.RecoveryKeys = make([]string, 0, len(result.RecoveryShares))
		resp.RecoveryKeysB64 = make([]string, 0, len(result.RecoveryShares))
		for _, k := range result.RecoveryShares {
			resp.RecoveryKeys = append(resp.RecoveryKeys, hex.EncodeToString(k))
			resp.RecoveryKeysB64 = append(resp.RecoveryKeysB64, base64.StdEncoding.EncodeToString(k))
		}
	}

	if err := core.UnsealWithStoredKeys(ctx); err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	respondOk(w, resp)
}

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys,omitempty"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse struct {
	Initialized bool `json:"initialized"`
}

// Validates if the right parameters are used based on AutoUnseal
func validateInitParameters(core *vault.Core, req InitRequest) error {
	recoveryFlags := make([]string, 0)
	barrierFlags := make([]string, 0)

	if req.SecretShares != 0 {
		barrierFlags = append(barrierFlags, "secret_shares")
	}
	if req.SecretThreshold != 0 {
		barrierFlags = append(barrierFlags, "secret_threshold")
	}
	if len(req.PGPKeys) != 0 {
		barrierFlags = append(barrierFlags, "pgp_keys")
	}
	if req.RecoveryShares != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_shares")
	}
	if req.RecoveryThreshold != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_threshold")
	}
	if len(req.RecoveryPGPKeys) != 0 {
		recoveryFlags = append(recoveryFlags, "recovery_pgp_keys")
	}

	switch core.SealAccess().RecoveryKeySupported() {
	case true:
		if len(barrierFlags) > 0 {
			return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(barrierFlags, ","), core.SealAccess().BarrierType())
		}
	default:
		if len(recoveryFlags) > 0 {
			return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(recoveryFlags, ","), core.SealAccess().BarrierType())
		}

	}
	return nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

http: init endpoints 2015-03-12 19:37:41 +00:00			`package http`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`"encoding/base64"`
http: init endpoints 2015-03-12 19:37:41 +00:00			`"encoding/hex"`
Validate parameters for vault operator init (#16379) * adding code changes to check parameters for vault operator init * fixing defaults in cli * fixing comments * remove unused consts * adding validate parameters test * add changelog * adding changes to validation * adding fmt changes * fixing test * add test for auto unseal 2022-07-25 19:45:04 +00:00			`"fmt"`
http: init endpoints 2015-03-12 19:37:41 +00:00			`"net/http"`
Validate parameters for vault operator init (#16379) * adding code changes to check parameters for vault operator init * fixing defaults in cli * fixing comments * remove unused consts * adding validate parameters test * add changelog * adding changes to validation * adding fmt changes * fixing test * add test for auto unseal 2022-07-25 19:45:04 +00:00			`"strings"`
http: init endpoints 2015-03-12 19:37:41 +00:00
			`"github.com/hashicorp/vault/vault"`
			`)`

			`func handleSysInit(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`switch r.Method {`
			`case "GET":`
			`handleSysInitGet(core, w, r)`
We treat put/post the same, so allow init to use POST 2016-02-23 01:22:31 +00:00			`case "PUT", "POST":`
http: init endpoints 2015-03-12 19:37:41 +00:00			`handleSysInitPut(core, w, r)`
			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`}`
			`})`
			`}`

			`func handleSysInitGet(core vault.Core, w http.ResponseWriter, r http.Request) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`init, err := core.Initialized(context.Background())`
http: init endpoints 2015-03-12 19:37:41 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`respondOk(w, &InitStatusResponse{`
			`Initialized: init,`
			`})`
			`}`

			`func handleSysInitPut(core vault.Core, w http.ResponseWriter, r http.Request) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx := context.Background()`

http: init endpoints 2015-03-12 19:37:41 +00:00			`// Parse the request`
			`var req InitRequest`
Support processing parameters sent as a URL-encoded form (#8325) 2020-02-12 22:20:22 +00:00			`if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {`
http: init endpoints 2015-03-12 19:37:41 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

