open-vault/builtin/logical/transit/path_policy.go
2015-04-27 12:47:09 -07:00

152 lines
3.1 KiB
Go

package transit
import (
"crypto/rand"
"encoding/json"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
// Policy is the struct used to store metadata
type Policy struct {
Name string `json:"name"`
Key []byte `json:"key"`
CipherMode string `json:"cipher"`
}
func (p *Policy) Serialize() ([]byte, error) {
return json.Marshal(p)
}
func DeserializePolicy(buf []byte) (*Policy, error) {
p := new(Policy)
if err := json.Unmarshal(buf, p); err != nil {
return nil, err
}
return p, nil
}
func getPolicy(req *logical.Request, name string) (*Policy, error) {
// Check if the policy already exists
raw, err := req.Storage.Get("policy/" + name)
if err != nil {
return nil, err
}
if raw == nil {
return nil, nil
}
// Decode the policy
p, err := DeserializePolicy(raw.Value)
if err != nil {
return nil, err
}
return p, nil
}
func pathPolicy() *framework.Path {
return &framework.Path{
Pattern: `policy/(?P<name>\w+)`,
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the policy",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: pathPolicyWrite,
logical.DeleteOperation: pathPolicyDelete,
logical.ReadOperation: pathPolicyRead,
},
HelpSynopsis: pathPolicyHelpSyn,
HelpDescription: pathPolicyHelpDesc,
}
}
func pathPolicyWrite(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
// Check if the policy already exists
existing, err := getPolicy(req, name)
if err != nil {
return nil, err
}
if existing != nil {
return nil, nil
}
// Create the policy object
p := &Policy{
Name: name,
CipherMode: "aes-gcm",
}
// Generate a 256bit key
p.Key = make([]byte, 32)
_, err = rand.Read(p.Key)
if err != nil {
return nil, err
}
// Encode the policy
buf, err := p.Serialize()
if err != nil {
return nil, err
}
// Write the policy into storage
err = req.Storage.Put(&logical.StorageEntry{
Key: "policy/" + name,
Value: buf,
})
if err != nil {
return nil, err
}
return nil, nil
}
func pathPolicyRead(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
p, err := getPolicy(req, name)
if err != nil {
return nil, err
}
if p == nil {
return nil, nil
}
// Return the response
resp := &logical.Response{
Data: map[string]interface{}{
"name": p.Name,
"key": p.Key,
"cipher_mode": p.CipherMode,
},
}
return resp, nil
}
func pathPolicyDelete(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
err := req.Storage.Delete("policy/" + name)
if err != nil {
return nil, err
}
return nil, nil
}
const pathPolicyHelpSyn = `Managed named encrption keys`
const pathPolicyHelpDesc = `
This path is used to manage the named keys that are available.
Doing a write with no value against a new named key will create
it using a randomly generated key.
`