/builtin/logical/transit/path_config.go

https://github.com/hashicorp/vault · Go · 212 lines · 170 code · 34 blank · 8 comment · 40 complexity · 6366f7ba0cb58fbaeee36ec155397d29 MD5 · raw file 

    

  1. package transit
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"fmt"
    6. 

  6. 

  7. 	"github.com/hashicorp/vault/sdk/framework"
    8. 

  8. 	"github.com/hashicorp/vault/sdk/helper/keysutil"
    9. 

  9. 	"github.com/hashicorp/vault/sdk/logical"
    10. 

  10. )
    11. 

  11. 

  12. func (b *backend) pathConfig() *framework.Path {
    13. 

  13. 	return &framework.Path{
    14. 

  14. 		Pattern: "keys/" + framework.GenericNameRegex("name") + "/config",
    15. 

  15. 		Fields: map[string]*framework.FieldSchema{
    16. 

  16. 			"name": &framework.FieldSchema{
    17. 

  17. 				Type:        framework.TypeString,
    18. 

  18. 				Description: "Name of the key",
    19. 

  19. 			},
    20. 

  20. 

  21. 			"min_decryption_version": &framework.FieldSchema{
    22. 

  22. 				Type: framework.TypeInt,
    23. 

  23. 				Description: `If set, the minimum version of the key allowed
    24. 

  24. to be decrypted. For signing keys, the minimum
    25. 

  25. version allowed to be used for verification.`,
    26. 

  26. 			},
    27. 

  27. 

  28. 			"min_encryption_version": &framework.FieldSchema{
    29. 

  29. 				Type: framework.TypeInt,
    30. 

  30. 				Description: `If set, the minimum version of the key allowed
    31. 

  31. to be used for encryption; or for signing keys,
    32. 

  32. to be used for signing. If set to zero, only
    33. 

  33. the latest version of the key is allowed.`,
    34. 

  34. 			},
    35. 

  35. 

  36. 			"deletion_allowed": &framework.FieldSchema{
    37. 

  37. 				Type:        framework.TypeBool,
    38. 

  38. 				Description: "Whether to allow deletion of the key",
    39. 

  39. 			},
    40. 

  40. 

  41. 			"exportable": &framework.FieldSchema{
    42. 

  42. 				Type:        framework.TypeBool,
    43. 

  43. 				Description: `Enables export of the key. Once set, this cannot be disabled.`,
    44. 

  44. 			},
    45. 

  45. 

  46. 			"allow_plaintext_backup": &framework.FieldSchema{
    47. 

  47. 				Type:        framework.TypeBool,
    48. 

  48. 				Description: `Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.`,
    49. 

  49. 			},
    50. 

  50. 		},
    51. 

  51. 

  52. 		Callbacks: map[logical.Operation]framework.OperationFunc{
    53. 

  53. 			logical.UpdateOperation: b.pathConfigWrite,
    54. 

  54. 		},
    55. 

  55. 

  56. 		HelpSynopsis:    pathConfigHelpSyn,
    57. 

  57. 		HelpDescription: pathConfigHelpDesc,
    58. 

  58. 	}
    59. 

  59. }
    60. 

  60. 

  61. func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (resp *logical.Response, retErr error) {
    62. 

  62. 	name := d.Get("name").(string)
    63. 

  63. 

  64. 	// Check if the policy already exists before we lock everything
    65. 

  65. 	p, _, err := b.lm.GetPolicy(ctx, keysutil.PolicyRequest{
    66. 

  66. 		Storage: req.Storage,
    67. 

  67. 		Name:    name,
    68. 

  68. 	}, b.GetRandomReader())
    69. 

  69. 	if err != nil {
    70. 

  70. 		return nil, err
    71. 

  71. 	}
    72. 

  72. 	if p == nil {
    73. 

  73. 		return logical.ErrorResponse(
    74. 

  74. 				fmt.Sprintf("no existing key named %s could be found", name)),
    75. 

