Implement KMS methods for keys, policies and identities (#15673)

internal/kms/identity-manager.go

@@ -0,0 +1,45 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package kms
+
+import (
+	"context"
+
+	"github.com/minio/kes"
+)
+
+// IdentityManager is the generic interface that handles KMS identity operations
+type IdentityManager interface {
+	// DescribeIdentity describes an identity by returning its metadata.
+	// e.g. which policy is currently assigned and whether its an admin identity.
+	DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error)
+
+	// DescribeSelfIdentity describes the identity issuing the request.
+	// It infers the identity from the TLS client certificate used to authenticate.
+	// It returns the identity and policy information for the client identity.
+	DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error)
+
+	// 	DeleteIdentity deletes an identity from KMS.
+	// The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
+	// The admin identity cannot be deleted.
+	DeleteIdentity(ctx context.Context, identity string) error
+
+	// ListIdentities list all identity metadata that match the specified pattern.
+	// In particular, the pattern * lists all identity metadata.
+	ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error)
+}

internal/kms/kes.go

@@ -158,6 +158,24 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
 	return c.client.CreateKey(ctx, keyID)
 }
 
+// DeleteKey deletes a key at the KMS with the given key ID.
+// Please note that is a dangerous operation.
+// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
+// anymore, and therefore, is lost.
+func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DeleteKey(ctx, keyID)
+}
+
+// ListKeys List all key names that match the specified pattern. In particular,
+// the pattern * lists all keys.
+func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.ListKeys(ctx, pattern)
+}
+
 // GenerateKey generates a new data encryption key using
 // the key at the KES server referenced by the key ID.
 //
@@ -188,6 +206,26 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
 	}, nil
 }
 
+// ImportKey imports a cryptographic key into the KMS.
+func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.ImportKey(ctx, keyID, bytes)
+}
+
+// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
+// The plaintext must not exceed 1 MB
+func (c *kesClient) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]byte, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	ctxBytes, err := ctx.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
+}
+
 // DecryptKey decrypts the ciphertext with the key at the KES
 // server referenced by the key ID. The context must match the
 // context value used to generate the ciphertext.
@@ -239,3 +277,86 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
 	}
 	return plaintexts, nil
 }
+
+// DescribePolicy describes a policy by returning its metadata.
+// e.g. who created the policy at which point in time.
+func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DescribePolicy(ctx, policy)
+}
+
+// AssignPolicy assigns a policy to an identity.
+// An identity can have at most one policy while the same policy can be assigned to multiple identities.
+// The assigned policy defines which API calls this identity can perform.
+// It's not possible to assign a policy to the admin identity.
+// Further, an identity cannot assign a policy to itself.
+func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.AssignPolicy(ctx, policy, kes.Identity(identity))
+}
+
+// DeletePolicy	deletes a policy from KMS.
+// All identities that have been assigned to this policy will lose all authorization privileges.
+func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DeletePolicy(ctx, policy)
+}
+
+// ListPolicies list all policy metadata that match the specified pattern.
+// In particular, the pattern * lists all policy metadata.
+func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.ListPolicies(ctx, pattern)
+}
+
+// SetPolicy creates or updates a policy.
+func (c *kesClient) SetPolicy(ctx context.Context, policy, data string) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.SetPolicy(ctx, policy, &kes.Policy{Allow: []string{"*"}, Info: kes.PolicyInfo{Name: "my-app2"}})
+}
+
+// GetPolicy gets a policy from KMS.
+func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.GetPolicy(ctx, policy)
+}
+
+// DescribeIdentity describes an identity by returning its metadata.
+// e.g. which policy is currently assigned and whether its an admin identity.
+func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DescribeIdentity(ctx, kes.Identity(identity))
+}
+
+// DescribeSelfIdentity describes the identity issuing the request.
+// It infers the identity from the TLS client certificate used to authenticate.
+// It returns the identity and policy information for the client identity.
+func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DescribeSelf(ctx)
+}
+
+// DeleteIdentity deletes an identity from KMS.
+// The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
+// The admin identity cannot be deleted.
+func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.DeleteIdentity(ctx, kes.Identity(identity))
+}
+
+// ListIdentities list all identity metadata that match the specified pattern.
+// In particular, the pattern * lists all identity metadata.
+func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	return c.client.ListIdentities(ctx, pattern)
+}

internal/kms/key-manager.go

@@ -0,0 +1,47 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package kms
+
+import (
+	"context"
+
+	"github.com/minio/kes"
+)
+
+// KeyManager is the generic interface that handles KMS key operations
+type KeyManager interface {
+	// CreateKey creates a new key at the KMS with the given key ID.
+	CreateKey(ctx context.Context, keyID string) error
+
+	// DeleteKey deletes a key at the KMS with the given key ID.
+	// Please note that is a dangerous operation.
+	// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
+	// anymore, and therefore, is lost.
+	DeleteKey(ctx context.Context, keyID string) error
+
+	// ListKeys List all key names that match the specified pattern. In particular,
+	// the pattern * lists all keys.
+	ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error)
+
+	// ImportKey imports a cryptographic key into the KMS.
+	ImportKey(ctx context.Context, keyID string, bytes []byte) error
+
+	// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
+	// The plaintext must not exceed 1 MB
+	EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)
+}

internal/kms/policy-manager.go

@@ -0,0 +1,52 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package kms
+
+import (
+	"context"
+
+	"github.com/minio/kes"
+)
+
+// PolicyManager is the generic interface that handles KMS policy] operations
+type PolicyManager interface {
+	// DescribePolicy describes a policy by returning its metadata.
+	// e.g. who created the policy at which point in time.
+	DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error)
+
+	// AssignPolicy assigns a policy to an identity.
+	// An identity can have at most one policy while the same policy can be assigned to multiple identities.
+	// The assigned policy defines which API calls this identity can perform.
+	// It's not possible to assign a policy to the admin identity.
+	// Further, an identity cannot assign a policy to itself.
+	AssignPolicy(ctx context.Context, policy, identity string) error
+
+	// SetPolicy creates or updates a policy.
+	SetPolicy(ctx context.Context, policy, data string) error
+
+	// GetPolicy gets a policy from KMS.
+	GetPolicy(ctx context.Context, policy string) (*kes.Policy, error)
+
+	// ListPolicies list all policy metadata that match the specified pattern.
+	// In particular, the pattern * lists all policy metadata.
+	ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error)
+
+	// DeletePolicy	deletes a policy from KMS.
+	// All identities that have been assigned to this policy will lose all authorization privileges.
+	DeletePolicy(ctx context.Context, policy string) error
+}