// Copyright (c) 2015-2023 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"os"
"path/filepath"
"strings"
"sync/atomic"
"syscall"
"time"
"github.com/minio/kms-go/kes"
"github.com/minio/kms-go/kms"
"github.com/minio/pkg/v3/certs"
"github.com/minio/pkg/v3/ellipses"
"github.com/minio/pkg/v3/env"
)
// Environment variables for MinIO KMS.
// Environment variables for MinIO KMS.
//
// When MINIO_KMS_SERVER is set all four variables are required (IsPresent
// rejects a partial configuration). The CA bundle used to verify the KMS
// server certificate is not taken from the environment but from
// ConnectionOptions.CADir; when that is empty the TLS RootCAs pool is left
// nil, i.e. the host trust store is used.
const (
	EnvKMSEndpoint   = "MINIO_KMS_SERVER"  // List of MinIO KMS endpoints, separated by ','. Ellipses patterns (see expandEndpoints) are expanded.
	EnvKMSEnclave    = "MINIO_KMS_ENCLAVE" // MinIO KMS enclave in which the key and identity exists
	EnvKMSDefaultKey = "MINIO_KMS_SSE_KEY" // Default key used for SSE-S3 or when no SSE-KMS key ID is specified
	EnvKMSAPIKey     = "MINIO_KMS_API_KEY" // Credential to access the MinIO KMS. This is a secret: keep it out of logs and shell history.
)
// Environment variables for MinIO KES.
// Environment variables for MinIO KES.
//
// MINIO_KMS_KES_ENDPOINT and MINIO_KMS_KES_KEY_NAME are required. Exactly one
// authentication method must be configured: either an API key, or a client
// certificate / private key pair for mTLS. Setting both is rejected by
// IsPresent.
const (
	EnvKESEndpoint       = "MINIO_KMS_KES_ENDPOINT"     // One or multiple KES endpoints, separated by ','. Ellipses patterns are expanded.
	EnvKESDefaultKey     = "MINIO_KMS_KES_KEY_NAME"     // The default key name used for IAM data and when no key ID is specified on a bucket
	EnvKESAPIKey         = "MINIO_KMS_KES_API_KEY"      // Access credential for KES - API keys and private key / certificate are mutually exclusive
	EnvKESClientKey      = "MINIO_KMS_KES_KEY_FILE"     // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
	EnvKESClientCert     = "MINIO_KMS_KES_CERT_FILE"    // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"       // Path to file/directory containing CA certificates to verify the KES server certificate. When set it is used instead of ConnectionOptions.CADir.
	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypted TLS private key (legacy RFC 1423 PEM encryption, see loadX509KeyPair in Connect)
)
// Environment variables for static KMS key.
// Environment variables for static KMS key.
//
// The static key is a local, single-key stand-in for a real KMS (parsed by
// ParseSecretKey) and implements only a subset of the KMS/KES APIs. At most
// one of the two variables may be set. Note that IsPresent deliberately
// drops MINIO_KMS_SECRET_KEY_FILE from the environment when it is empty or
// names a file that does not exist, so a mistyped path results in a server
// running without any KMS rather than in a startup error.
const (
	EnvKMSSecretKey     = "MINIO_KMS_SECRET_KEY"      // Static KMS key: key name and key material separated by ':' (exact encoding defined by ParseSecretKey). Implements a subset of KMS/KES APIs
	EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" // Path to a file to read the static KMS key from. Connect also tries the path relative to /run/secrets (docker secrets) if it does not exist as given.
)
// tlsClientSessionCacheSize bounds the per-client TLS session cache
// (tls.NewLRUClientSessionCache) used for session resumption towards
// the KMS/KES endpoints.
const (
	tlsClientSessionCacheSize = 100
)
// ConnectionOptions is a structure containing options for connecting
// to a KMS.
// ConnectionOptions is a structure containing options for connecting
// to a KMS.
type ConnectionOptions struct {
	// CADir is the path to a directory (or file) containing CA certificates
	// used to verify the KMS or KES server certificate. It is optional:
	// for MinIO KMS an empty value leaves RootCAs nil (host trust store);
	// for KES the MINIO_KMS_KES_CAPATH environment variable, when set, is
	// used instead of this field.
	CADir string
}
// Connect returns a new Conn to a KMS. It uses configuration from the
// environment and returns a:
//
// - connection to MinIO KMS if the "MINIO_KMS_SERVER" variable is present.
// - connection to MinIO KES if the "MINIO_KMS_KES_ENDPOINT" is present.
// - connection to a "local" KMS implementation using a static key if the
// "MINIO_KMS_SECRET_KEY" or "MINIO_KMS_SECRET_KEY_FILE" is present.
//
// It returns an error if connecting to the KMS implementation fails,
// e.g. due to incomplete config, or when configurations for multiple
// KMS implementations are present.
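// Connect returns a new Conn to a KMS. It uses configuration from the
// environment and returns a:
//
//   - connection to MinIO KMS if the "MINIO_KMS_SERVER" variable is present.
//   - connection to MinIO KES if the "MINIO_KMS_KES_ENDPOINT" is present.
//   - connection to a "local" KMS implementation using a static key if the
//     "MINIO_KMS_SECRET_KEY" or "MINIO_KMS_SECRET_KEY_FILE" is present.
//
// opts may be nil. opts.CADir is an optional path to a file or directory
// of CA certificates used to verify the KMS/KES server certificate; for
// KES, MINIO_KMS_KES_CAPATH is used instead when it is set.
//
// ctx bounds the lifetime of the background work started for a KES
// connection (certificate reloading and the default-key keep-alive).
//
// It returns an error if connecting to the KMS implementation fails,
// e.g. due to incomplete config, or when configurations for multiple
// KMS implementations are present.
func Connect(ctx context.Context, opts *ConnectionOptions) (*KMS, error) {
	present, err := IsPresent()
	if err != nil {
		return nil, err
	}
	if !present {
		return nil, errors.New("kms: no KMS configuration specified")
	}

	isSet := func(key string) bool {
		_, ok := os.LookupEnv(key)
		return ok
	}
	var caDir string
	if opts != nil {
		caDir = opts.CADir
	}

	// IsPresent has already rejected mixed configurations, so the first
	// matching backend is the only one configured.
	switch {
	case isSet(EnvKMSEndpoint):
		return connectMinIOKMS(caDir)
	case isSet(EnvKESEndpoint):
		return connectMinIOKES(ctx, caDir)
	default:
		return connectStaticKey()
	}
}

// connectMinIOKMS builds a MinIO KMS client from the MINIO_KMS_* variables.
// caDir, when non-empty, is the CA path used to verify the server
// certificate; when empty RootCAs stays nil and Go's host trust store is used.
func connectMinIOKMS(caDir string) (*KMS, error) {
	rawEndpoint := env.Get(EnvKMSEndpoint, "")
	if rawEndpoint == "" {
		return nil, errors.New("kms: no KMS server endpoint provided")
	}
	endpoints, err := expandEndpoints(rawEndpoint)
	if err != nil {
		return nil, err
	}
	// The API key is the only credential for MinIO KMS; an unparsable key
	// is a hard error rather than an unauthenticated client.
	apiKey, err := kms.ParseAPIKey(env.Get(EnvKMSAPIKey, ""))
	if err != nil {
		return nil, err
	}
	var rootCAs *x509.CertPool
	if caDir != "" {
		if rootCAs, err = certs.GetRootCAs(caDir); err != nil {
			return nil, err
		}
	}
	client, err := kms.NewClient(&kms.Config{
		Endpoints: endpoints,
		APIKey:    apiKey,
		TLS: &tls.Config{
			MinVersion:         tls.VersionTLS12, // never negotiate below TLS 1.2
			ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
			RootCAs:            rootCAs,
		},
	})
	if err != nil {
		return nil, err
	}
	defaultKey := env.Get(EnvKMSDefaultKey, "")
	return &KMS{
		Type:       MinKMS,
		DefaultKey: defaultKey,
		conn: &kmsConn{
			enclave:    env.Get(EnvKMSEnclave, ""),
			defaultKey: defaultKey,
			client:     client,
		},
		latencyBuckets: defaultLatencyBuckets,
		latency:        make([]atomic.Uint64, len(defaultLatencyBuckets)),
	}, nil
}

// connectMinIOKES builds a MinIO KES client from the MINIO_KMS_KES_* variables.
// The client authenticates via mTLS: either with a certificate generated from
// the API key, or with the certificate/key files from the environment.
// caDir is the fallback CA path when MINIO_KMS_KES_CAPATH is not set.
func connectMinIOKES(ctx context.Context, caDir string) (*KMS, error) {
	rawEndpoint := env.Get(EnvKESEndpoint, "")
	if rawEndpoint == "" {
		return nil, errors.New("kms: no KES server endpoint provided")
	}
	endpoints, err := expandEndpoints(rawEndpoint)
	if err != nil {
		return nil, err
	}
	conf := &tls.Config{
		MinVersion:         tls.VersionTLS12, // never negotiate below TLS 1.2
		ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
	}

	if apiKey := env.Get(EnvKESAPIKey, ""); apiKey != "" {
		// API key authentication: the client certificate presented to KES is
		// derived from the key and never changes for the life of the process.
		key, err := kes.ParseAPIKey(apiKey)
		if err != nil {
			return nil, err
		}
		cert, err := kes.GenerateCertificate(key)
		if err != nil {
			return nil, err
		}
		conf.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
	} else {
		certificate, err := certs.NewCertificate(env.Get(EnvKESClientCert, ""), env.Get(EnvKESClientKey, ""), loadKESClientKeyPair)
		if err != nil {
			return nil, err
		}
		// Re-read the files every 15 minutes and on SIGHUP so a rotated
		// client certificate is picked up without a restart; Get() always
		// returns the most recently loaded pair.
		certificate.Watch(ctx, 15*time.Minute, syscall.SIGHUP)
		conf.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			cert := certificate.Get()
			return &cert, nil
		}
	}

	// Server certificate verification: the env var wins over opts.CADir.
	conf.RootCAs, err = certs.GetRootCAs(env.Get(EnvKESServerCA, caDir))
	if err != nil {
		return nil, err
	}

	// The endpoint list is set after construction; the empty string passed
	// here is presumably the single-endpoint form which is overridden below.
	client := kes.NewClientWithConfig("", conf)
	client.Endpoints = endpoints

	defaultKey := env.Get(EnvKESDefaultKey, "")

	// Keep the default key in the KES cache to prevent availability issues
	// when MinIO restarts. This is best-effort: the result and any error of
	// DescribeKey are intentionally ignored, and the loop ends with ctx.
	go func() {
		ticker := time.NewTicker(10 * time.Second)
		defer ticker.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-ticker.C:
				client.DescribeKey(ctx, defaultKey)
			}
		}
	}()

	return &KMS{
		Type:       MinKES,
		DefaultKey: defaultKey,
		conn: &kesConn{
			defaultKeyID: defaultKey,
			client:       client,
		},
		latencyBuckets: defaultLatencyBuckets,
		latency:        make([]atomic.Uint64, len(defaultLatencyBuckets)),
	}, nil
}

// loadKESClientKeyPair reads the KES client certificate and private key
// from certFile and keyFile. It replaces tls.LoadX509KeyPair because the
// private key may be PEM-encrypted; in that case it is decrypted with
// MINIO_KMS_KES_KEY_PASSWORD before the pair is parsed.
//
// NOTE(review): x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock are
// deprecated since Go 1.16 because RFC 1423 PEM encryption is
// unauthenticated and vulnerable to padding-oracle attacks; it offers only
// weak protection of the key at rest. Prefer an API key, or an unencrypted
// key file with restrictive permissions. The support is kept here for
// compatibility with existing deployments.
func loadKESClientKeyPair(certFile, keyFile string) (tls.Certificate, error) {
	certBytes, err := os.ReadFile(certFile)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("Unable to load KES client certificate as specified by the shell environment: %v", err)
	}
	keyBytes, err := os.ReadFile(keyFile)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("Unable to load KES client private key as specified by the shell environment: %v", err)
	}
	// Exactly one PEM block is accepted: trailing data after the block is
	// rejected so a file accidentally containing a second key is not
	// silently truncated to its first entry.
	block, rest := pem.Decode(bytes.TrimSpace(keyBytes))
	if len(rest) != 0 {
		return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data")
	}
	// An empty (or whitespace-only) key file yields a nil block with empty
	// rest; x509.IsEncryptedPEMBlock dereferences the block, so reject it
	// here instead of panicking at startup.
	if block == nil {
		return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: no PEM block found")
	}
	if x509.IsEncryptedPEMBlock(block) {
		der, err := x509.DecryptPEMBlock(block, []byte(env.Get(EnvKESClientPassword, "")))
		if err != nil {
			return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
		}
		// Re-encode the decrypted DER as plain PEM so tls.X509KeyPair can
		// parse it like an unencrypted key.
		keyBytes = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	certificate, err := tls.X509KeyPair(certBytes, keyBytes)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("Unable to load KES client certificate as specified by the shell environment: %v", err)
	}
	return certificate, nil
}

// connectStaticKey builds the local single-key KMS from MINIO_KMS_SECRET_KEY
// or MINIO_KMS_SECRET_KEY_FILE. The file variable takes precedence when set.
func connectStaticKey() (*KMS, error) {
	if _, ok := os.LookupEnv(EnvKMSSecretKeyFile); !ok {
		return ParseSecretKey(env.Get(EnvKMSSecretKey, ""))
	}
	filename := env.Get(EnvKMSSecretKeyFile, "")
	b, err := os.ReadFile(filename)
	if os.IsNotExist(err) {
		// Relative path where "/run/secrets" is the default docker path for
		// secrets. Note that IsPresent already unsets the variable when the
		// path as given does not exist, so this fallback is normally only
		// reached if the file disappeared in between.
		b, err = os.ReadFile(filepath.Join("/run/secrets", filename))
	}
	if err != nil {
		return nil, err
	}
	return ParseSecretKey(string(b))
}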
// IsPresent reports whether a KMS configuration is present.
// It returns an error if multiple KMS configurations are
// present or if one configuration is incomplete.
// IsPresent reports whether a KMS configuration is present.
// It returns an error if multiple KMS configurations are
// present or if one configuration is incomplete.
//
// It has a side effect on the process environment: an empty
// MINIO_KMS_SECRET_KEY, and a MINIO_KMS_SECRET_KEY_FILE that is empty or
// names a non-existent file, are unset so that later lookups treat them
// as absent (see the comment in the body for why).
func IsPresent() (bool, error) {
	// anySet reports whether at least one of the named
	// env. variables is set (possibly to an empty value).
	anySet := func(names ...string) bool {
		for _, name := range names {
			if _, ok := os.LookupEnv(name); ok {
				return true
			}
		}
		return false
	}

	// Determine which backend families have any variable set. Only one
	// family - MinIO KMS, MinIO KES or static key - may be configured.
	hasKMS := anySet(
		EnvKMSEndpoint,
		EnvKMSEnclave,
		EnvKMSAPIKey,
		EnvKMSDefaultKey,
	)
	hasKES := anySet(
		EnvKESEndpoint,
		EnvKESDefaultKey,
		EnvKESAPIKey,
		EnvKESClientKey,
		EnvKESClientCert,
		EnvKESClientPassword,
		EnvKESServerCA,
	)

	// Special case for MINIO_KMS_SECRET_KEY and MINIO_KMS_SECRET_KEY_FILE:
	// the docker image always sets MINIO_KMS_SECRET_KEY_FILE, either to the
	// argument passed to the container or to a default string such as
	// "minio_master_key". To tell an explicit configuration from that
	// implicit one, the variables are unset when they are empty or point
	// to a path that does not exist. The downside is that a
	// MINIO_KMS_SECRET_KEY_FILE naming a missing file is silently ignored
	// and the server starts without a KMS. This behavior has to be
	// preserved until the container image changes.
	if value, ok := os.LookupEnv(EnvKMSSecretKey); ok && value == "" {
		os.Unsetenv(EnvKMSSecretKey)
	}
	if filename, ok := os.LookupEnv(EnvKMSSecretKeyFile); ok {
		if filename == "" {
			os.Unsetenv(EnvKMSSecretKeyFile)
		} else if _, err := os.Stat(filename); errors.Is(err, os.ErrNotExist) {
			os.Unsetenv(EnvKMSSecretKeyFile)
		}
	}
	// From here on the static key variables are set only if they carry
	// an explicit value.
	hasStaticKey := anySet(EnvKMSSecretKey, EnvKMSSecretKeyFile)

	// Reject any combination of backends before validating a single one.
	if hasKMS && hasKES {
		return false, errors.New("kms: configuration for MinIO KMS and MinIO KES is present")
	}
	if hasKMS && hasStaticKey {
		return false, errors.New("kms: configuration for MinIO KMS and static KMS key is present")
	}
	if hasKES && hasStaticKey {
		return false, errors.New("kms: configuration for MinIO KES and static KMS key is present")
	}

	// At most one family is configured now; check that it is complete.
	// For MinIO KMS the endpoint(s), enclave, default key and credential are
	// all mandatory (a CA path is optional and not an env. variable).
	if hasKMS {
		for _, required := range []string{EnvKMSEndpoint, EnvKMSEnclave, EnvKMSDefaultKey, EnvKMSAPIKey} {
			if !anySet(required) {
				return false, fmt.Errorf("kms: incomplete configuration for MinIO KMS: missing '%s'", required)
			}
		}
		return true, nil
	}

	if hasStaticKey {
		if anySet(EnvKMSSecretKey) && anySet(EnvKMSSecretKeyFile) {
			return false, fmt.Errorf("kms: invalid configuration for static KMS key: '%s' and '%s' are present", EnvKMSSecretKey, EnvKMSSecretKeyFile)
		}
		return true, nil
	}

	if hasKES {
		if !anySet(EnvKESEndpoint) {
			return false, fmt.Errorf("kms: incomplete configuration for MinIO KES: missing '%s'", EnvKESEndpoint)
		}
		if !anySet(EnvKESDefaultKey) {
			return false, fmt.Errorf("kms: incomplete configuration for MinIO KES: missing '%s'", EnvKESDefaultKey)
		}
		// Exactly one authentication method: a client certificate/key pair
		// (any of its three variables selects it) or an API key.
		usesClientCert := anySet(EnvKESClientKey, EnvKESClientCert, EnvKESClientPassword)
		if !usesClientCert {
			if !anySet(EnvKESAPIKey) {
				return false, errors.New("kms: incomplete configuration for MinIO KES: missing authentication method")
			}
			return true, nil
		}
		if anySet(EnvKESAPIKey) {
			return false, fmt.Errorf("kms: invalid configuration for MinIO KES: '%s' and client certificate is present", EnvKESAPIKey)
		}
		if !anySet(EnvKESClientCert) {
			return false, fmt.Errorf("kms: incomplete configuration for MinIO KES: missing '%s'", EnvKESClientCert)
		}
		if !anySet(EnvKESClientKey) {
			return false, fmt.Errorf("kms: incomplete configuration for MinIO KES: missing '%s'", EnvKESClientKey)
		}
		return true, nil
	}

	return false, nil // No KMS config present
}
// expandEndpoints splits a comma-separated endpoint list, trims whitespace
// around each entry, drops empty entries and expands ellipses patterns
// (e.g. a numbered host range) into individual endpoints. It returns an
// error for an entry whose ellipses pattern cannot be parsed.
func expandEndpoints(s string) ([]string, error) {
	var out []string
	for _, raw := range strings.Split(s, ",") {
		entry := strings.TrimSpace(raw)
		switch {
		case entry == "":
			// Empty entries (e.g. a trailing comma) are skipped.
		case !ellipses.HasEllipses(entry):
			out = append(out, entry)
		default:
			pattern, err := ellipses.FindEllipsesPatterns(entry)
			if err != nil {
				return nil, fmt.Errorf("kms: invalid endpoint '%s': %v", entry, err)
			}
			for _, parts := range pattern.Expand() {
				out = append(out, strings.Join(parts, ""))
			}
		}
	}
	return out, nil
}