krd/vault-redux
1
0
Fork 0
Code
c3f569436c
vault-redux/vault/rekey.go

1033 lines
36 KiB
Go
Raw Normal View History

adding copyright header (#19555) * adding copyright header * fix fmt and a test
2023-03-15 19:00:52 +03:00
// Copyright (c) HashiCorp, Inc.
[DO NOT MERGE UNTIL EOY] EOY license fixes 1.14.x (#24390)
2024-01-02 21:36:20 +03:00
// SPDX-License-Identifier: BUSL-1.1
adding copyright header (#19555) * adding copyright header * fix fmt and a test
2023-03-15 19:00:52 +03:00
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
package vault
import (
"bytes"
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
"context"
WIP
2018-05-18 04:17:52 +03:00
"crypto/subtle"
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
"encoding/hex"
"encoding/json"
"fmt"
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
"net/http"
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
OSS portion of wrapper-v2 (#16811) * OSS portion of wrapper-v2 * Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter * Rename the OveriddenType to WrapperType and use it for the barrier type prefetch * Fix unit test
2022-08-23 22:37:16 +03:00
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
"github.com/hashicorp/go-uuid"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 10:44:06 +03:00
"github.com/hashicorp/vault/helper/pgpkeys"
Create sdk/ and api/ submodules (#6583)
2019-04-13 00:54:35 +03:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical"
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
"github.com/hashicorp/vault/shamir"
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment
2019-06-20 22:14:58 +03:00
"github.com/hashicorp/vault/vault/seal"
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
)
SealInterface
2016-04-04 17:44:22 +03:00
const (
Spelling (#4119)
2018-03-20 21:54:10 +03:00
// coreUnsealKeysBackupPath is the path used to backup encrypted unseal
SealInterface
2016-04-04 17:44:22 +03:00
// keys if specified during a rekey operation. This is outside of the
// barrier.
coreBarrierUnsealKeysBackupPath = "core/unseal-keys-backup"
Spelling (#4119)
2018-03-20 21:54:10 +03:00
// coreRecoveryUnsealKeysBackupPath is the path used to backup encrypted
SealInterface
2016-04-04 17:44:22 +03:00
// recovery keys if specified during a rekey operation. This is outside of
// the barrier.
coreRecoveryUnsealKeysBackupPath = "core/recovery-keys-backup"
)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// RekeyResult is used to provide the key parts back after
// they are generated as part of the rekey.
type RekeyResult struct {
WIP
2018-05-18 04:17:52 +03:00
SecretShares [][]byte
PGPFingerprints []string
Backup bool
RecoveryKey bool
VerificationRequired bool
VerificationNonce string
}
type RekeyVerifyResult struct {
Fix introduced bug in refactor
2018-05-22 03:54:20 +03:00
Complete bool
Nonce string
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
// RekeyBackup stores the backup copy of PGP-encrypted keys
type RekeyBackup struct {
Nonce string
Keys map[string][]string
}
Sync
2017-10-23 21:59:37 +03:00
// RekeyThreshold returns the secret threshold for the current seal
// config. This threshold can either be the barrier key threshold or
// the recovery key threshold, depending on whether rekey is being
// performed on the recovery key, or whether the seal supports
// recovery keys.
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, logical.HTTPCodedError) {
SealInterface
2016-04-04 17:44:22 +03:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return 0, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return 0, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
c.rekeyLock.RLock()
defer c.rekeyLock.RUnlock()
var config *SealConfig
var err error
Sync
2017-10-23 21:59:37 +03:00
// If we are rekeying the recovery key, or if the seal supports
// recovery keys and we are rekeying the barrier key, we use the
// recovery config as the threshold instead.
Remove context from a few extraneous places
2018-01-19 11:44:06 +03:00
if recovery || c.seal.RecoveryKeySupported() {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
config, err = c.seal.RecoveryConfig(ctx)
SealInterface
2016-04-04 17:44:22 +03:00
} else {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
config, err = c.seal.BarrierConfig(ctx)
SealInterface
2016-04-04 17:44:22 +03:00
}
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return 0, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("unable to look up config: %w", err).Error())
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
}
if config == nil {
return 0, logical.CodedError(http.StatusBadRequest, ErrNotInit.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
return config.SecretThreshold, nil
}
Sync
2017-10-23 21:59:37 +03:00
// RekeyProgress is used to return the rekey progress (num shares).
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
func (c *Core) RekeyProgress(recovery, verification bool) (bool, int, logical.HTTPCodedError) {
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
return false, 0, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
return false, 0, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.rekeyLock.RLock()
defer c.rekeyLock.RUnlock()
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
var conf *SealConfig
SealInterface
2016-04-04 17:44:22 +03:00
if recovery {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
conf = c.recoveryRekeyConfig
} else {
conf = c.barrierRekeyConfig
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
if conf == nil {
return false, 0, logical.CodedError(http.StatusBadRequest, "rekey operation not in progress")
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if verification {
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
return len(conf.VerificationKey) > 0, len(conf.VerificationProgress), nil
WIP
2018-05-18 04:17:52 +03:00
}
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
return true, len(conf.RekeyProgress), nil
WIP
2018-05-18 04:17:52 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// RekeyConfig is used to read the rekey configuration
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError) {
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
// Copy the seal config if any
var conf *SealConfig
SealInterface
2016-04-04 17:44:22 +03:00
if recovery {
if c.recoveryRekeyConfig != nil {
conf = c.recoveryRekeyConfig.Clone()
}
} else {
if c.barrierRekeyConfig != nil {
conf = c.barrierRekeyConfig.Clone()
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
return conf, nil
}
Sync
2017-10-23 21:59:37 +03:00
// RekeyInit will either initialize the rekey of barrier or recovery key.