Validate parameters for vault operator init (#16379) * adding code changes to check parameters for vault operator init * fixing defaults in cli * fixing comments * remove unused consts * adding validate parameters test * add changelog * adding changes to validation * adding fmt changes * fixing test * add test for auto unseal 2022-07-25 19:45:04 +00:00			`// Validate init request parameters`
			`if err := validateInitParameters(core, req); err != nil {`
			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`

http: init endpoints 2015-03-12 19:37:41 +00:00			`// Initialize`
SealInterface 2016-04-04 14:44:22 +00:00			`barrierConfig := &vault.SealConfig{`
http: init endpoints 2015-03-12 19:37:41 +00:00			`SecretShares: req.SecretShares,`
			`SecretThreshold: req.SecretThreshold,`
SealInterface 2016-04-04 14:44:22 +00:00			`StoredShares: req.StoredShares,`
Address comments from review. 2015-08-25 22:33:58 +00:00			`PGPKeys: req.PGPKeys,`
SealInterface 2016-04-04 14:44:22 +00:00			`}`

			`recoveryConfig := &vault.SealConfig{`
Revert #18683 (#18942) * Revert "Don't execute the seal recovery tests on ENT. (#18841)" This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2. * Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)" This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45. 2023-02-01 19:34:53 +00:00			`SecretShares: req.RecoveryShares,`
			`SecretThreshold: req.RecoveryThreshold,`
			`PGPKeys: req.RecoveryPGPKeys,`
SealInterface 2016-04-04 14:44:22 +00:00			`}`

Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 22:42:24 +00:00			`initParams := &vault.InitParams{`
			`BarrierConfig: barrierConfig,`
			`RecoveryConfig: recoveryConfig,`
			`RootTokenPGPKey: req.RootTokenPGPKey,`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`result, initErr := core.Initialize(ctx, initParams)`
SealInterface 2016-04-04 14:44:22 +00:00			`if initErr != nil {`
Continuously attempt to unseal if sealed keys are supported (#6039) * Add helper for checking if an error is a fatal error The double-double negative was really confusing, and this pattern is used a few places in Vault. This negates the double negative, making the devx a bit easier to follow. * Check return value of UnsealWithStoredKeys in sys/init * Return proper error types when attempting unseal with stored key Prior to this commit, "nil" could have meant unsupported auto-unseal, a transient error, or success. This updates the function to return the correct error type, signaling to the caller whether they should retry or fail. * Continuously attempt to unseal if sealed keys are supported This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions: - the node is unsealed - the node does not support stored keys - a fatal error occurs (as defined by Vault) - the server is shutting down In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys. 2019-01-23 21:34:34 +00:00			`if vault.IsFatalError(initErr) {`
SealInterface 2016-04-04 14:44:22 +00:00			`respondError(w, http.StatusBadRequest, initErr)`
			`return`
			`} else {`
			`// Add a warnings field? The error will be logged in the vault log`
			`// already.`
			`}`
http: init endpoints 2015-03-12 19:37:41 +00:00			`}`

			`// Encode the keys`
			`keys := make([]string, 0, len(result.SecretShares))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`keysB64 := make([]string, 0, len(result.SecretShares))`
http: init endpoints 2015-03-12 19:37:41 +00:00			`for _, k := range result.SecretShares {`
			`keys = append(keys, hex.EncodeToString(k))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))`
http: init endpoints 2015-03-12 19:37:41 +00:00			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`resp := &InitResponse{`
http: root token in init 2015-03-29 23:22:09 +00:00			`Keys: keys,`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`KeysB64: keysB64,`
http: root token in init 2015-03-29 23:22:09 +00:00			`RootToken: result.RootToken,`
SealInterface 2016-04-04 14:44:22 +00:00			`}`

			`if len(result.RecoveryShares) > 0 {`
			`resp.RecoveryKeys = make([]string, 0, len(result.RecoveryShares))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`resp.RecoveryKeysB64 = make([]string, 0, len(result.RecoveryShares))`
SealInterface 2016-04-04 14:44:22 +00:00			`for _, k := range result.RecoveryShares {`
			`resp.RecoveryKeys = append(resp.RecoveryKeys, hex.EncodeToString(k))`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`resp.RecoveryKeysB64 = append(resp.RecoveryKeysB64, base64.StdEncoding.EncodeToString(k))`
SealInterface 2016-04-04 14:44:22 +00:00			`}`
			`}`

