Move etcd, logger, crypto into their own packages (#8366)

- Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2025-11-07 04:42:56 -05:00 · 2019-10-07 22:47:56 -07:00
parent bffc378a4f
commit 290ad0996f
36 changed files with 735 additions and 533 deletions
--- a/cmd/crypto/config.go
+++ b/cmd/crypto/config.go
@@ -1,4 +1,4 @@
-// MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
+// MinIO Cloud Storage, (C) 2017-2019 MinIO, Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -14,8 +14,129 @@

 package crypto

+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/minio/minio/pkg/env"
+)
+
+const (
+	// EnvKMSMasterKey is the environment variable used to specify
+	// a KMS master key used to protect SSE-S3 per-object keys.
+	// Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE".
+	EnvKMSMasterKey = "MINIO_SSE_MASTER_KEY"
+
+	// EnvAutoEncryption is the environment variable used to en/disable
+	// SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled,
+	// requires a valid KMS configuration and turns any non-SSE-C
+	// request into an SSE-S3 request.
+	// If present EnvAutoEncryption must be either "on" or "off".
+	EnvAutoEncryption = "MINIO_SSE_AUTO_ENCRYPTION"
+)
+
+const (
+	// EnvVaultEndpoint is the environment variable used to specify
+	// the vault HTTPS endpoint.
+	EnvVaultEndpoint = "MINIO_SSE_VAULT_ENDPOINT"
+
+	// EnvVaultAuthType is the environment variable used to specify
+	// the authentication type for vault.
+	EnvVaultAuthType = "MINIO_SSE_VAULT_AUTH_TYPE"
+
+	// EnvVaultAppRoleID is the environment variable used to specify
+	// the vault AppRole ID.
+	EnvVaultAppRoleID = "MINIO_SSE_VAULT_APPROLE_ID"
+
+	// EnvVaultAppSecretID is the environment variable used to specify
+	// the vault AppRole secret corresponding to the AppRole ID.
+	EnvVaultAppSecretID = "MINIO_SSE_VAULT_APPROLE_SECRET"
+
+	// EnvVaultKeyVersion is the environment variable used to specify
+	// the vault key version.
+	EnvVaultKeyVersion = "MINIO_SSE_VAULT_KEY_VERSION"
+
+	// EnvVaultKeyName is the environment variable used to specify
+	// the vault named key-ring. In the S3 context it's referred as
+	// customer master key ID (CMK-ID).
+	EnvVaultKeyName = "MINIO_SSE_VAULT_KEY_NAME"
+
+	// EnvVaultCAPath is the environment variable used to specify the
+	// path to a directory of PEM-encoded CA cert files. These CA cert
+	// files are used to authenticate MinIO to Vault over mTLS.
+	EnvVaultCAPath = "MINIO_SSE_VAULT_CAPATH"
+
+	// EnvVaultNamespace is the environment variable used to specify
+	// vault namespace. The vault namespace is used if the enterprise
+	// version of Hashicorp Vault is used.
+	EnvVaultNamespace = "MINIO_SSE_VAULT_NAMESPACE"
+)
+
 // KMSConfig has the KMS config for hashicorp vault
 type KMSConfig struct {
 	AutoEncryption bool        `json:"-"`
 	Vault          VaultConfig `json:"vault"`
 }
+
+// LookupConfig extracts the KMS configuration provided by environment