// recovery determines whether this is a rekey on the barrier or recovery key.
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedError {
Re-add removed check between shares/threshold
2018-05-30 01:38:14 +03:00
if config.SecretThreshold > config.SecretShares {
return logical.CodedError(http.StatusBadRequest, "provided threshold greater than the total shares")
}
SealInterface
2016-04-04 17:44:22 +03:00
if recovery {
Remove context from a few extraneous places
2018-01-19 11:44:06 +03:00
return c.RecoveryRekeyInit(config)
SealInterface
2016-04-04 17:44:22 +03:00
}
Remove context from a few extraneous places
2018-01-19 11:44:06 +03:00
return c.BarrierRekeyInit(config)
SealInterface
2016-04-04 17:44:22 +03:00
}
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
switch c.seal.BarrierType() {
OSS portion of wrapper-v2 (#16811) * OSS portion of wrapper-v2 * Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter * Rename the OveriddenType to WrapperType and use it for the barrier type prefetch * Fix unit test
2022-08-23 22:37:16 +03:00
case wrapping.WrapperTypeShamir:
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
// As of Vault 1.3 all seals use StoredShares==1. The one exception is
// legacy shamir seals, which we can read but not write (by design).
// So if someone does a rekey, regardless of their intention, we're going
// to migrate them to a non-legacy Shamir seal.
if config.StoredShares != 1 {
c.logger.Warn("shamir stored keys supported, forcing rekey shares/threshold to 1")
config.StoredShares = 1
}
default:
if config.StoredShares != 1 {
c.logger.Warn("stored keys supported, forcing rekey shares/threshold to 1")
config.StoredShares = 1
}
Fix panic and update some text
2018-05-29 20:13:47 +03:00
config.SecretShares = 1
config.SecretThreshold = 1
SealInterface
2016-04-04 17:44:22 +03:00
if len(config.PGPKeys) > 0 {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "PGP key encryption not supported when using stored keys")
SealInterface
2016-04-04 17:44:22 +03:00
}
if config.Backup {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "key backup not supported when using stored keys")
SealInterface
2016-04-04 17:44:22 +03:00
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if c.seal.RecoveryKeySupported() {
if config.VerificationRequired {
return logical.CodedError(http.StatusBadRequest, "requiring verification not supported when rekeying the barrier key with recovery keys")
WIP
2018-05-18 04:17:52 +03:00
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
c.logger.Debug("using recovery seal configuration to rekey barrier key")
Sync
2017-10-23 21:59:37 +03:00
}
Speling police
2016-05-15 19:58:36 +03:00
// Check if the seal configuration is valid
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err := config.Validate(); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("invalid rekey seal configuration", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("invalid rekey seal configuration: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Prevent multiple concurrent re-keys
SealInterface
2016-04-04 17:44:22 +03:00
if c.barrierRekeyConfig != nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "rekey already in progress")
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
// Copy the configuration
SealInterface
2016-04-04 17:44:22 +03:00
c.barrierRekeyConfig = config.Clone()
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Initialize the nonce
nonce, err := uuid.GenerateUUID()
if err != nil {
SealInterface
2016-04-04 17:44:22 +03:00
c.barrierRekeyConfig = nil
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error generating nonce for procedure: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.barrierRekeyConfig.Nonce = nonce
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Convert to logxi
2016-08-19 23:45:17 +03:00
if c.logger.IsInfo() {
WIP
2018-05-18 04:17:52 +03:00
c.logger.Info("rekey initialized", "nonce", c.barrierRekeyConfig.Nonce, "shares", c.barrierRekeyConfig.SecretShares, "threshold", c.barrierRekeyConfig.SecretThreshold, "validation_required", c.barrierRekeyConfig.VerificationRequired)
Convert to logxi
2016-08-19 23:45:17 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
return nil
}
SealInterface
2016-04-04 17:44:22 +03:00
// RecoveryRekeyInit is used to initialize the rekey settings for the recovery key
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError {
SealInterface
2016-04-04 17:44:22 +03:00
if config.StoredShares > 0 {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "stored shares not supported by recovery key")
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
Speling police
2016-05-15 19:58:36 +03:00
// Check if the seal configuration is valid
SealInterface
2016-04-04 17:44:22 +03:00
if err := config.Validate(); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("invalid recovery configuration", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("invalid recovery configuration: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Revert #18683 (#18942) * Revert "Don't execute the seal recovery tests on ENT. (#18841)" This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2. * Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)" This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
2023-02-01 22:34:53 +03:00
Remove context from a few extraneous places
2018-01-19 11:44:06 +03:00
if !c.seal.RecoveryKeySupported() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "recovery keys not supported")
SealInterface
2016-04-04 17:44:22 +03:00
}
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
// Prevent multiple concurrent re-keys
if c.recoveryRekeyConfig != nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, "rekey already in progress")
SealInterface
2016-04-04 17:44:22 +03:00
}
// Copy the configuration
c.recoveryRekeyConfig = config.Clone()
// Initialize the nonce
nonce, err := uuid.GenerateUUID()
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
SealInterface
2016-04-04 17:44:22 +03:00
c.recoveryRekeyConfig = nil
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error generating nonce for procedure: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.recoveryRekeyConfig.Nonce = nonce
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Convert to logxi
2016-08-19 23:45:17 +03:00
if c.logger.IsInfo() {
WIP
2018-05-18 04:17:52 +03:00
c.logger.Info("rekey initialized", "nonce", c.recoveryRekeyConfig.Nonce, "shares", c.recoveryRekeyConfig.SecretShares, "threshold", c.recoveryRekeyConfig.SecretThreshold, "validation_required", c.recoveryRekeyConfig.VerificationRequired)
Convert to logxi
2016-08-19 23:45:17 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
return nil
}
Sync
2017-10-23 21:59:37 +03:00
// RekeyUpdate is used to provide a new key part for the barrier or recovery key.
