aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fcafffdb24'
${ noResults }
boundary/internal/server/rewrapping.go

158 lines
6.6 KiB
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package server
import (
"context"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/kms"
"github.com/hashicorp/boundary/internal/util"
)
func init() {
kms.RegisterTableRewrapFn("worker_auth_ca_certificate", workerAuthCertRewrapFn)
kms.RegisterTableRewrapFn("worker_auth_authorized", workerAuthRewrapFn)
kms.RegisterTableRewrapFn("worker_auth_server_led_activation_token", workerAuthServerLedActivationTokenRewrapFn)
}
func rewrapParameterChecks(ctx context.Context, dataKeyVersionId string, scopeId string, reader db.Reader, writer db.Writer, kmsRepo kms.GetWrapperer) string {
if dataKeyVersionId == "" {
return "missing data key version id"
}
if scopeId == "" {
return "missing scope id"
}
if util.IsNil(reader) {
return "missing database reader"
}
if util.IsNil(writer) {
return "missing database writer"
}
if kmsRepo == nil {
return "missing kms repository"
}
return ""
}
func workerAuthCertRewrapFn(ctx context.Context, dataKeyVersionId string, scopeId string, reader db.Reader, writer db.Writer, kmsRepo kms.GetWrapperer) error {
const op = "server.workerAuthCertRewrapFn"
if errStr := rewrapParameterChecks(ctx, dataKeyVersionId, scopeId, reader, writer, kmsRepo); errStr != "" {
return errors.New(ctx, errors.InvalidParameter, op, errStr)
}
var certs []*RootCertificate
// Indexes on public id, state. neither of which are queryable via scope.
// This is the fastest query we can use without creating a new index on key_id.
if err := reader.SearchWhere(ctx, &certs, "key_id=?", []any{dataKeyVersionId}, db.WithLimit(-1)); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to query sql for rows that need rewrapping"))
}
wrapper, err := kmsRepo.GetWrapper(ctx, scopeId, kms.KeyPurposeDatabase)
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to fetch kms wrapper for rewrapping"))
}
for _, cert := range certs {
if err := cert.decrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to decrypt worker auth certificate"))
}
if err := cert.encrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to re-encrypt worker auth certificate"))
}
if _, err := writer.Update(ctx, cert, []string{"CtPrivateKey", "KeyId"}, nil); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to update worker auth certificate row with rewrapped fields"))
}
}
return nil
}
func workerAuthRewrapFn(ctx context.Context, dataKeyVersionId, scopeId string, reader db.Reader, writer db.Writer, kmsRepo kms.GetWrapperer) error {
const op = "server.workerAuthRewrapFn"
if errStr := rewrapParameterChecks(ctx, dataKeyVersionId, scopeId, reader, writer, kmsRepo); errStr != "" {
return errors.New(ctx, errors.InvalidParameter, op, errStr)
}
var auths []*WorkerAuth
// An index exists on (worker_id, state), so we can query workers via scope and refine with key id.
// This is the fastest query we can use without creating a new index on key_id.
rows, err := reader.Query(ctx, workerAuthRewrapQuery, []any{scopeId, dataKeyVersionId})
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to query sql for rows that need rewrapping"))
}
defer rows.Close()
for rows.Next() {
workerAuth := allocWorkerAuth()
if err := rows.Scan(
&workerAuth.WorkerKeyIdentifier,
&workerAuth.CtControllerEncryptionPrivKey,
&workerAuth.KeyId,
); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to scan row"))
}
auths = append(auths, workerAuth)
}
if err := rows.Err(); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to iterate over retrieved rows"))
}
wrapper, err := kmsRepo.GetWrapper(ctx, scopeId, kms.KeyPurposeDatabase)
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to fetch kms wrapper for rewrapping"))
}
for _, workerAuth := range auths {
if err := workerAuth.decrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to decrypt worker auth"))
}
if err := workerAuth.encrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to re-encrypt worker auth"))
}
if _, err := writer.Update(ctx, workerAuth, []string{"CtControllerEncryptionPrivKey", "KeyId"}, nil); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to update worker auth row with rewrapped fields"))
}
}
return nil
}
func workerAuthServerLedActivationTokenRewrapFn(ctx context.Context, dataKeyVersionId, scopeId string, reader db.Reader, writer db.Writer, kmsRepo kms.GetWrapperer) error {
const op = "server.workerAuthServerLedActivationTokenRewrapFn"
if errStr := rewrapParameterChecks(ctx, dataKeyVersionId, scopeId, reader, writer, kmsRepo); errStr != "" {
return errors.New(ctx, errors.InvalidParameter, op, errStr)
}
var tokens []*WorkerAuthServerLedActivationToken
// An index exists on worker_id, so we can query workers via scope and refine with key id.
// This is the fastest query we can use without creating a new index on key_id.
rows, err := reader.Query(ctx, workerAuthServerLedActivationTokenRewrapQuery, []any{scopeId, dataKeyVersionId})
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to query sql for rows that need rewrapping"))
}
defer rows.Close()
for rows.Next() {
token := allocWorkerAuthServerLedActivationToken()
if err := rows.Scan(
&token.WorkerId,
&token.CreationTimeEncrypted,
&token.KeyId,
); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to scan row"))
}
tokens = append(tokens, token)
}
if err := rows.Err(); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to iterate over retrieved rows"))
}
wrapper, err := kmsRepo.GetWrapper(ctx, scopeId, kms.KeyPurposeDatabase)
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to fetch kms wrapper for rewrapping"))
}
for _, token := range tokens {
if err := token.decrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to decrypt activation token"))
}
if err := token.encrypt(ctx, wrapper); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to re-encrypt activation token"))
}
if _, err := writer.Update(ctx, token, []string{"CreationTimeEncrypted", "KeyId"}, nil); err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("failed to update activation token row with rewrapped fields"))
}
}
return nil
}
Reference in new issue View Git Blame Copy Permalink