luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/vault/seal/shamir/shamir.go
Brian Kassouf ed14061578
Raft Storage Backend (#6888) 
* Work on raft backend

* Add logstore locally

* Add encryptor and unsealable interfaces

* Add clustering support to raft

* Remove client and handler

* Bootstrap raft on init

* Cleanup raft logic a bit

* More raft work

* Work on TLS config

* More work on bootstrapping

* Fix build

* More work on bootstrapping

* More bootstrapping work

* fix build

* Remove consul dep

* Fix build

* merged oss/master into raft-storage

* Work on bootstrapping

* Get bootstrapping to work

* Clean up FMS and node-id

* Update local node ID logic

* Cleanup node-id change

* Work on snapshotting

* Raft: Add remove peer API (#906)

* Add remove peer API

* Add some comments

* Fix existing snapshotting (#909)

* Raft get peers API (#912)

* Read raft configuration

* address review feedback

* Use the Leadership Transfer API to step-down the active node (#918)

* Raft join and unseal using Shamir keys (#917)

* Raft join using shamir

* Store AEAD instead of master key

* Split the raft join process to answer the challenge after a successful unseal

* get the follower to standby state

* Make unseal work

* minor changes

* Some input checks

* reuse the shamir seal access instead of new default seal access

* refactor joinRaftSendAnswer function

* Synchronously send answer in auto-unseal case

* Address review feedback

* Raft snapshots (#910)

* Fix existing snapshotting

* implement the noop snapshotting

* Add comments and switch log libraries

* add some snapshot tests

* add snapshot test file

* add TODO

* More work on raft snapshotting

* progress on the ConfigStore strategy

* Don't use two buckets

* Update the snapshot store logic to hide the file logic

* Add more backend tests

* Cleanup code a bit

* [WIP] Raft recovery (#938)

* Add recovery functionality

* remove fmt.Printfs

* Fix a few fsm bugs

* Add max size value for raft backend (#942)

* Add max size value for raft backend

* Include physical.ErrValueTooLarge in the message

* Raft snapshot Take/Restore API  (#926)

* Inital work on raft snapshot APIs

* Always redirect snapshot install/download requests

* More work on the snapshot APIs

* Cleanup code a bit

* On restore handle special cases

* Use the seal to encrypt the sha sum file

* Add sealer mechanism and fix some bugs

* Call restore while state lock is held

* Send restore cb trigger through raft log

* Make error messages nicer

* Add test helpers

* Add snapshot test

* Add shamir unseal test

* Add more raft snapshot API tests

* Fix locking

* Change working to initalize

* Add underlying raw object to test cluster core

* Move leaderUUID to core

* Add raft TLS rotation logic (#950)

* Add TLS rotation logic

* Cleanup logic a bit

* Add/Remove from follower state on add/remove peer

* add comments

* Update more comments

* Update request_forwarding_service.proto

* Make sure we populate all nodes in the followerstate obj

* Update times

* Apply review feedback

* Add more raft config setting (#947)

* Add performance config setting

* Add more config options and fix tests

* Test Raft Recovery (#944)

* Test raft recovery

* Leave out a node during recovery

* remove unused struct

* Update physical/raft/snapshot_test.go

* Update physical/raft/snapshot_test.go

* fix vendoring

* Switch to new raft interface

* Remove unused files

* Switch a gogo -> proto instance

* Remove unneeded vault dep in go.sum

* Update helper/testhelpers/testhelpers.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/cluster/cluster.go

* track active key within the keyring itself (#6915)

* track active key within the keyring itself

* lookup and store using the active key ID

* update docstring

* minor refactor

* Small text fixes (#6912)

* Update physical/raft/raft.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* review feedback

* Move raft logical system into separate file

* Update help text a bit

* Enforce cluster addr is set and use it for raft bootstrapping

* Fix tests

* fix http test panic

* Pull in latest raft-snapshot library

* Add comment
2019-06-20 12:14:58 -07:00

126 lines
2.8 KiB
Go
Raw Blame History

package shamir
import (
"context"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"errors"
"fmt"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/vault/seal"
)
// ShamirSeal implements the seal.Access interface for Shamir unseal
type ShamirSeal struct {
logger log.Logger
aead cipher.AEAD
}
// Ensure that we are implementing AutoSealAccess
var _ seal.Access = (*ShamirSeal)(nil)
// NewSeal creates a new ShamirSeal with the provided logger
func NewSeal(logger log.Logger) *ShamirSeal {
seal := &ShamirSeal{
logger: logger,
}
return seal
}
// SetConfig sets the fields on the ShamirSeal object based on
// values from the config parameter.
func (s *ShamirSeal) SetConfig(config map[string]string) (map[string]string, error) {
// Map that holds non-sensitive configuration info
sealInfo := make(map[string]string)
if config == nil || config["key"] == "" {
return sealInfo, nil
}
keyB64 := config["key"]
key, err := base64.StdEncoding.DecodeString(keyB64)
if err != nil {
return sealInfo, err
}
aesCipher, err := aes.NewCipher(key)
if err != nil {
return sealInfo, err
}
aead, err := cipher.NewGCM(aesCipher)
if err != nil {
return sealInfo, err
}
s.aead = aead
return sealInfo, nil
}
// Init is called during core.Initialize. No-op at the moment.
func (s *ShamirSeal) Init(_ context.Context) error {
return nil
}
// Finalize is called during shutdown. This is a no-op since
// ShamirSeal doesn't require any cleanup.
func (s *ShamirSeal) Finalize(_ context.Context) error {
return nil
}
// SealType returns the seal type for this particular seal implementation.
func (s *ShamirSeal) SealType() string {
return seal.Shamir
}
// KeyID returns the last known key id.
func (s *ShamirSeal) KeyID() string {
return ""
}
// Encrypt is used to encrypt the plaintext using the aead held by the seal.
func (s *ShamirSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error) {
if plaintext == nil {
return nil, fmt.Errorf("given plaintext for encryption is nil")
}
if s.aead == nil {
return nil, errors.New("aead is not configured in the seal")
}
iv, err := uuid.GenerateRandomBytes(12)
if err != nil {
return nil, err
}
ciphertext := s.aead.Seal(nil, iv, plaintext, nil)
return &physical.EncryptedBlobInfo{
Ciphertext: append(iv, ciphertext...),
}, nil
}
func (s *ShamirSeal) Decrypt(_ context.Context, in *physical.EncryptedBlobInfo) ([]byte, error) {
if in == nil {
return nil, fmt.Errorf("given plaintext for encryption is nil")
}
if s.aead == nil {
return nil, errors.New("aead is not configured in the seal")
}
iv, ciphertext := in.Ciphertext[:12], in.Ciphertext[12:]
plaintext, err := s.aead.Open(nil, iv, ciphertext, nil)
if err != nil {
return nil, err
}
return plaintext, nil
}
Reference in a new issue View git blame Copy permalink