[Review Only] Autoseal OSS port (#757)

* Port awskms autoseal * Rename files * WIP autoseal * Fix protobuf conflict * Expose some structs to properly allow encrypting stored keys * Update awskms with the latest changes * Add KeyGuard implementation to abstract encryption/decryption of keys * Fully decouple seal.Access implementations from sealwrap structs * Add extra line to proto files, comment update * Update seal_access_entry.go * govendor sync * Add endpoint info to configureAWSKMSSeal * Update comment * Refactor structs * Update make proto * Remove remove KeyGuard, move encrypt/decrypt to autoSeal * Add rest of seals, update VerifyRecoveryKeys, add deps * Fix some merge conflicts via govendor updates * Rename SealWrapEntry to EncryptedBlobInfo * Remove barrier type upgrade check in oss * Add key to EncryptedBlobInfo proto * Update barrierTypeUpgradeCheck signature
hashicorp · Oct 19, 2018 · 3d1f0d7 · 3d1f0d7 · richard-mauri · Oct 30, 2018
1 parent db2bdbb
commit 3d1f0d7
Show file tree

Hide file tree

Showing 65 changed files with 29,804 additions and 41 deletions.
diff --git a/Makefile b/Makefile
@@ -147,9 +147,9 @@ proto:
 	protoc helper/identity/types.proto --go_out=plugins=grpc:../../..
 	protoc builtin/logical/database/dbplugin/*.proto --go_out=plugins=grpc:../../..
 	protoc logical/plugin/pb/*.proto --go_out=plugins=grpc:../../..
-	sed -i '1s;^;// +build !enterprise\n;' physical/types.pb.go
 	sed -i '1s;^;// +build !enterprise\n;' helper/identity/mfa/types.pb.go
 	sed -i -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/protobuf:"/sentinel:"" protobuf:"/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/BoundCidrs/BoundCIDRs/' helper/identity/types.pb.go helper/storagepacker/types.pb.go logical/plugin/pb/backend.pb.go logical/identity.pb.go
+	sed -i -e 's/Iv/IV/' -e 's/Hmac/HMAC/' physical/types.pb.go
 
 fmtcheck:
 	@true

diff --git a/command/server/config.go b/command/server/config.go
@@ -735,6 +735,7 @@ func parseSeal(result *Config, list *ast.ObjectList, blockName string) error {
 	// Valid parameter for the Seal types
 	switch key {
 	case "pkcs11":
+	case "alicloudkms":
 	case "awskms":
 	case "gcpckms":
 	case "azurekeyvault":

diff --git a/command/server/seal/server_seal.go b/command/server/seal/server_seal.go
@@ -1,6 +1,9 @@
 package seal
 
 import (
+	"fmt"
+	"os"
+
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/vault"
@@ -11,5 +14,32 @@ var (
 )
 
 func configureSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (seal vault.Seal, err error) {
+	if config.Seal != nil || os.Getenv("VAULT_SEAL_TYPE") != "" {
+		if config.Seal == nil {
+			config.Seal = &server.Seal{
+				Type: os.Getenv("VAULT_SEAL_TYPE"),
+			}
+		}
+		switch config.Seal.Type {
+		case "alicloudkms":
+			return configureAliCloudKMSSeal(config, infoKeys, info, logger, inseal)
+
+		case "awskms":
+			return configureAWSKMSSeal(config, infoKeys, info, logger, inseal)
+
+		case "gcpckms":
+			return configureGCPCKMSSeal(config, infoKeys, info, logger, inseal)
+
+		case "azurekeyvault":
+			return configureAzureKeyVaultSeal(config, infoKeys, info, logger, inseal)
+
+		case "pkcs11":
+			return nil, fmt.Errorf("Seal type 'pkcs11' requires the Vault Enterprise HSM binary")
+
+		default:
+			return nil, fmt.Errorf("Unknown seal type %q", config.Seal.Type)
+		}
+	}
+
 	return inseal, nil
 }
diff --git a/command/server/seal/server_seal_alicloudkms.go b/command/server/seal/server_seal_alicloudkms.go
@@ -0,0 +1,33 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/alicloudkms"
+)
+
+func configureAliCloudKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := alicloudkms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "AliCloud KMS Region", "AliCloud KMS KeyID")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["AliCloud KMS Region"] = kmsInfo["region"]
+		(*info)["AliCloud KMS KeyID"] = kmsInfo["kms_key_id"]
+		if domain, ok := kmsInfo["domain"]; ok {
+			*infoKeys = append(*infoKeys, "AliCloud KMS Domain")
+			(*info)["AliCloud KMS Domain"] = domain
+		}
+	}
+	return autoseal, nil
+}
diff --git a/command/server/seal/server_seal_awskms.go b/command/server/seal/server_seal_awskms.go
@@ -0,0 +1,33 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/awskms"
+)
+
+func configureAWSKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := awskms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "AWS KMS Region", "AWS KMS KeyID")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["AWS KMS Region"] = kmsInfo["region"]
+		(*info)["AWS KMS KeyID"] = kmsInfo["kms_key_id"]
+		if endpoint, ok := kmsInfo["endpoint"]; ok {
+			*infoKeys = append(*infoKeys, "AWS KMS Endpoint")
+			(*info)["AWS KMS Endpoint"] = endpoint
+		}
+	}
+	return autoseal, nil
+}
diff --git a/command/server/seal/server_seal_azurekeyvault.go b/command/server/seal/server_seal_azurekeyvault.go
@@ -0,0 +1,30 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/azurekeyvault"
+)
+
+func configureAzureKeyVaultSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kv := azurekeyvault.NewSeal(logger)
+	kvInfo, err := kv.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kv)
+	if kvInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "Azure Environment", "Azure Vault Name", "Azure Key Name")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["Azure Environment"] = kvInfo["environment"]
+		(*info)["Azure Vault Name"] = kvInfo["vault_name"]
+		(*info)["Azure Key Name"] = kvInfo["key_name"]
+	}
+	return autoseal, nil
+}
diff --git a/command/server/seal/server_seal_gcpckms.go b/command/server/seal/server_seal_gcpckms.go
@@ -0,0 +1,31 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/gcpckms"
+)
+
+func configureGCPCKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := gcpckms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "GCP KMS Project", "GCP KMS Region", "GCP KMS Key Ring", "GCP KMS Crypto Key")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["GCP KMS Project"] = kmsInfo["project"]
+		(*info)["GCP KMS Region"] = kmsInfo["region"]
+		(*info)["GCP KMS Key Ring"] = kmsInfo["key_ring"]
+		(*info)["GCP KMS Crypto Key"] = kmsInfo["crypto_key"]
+	}
+	return autoseal, nil
+}