diff options
author | Kiran Kamineni <kiran.k.kamineni@intel.com> | 2018-04-10 15:13:03 -0700 |
---|---|---|
committer | Kiran Kamineni <kiran.k.kamineni@intel.com> | 2018-04-10 15:13:07 -0700 |
commit | a9e5943435ba1fb61fd891f1173f1b020858049f (patch) | |
tree | 38e45bdc242a57c44e6e0e7b7f8c9c2ce11ae887 /sms-service | |
parent | c4150670d35e36457ff5f793accae615627e55c8 (diff) |
Storing UUID that is created for secret domain
The UUID that is generated for secret domains
should be stored securely in Vault. These can
be used for future authorized access enforcement.
Issue-ID: AAF-222
Change-Id: I141ceb16b3c4a258cc5f6088585a9944093277af
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
Diffstat (limited to 'sms-service')
-rw-r--r-- | sms-service/src/sms/backend/vault.go | 128 |
1 files changed, 98 insertions, 30 deletions
diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go index fa8316c..ed05835 100644 --- a/sms-service/src/sms/backend/vault.go +++ b/sms-service/src/sms/backend/vault.go @@ -32,20 +32,17 @@ import ( // Vault is the main Struct used in Backend to initialize the struct type Vault struct { sync.Mutex - engineType string - initRoleDone bool - policyName string - roleID string - secretID string - vaultAddress string - vaultClient *vaultapi.Client - vaultMount string - vaultTempTokenTTL time.Time - vaultToken string - unsealShards []string - rootToken string - pgpPub string - pgpPr string + initRoleDone bool + policyName string + roleID string + secretID string + vaultAddress string + vaultClient *vaultapi.Client + vaultMountPrefix string + internalDomain string + internalDomainMounted bool + vaultTempTokenTTL time.Time + vaultToken string } // Init will initialize the vault connection @@ -60,11 +57,12 @@ func (v *Vault) Init() error { return errors.New("Unable to create new vault client") } - v.engineType = "kv" v.initRoleDone = false v.policyName = "smsvaultpolicy" v.vaultClient = client - v.vaultMount = "sms" + v.vaultMountPrefix = "sms" + v.internalDomain = "smsinternaldomain" + v.internalDomainMounted = false err = v.initRole() if err != nil { @@ -83,7 +81,6 @@ func (v *Vault) GetStatus() (bool, error) { smslogger.WriteError(err.Error()) return false, errors.New("Error getting status") } - return sealStatus.Sealed, nil } @@ -110,7 +107,7 @@ func (v *Vault) GetSecret(dom string, name string) (Secret, error) { return Secret{}, errors.New("Token check failed") } - dom = v.vaultMount + "/" + dom + dom = v.vaultMountPrefix + "/" + dom sec, err := v.vaultClient.Logical().Read(dom + "/" + name) if err != nil { @@ -136,7 +133,7 @@ func (v *Vault) ListSecret(dom string) ([]string, error) { return nil, errors.New("Token check failed") } - dom = v.vaultMount + "/" + dom + dom = v.vaultMountPrefix + "/" + dom sec, err := v.vaultClient.Logical().List(dom) if err != nil { @@ -164,6 +161,70 @@ func (v *Vault) ListSecret(dom string) ([]string, error) { return retval, nil } +// Mounts the internal Domain if its not already mounted +func (v *Vault) mountInternalDomain(name string) error { + if v.internalDomainMounted { + return nil + } + + name = strings.TrimSpace(name) + mountPath := v.vaultMountPrefix + "/" + name + mountInput := &vaultapi.MountInput{ + Type: "kv", + Description: "Mount point for domain: " + name, + Local: false, + SealWrap: false, + Config: vaultapi.MountConfigInput{}, + } + + err := v.vaultClient.Sys().Mount(mountPath, mountInput) + if err != nil { + if strings.Contains(err.Error(), "existing mount") { + // It is already mounted + v.internalDomainMounted = true + return nil + } + // Ran into some other error mounting it. + smslogger.WriteError(err.Error()) + return