Exemplo n.º 1
0
func (c *ServerCommand) enableDev(core *vault.Core) (*vault.InitResult, error) {
	// Initialize it with a basic single key
	init, err := core.Initialize(&vault.SealConfig{
		SecretShares:    1,
		SecretThreshold: 1,
	})
	if err != nil {
		return nil, err
	}

	// Copy the key so that it can be zeroed
	key := make([]byte, len(init.SecretShares[0]))
	copy(key, init.SecretShares[0])

	// Unseal the core
	unsealed, err := core.Unseal(key)
	if err != nil {
		return nil, err
	}
	if !unsealed {
		return nil, fmt.Errorf("failed to unseal Vault for dev mode")
	}

	// Set the token
	tokenHelper, err := c.TokenHelper()
	if err != nil {
		return nil, err
	}
	if err := tokenHelper.Store(init.RootToken); err != nil {
		return nil, err
	}

	return init, nil
}
Exemplo n.º 2
0
func handleSysUnseal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "PUT":
		case "POST":
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Parse the request
		var req UnsealRequest
		if err := parseRequest(r, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}
		if !req.Reset && req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must specified in request body as JSON, or 'reset' set to true"))
			return
		}

		if req.Reset {
			sealed, err := core.Sealed()
			if err != nil {
				respondError(w, http.StatusInternalServerError, err)
				return
			}
			if !sealed {
				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
				return
			}
			core.ResetUnsealProcess()
		} else {
			// Decode the key, which is hex encoded
			key, err := hex.DecodeString(req.Key)
			if err != nil {
				respondError(
					w, http.StatusBadRequest,
					errors.New("'key' must be a valid hex-string"))
				return
			}

			// Attempt the unseal
			if _, err := core.Unseal(key); err != nil {
				// Ignore ErrInvalidKey because its a user error that we
				// mask away. We just show them the seal status.
				if !errwrap.ContainsType(err, new(vault.ErrInvalidKey)) {
					respondError(w, http.StatusInternalServerError, err)
					return
				}
			}
		}

		// Return the seal status
		handleSysSealStatusRaw(core, w, r)
	})
}
Exemplo n.º 3
0
func parseDecryptAndTestUnsealKeys(t *testing.T,
	input, rootToken string,
	fingerprints bool,
	backupKeys map[string][]string,
	core *vault.Core) {
	decoder := base64.StdEncoding
	priv1Bytes, err := decoder.DecodeString(privKey1)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 1: %s", err)
	}
	priv2Bytes, err := decoder.DecodeString(privKey2)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 2: %s", err)
	}
	priv3Bytes, err := decoder.DecodeString(privKey3)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 3: %s", err)
	}

	privBytes := [][]byte{
		priv1Bytes,
		priv2Bytes,
		priv3Bytes,
	}

	var re *regexp.Regexp
	if fingerprints {
		re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value:\\s+(.*)")
	} else {
		re, err = regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
	}
	if err != nil {
		t.Fatalf("Error compiling regex: %s", err)
	}
	matches := re.FindAllStringSubmatch(input, -1)
	if len(matches) != 3 {
		t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
	}

	encodedKeys := []string{}
	matchedFingerprints := []string{}
	for _, tuple := range matches {
		if fingerprints {
			if len(tuple) != 3 {
				t.Fatalf("Key not found: %#v", tuple)
			}
			matchedFingerprints = append(matchedFingerprints, tuple[1])
			encodedKeys = append(encodedKeys, tuple[2])
		} else {
			if len(tuple) != 2 {
				t.Fatalf("Key not found: %#v", tuple)
			}
			encodedKeys = append(encodedKeys, tuple[1])
		}
	}

	if backupKeys != nil && len(matchedFingerprints) != 0 {
		testMap := map[string][]string{}
		for i, v := range matchedFingerprints {
			testMap[v] = append(testMap[v], encodedKeys[i])
			sort.Strings(testMap[v])
		}
		if !reflect.DeepEqual(testMap, backupKeys) {
			t.Fatalf("test map and backup map do not match, test map is\n%#v\nbackup map is\n%#v", testMap, backupKeys)
		}
	}

	unsealKeys := []string{}
	ptBuf := bytes.NewBuffer(nil)
	for i, keyHex := range privBytes {
		if i > 2 {
			break
		}
		ptBuf.Reset()
		entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
		if err != nil {
			t.Fatalf("Error parsing private key %d: %s", i, err)
		}
		keyBytes, err := hex.DecodeString(encodedKeys[i])
		if err != nil {
			t.Fatalf("Error hex-decoding key %d: %s", i, err)
		}
		entityList := &openpgp.EntityList{entity}
		md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
		if err != nil {
			t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
		}
		ptBuf.ReadFrom(md.UnverifiedBody)
		unsealKeys = append(unsealKeys, ptBuf.String())
	}

