mirror of https://github.com/minio/minio.git
211 lines
6.0 KiB
Go
211 lines
6.0 KiB
Go
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"path"
|
|
"time"
|
|
"unicode/utf8"
|
|
|
|
"github.com/minio/madmin-go"
|
|
"github.com/minio/minio/internal/config"
|
|
"github.com/minio/minio/internal/kms"
|
|
"github.com/minio/minio/internal/logger"
|
|
etcd "go.etcd.io/etcd/client/v3"
|
|
)
|
|
|
|
func handleEncryptedConfigBackend(objAPI ObjectLayer) error {
|
|
encrypted, err := checkBackendEncrypted(objAPI)
|
|
if err != nil {
|
|
return fmt.Errorf("Unable to encrypt config %w", err)
|
|
}
|
|
if err = migrateConfigPrefixToEncrypted(objAPI, encrypted); err != nil {
|
|
return fmt.Errorf("Unable to migrate all config at .minio.sys/config/: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
const backendEncryptedFile = "backend-encrypted"
|
|
|
|
var backendEncryptedMigrationComplete = []byte("encrypted")
|
|
|
|
func checkBackendEtcdEncrypted(ctx context.Context, client *etcd.Client) (bool, error) {
|
|
data, err := readKeyEtcd(ctx, client, backendEncryptedFile)
|
|
if err != nil && err != errConfigNotFound {
|
|
return false, err
|
|
}
|
|
return err == nil && bytes.Equal(data, backendEncryptedMigrationComplete), nil
|
|
}
|
|
|
|
func checkBackendEncrypted(objAPI ObjectLayer) (bool, error) {
|
|
data, err := readConfig(GlobalContext, objAPI, backendEncryptedFile)
|
|
if err != nil && err != errConfigNotFound {
|
|
return false, err
|
|
}
|
|
return err == nil && bytes.Equal(data, backendEncryptedMigrationComplete), nil
|
|
}
|
|
|
|
func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client) error {
|
|
encrypted, err := checkBackendEtcdEncrypted(ctx, client)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// If backend doesn't have this file means we have already
|
|
// attempted then migration
|
|
if !encrypted {
|
|
return nil
|
|
}
|
|
|
|
if encrypted && GlobalKMS != nil {
|
|
stat, err := GlobalKMS.Stat(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logger.Info(fmt.Sprintf("Attempting to re-encrypt IAM users and policies on etcd with %q (%s)", stat.DefaultKey, stat.Name))
|
|
}
|
|
|
|
listCtx, cancel := context.WithTimeout(ctx, 1*time.Minute)
|
|
defer cancel()
|
|
|
|
r, err := client.Get(listCtx, minioConfigPrefix, etcd.WithPrefix(), etcd.WithKeysOnly())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, kv := range r.Kvs {
|
|
data, err := readKeyEtcd(ctx, client, string(kv.Key))
|
|
if err == errConfigNotFound { // Perhaps not present or someone deleted it.
|
|
continue
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !utf8.Valid(data) {
|
|
pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
|
|
if err != nil {
|
|
if GlobalKMS != nil {
|
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
|
minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
|
|
})
|
|
if err != nil {
|
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
|
minioMetaBucket: string(kv.Key),
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
|
}
|
|
}
|
|
} else {
|
|
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
|
}
|
|
}
|
|
data = pdata
|
|
}
|
|
|
|
if GlobalKMS != nil {
|
|
data, err = config.EncryptBytes(GlobalKMS, data, kms.Context{
|
|
minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err = saveKeyEtcd(ctx, client, string(kv.Key), data); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if encrypted && GlobalKMS != nil {
|
|
logger.Info("Migration of encrypted IAM config data completed. All data is now encrypted on etcd.")
|
|
}
|
|
|
|
return deleteKeyEtcd(ctx, client, backendEncryptedFile)
|
|
}
|
|
|
|
func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
|
|
if !encrypted {
|
|
return nil
|
|
}
|
|
if encrypted && GlobalKMS != nil {
|
|
stat, err := GlobalKMS.Stat(context.Background())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logger.Info(fmt.Sprintf("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name))
|
|
}
|
|
|
|
results := make(chan ObjectInfo)
|
|
if err := objAPI.Walk(GlobalContext, minioMetaBucket, minioConfigPrefix, results, ObjectOptions{}); err != nil {
|
|
return err
|
|
}
|
|
|
|
for obj := range results {
|
|
data, err := readConfig(GlobalContext, objAPI, obj.Name)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !utf8.Valid(data) {
|
|
pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
|
|
if err != nil {
|
|
if GlobalKMS != nil {
|
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
|
minioMetaBucket: path.Join(minioMetaBucket, obj.Name),
|
|
})
|
|
if err != nil {
|
|
pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
|
|
minioMetaBucket: obj.Name,
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
|
}
|
|
}
|
|
} else {
|
|
return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
|
|
}
|
|
}
|
|
data = pdata
|
|
}
|
|
|
|
if GlobalKMS != nil {
|
|
data, err = config.EncryptBytes(GlobalKMS, data, kms.Context{
|
|
obj.Bucket: path.Join(obj.Bucket, obj.Name),
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err = saveConfig(GlobalContext, objAPI, obj.Name, data); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if encrypted && GlobalKMS != nil {
|
|
logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
|
|
}
|
|
|
|
return deleteConfig(GlobalContext, objAPI, backendEncryptedFile)
|
|
}
|