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, logical.HTTPCodedError) {
SealInterface
2016-04-04 17:44:22 +03:00
if recovery {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
return c.RecoveryRekeyUpdate(ctx, key, nonce)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
return c.BarrierRekeyUpdate(ctx, key, nonce)
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Sync
2017-10-23 21:59:37 +03:00
// BarrierRekeyUpdate is used to provide a new key part. Barrier rekey can be done
// with unseal keys, or recovery keys if that's supported and we are storing the barrier
// key.
//
// N.B.: If recovery keys are used to rekey, the new barrier key shares are not returned.
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError) {
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Ensure we are already unsealed
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
// Verify the key length
min, max := c.barrier.KeyLength()
max += shamir.ShareOverhead
if len(key) < min {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is shorter than minimum %d bytes", min))
SealInterface
2016-04-04 17:44:22 +03:00
}
if len(key) > max {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is longer than maximum %d bytes", max))
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
SealInterface
2016-04-04 17:44:22 +03:00
// Get the seal configuration
Sync
2017-10-23 21:59:37 +03:00
var existingConfig *SealConfig
var err error
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
var useRecovery bool // Determines whether recovery key is being used to rekey the root key
Migrate built in auto seal to go-kms-wrapping (#8118)
2020-01-11 04:39:52 +03:00
if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedGeneric && c.seal.RecoveryKeySupported() {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
existingConfig, err = c.seal.RecoveryConfig(ctx)
Sync
2017-10-23 21:59:37 +03:00
useRecovery = true
} else {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
existingConfig, err = c.seal.BarrierConfig(ctx)
Sync
2017-10-23 21:59:37 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to fetch existing config: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
// Ensure the barrier is initialized
if existingConfig == nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, ErrNotInit.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Ensure a rekey is in progress
SealInterface
2016-04-04 17:44:22 +03:00
if c.barrierRekeyConfig == nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "no barrier rekey in progress")
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Don't allow providing original key shares once we've moved on to verification
2018-05-22 04:02:45 +03:00
if len(c.barrierRekeyConfig.VerificationKey) > 0 {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("rekey operation already finished; verification must be performed; nonce for the verification operation is %q", c.barrierRekeyConfig.VerificationNonce))
}
SealInterface
2016-04-04 17:44:22 +03:00
if nonce != c.barrierRekeyConfig.Nonce {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("incorrect nonce supplied; nonce for this rekey operation is %q", c.barrierRekeyConfig.Nonce))
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
// Check if we already have this piece
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
for _, existing := range c.barrierRekeyConfig.RekeyProgress {
WIP
2018-05-18 04:30:39 +03:00
if subtle.ConstantTimeCompare(existing, key) == 1 {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "given key has already been provided during this generation operation")
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
}
// Store this key
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.barrierRekeyConfig.RekeyProgress = append(c.barrierRekeyConfig.RekeyProgress, key)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Check if we don't have enough keys to unlock
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if len(c.barrierRekeyConfig.RekeyProgress) < existingConfig.SecretThreshold {
Convert to logxi
2016-08-19 23:45:17 +03:00
if c.logger.IsDebug() {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.logger.Debug("cannot rekey yet, not enough keys", "keys", len(c.barrierRekeyConfig.RekeyProgress), "threshold", existingConfig.SecretThreshold)
Convert to logxi
2016-08-19 23:45:17 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
return nil, nil
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Recover the root key or recovery key
Sync
2017-10-23 21:59:37 +03:00
var recoveredKey []byte
SealInterface
2016-04-04 17:44:22 +03:00
if existingConfig.SecretThreshold == 1 {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
recoveredKey = c.barrierRekeyConfig.RekeyProgress[0]
Reset rekey progress once threshold has been met (#5743) * Reset rekey progress once threshold has been met * Reverting log message changes * Add progress check on invalid rekey test * Minor comment update
2018-11-20 04:03:07 +03:00
c.barrierRekeyConfig.RekeyProgress = nil
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
} else {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
recoveredKey, err = shamir.Combine(c.barrierRekeyConfig.RekeyProgress)
Reset rekey progress once threshold has been met (#5743) * Reset rekey progress once threshold has been met * Reverting log message changes * Add progress check on invalid rekey test * Minor comment update
2018-11-20 04:03:07 +03:00
c.barrierRekeyConfig.RekeyProgress = nil
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to compute root key: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
switch {
case useRecovery:
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err := c.seal.VerifyRecoveryKey(ctx, recoveredKey); err != nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
c.logger.Error("rekey recovery key verification failed", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error())
Sync
2017-10-23 21:59:37 +03:00
}
OSS portion of wrapper-v2 (#16811) * OSS portion of wrapper-v2 * Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter * Rename the OveriddenType to WrapperType and use it for the barrier type prefetch * Fix unit test
2022-08-23 22:37:16 +03:00
case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot {
Convert seal.Access struct into a interface (OSS) (#20510) * Move seal barrier type field from Access to autoSeal struct. Remove method Access.SetType(), which was only being used by a single test, and which can use the name option of NewTestSeal() to specify the type. * Change method signatures of Access to match those of Wrapper. * Turn seal.Access struct into an interface. * Tweak Access implementation. Change `access` struct to have a field of type wrapping.Wrapper, rather than extending it. * Add method Seal.GetShamirWrapper(). Add method Seal.GetShamirWrapper() for use by code that need to perform Shamir-specific operations.