	err = core.Seal(rootToken)
	if err != nil {
		t.Fatalf("Error sealing vault with provided root token: %s", err)
	}

	for i, unsealKey := range unsealKeys {
		unsealBytes, err := hex.DecodeString(unsealKey)
		if err != nil {
			t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
		}
		unsealed, err := core.Unseal(unsealBytes)
		if err != nil {
			t.Fatalf("Error using unseal key %s: %s", unsealKey, err)
		}
		if i >= 2 && !unsealed {
			t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
		}
	}

}
Exemplo n.º 4
0
func (c *ServerCommand) enableDev(core *vault.Core, rootTokenID string) (*vault.InitResult, error) {
	// Initialize it with a basic single key
	init, err := core.Initialize(&vault.SealConfig{
		SecretShares:    1,
		SecretThreshold: 1,
	}, nil)
	if err != nil {
		return nil, err
	}

	// Copy the key so that it can be zeroed
	key := make([]byte, len(init.SecretShares[0]))
	copy(key, init.SecretShares[0])

	// Unseal the core
	unsealed, err := core.Unseal(key)
	if err != nil {
		return nil, err
	}
	if !unsealed {
		return nil, fmt.Errorf("failed to unseal Vault for dev mode")
	}

	if rootTokenID != "" {
		req := &logical.Request{
			Operation:   logical.UpdateOperation,
			ClientToken: init.RootToken,
			Path:        "auth/token/create",
			Data: map[string]interface{}{
				"id":                rootTokenID,
				"policies":          []string{"root"},
				"no_parent":         true,
				"no_default_policy": true,
			},
		}
		resp, err := core.HandleRequest(req)
		if err != nil {
			return nil, fmt.Errorf("failed to create root token with ID %s: %s", rootTokenID, err)
		}
		if resp == nil {
			return nil, fmt.Errorf("nil response when creating root token with ID %s", rootTokenID)
		}
		if resp.Auth == nil {
			return nil, fmt.Errorf("nil auth when creating root token with ID %s", rootTokenID)
		}

		init.RootToken = resp.Auth.ClientToken

		req.Path = "auth/token/revoke-self"
		req.Data = nil
		resp, err = core.HandleRequest(req)
		if err != nil {
			return nil, fmt.Errorf("failed to revoke initial root token: %s", err)
		}
	}

	// Set the token
	tokenHelper, err := c.TokenHelper()
	if err != nil {
		return nil, err
	}
	if err := tokenHelper.Store(init.RootToken); err != nil {
		return nil, err
	}

	return init, nil
}
Exemplo n.º 5
0
func (c *ServerCommand) enableDev(core *vault.Core, rootTokenID string) (*vault.InitResult, error) {
	// Initialize it with a basic single key
	init, err := core.Initialize(&vault.InitParams{
		BarrierConfig: &vault.SealConfig{
			SecretShares:    1,
			SecretThreshold: 1,
		},
		RecoveryConfig: nil,
	})
	if err != nil {
		return nil, err
	}

	// Copy the key so that it can be zeroed
	key := make([]byte, len(init.SecretShares[0]))
	copy(key, init.SecretShares[0])

	// Unseal the core
	unsealed, err := core.Unseal(key)
	if err != nil {
		return nil, err
	}
	if !unsealed {
		return nil, fmt.Errorf("failed to unseal Vault for dev mode")
	}

	isLeader, _, err := core.Leader()
	if err != nil && err != vault.ErrHANotEnabled {
		return nil, fmt.Errorf("failed to check active status: %v", err)
	}
	if err == nil {
		leaderCount := 5
		for !isLeader {
			if leaderCount == 0 {
				buf := make([]byte, 1<<16)
				runtime.Stack(buf, true)
				return nil, fmt.Errorf("failed to get active status after five seconds; call stack is\n%s\n", buf)
			}
			time.Sleep(1 * time.Second)
			isLeader, _, err = core.Leader()
			if err != nil {
				return nil, fmt.Errorf("failed to check active status: %v", err)
			}
			leaderCount--
		}
	}

	if rootTokenID != "" {
		req := &logical.Request{
			ID:          "dev-gen-root",
			Operation:   logical.UpdateOperation,
			ClientToken: init.RootToken,
			Path:        "auth/token/create",
			Data: map[string]interface{}{
				"id":                rootTokenID,
				"policies":          []string{"root"},
				"no_parent":         true,
				"no_default_policy": true,
			},
		}
		resp, err := core.HandleRequest(req)
		if err != nil {
			return nil, fmt.Errorf("failed to create root token with ID %s: %s", rootTokenID, err)
		}
		if resp == nil {
			return nil, fmt.Errorf("nil response when creating root token with ID %s", rootTokenID)
		}
		if resp.Auth == nil {
			return nil, fmt.Errorf("nil auth when creating root token with ID %s", rootTokenID)
		}

