mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 18:47:01 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
235 lines
7.5 KiB
Go
235 lines
7.5 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package pki
|
|
|
|
import (
|
|
"context"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/certutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
// This allows us to record the version of the migration code within the log entry
|
|
// in case we find out in the future that something was horribly wrong with the migration,
|
|
// and we need to perform it again...
|
|
const (
|
|
latestMigrationVersion = 2
|
|
legacyBundleShimID = issuerID("legacy-entry-shim-id")
|
|
legacyBundleShimKeyID = keyID("legacy-entry-shim-key-id")
|
|
)
|
|
|
|
type legacyBundleMigrationLog struct {
|
|
Hash string `json:"hash"`
|
|
Created time.Time `json:"created"`
|
|
CreatedIssuer issuerID `json:"issuer_id"`
|
|
CreatedKey keyID `json:"key_id"`
|
|
MigrationVersion int `json:"migrationVersion"`
|
|
}
|
|
|
|
type migrationInfo struct {
|
|
isRequired bool
|
|
legacyBundle *certutil.CertBundle
|
|
legacyBundleHash string
|
|
migrationLog *legacyBundleMigrationLog
|
|
}
|
|
|
|
func getMigrationInfo(ctx context.Context, s logical.Storage) (migrationInfo, error) {
|
|
migrationInfo := migrationInfo{
|
|
isRequired: false,
|
|
legacyBundle: nil,
|
|
legacyBundleHash: "",
|
|
migrationLog: nil,
|
|
}
|
|
|
|
var err error
|
|
_, migrationInfo.legacyBundle, err = getLegacyCertBundle(ctx, s)
|
|
if err != nil {
|
|
return migrationInfo, err
|
|
}
|
|
|
|
migrationInfo.migrationLog, err = getLegacyBundleMigrationLog(ctx, s)
|
|
if err != nil {
|
|
return migrationInfo, err
|
|
}
|
|
|
|
migrationInfo.legacyBundleHash, err = computeHashOfLegacyBundle(migrationInfo.legacyBundle)
|
|
if err != nil {
|
|
return migrationInfo, err
|
|
}
|
|
|
|
// Even if there isn't anything to migrate, we always want to write out the log entry
|
|
// as that will trigger the secondary clusters to toggle/wake up
|
|
if (migrationInfo.migrationLog == nil) ||
|
|
(migrationInfo.migrationLog.Hash != migrationInfo.legacyBundleHash) ||
|
|
(migrationInfo.migrationLog.MigrationVersion != latestMigrationVersion) {
|
|
migrationInfo.isRequired = true
|
|
}
|
|
|
|
return migrationInfo, nil
|
|
}
|
|
|
|
func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
|
|
migrationInfo, err := getMigrationInfo(ctx, s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !migrationInfo.isRequired {
|
|
// No migration was deemed to be required.
|
|
return nil
|
|
}
|
|
|
|
var issuerIdentifier issuerID
|
|
var keyIdentifier keyID
|
|
sc := b.makeStorageContext(ctx, s)
|
|
if migrationInfo.legacyBundle != nil {
|
|
// When the legacy bundle still exists, there's three scenarios we
|
|
// need to worry about:
|
|
//
|
|
// 1. When we have no migration log, we definitely want to migrate.
|
|
haveNoLog := migrationInfo.migrationLog == nil
|
|
// 2. When we have an (empty) log and the version is zero, we want to
|
|
// migrate.
|
|
haveOldVersion := !haveNoLog && migrationInfo.migrationLog.MigrationVersion == 0
|
|
// 3. When we have a log and the version is at least 1 (where this
|
|
// migration was introduced), we want to run the migration again
|
|
// only if the legacy bundle hash has changed.
|
|
isCurrentOrBetterVersion := !haveNoLog && migrationInfo.migrationLog.MigrationVersion >= 1
|
|
haveChange := !haveNoLog && migrationInfo.migrationLog.Hash != migrationInfo.legacyBundleHash
|
|
haveVersionWithChange := isCurrentOrBetterVersion && haveChange
|
|
|
|
if haveNoLog || haveOldVersion || haveVersionWithChange {
|
|
// Generate a unique name for the migrated items in case things were to be re-migrated again
|
|
// for some weird reason in the future...
