mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
Implement KMS methods for keys, policies and identities (#15673)
This commit is contained in:
parent
cf49da387b
commit
0b6175b742
45
internal/kms/identity-manager.go
Normal file
45
internal/kms/identity-manager.go
Normal file
@ -0,0 +1,45 @@
|
||||
// Copyright (c) 2015-2022 MinIO, Inc.
|
||||
//
|
||||
// This file is part of MinIO Object Storage stack
|
||||
//
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/minio/kes"
|
||||
)
|
||||
|
||||
// IdentityManager is the generic interface that handles KMS identity operations
|
||||
type IdentityManager interface {
|
||||
// DescribeIdentity describes an identity by returning its metadata.
|
||||
// e.g. which policy is currently assigned and whether its an admin identity.
|
||||
DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error)
|
||||
|
||||
// DescribeSelfIdentity describes the identity issuing the request.
|
||||
// It infers the identity from the TLS client certificate used to authenticate.
|
||||
// It returns the identity and policy information for the client identity.
|
||||
DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error)
|
||||
|
||||
// DeleteIdentity deletes an identity from KMS.
|
||||
// The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
|
||||
// The admin identity cannot be deleted.
|
||||
DeleteIdentity(ctx context.Context, identity string) error
|
||||
|
||||
// ListIdentities list all identity metadata that match the specified pattern.
|
||||
// In particular, the pattern * lists all identity metadata.
|
||||
ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error)
|
||||
}
|
@ -158,6 +158,24 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
|
||||
return c.client.CreateKey(ctx, keyID)
|
||||
}
|
||||
|
||||
// DeleteKey deletes a key at the KMS with the given key ID.
|
||||
// Please note that is a dangerous operation.
|
||||
// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
|
||||
// anymore, and therefore, is lost.
|
||||
func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeleteKey(ctx, keyID)
|
||||
}
|
||||
|
||||
// ListKeys List all key names that match the specified pattern. In particular,
|
||||
// the pattern * lists all keys.
|
||||
func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListKeys(ctx, pattern)
|
||||
}
|
||||
|
||||
// GenerateKey generates a new data encryption key using
|
||||
// the key at the KES server referenced by the key ID.
|
||||
//
|
||||
@ -188,6 +206,26 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
|
||||
}, nil
|
||||
}
|
||||
|
||||
// ImportKey imports a cryptographic key into the KMS.
|
||||
func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ImportKey(ctx, keyID, bytes)
|
||||
}
|
||||
|
||||
// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
|
||||
// The plaintext must not exceed 1 MB
|
||||
func (c *kesClient) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]byte, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
|
||||
ctxBytes, err := ctx.MarshalText()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
|
||||
}
|
||||
|
||||
// DecryptKey decrypts the ciphertext with the key at the KES
|
||||
// server referenced by the key ID. The context must match the
|
||||
// context value used to generate the ciphertext.
|
||||
@ -239,3 +277,86 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
|
||||
}
|
||||
return plaintexts, nil
|
||||
}
|
||||
|
||||
// DescribePolicy describes a policy by returning its metadata.
|
||||
// e.g. who created the policy at which point in time.
|
||||
func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribePolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// AssignPolicy assigns a policy to an identity.
|
||||
// An identity can have at most one policy while the same policy can be assigned to multiple identities.
|
||||
// The assigned policy defines which API calls this identity can perform.
|
||||
// It's not possible to assign a policy to the admin identity.
|
||||
// Further, an identity cannot assign a policy to itself.
|
||||
func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.AssignPolicy(ctx, policy, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// DeletePolicy deletes a policy from KMS.
|
||||
// All identities that have been assigned to this policy will lose all authorization privileges.
|
||||
func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeletePolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// ListPolicies list all policy metadata that match the specified pattern.
|
||||
// In particular, the pattern * lists all policy metadata.
|
||||
func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListPolicies(ctx, pattern)
|
||||
}
|
||||
|
||||
// SetPolicy creates or updates a policy.
|
||||
func (c *kesClient) SetPolicy(ctx context.Context, policy, data string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.SetPolicy(ctx, policy, &kes.Policy{Allow: []string{"*"}, Info: kes.PolicyInfo{Name: "my-app2"}})
|
||||
}
|
||||
|
||||
// GetPolicy gets a policy from KMS.
