/
path_keys_config.go
130 lines (109 loc) · 3.46 KB
/
path_keys_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
package awskms
import (
"context"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func (b *backend) pathKeysConfigCRUD() *framework.Path {
return &framework.Path{
Pattern: "keys/config/" + framework.GenericNameRegex("key"),
HelpSynopsis: "Configure the key in Vault",
HelpDescription: `
Update the Vault's configuration of this key such as the minimum allowed key
version and other metadata.
`,
Fields: map[string]*framework.FieldSchema{
"key": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
Name of the key in Vault.
`,
},
"min_version": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `
Minimum allowed crypto key version. If set to a positive value, key versions
less than the given value are not permitted to be used. If set to 0 or a
negative value, there is no minimum key version. This value only affects
encryption/re-encryption, not decryption. To restrict old values from being
decrypted, increase this value and then perform a trim operation.
`,
},
"max_version": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `
Maximum allowed crypto key version. If set to a positive value, key versions
greater than the given value are not permitted to be used. If set to 0 or a
negative value, there is no maximum key version.
`,
},
},
ExistenceCheck: b.pathKeysExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: withFieldValidator(b.pathKeysConfigRead),
logical.CreateOperation: withFieldValidator(b.pathKeysConfigWrite),
logical.UpdateOperation: withFieldValidator(b.pathKeysConfigWrite),
},
}
}
// pathKeysConfigRead corresponds to GET awskms/keys/config/:name and is used to
// show information about the key configuration in Vault.
func (b *backend) pathKeysConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
key := d.Get("key").(string)
k, err := b.Key(ctx, req.Storage, key)
if err != nil {
if err == ErrKeyNotFound {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
return nil, err
}
data := map[string]interface{}{
"name": k.Name,
"crypto_key": k.CryptoKeyID,
}
if k.MinVersion > 0 {
data["min_version"] = k.MinVersion
}
if k.MaxVersion > 0 {
data["max_version"] = k.MaxVersion
}
return &logical.Response{
Data: data,
}, nil
}
// pathKeysConfigWrite corresponds to PUT/POST awskms/keys/config/:key and
// configures information about the key in Vault.
func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
key := d.Get("key").(string)
k, err := b.Key(ctx, req.Storage, key)
if err != nil {
if err == ErrKeyNotFound {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
return nil, err
}
if v, ok := d.GetOk("min_version"); ok {
if v.(int) <= 0 {
k.MinVersion = 0
} else {
k.MinVersion = v.(int)
}
}
if v, ok := d.GetOk("max_version"); ok {
if v.(int) <= 0 {
k.MaxVersion = 0
} else {
k.MaxVersion = v.(int)
}
}
// Save it
entry, err := logical.StorageEntryJSON("keys/"+key, k)
if err != nil {
return nil, errwrap.Wrapf("failed to create storage entry: {{err}}", err)
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, errwrap.Wrapf("failed to write to storage: {{err}}", err)
}
return nil, nil
}