2023-05-04 21:22:30 +03:00
shamirWrapper := aeadwrapper.NewShamirWrapper()
testseal := NewDefaultSeal(seal.NewAccess(shamirWrapper))
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
testseal.SetCore(c)
Convert seal.Access struct into a interface (OSS) (#20510) * Move seal barrier type field from Access to autoSeal struct. Remove method Access.SetType(), which was only being used by a single test, and which can use the name option of NewTestSeal() to specify the type. * Change method signatures of Access to match those of Wrapper. * Turn seal.Access struct into an interface. * Tweak Access implementation. Change `access` struct to have a field of type wrapping.Wrapper, rather than extending it. * Add method Seal.GetShamirWrapper(). Add method Seal.GetShamirWrapper() for use by code that need to perform Shamir-specific operations.
2023-05-04 21:22:30 +03:00
err = shamirWrapper.SetAesGcmKeyBytes(recoveredKey)
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup unseal key: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
cfg, err := c.seal.BarrierConfig(ctx)
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup test barrier config: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
testseal.SetCachedBarrierConfig(cfg)
stored, err := testseal.GetStoredKeys(ctx)
if err != nil {
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to read root key: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
recoveredKey = stored[0]
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
if err := c.barrier.VerifyRoot(recoveredKey); err != nil {
c.logger.Error("root key verification failed", "error", err)
return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("rootter key verification failed: %w", err).Error())
Sync
2017-10-23 21:59:37 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Generate a new key: for AutoUnseal, this is a new root key; for Shamir,
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
// this is a new unseal key, and performBarrierRekey will also generate a
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// new root key.
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
newKey, err := c.barrier.GenerateKey(c.secureRandomReader)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
c.logger.Error("failed to generate root key", "error", err)
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("root key generation failed: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
results := &RekeyResult{
SealInterface
2016-04-04 17:44:22 +03:00
Backup: c.barrierRekeyConfig.Backup,
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Migrate built in auto seal to go-kms-wrapping (#8118)
2020-01-11 04:39:52 +03:00
if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric {
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
// Set result.SecretShares to the new key itself if only a single key
// part is used -- no Shamir split required.
if c.barrierRekeyConfig.SecretShares == 1 {
results.SecretShares = append(results.SecretShares, newKey)
} else {
// Split the new key using the Shamir algorithm
shares, err := shamir.Split(newKey, c.barrierRekeyConfig.SecretShares, c.barrierRekeyConfig.SecretThreshold)
if err != nil {
c.logger.Error("failed to generate shares", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to generate shares: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
results.SecretShares = shares
SealInterface
2016-04-04 17:44:22 +03:00
}
}
Sync
2017-10-23 21:59:37 +03:00
// If PGP keys are passed in, encrypt shares with corresponding PGP keys.
SealInterface
2016-04-04 17:44:22 +03:00
if len(c.barrierRekeyConfig.PGPKeys) > 0 {
Fix lost code after rebase
2016-01-20 03:19:07 +03:00
hexEncodedShares := make([][]byte, len(results.SecretShares))
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 19:43:39 +03:00
for i := range results.SecretShares {
Fix lost code after rebase
2016-01-20 03:19:07 +03:00
hexEncodedShares[i] = []byte(hex.EncodeToString(results.SecretShares[i]))
}
SealInterface
2016-04-04 17:44:22 +03:00
results.PGPFingerprints, results.SecretShares, err = pgpkeys.EncryptShares(hexEncodedShares, c.barrierRekeyConfig.PGPKeys)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to encrypt shares: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Sync
2017-10-23 21:59:37 +03:00
// If backup is enabled, store backup info in vault.coreBarrierUnsealKeysBackupPath
SealInterface
2016-04-04 17:44:22 +03:00
if c.barrierRekeyConfig.Backup {
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
backupInfo := map[string][]string{}
for i := 0; i < len(results.PGPFingerprints); i++ {
encShare := bytes.NewBuffer(results.SecretShares[i])
if backupInfo[results.PGPFingerprints[i]] == nil {
backupInfo[results.PGPFingerprints[i]] = []string{hex.EncodeToString(encShare.Bytes())}
} else {
backupInfo[results.PGPFingerprints[i]] = append(backupInfo[results.PGPFingerprints[i]], hex.EncodeToString(encShare.Bytes()))
}
}
backupVals := &RekeyBackup{
SealInterface
2016-04-04 17:44:22 +03:00
Nonce: c.barrierRekeyConfig.Nonce,
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Keys: backupInfo,
}
buf, err := json.Marshal(backupVals)
if err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to marshal unseal key backup", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to marshal unseal key backup: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
pe := &physical.Entry{
SealInterface
2016-04-04 17:44:22 +03:00
Key: coreBarrierUnsealKeysBackupPath,
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
Value: buf,
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err = c.physical.Put(ctx, pe); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to save unseal key backup", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save unseal key backup: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
}
}
WIP
2018-05-18 04:17:52 +03:00
// If we are requiring validation, return now; otherwise rekey the barrier
if c.barrierRekeyConfig.VerificationRequired {
nonce, err := uuid.GenerateUUID()
if err != nil {
c.barrierRekeyConfig = nil
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to generate verification nonce: %w", err).Error())
WIP
2018-05-18 04:17:52 +03:00
}
c.barrierRekeyConfig.VerificationNonce = nonce
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
c.barrierRekeyConfig.VerificationKey = newKey
WIP
2018-05-18 04:17:52 +03:00
results.VerificationRequired = true
results.VerificationNonce = nonce
return results, nil
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if err := c.performBarrierRekey(ctx, newKey); err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to perform barrier rekey: %w", err).Error())
WIP
2018-05-18 04:17:52 +03:00
}
c.barrierRekeyConfig = nil
return results, nil
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logical.HTTPCodedError {
Migrate built in auto seal to go-kms-wrapping (#8118)
2020-01-11 04:39:52 +03:00
legacyUpgrade := c.seal.StoredKeysSupported() == seal.StoredKeysNotSupported
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if legacyUpgrade {
// We won't be able to call SetStoredKeys without setting StoredShares=1.