|
||||
func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.GetPolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// DescribeIdentity describes an identity by returning its metadata.
|
||||
// e.g. which policy is currently assigned and whether its an admin identity.
|
||||
func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribeIdentity(ctx, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// DescribeSelfIdentity describes the identity issuing the request.
|
||||
// It infers the identity from the TLS client certificate used to authenticate.
|
||||
// It returns the identity and policy information for the client identity.
|
||||
func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribeSelf(ctx)
|
||||
}
|
||||
|
||||
// DeleteIdentity deletes an identity from KMS.
|
||||
// The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
|
||||
// The admin identity cannot be deleted.
|
||||
func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeleteIdentity(ctx, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// ListIdentities list all identity metadata that match the specified pattern.
|
||||
// In particular, the pattern * lists all identity metadata.
|
||||
func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListIdentities(ctx, pattern)
|
||||
}
|
||||
|
47
internal/kms/key-manager.go
Normal file
47
internal/kms/key-manager.go
Normal file
@ -0,0 +1,47 @@
|
||||
// Copyright (c) 2015-2022 MinIO, Inc.
|
||||
//
|
||||
// This file is part of MinIO Object Storage stack
|
||||
//
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/minio/kes"
|
||||
)
|
||||
|
||||
// KeyManager is the generic interface that handles KMS key operations
|
||||
type KeyManager interface {
|
||||
// CreateKey creates a new key at the KMS with the given key ID.
|
||||
CreateKey(ctx context.Context, keyID string) error
|
||||
|
||||
// DeleteKey deletes a key at the KMS with the given key ID.
|
||||
// Please note that is a dangerous operation.
|
||||
// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
|
||||
// anymore, and therefore, is lost.
|
||||
DeleteKey(ctx context.Context, keyID string) error
|
||||
|
||||
// ListKeys List all key names that match the specified pattern. In particular,
|
||||
// the pattern * lists all keys.
|
||||
ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error)
|
||||
|
||||
// ImportKey imports a cryptographic key into the KMS.
|
||||
ImportKey(ctx context.Context, keyID string, bytes []byte) error
|
||||
|
||||
// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
|
||||
// The plaintext must not exceed 1 MB
|
||||
EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)
|
||||
}
|
52
internal/kms/policy-manager.go
Normal file
52
internal/kms/policy-manager.go
Normal file
@ -0,0 +1,52 @@
|
||||
// Copyright (c) 2015-2022 MinIO, Inc.
|
||||
//
|
||||
// This file is part of MinIO Object Storage stack
|
||||
//
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/minio/kes"
|
||||
)
|
||||
|
||||
// PolicyManager is the generic interface that handles KMS policy] operations
|
||||
type PolicyManager interface {
|
||||
// DescribePolicy describes a policy by returning its metadata.
|
||||
// e.g. who created the policy at which point in time.
|
||||
DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error)
|
||||
|
||||
// AssignPolicy assigns a policy to an identity.
|
||||
// An identity can have at most one policy while the same policy can be assigned to multiple identities.
|
||||
// The assigned policy defines which API calls this identity can perform.
|
||||
// It's not possible to assign a policy to the admin identity.
|
||||
// Further, an identity cannot assign a policy to itself.
|
||||
AssignPolicy(ctx context.Context, policy, identity string) error
|
||||
|
||||
// SetPolicy creates or updates a policy.
|
||||
SetPolicy(ctx context.Context, policy, data string) error
|
||||
|
||||
// GetPolicy gets a policy from KMS.
|
||||
GetPolicy(ctx context.Context, policy string) (*kes.Policy, error)
|
||||
|
||||
// ListPolicies list all policy metadata that match the specified pattern.
|
||||
// In particular, the pattern * lists all policy metadata.
|
||||
ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error)
|
||||
|
||||
// DeletePolicy deletes a policy from KMS.
|
||||
// All identities that have been assigned to this policy will lose all authorization privileges.
|
||||
DeletePolicy(ctx context.Context, policy string) error
|
||||
}
|
Loading…
Reference in New Issue
Block a user