Continuously attempt to unseal if sealed keys are supported (#6039) * Add helper for checking if an error is a fatal error The double-double negative was really confusing, and this pattern is used a few places in Vault. This negates the double negative, making the devx a bit easier to follow. * Check return value of UnsealWithStoredKeys in sys/init * Return proper error types when attempting unseal with stored key Prior to this commit, "nil" could have meant unsupported auto-unseal, a transient error, or success. This updates the function to return the correct error type, signaling to the caller whether they should retry or fail. * Continuously attempt to unseal if sealed keys are supported This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions: - the node is unsealed - the node does not support stored keys - a fatal error occurs (as defined by Vault) - the server is shutting down In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys. 2019-01-23 21:34:34 +00:00			`if err := core.UnsealWithStoredKeys(ctx); err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:12:58 +00:00
SealInterface 2016-04-04 14:44:22 +00:00			`respondOk(w, resp)`
http: init endpoints 2015-03-12 19:37:41 +00:00			`}`

			`type InitRequest struct {`
Revert #18683 (#18942) * Revert "Don't execute the seal recovery tests on ENT. (#18841)" This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2. * Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)" This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45. 2023-02-01 19:34:53 +00:00			SecretShares int `json:"secret_shares"`
			SecretThreshold int `json:"secret_threshold"`
			StoredShares int `json:"stored_shares"`
			PGPKeys []string `json:"pgp_keys"`
			RecoveryShares int `json:"recovery_shares"`
			RecoveryThreshold int `json:"recovery_threshold"`
			RecoveryPGPKeys []string `json:"recovery_pgp_keys"`
			RootTokenPGPKey string `json:"root_token_pgp_key"`
http: init endpoints 2015-03-12 19:37:41 +00:00			`}`

			`type InitResponse struct {`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			Keys []string `json:"keys"`
			KeysB64 []string `json:"keys_base64"`
			RecoveryKeys []string `json:"recovery_keys,omitempty"`
			RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
			RootToken string `json:"root_token"`
http: init endpoints 2015-03-12 19:37:41 +00:00			`}`

			`type InitStatusResponse struct {`
			Initialized bool `json:"initialized"`
			`}`
Validate parameters for vault operator init (#16379) * adding code changes to check parameters for vault operator init * fixing defaults in cli * fixing comments * remove unused consts * adding validate parameters test * add changelog * adding changes to validation * adding fmt changes * fixing test * add test for auto unseal 2022-07-25 19:45:04 +00:00
			`// Validates if the right parameters are used based on AutoUnseal`
			`func validateInitParameters(core *vault.Core, req InitRequest) error {`
			`recoveryFlags := make([]string, 0)`
			`barrierFlags := make([]string, 0)`

			`if req.SecretShares != 0 {`
			`barrierFlags = append(barrierFlags, "secret_shares")`
			`}`
			`if req.SecretThreshold != 0 {`
			`barrierFlags = append(barrierFlags, "secret_threshold")`
			`}`
			`if len(req.PGPKeys) != 0 {`
			`barrierFlags = append(barrierFlags, "pgp_keys")`
			`}`
			`if req.RecoveryShares != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_shares")`
			`}`
			`if req.RecoveryThreshold != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_threshold")`
			`}`
			`if len(req.RecoveryPGPKeys) != 0 {`
			`recoveryFlags = append(recoveryFlags, "recovery_pgp_keys")`
			`}`

			`switch core.SealAccess().RecoveryKeySupported() {`
			`case true:`
			`if len(barrierFlags) > 0 {`
			`return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(barrierFlags, ","), core.SealAccess().BarrierType())`
			`}`
			`default:`
			`if len(recoveryFlags) > 0 {`
			`return fmt.Errorf("parameters %s not applicable to seal type %s", strings.Join(recoveryFlags, ","), core.SealAccess().BarrierType())`
			`}`

			`}`
			`return nil`
			`}`