existingConfig, err := c.seal.BarrierConfig(ctx)
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to fetch existing config: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
existingConfig.StoredShares = 1
c.seal.SetCachedBarrierConfig(existingConfig)
}
Migrate built in auto seal to go-kms-wrapping (#8118)
2020-01-11 04:39:52 +03:00
if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric {
Convert seal.Access struct into a interface (OSS) (#20510) * Move seal barrier type field from Access to autoSeal struct. Remove method Access.SetType(), which was only being used by a single test, and which can use the name option of NewTestSeal() to specify the type. * Change method signatures of Access to match those of Wrapper. * Turn seal.Access struct into an interface. * Tweak Access implementation. Change `access` struct to have a field of type wrapping.Wrapper, rather than extending it. * Add method Seal.GetShamirWrapper(). Add method Seal.GetShamirWrapper() for use by code that need to perform Shamir-specific operations.
2023-05-04 21:22:30 +03:00
shamirWrapper, err := c.seal.GetShamirWrapper()
if err == nil {
err = shamirWrapper.SetAesGcmKeyBytes(newSealKey)
}
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to update barrier seal key: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
newRootKey, err := c.barrier.GenerateKey(c.secureRandomReader)
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to perform rekey: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
if err := c.seal.SetStoredKeys(ctx, [][]byte{newRootKey}); err != nil {
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
c.logger.Error("failed to store keys", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to store keys: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Rekey the barrier
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
if err := c.barrier.Rekey(ctx, newRootKey); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to rekey barrier", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to rekey barrier: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Convert to logxi
2016-08-19 23:45:17 +03:00
if c.logger.IsInfo() {
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
c.logger.Info("security barrier rekeyed", "stored", c.barrierRekeyConfig.StoredShares, "shares", c.barrierRekeyConfig.SecretShares, "threshold", c.barrierRekeyConfig.SecretThreshold)
}
if len(newSealKey) > 0 {
err := c.barrier.Put(ctx, &logical.StorageEntry{
Key: shamirKekPath,
Value: newSealKey,
})
if err != nil {
c.logger.Error("failed to store new seal key", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to store new seal key: %w", err).Error())
Shamir seals now come in two varieties: legacy and new-style. (#7694) Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
2019-10-18 21:46:00 +03:00
}
Convert to logxi
2016-08-19 23:45:17 +03:00
}
WIP
2018-05-18 04:17:52 +03:00
c.barrierRekeyConfig.VerificationKey = nil
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err := c.seal.SetBarrierConfig(ctx, c.barrierRekeyConfig); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("error saving rekey seal configuration", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save rekey seal configuration: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
// Write to the canary path, which will force a synchronous truing during
// replication
Split SubView functionality into logical.StorageView (#6141) This lets other parts of Vault that can't depend on the vault package take advantage of the subview functionality. This also allows getting rid of BarrierStorage and vault.Entry, two totally redundant abstractions.