+// variables and merge them with the provided KMS configuration. The
+// merging follows the following rules:
+//
+// 1. A valid value provided as environment variable is higher prioritized
+// than the provided configuration and overwrites the value from the
+// configuration file.
+//
+// 2. A value specified as environment variable never changes the configuration
+// file. So it is never made a persistent setting.
+//
+// It sets the global KMS configuration according to the merged configuration
+// on succes.
+func LookupConfig(config KMSConfig) (KMSConfig, error) {
+	var err error
+	// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present
+	config.Vault.Endpoint = env.Get(EnvVaultEndpoint, config.Vault.Endpoint)
+	config.Vault.CAPath = env.Get(EnvVaultCAPath, config.Vault.CAPath)
+	config.Vault.Auth.Type = env.Get(EnvVaultAuthType, config.Vault.Auth.Type)
+	config.Vault.Auth.AppRole.ID = env.Get(EnvVaultAppRoleID, config.Vault.Auth.AppRole.ID)
+	config.Vault.Auth.AppRole.Secret = env.Get(EnvVaultAppSecretID, config.Vault.Auth.AppRole.Secret)
+	config.Vault.Key.Name = env.Get(EnvVaultKeyName, config.Vault.Key.Name)
+	config.Vault.Namespace = env.Get(EnvVaultNamespace, config.Vault.Namespace)
+	keyVersion := env.Get(EnvVaultKeyVersion, strconv.Itoa(config.Vault.Key.Version))
+	config.Vault.Key.Version, err = strconv.Atoi(keyVersion)
+	if err != nil {
+		return config, fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)", EnvVaultKeyVersion, keyVersion)
+	}
+	if err = config.Vault.Verify(); err != nil {
+		return config, err
+	}
+
+	return config, nil
+}
+
+// NewKMS - initialize a new KMS.
+func NewKMS(config KMSConfig) (kms KMS, err error) {
+	// Lookup KMS master keys - only available through ENV.
+	if masterKey, ok := env.Lookup(EnvKMSMasterKey); ok {
+		if !config.Vault.IsEmpty() { // Vault and KMS master key provided
+			return kms, errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
+		}
+		kms, err = ParseMasterKey(masterKey)
+		if err != nil {
+			return kms, err
+		}
+	}
+	if !config.Vault.IsEmpty() {
+		kms, err = NewVault(config.Vault)
+		if err != nil {
+			return kms, err
+		}
+	}
+
+	autoEncryption := strings.EqualFold(env.Get(EnvAutoEncryption, "off"), "on")
+	if autoEncryption && kms == nil {
+		return kms, errors.New("Invalid KMS configuration: auto-encryption is enabled but no valid KMS configuration is present")
+	}
+	return kms, nil
+}
--- a/cmd/crypto/kms.go
+++ b/cmd/crypto/kms.go
@@ -72,6 +72,9 @@ func (c Context) WriteTo(w io.Writer) (n int64, err error) {
 // data key generation and unsealing of KMS-generated
 // data keys.
 type KMS interface {
+	// KeyID - returns configured KMS key id.
+	KeyID() string
+
 	// GenerateKey generates a new random data key using
 	// the master key referenced by the keyID. It returns
 	// the plaintext key and the sealed plaintext key
@@ -102,14 +105,19 @@ type KMS interface {
 }

