Seal wrap storage entries of the ManagedKeyRegistry. (#13905)

Seal wrap storage entries of the ManagedKeyRegistry.

Specify the managed key registry's path in SealWrapStorage in the SystemBackend.

Enable SealWrap in the system mount entry.
Victor Rodriguez
2022-02-04 16:06:32 -05:00
committed by GitHub
parent 56a6ef7ff5
commit 5cda092984
7 changed files with 30 additions and 17 deletions


@@ -425,7 +425,7 @@ func TestSysMounts_headerAuth(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -480,7 +480,7 @@ func TestSysMounts_headerAuth(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{


@@ -52,7 +52,7 @@ func TestSysMounts(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -107,7 +107,7 @@ func TestSysMounts(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -222,7 +222,7 @@ func TestSysMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -290,7 +290,7 @@ func TestSysMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -424,7 +424,7 @@ func TestSysRemount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -492,7 +492,7 @@ func TestSysRemount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -594,7 +594,7 @@ func TestSysUnmount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -649,7 +649,7 @@ func TestSysUnmount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -850,7 +850,7 @@ func TestSysTuneMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -918,7 +918,7 @@ func TestSysTuneMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -1059,7 +1059,7 @@ func TestSysTuneMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -1127,7 +1127,7 @@ func TestSysTuneMount(t *testing.T) {
"passthrough_request_headers": []interface{}{"Accept"}, "passthrough_request_headers": []interface{}{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": interface{}(nil), "options": interface{}(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{


@@ -153,6 +153,10 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
expirationSubPath, expirationSubPath,
countersSubPath, countersSubPath,
}, },
SealWrapStorage: []string{
managedKeyRegistrySubPath,
},
}, },
} }
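Review bot: Entries already stored under the registry prefix are not retroactively wrapped by this hunk; SealWrapStorage presumably applies the extra seal layer only to writes made after the sys mount carries SealWrap, so pre-existing registry entries would keep barrier-only encryption until they are rewritten, which the commit neither confirms nor documents. I would add a short why-comment above the new field: `// Registry entries get the extra seal-wrap layer only while the sys mount entry has SealWrap set; see requiredMountTable.` The body of NewSystemBackend starts and ends outside this hunk.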


@@ -183,7 +183,7 @@ func TestSystemBackend_mounts(t *testing.T) {
"passthrough_request_headers": []string{"Accept"}, "passthrough_request_headers": []string{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": map[string]string(nil), "options": map[string]string(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -296,7 +296,7 @@ func TestSystemBackend_mount(t *testing.T) {
"passthrough_request_headers": []string{"Accept"}, "passthrough_request_headers": []string{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": map[string]string(nil), "options": map[string]string(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{
@@ -2934,7 +2934,7 @@ func TestSystemBackend_InternalUIMounts(t *testing.T) {
"passthrough_request_headers": []string{"Accept"}, "passthrough_request_headers": []string{"Accept"},
}, },
"local": false, "local": false,
"seal_wrap": false, "seal_wrap": true,
"options": map[string]string(nil), "options": map[string]string(nil),
}, },
"cubbyhole/": map[string]interface{}{ "cubbyhole/": map[string]interface{}{


@@ -2,6 +2,11 @@
package vault package vault
// managedKeyRegistrySubPath is the storage prefix used by the registry.
// We need to define the constant even though managed keys is a Vault Enterprise
// feature in order to set up seal wrapping in the SystemBackend.
const managedKeyRegistrySubPath = "managed-key-registry/"
func (c *Core) setupManagedKeyRegistry() error { func (c *Core) setupManagedKeyRegistry() error {
return nil return nil
} }
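Review bot: The new constant is declared in the open-source stub while the code that writes under this prefix is, per the comment itself, Enterprise-only, so nothing in this file ties the two together; if the Enterprise registry carries its own prefix constant, a later drift would silently leave its entries outside the seal-wrapped prefix. I would extend the comment with a sentence making the coupling explicit: `// Must match the prefix the Enterprise registry writes to; a mismatch leaves its entries outside SealWrapStorage.` A unit test that the registry's storage paths share this prefix would be stronger, but can only live in the Enterprise tree.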


@@ -1499,6 +1499,7 @@ func (c *Core) requiredMountTable() *MountTable {
UUID: sysUUID, UUID: sysUUID,
Accessor: sysAccessor, Accessor: sysAccessor,
BackendAwareUUID: sysBackendUUID, BackendAwareUUID: sysBackendUUID,
SealWrap: true, // Enable SealWrap since SystemBackend utilizes SealWrapStorage, see factory in addExtraLogicalBackends().
Config: MountConfig{ Config: MountConfig{
PassthroughRequestHeaders: []string{"Accept"}, PassthroughRequestHeaders: []string{"Accept"},
}, },
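Review bot: Setting SealWrap here covers clusters whose system mount entry is created from this table, but a cluster whose mount table was persisted before this change presumably still loads its system entry with SealWrap false unless the mount-loading path reconciles required entries against this table — the commit should either confirm that reconciliation happens or note that existing clusters need an upgrade step, otherwise SealWrapStorage in NewSystemBackend is inert there. The trailing comment on the SealWrap line is also long for an inline field comment; I would place it on the line above as `// SystemBackend relies on SealWrapStorage (see addExtraLogicalBackends), so seal wrapping must be enabled on this mount.` The requiredMountTable body starts and ends outside this hunk.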


@@ -841,6 +841,9 @@ func verifyDefaultTable(t *testing.T, table *MountTable, expected int) {
if entry.Type != "system" { if entry.Type != "system" {
t.Fatalf("bad: %v", entry) t.Fatalf("bad: %v", entry)
} }
if !entry.SealWrap {
t.Fatalf("expected SealWrap to be enabled: %v", entry)
}
case "identity/": case "identity/":
if entry.Type != "identity" { if entry.Type != "identity" {
t.Fatalf("bad: %v", entry) t.Fatalf("bad: %v", entry)