2019-01-31 17:25:18 +03:00
if err := c.barrier.Put(ctx, &logical.StorageEntry{
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
Key: coreKeyringCanaryPath,
Value: []byte(c.barrierRekeyConfig.Nonce),
}); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("error saving keyring canary", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save keyring canary: %w", err).Error())
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
}
Fix panic and update some text
2018-05-29 20:13:47 +03:00
c.barrierRekeyConfig.RekeyProgress = nil
WIP
2018-05-18 04:17:52 +03:00
return nil
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
SealInterface
2016-04-04 17:44:22 +03:00
// RecoveryRekeyUpdate is used to provide a new key part
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError) {
SealInterface
2016-04-04 17:44:22 +03:00
// Ensure we are already unsealed
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
// Verify the key length
min, max := c.barrier.KeyLength()
max += shamir.ShareOverhead
if len(key) < min {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is shorter than minimum %d bytes", min))
SealInterface
2016-04-04 17:44:22 +03:00
}
if len(key) > max {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is longer than maximum %d bytes", max))
SealInterface
2016-04-04 17:44:22 +03:00
}
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
// Get the seal configuration
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
existingConfig, err := c.seal.RecoveryConfig(ctx)
SealInterface
2016-04-04 17:44:22 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to fetch existing recovery config: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Sync
2017-10-23 21:59:37 +03:00
// Ensure the seal is initialized
if existingConfig == nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, ErrNotInit.Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
// Ensure a rekey is in progress
if c.recoveryRekeyConfig == nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "no recovery rekey in progress")
SealInterface
2016-04-04 17:44:22 +03:00
}
Don't allow providing original key shares once we've moved on to verification
2018-05-22 04:02:45 +03:00
if len(c.recoveryRekeyConfig.VerificationKey) > 0 {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("rekey operation already finished; verification must be performed; nonce for the verification operation is %q", c.recoveryRekeyConfig.VerificationNonce))
}
SealInterface
2016-04-04 17:44:22 +03:00
if nonce != c.recoveryRekeyConfig.Nonce {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("incorrect nonce supplied; nonce for this rekey operation is %q", c.recoveryRekeyConfig.Nonce))
SealInterface
2016-04-04 17:44:22 +03:00
}
// Check if we already have this piece
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
for _, existing := range c.recoveryRekeyConfig.RekeyProgress {
WIP
2018-05-18 04:30:39 +03:00
if subtle.ConstantTimeCompare(existing, key) == 1 {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "given key has already been provided during this rekey operation")
SealInterface
2016-04-04 17:44:22 +03:00
}
}
// Store this key
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.recoveryRekeyConfig.RekeyProgress = append(c.recoveryRekeyConfig.RekeyProgress, key)
SealInterface
2016-04-04 17:44:22 +03:00
// Check if we don't have enough keys to unlock
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if len(c.recoveryRekeyConfig.RekeyProgress) < existingConfig.SecretThreshold {
Convert to logxi
2016-08-19 23:45:17 +03:00
if c.logger.IsDebug() {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.logger.Debug("cannot rekey yet, not enough keys", "keys", len(c.recoveryRekeyConfig.RekeyProgress), "threshold", existingConfig.SecretThreshold)
Convert to logxi
2016-08-19 23:45:17 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
return nil, nil
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Recover the root key
Sync
2017-10-23 21:59:37 +03:00
var recoveryKey []byte
SealInterface
2016-04-04 17:44:22 +03:00
if existingConfig.SecretThreshold == 1 {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
recoveryKey = c.recoveryRekeyConfig.RekeyProgress[0]
Reset rekey progress once threshold has been met (#5743) * Reset rekey progress once threshold has been met * Reverting log message changes * Add progress check on invalid rekey test * Minor comment update
2018-11-20 04:03:07 +03:00
c.recoveryRekeyConfig.RekeyProgress = nil
SealInterface
2016-04-04 17:44:22 +03:00
} else {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
recoveryKey, err = shamir.Combine(c.recoveryRekeyConfig.RekeyProgress)
Reset rekey progress once threshold has been met (#5743) * Reset rekey progress once threshold has been met * Reverting log message changes * Add progress check on invalid rekey test * Minor comment update
2018-11-20 04:03:07 +03:00
c.recoveryRekeyConfig.RekeyProgress = nil
SealInterface
2016-04-04 17:44:22 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to compute recovery key: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
}
// Verify the recovery key
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err := c.seal.VerifyRecoveryKey(ctx, recoveryKey); err != nil {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
c.logger.Error("recovery key verification failed", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Generate a new root key
newRecoveryKey, err := c.barrier.GenerateKey(c.secureRandomReader)
SealInterface
2016-04-04 17:44:22 +03:00
if err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to generate recovery key", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("recovery key generation failed: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Return the root key if only a single key part is used
SealInterface
2016-04-04 17:44:22 +03:00
results := &RekeyResult{
Backup: c.recoveryRekeyConfig.Backup,
}
if c.recoveryRekeyConfig.SecretShares == 1 {
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
results.SecretShares = append(results.SecretShares, newRecoveryKey)
SealInterface
2016-04-04 17:44:22 +03:00
} else {
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Split the root key using the Shamir algorithm
shares, err := shamir.Split(newRecoveryKey, c.recoveryRekeyConfig.SecretShares, c.recoveryRekeyConfig.SecretThreshold)
SealInterface
2016-04-04 17:44:22 +03:00
if err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to generate shares", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to generate shares: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
results.SecretShares = shares
}
if len(c.recoveryRekeyConfig.PGPKeys) > 0 {
hexEncodedShares := make([][]byte, len(results.SecretShares))
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 19:43:39 +03:00
for i := range results.SecretShares {
SealInterface
2016-04-04 17:44:22 +03:00
