-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Transit: Key Trim #5388
Merged
Merged
Transit: Key Trim #5388
Changes from 13 commits
Commits
Show all changes
14 commits
Select commit
Hold shift + click to select a range
d820d1f
Support key trimming
vishalnayak c041bb0
Merge branch 'master-oss' into transit-key-trim
vishalnayak 07689b1
Add doc
vishalnayak e9147fb
Merge branch 'master-oss' into transit-key-trim
vishalnayak 0bfd5fc
Move trimming to its own endpoint
vishalnayak fb43329
Remove trimmed_min_version field from config endpoint
vishalnayak e472dff
Fix description
vishalnayak f3195a2
Doc updates
vishalnayak 4dae783
Merge branch 'master-oss' into transit-key-trim
vishalnayak 341ad43
Fix response json in docs
vishalnayak 24589c0
Address review feedback
vishalnayak 6687dcb
s/min_version/min_available_version
vishalnayak f09c5fc
Commenting and error statement updates
vishalnayak 8cbbc09
Merge branch 'master-oss' into transit-key-trim
vishalnayak File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
package transit | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/hashicorp/vault/helper/keysutil" | ||
"github.com/hashicorp/vault/logical" | ||
"github.com/hashicorp/vault/logical/framework" | ||
) | ||
|
||
func (b *backend) pathTrim() *framework.Path { | ||
return &framework.Path{ | ||
Pattern: "keys/" + framework.GenericNameRegex("name") + "/trim", | ||
Fields: map[string]*framework.FieldSchema{ | ||
"name": &framework.FieldSchema{ | ||
Type: framework.TypeString, | ||
Description: "Name of the key", | ||
}, | ||
"min_available_version": &framework.FieldSchema{ | ||
Type: framework.TypeInt, | ||
Description: ` | ||
The minimum available version for the key ring. All versions before this | ||
version will be permanently deleted. This value can at most be equal to the | ||
lesser of 'min_decryption_version' and 'min_encryption_version'. This is not | ||
allowed to be set when either 'min_encryption_version' or | ||
'min_decryption_version' is set to zero.`, | ||
}, | ||
}, | ||
|
||
Callbacks: map[logical.Operation]framework.OperationFunc{ | ||
logical.UpdateOperation: b.pathTrimUpdate(), | ||
}, | ||
|
||
HelpSynopsis: pathTrimHelpSyn, | ||
HelpDescription: pathTrimHelpDesc, | ||
} | ||
} | ||
|
||
func (b *backend) pathTrimUpdate() framework.OperationFunc { | ||
return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (resp *logical.Response, retErr error) { | ||
name := d.Get("name").(string) | ||
|
||
p, _, err := b.lm.GetPolicy(ctx, keysutil.PolicyRequest{ | ||
Storage: req.Storage, | ||
Name: name, | ||
}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if p == nil { | ||
return logical.ErrorResponse("invalid key name"), logical.ErrInvalidRequest | ||
} | ||
if !b.System().CachingDisabled() { | ||
p.Lock(true) | ||
} | ||
defer p.Unlock() | ||
|
||
minAvailableVersionRaw, ok := d.GetOk("min_available_version") | ||
if !ok { | ||
return logical.ErrorResponse("missing min_available_version"), nil | ||
} | ||
minAvailableVersion := minAvailableVersionRaw.(int) | ||
|
||
originalMinAvailableVersion := p.MinAvailableVersion | ||
|
||
switch { | ||
case minAvailableVersion < originalMinAvailableVersion: | ||
return logical.ErrorResponse("minimum available version cannot be decremented"), nil | ||
case p.MinEncryptionVersion == 0: | ||
return logical.ErrorResponse("minimum available version cannot be set when minimum encryption version is not set"), nil | ||
case p.MinDecryptionVersion == 0: | ||
return logical.ErrorResponse("minimum available version cannot be set when minimum decryption version is not set"), nil | ||
case minAvailableVersion > p.MinEncryptionVersion: | ||
return logical.ErrorResponse("minimum available version cannot be greater than minmum encryption version"), nil | ||
case minAvailableVersion > p.MinDecryptionVersion: | ||
return logical.ErrorResponse("minimum available version cannot be greater than minimum decryption version"), nil | ||
case minAvailableVersion < 0: | ||
return logical.ErrorResponse("minimum available version cannot be negative"), nil | ||
case minAvailableVersion == 0: | ||
return logical.ErrorResponse("minimum available version should be positive"), nil | ||
} | ||
|
||
// Ensure that cache doesn't get corrupted in error cases | ||
p.MinAvailableVersion = minAvailableVersion | ||
if err := p.Persist(ctx, req.Storage); err != nil { | ||
p.MinAvailableVersion = originalMinAvailableVersion | ||
return nil, err | ||
} | ||
|
||
return nil, nil | ||
} | ||
} | ||
|
||
const pathTrimHelpSyn = `Trim key versions of a named key` | ||
|
||
const pathTrimHelpDesc = ` | ||
This path is used to trim key versions of a named key. Trimming only happens | ||
from the lower end of version numbers. | ||
` |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the intent is that
p.Persist
in thereturn
restores the old values. Does thisdefer
approach work? Won't the updates top
take place after thePersist
call runs? Or did you intend to call Persist in this function? Maybe one of the test case demonstrates this but it wasn't obvious which one.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The policy is responded from the cache. The pointer to the policy is being modified in this function. Even if this function errors out, the policy in the cache gets modified accidentally. This is even before the
p.Persist
is being called.p.Persist
however is already doing the right thing. So, this function is only trying to restore values in policy that it is touching.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, didn't notice that
p
is pointing into the cache. Makes sense then.