mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-23 07:31:09 +02:00
Code Issues Projects Releases Wiki Activity

vault: expose information about keys

Browse Source
This commit is contained in:
Armon Dadgar 2015-05-27 17:25:36 -07:00
parent 2fe8158591
commit 083fa51bfb
3 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
vault/barrier.go
View File

@ -2,6 +2,7 @@ package vault
import ( import (
"errors" "errors"
"time"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
) )
@ -69,6 +70,9 @@ type SecurityBarrier interface {
// should use the new key, while old values should still be decryptable. // should use the new key, while old values should still be decryptable.
Rotate() error Rotate() error
// ActiveKeyInfo is used to inform details about the active key
ActiveKeyInfo() (*KeyInfo, error)
// Rekey is used to change the master key used to protect the keyring // Rekey is used to change the master key used to protect the keyring
Rekey([]byte) error Rekey([]byte) error
@ -105,3 +109,9 @@ func (e *Entry) Logical() *logical.StorageEntry {
Value: e.Value, Value: e.Value,
} }
} }
// KeyInfo is used to convey information about the encryption key
type KeyInfo struct {
Term int
InstallTime time.Time
}

20
vault/barrier_aes_gcm.go
View File

@ -321,6 +321,26 @@ func (b *AESGCMBarrier) Rotate() error {
return nil return nil
} }
// ActiveKeyInfo is used to inform details about the active key
func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error) {
b.l.RLock()
defer b.l.RUnlock()
if b.sealed {
return nil, ErrBarrierSealed
}
// Determine the key install time
term := b.keyring.ActiveTerm()
key := b.keyring.TermKey(term)
// Return the key info
info := &KeyInfo{
Term: int(term),
InstallTime: key.InstallTime,
}
return info, nil
}
// Rekey is used to change the master key used to protect the keyring // Rekey is used to change the master key used to protect the keyring
func (b *AESGCMBarrier) Rekey(key []byte) error { func (b *AESGCMBarrier) Rekey(key []byte) error {
b.l.Lock() b.l.Lock()

26
vault/barrier_test.go
View File

@ -3,6 +3,7 @@ package vault
import ( import (
"reflect" "reflect"
"testing" "testing"
"time"
) )
func testBarrier(t *testing.T, b SecurityBarrier) { func testBarrier(t *testing.T, b SecurityBarrier) {
@ -243,6 +244,19 @@ func testBarrier_Rotate(t *testing.T, b SecurityBarrier) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
// Check the key info
info, err := b.ActiveKeyInfo()
if err != nil {
t.Fatalf("err: %v", err)
}
if info.Term != 1 {
t.Fatalf("Bad term: %d", info.Term)
}
if time.Since(info.InstallTime) > time.Second {
t.Fatalf("Bad install: %v", info.InstallTime)
}
first := info.InstallTime
// Write a key // Write a key
e1 := &Entry{Key: "test", Value: []byte("test")} e1 := &Entry{Key: "test", Value: []byte("test")}
if err := b.Put(e1); err != nil { if err := b.Put(e1); err != nil {
@ -255,6 +269,18 @@ func testBarrier_Rotate(t *testing.T, b SecurityBarrier) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
// Check the key info
info, err = b.ActiveKeyInfo()
if err != nil {
t.Fatalf("err: %v", err)
}
if info.Term != 2 {
t.Fatalf("Bad term: %d", info.Term)
}
if !info.InstallTime.After(first) {
t.Fatalf("Bad install: %v", info.InstallTime)
}
// Write another key // Write another key
e2 := &Entry{Key: "foo", Value: []byte("test")} e2 := &Entry{Key: "foo", Value: []byte("test")}
if err := b.Put(e2); err != nil { if err := b.Put(e2); err != nil {