Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Re-add lost stored-shares parameter to operator rekey command. #3974

Merged
merged 2 commits into from
Feb 14, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions command/operator_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -196,15 +196,6 @@ func (c *OperatorInitCommand) Flags() *FlagSets {
"is only used in HSM mode.",
})

f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0, // No default, because we need to check if was supplied
Completion: complete.PredictAnything,
Usage: "Number of unseal keys to store on an HSM. This must be equal to " +
"-key-shares. This is only used in HSM mode.",
})

// Deprecations
// TODO: remove in 0.9.0
f.BoolVar(&BoolVar{
Expand All @@ -222,6 +213,15 @@ func (c *OperatorInitCommand) Flags() *FlagSets {
Usage: "",
})

// Kept to keep scripts passing the flag working, but not used
f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0,
Hidden: true,
Usage: "",
})

return set
}

Expand Down Expand Up @@ -456,7 +456,7 @@ func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int
c.UI.Output("")
c.UI.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))

if req.StoredShares < 1 {
if len(resp.Keys) > 0 {
c.UI.Output("")
c.UI.Output(wrapAtLength(fmt.Sprintf(
"Vault initialized with %d key shares and a key threshold of %d. Please "+
Expand Down
17 changes: 14 additions & 3 deletions command/operator_rekey.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,10 @@ type OperatorRekeyCommand struct {

// Deprecations
// TODO: remove in 0.9.0
flagDelete bool
flagRecoveryKey bool
flagRetrieve bool
flagDelete bool
flagRecoveryKey bool
flagRetrieve bool
flagStoredShares int

testStdin io.Reader // for tests
}
Expand Down Expand Up @@ -231,6 +232,15 @@ func (c *OperatorRekeyCommand) Flags() *FlagSets {
Usage: "",
})

// Kept to keep scripts passing the flag working, but not used
f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0,
Hidden: true,
Usage: "",
})

return set
}

Expand Down Expand Up @@ -323,6 +333,7 @@ func (c *OperatorRekeyCommand) init(client *api.Client) int {
status, err := fn(&api.RekeyInitRequest{
SecretShares: c.flagKeyShares,
SecretThreshold: c.flagKeyThreshold,
StoredShares: c.flagStoredShares,
PGPKeys: c.flagPGPKeys,
Backup: c.flagBackup,
})
Expand Down
24 changes: 8 additions & 16 deletions http/sys_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,36 +69,28 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
// need to be a way to actually allow fetching of the generated keys by
// operators.
if core.SealAccess().StoredKeysSupported() {
if barrierConfig.SecretShares != 1 {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares must be 1"))
return
}
if barrierConfig.SecretThreshold != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret threshold must be same as secret shares"))
return
}
if barrierConfig.StoredShares != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored shares must be same as secret shares"))
return
}
if barrierConfig.PGPKeys != nil && len(barrierConfig.PGPKeys) > 0 {
if len(barrierConfig.PGPKeys) > 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("PGP keys not supported when storing shares"))
return
}
barrierConfig.SecretShares = 1
barrierConfig.SecretThreshold = 1
barrierConfig.StoredShares = 1
core.Logger().Warn("init: stored keys supported, forcing shares/threshold to 1")
} else {
if barrierConfig.StoredShares > 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported"))
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
return
}
}

if len(barrierConfig.PGPKeys) > 0 && len(barrierConfig.PGPKeys) != barrierConfig.SecretShares-barrierConfig.StoredShares {
if len(barrierConfig.PGPKeys) > 0 && len(barrierConfig.PGPKeys) != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys"))
return
}

if core.SealAccess().RecoveryKeySupported() {
if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares-recoveryConfig.StoredShares {
if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for recovery"))
return
}
Expand Down
17 changes: 11 additions & 6 deletions http/sys_rekey.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,16 +117,21 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool,
return
}

// If the seal supports recovery keys and stored keys, then we allow rekeying the barrier key
// iff the secret shares, secret threshold, and stored shares are set to 1.
if !recovery && core.SealAccess().RecoveryKeySupported() && core.SealAccess().StoredKeysSupported() {
if req.SecretShares != 1 || req.SecretThreshold != 1 || req.StoredShares != 1 {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares, secret threshold, and stored shares must be set to 1"))
// If the seal supports stored keys, and we are rekeying the barrier key,
// force the shares to 1
if !recovery && core.SealAccess().StoredKeysSupported() {
req.SecretShares = 1
req.SecretThreshold = 1
req.StoredShares = 1
core.Logger().Warn("rekey: stored keys supported, forcing shares/threshold to 1")
} else {
if req.StoredShares != 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
return
}
}

if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {
if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
return
}
Expand Down