7f2717b74a
* transit: change batch input format * transit: no json-in-json for batch response * docs: transit: update batch input format * transit: fix tests after changing response format
166 lines
4.4 KiB
Go
166 lines
4.4 KiB
Go
package transit
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/vault/helper/errutil"
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
"github.com/mitchellh/mapstructure"
|
|
)
|
|
|
|
func (b *backend) pathDecrypt() *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "decrypt/" + framework.GenericNameRegex("name"),
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"name": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Name of the policy",
|
|
},
|
|
|
|
"ciphertext": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: `
|
|
The ciphertext to decrypt, provided as returned by encrypt.`,
|
|
},
|
|
|
|
"context": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: `
|
|
Base64 encoded context for key derivation. Required if key derivation is
|
|
enabled.`,
|
|
},
|
|
|
|
"nonce": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: `
|
|
Base64 encoded nonce value used during encryption. Must be provided if
|
|
convergent encryption is enabled for this key and the key was generated with
|
|
Vault 0.6.1. Not required for keys created in 0.6.2+.`,
|
|
},
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.UpdateOperation: b.pathDecryptWrite,
|
|
},
|
|
|
|
HelpSynopsis: pathDecryptHelpSyn,
|
|
HelpDescription: pathDecryptHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathDecryptWrite(
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
batchInputRaw := d.Raw["batch_input"]
|
|
var batchInputItems []BatchRequestItem
|
|
var err error
|
|
if batchInputRaw != nil {
|
|
err = mapstructure.Decode(batchInputRaw, &batchInputItems)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to parse batch input: %v", err)
|
|
}
|
|
|
|
if len(batchInputItems) == 0 {
|
|
return logical.ErrorResponse("missing batch input to process"), logical.ErrInvalidRequest
|
|
}
|
|
} else {
|
|
ciphertext := d.Get("ciphertext").(string)
|
|
if len(ciphertext) == 0 {
|
|
return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest
|
|
}
|
|
|
|
batchInputItems = make([]BatchRequestItem, 1)
|
|
batchInputItems[0] = BatchRequestItem{
|
|
Ciphertext: ciphertext,
|
|
Context: d.Get("context").(string),
|
|
Nonce: d.Get("nonce").(string),
|
|
}
|
|
}
|
|
|
|
batchResponseItems := make([]BatchResponseItem, len(batchInputItems))
|
|
contextSet := len(batchInputItems[0].Context) != 0
|
|
|
|
for i, item := range batchInputItems {
|
|
if (len(item.Context) == 0 && contextSet) || (len(item.Context) != 0 && !contextSet) {
|
|
return logical.ErrorResponse("context should be set either in all the request blocks or in none"), logical.ErrInvalidRequest
|
|
}
|
|
|
|
if item.Ciphertext == "" {
|
|
batchResponseItems[i].Error = "missing ciphertext to decrypt"
|
|
continue
|
|
}
|
|
|
|
// Decode the context
|
|
if len(item.Context) != 0 {
|
|
batchInputItems[i].DecodedContext, err = base64.StdEncoding.DecodeString(item.Context)
|
|
if err != nil {
|
|
batchResponseItems[i].Error = err.Error()
|
|
continue
|
|
}
|
|
}
|
|
|
|
// Decode the nonce
|
|
if len(item.Nonce) != 0 {
|
|
batchInputItems[i].DecodedNonce, err = base64.StdEncoding.DecodeString(item.Nonce)
|
|
if err != nil {
|
|
batchResponseItems[i].Error = err.Error()
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
|
|
// Get the policy
|
|
p, lock, err := b.lm.GetPolicyShared(req.Storage, d.Get("name").(string))
|
|
if lock != nil {
|
|
defer lock.RUnlock()
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if p == nil {
|
|
return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
|
|
}
|
|
|
|
for i, item := range batchInputItems {
|
|
if batchResponseItems[i].Error != "" {
|
|
continue
|
|
}
|
|
|
|
plaintext, err := p.Decrypt(item.DecodedContext, item.DecodedNonce, item.Ciphertext)
|
|
if err != nil {
|
|
switch err.(type) {
|
|
case errutil.UserError:
|
|
batchResponseItems[i].Error = err.Error()
|
|
continue
|
|
default:
|
|
return nil, err
|
|
}
|
|
}
|
|
batchResponseItems[i].Plaintext = plaintext
|
|
}
|
|
|
|
resp := &logical.Response{}
|
|
if batchInputRaw != nil {
|
|
resp.Data = map[string]interface{}{
|
|
"batch_results": batchResponseItems,
|
|
}
|
|
} else {
|
|
if batchResponseItems[0].Error != "" {
|
|
return logical.ErrorResponse(batchResponseItems[0].Error), logical.ErrInvalidRequest
|
|
}
|
|
resp.Data = map[string]interface{}{
|
|
"plaintext": batchResponseItems[0].Plaintext,
|
|
}
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
const pathDecryptHelpSyn = `Decrypt a ciphertext value using a named key`
|
|
|
|
const pathDecryptHelpDesc = `
|
|
This path uses the named key from the request path to decrypt a user
|
|
provided ciphertext. The plaintext is returned base64 encoded.
|
|
`
|