open-vault/builtin/logical/transit/path_keys.go

package transit

import (
	"fmt"
	"strconv"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathKeys() *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},

			"derived": &framework.FieldSchema{
				Type:        framework.TypeBool,
				Description: "Enables key derivation mode. This allows for per-transaction unique keys",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: pathPolicyWrite,
			logical.DeleteOperation: pathPolicyDelete,
			logical.ReadOperation:   pathPolicyRead,
		},

		HelpSynopsis:    pathPolicyHelpSyn,
		HelpDescription: pathPolicyHelpDesc,
	}
}

func pathPolicyWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	derived := d.Get("derived").(bool)

	// Check if the policy already exists
	existing, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}
	if existing != nil {
		return nil, nil
	}

	// Generate the policy
	_, err = generatePolicy(req.Storage, name, derived)
	return nil, err
}

func pathPolicyRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	p, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, nil
	}

	// Return the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"name":                   p.Name,
			"cipher_mode":            p.CipherMode,
			"derived":                p.Derived,
			"deletion_allowed":       p.DeletionAllowed,
			"min_decryption_version": p.MinDecryptionVersion,
			"latest_version":         p.LatestVersion,
		},
	}
	if p.Derived {
		resp.Data["kdf_mode"] = p.KDFMode
	}

	retKeys := map[string]int64{}
	for k, v := range p.Keys {
		retKeys[strconv.Itoa(k)] = v.CreationTime
	}
	resp.Data["keys"] = retKeys

	return resp, nil
}

func pathPolicyDelete(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	p, err := getPolicy(req, name)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("error looking up policy %s, error is %s", name, err)), err
	}
	if p == nil {
		return logical.ErrorResponse(fmt.Sprintf("no such key %s", name)), logical.ErrInvalidRequest
	}

	if !p.DeletionAllowed {
		return logical.ErrorResponse(fmt.Sprintf("'allow_deletion' config value is not set")), logical.ErrInvalidRequest
	}

	err = req.Storage.Delete("policy/" + name)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err
	}

	err = req.Storage.Delete("archive/" + name)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("error deleting archive %s: %s", name, err)), err
	}

	return nil, nil
}

const pathPolicyHelpSyn = `Managed named encryption keys`

const pathPolicyHelpDesc = `
This path is used to manage the named keys that are available.
Doing a write with no value against a new named key will create
it using a randomly generated key.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`"fmt"`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`"strconv"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`func pathKeys() *framework.Path {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "keys/" + framework.GenericNameRegex("name"),`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`Description: "Name of the key",`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00
			`"derived": &framework.FieldSchema{`
			`Type: framework.TypeBool,`
			`Description: "Enables key derivation mode. This allows for per-transaction unique keys",`
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Fix logic bug when restoring keys 2016-01-21 22:44:40 +00:00			`logical.UpdateOperation: pathPolicyWrite,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`logical.DeleteOperation: pathPolicyDelete,`
			`logical.ReadOperation: pathPolicyRead,`
			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathPolicyHelpSyn,`
			`HelpDescription: pathPolicyHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

			`func pathPolicyWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`derived := d.Get("derived").(bool)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`// Check if the policy already exists`
			`existing, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if existing != nil {`
			`return nil, nil`
			`}`

secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`// Generate the policy`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`_, err = generatePolicy(req.Storage, name, derived)`
secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`return nil, err`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

			`func pathPolicyRead(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`p, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if p == nil {`
			`return nil, nil`
			`}`

			`// Return the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
Update transit backend documentation, and also return the min decryption value in a read operation on the key. 2015-09-21 16:24:17 +00:00			`"name": p.Name,`
			`"cipher_mode": p.CipherMode,`
			`"derived": p.Derived,`
			`"deletion_allowed": p.DeletionAllowed,`
			`"min_decryption_version": p.MinDecryptionVersion,`
Fix logic bug when restoring keys 2016-01-21 22:44:40 +00:00			`"latest_version": p.LatestVersion,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
			`}`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`if p.Derived {`
			`resp.Data["kdf_mode"] = p.KDFMode`
			`}`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00
			`retKeys := map[string]int64{}`
			`for k, v := range p.Keys {`
			`retKeys[strconv.Itoa(k)] = v.CreationTime`
			`}`
			`resp.Data["keys"] = retKeys`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return resp, nil`
			`}`

			`func pathPolicyDelete(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`p, err := getPolicy(req, name)`
			`if err != nil {`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`return logical.ErrorResponse(fmt.Sprintf("error looking up policy %s, error is %s", name, err)), err`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`}`
			`if p == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("no such key %s", name)), logical.ErrInvalidRequest`
			`}`

Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`if !p.DeletionAllowed {`
			`return logical.ErrorResponse(fmt.Sprintf("'allow_deletion' config value is not set")), logical.ErrInvalidRequest`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`}`

			`err = req.Storage.Delete("policy/" + name)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`if err != nil {`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00
			`err = req.Storage.Delete("archive/" + name)`
			`if err != nil {`
			`return logical.ErrorResponse(fmt.Sprintf("error deleting archive %s: %s", name, err)), err`
			`}`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return nil, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			const pathPolicyHelpSyn = `Managed named encryption keys`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathPolicyHelpDesc = `
			`This path is used to manage the named keys that are available.`
			`Doing a write with no value against a new named key will create`
			`it using a randomly generated key.`
			`