fix and improve KMS server info (#8944)

This commit fixes typos in the displayed server info
w.r.t. the KMS and removes the update status.

For more information about why the update status
is removed see: PR #8943
Andreas Auernhammer 2020-02-06 01:48:34 +01:00 committed by GitHub
parent 4f37c8ccf2
commit 086fbb745e
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 18 deletions


@ -1574,30 +1574,23 @@ func fetchVaultStatus(cfg config.Config) madmin.Vault {
} else { } else {
vault.Status = "online" vault.Status = "online"
kmsContext := crypto.Context{"MinIO admin API": "KMSKeyStatusHandler"} // Context for a test key operation kmsContext := crypto.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
// 1. Generate a new key using the KMS. // 1. Generate a new key using the KMS.
key, sealedKey, err := GlobalKMS.GenerateKey(keyID, kmsContext) key, sealedKey, err := GlobalKMS.GenerateKey(keyID, kmsContext)
if err != nil { if err != nil {
vault.Encrypt = "Encryption failed" vault.Encrypt = fmt.Sprintf("Encryption failed: %v", err)
} else { } else {
vault.Encrypt = "Ok" vault.Encrypt = "Ok"
} }
// 2. Check whether we can update / re-wrap the sealed key. // 2. Verify that we can indeed decrypt the (encrypted) key
sealedKey, err = GlobalKMS.UpdateKey(keyID, sealedKey, kmsContext) decryptedKey, err := GlobalKMS.UnsealKey(keyID, sealedKey, kmsContext)
if err != nil { switch {
vault.Update = "Re-wrap failed:" case err != nil:
} else { vault.Decrypt = fmt.Sprintf("Decryption failed: %v", err)
vault.Update = "Ok" case subtle.ConstantTimeCompare(key[:], decryptedKey[:]) != 1:
} vault.Decrypt = "Decryption failed: decrypted key does not match generated key"
default:
// 3. Verify that we can indeed decrypt the (encrypted) key
decryptedKey, decryptErr := GlobalKMS.UnsealKey(keyID, sealedKey, kmsContext)
// 4. Compare generated key with decrypted key
if subtle.ConstantTimeCompare(key[:], decryptedKey[:]) != 1 || decryptErr != nil {
vault.Decrypt = "Re-wrap failed:"
} else {
vault.Decrypt = "Ok" vault.Decrypt = "Ok"
} }
} }
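Review bot: When GenerateKey fails, the new code still falls through to UnsealKey with the zero-value sealedKey, so the server info reports a second, misleading `Decryption failed: …` for a key that was never produced. Turning the Encrypt branch into an early exit avoids that: `vault.Encrypt = fmt.Sprintf("Encryption failed: %v", err)` followed by `return vault` in place of the `} else {`, assuming `vault` is what fetchVaultStatus returns after this block (the rest of the function lies outside the hunk). Whether the raw KMS error text should surface here deserves a conscious decision rather than a side effect of `%v`: a client error can carry backend endpoint or path details, which is acceptable for an admin-only view but is now part of the API output. Separately, the `Encrypt` value set here is still serialised under the misspelled `json:"encryp,omitempty"` tag in the Vault struct below; correcting it changes the wire format, so it needs coordinating with clients rather than a quiet fix.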


@ -470,7 +470,6 @@ type Vault struct {
Status string `json:"status,omitempty"` Status string `json:"status,omitempty"`
Encrypt string `json:"encryp,omitempty"` Encrypt string `json:"encryp,omitempty"`
Decrypt string `json:"decrypt,omitempty"` Decrypt string `json:"decrypt,omitempty"`
Update string `json:"update,omitempty"`
} }
// LDAP contains ldap status // LDAP contains ldap status