open-vault/builtin/logical/pki/path_acme_eab.go
hc-github-team-secure-vault-core 649715eeb4
backport of commit e3b3c7a8de6f7c3c240ecf798470bbb24c2aaf60 (#21468)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-06-27 13:14:38 +00:00

295 lines
8.5 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package pki
import (
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"net/http"
"path"
"strings"
"time"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
var decodedTokenPrefix = mustBase64Decode("vault-eab-0-")
func mustBase64Decode(s string) []byte {
bytes, err := base64.RawURLEncoding.DecodeString(s)
if err != nil {
panic(fmt.Sprintf("Token prefix value: %s failed decoding: %v", s, err))
}
// Should be dividable by 3 otherwise our prefix will not be properly honored.
if len(bytes)%3 != 0 {
panic(fmt.Sprintf("Token prefix value: %s is not dividable by 3, will not prefix properly", s))
}
return bytes
}
/*
* This file unlike the other path_acme_xxx.go are VAULT APIs to manage the
* ACME External Account Bindings, this isn't providing any APIs that an ACME
* client would use.
*/
func pathAcmeEabList(b *backend) *framework.Path {
return &framework.Path{
Pattern: "eab/?$",
Fields: map[string]*framework.FieldSchema{},
Operations: map[logical.Operation]framework.OperationHandler{
logical.ListOperation: &framework.PathOperation{
Callback: b.pathAcmeListEab,
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: operationPrefixPKI,
OperationVerb: "list-eab-keys",
Description: "List all eab key identifiers yet to be used.",
},
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"keys": {
Type: framework.TypeStringSlice,
Description: `A list of unused eab keys`,
Required: true,
},
"key_info": {
Type: framework.TypeMap,
Description: `EAB details keyed by the eab key id`,
Required: false,
},
},
}},
},
},
},
HelpSynopsis: "list external account bindings to be used for ACME",
HelpDescription: `list identifiers that have been generated but yet to be used.`,
}
}
func pathAcmeNewEab(b *backend) []*framework.Path {
return buildAcmeFrameworkPaths(b, patternAcmeNewEab, "/new-eab")
}
func patternAcmeNewEab(b *backend, pattern string) *framework.Path {
fields := map[string]*framework.FieldSchema{}
addFieldsForACMEPath(fields, pattern)
opSuffix := getAcmeOperationSuffix(pattern)
return &framework.Path{
Pattern: pattern,
Fields: fields,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathAcmeCreateEab,
ForwardPerformanceSecondary: false,
ForwardPerformanceStandby: true,
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: operationPrefixPKI,
OperationVerb: "generate-eab-key",
OperationSuffix: opSuffix,
Description: "Generate an ACME EAB token for a directory",
},
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"id": {
Type: framework.TypeString,
Description: `The EAB key identifier`,
Required: true,
},
"key_type": {
Type: framework.TypeString,
Description: `The EAB key type`,
Required: true,
},
"key": {
Type: framework.TypeString,
Description: `The EAB hmac key`,
Required: true,
},
"acme_directory": {
Type: framework.TypeString,
Description: `The ACME directory to which the key belongs`,
Required: true,
},
"created_on": {
Type: framework.TypeTime,
Description: `An RFC3339 formatted date time when the EAB token was created`,
Required: true,
},
},
}},
},
},
},
HelpSynopsis: "Generate external account bindings to be used for ACME",
HelpDescription: `Generate single use id/key pairs to be used for ACME EAB.`,
}
}
func pathAcmeEabDelete(b *backend) *framework.Path {
return &framework.Path{
Pattern: "eab/" + uuidNameRegex("key_id"),
Fields: map[string]*framework.FieldSchema{
"key_id": {
Type: framework.TypeString,
Description: "EAB key identifier",
Required: true,
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.DeleteOperation: &framework.PathOperation{