errors.New("Unable to mount internal Domain") + } + + v.internalDomainMounted = true + return nil +} + +// Stores the UUID created for secretdomain in vault +// under v.vaultMountPrefix / smsinternal domain +func (v *Vault) storeUUID(uuid string, name string) error { + // Check if token is still valid + err := v.checkToken() + if err != nil { + smslogger.WriteError(err.Error()) + return errors.New("Token Check failed") + } + + err = v.mountInternalDomain(v.internalDomain) + if err != nil { + smslogger.WriteError("Could not mount internal domain") + return err + } + + secret := Secret{ + Name: name, + Values: map[string]interface{}{ + "uuid": uuid, + }, + } + + err = v.CreateSecret(v.internalDomain, secret) + if err != nil { + smslogger.WriteError("Unable to write UUID to internal domain") + return err + } + + return nil +} + // CreateSecretDomain mounts the kv backend on a path with the given name func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) { // Check if token is still valid @@ -174,9 +235,9 @@ func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) { } name = strings.TrimSpace(name) - mountPath := v.vaultMount + "/" + name + mountPath := v.vaultMountPrefix + "/" + name mountInput := &vaultapi.MountInput{ - Type: v.engineType, + Type: "kv", Description: "Mount point for domain: " + name, Local: false, SealWrap: false, @@ -190,6 +251,15 @@ func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) { } uuid, _ := uuid.GenerateUUID() + err = v.storeUUID(uuid, name) + if err != nil { + // Mount was successful at this point. + // Rollback the mount operation since we could not + // store the UUID for the mount. + v.vaultClient.Sys().Unmount(mountPath) + return SecretDomain{}, errors.New("Unable to store Secret Domain UUID. Retry.") + } + return SecretDomain{uuid, name}, nil } @@ -202,7 +272,7 @@ func (v *Vault) CreateSecret(dom string, sec Secret) error { return errors.New("Token check failed") } - dom = v.vaultMount + "/" + dom + dom = v.vaultMountPrefix + "/" + dom // Vault return is empty on successful write // TODO: Check if values is not empty @@ -225,7 +295,7 @@ func (v *Vault) DeleteSecretDomain(name string) error { } name = strings.TrimSpace(name) - mountPath := v.vaultMount + "/" + name + mountPath := v.vaultMountPrefix + "/" + name err = v.vaultClient.Sys().Unmount(mountPath) if err != nil { @@ -244,7 +314,7 @@ func (v *Vault) DeleteSecret(dom string, name string) error { return errors.New("Token check failed") } - dom = v.vaultMount + "/" + dom + dom = v.vaultMountPrefix + "/" + dom // Vault return is empty on successful delete _, err = v.vaultClient.Logical().Delete(dom + "/" + name) @@ -270,7 +340,7 @@ func (v *Vault) initRole() error { return errors.New("Unable to create policy for approle creation") } - rName := v.vaultMount + "-role" + rName := v.vaultMountPrefix + "-role" data := map[string]interface{}{ "token_ttl": "60m", "policies": [2]string{"default", v.policyName}, @@ -363,14 +433,12 @@ func (v *Vault) initializeVault() error { SecretThreshold: 3, } - pbkey, prkey, err := smsauth.GeneratePGPKeyPair() + pbkey, _, err := smsauth.GeneratePGPKeyPair() if err != nil { smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!") } else { initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey} initReq.RootTokenPGPKey = pbkey - v.pgpPub = pbkey - v.pgpPr = prkey } resp, err := v.vaultClient.Sys().Init(initReq) @@ -380,8 +448,8 @@ func (v *Vault) initializeVault() error { } if resp != nil { - v.unsealShards = resp.KeysB64 - v.rootToken = resp.RootToken + //v.writeUnsealShards(resp.KeysB64) + v.vaultToken = resp.RootToken return nil } |