hexEncodedShares[i] = []byte(hex.EncodeToString(results.SecretShares[i]))
}
results.PGPFingerprints, results.SecretShares, err = pgpkeys.EncryptShares(hexEncodedShares, c.recoveryRekeyConfig.PGPKeys)
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to encrypt shares: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
if c.recoveryRekeyConfig.Backup {
backupInfo := map[string][]string{}
for i := 0; i < len(results.PGPFingerprints); i++ {
encShare := bytes.NewBuffer(results.SecretShares[i])
if backupInfo[results.PGPFingerprints[i]] == nil {
backupInfo[results.PGPFingerprints[i]] = []string{hex.EncodeToString(encShare.Bytes())}
} else {
backupInfo[results.PGPFingerprints[i]] = append(backupInfo[results.PGPFingerprints[i]], hex.EncodeToString(encShare.Bytes()))
}
}
backupVals := &RekeyBackup{
Nonce: c.recoveryRekeyConfig.Nonce,
Keys: backupInfo,
}
buf, err := json.Marshal(backupVals)
if err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to marshal recovery key backup", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to marshal recovery key backup: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
pe := &physical.Entry{
Key: coreRecoveryUnsealKeysBackupPath,
Value: buf,
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err = c.physical.Put(ctx, pe); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to save unseal key backup", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save unseal key backup: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
}
}
WIP
2018-05-18 04:17:52 +03:00
// If we are requiring validation, return now; otherwise save the recovery
// key
if c.recoveryRekeyConfig.VerificationRequired {
nonce, err := uuid.GenerateUUID()
if err != nil {
c.recoveryRekeyConfig = nil
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to generate verification nonce: %w", err).Error())
WIP
2018-05-18 04:17:52 +03:00
}
c.recoveryRekeyConfig.VerificationNonce = nonce
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
c.recoveryRekeyConfig.VerificationKey = newRecoveryKey
WIP
2018-05-18 04:17:52 +03:00
results.VerificationRequired = true
results.VerificationNonce = nonce
return results, nil
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
if err := c.performRecoveryRekey(ctx, newRecoveryKey); err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to perform recovery rekey: %w", err).Error())
WIP
2018-05-18 04:17:52 +03:00
}
c.recoveryRekeyConfig = nil
return results, nil
}
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
func (c *Core) performRecoveryRekey(ctx context.Context, newRootKey []byte) logical.HTTPCodedError {
if err := c.seal.SetRecoveryKey(ctx, newRootKey); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("failed to set recovery key", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to set recovery key: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
WIP
2018-05-18 04:17:52 +03:00
c.recoveryRekeyConfig.VerificationKey = nil
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
if err := c.seal.SetRecoveryConfig(ctx, c.recoveryRekeyConfig); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("error saving rekey seal configuration", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save rekey seal configuration: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
// Write to the canary path, which will force a synchronous truing during
// replication
Split SubView functionality into logical.StorageView (#6141) This lets other parts of Vault that can't depend on the vault package take advantage of the subview functionality. This also allows getting rid of BarrierStorage and vault.Entry, two totally redundant abstractions.
2019-01-31 17:25:18 +03:00
if err := c.barrier.Put(ctx, &logical.StorageEntry{
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
Key: coreKeyringCanaryPath,
Value: []byte(c.recoveryRekeyConfig.Nonce),
}); err != nil {
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 03:46:59 +03:00
c.logger.Error("error saving keyring canary", "error", err)
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to save keyring canary: %w", err).Error())
Do some porting to make diffing easier
2017-02-24 18:45:29 +03:00
}
Fix panic and update some text
2018-05-29 20:13:47 +03:00
c.recoveryRekeyConfig.RekeyProgress = nil
WIP
2018-05-18 04:17:52 +03:00
return nil
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError) {
WIP
2018-05-18 04:17:52 +03:00
// Ensure we are already unsealed
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
WIP
2018-05-18 04:17:52 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
WIP
2018-05-18 04:17:52 +03:00
}
// Verify the key length
min, max := c.barrier.KeyLength()
max += shamir.ShareOverhead
if len(key) < min {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is shorter than minimum %d bytes", min))
WIP
2018-05-18 04:17:52 +03:00
}
if len(key) > max {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("key is longer than maximum %d bytes", max))
WIP
2018-05-18 04:17:52 +03:00
}
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
config := c.barrierRekeyConfig
if recovery {
config = c.recoveryRekeyConfig
}
WIP
2018-05-18 04:17:52 +03:00
// Ensure a rekey is in progress
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if config == nil {
return nil, logical.CodedError(http.StatusBadRequest, "no rekey in progress")
WIP
2018-05-18 04:17:52 +03:00
}
Fix panic and update some text
2018-05-29 20:13:47 +03:00
if len(config.VerificationKey) == 0 {
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "no rekey verification in progress")
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if nonce != config.VerificationNonce {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("incorrect nonce supplied; nonce for this verify operation is %q", config.VerificationNonce))
Finish non-recovery test
2018-05-20 09:42:15 +03:00
}
WIP
2018-05-18 04:17:52 +03:00
// Check if we already have this piece
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
for _, existing := range config.VerificationProgress {
WIP
2018-05-18 04:30:39 +03:00
if subtle.ConstantTimeCompare(existing, key) == 1 {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "given key has already been provided during this verify operation")
WIP
2018-05-18 04:17:52 +03:00
}
}
// Store this key
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
config.VerificationProgress = append(config.VerificationProgress, key)
WIP
2018-05-18 04:17:52 +03:00
// Check if we don't have enough keys to unlock
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if len(config.VerificationProgress) < config.SecretThreshold {
WIP
2018-05-18 04:17:52 +03:00
if c.logger.IsDebug() {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.logger.Debug("cannot verify yet, not enough keys", "keys", len(config.VerificationProgress), "threshold", config.SecretThreshold)
WIP
2018-05-18 04:17:52 +03:00
}
return nil, nil
}
// Schedule the progress for forgetting and rotate the nonce if possible