Callback: b.pathAcmeDeleteEab,
ForwardPerformanceSecondary: false,
ForwardPerformanceStandby: true,
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: operationPrefixPKI,
OperationVerb: "delete-eab-key",
Description: "Delete an unused EAB token",
},
},
},
HelpSynopsis: "Delete an external account binding id prior to its use within an ACME account",
HelpDescription: `Allows an operator to delete an external account binding,
before its bound to a new ACME account. If the identifier provided does not exist or
was already consumed by an ACME account a successful response is returned along with
a warning that it did not exist.`,
}
}
type eabType struct {
KeyID string `json:"-"`
KeyType string `json:"key-type"`
PrivateBytes []byte `json:"private-bytes"`
AcmeDirectory string `json:"acme-directory"`
CreatedOn time.Time `json:"created-on"`
}
func (b *backend) pathAcmeListEab(ctx context.Context, r *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
sc := b.makeStorageContext(ctx, r.Storage)
eabIds, err := b.acmeState.ListEabIds(sc)
if err != nil {
return nil, err
}
var warnings []string
var keyIds []string
keyInfos := map[string]interface{}{}
for _, eabKey := range eabIds {
eab, err := b.acmeState.LoadEab(sc, eabKey)
if err != nil {
warnings = append(warnings, fmt.Sprintf("failed loading eab entry %s: %v", eabKey, err))
continue
}
keyIds = append(keyIds, eab.KeyID)
keyInfos[eab.KeyID] = map[string]interface{}{
"key_type": eab.KeyType,
"acme_directory": path.Join(eab.AcmeDirectory, "directory"),
"created_on": eab.CreatedOn.Format(time.RFC3339),
}
}
resp := logical.ListResponseWithInfo(keyIds, keyInfos)
for _, warning := range warnings {
resp.AddWarning(warning)
}
return resp, nil
}
func (b *backend) pathAcmeCreateEab(ctx context.Context, r *logical.Request, data *framework.FieldData) (*logical.Response, error) {
kid := genUuid()
size := 32
bytes, err := uuid.GenerateRandomBytesWithReader(size, rand.Reader)
if err != nil {
return nil, fmt.Errorf("failed generating eab key: %w", err)
}
acmeDirectory, err := getAcmeDirectory(r)
if err != nil {
return nil, err
}
eab := &eabType{
KeyID: kid,
KeyType: "hs",
PrivateBytes: append(decodedTokenPrefix, bytes...), // we do this to avoid generating tokens that start with -
AcmeDirectory: acmeDirectory,
CreatedOn: time.Now(),
}
sc := b.makeStorageContext(ctx, r.Storage)
err = b.acmeState.SaveEab(sc, eab)
if err != nil {
return nil, fmt.Errorf("failed saving generated eab: %w", err)
}
encodedKey := base64.RawURLEncoding.EncodeToString(eab.PrivateBytes)
return &logical.Response{
Data: map[string]interface{}{
"id": eab.KeyID,
"key_type": eab.KeyType,
"key": encodedKey,
"acme_directory": path.Join(eab.AcmeDirectory, "directory"),
"created_on": eab.CreatedOn.Format(time.RFC3339),
},
}, nil
}
func (b *backend) pathAcmeDeleteEab(ctx context.Context, r *logical.Request, d *framework.FieldData) (*logical.Response, error) {
sc := b.makeStorageContext(ctx, r.Storage)
keyId := d.Get("key_id").(string)
_, err := uuid.ParseUUID(keyId)
if err != nil {
return nil, fmt.Errorf("badly formatted key_id field")
}
deleted, err := b.acmeState.DeleteEab(sc, keyId)
if err != nil {
return nil, fmt.Errorf("failed deleting key id: %w", err)
}
resp := &logical.Response{}
if !deleted {
resp.AddWarning("No key id found with id: " + keyId)
}
return resp, nil
}
// getAcmeOperationSuffix used mainly to compute the OpenAPI spec suffix value to distinguish
// different versions of ACME Vault APIs based on directory paths
func getAcmeOperationSuffix(pattern string) string {
hasRole := strings.Contains(pattern, framework.GenericNameRegex("role"))
hasIssuer := strings.Contains(pattern, framework.GenericNameRegex(issuerRefParam))
switch {
case hasRole && hasIssuer:
return "for-issuer-and-role"
case hasRole:
return "for-role"
case hasIssuer:
return "for-issuer"
default:
return ""
}
}