OSS portion of wrapper-v2 (#16811)
* OSS portion of wrapper-v2 * Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter * Rename the OveriddenType to WrapperType and use it for the barrier type prefetch * Fix unit test
parent
231f422822
commit
3bd38fd5dc
|
@ -593,7 +593,7 @@ func (c *AgentCommand) Run(args []string) int {
|
|||
c.UI.Warn(fmt.Sprintf("Failed to close persistent cache file after getting retrieval token: %s", err))
|
||||
}
|
||||
|
||||
km, err := keymanager.NewPassthroughKeyManager(token)
|
||||
km, err := keymanager.NewPassthroughKeyManager(ctx, token)
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
|
||||
return 1
|
||||
|
@ -657,7 +657,7 @@ func (c *AgentCommand) Run(args []string) int {
|
|||
}
|
||||
}
|
||||
} else {
|
||||
km, err := keymanager.NewPassthroughKeyManager(nil)
|
||||
km, err := keymanager.NewPassthroughKeyManager(ctx, nil)
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
|
||||
return 1
|
||||
|
@ -675,7 +675,7 @@ func (c *AgentCommand) Run(args []string) int {
|
|||
cacheLogger.Info("configured persistent storage", "path", config.Cache.Persist.Path)
|
||||
|
||||
// Stash the key material in bolt
|
||||
token, err := km.RetrievalToken()
|
||||
token, err := km.RetrievalToken(ctx)
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("Error getting persistent key: %s", err))
|
||||
return 1
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
|
||||
"github.com/golang/protobuf/proto"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
bolt "go.etcd.io/bbolt"
|
||||
)
|
||||
|
@ -228,7 +228,7 @@ func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
|
|||
|
||||
// Set an index (token or lease) in bolt storage
|
||||
func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
|
||||
blob, err := b.wrapper.Encrypt(ctx, plaintext, []byte(b.aad))
|
||||
blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
|
||||
if err != nil {
|
||||
return fmt.Errorf("error encrypting %s index: %w", indexType, err)
|
||||
}
|
||||
|
@ -296,12 +296,12 @@ func (b *BoltStorage) Delete(id string, indexType string) error {
|
|||
}
|
||||
|
||||
func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
|
||||
var blob wrapping.EncryptedBlobInfo
|
||||
var blob wrapping.BlobInfo
|
||||
if err := proto.Unmarshal(ciphertext, &blob); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return b.wrapper.Decrypt(ctx, &blob, []byte(b.aad))
|
||||
return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
|
||||
}
|
||||
|
||||
// GetByType returns a list of stored items of the specified type
|
||||
|
|
|
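Review bot: The decrypt hunk now unmarshals into the v2 `wrapping.BlobInfo` while the import hunk keeps the legacy `github.com/golang/protobuf/proto` package, whereas the configutil files changed in the same commit decode the same type with `google.golang.org/protobuf/proto`. The legacy package should still accept a v2-generated message through its compatibility layer, but unifying on `"google.golang.org/protobuf/proto"` here would make both code paths decode the blob the same way and drop one dependency. The Set method continues past its hunk and the BoltStorage type is defined outside this view, so there may be other proto call sites to adjust.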
@ -22,7 +22,7 @@ import (
|
|||
func getTestKeyManager(t *testing.T) keymanager.KeyManager {
|
||||
t.Helper()
|
||||
|
||||
km, err := keymanager.NewPassthroughKeyManager(nil)
|
||||
km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
return km
|
||||
|
@ -286,7 +286,7 @@ func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
|
|||
|
||||
// Manually insert some items into the v1 schema.
|
||||
err = db.Update(func(tx *bolt.Tx) error {
|
||||
blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"), []byte(""))
|
||||
blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
|
||||
if err != nil {
|
||||
return fmt.Errorf("error encrypting contents: %w", err)
|
||||
}
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
package keymanager
|
||||
|
||||
import wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
import (
|
||||
"context"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
KeyID = "root"
|
||||
|
@ -12,5 +16,5 @@ type KeyManager interface {
|
|||
// RetrievalToken is the material returned which can be used to source back the
|
||||
// encryption key. Depending on the implementation, the token can be the
|
||||
// encryption key itself or a token/identifier used to exchange the token.
|
||||
RetrievalToken() ([]byte, error)
|
||||
RetrievalToken(ctx context.Context) ([]byte, error)
|
||||
}
|
||||
|
|
|
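Review bot: The RetrievalToken doc comment above the changed signature still describes only the returned material and says nothing about the new ctx parameter, so implementers get no guidance on whether it must be honoured or may be ignored. Extend the comment with a sentence such as `// The ctx is passed through to the underlying wrapper call that produces the token.` — the passthrough implementation in this commit forwards it to `KeyBytes(ctx)`. The KeyManager interface starts before this hunk.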
@ -1,11 +1,12 @@
|
|||
package keymanager
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
)
|
||||
|
||||
var _ KeyManager = (*PassthroughKeyManager)(nil)
|
||||
|
@ -17,7 +18,7 @@ type PassthroughKeyManager struct {
|
|||
// NewPassthroughKeyManager returns a new instance of the Kube encryption key.
|
||||
// If a key is provided, it will be used as the encryption key for the wrapper,
|
||||
// otherwise one will be generated.
|
||||
func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
|
||||
func NewPassthroughKeyManager(ctx context.Context, key []byte) (*PassthroughKeyManager, error) {
|
||||
var rootKey []byte = nil
|
||||
switch len(key) {
|
||||
case 0:
|
||||
|
@ -33,13 +34,13 @@ func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
|
|||
return nil, fmt.Errorf("invalid key size, should be 32, got %d", len(key))
|
||||
}
|
||||
|
||||
wrapper := aead.NewWrapper(nil)
|
||||
wrapper := aead.NewWrapper()
|
||||
|
||||
if _, err := wrapper.SetConfig(map[string]string{"key_id": KeyID}); err != nil {
|
||||
if _, err := wrapper.SetConfig(ctx, wrapping.WithConfigMap(map[string]string{"key_id": KeyID})); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := wrapper.SetAESGCMKeyBytes(rootKey); err != nil {
|
||||
if err := wrapper.SetAesGcmKeyBytes(rootKey); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -58,10 +59,10 @@ func (w *PassthroughKeyManager) Wrapper() wrapping.Wrapper {
|
|||
// RetrievalToken returns the key that was used on the wrapper since this key
|
||||
// manager is simply a passthrough and does not provide a mechanism to abstract
|
||||
// this key.
|
||||
func (w *PassthroughKeyManager) RetrievalToken() ([]byte, error) {
|
||||
func (w *PassthroughKeyManager) RetrievalToken(ctx context.Context) ([]byte, error) {
|
||||
if w.wrapper == nil {
|
||||
return nil, fmt.Errorf("unable to get wrapper for token retrieval")
|
||||
}
|
||||
|
||||
return w.wrapper.GetKeyBytes(), nil
|
||||
return w.wrapper.KeyBytes(ctx)
|
||||
}
|
||||
|
|
|
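Review bot: The doc comment on NewPassthroughKeyManager still reads `returns a new instance of the Kube encryption key`, which does not describe a key manager and does not mention the new ctx parameter that is now handed to `wrapper.SetConfig(ctx, ...)`. Suggest replacing the first line with `// NewPassthroughKeyManager returns a key manager around an AEAD wrapper keyed with key.` and adding `// ctx is forwarded to the wrapper's SetConfig call.` below the existing sentences. RetrievalToken's comment could likewise state that ctx is forwarded to `KeyBytes` and that a wrapper error is now propagated where the old `GetKeyBytes()` could not fail. The constructor's body runs past the end of its hunk.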
@ -2,6 +2,7 @@ package keymanager
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -30,9 +31,10 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
m, err := NewPassthroughKeyManager(tc.key)
|
||||
m, err := NewPassthroughKeyManager(ctx, tc.key)
|
||||
if tc.wantErr {
|
||||
require.Error(t, err)
|
||||
return
|
||||
|
@ -43,7 +45,7 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
|
|||
t.Fatalf("expected non-nil wrapper from the key manager")
|
||||
}
|
||||
|
||||
token, err := m.RetrievalToken()
|
||||
token, err := m.RetrievalToken(ctx)
|
||||
if err != nil {
|
||||
t.Fatalf("unable to retrieve token: %s", err)
|
||||
}
|
||||
|
|
|
@ -699,7 +699,7 @@ func TestLeaseCache_Concurrent_Cacheable(t *testing.T) {
|
|||
func setupBoltStorage(t *testing.T) (tempCacheDir string, boltStorage *cacheboltdb.BoltStorage) {
|
||||
t.Helper()
|
||||
|
||||
km, err := keymanager.NewPassthroughKeyManager(nil)
|
||||
km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
tempCacheDir, err = ioutil.TempDir("", "agent-cache-test")
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
|
||||
"golang.org/x/term"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
|
||||
"github.com/docker/docker/pkg/ioutils"
|
||||
"github.com/hashicorp/consul/api"
|
||||
|
@ -455,7 +455,7 @@ func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error
|
|||
}
|
||||
// Ensure that the seal finalizer is called, even if using verify-only
|
||||
defer func(seal *vault.Seal) {
|
||||
sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType())
|
||||
sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType().String())
|
||||
finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
|
||||
err = (*seal).Finalize(finalizeSealContext)
|
||||
if err != nil {
|
||||
|
@ -675,7 +675,7 @@ SEALFAIL:
|
|||
if barrierSeal == nil {
|
||||
return fmt.Errorf("Diagnose could not create a barrier seal object.")
|
||||
}
|
||||
if barrierSeal.BarrierType() == wrapping.Shamir {
|
||||
if barrierSeal.BarrierType() == wrapping.WrapperTypeShamir {
|
||||
diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -24,8 +24,8 @@ import (
|
|||
systemd "github.com/coreos/go-systemd/daemon"
|
||||
"github.com/hashicorp/errwrap"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/hashicorp/go-secure-stdlib/gatedwriter"
|
||||
"github.com/hashicorp/go-secure-stdlib/mlock"
|
||||
|
@ -556,7 +556,7 @@ func (c *ServerCommand) runRecoveryMode() int {
|
|||
var wrapper wrapping.Wrapper
|
||||
|
||||
if len(config.Seals) == 0 {
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
|
||||
}
|
||||
|
||||
if len(config.Seals) > 1 {
|
||||
|
@ -565,7 +565,7 @@ func (c *ServerCommand) runRecoveryMode() int {
|
|||
}
|
||||
|
||||
configSeal := config.Seals[0]
|
||||
sealType := wrapping.Shamir
|
||||
sealType := wrapping.WrapperTypeShamir.String()
|
||||
if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
|
||||
sealType = os.Getenv("VAULT_SEAL_TYPE")
|
||||
configSeal.Type = sealType
|
||||
|
@ -578,9 +578,7 @@ func (c *ServerCommand) runRecoveryMode() int {
|
|||
|
||||
var seal vault.Seal
|
||||
defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("shamir"),
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
|
||||
wrapper, sealConfigError = configutil.ConfigureWrapper(configSeal, &infoKeys, &info, sealLogger)
|
||||
|
@ -594,9 +592,12 @@ func (c *ServerCommand) runRecoveryMode() int {
|
|||
if wrapper == nil {
|
||||
seal = defaultSeal
|
||||
} else {
|
||||
seal = vault.NewAutoSeal(&vaultseal.Access{
|
||||
seal, err = vault.NewAutoSeal(&vaultseal.Access{
|
||||
Wrapper: wrapper,
|
||||
})
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))
|
||||
}
|
||||
}
|
||||
barrierSeal = seal
|
||||
|
||||
|
@ -2350,24 +2351,28 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
|||
var wrapper wrapping.Wrapper
|
||||
var barrierWrapper wrapping.Wrapper
|
||||
if c.flagDevAutoSeal {
|
||||
barrierSeal = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
|
||||
var err error
|
||||
barrierSeal, err = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, nil, err
|
||||
}
|
||||
return barrierSeal, nil, nil, nil, nil, nil
|
||||
}
|
||||
|
||||
// Handle the case where no seal is provided
|
||||
switch len(config.Seals) {
|
||||
case 0:
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
|
||||
case 1:
|
||||
// If there's only one seal and it's disabled assume they want to
|
||||
// migrate to a shamir seal and simply didn't provide it
|
||||
if config.Seals[0].Disabled {
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
|
||||
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
|
||||
}
|
||||
}
|
||||
var createdSeals []vault.Seal = make([]vault.Seal, len(config.Seals))
|
||||
for _, configSeal := range config.Seals {
|
||||
sealType := wrapping.Shamir
|
||||
sealType := wrapping.WrapperTypeShamir.String()
|
||||
if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
|
||||
sealType = os.Getenv("VAULT_SEAL_TYPE")
|
||||
configSeal.Type = sealType
|
||||
|
@ -2379,9 +2384,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
|||
sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
|
||||
c.allLoggers = append(c.allLoggers, sealLogger)
|
||||
defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("shamir"),
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
var sealInfoKeys []string
|
||||
sealInfoMap := map[string]string{}
|
||||
|
@ -2395,9 +2398,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
|||
if wrapper == nil {
|
||||
seal = defaultSeal
|
||||
} else {
|
||||
seal = vault.NewAutoSeal(&vaultseal.Access{
|
||||
var err error
|
||||
seal, err = vault.NewAutoSeal(&vaultseal.Access{
|
||||
Wrapper: wrapper,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, nil, err
|
||||
}
|
||||
}
|
||||
infoPrefix := ""
|
||||
if configSeal.Disabled {
|
||||
|
|
|
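Review bot: In the runRecoveryMode hunk, the new error branch after `seal, err = vault.NewAutoSeal(...)` only reports the error with `c.UI.Error(...)` and then falls through, so `barrierSeal = seal` runs with whatever NewAutoSeal returned on failure (presumably nil) and the function carries on as if a seal had been configured; the equivalent branch added to setSeal later in this commit does return the error. Add `return 1` directly after `c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))`, matching the other early exits in this function. `err` is assigned with `=` here, so it must be declared earlier in runRecoveryMode, outside the hunk — worth confirming it is the intended variable and not a stale one. The enclosing function starts and ends outside the hunk.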
@ -26,7 +26,7 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
|
|||
"key_name": config.keyName,
|
||||
}
|
||||
|
||||
kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
|
||||
kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
|
||||
if err != nil {
|
||||
t.Fatalf("error setting wrapper config: %v", err)
|
||||
}
|
||||
|
@ -72,7 +72,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
|
|||
"mount_path": config.mountPath,
|
||||
"key_name": config.keyName,
|
||||
}
|
||||
kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
|
||||
kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
|
||||
if err != nil {
|
||||
t.Fatalf("error setting wrapper config: %v", err)
|
||||
}
|
||||
|
|
20
go.mod
20
go.mod
|
@ -25,13 +25,13 @@ require (
|
|||
github.com/SAP/go-hdb v0.14.1
|
||||
github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
|
||||
github.com/aerospike/aerospike-client-go/v5 v5.6.0
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499
|
||||
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
|
||||
github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
|
||||
github.com/armon/go-metrics v0.4.0
|
||||
github.com/armon/go-radix v1.0.0
|
||||
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
|
||||
github.com/aws/aws-sdk-go v1.43.4
|
||||
github.com/aws/aws-sdk-go v1.43.8
|
||||
github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
|
||||
github.com/cenkalti/backoff/v3 v3.2.2
|
||||
github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
|
||||
|
@ -66,7 +66,15 @@ require (
|
|||
github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
|
||||
github.com/hashicorp/go-gcp-common v0.8.0
|
||||
github.com/hashicorp/go-hclog v1.2.2
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.0
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.1
|
||||
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1
|
||||
github.com/hashicorp/go-memdb v1.3.3
|
||||
github.com/hashicorp/go-msgpack v1.1.5
|
||||
github.com/hashicorp/go-multierror v1.1.1
|
||||
|
@ -203,7 +211,7 @@ require (
|
|||
cloud.google.com/go/kms v1.4.0 // indirect
|
||||
code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
|
||||
github.com/Azure/azure-pipeline-go v0.2.3 // indirect
|
||||
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
|
||||
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible // indirect
|
||||
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
|
||||
|
@ -341,6 +349,7 @@ require (
|
|||
github.com/opencontainers/image-spec v1.0.2 // indirect
|
||||
github.com/opencontainers/runc v1.0.2 // indirect
|
||||
github.com/openlyinc/pointy v1.1.2 // indirect
|
||||
github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
|
||||
github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
|
||||
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
|
||||
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
|
||||
|
@ -356,6 +365,7 @@ require (
|
|||
github.com/sirupsen/logrus v1.8.1 // indirect
|
||||
github.com/snowflakedb/gosnowflake v1.6.3 // indirect
|
||||
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
|
||||
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/stretchr/objx v0.4.0 // indirect
|
||||
github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
|
||||
|
@ -387,7 +397,7 @@ require (
|
|||
google.golang.org/appengine v1.6.7 // indirect
|
||||
google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/ini.v1 v1.62.0 // indirect
|
||||
gopkg.in/ini.v1 v1.66.2 // indirect
|
||||
gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
|
||||
gopkg.in/resty.v1 v1.12.0 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
|
|
38
go.sum
38
go.sum
|
@ -75,8 +75,8 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo
|
|||
github.com/Azure/azure-sdk-for-go v36.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-sdk-for-go v58.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible h1:BF2Pm3aQWIa6q9KmxyF1JYKYXtVw67vtvu2Wd54NGuY=
|
||||
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
|
||||
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
|
||||
|
@ -212,8 +212,9 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
|
|||
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
|
||||
github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f h1:oRD16bhpKNAanfcDDVU+J0NXqsgHIvGbbe/sy+r6Rs0=
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ=
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499 h1:P2FUu1/xkj4abuHcqdRQO9ZAYc9hSWG5c5gifsU/Ogc=
|
||||
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
|
||||
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
|
||||
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
|
||||
github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
|
||||
|
@ -242,8 +243,8 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo
|
|||
github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
|
||||
github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
|
||||
github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
|
||||
github.com/aws/aws-sdk-go v1.43.4 h1:EtsGbtOB+1548T6Nb62XCOofgXtMHwf+WZh5gQc3xTY=
|
||||
github.com/aws/aws-sdk-go v1.43.4/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc=
|
||||
github.com/aws/aws-sdk-go v1.43.8 h1:8a/M9C4l5CxFNM6IuNx4F1p+ITJEX12VxWxUQo61cbc=
|
||||
github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
|
||||
github.com/aws/aws-sdk-go-v2 v1.8.0 h1:HcN6yDnHV9S7D69E7To0aUppJhiJNEzQSNcUxc7r3qo=
|
||||
github.com/aws/aws-sdk-go-v2 v1.8.0/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
|
||||
github.com/aws/aws-sdk-go-v2/config v1.6.0 h1:rtoCnNObhVm7me+v9sA2aY+NtHNZjjWWC3ifXVci+wE=
|
||||
|
@ -878,10 +879,26 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
|
|||
github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
|
||||
github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
|
||||
github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.0 h1:UBagVJn4nSNOSjjtpkR370VOEBLnGMXfQcIlE/WL/7o=
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.0/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.1 h1:SPdvddcmGjYkFrMROhRuW3VkOeVsNuEbpmfT7B1qSGM=
|
||||
github.com/hashicorp/go-kms-wrapping v0.7.1/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
|
||||
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
|
||||
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
|
||||
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d h1:mOtPXWIp4cWKNt9S55IuYAdyUgNtCfUAEVIjcXDx59E=
|
||||
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d/go.mod h1:sDQAfwJGv25uGPZA04x87ERglCG6avnRcBT9wYoMII8=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4 h1:ws2CPDuXMKwaBb2z/duBCdnB9pSxlN2nuDZWXcVj6RU=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4/go.mod h1:dDxt3GXi5QONVHYrJi2+EjsJLCUs59FktZQA8ZMnm+U=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0 h1:RnTa2yQXHPP7CocgTAciNXcn5OG4wsqqENlMuUTXl74=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0/go.mod h1:3D5UB9fjot4oUTYGQ5gGmhLJKreyLZeI0XB+NxcLTKs=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1 h1:6joKpqCFveaNMEwC3qna67usws6DjdxqfCuQEHSM0aM=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0 h1:UE5bUOSPYqAUK+hV9ngxkQthltjhrYZHEbwqeh7hEq4=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0 h1:FnWV2E0NLj+yYdhToUQjU81ayCMgURiL2WbJ0V7u/XY=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1 h1:72zlIBTJd2pvYmINqotpvcI4ZXLxhRq2cVPTuqv0xqY=
|
||||
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1/go.mod h1:JytRAxdJViV+unUUWedb7uzEy5pgu7OurbqX0eHEikE=
|
||||
github.com/hashicorp/go-memdb v1.3.3 h1:oGfEWrFuxtIUF3W2q/Jzt6G85TrMk9ey6XfYLvVe1Wo=
|
||||
github.com/hashicorp/go-memdb v1.3.3/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg=
|
||||
github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
|
||||
|
@ -1403,6 +1420,8 @@ github.com/openlyinc/pointy v1.1.2/go.mod h1:w2Sytx+0FVuMKn37xpXIAyBNhFNBIJGR/v2
|
|||
github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
|
||||
github.com/oracle/oci-go-sdk v13.1.0+incompatible h1:inwbT0b/mMbnTfzYoW2xcU1cCMIlU6Fz973at5phRXM=
|
||||
github.com/oracle/oci-go-sdk v13.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
|
||||
github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
|
||||
github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
|
||||
github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
|
||||
github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
|
||||
github.com/ory/dockertest/v3 v3.8.0 h1:i5b0cJCd801qw0cVQUOH6dSpI9fT3j5tdWu0jKu90ks=
|
||||
|
@ -1561,6 +1580,8 @@ github.com/snowflakedb/gosnowflake v1.6.3/go.mod h1:6hLajn6yxuJ4xUHZegMekpq9rnQb
|
|||
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
|
||||
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
|
||||
github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
|
||||
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
|
||||
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
|
||||
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
|
||||
github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
|
||||
|
@ -2393,8 +2414,9 @@ gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:a
|
|||
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
|
||||
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
||||
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
|
||||
gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
|
||||
gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI=
|
||||
gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
|
||||
gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce h1:xcEWjVhvbDy+nHP67nPDDpbYrY+ILlfndk4bRioVHaU=
|
||||
|
|
|
@ -57,7 +57,7 @@ func (tss *TransitSealServer) MakeKey(t testing.T, key string) {
|
|||
}
|
||||
}
|
||||
|
||||
func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
|
||||
func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, error) {
|
||||
client := tss.Cores[0].Client
|
||||
wrapperConfig := map[string]string{
|
||||
"address": client.Address(),
|
||||
|
@ -66,7 +66,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
|
|||
"key_name": key,
|
||||
"tls_ca_cert": tss.CACertPEMFile,
|
||||
}
|
||||
transitSeal, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
|
||||
transitSeal, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
|
||||
if err != nil {
|
||||
t.Fatalf("error setting wrapper config: %v", err)
|
||||
}
|
||||
|
|
|
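Review bot: MakeSeal now returns `(vault.Seal, error)`, yet the body visible in the second hunk still calls `t.Fatalf` when `GetTransitKMSFunc` fails, so the helper mixes two error-reporting styles: a configuration failure aborts the test immediately while whatever produces the new error result is presumably handed back to the caller. Pick one — either return the wrapped error from this branch as well, or keep failing fast through t and drop the error result from the signature. The remainder of the body is outside the hunk, so the source of the returned error is not visible here.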
@ -151,7 +151,10 @@ func TestSysInit_Put_ValidateParams(t *testing.T) {
|
|||
|
||||
func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
|
||||
testSeal := seal.NewTestSeal(nil)
|
||||
autoSeal := vault.NewAutoSeal(testSeal)
|
||||
autoSeal, err := vault.NewAutoSeal(testSeal)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
autoSeal.SetType("transit")
|
||||
|
||||
// Create the transit server.
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
"fmt"
|
||||
"regexp"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"google.golang.org/protobuf/proto"
|
||||
)
|
||||
|
||||
|
@ -71,7 +71,7 @@ func EncryptDecrypt(rawStr string, decrypt, strip bool, wrapper wrapping.Wrapper
|
|||
if err != nil {
|
||||
return "", fmt.Errorf("error decoding encrypted parameter: %w", err)
|
||||
}
|
||||
inBlob := new(wrapping.EncryptedBlobInfo)
|
||||
inBlob := new(wrapping.BlobInfo)
|
||||
if err := proto.Unmarshal(inMsg, inBlob); err != nil {
|
||||
return "", fmt.Errorf("error unmarshaling encrypted parameter: %w", err)
|
||||
}
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"encoding/base64"
|
||||
"testing"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"google.golang.org/protobuf/proto"
|
||||
)
|
||||
|
||||
|
@ -51,7 +51,7 @@ telemetry {
|
|||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
inBlob := new(wrapping.EncryptedBlobInfo)
|
||||
inBlob := new(wrapping.BlobInfo)
|
||||
if err := proto.Unmarshal(inMsg, inBlob); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -89,18 +89,24 @@ telemetry {
|
|||
|
||||
type reversingWrapper struct{}
|
||||
|
||||
func (r *reversingWrapper) Type() string { return "reversing" }
|
||||
func (r *reversingWrapper) KeyID() string { return "reverser" }
|
||||
func (r *reversingWrapper) HMACKeyID() string { return "" }
|
||||
func (r *reversingWrapper) Init(_ context.Context) error { return nil }
|
||||
func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
|
||||
func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ []byte) (*wrapping.EncryptedBlobInfo, error) {
|
||||
return &wrapping.EncryptedBlobInfo{
|
||||
func (r *reversingWrapper) Type(_ context.Context) (wrapping.WrapperType, error) {
|
||||
return "reverser", nil
|
||||
}
|
||||
func (r *reversingWrapper) KeyId(_ context.Context) (string, error) { return "reverser", nil }
|
||||
func (r *reversingWrapper) HMACKeyID() string { return "" }
|
||||
func (r *reversingWrapper) Init(_ context.Context) error { return nil }
|
||||
func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
|
||||
func (r *reversingWrapper) SetConfig(_ context.Context, opts ...wrapping.Option) (*wrapping.WrapperConfig, error) {
|
||||
return &wrapping.WrapperConfig{}, nil
|
||||
}
|
||||
|
||||
func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ ...wrapping.Option) (*wrapping.BlobInfo, error) {
|
||||
return &wrapping.BlobInfo{
|
||||
Ciphertext: r.reverse(input),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.EncryptedBlobInfo, _ []byte) ([]byte, error) {
|
||||
func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.BlobInfo, _ ...wrapping.Option) ([]byte, error) {
|
||||
return r.reverse(input.Ciphertext), nil
|
||||
}
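Review bot: The rewritten `reversingWrapper.Type` returns `"reverser"`, the same string `KeyId` returns, whereas the old `Type()` returned "reversing"; the wrapper type and the key identifier are distinct concepts and giving them one value makes a mismatch in this test harder to read. `return "reversing", nil` keeps the old distinction. `HMACKeyID()` is kept although it appears not to be part of the v2 wrapper interface implemented by the surrounding methods; if nothing calls it, it can be dropped. The `reverse` helper the methods rely on lies outside the hunk.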
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package configutil
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io"
|
||||
|
@ -8,14 +9,14 @@ import (
|
|||
|
||||
"github.com/hashicorp/errwrap"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/transit"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2"
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/hcl"
|
||||
|
@ -159,41 +160,37 @@ func ParseKMSes(d string) ([]*KMS, error) {
|
|||
return result.Seals, nil
|
||||
}
|
||||
|
||||
func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger) (wrapping.Wrapper, error) {
|
||||
func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger, opts ...wrapping.Option) (wrapping.Wrapper, error) {
|
||||
var wrapper wrapping.Wrapper
|
||||
var kmsInfo map[string]string
|
||||
var err error
|
||||
|
||||
opts := &wrapping.WrapperOptions{
|
||||
Logger: logger,
|
||||
}
|
||||
|
||||
switch configKMS.Type {
|
||||
case wrapping.Shamir:
|
||||
switch wrapping.WrapperType(configKMS.Type) {
|
||||
case wrapping.WrapperTypeShamir:
|
||||
return nil, nil
|
||||
|
||||
case wrapping.AEAD:
|
||||
wrapper, kmsInfo, err = GetAEADKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeAead:
|
||||
wrapper, kmsInfo, err = GetAEADKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.AliCloudKMS:
|
||||
wrapper, kmsInfo, err = GetAliCloudKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeAliCloudKms:
|
||||
wrapper, kmsInfo, err = GetAliCloudKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.AWSKMS:
|
||||
wrapper, kmsInfo, err = GetAWSKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeAwsKms:
|
||||
wrapper, kmsInfo, err = GetAWSKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.AzureKeyVault:
|
||||
wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeAzureKeyVault:
|
||||
wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.GCPCKMS:
|
||||
wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeGcpCkms:
|
||||
wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.OCIKMS:
|
||||
wrapper, kmsInfo, err = GetOCIKMSKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeOciKms:
|
||||
wrapper, kmsInfo, err = GetOCIKMSKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.Transit:
|
||||
wrapper, kmsInfo, err = GetTransitKMSFunc(opts, configKMS)
|
||||
case wrapping.WrapperTypeTransit:
|
||||
wrapper, kmsInfo, err = GetTransitKMSFunc(configKMS, opts...)
|
||||
|
||||
case wrapping.PKCS11:
|
||||
case wrapping.WrapperTypePkcs11:
|
||||
return nil, fmt.Errorf("KMS type 'pkcs11' requires the Vault Enterprise HSM binary")
|
||||
|
||||
default:
|
||||
|
@ -214,9 +211,9 @@ func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]strin
|
|||
return wrapper, nil
|
||||
}
|
||||
|
||||
func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := aeadwrapper.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
func GetAEADKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := aeadwrapper.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), opts...)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
@ -226,14 +223,14 @@ func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper,
|
|||
if len(kms.Purpose) > 0 {
|
||||
str = fmt.Sprintf("%v %s", kms.Purpose, str)
|
||||
}
|
||||
info[str] = wrapperInfo["aead_type"]
|
||||
info[str] = wrapperInfo.Metadata["aead_type"]
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := alicloudkms.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
func GetAliCloudKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := alicloudkms.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
// If the error is any other than logical.KeyNotFoundError, return the error
|
||||
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
|
||||
|
@ -242,18 +239,18 @@ func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapp
|
|||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["AliCloud KMS Region"] = wrapperInfo["region"]
|
||||
info["AliCloud KMS KeyID"] = wrapperInfo["kms_key_id"]
|
||||
if domain, ok := wrapperInfo["domain"]; ok {
|
||||
info["AliCloud KMS Region"] = wrapperInfo.Metadata["region"]
|
||||
info["AliCloud KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
|
||||
if domain, ok := wrapperInfo.Metadata["domain"]; ok {
|
||||
info["AliCloud KMS Domain"] = domain
|
||||
}
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := awskms.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
var GetAWSKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := awskms.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
// If the error is any other than logical.KeyNotFoundError, return the error
|
||||
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
|
||||
|
@ -262,18 +259,18 @@ var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrap
|
|||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["AWS KMS Region"] = wrapperInfo["region"]
|
||||
info["AWS KMS KeyID"] = wrapperInfo["kms_key_id"]
|
||||
if endpoint, ok := wrapperInfo["endpoint"]; ok {
|
||||
info["AWS KMS Region"] = wrapperInfo.Metadata["region"]
|
||||
info["AWS KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
|
||||
if endpoint, ok := wrapperInfo.Metadata["endpoint"]; ok {
|
||||
info["AWS KMS Endpoint"] = endpoint
|
||||
}
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := azurekeyvault.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
func GetAzureKeyVaultKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := azurekeyvault.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
// If the error is any other than logical.KeyNotFoundError, return the error
|
||||
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
|
||||
|
@ -282,16 +279,16 @@ func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
|
|||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["Azure Environment"] = wrapperInfo["environment"]
|
||||
info["Azure Vault Name"] = wrapperInfo["vault_name"]
|
||||
info["Azure Key Name"] = wrapperInfo["key_name"]
|
||||
info["Azure Environment"] = wrapperInfo.Metadata["environment"]
|
||||
info["Azure Vault Name"] = wrapperInfo.Metadata["vault_name"]
|
||||
info["Azure Key Name"] = wrapperInfo.Metadata["key_name"]
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := gcpckms.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
func GetGCPCKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := gcpckms.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
// If the error is any other than logical.KeyNotFoundError, return the error
|
||||
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
|
||||
|
@ -300,33 +297,33 @@ func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrappe
|
|||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["GCP KMS Project"] = wrapperInfo["project"]
|
||||
info["GCP KMS Region"] = wrapperInfo["region"]
|
||||
info["GCP KMS Key Ring"] = wrapperInfo["key_ring"]
|
||||
info["GCP KMS Crypto Key"] = wrapperInfo["crypto_key"]
|
||||
info["GCP KMS Project"] = wrapperInfo.Metadata["project"]
|
||||
info["GCP KMS Region"] = wrapperInfo.Metadata["region"]
|
||||
info["GCP KMS Key Ring"] = wrapperInfo.Metadata["key_ring"]
|
||||
info["GCP KMS Crypto Key"] = wrapperInfo.Metadata["crypto_key"]
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
func GetOCIKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := ocikms.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
func GetOCIKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := ocikms.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["OCI KMS KeyID"] = wrapperInfo[ocikms.KMSConfigKeyID]
|
||||
info["OCI KMS Crypto Endpoint"] = wrapperInfo[ocikms.KMSConfigCryptoEndpoint]
|
||||
info["OCI KMS Management Endpoint"] = wrapperInfo[ocikms.KMSConfigManagementEndpoint]
|
||||
info["OCI KMS Principal Type"] = wrapperInfo["principal_type"]
|
||||
info["OCI KMS KeyID"] = wrapperInfo.Metadata[ocikms.KmsConfigKeyId]
|
||||
info["OCI KMS Crypto Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigCryptoEndpoint]
|
||||
info["OCI KMS Management Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigManagementEndpoint]
|
||||
info["OCI KMS Principal Type"] = wrapperInfo.Metadata["principal_type"]
|
||||
}
|
||||
return wrapper, info, nil
|
||||
}
|
||||
|
||||
var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := transit.NewWrapper(opts)
|
||||
wrapperInfo, err := wrapper.SetConfig(kms.Config)
|
||||
var GetTransitKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
|
||||
wrapper := transit.NewWrapper()
|
||||
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
|
||||
if err != nil {
|
||||
// If the error is any other than logical.KeyNotFoundError, return the error
|
||||
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
|
||||
|
@ -335,10 +332,10 @@ var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
|
|||
}
|
||||
info := make(map[string]string)
|
||||
if wrapperInfo != nil {
|
||||
info["Transit Address"] = wrapperInfo["address"]
|
||||
info["Transit Mount Path"] = wrapperInfo["mount_path"]
|
||||
info["Transit Key Name"] = wrapperInfo["key_name"]
|
||||
if namespace, ok := wrapperInfo["namespace"]; ok {
|
||||
info["Transit Address"] = wrapperInfo.Metadata["address"]
|
||||
info["Transit Mount Path"] = wrapperInfo.Metadata["mount_path"]
|
||||
info["Transit Key Name"] = wrapperInfo.Metadata["key_name"]
|
||||
if namespace, ok := wrapperInfo.Metadata["namespace"]; ok {
|
||||
info["Transit Namespace"] = namespace
|
||||
}
|
||||
}
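Review bot: `GetAEADKMSFunc` no longer passes `kms.Config` to the wrapper — `wrapper.SetConfig(context.Background(), opts...)` forwards only the caller's options, while every sibling (`GetAliCloudKMSFunc`, `GetAWSKMSFunc`, `GetAzureKeyVaultKMSFunc`, `GetGCPCKMSKMSFunc`, `GetOCIKMSKMSFunc`, `GetTransitKMSFunc`) passes `wrapping.WithConfigMap(kms.Config)` and in turn drops `opts`. Unless the caller already folds the config map into opts, the aead seal stanza (including the `aead_type` the info map reads a few lines later) never reaches the wrapper; conversely the other six wrappers lose whatever the caller placed in opts, which in the old code carried the logger. Passing `append(opts, wrapping.WithConfigMap(kms.Config))...` in all seven functions keeps both. In `configureWrapper` the `logger` parameter also looks unused once the `WrapperOptions` literal is removed, though that function continues past the hunk.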
|
||||
|
|
|
@ -17,7 +17,7 @@ import (
|
|||
"github.com/armon/go-metrics"
|
||||
"github.com/golang/protobuf/proto"
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/go-raftchunking"
|
||||
"github.com/hashicorp/go-secure-stdlib/tlsutil"
|
||||
"github.com/hashicorp/go-uuid"
|
||||
|
@ -1801,7 +1801,7 @@ func (s sealer) Open(ctx context.Context, ct []byte) ([]byte, error) {
|
|||
return nil, errors.New("no seal access available")
|
||||
}
|
||||
|
||||
var eblob wrapping.EncryptedBlobInfo
|
||||
var eblob wrapping.BlobInfo
|
||||
err := proto.Unmarshal(ct, &eblob)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -22,11 +22,13 @@ import (
|
|||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
|
||||
|
||||
"github.com/armon/go-metrics"
|
||||
"github.com/hashicorp/errwrap"
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/hashicorp/go-secure-stdlib/mlock"
|
||||
"github.com/hashicorp/go-secure-stdlib/reloadutil"
|
||||
|
@ -93,6 +95,8 @@ const (
|
|||
// forwardToActive to trigger forwarding if a perf standby encounters
|
||||
// an SSC Token that it does not have the WAL state for.
|
||||
ForwardSSCTokenToActive = "new_token"
|
||||
|
||||
WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -190,7 +194,7 @@ type unlockInformation struct {
|
|||
}
|
||||
|
||||
type raftInformation struct {
|
||||
challenge *wrapping.EncryptedBlobInfo
|
||||
challenge *wrapping.BlobInfo
|
||||
leaderClient *api.Client
|
||||
leaderBarrierConfig *SealConfig
|
||||
nonVoter bool
|
||||
|
@ -961,10 +965,11 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
|
|||
}
|
||||
|
||||
if c.seal == nil {
|
||||
wrapper := aeadwrapper.NewShamirWrapper()
|
||||
wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
|
||||
|
||||
c.seal = NewDefaultSeal(&vaultseal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("shamir"),
|
||||
}),
|
||||
Wrapper: wrapper,
|
||||
})
|
||||
}
|
||||
c.seal.SetCore(c)
|
||||
|
@ -1368,10 +1373,10 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
|
|||
func (c *Core) unsealWithRaft(combinedKey []byte) error {
|
||||
ctx := context.Background()
|
||||
|
||||
if c.seal.BarrierType() == wrapping.Shamir {
|
||||
if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
|
||||
// If this is a legacy shamir seal this serves no purpose but it
|
||||
// doesn't hurt.
|
||||
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
|
||||
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -1540,7 +1545,7 @@ func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
|
|||
return false, err
|
||||
}
|
||||
|
||||
if existBarrierSealConfig.Type != c.seal.BarrierType() {
|
||||
if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
|
||||
return false, nil
|
||||
}
|
||||
if c.seal.RecoveryKeySupported() && existRecoverySealConfig.Type != c.seal.RecoveryType() {
|
||||
|
@ -1622,7 +1627,7 @@ func (c *Core) migrateSeal(ctx context.Context) error {
|
|||
}
|
||||
|
||||
// We have recovery keys; we're going to use them as the new shamir KeK.
|
||||
err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveryKey)
|
||||
err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveryKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to set master key in seal: %w", err)
|
||||
}
|
||||
|
@ -2496,7 +2501,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
|
|||
// In older versions of vault the default seal would not store a type. This
|
||||
// is here to offer backwards compatibility for older seal configs.
|
||||
if barrierConf.Type == "" {
|
||||
barrierConf.Type = wrapping.Shamir
|
||||
barrierConf.Type = wrapping.WrapperTypeShamir.String()
|
||||
}
|
||||
|
||||
var recoveryConf *SealConfig
|
||||
|
@ -2516,7 +2521,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
|
|||
// In older versions of vault the default seal would not store a type. This
|
||||
// is here to offer backwards compatibility for older seal configs.
|
||||
if recoveryConf.Type == "" {
|
||||
recoveryConf.Type = wrapping.Shamir
|
||||
recoveryConf.Type = wrapping.WrapperTypeShamir.String()
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2551,31 +2556,30 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
|
|||
|
||||
// If we don't have an existing config or if it's the deprecated auto seal
|
||||
// which needs an upgrade, skip out
|
||||
if existBarrierSealConfig == nil || existBarrierSealConfig.Type == wrapping.HSMAutoDeprecated {
|
||||
if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
|
||||
return nil
|
||||
}
|
||||
|
||||
if unwrapSeal == nil {
|
||||
// With unwrapSeal==nil, either we're not migrating, or we're migrating
|
||||
// from shamir.
|
||||
|
||||
switch {
|
||||
case existBarrierSealConfig.Type == c.seal.BarrierType():
|
||||
case existBarrierSealConfig.Type == c.seal.BarrierType().String():
|
||||
// We have the same barrier type and the unwrap seal is nil so we're not
|
||||
// migrating from same to same, IOW we assume it's not a migration.
|
||||
return nil
|
||||
case c.seal.BarrierType() == wrapping.Shamir:
|
||||
case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
|
||||
// The stored barrier config is not shamir, there is no disabled seal
|
||||
// in config, and either no configured seal (which equates to Shamir)
|
||||
// or an explicitly configured Shamir seal.
|
||||
return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
|
||||
existBarrierSealConfig.Type)
|
||||
case existBarrierSealConfig.Type == wrapping.Shamir:
|
||||
case existBarrierSealConfig.Type == wrapping.WrapperTypeShamir.String():
|
||||
// The configured seal is not Shamir, the stored seal config is Shamir.
|
||||
// This is a migration away from Shamir.
|
||||
unwrapSeal = NewDefaultSeal(&vaultseal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("shamir"),
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
default:
|
||||
// We know at this point that there is a configured non-Shamir seal,
|
||||
|
@ -2587,7 +2591,8 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
|
|||
} else {
|
||||
// If we're not coming from Shamir we expect the previous seal to be
|
||||
// in the config and disabled.
|
||||
if unwrapSeal.BarrierType() == wrapping.Shamir {
|
||||
|
||||
if unwrapSeal.BarrierType() == wrapping.WrapperTypeShamir {
|
||||
return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
|
||||
}
|
||||
}
|
||||
|
@ -2597,7 +2602,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
|
|||
unwrapSeal.SetCore(c)
|
||||
|
||||
// No stored recovery seal config found, what about the legacy recovery config?
|
||||
if existBarrierSealConfig.Type != wrapping.Shamir && existRecoverySealConfig == nil {
|
||||
if existBarrierSealConfig.Type != wrapping.WrapperTypeShamir.String() && existRecoverySealConfig == nil {
|
||||
entry, err := c.physical.Get(ctx, recoverySealConfigPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err)
|
||||
|
@ -2611,7 +2616,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
|
|||
c.migrationInfo = &migrationInformation{
|
||||
seal: unwrapSeal,
|
||||
}
|
||||
if existBarrierSealConfig.Type != c.seal.BarrierType() {
|
||||
if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
|
||||
// It's unnecessary to call this when doing an auto->auto
|
||||
// same-seal-type migration, since they'll have the same configs before
|
||||
// and after migration.
|
||||
|
@ -2645,7 +2650,7 @@ func (c *Core) migrateSealConfig(ctx context.Context) error {
|
|||
// recovery config to a clone of shamir's barrier config with stored
|
||||
// keys set to 0.
|
||||
bc = &SealConfig{
|
||||
Type: c.seal.BarrierType(),
|
||||
Type: c.seal.BarrierType().String(),
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
StoredShares: 1,
|
||||
|
@ -2684,7 +2689,7 @@ func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existReco
|
|||
// recovery config to a clone of shamir's barrier config with stored
|
||||
// keys set to 0.
|
||||
newBarrierSealConfig := &SealConfig{
|
||||
Type: c.seal.BarrierType(),
|
||||
Type: c.seal.BarrierType().String(),
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
StoredShares: 1,
|
||||
|
@ -2739,9 +2744,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
|
|||
case vaultseal.StoredKeysSupportedShamirRoot:
|
||||
if useTestSeal {
|
||||
testseal := NewDefaultSeal(&vaultseal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("testseal"),
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
testseal.SetCore(c)
|
||||
cfg, err := seal.BarrierConfig(ctx)
|
||||
|
@ -2752,7 +2755,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
|
|||
seal = testseal
|
||||
}
|
||||
|
||||
err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
|
||||
err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to setup unseal key: %w", err)
|
||||
}
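Review bot: In `CreateCore` the new `wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))` discards both return values, so a configuration error on the default seal goes unnoticed; `if _, err := wrapper.SetConfig(context.Background(), ...); err != nil { return nil, err }` keeps the failure visible. `awskms.WithLogger` is also an option from a different wrapper package applied to an aead `ShamirWrapper`; presumably aead's option parsing ignores options it does not recognise, in which case the logger is silently never set and the new `awskms` import exists only for this no-op — worth confirming against the aead wrapper's options and dropping the call if there is no equivalent there. `CreateCore` continues outside the hunk.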
|
||||
|
|
|
@ -549,9 +549,13 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
seal, setErr := vaultseal.NewToggleableTestSeal(nil)
|
||||
autoSeal, err := vault.NewAutoSeal(seal)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
cluster := raftCluster(t, &RaftClusterOpts{
|
||||
NumCores: 1,
|
||||
Seal: vault.NewAutoSeal(seal),
|
||||
Seal: autoSeal,
|
||||
})
|
||||
defer cluster.Cleanup()
|
||||
|
||||
|
@ -582,7 +586,7 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
|
|||
|
||||
setErr(errors.New("seal failure"))
|
||||
// Take a snapshot
|
||||
err := leaderClient.Sys().RaftSnapshot(w)
|
||||
err = leaderClient.Sys().RaftSnapshot(w)
|
||||
w.Close()
|
||||
if err == nil || err != api.ErrIncompleteSnapshot {
|
||||
t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err)
|
||||
|
|
|
@ -132,7 +132,11 @@ func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Log
|
|||
|
||||
// Migrate the backend from shamir to transit.
|
||||
opts.SealFunc = func() vault.Seal {
|
||||
return tss.MakeSeal(t, sealKeyName)
|
||||
seal, err := tss.MakeSeal(t, sealKeyName)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return seal
|
||||
}
|
||||
|
||||
// Restart each follower with the new config, and migrate to Transit.
|
||||
|
@ -173,7 +177,11 @@ func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger,
|
|||
// Migrate the backend from transit to transit.
|
||||
opts.UnwrapSealFunc = opts.SealFunc
|
||||
opts.SealFunc = func() vault.Seal {
|
||||
return tss2.MakeSeal(t, "transit-seal-key-2")
|
||||
seal, err := tss2.MakeSeal(t, "transit-seal-key-2")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return seal
|
||||
}
|
||||
leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
|
||||
validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
|
||||
|
@ -279,7 +287,11 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage
|
|||
SkipInit: true,
|
||||
// N.B. Providing a transit seal puts us in migration mode.
|
||||
SealFunc: func() vault.Seal {
|
||||
return tss.MakeSeal(t, "transit-seal-key")
|
||||
seal, err := tss.MakeSeal(t, "transit-seal-key")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return seal
|
||||
},
|
||||
}
|
||||
storage.Setup(&conf, &opts)
|
||||
|
@ -697,7 +709,11 @@ func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.Re
|
|||
BaseListenAddress: fmt.Sprintf("127.0.0.1:%d", basePort),
|
||||
BaseClusterListenPort: baseClusterPort,
|
||||
SealFunc: func() vault.Seal {
|
||||
return tss.MakeSeal(t, sealKeyName)
|
||||
seal, err := tss.MakeSeal(t, sealKeyName)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return seal
|
||||
},
|
||||
}
|
||||
storage.Setup(&conf, &opts)
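Review bot: The `SealFunc` closures now call `t.Fatal(err)` when `tss.MakeSeal` fails, here and in the hunks at -132, -173 and -279. If the cluster code invokes `SealFunc` from a goroutine other than the test's own, `Fatal`/`FailNow` is not permitted there (it calls runtime.Goexit on the wrong goroutine and the test can hang or misreport); either confirm the closure runs on the test goroutine, or use `t.Errorf("making seal: %v", err); return nil` and let the caller handle a nil seal. Each enclosing function extends outside its hunk.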
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
|
||||
"github.com/armon/go-metrics"
|
||||
"github.com/hashicorp/errwrap"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/helper/namespace"
|
||||
|
@ -869,7 +869,7 @@ func (c *Core) reloadShamirKey(ctx context.Context) error {
|
|||
}
|
||||
shamirKey = keyring.rootKey
|
||||
}
|
||||
return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(shamirKey)
|
||||
return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(shamirKey)
|
||||
}
|
||||
|
||||
func (c *Core) performKeyUpgrades(ctx context.Context) error {
|
||||
|
|
|
@ -1774,7 +1774,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
|
|||
nextExpiration = k.ExpireAt
|
||||
}
|
||||
|
||||
// Mark the KeyID as in use so it doesn't get deleted in the next step
|
||||
// Mark the KeyId as in use so it doesn't get deleted in the next step
|
||||
usedKeys = append(usedKeys, k.KeyID)
|
||||
}
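Review bot: The comment now reads `// Mark the KeyId as in use so it doesn't get deleted in the next step` but the line directly under it still uses `k.KeyID`, so the comment no longer matches the code; this looks like collateral from the KeyID→KeyId renames elsewhere in the commit. Either restore `// Mark the KeyID as in use so it doesn't get deleted in the next step` or rename the field consistently. `expireOIDCPublicKeys` continues outside the hunk.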
|
||||
|
||||
|
|
|
@ -9,11 +9,11 @@ import (
|
|||
"net/url"
|
||||
"sync/atomic"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/physical/raft"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/vault/helper/namespace"
|
||||
"github.com/hashicorp/vault/helper/pgpkeys"
|
||||
"github.com/hashicorp/vault/shamir"
|
||||
|
@ -276,7 +276,8 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
|
|||
|
||||
var sealKey []byte
|
||||
var sealKeyShares [][]byte
|
||||
if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.Shamir {
|
||||
|
||||
if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.WrapperTypeShamir {
|
||||
sealKey, sealKeyShares, err = c.generateShares(barrierConfig)
|
||||
if err != nil {
|
||||
c.logger.Error("error generating shares", "error", err)
|
||||
|
@ -324,7 +325,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
|
|||
switch c.seal.StoredKeysSupported() {
|
||||
case seal.StoredKeysSupportedShamirRoot:
|
||||
keysToStore := [][]byte{barrierKey}
|
||||
if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(sealKey); err != nil {
|
||||
if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(sealKey); err != nil {
|
||||
c.logger.Error("failed to set seal key", "error", err)
|
||||
return nil, fmt.Errorf("failed to set seal key: %w", err)
|
||||
}
|
||||
|
@ -439,7 +440,7 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
|
|||
c.unsealWithStoredKeysLock.Lock()
|
||||
defer c.unsealWithStoredKeysLock.Unlock()
|
||||
|
||||
if c.seal.BarrierType() == wrapping.Shamir {
|
||||
if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"testing"
|
||||
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/sdk/helper/logging"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
"github.com/hashicorp/vault/sdk/physical/inmem"
|
||||
|
@ -89,7 +89,7 @@ func testCore_Init_Common(t *testing.T, c *Core, conf *CoreConfig, barrierConf,
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
if c.seal.BarrierType() == wrapping.Shamir && len(res.SecretShares) != barrierConf.SecretShares {
|
||||
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && len(res.SecretShares) != barrierConf.SecretShares {
|
||||
t.Fatalf("Bad: got\n%#v\nexpected conf matching\n%#v\n", *res, *barrierConf)
|
||||
}
|
||||
if recoveryConf != nil {
|
||||
|
|
|
@ -4181,7 +4181,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
|
|||
|
||||
if sealConfig == nil {
|
||||
return &SealStatusResponse{
|
||||
Type: core.SealAccess().BarrierType(),
|
||||
Type: core.SealAccess().BarrierType().String(),
|
||||
Initialized: initialized,
|
||||
Sealed: true,
|
||||
RecoverySeal: core.SealAccess().RecoveryKeySupported(),
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/golang/protobuf/proto"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/helper/namespace"
|
||||
|
@ -572,7 +572,7 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool) framework.Ope
|
|||
case err == nil:
|
||||
case strings.Contains(err.Error(), "failed to open the sealed hashes"):
|
||||
switch b.Core.seal.BarrierType() {
|
||||
case wrapping.Shamir:
|
||||
case wrapping.WrapperTypeShamir:
|
||||
return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different set of unseal keys; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
|
||||
default:
|
||||
return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different autoseal key; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
|
||||
|
|
|
@ -17,7 +17,7 @@ import (
|
|||
"github.com/hashicorp/go-discover"
|
||||
discoverk8s "github.com/hashicorp/go-discover/provider/k8s"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/go-secure-stdlib/tlsutil"
|
||||
"github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/api"
|
||||
|
@ -660,7 +660,7 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
|
|||
// The snapshot contained a root key or keyring we couldn't
|
||||
// recover
|
||||
switch c.seal.BarrierType() {
|
||||
case wrapping.Shamir:
|
||||
case wrapping.WrapperTypeShamir:
|
||||
// If we are a shamir seal we can't do anything. Just
|
||||
// seal all nodes.
|
||||
|
||||
|
@ -804,7 +804,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if sealConfig.Type != c.seal.BarrierType() {
|
||||
if sealConfig.Type != c.seal.BarrierType().String() {
|
||||
return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType())
|
||||
}
|
||||
|
||||
|
@ -817,7 +817,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
|
|||
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
|
||||
}
|
||||
|
||||
eBlob := &wrapping.EncryptedBlobInfo{}
|
||||
eBlob := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
|
||||
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
|
||||
}
|
||||
|
@ -913,7 +913,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
|
|||
// If we're using Shamir and using raft for both physical and HA, we
|
||||
// need to block until the node is unsealed, unless retry is set to
|
||||
// false.
|
||||
if c.seal.BarrierType() == wrapping.Shamir && !c.isRaftHAOnly() {
|
||||
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !c.isRaftHAOnly() {
|
||||
c.raftInfo.Store(raftInfo)
|
||||
if err := c.seal.SetBarrierConfig(ctx, raftInfo.leaderBarrierConfig); err != nil {
|
||||
return err
|
||||
|
@ -936,7 +936,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
|
|||
return fmt.Errorf("failed to send answer to raft leader node: %w", err)
|
||||
}
|
||||
|
||||
if c.seal.BarrierType() == wrapping.Shamir && !isRaftHAOnly {
|
||||
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !isRaftHAOnly {
|
||||
// Reset the state
|
||||
c.raftInfo.Store((*raftInformation)(nil))
|
||||
|
||||
|
|
|
@ -9,8 +9,8 @@ import (
|
|||
"fmt"
|
||||
"net/http"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/helper/pgpkeys"
|
||||
"github.com/hashicorp/vault/sdk/helper/consts"
|
||||
|
@ -169,7 +169,7 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr
|
|||
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key
|
||||
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
|
||||
switch c.seal.BarrierType() {
|
||||
case wrapping.Shamir:
|
||||
case wrapping.WrapperTypeShamir:
|
||||
// As of Vault 1.3 all seals use StoredShares==1. The one exception is
|
||||
// legacy shamir seals, which we can read but not write (by design).
|
||||
// So if someone does a rekey, regardless of their intention, we're going
|
||||
|
@ -396,15 +396,13 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
|
|||
c.logger.Error("rekey recovery key verification failed", "error", err)
|
||||
return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error())
|
||||
}
|
||||
case c.seal.BarrierType() == wrapping.Shamir:
|
||||
case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
|
||||
if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot {
|
||||
testseal := NewDefaultSeal(&seal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: c.logger.Named("testseal"),
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
testseal.SetCore(c)
|
||||
err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveredKey)
|
||||
err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveredKey)
|
||||
if err != nil {
|
||||
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup unseal key: %w", err).Error())
|
||||
}
|
||||
|
@ -532,7 +530,7 @@ func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logic
|
|||
}
|
||||
|
||||
if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric {
|
||||
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(newSealKey)
|
||||
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(newSealKey)
|
||||
if err != nil {
|
||||
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to update barrier seal key: %w", err).Error())
|
||||
}
|
||||
|
|
|
@ -154,7 +154,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str
|
|||
if recovery {
|
||||
expType = c.seal.RecoveryType()
|
||||
} else {
|
||||
expType = c.seal.BarrierType()
|
||||
expType = c.seal.BarrierType().String()
|
||||
}
|
||||
|
||||
newConf := &SealConfig{
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
"github.com/hashicorp/vault/sdk/physical"
|
||||
|
||||
"github.com/golang/protobuf/proto"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
"github.com/keybase/go-crypto/openpgp"
|
||||
"github.com/keybase/go-crypto/openpgp/packet"
|
||||
|
@ -59,7 +59,7 @@ type Seal interface {
|
|||
SealWrapable() bool
|
||||
SetStoredKeys(context.Context, [][]byte) error
|
||||
GetStoredKeys(context.Context) ([][]byte, error)
|
||||
BarrierType() string
|
||||
BarrierType() wrapping.WrapperType
|
||||
BarrierConfig(context.Context) (*SealConfig, error)
|
||||
SetBarrierConfig(context.Context, *SealConfig) error
|
||||
SetCachedBarrierConfig(*SealConfig)
|
||||
|
@ -119,8 +119,8 @@ func (d *defaultSeal) Finalize(ctx context.Context) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (d *defaultSeal) BarrierType() string {
|
||||
return wrapping.Shamir
|
||||
func (d *defaultSeal) BarrierType() wrapping.WrapperType {
|
||||
return wrapping.WrapperTypeShamir
|
||||
}
|
||||
|
||||
func (d *defaultSeal) StoredKeysSupported() seal.StoredKeysSupport {
|
||||
|
@ -193,8 +193,8 @@ func (d *defaultSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
|
|||
switch conf.Type {
|
||||
// This case should not be valid for other types as only this is the default
|
||||
case "":
|
||||
conf.Type = d.BarrierType()
|
||||
case d.BarrierType():
|
||||
conf.Type = d.BarrierType().String()
|
||||
case d.BarrierType().String():
|
||||
default:
|
||||
d.core.logger.Error("barrier seal type does not match expected type", "barrier_seal_type", conf.Type, "loaded_seal_type", d.BarrierType())
|
||||
return nil, fmt.Errorf("barrier seal type of %q does not match expected type of %q", conf.Type, d.BarrierType())
|
||||
|
@ -222,7 +222,7 @@ func (d *defaultSeal) SetBarrierConfig(ctx context.Context, config *SealConfig)
|
|||
return nil
|
||||
}
|
||||
|
||||
config.Type = d.BarrierType()
|
||||
config.Type = d.BarrierType().String()
|
||||
|
||||
// If we are doing a raft unseal we do not want to persist the barrier config
|
||||
// because storage isn't setup yet.
|
||||
|
@ -477,7 +477,7 @@ func readStoredKeys(ctx context.Context, storage physical.Backend, encryptor *se
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
blobInfo := &wrapping.EncryptedBlobInfo{}
|
||||
blobInfo := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
||||
return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
|
||||
}
|
||||
|
|
|
@ -5,11 +5,11 @@ import (
|
|||
"time"
|
||||
|
||||
metrics "github.com/armon/go-metrics"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
)
|
||||
|
||||
type Envelope struct {
|
||||
envelope *wrapping.Envelope
|
||||
envelope *wrapping.EnvelopeInfo
|
||||
once sync.Once
|
||||
}
|
||||
|
||||
|
@ -18,19 +18,19 @@ func NewEnvelope() *Envelope {
|
|||
}
|
||||
|
||||
func (e *Envelope) init() {
|
||||
e.envelope = new(wrapping.Envelope)
|
||||
e.envelope = new(wrapping.EnvelopeInfo)
|
||||
}
|
||||
|
||||
func (e *Envelope) Encrypt(plaintext, aad []byte) (*wrapping.EnvelopeInfo, error) {
|
||||
defer metrics.MeasureSince([]string{"seal", "envelope", "encrypt"}, time.Now())
|
||||
e.once.Do(e.init)
|
||||
|
||||
return e.envelope.Encrypt(plaintext, aad)
|
||||
return wrapping.EnvelopeEncrypt(plaintext, wrapping.WithAad(aad))
|
||||
}
|
||||
|
||||
func (e *Envelope) Decrypt(data *wrapping.EnvelopeInfo, aad []byte) ([]byte, error) {
|
||||
defer metrics.MeasureSince([]string{"seal", "envelope", "decrypt"}, time.Now())
|
||||
e.once.Do(e.init)
|
||||
|
||||
return e.envelope.Decrypt(data, aad)
|
||||
return wrapping.EnvelopeDecrypt(data, wrapping.WithAad(aad))
|
||||
}
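Review bot: After this change `Encrypt` and `Decrypt` call the package-level `wrapping.EnvelopeEncrypt`/`wrapping.EnvelopeDecrypt` and never read `e.envelope`, so the `envelope *wrapping.EnvelopeInfo` field, `init()` and the two `e.once.Do(e.init)` calls are dead state whose only effect is an allocation on first use. Either remove the field, the `sync.Once` and `init` so `Envelope` is plainly a metrics wrapper around the package functions, or add a comment on the struct explaining why the state is retained. The field and `once` are declared in the earlier hunk of this file, so the cleanup spans both hunks.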
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"time"
|
||||
|
||||
metrics "github.com/armon/go-metrics"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
)
|
||||
|
||||
type StoredKeysSupport int
|
||||
|
@ -35,54 +35,74 @@ func (s StoredKeysSupport) String() string {
|
|||
// specific to encrypting and decrypting data, or in this case keys.
|
||||
type Access struct {
|
||||
wrapping.Wrapper
|
||||
OverriddenType string
|
||||
WrapperType wrapping.WrapperType
|
||||
}
|
||||
|
||||
func (a *Access) SetType(t string) {
|
||||
a.OverriddenType = t
|
||||
}
|
||||
|
||||
func (a *Access) Type() string {
|
||||
if a.OverriddenType != "" {
|
||||
return a.OverriddenType
|
||||
func (a *Access) Init(ctx context.Context) error {
|
||||
if initWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
|
||||
return initWrapper.Init(ctx)
|
||||
}
|
||||
return a.Wrapper.Type()
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *Access) SetType(t wrapping.WrapperType) {
|
||||
a.WrapperType = t
|
||||
}
|
||||
|
||||
func (a *Access) Type(ctx context.Context) (wrapping.WrapperType, error) {
|
||||
if a != nil && a.WrapperType != "" {
|
||||
return a.WrapperType, nil
|
||||
}
|
||||
return a.Wrapper.Type(ctx)
|
||||
}
|
||||
|
||||
// Encrypt uses the underlying seal to encrypt the plaintext and returns it.
|
||||
func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.EncryptedBlobInfo, err error) {
|
||||
func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.BlobInfo, err error) {
|
||||
wTyp, err := a.Wrapper.Type(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer func(now time.Time) {
|
||||
metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
|
||||
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "encrypt", "time"}, now)
|
||||
metrics.MeasureSince([]string{"seal", wTyp.String(), "encrypt", "time"}, now)
|
||||
|
||||
if err != nil {
|
||||
metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt", "error"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt", "error"}, 1)
|
||||
}
|
||||
}(time.Now())
|
||||
|
||||
metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt"}, 1)
|
||||
|
||||
return a.Wrapper.Encrypt(ctx, plaintext, aad)
|
||||
return a.Wrapper.Encrypt(ctx, plaintext, wrapping.WithAad(aad))
|
||||
}
|
||||
|
||||
// Decrypt uses the underlying seal to decrypt the cryptotext and returns it.
|
||||
// Note that it is possible depending on the wrapper used that both pt and err
|
||||
// are populated.
|
||||
func (a *Access) Decrypt(ctx context.Context, data *wrapping.EncryptedBlobInfo, aad []byte) (pt []byte, err error) {
|
||||
func (a *Access) Decrypt(ctx context.Context, data *wrapping.BlobInfo, aad []byte) (pt []byte, err error) {
|
||||
wTyp, err := a.Wrapper.Type(ctx)
|
||||
defer func(now time.Time) {
|
||||
metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
|
||||
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "decrypt", "time"}, now)
|
||||
metrics.MeasureSince([]string{"seal", wTyp.String(), "decrypt", "time"}, now)
|
||||
|
||||
if err != nil {
|
||||
metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt", "error"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt", "error"}, 1)
|
||||
}
|
||||
}(time.Now())
|
||||
|
||||
metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt"}, 1)
|
||||
metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt"}, 1)
|
||||
|
||||
return a.Wrapper.Decrypt(ctx, data, aad)
|
||||
return a.Wrapper.Decrypt(ctx, data, wrapping.WithAad(aad))
|
||||
}
|
||||
|
||||
func (a *Access) Finalize(ctx context.Context) error {
|
||||
if finalizeWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
|
||||
return finalizeWrapper.Finalize(ctx)
|
||||
}
|
||||
return nil
|
||||
}
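Review bot: In `Decrypt` the error from `wTyp, err := a.Wrapper.Type(ctx)` is never checked — the deferred metrics closure follows immediately, so on failure `wTyp` is the empty string, the metric label degrades to `seal..decrypt`, and `err` is later overwritten by the `a.Wrapper.Decrypt` result, hiding the original failure. `Encrypt` in the same hunk returns early on that error; `Decrypt` should match it with `if err != nil { return nil, err }` directly after the `Type` call. `Type` also guards `a != nil` only for the cached field and then dereferences `a.Wrapper` on a nil receiver, so the guard either should cover the fallthrough (return an error for nil `a`) or be dropped. The new exported `Init`, `SetType`, `Type` and `Finalize` methods have no doc comments; one line each, e.g. `// Type returns the configured WrapperType override, falling back to the wrapper's own type.`, would make the precedence visible to callers.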
|
||||
|
|
|
@ -5,14 +5,14 @@ import (
|
|||
"sync"
|
||||
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
)
|
||||
|
||||
type TestSealOpts struct {
|
||||
Logger hclog.Logger
|
||||
StoredKeys StoredKeysSupport
|
||||
Secret []byte
|
||||
Name string
|
||||
Name wrapping.WrapperType
|
||||
}
|
||||
|
||||
func NewTestSeal(opts *TestSealOpts) *Access {
|
||||
|
@ -21,8 +21,8 @@ func NewTestSeal(opts *TestSealOpts) *Access {
|
|||
}
|
||||
|
||||
return &Access{
|
||||
Wrapper: wrapping.NewTestWrapper(opts.Secret),
|
||||
OverriddenType: opts.Name,
|
||||
Wrapper: wrapping.NewTestWrapper(opts.Secret),
|
||||
WrapperType: opts.Name,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -33,8 +33,8 @@ func NewToggleableTestSeal(opts *TestSealOpts) (*Access, func(error)) {
|
|||
|
||||
w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
|
||||
return &Access{
|
||||
Wrapper: w,
|
||||
OverriddenType: opts.Name,
|
||||
Wrapper: w,
|
||||
WrapperType: opts.Name,
|
||||
}, w.SetError
|
||||
}
|
||||
|
||||
|
@ -44,22 +44,22 @@ type ToggleableWrapper struct {
|
|||
l sync.RWMutex
|
||||
}
|
||||
|
||||
func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, bytes2 []byte) (*wrapping.EncryptedBlobInfo, error) {
|
||||
func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, opts ...wrapping.Option) (*wrapping.BlobInfo, error) {
|
||||
t.l.RLock()
|
||||
defer t.l.RUnlock()
|
||||
if t.error != nil {
|
||||
return nil, t.error
|
||||
}
|
||||
return t.Wrapper.Encrypt(ctx, bytes, bytes2)
|
||||
return t.Wrapper.Encrypt(ctx, bytes, opts...)
|
||||
}
|
||||
|
||||
func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.EncryptedBlobInfo, bytes []byte) ([]byte, error) {
|
||||
func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {
|
||||
t.l.RLock()
|
||||
defer t.l.RUnlock()
|
||||
if t.error != nil {
|
||||
return nil, t.error
|
||||
}
|
||||
return t.Wrapper.Decrypt(ctx, info, bytes)
|
||||
return t.Wrapper.Decrypt(ctx, info, opts...)
|
||||
}
|
||||
|
||||
func (t *ToggleableWrapper) SetError(err error) {
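Review bot: The rewritten `Decrypt` signature keeps the value receiver `(t ToggleableWrapper)` although the struct holds `l sync.RWMutex` (visible at the top of this hunk); every call copies the struct, so `t.l.RLock()` locks a private copy and provides no exclusion against `SetError`, which uses the pointer receiver and presumably takes the write lock. `go vet`'s copylocks check reports this, and a concurrent `SetError`/`Decrypt` in a `-race` test would be flagged. Since the line is being rewritten anyway, change it to `func (t *ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {` to match `Encrypt`.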
|
||||
|
|
|
@ -3,6 +3,8 @@ package vault
|
|||
import (
|
||||
"context"
|
||||
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
)
|
||||
|
||||
|
@ -21,7 +23,7 @@ func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport {
|
|||
return s.seal.StoredKeysSupported()
|
||||
}
|
||||
|
||||
func (s *SealAccess) BarrierType() string {
|
||||
func (s *SealAccess) BarrierType() wrapping.WrapperType {
|
||||
return s.seal.BarrierType()
|
||||
}
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
|
||||
proto "github.com/golang/protobuf/proto"
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/sdk/physical"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
)
|
||||
|
@ -21,7 +21,7 @@ import (
|
|||
// barrierTypeUpgradeCheck checks for backwards compat on barrier type, not
|
||||
// applicable in the OSS side
|
||||
var (
|
||||
barrierTypeUpgradeCheck = func(_ string, _ *SealConfig) {}
|
||||
barrierTypeUpgradeCheck = func(_ wrapping.WrapperType, _ *SealConfig) {}
|
||||
autoSealUnavailableDuration = []string{"seal", "unreachable", "time"}
|
||||
// vars for unit testings
|
||||
sealHealthTestIntervalNominal = 10 * time.Minute
|
||||
|
@ -47,13 +47,19 @@ type autoSeal struct {
|
|||
// Ensure we are implementing the Seal interface
|
||||
var _ Seal = (*autoSeal)(nil)
|
||||
|
||||
func NewAutoSeal(lowLevel *seal.Access) *autoSeal {
|
||||
func NewAutoSeal(lowLevel *seal.Access) (*autoSeal, error) {
|
||||
ret := &autoSeal{
|
||||
Access: lowLevel,
|
||||
}
|
||||
ret.barrierConfig.Store((*SealConfig)(nil))
|
||||
ret.recoveryConfig.Store((*SealConfig)(nil))
|
||||
return ret
|
||||
|
||||
var err error
|
||||
ret.WrapperType, err = ret.Type(context.Background())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
func (d *autoSeal) SealWrapable() bool {
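Review bot: `NewAutoSeal` prefetches the wrapper type with `context.Background()`, so if a v2 wrapper's `Type(ctx)` does remote work (not visible here) the caller has no way to bound or cancel it; consider taking a context, `func NewAutoSeal(ctx context.Context, lowLevel *seal.Access) (*autoSeal, error)`, or document on the function that the call is expected to be local. A nil `lowLevel` now panics inside `ret.Type` instead of at first use; with an error return available, `if lowLevel == nil { return nil, fmt.Errorf("nil seal access") }` at the top gives callers a real error. The function also lacks a doc comment; a line noting that the barrier type is cached at construction so `BarrierType()` cannot fail would explain the new error return.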
|
||||
|
@ -87,8 +93,8 @@ func (d *autoSeal) Finalize(ctx context.Context) error {
|
|||
return d.Access.Finalize(ctx)
|
||||
}
|
||||
|
||||
func (d *autoSeal) BarrierType() string {
|
||||
return d.Type()
|
||||
func (d *autoSeal) BarrierType() wrapping.WrapperType {
|
||||
return d.WrapperType
|
||||
}
|
||||
|
||||
func (d *autoSeal) StoredKeysSupported() seal.StoredKeysSupport {
|
||||
|
@ -120,12 +126,16 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
|
|||
return fmt.Errorf("no stored keys found")
|
||||
}
|
||||
|
||||
blobInfo := &wrapping.EncryptedBlobInfo{}
|
||||
blobInfo := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
||||
return fmt.Errorf("failed to proto decode stored keys: %w", err)
|
||||
}
|
||||
|
||||
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
|
||||
keyId, err := d.Access.KeyId(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
|
||||
d.logger.Info("upgrading stored keys")
|
||||
|
||||
pt, err := d.Decrypt(ctx, blobInfo, nil)
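Review bot: `d.Access.KeyId(ctx)` is now called before the `blobInfo.KeyInfo != nil` check, so a `KeyId` failure aborts `upgradeStoredKeys` even for a stored blob with no `KeyInfo`, a case the old short-circuit `&&` never consulted the key id for. If that is intentional it is worth a comment; otherwise move the call inside the `if blobInfo.KeyInfo != nil` guard. The same reordering appears in the `upgradeRecoveryKey` hunk below. The function body continues past this hunk.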
|
||||
|
@ -147,11 +157,11 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
|
|||
}
|
||||
|
||||
// UpgradeKeys re-encrypts and saves the stored keys and the recovery key
|
||||
// with the current key if the current KeyID is different from the KeyID
|
||||
// with the current key if the current KeyId is different from the KeyId
|
||||
// the stored keys and the recovery key are encrypted with. The provided
|
||||
// Context must be non-nil.
|
||||
func (d *autoSeal) UpgradeKeys(ctx context.Context) error {
|
||||
// Many of the seals update their keys to the latest KeyID when Encrypt
|
||||
// Many of the seals update their keys to the latest KeyId when Encrypt
|
||||
// is called.
|
||||
if _, err := d.Encrypt(ctx, []byte("a"), nil); err != nil {
|
||||
return err
|
||||
|
@ -206,7 +216,7 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
|
|||
|
||||
barrierTypeUpgradeCheck(d.BarrierType(), conf)
|
||||
|
||||
if conf.Type != d.BarrierType() {
|
||||
if conf.Type != d.BarrierType().String() {
|
||||
d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierType())
|
||||
return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierType())
|
||||
}
|
||||
|
@ -225,7 +235,7 @@ func (d *autoSeal) SetBarrierConfig(ctx context.Context, conf *SealConfig) error
|
|||
return nil
|
||||
}
|
||||
|
||||
conf.Type = d.BarrierType()
|
||||
conf.Type = d.BarrierType().String()
|
||||
|
||||
// Encode the seal configuration
|
||||
buf, err := json.Marshal(conf)
|
||||
|
@ -436,7 +446,7 @@ func (d *autoSeal) getRecoveryKeyInternal(ctx context.Context) ([]byte, error) {
|
|||
return nil, fmt.Errorf("no recovery key found")
|
||||
}
|
||||
|
||||
blobInfo := &wrapping.EncryptedBlobInfo{}
|
||||
blobInfo := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
||||
return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
|
||||
}
|
||||
|
@ -458,12 +468,17 @@ func (d *autoSeal) upgradeRecoveryKey(ctx context.Context) error {
|
|||
return fmt.Errorf("no recovery key found")
|
||||
}
|
||||
|
||||
blobInfo := &wrapping.EncryptedBlobInfo{}
|
||||
blobInfo := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
|
||||
return fmt.Errorf("failed to proto decode recovery key: %w", err)
|
||||
}
|
||||
|
||||
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
|
||||
keyId, err := d.Access.KeyId(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
|
||||
d.logger.Info("upgrading recovery key")
|
||||
|
||||
pt, err := d.Decrypt(ctx, blobInfo, nil)
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
"github.com/hashicorp/vault/helper/metricsutil"
|
||||
|
||||
proto "github.com/golang/protobuf/proto"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/sdk/physical"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
)
|
||||
|
@ -71,13 +71,17 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
|
|||
var encKeys []string
|
||||
changeKey := func(key string) {
|
||||
encKeys = append(encKeys, key)
|
||||
testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyID(key)
|
||||
testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyId(key)
|
||||
}
|
||||
|
||||
// Set initial encryption key.
|
||||
changeKey("kaz")
|
||||
|
||||
autoSeal := NewAutoSeal(testSeal)
|
||||
autoSeal, err := NewAutoSeal(testSeal)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
autoSeal.SetCore(core)
|
||||
pBackend := newTestBackend(t)
|
||||
core.physical = pBackend
|
||||
|
@ -130,14 +134,14 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
|
|||
// in encKeys. Iterate over each phyEntry and verify it was
|
||||
// encrypted with its corresponding key in encKeys.
|
||||
for i, phyEntry := range phyEntries {
|
||||
blobInfo := &wrapping.EncryptedBlobInfo{}
|
||||
blobInfo := &wrapping.BlobInfo{}
|
||||
if err := proto.Unmarshal(phyEntry.Value, blobInfo); err != nil {
|
||||
t.Errorf("phyKey = %s: failed to proto decode stored keys: %s", phyKey, err)
|
||||
}
|
||||
if blobInfo.KeyInfo == nil {
|
||||
t.Errorf("phyKey = %s: KeyInfo missing: %+v", phyKey, blobInfo)
|
||||
}
|
||||
if want, got := encKeys[i], blobInfo.KeyInfo.KeyID; want != got {
|
||||
if want, got := encKeys[i], blobInfo.KeyInfo.KeyId; want != got {
|
||||
t.Errorf("phyKey = %s: Incorrect encryption key: want %s, got %s", phyKey, want, got)
|
||||
}
|
||||
}
|
||||
|
@ -185,7 +189,11 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
|
|||
})
|
||||
sealHealthTestIntervalNominal = 10 * time.Millisecond
|
||||
sealHealthTestIntervalUnhealthy = 10 * time.Millisecond
|
||||
autoSeal := NewAutoSeal(testSealAccess)
|
||||
autoSeal, err := NewAutoSeal(testSealAccess)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
autoSeal.SetCore(core)
|
||||
core.seal = autoSeal
|
||||
autoSeal.StartHealthCheck()
|
||||
|
|
|
@ -2,8 +2,7 @@ package vault
|
|||
|
||||
import (
|
||||
"github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
|
||||
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
|
||||
"github.com/hashicorp/vault/sdk/helper/logging"
|
||||
"github.com/hashicorp/vault/vault/seal"
|
||||
testing "github.com/mitchellh/go-testing-interface"
|
||||
|
@ -21,9 +20,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
|
|||
switch opts.StoredKeys {
|
||||
case seal.StoredKeysSupportedShamirRoot:
|
||||
newSeal := NewDefaultSeal(&seal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: opts.Logger,
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
// Need StoredShares set or this will look like a legacy shamir seal.
|
||||
newSeal.SetCachedBarrierConfig(&SealConfig{
|
||||
|
@ -34,9 +31,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
|
|||
return newSeal
|
||||
case seal.StoredKeysNotSupported:
|
||||
newSeal := NewDefaultSeal(&seal.Access{
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
|
||||
Logger: opts.Logger,
|
||||
}),
|
||||
Wrapper: aeadwrapper.NewShamirWrapper(),
|
||||
})
|
||||
newSeal.SetCachedBarrierConfig(&SealConfig{
|
||||
StoredShares: 0,
|
||||
|
@ -45,6 +40,10 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
|
|||
})
|
||||
return newSeal
|
||||
default:
|
||||
return NewAutoSeal(seal.NewTestSeal(opts))
|
||||
seal, err := NewAutoSeal(seal.NewTestSeal(opts))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return seal
|
||||
}
|
||||
}
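Review bot: The new `default:` branch declares a local named `seal`, which shadows the imported `seal` package for the rest of the branch (the `seal.NewTestSeal(opts)` on the same line still resolves to the package because the right-hand side is evaluated before the binding, but any later `seal.` reference there would hit the variable). Rename it, e.g. `autoSeal, err := NewAutoSeal(seal.NewTestSeal(opts))` and `return autoSeal`, so the package name stays usable and linters stop flagging the shadow.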
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
|
||||
proto "github.com/golang/protobuf/proto"
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/sdk/helper/locksutil"
|
||||
"github.com/hashicorp/vault/sdk/physical"
|
||||
)
|
||||
|
@ -72,7 +72,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
|
|||
}
|
||||
|
||||
var performUnwrap bool
|
||||
se := &wrapping.EncryptedBlobInfo{}
|
||||
se := &wrapping.BlobInfo{}
|
||||
// If the value ends in our canary value, try to decode the bytes.
|
||||
eLen := len(entry.Value)
|
||||
if eLen > 0 && entry.Value[eLen-1] == 's' {
|
||||
|
@ -109,7 +109,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
|
|||
}
|
||||
|
||||
performUnwrap = false
|
||||
se = &wrapping.EncryptedBlobInfo{}
|
||||
se = &wrapping.BlobInfo{}
|
||||
// If the value ends in our canary value, try to decode the bytes.
|
||||
eLen = len(entry.Value)
|
||||
if eLen > 0 && entry.Value[eLen-1] == 's' {
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
|
||||
proto "github.com/golang/protobuf/proto"
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping"
|
||||
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
|
||||
"github.com/hashicorp/vault/sdk/physical"
|
||||
"github.com/hashicorp/vault/sdk/physical/inmem"
|
||||
)
|
||||
|
@ -57,7 +57,7 @@ func performTestSealUnwrapper(t *testing.T, phys physical.Backend, logger log.Lo
|
|||
// Save the original for comparison later
|
||||
origBytes := make([]byte, len(entry.Value))
|
||||
copy(origBytes, entry.Value)
|
||||
se := &wrapping.EncryptedBlobInfo{
|
||||
se := &wrapping.BlobInfo{
|
||||
Ciphertext: entry.Value,
|
||||
}
|
||||
seb, err := proto.Marshal(se)
|
||||
|
|