scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Forbid setting auto_rotate_period on transit managed keys (#23723)

Browse Source 
* Forbid setting auto_rotate_period on transit managed keys

 - Prevent and guard against auto-rotating managed keys as we
   generate an invalid key version without the uuid field set.
 - Hook in the datakey generation api into managed key encryption.

* Add cl
This commit is contained in:
Steven Clark
2023-10-19 15:29:01 -04:00
committed by GitHub
parent 479520c474
commit d0501db90f
4 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
builtin/logical/transit/backend.go
View File

@@ -275,6 +275,11 @@ func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, ke
return nil return nil
} }
// We can't auto-rotate managed keys
if p.Type == keysutil.KeyType_MANAGED_KEY {
return nil
}
// Retrieve the latest version of the policy and determine if it is time to rotate. // Retrieve the latest version of the policy and determine if it is time to rotate.
latestKey := p.Keys[strconv.Itoa(p.LatestVersion)] latestKey := p.Keys[strconv.Itoa(p.LatestVersion)]
if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) { if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) {

19
builtin/logical/transit/path_datakey.go
View File

@@ -7,6 +7,7 @@ import (
"context" "context"
"crypto/rand" "crypto/rand"
"encoding/base64" "encoding/base64"
"errors"
"fmt" "fmt"
"github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/helper/constants"
@@ -141,7 +142,23 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
return nil, err return nil, err
} }
ciphertext, err := p.Encrypt(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey)) var managedKeyFactory ManagedKeyFactory
if p.Type == keysutil.KeyType_MANAGED_KEY {
managedKeySystemView, ok := b.System().(logical.ManagedKeySystemView)
if !ok {
return nil, errors.New("unsupported system view")
}
managedKeyFactory = ManagedKeyFactory{
managedKeyParams: keysutil.ManagedKeyParameters{
ManagedKeySystemView: managedKeySystemView,
BackendUUID: b.backendUUID,
Context: ctx,
},
}
}
ciphertext, err := p.EncryptWithFactory(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey), nil, managedKeyFactory)
if err != nil { if err != nil {
switch err.(type) { switch err.(type) {
case errutil.UserError: case errutil.UserError:

4
builtin/logical/transit/path_keys_config.go
View File

@@ -218,6 +218,10 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
p.AutoRotatePeriod = autoRotatePeriod p.AutoRotatePeriod = autoRotatePeriod
persistNeeded = true persistNeeded = true
} }
if p.Type == keysutil.KeyType_MANAGED_KEY && autoRotatePeriod != 0 {
return logical.ErrorResponse("Auto rotation can not be set for managed keys"), nil
}
} }
if !persistNeeded { if !persistNeeded {

3
changelog/23723.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Do not allow auto rotation on managed_key key types
```