vault-redux/vault/generate_root_recovery.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package vault

import (
	"context"
	"fmt"

	"github.com/hashicorp/go-secure-stdlib/base62"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"go.uber.org/atomic"
)

// GenerateRecoveryTokenStrategy is the strategy used to generate a
// recovery token
func GenerateRecoveryTokenStrategy(token *atomic.String) GenerateRootStrategy {
	return &generateRecoveryToken{token: token}
}

// generateRecoveryToken implements the GenerateRootStrategy and is in
// charge of creating recovery tokens.
type generateRecoveryToken struct {
	token *atomic.String
}

func (g *generateRecoveryToken) authenticate(ctx context.Context, c *Core, combinedKey []byte) error {
	key, err := c.unsealKeyToRootKeyPostUnseal(ctx, combinedKey)
	if err != nil {
		return fmt.Errorf("unable to authenticate: %w", err)
	}

	// Use the retrieved root key to unseal the barrier
	if err := c.barrier.Unseal(ctx, key); err != nil {
		return fmt.Errorf("recovery operation token generation failed, cannot unseal barrier: %w", err)
	}

	for _, v := range c.postRecoveryUnsealFuncs {
		if err := v(); err != nil {
			return fmt.Errorf("failed to run post unseal func: %w", err)
		}
	}
	return nil
}

func (g *generateRecoveryToken) generate(ctx context.Context, c *Core) (string, func(), error) {
	var id string
	var err error
	id, err = base62.Random(TokenLength)
	if err != nil {
		return "", nil, err
	}
	var token string
	if c.DisableSSCTokens() {
		token = consts.LegacyRecoveryTokenPrefix + id
	} else {
		token = consts.RecoveryTokenPrefix + id
	}
	g.token.Store(token)

	return token, func() { g.token.Store("") }, nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 19:00:52 +03:00			`// Copyright (c) HashiCorp, Inc.`
[DO NOT MERGE UNTIL EOY] EOY license fixes 1.14.x (#24390) 2024-01-02 21:36:20 +03:00			`// SPDX-License-Identifier: BUSL-1.1`
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 19:00:52 +03:00
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 07:55:31 +03:00			`package vault`

			`import (`
			`"context"`
vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 20:12:54 +03:00			`"fmt"`
Run go fmt (#7823) 2019-11-07 19:54:34 +03:00
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 03:17:31 +03:00			`"github.com/hashicorp/go-secure-stdlib/base62"`
SSCT Tokens Feature [OSS] (#14109) * port SSCT OSS * port header hmac key to ent and generate token proto without make command * remove extra nil check in request handling * add changelog * add comment to router.go * change test var to use length constants * remove local index is 0 check and extra defer which can be removed after use of ExternalID 2022-02-17 22:43:07 +03:00			`"github.com/hashicorp/vault/sdk/helper/consts"`
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 07:55:31 +03:00			`"go.uber.org/atomic"`
			`)`

			`// GenerateRecoveryTokenStrategy is the strategy used to generate a`
			`// recovery token`
			`func GenerateRecoveryTokenStrategy(token *atomic.String) GenerateRootStrategy {`
			`return &generateRecoveryToken{token: token}`
			`}`

			`// generateRecoveryToken implements the GenerateRootStrategy and is in`
			`// charge of creating recovery tokens.`
			`type generateRecoveryToken struct {`
			`token *atomic.String`
			`}`

Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`func (g generateRecoveryToken) authenticate(ctx context.Context, c Core, combinedKey []byte) error {`
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> 2021-12-07 04:12:20 +03:00			`key, err := c.unsealKeyToRootKeyPostUnseal(ctx, combinedKey)`
Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`if err != nil {`
vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 20:12:54 +03:00			`return fmt.Errorf("unable to authenticate: %w", err)`
Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`}`

Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> 2021-12-07 04:12:20 +03:00			`// Use the retrieved root key to unseal the barrier`
Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`if err := c.barrier.Unseal(ctx, key); err != nil {`
vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 20:12:54 +03:00			`return fmt.Errorf("recovery operation token generation failed, cannot unseal barrier: %w", err)`
Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`}`

			`for _, v := range c.postRecoveryUnsealFuncs {`
			`if err := v(); err != nil {`
vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 20:12:54 +03:00			`return fmt.Errorf("failed to run post unseal func: %w", err)`
Abstract generate-root authentication into the strategy interface (#7698) * Abstract generate-root authentication into the strategy interface * Generate root strategy ncabatoff (#7700) * Adapt to new shamir-as-kek reality. * Don't try to verify the master key when we might still be sealed (in recovery mode). Instead, verify it in the authenticate methods. 2019-10-23 19:52:28 +03:00			`}`
			`}`
			`return nil`
			`}`

Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 07:55:31 +03:00			`func (g generateRecoveryToken) generate(ctx context.Context, c Core) (string, func(), error) {`
SSCT Tokens Feature [OSS] (#14109) * port SSCT OSS * port header hmac key to ent and generate token proto without make command * remove extra nil check in request handling * add changelog * add comment to router.go * change test var to use length constants * remove local index is 0 check and extra defer which can be removed after use of ExternalID 2022-02-17 22:43:07 +03:00			`var id string`
			`var err error`
			`id, err = base62.Random(TokenLength)`
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 07:55:31 +03:00			`if err != nil {`
			`return "", nil, err`
			`}`
SSCT Tokens Feature [OSS] (#14109) * port SSCT OSS * port header hmac key to ent and generate token proto without make command * remove extra nil check in request handling * add changelog * add comment to router.go * change test var to use length constants * remove local index is 0 check and extra defer which can be removed after use of ExternalID 2022-02-17 22:43:07 +03:00			`var token string`
			`if c.DisableSSCTokens() {`
			`token = consts.LegacyRecoveryTokenPrefix + id`
			`} else {`
			`token = consts.RecoveryTokenPrefix + id`
			`}`
Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 07:55:31 +03:00			`g.token.Store(token)`

			`return token, func() { g.token.Store("") }, nil`
			`}`