a08ccbffa7
* Port awskms autoseal * Rename files * WIP autoseal * Fix protobuf conflict * Expose some structs to properly allow encrypting stored keys * Update awskms with the latest changes * Add KeyGuard implementation to abstract encryption/decryption of keys * Fully decouple seal.Access implementations from sealwrap structs * Add extra line to proto files, comment update * Update seal_access_entry.go * govendor sync * Add endpoint info to configureAWSKMSSeal * Update comment * Refactor structs * Update make proto * Remove remove KeyGuard, move encrypt/decrypt to autoSeal * Add rest of seals, update VerifyRecoveryKeys, add deps * Fix some merge conflicts via govendor updates * Rename SealWrapEntry to EncryptedBlobInfo * Remove barrier type upgrade check in oss * Add key to EncryptedBlobInfo proto * Update barrierTypeUpgradeCheck signature
236 lines
6.4 KiB
Go
236 lines
6.4 KiB
Go
package alicloudkms
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"sync/atomic"
|
|
|
|
"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
|
|
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/providers"
|
|
"github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
|
|
"github.com/hashicorp/errwrap"
|
|
log "github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/vault/physical"
|
|
"github.com/hashicorp/vault/vault/seal"
|
|
)
|
|
|
|
const (
|
|
EnvAliCloudKMSSealKeyID = "VAULT_ALICLOUDKMS_SEAL_KEY_ID"
|
|
)
|
|
|
|
type AliCloudKMSSeal struct {
|
|
logger log.Logger
|
|
client kmsClient
|
|
domain string
|
|
keyID string
|
|
currentKeyID *atomic.Value
|
|
}
|
|
|
|
// Ensure that we are implementing AutoSealAccess
|
|
var _ seal.Access = (*AliCloudKMSSeal)(nil)
|
|
|
|
func NewSeal(logger log.Logger) *AliCloudKMSSeal {
|
|
k := &AliCloudKMSSeal{
|
|
logger: logger,
|
|
currentKeyID: new(atomic.Value),
|
|
}
|
|
k.currentKeyID.Store("")
|
|
return k
|
|
}
|
|
|
|
// SetConfig sets the fields on the AliCloudKMSSeal object based on
|
|
// values from the config parameter.
|
|
//
|
|
// Order of precedence AliCloud values:
|
|
// * Environment variable
|
|
// * Value from Vault configuration file
|
|
// * Instance metadata role (access key and secret key)
|
|
func (k *AliCloudKMSSeal) SetConfig(config map[string]string) (map[string]string, error) {
|
|
if config == nil {
|
|
config = map[string]string{}
|
|
}
|
|
|
|
// Check and set KeyID
|
|
switch {
|
|
case os.Getenv(EnvAliCloudKMSSealKeyID) != "":
|
|
k.keyID = os.Getenv(EnvAliCloudKMSSealKeyID)
|
|
case config["kms_key_id"] != "":
|
|
k.keyID = config["kms_key_id"]
|
|
default:
|
|
return nil, fmt.Errorf("'kms_key_id' not found for AliCloud KMS sealconfiguration")
|
|
}
|
|
|
|
region := ""
|
|
if k.client == nil {
|
|
|
|
// Check and set region.
|
|
region = os.Getenv("ALICLOUD_REGION")
|
|
if region == "" {
|
|
ok := false
|
|
if region, ok = config["region"]; !ok {
|
|
region = "us-east-1"
|
|
}
|
|
}
|
|
|
|
// A domain isn't required, but it can be used to override the endpoint
|
|
// returned by the region. An example value for a domain would be:
|
|
// "kms.us-east-1.aliyuncs.com".
|
|
k.domain = os.Getenv("ALICLOUD_DOMAIN")
|
|
if k.domain == "" {
|
|
k.domain = config["domain"]
|
|
}
|
|
|
|
// Build the optional, configuration-based piece of the credential chain.
