zhars/extend_acra_keys_destroy (#625)

Extend acra-keys destroy with keys
cossacklabs · Jan 27, 2023 · 6f544a9 · 6f544a9
1 parent 1df8594
commit 6f544a9
Show file tree

Hide file tree

Showing 12 changed files with 599 additions and 30 deletions.
diff --git a/CHANGELOG_DEV.md b/CHANGELOG_DEV.md
@@ -1,6 +1,9 @@
 # 0.94.0 - 2023-01-24
 - Remove testing on the old versions of golang, leave only last fresh version
 
+# 0.94.0 - 2023-01-11
+- Extend `acra-keys` `destroy` tools with all key types destruction support;
+
 # 0.94.0 - 2023-01-11
 - Improved TLS configuration, `tls_ocsp_*` and `tls_crl_*` applied for TLS connections without `tls_ocsp_[client|database]_*`/`tls_crl_[client|database]_*` flags.g
 

diff --git a/cmd/acra-keys/keys/command-line.go b/cmd/acra-keys/keys/command-line.go
@@ -23,11 +23,12 @@ import (
 	"os"
 	"strings"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/cossacklabs/acra/cmd"
 	keystoreV1 "github.com/cossacklabs/acra/keystore"
 	"github.com/cossacklabs/acra/logging"
 	"github.com/cossacklabs/acra/utils"
-	log "github.com/sirupsen/logrus"
 )
 
 // ServiceName constant for logging and configuration parsing.
@@ -53,14 +54,16 @@ const (
 
 // Key kind constants:
 const (
-	KeyPoisonKeypair  = "poison-keypair"
-	KeyPoisonPublic   = "poison-public"
-	KeyPoisonPrivate  = "poison-private"
-	KeyStorageKeypair = "storage-keypair"
-	KeyStoragePublic  = "storage-public"
-	KeyStoragePrivate = "storage-private"
+	KeyPoisonKeypair   = "poison-keypair"
+	KeyPoisonSymmetric = "poison-symmetric"
+	KeyPoisonPublic    = "poison-public"
+	KeyPoisonPrivate   = "poison-private"
+	KeyStorageKeypair  = "storage-keypair"
+	KeyStoragePublic   = "storage-public"
+	KeyStoragePrivate  = "storage-private"
 
 	KeySymmetric = "symmetric-key"
+	KeySearch    = "hmac-key"
 )
 
 // Comman-line parsing errors:
@@ -158,6 +161,8 @@ func ParseKeyKind(keyID string) (string, []byte, error) {
 		switch parts[0] {
 		case "poison-record":
 			return KeyPoisonKeypair, nil, nil
+		case "poison-record-symmetric":
+			return KeyPoisonSymmetric, nil, nil
 		}
 	}
 	if len(parts) == 3 {
@@ -168,6 +173,8 @@ func ParseKeyKind(keyID string) (string, []byte, error) {
 				return KeySymmetric, id, nil
 			case "storage":
 				return KeyStorageKeypair, id, nil
+			case "searchable":
+				return KeySearch, id, nil
 			}
 		}
 		log.Warningln("Zone keys are deprecated since 0.94.0 and will be removed soon.")

diff --git a/cmd/acra-keys/keys/destroy-key.go b/cmd/acra-keys/keys/destroy-key.go
@@ -21,9 +21,10 @@ import (
 	"fmt"
 	"os"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/cossacklabs/acra/cmd"
 	"github.com/cossacklabs/acra/keystore"
-	log "github.com/sirupsen/logrus"
 )
 
 // SupportedDestroyKeyKinds is a list of keys supported by `destroy-key` subcommand.
@@ -82,14 +83,23 @@ func (p *DestroyKeySubcommand) Parse(arguments []string) error {
 		log.Errorf("\"%s\" command does not support more than one key kind", CmdDestroyKey)
 		return ErrMultipleKeyKinds
 	}
-	coarseKind, _, err := ParseKeyKind(args[0])
+
+	coarseKind, id, err := ParseKeyKind(args[0])
 	if err != nil {
 		return err
 	}
 	switch coarseKind {
+	case KeyPoisonKeypair, KeyPoisonSymmetric:
+		p.destroyKeyKind = coarseKind
+
+	case KeySymmetric, KeyStorageKeypair, KeySearch:
+		p.destroyKeyKind = coarseKind
+		p.contextID = id
 	default:
 		return ErrUnknownKeyKind
 	}
+
+	return nil
 }
 
 // Execute this subcommand.
@@ -115,7 +125,43 @@ func (p *DestroyKeySubcommand) ClientID() []byte {
 func DestroyKey(params DestroyKeyParams, keyStore keystore.KeyMaking) error {
 	kind := params.DestroyKeyKind()
 	switch kind {
-	// TODO: without transport keys the command looks strange - update `destroy` to support other keys
+	case KeyPoisonKeypair:
+		err := keyStore.DestroyPoisonKeyPair()
+		if err != nil {
+			log.WithError(err).Error("Cannot destroy poison record key pair")
+			return err
+		}
+		return nil
+	case KeyPoisonSymmetric:
+		err := keyStore.DestroyPoisonSymmetricKey()
+		if err != nil {
+			log.WithError(err).Error("Cannot destroy poison record symmetric key")
+			return err
+		}
+		return nil
+
+	case KeyStorageKeypair:
+		err := keyStore.DestroyClientIDEncryptionKeyPair(params.ClientID())
+		if err != nil {
+			log.WithError(err).Error("Cannot destroy client storage key pair")
+			return err
+		}
+		return nil
+
+	case KeySymmetric:
+		err := keyStore.DestroyClientIDSymmetricKey(params.ClientID())
+		if err != nil {
+			log.WithError(err).Error("Cannot destroy client symmetric key")
+			return err
+		}
+		return nil
+	case KeySearch:
+		err := keyStore.DestroyHmacSecretKey(params.ClientID())
+		if err != nil {
+			log.WithError(err).Error("Cannot destroy client hmac key")
+			return err
+		}
+		return nil
 	default:
 		log.WithField("expected", SupportedDestroyKeyKinds).Errorf("Unknown key kind: %s", kind)
 		return ErrUnknownKeyKind