  75. 			logical.ErrInvalidRequest
    76. 

  76. 	}
    77. 

  77. 	if !b.System().CachingDisabled() {
    78. 

  78. 		p.Lock(true)
    79. 

  79. 	}
    80. 

  80. 	defer p.Unlock()
    81. 

  81. 

  82. 	originalMinDecryptionVersion := p.MinDecryptionVersion
    83. 

  83. 	originalMinEncryptionVersion := p.MinEncryptionVersion
    84. 

  84. 	originalDeletionAllowed := p.DeletionAllowed
    85. 

  85. 	originalExportable := p.Exportable
    86. 

  86. 	originalAllowPlaintextBackup := p.AllowPlaintextBackup
    87. 

  87. 

  88. 	defer func() {
    89. 

  89. 		if retErr != nil || (resp != nil && resp.IsError()) {
    90. 

  90. 			p.MinDecryptionVersion = originalMinDecryptionVersion
    91. 

  91. 			p.MinEncryptionVersion = originalMinEncryptionVersion
    92. 

  92. 			p.DeletionAllowed = originalDeletionAllowed
    93. 

  93. 			p.Exportable = originalExportable
    94. 

  94. 			p.AllowPlaintextBackup = originalAllowPlaintextBackup
    95. 

  95. 		}
    96. 

  96. 	}()
    97. 

  97. 

  98. 	resp = &logical.Response{}
    99. 

  99. 

  100. 	persistNeeded := false
    101. 

  101. 

  102. 	minDecryptionVersionRaw, ok := d.GetOk("min_decryption_version")
    103. 

  103. 	if ok {
    104. 

  104. 		minDecryptionVersion := minDecryptionVersionRaw.(int)
    105. 

  105. 

  106. 		if minDecryptionVersion < 0 {
    107. 

  107. 			return logical.ErrorResponse("min decryption version cannot be negative"), nil
    108. 

  108. 		}
    109. 

  109. 

  110. 		if minDecryptionVersion == 0 {
    111. 

  111. 			minDecryptionVersion = 1
    112. 

  112. 			resp.AddWarning("since Vault 0.3, transit key numbering starts at 1; forcing minimum to 1")
    113. 

  113. 		}
    114. 

  114. 

  115. 		if minDecryptionVersion != p.MinDecryptionVersion {
    116. 

  116. 			if minDecryptionVersion > p.LatestVersion {
    117. 

  117. 				return logical.ErrorResponse(
    118. 

  118. 					fmt.Sprintf("cannot set min decryption version of %d, latest key version is %d", minDecryptionVersion, p.LatestVersion)), nil
    119. 

  119. 			}
    120. 

  120. 			p.MinDecryptionVersion = minDecryptionVersion
    121. 

  121. 			persistNeeded = true
    122. 

  122. 		}
    123. 

  123. 	}
    124. 

  124. 

  125. 	minEncryptionVersionRaw, ok := d.GetOk("min_encryption_version")
    126. 

  126. 	if ok {
    127. 

  127. 		minEncryptionVersion := minEncryptionVersionRaw.(int)
    128. 

  128. 

  129. 		if minEncryptionVersion < 0 {
    130. 

  130. 			return logical.ErrorResponse("min encryption version cannot be negative"), nil
    131. 

  131. 		}
    132. 

  132. 

  133. 		if minEncryptionVersion != p.MinEncryptionVersion {
    134. 

  134. 			if minEncryptionVersion > p.LatestVersion {
    135. 

  135. 				return logical.ErrorResponse(
    136. 

  136. 					fmt.Sprintf("cannot set min encryption version of %d, latest key version is %d", minEncryptionVersion, p.LatestVersion)), nil
    137. 

  137. 			}
    138. 

  138. 			p.MinEncryptionVersion = minEncryptionVersion
    139. 

  139. 			persistNeeded = true
    140. 

  140. 		}
    141. 

  141. 	}
    142. 

  142. 

