minio/cmd/crypto/config.go

// MinIO Cloud Storage, (C) 2017-2019 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package crypto

import (
	"errors"
	"fmt"
	"reflect"
	"strconv"

	"github.com/minio/minio/cmd/config"
	"github.com/minio/minio/pkg/env"
	xnet "github.com/minio/minio/pkg/net"
)

// KMSConfig has the KMS config for hashicorp vault
type KMSConfig struct {
	AutoEncryption bool        `json:"-"`
	Vault          VaultConfig `json:"vault"`
}

// KMS Vault constants.
const (
	KMSVaultEndpoint      = "endpoint"
	KMSVaultCAPath        = "capath"
	KMSVaultKeyName       = "key_name"
	KMSVaultKeyVersion    = "key_version"
	KMSVaultNamespace     = "namespace"
	KMSVaultAuthType      = "auth_type"
	KMSVaultAppRoleID     = "auth_approle_id"
	KMSVaultAppRoleSecret = "auth_approle_secret"
)

// DefaultKVS - default KV crypto config
var (
	DefaultKVS = config.KVS{
		config.State:          config.StateOff,
		config.Comment:        "This is a default Vault configuration",
		KMSVaultEndpoint:      "",
		KMSVaultCAPath:        "",
		KMSVaultKeyName:       "",
		KMSVaultKeyVersion:    "",
		KMSVaultNamespace:     "",
		KMSVaultAuthType:      "approle",
		KMSVaultAppRoleID:     "",
		KMSVaultAppRoleSecret: "",
	}
)

const (
	// EnvKMSMasterKey is the environment variable used to specify
	// a KMS master key used to protect SSE-S3 per-object keys.
	// Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE".
	EnvKMSMasterKey = "MINIO_KMS_MASTER_KEY"

	// EnvKMSAutoEncryption is the environment variable used to en/disable
	// SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled,
	// requires a valid KMS configuration and turns any non-SSE-C
	// request into an SSE-S3 request.
	// If present EnvAutoEncryption must be either "on" or "off".
	EnvKMSAutoEncryption = "MINIO_KMS_AUTO_ENCRYPTION"
)

const (
	// EnvKMSVaultState to enable on/off
	EnvKMSVaultState = "MINIO_KMS_VAULT_STATE"

	// EnvKMSVaultEndpoint is the environment variable used to specify
	// the vault HTTPS endpoint.
	EnvKMSVaultEndpoint = "MINIO_KMS_VAULT_ENDPOINT"

	// EnvKMSVaultAuthType is the environment variable used to specify
	// the authentication type for vault.
	EnvKMSVaultAuthType = "MINIO_KMS_VAULT_AUTH_TYPE"

	// EnvKMSVaultAppRoleID is the environment variable used to specify
	// the vault AppRole ID.
	EnvKMSVaultAppRoleID = "MINIO_KMS_VAULT_APPROLE_ID"

	// EnvKMSVaultAppSecretID is the environment variable used to specify
	// the vault AppRole secret corresponding to the AppRole ID.
	EnvKMSVaultAppSecretID = "MINIO_KMS_VAULT_APPROLE_SECRET"

	// EnvKMSVaultKeyVersion is the environment variable used to specify
	// the vault key version.
	EnvKMSVaultKeyVersion = "MINIO_KMS_VAULT_KEY_VERSION"

	// EnvKMSVaultKeyName is the environment variable used to specify
	// the vault named key-ring. In the S3 context it's referred as
	// customer master key ID (CMK-ID).
	EnvKMSVaultKeyName = "MINIO_KMS_VAULT_KEY_NAME"

	// EnvKMSVaultCAPath is the environment variable used to specify the
	// path to a directory of PEM-encoded CA cert files. These CA cert
	// files are used to authenticate MinIO to Vault over mTLS.
	EnvKMSVaultCAPath = "MINIO_KMS_VAULT_CAPATH"

