Transit: Key Trim

builtin/logical/transit/backend.go

@@ -46,6 +46,7 @@ func Backend(conf *logical.BackendConfig) *backend {
 			b.pathVerify(),
 			b.pathBackup(),
 			b.pathRestore(),
+			b.pathTrim(),
 		},
 
 		Secrets:     []*framework.Secret{},

builtin/logical/transit/path_config.go

@@ -58,7 +58,7 @@ the latest version of the key is allowed.`,
 	}
 }
 
-func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (resp *logical.Response, retErr error) {
 	name := d.Get("name").(string)
 
 	// Check if the policy already exists before we lock everything
@@ -79,7 +79,23 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 	}
 	defer p.Unlock()
 
-	resp := &logical.Response{}
+	originalMinDecryptionVersion := p.MinDecryptionVersion
+	originalMinEncryptionVersion := p.MinEncryptionVersion
+	originalDeletionAllowed := p.DeletionAllowed
+	originalExportable := p.Exportable
+	originalAllowPlaintextBackup := p.AllowPlaintextBackup
+
+	defer func() {
+		if retErr != nil || (resp != nil && resp.IsError()) {
+			p.MinDecryptionVersion = originalMinDecryptionVersion
+			p.MinEncryptionVersion = originalMinEncryptionVersion
+			p.DeletionAllowed = originalDeletionAllowed
+			p.Exportable = originalExportable
+			p.AllowPlaintextBackup = originalAllowPlaintextBackup
+		}
+	}()
+
+	resp = &logical.Response{}
 
 	persistNeeded := false
 
@@ -173,6 +189,13 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		return nil, nil
 	}
 
+	switch {
+	case p.MinVersion > p.MinEncryptionVersion:
+		return logical.ErrorResponse("min encryption version should not be less than min version"), nil
+	case p.MinVersion > p.MinDecryptionVersion:
+		return logical.ErrorResponse("min decryption version should not be less then min version"), nil
+	}
+
 	if len(resp.Warnings) == 0 {
 		return nil, p.Persist(ctx, req.Storage)
 	}

builtin/logical/transit/path_config_test.go

@@ -14,7 +14,7 @@ func TestTransit_ConfigSettings(t *testing.T) {
 
 	doReq := func(req *logical.Request) *logical.Response {
 		resp, err := b.HandleRequest(context.Background(), req)
-		if err != nil {
+		if err != nil || (resp != nil && resp.IsError()) {
 			t.Fatalf("got err:\n%#v\nreq:\n%#v\n", err, *req)
 		}
 		return resp

builtin/logical/transit/path_keys.go

@@ -206,6 +206,7 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
 			"type":                   p.Type.String(),
 			"derived":                p.Derived,
 			"deletion_allowed":       p.DeletionAllowed,
+			"min_version":            p.MinVersion,
 			"min_decryption_version": p.MinDecryptionVersion,
 			"min_encryption_version": p.MinEncryptionVersion,
 			"latest_version":         p.LatestVersion,

builtin/logical/transit/path_trim.go

@@ -0,0 +1,101 @@
+package transit
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/vault/helper/keysutil"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+)
+
+func (b *backend) pathTrim() *framework.Path {
+	return &framework.Path{
+		Pattern: "keys/" + framework.GenericNameRegex("name") + "/trim",
+		Fields: map[string]*framework.FieldSchema{
+			"name": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "Name of the key",
+			},
+			"min_version": &framework.FieldSchema{
+				Type: framework.TypeInt,
+				Description: `The minimum version for the key ring. All versions before this version will be
+permanently deleted. This value can at most be equal to the lesser of
+'min_decryption_version' and 'min_encryption_version'. This is not allowed to
+be set when either 'min_encryption_version' or 'min_decryption_version' is set
+to zero.`,
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.UpdateOperation: b.pathTrimUpdate(),
+		},
+
+		HelpSynopsis:    pathTrimHelpSyn,
+		HelpDescription: pathTrimHelpDesc,
+	}
+}
+
+func (b *backend) pathTrimUpdate() framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (resp *logical.Response, retErr error) {
+		name := d.Get("name").(string)
+
+		p, _, err := b.lm.GetPolicy(ctx, keysutil.PolicyRequest{
+			Storage: req.Storage,
+			Name:    name,
+		})
+		if err != nil {
+			return nil, err
+		}
+		if p == nil {
+			return logical.ErrorResponse("invalid key name"), logical.ErrInvalidRequest
+		}
+		if !b.System().CachingDisabled() {
+			p.Lock(true)
+		}
+		defer p.Unlock()
+
+		minVersionRaw, ok := d.GetOk("min_version")
+		if !ok {
+			return logical.ErrorResponse("missing min_version"), nil
+		}
+
+		// Ensure that cache doesn't get corrupted in error cases
+		originalMinVersion := p.MinVersion
+		defer func() {
+			if retErr != nil || (resp != nil && resp.IsError()) {
+				p.MinVersion = originalMinVersion
+			}
+		}()
+
+		p.MinVersion = minVersionRaw.(int)
+
+		switch {
+		case p.MinVersion < originalMinVersion:
+			return logical.ErrorResponse("minimum version cannot be decremented"), nil
+		case p.MinEncryptionVersion == 0:
+			return logical.ErrorResponse("minimum version cannot be set when minimum encryption version is not set"), nil
+		case p.MinDecryptionVersion == 0:
+			return logical.ErrorResponse("minimum version cannot be set when minimum decryption version is not set"), nil
+		case p.MinVersion > p.MinEncryptionVersion:
+			return logical.ErrorResponse("minimum version cannot be greater than minmum encryption version"), nil
+		case p.MinVersion > p.MinDecryptionVersion:
+			return logical.ErrorResponse("minimum version cannot be greater than minimum decryption version"), nil
+		case p.MinVersion < 0:
+			return logical.ErrorResponse("minimum version cannot be negative"), nil
+		case p.MinVersion == 0:
+			return logical.ErrorResponse("minimum version should be positive"), nil
+		case p.MinVersion < p.MinVersion:
+			return logical.ErrorResponse(fmt.Sprintf("minimum version cannot be less than the already set value of %d", p.MinVersion)), nil
+		}
+
+		return nil, p.Persist(ctx, req.Storage)
+	}
+}
+
+const pathTrimHelpSyn = `Trim key versions of a named key`
+
+const pathTrimHelpDesc = `
+This path is used to trim key versions of a named key. Trimming only happens
+from the lower end of version numbers.
+`