  143. 	// Check here to get the final picture after the logic on each
    144. 

  144. 	// individually. MinDecryptionVersion will always be 1 or above.
    145. 

  145. 	if p.MinEncryptionVersion > 0 &&
    146. 

  146. 		p.MinEncryptionVersion < p.MinDecryptionVersion {
    147. 

  147. 		return logical.ErrorResponse(
    148. 

  148. 			fmt.Sprintf("cannot set min encryption/decryption values; min encryption version of %d must be greater than or equal to min decryption version of %d", p.MinEncryptionVersion, p.MinDecryptionVersion)), nil
    149. 

  149. 	}
    150. 

  150. 

  151. 	allowDeletionInt, ok := d.GetOk("deletion_allowed")
    152. 

  152. 	if ok {
    153. 

  153. 		allowDeletion := allowDeletionInt.(bool)
    154. 

  154. 		if allowDeletion != p.DeletionAllowed {
    155. 

  155. 			p.DeletionAllowed = allowDeletion
    156. 

  156. 			persistNeeded = true
    157. 

  157. 		}
    158. 

  158. 	}
    159. 

  159. 

  160. 	// Add this as a guard here before persisting since we now require the min
    161. 

  161. 	// decryption version to start at 1; even if it's not explicitly set here,
    162. 

  162. 	// force the upgrade
    163. 

  163. 	if p.MinDecryptionVersion == 0 {
    164. 

  164. 		p.MinDecryptionVersion = 1
    165. 

  165. 		persistNeeded = true
    166. 

  166. 	}
    167. 

  167. 

  168. 	exportableRaw, ok := d.GetOk("exportable")
    169. 

  169. 	if ok {
    170. 

  170. 		exportable := exportableRaw.(bool)
    171. 

  171. 		// Don't unset the already set value
    172. 

  172. 		if exportable && !p.Exportable {
    173. 

  173. 			p.Exportable = exportable
    174. 

  174. 			persistNeeded = true
    175. 

  175. 		}
    176. 

  176. 	}
    177. 

  177. 

  178. 	allowPlaintextBackupRaw, ok := d.GetOk("allow_plaintext_backup")
    179. 

  179. 	if ok {
    180. 

  180. 		allowPlaintextBackup := allowPlaintextBackupRaw.(bool)
    181. 

  181. 		// Don't unset the already set value
    182. 

  182. 		if allowPlaintextBackup && !p.AllowPlaintextBackup {
    183. 

  183. 			p.AllowPlaintextBackup = allowPlaintextBackup
    184. 

  184. 			persistNeeded = true
    185. 

  185. 		}
    186. 

  186. 	}
    187. 

  187. 

  188. 	if !persistNeeded {
    189. 

  189. 		return nil, nil
    190. 

  190. 	}
    191. 

  191. 

  192. 	switch {
    193. 

  193. 	case p.MinAvailableVersion > p.MinEncryptionVersion:
    194. 

  194. 		return logical.ErrorResponse("min encryption version should not be less than min available version"), nil
    195. 

  195. 	case p.MinAvailableVersion > p.MinDecryptionVersion:
    196. 

  196. 		return logical.ErrorResponse("min decryption version should not be less then min available version"), nil
    197. 

  197. 	}
    198. 

  198. 

  199. 	if len(resp.Warnings) == 0 {
    200. 

  200. 		return nil, p.Persist(ctx, req.Storage)
    201. 

  201. 	}
    202. 

  202. 

  203. 	return resp, p.Persist(ctx, req.Storage)
    204. 

  204. }
    205. 

  205. 

  206. const pathConfigHelpSyn = `Configure a named encryption key`
    207. 

  207. 

  208. const pathConfigHelpDesc = `
    209. 

  209. This path is used to configure the named key. Currently, this
    210. 

  210. supports adjusting the minimum version of the key allowed to
    211. 

  211. be used for decryption via the min_decryption_version parameter.
    212. 

  212. `
    213.