	// EnvKMSVaultNamespace is the environment variable used to specify
	// vault namespace. The vault namespace is used if the enterprise
	// version of Hashicorp Vault is used.
	EnvKMSVaultNamespace = "MINIO_KMS_VAULT_NAMESPACE"
)

var defaultCfg = VaultConfig{
	Auth: VaultAuth{
		Type: "approle",
	},
}

// LookupConfig extracts the KMS configuration provided by environment
// variables and merge them with the provided KMS configuration. The
// merging follows the following rules:
//
// 1. A valid value provided as environment variable is higher prioritized
// than the provided configuration and overwrites the value from the
// configuration file.
//
// 2. A value specified as environment variable never changes the configuration
// file. So it is never made a persistent setting.
//
// It sets the global KMS configuration according to the merged configuration
// on succes.
func LookupConfig(kvs config.KVS) (KMSConfig, error) {
	if err := config.CheckValidKeys(config.KmsVaultSubSys, kvs, DefaultKVS); err != nil {
		return KMSConfig{}, err
	}
	kmsCfg, err := lookupConfigLegacy(kvs)
	if err != nil {
		return kmsCfg, err
	}
	if !kmsCfg.AutoEncryption {
		kmsCfg.AutoEncryption, err = config.ParseBool(env.Get(EnvKMSAutoEncryption, config.StateOff))
		if err != nil {
			return kmsCfg, err
		}
	}
	if kmsCfg.Vault.Enabled {
		return kmsCfg, nil
	}

	stateBool, err := config.ParseBool(env.Get(EnvKMSVaultState, kvs.Get(config.State)))
	if err != nil {
		if kvs.Empty() {
			return kmsCfg, nil
		}
		return kmsCfg, err
	}
	if !stateBool {
		return kmsCfg, nil
	}
	vcfg := VaultConfig{
		Auth: VaultAuth{
			Type: "approle",
		},
	}
	endpointStr := env.Get(EnvKMSVaultEndpoint, kvs.Get(KMSVaultEndpoint))
	if endpointStr != "" {
		// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present
		endpoint, err := xnet.ParseHTTPURL(endpointStr)
		if err != nil {
			return kmsCfg, err
		}
		endpointStr = endpoint.String()
	}
	vcfg.Endpoint = endpointStr
	vcfg.CAPath = env.Get(EnvKMSVaultCAPath, kvs.Get(KMSVaultCAPath))
	vcfg.Auth.Type = env.Get(EnvKMSVaultAuthType, kvs.Get(KMSVaultAuthType))
	if vcfg.Auth.Type == "" {
		vcfg.Auth.Type = "approle"
	}
	vcfg.Auth.AppRole.ID = env.Get(EnvKMSVaultAppRoleID, kvs.Get(KMSVaultAppRoleID))
	vcfg.Auth.AppRole.Secret = env.Get(EnvKMSVaultAppSecretID, kvs.Get(KMSVaultAppRoleSecret))
	vcfg.Key.Name = env.Get(EnvKMSVaultKeyName, kvs.Get(KMSVaultKeyName))
	vcfg.Namespace = env.Get(EnvKMSVaultNamespace, kvs.Get(KMSVaultNamespace))
	if keyVersion := env.Get(EnvKMSVaultKeyVersion, kvs.Get(KMSVaultKeyVersion)); keyVersion != "" {
		vcfg.Key.Version, err = strconv.Atoi(keyVersion)
		if err != nil {
			return kmsCfg, fmt.Errorf("Unable to parse VaultKeyVersion value (`%s`)", keyVersion)
		}
	}

	if reflect.DeepEqual(vcfg, defaultCfg) {
		return kmsCfg, nil
	}

	// Verify all the proper settings.
	if err = vcfg.Verify(); err != nil {
		return kmsCfg, err
	}

	vcfg.Enabled = true
	kmsCfg.Vault = vcfg
	return kmsCfg, nil
}

// NewKMS - initialize a new KMS.
func NewKMS(cfg KMSConfig) (kms KMS, err error) {
	// Lookup KMS master keys - only available through ENV.
	if masterKeyLegacy := env.Get(EnvKMSMasterKeyLegacy, ""); len(masterKeyLegacy) != 0 {
		if cfg.Vault.Enabled { // Vault and KMS master key provided
			return kms, errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
		}
		kms, err = ParseMasterKey(masterKeyLegacy)
		if err != nil {
			return kms, err
		}
	} else if masterKey := env.Get(EnvKMSMasterKey, ""); len(masterKey) != 0 {
		if cfg.Vault.Enabled { // Vault and KMS master key provided
			return kms, errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
		}
		kms, err = ParseMasterKey(masterKey)
		if err != nil {
			return kms, err
		}
	} else if cfg.Vault.Enabled {
		kms, err = NewVault(cfg.Vault)
		if err != nil {
			return kms, err
		}
	}

	if cfg.AutoEncryption && kms == nil {
		return kms, errors.New("Invalid KMS configuration: auto-encryption is enabled but no valid KMS configuration is present")
	}
	return kms, nil
}