 type masterKeyKMS struct {
+	keyID     string
 	masterKey [32]byte
 }

-// NewKMS returns a basic KMS implementation from a single 256 bit master key.
+// NewMasterKey returns a basic KMS implementation from a single 256 bit master key.
 //
 // The KMS accepts any keyID but binds the keyID and context cryptographically
 // to the generated keys.
-func NewKMS(key [32]byte) KMS { return &masterKeyKMS{masterKey: key} }
+func NewMasterKey(keyID string, key [32]byte) KMS { return &masterKeyKMS{keyID: keyID, masterKey: key} }
+
+func (kms *masterKeyKMS) KeyID() string {
+	return kms.keyID
+}

 func (kms *masterKeyKMS) GenerateKey(keyID string, ctx Context) (key [32]byte, sealedKey []byte, err error) {
 	if _, err = io.ReadFull(rand.Reader, key[:]); err != nil {
--- a/cmd/crypto/kms_test.go
+++ b/cmd/crypto/kms_test.go
@@ -40,8 +40,9 @@ var masterKeyKMSTests = []struct {
 }

 func TestMasterKeyKMS(t *testing.T) {
-	kms := NewKMS([32]byte{})
 	for i, test := range masterKeyKMSTests {
+		kms := NewMasterKey(test.GenKeyID, [32]byte{})
+
 		key, sealedKey, err := kms.GenerateKey(test.GenKeyID, test.GenContext)
 		if err != nil {
 			t.Errorf("Test %d: KMS failed to generate key: %v", i, err)
--- a/cmd/crypto/parse.go
+++ b/cmd/crypto/parse.go
@@ -0,0 +1,42 @@
+// MinIO Cloud Storage, (C) 2017-2019 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crypto
+
+import (
+	"encoding/hex"
+	"fmt"
+	"strings"
+)
+
+// ParseMasterKey parses the value of the environment variable
+// `EnvKMSMasterKey` and returns a key-ID and a master-key KMS on success.
+func ParseMasterKey(envArg string) (KMS, error) {
+	values := strings.SplitN(envArg, ":", 2)
+	if len(values) != 2 {
+		return nil, fmt.Errorf("Invalid KMS master key: %s does not contain a ':'", envArg)
+	}
+	var (
+		keyID  = values[0]
+		hexKey = values[1]
+	)
+	if len(hexKey) != 64 { // 2 hex bytes = 1 byte
+		return nil, fmt.Errorf("Invalid KMS master key: %s not a 32 bytes long HEX value", hexKey)
+	}
+	var masterKey [32]byte
+	if _, err := hex.Decode(masterKey[:], []byte(hexKey)); err != nil {
+		return nil, err
+	}
+	return NewMasterKey(keyID, masterKey), nil
+}
--- a/cmd/crypto/parse_test.go
+++ b/cmd/crypto/parse_test.go
@@ -0,0 +1,59 @@
+// MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crypto
+
+import "testing"
+
+func TestParseMasterKey(t *testing.T) {
+	tests := []struct {
+		envValue      string
+		expectedKeyID string
+		success       bool
+	}{
+		{
+			envValue: "invalid-value",
+			success:  false,
+		},
+		{
+			envValue: "too:many:colons",
+			success:  false,
+		},
+		{
+			envValue: "myminio-key:not-a-hex",
+			success:  false,
+		},
+		{
+			envValue:      "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574",
+			expectedKeyID: "my-minio-key",
+			success:       true,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.envValue, func(t *testing.T) {
+			kms, err := ParseMasterKey(tt.envValue)
+			if tt.success && err != nil {
+				t.Error(err)
+			}
+			if !tt.success && err == nil {
+				t.Error("Unexpected failure")
+			}
+			if err == nil && kms.KeyID() != tt.expectedKeyID {
+				t.Errorf("Expected keyID %s, got %s", tt.expectedKeyID, kms.KeyID())
+			}
+		})
+	}
+}
--- a/cmd/crypto/sse_test.go
+++ b/cmd/crypto/sse_test.go
@@ -191,7 +191,7 @@ var s3UnsealObjectKeyTests = []struct {
 	ExpectedErr error
 }{
 	{ // 0 - Valid KMS key-ID and valid metadata entries for bucket/object
-		KMS:    NewKMS([32]byte{}),
+		KMS:    NewMasterKey("my-minio-key", [32]byte{}),
 		Bucket: "bucket",
 		Object: "object",
 		Metadata: map[string]string{
@@ -204,7 +204,7 @@ var s3UnsealObjectKeyTests = []struct {
 		ExpectedErr: nil,
 	},
 	{ // 1 - Valid KMS key-ID for invalid metadata entries for bucket/object
-		KMS:    NewKMS([32]byte{}),
+		KMS:    NewMasterKey("my-minio-key", [32]byte{}),
 		Bucket: "bucket",
 		Object: "object",
 		Metadata: map[string]string{
--- a/cmd/crypto/vault.go
+++ b/cmd/crypto/vault.go
@@ -199,6 +199,11 @@ func (v *vaultService) authenticate() (err error) {
 	return
 }

+// KeyID - vault configured keyID
+func (v *vaultService) KeyID() string {
+	return v.config.Key.Name
+}
+
 // GenerateKey returns a new plaintext key, generated by the KMS,
 // and a sealed version of this plaintext key encrypted using the
 // named key referenced by keyID. It also binds the generated key