		init.RootToken = resp.Auth.ClientToken

		req.ID = "dev-revoke-init-root"
		req.Path = "auth/token/revoke-self"
		req.Data = nil
		resp, err = core.HandleRequest(req)
		if err != nil {
			return nil, fmt.Errorf("failed to revoke initial root token: %s", err)
		}
	}

	// Set the token
	tokenHelper, err := c.TokenHelper()
	if err != nil {
		return nil, err
	}
	if err := tokenHelper.Store(init.RootToken); err != nil {
		return nil, err
	}

	return init, nil
}
Exemplo n.º 6
0
func handleSysUnseal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "PUT":
		case "POST":
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Parse the request
		var req UnsealRequest
		if err := parseRequest(r, w, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}
		if !req.Reset && req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must specified in request body as JSON, or 'reset' set to true"))
			return
		}

		if req.Reset {
			sealed, err := core.Sealed()
			if err != nil {
				respondError(w, http.StatusInternalServerError, err)
				return
			}
			if !sealed {
				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
				return
			}
			core.ResetUnsealProcess()
		} else {
			// Decode the key, which is base64 or hex encoded
			min, max := core.BarrierKeyLength()
			key, err := hex.DecodeString(req.Key)
			// We check min and max here to ensure that a string that is base64
			// encoded but also valid hex will not be valid and we instead base64
			// decode it
			if err != nil || len(key) < min || len(key) > max {
				key, err = base64.StdEncoding.DecodeString(req.Key)
				if err != nil {
					respondError(
						w, http.StatusBadRequest,
						errors.New("'key' must be a valid hex or base64 string"))
					return
				}
			}

			// Attempt the unseal
			if _, err := core.Unseal(key); err != nil {
				switch {
				case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
				case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
				case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
				case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
				case errwrap.Contains(err, vault.ErrStandby.Error()):
				default:
					respondError(w, http.StatusInternalServerError, err)
					return
				}
				respondError(w, http.StatusBadRequest, err)
				return
			}
		}

		// Return the seal status
		handleSysSealStatusRaw(core, w, r)
	})
}
Exemplo n.º 7
0
func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *vault.Core) {
	decoder := base64.StdEncoding
	priv1Bytes, err := decoder.DecodeString(privKey1)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 1: %s", err)
	}
	priv2Bytes, err := decoder.DecodeString(privKey2)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 2: %s", err)
	}
	priv3Bytes, err := decoder.DecodeString(privKey3)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 3: %s", err)
	}

	privBytes := [][]byte{
		priv1Bytes,
		priv2Bytes,
		priv3Bytes,
	}

	re, err := regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
	if err != nil {
		t.Fatalf("Error compiling regex: %s", err)
	}
	matches := re.FindAllStringSubmatch(input, -1)
	if len(matches) != 3 {
		t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
	}

	encodedKeys := []string{}
	for _, pair := range matches {
		if len(pair) != 2 {
			t.Fatalf("Key not found: %#v", pair)
		}
		encodedKeys = append(encodedKeys, pair[1])
	}

	unsealKeys := []string{}
	ptBuf := bytes.NewBuffer(nil)
	for i, keyHex := range privBytes {
		if i > 2 {
			break
		}
		ptBuf.Reset()
		entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
		if err != nil {
			t.Fatalf("Error parsing private key %d: %s", i, err)
		}
		keyBytes, err := hex.DecodeString(encodedKeys[i])
		if err != nil {
			t.Fatalf("Error hex-decoding key %d: %s", i, err)
		}
		entityList := &openpgp.EntityList{entity}
		md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
		if err != nil {
			t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
		}
		ptBuf.ReadFrom(md.UnverifiedBody)
		unsealKeys = append(unsealKeys, ptBuf.String())
	}

	err = core.Seal(rootToken)
	if err != nil {
		t.Fatalf("Error sealing vault with provided root token: %s", err)
	}

	for i, unsealKey := range unsealKeys {
		unsealBytes, err := hex.DecodeString(unsealKey)
		if err != nil {
			t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
		}
		unsealed, err := core.Unseal(unsealBytes)
		if err != nil {
			t.Fatalf("Error using unseal key %s: %s", unsealKey, err)
		}
		if i >= 2 && !unsealed {
			t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
		}
	}

}