defer func() {
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
config.VerificationProgress = nil
Fix introduced bug in refactor
2018-05-22 03:54:20 +03:00
if ret != nil && ret.Complete {
return
}
// Not complete, so rotate nonce
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
nonce, err := uuid.GenerateUUID()
Address feedback
2018-05-22 01:25:58 +03:00
if err == nil {
config.VerificationNonce = nonce
if ret != nil {
ret.Nonce = nonce
WIP
2018-05-18 04:17:52 +03:00
}
}
}()
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-12-07 04:12:20 +03:00
// Recover the root key or recovery key
WIP
2018-05-18 04:17:52 +03:00
var recoveredKey []byte
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if config.SecretThreshold == 1 {
recoveredKey = config.VerificationProgress[0]
WIP
2018-05-18 04:17:52 +03:00
} else {
Address review feedback
2018-05-21 21:47:00 +03:00
var err error
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
recoveredKey, err = shamir.Combine(config.VerificationProgress)
WIP
2018-05-18 04:17:52 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to compute key for verification: %w", err).Error())
WIP
2018-05-18 04:17:52 +03:00
}
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
if subtle.ConstantTimeCompare(recoveredKey, config.VerificationKey) != 1 {
WIP
2018-05-18 04:17:52 +03:00
c.logger.Error("rekey verification failed")
Failure to provide correct key shares isn't an internal error, it's a user error
2018-05-22 04:06:38 +03:00
return nil, logical.CodedError(http.StatusBadRequest, "rekey verification failed; incorrect key shares supplied")
WIP
2018-05-18 04:30:39 +03:00
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
switch recovery {
case false:
if err := c.performBarrierRekey(ctx, recoveredKey); err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to perform rekey: %w", err).Error())
WIP
2018-05-18 04:30:39 +03:00
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.barrierRekeyConfig = nil
default:
if err := c.performRecoveryRekey(ctx, recoveredKey); err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to perform recovery key rekey: %w", err).Error())
WIP
2018-05-18 04:30:39 +03:00
}
Factor out a bunch of shared code
2018-05-22 00:46:32 +03:00
c.recoveryRekeyConfig = nil
WIP
2018-05-18 04:30:39 +03:00
}
res := &RekeyVerifyResult{
Fix introduced bug in refactor
2018-05-22 03:54:20 +03:00
Nonce: config.VerificationNonce,
Complete: true,
WIP
2018-05-18 04:30:39 +03:00
}
return res, nil
}
// RekeyCancel is used to cancel an in-progress rekey
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyCancel(recovery bool) logical.HTTPCodedError {
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// Clear any progress or config
SealInterface
2016-04-04 17:44:22 +03:00
if recovery {
c.recoveryRekeyConfig = nil
} else {
c.barrierRekeyConfig = nil
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
return nil
}
Builds on top of #4600 to provide CLI support (#4605)
2018-05-28 07:39:53 +03:00
// RekeyVerifyRestart is used to start the verification process over
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyVerifyRestart(recovery bool) logical.HTTPCodedError {
WIP
2018-05-18 04:17:52 +03:00
c.stateLock.RLock()
defer c.stateLock.RUnlock()
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
WIP
2018-05-18 04:17:52 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
WIP
2018-05-18 04:17:52 +03:00
}
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
// Attempt to generate a new nonce, but don't bail if it doesn't succeed
// (which is extraordinarily unlikely)
nonce, nonceErr := uuid.GenerateUUID()
// Clear any progress or config
if recovery {
Fix panic in RekeyVerifyRestart (#9930) (#10099)
2020-10-07 21:06:17 +03:00
if c.recoveryRekeyConfig != nil {
c.recoveryRekeyConfig.VerificationProgress = nil
if nonceErr == nil {
c.recoveryRekeyConfig.VerificationNonce = nonce
}
WIP
2018-05-18 04:17:52 +03:00
}
} else {
Fix panic in RekeyVerifyRestart (#9930) (#10099)
2020-10-07 21:06:17 +03:00
if c.barrierRekeyConfig != nil {
c.barrierRekeyConfig.VerificationProgress = nil
if nonceErr == nil {
c.barrierRekeyConfig.VerificationNonce = nonce
}
WIP
2018-05-18 04:17:52 +03:00
}
}
return nil
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
// RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal
// keys
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyRetrieveBackup(ctx context.Context, recovery bool) (*RekeyBackup, logical.HTTPCodedError) {
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil, logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.rekeyLock.RLock()
defer c.rekeyLock.RUnlock()
var entry *physical.Entry
var err error
if recovery {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
entry, err = c.physical.Get(ctx, coreRecoveryUnsealKeysBackupPath)
SealInterface
2016-04-04 17:44:22 +03:00
} else {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 09:44:44 +03:00
entry, err = c.physical.Get(ctx, coreBarrierUnsealKeysBackupPath)
SealInterface
2016-04-04 17:44:22 +03:00
}
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error getting keys from backup: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if entry == nil {
return nil, nil
}
ret := &RekeyBackup{}
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 19:25:40 +03:00
err = jsonutil.DecodeJSON(entry.Value, ret)
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error decoding backup keys: %w", err).Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
return ret, nil
}
// RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
func (c *Core) RekeyDeleteBackup(ctx context.Context, recovery bool) logical.HTTPCodedError {
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered
2018-07-24 23:57:25 +03:00
if c.Sealed() {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
if c.standby {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return logical.CodedError(http.StatusBadRequest, consts.ErrStandby.Error())
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
SealInterface
2016-04-04 17:44:22 +03:00
c.rekeyLock.Lock()
defer c.rekeyLock.Unlock()
if recovery {
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
err := c.physical.Delete(ctx, coreRecoveryUnsealKeysBackupPath)
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error deleting backup keys: %w", err).Error())
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
}
return nil
}
err := c.physical.Delete(ctx, coreBarrierUnsealKeysBackupPath)
if err != nil {
vault: deprecate errwrap.Wrapf() (#11577)
2021-05-11 20:12:54 +03:00
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("error deleting backup keys: %w", err).Error())
SealInterface
2016-04-04 17:44:22 +03:00
}
Update rekey methods to indicate proper error codes in responses
2018-05-20 06:43:48 +03:00
return nil
Move rekey to its own files for cleanliness
2016-01-15 01:01:04 +03:00
}
Copy Permalink