|
|
credConfig := &providers.Configuration{}
|
|
|
|
if accessKey, ok := config["access_key"]; ok {
|
|
credConfig.AccessKeyID = accessKey
|
|
}
|
|
|
|
if accessSecret, ok := config["access_secret"]; ok {
|
|
credConfig.AccessKeySecret = accessSecret
|
|
}
|
|
|
|
credentialChain := []providers.Provider{
|
|
providers.NewEnvCredentialProvider(),
|
|
providers.NewConfigurationCredentialProvider(credConfig),
|
|
providers.NewInstanceMetadataProvider(),
|
|
}
|
|
credProvider := providers.NewChainProvider(credentialChain)
|
|
|
|
creds, err := credProvider.Retrieve()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
clientConfig := sdk.NewConfig()
|
|
clientConfig.Scheme = "https"
|
|
client, err := kms.NewClientWithOptions(region, clientConfig, creds)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
k.client = client
|
|
}
|
|
|
|
// Test the client connection using provided key ID
|
|
input := kms.CreateDescribeKeyRequest()
|
|
input.KeyId = k.keyID
|
|
input.Domain = k.domain
|
|
|
|
keyInfo, err := k.client.DescribeKey(input)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error fetching AliCloud KMS sealkey information: {{err}}", err)
|
|
}
|
|
if keyInfo == nil || keyInfo.KeyMetadata.KeyId == "" {
|
|
return nil, errors.New("no key information returned")
|
|
}
|
|
k.currentKeyID.Store(keyInfo.KeyMetadata.KeyId)
|
|
|
|
// Map that holds non-sensitive configuration info
|
|
sealInfo := make(map[string]string)
|
|
sealInfo["region"] = region
|
|
sealInfo["kms_key_id"] = k.keyID
|
|
if k.domain != "" {
|
|
sealInfo["domain"] = k.domain
|
|
}
|
|
|
|
return sealInfo, nil
|
|
}
|
|
|
|
// Init is called during core.Initialize. No-op at the moment.
|
|
func (k *AliCloudKMSSeal) Init(_ context.Context) error {
|
|
return nil
|
|
}
|
|
|
|
// Finalize is called during shutdown. This is a no-op since
|
|
// AliCloudKMSSeal doesn't require any cleanup.
|
|
func (k *AliCloudKMSSeal) Finalize(_ context.Context) error {
|
|
return nil
|
|
}
|
|
|
|
// SealType returns the seal type for this particular seal implementation.
|
|
func (k *AliCloudKMSSeal) SealType() string {
|
|
return seal.AliCloudKMS
|
|
}
|
|
|
|
// KeyID returns the last known key id.
|
|
func (k *AliCloudKMSSeal) KeyID() string {
|
|
return k.currentKeyID.Load().(string)
|
|
}
|
|
|
|
// Encrypt is used to encrypt the master key using the the AliCloud CMK.
|
|
// This returns the ciphertext, and/or any errors from this
|
|
// call. This should be called after the KMS client has been instantiated.
|
|
func (k *AliCloudKMSSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error) {
|
|
if plaintext == nil {
|
|
return nil, fmt.Errorf("given plaintext for encryption is nil")
|
|
}
|
|
|
|
env, err := seal.NewEnvelope().Encrypt(plaintext)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error wrapping data: {{err}}", err)
|
|
}
|
|
|
|
input := kms.CreateEncryptRequest()
|
|
input.KeyId = k.keyID
|
|
input.Plaintext = string(env.Key)
|
|
input.Domain = k.domain
|
|
|
|
output, err := k.client.Encrypt(input)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error encrypting data: {{err}}", err)
|
|
}
|
|
|
|
// Store the current key id.
|
|
keyID := output.KeyId
|
|
k.currentKeyID.Store(keyID)
|
|
|
|
ret := &physical.EncryptedBlobInfo{
|
|
Ciphertext: env.Ciphertext,
|
|
IV: env.IV,
|
|
KeyInfo: &physical.SealKeyInfo{
|
|
KeyID: keyID,
|
|
WrappedKey: []byte(output.CiphertextBlob),
|
|
},
|
|
}
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
// Decrypt is used to decrypt the ciphertext. This should be called after Init.
|
|
func (k *AliCloudKMSSeal) Decrypt(_ context.Context, in *physical.EncryptedBlobInfo) ([]byte, error) {
|
|
if in == nil {
|
|
return nil, fmt.Errorf("given input for decryption is nil")
|
|
}
|
|
|
|
// KeyID is not passed to this call because AWS handles this
|
|
// internally based on the metadata stored with the encrypted data
|
|
input := kms.CreateDecryptRequest()
|
|
input.CiphertextBlob = string(in.KeyInfo.WrappedKey)
|
|
input.Domain = k.domain
|
|
|
|
output, err := k.client.Decrypt(input)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error decrypting data encryption key: {{err}}", err)
|
|
}
|
|
|
|
envInfo := &seal.EnvelopeInfo{
|
|
Key: []byte(output.Plaintext),
|
|
IV: in.IV,
|
|
Ciphertext: in.Ciphertext,
|
|
}
|
|
plaintext, err := seal.NewEnvelope().Decrypt(envInfo)
|
|
if err != nil {
|
|
return nil, errwrap.Wrapf("error decrypting data: {{err}}", err)
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|
|
|
|
type kmsClient interface {
|
|
Decrypt(request *kms.DecryptRequest) (response *kms.DecryptResponse, err error)
|
|
DescribeKey(request *kms.DescribeKeyRequest) (response *kms.DescribeKeyResponse, err error)
|
|
Encrypt(request *kms.EncryptRequest) (response *kms.EncryptResponse, err error)
|
|
}
|