|
|
migrationName := fmt.Sprintf("current-%d", time.Now().Unix())
|
|
|
|
b.Logger().Info("performing PKI migration to new keys/issuers layout")
|
|
anIssuer, aKey, err := sc.writeCaBundle(migrationInfo.legacyBundle, migrationName, migrationName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
b.Logger().Info("Migration generated the following ids and set them as defaults",
|
|
"issuer id", anIssuer.ID, "key id", aKey.ID)
|
|
issuerIdentifier = anIssuer.ID
|
|
keyIdentifier = aKey.ID
|
|
|
|
// Since we do not have all the mount information available we must schedule
|
|
// the CRL to be rebuilt at a later time.
|
|
b.crlBuilder.requestRebuildIfActiveNode(b)
|
|
}
|
|
}
|
|
|
|
if migrationInfo.migrationLog != nil && migrationInfo.migrationLog.MigrationVersion == 1 {
|
|
// We've seen a bundle with migration version 1; this means an
|
|
// earlier version of the code ran which didn't have the fix for
|
|
// correct write order in rebuildIssuersChains(...). Rather than
|
|
// having every user read the migrated active issuer and see if
|
|
// their chains need rebuilding, we'll schedule a one-off chain
|
|
// migration here.
|
|
b.Logger().Info(fmt.Sprintf("%v: performing maintenance rebuild of ca_chains", b.backendUUID))
|
|
if err := sc.rebuildIssuersChains(nil); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// We always want to write out this log entry as the secondary clusters leverage this path to wake up
|
|
// if they were upgraded prior to the primary cluster's migration occurred.
|
|
err = setLegacyBundleMigrationLog(ctx, s, &legacyBundleMigrationLog{
|
|
Hash: migrationInfo.legacyBundleHash,
|
|
Created: time.Now(),
|
|
CreatedIssuer: issuerIdentifier,
|
|
CreatedKey: keyIdentifier,
|
|
MigrationVersion: latestMigrationVersion,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
b.Logger().Info(fmt.Sprintf("%v: succeeded in migrating to issuer storage version %v", b.backendUUID, latestMigrationVersion))
|
|
|
|
return nil
|
|
}
|
|
|
|
func computeHashOfLegacyBundle(bundle *certutil.CertBundle) (string, error) {
|
|
hasher := sha256.New()
|
|
// Generate an empty hash if the bundle does not exist.
|
|
if bundle != nil {
|
|
// We only hash the main certificate and the certs within the CAChain,
|
|
// assuming that any sort of change that occurred would have influenced one of those two fields.
|
|
if _, err := hasher.Write([]byte(bundle.Certificate)); err != nil {
|
|
return "", err
|
|
}
|
|
for _, cert := range bundle.CAChain {
|
|
if _, err := hasher.Write([]byte(cert)); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
}
|
|
return hex.EncodeToString(hasher.Sum(nil)), nil
|
|
}
|
|
|
|
func getLegacyBundleMigrationLog(ctx context.Context, s logical.Storage) (*legacyBundleMigrationLog, error) {
|
|
entry, err := s.Get(ctx, legacyMigrationBundleLogKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if entry == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
lbm := &legacyBundleMigrationLog{}
|
|
err = entry.DecodeJSON(lbm)
|
|
if err != nil {
|
|
// If we can't decode our bundle, lets scrap it and assume a blank value,
|
|
// re-running the migration will at most bring back an older certificate/private key
|
|
return nil, nil
|
|
}
|
|
return lbm, nil
|
|
}
|
|
|
|
func setLegacyBundleMigrationLog(ctx context.Context, s logical.Storage, lbm *legacyBundleMigrationLog) error {
|
|
json, err := logical.StorageEntryJSON(legacyMigrationBundleLogKey, lbm)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.Put(ctx, json)
|
|
}
|
|
|
|
func getLegacyCertBundle(ctx context.Context, s logical.Storage) (*issuerEntry, *certutil.CertBundle, error) {
|
|
entry, err := s.Get(ctx, legacyCertBundlePath)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
if entry == nil {
|
|
return nil, nil, nil
|
|
}
|
|
|
|
cb := &certutil.CertBundle{}
|
|
err = entry.DecodeJSON(cb)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
// Fake a storage entry with backwards compatibility in mind.
|
|
issuer := &issuerEntry{
|
|
ID: legacyBundleShimID,
|
|
KeyID: legacyBundleShimKeyID,
|
|
Name: "legacy-entry-shim",
|
|
Certificate: cb.Certificate,
|
|
CAChain: cb.CAChain,
|
|
SerialNumber: cb.SerialNumber,
|
|
LeafNotAfterBehavior: certutil.ErrNotAfterBehavior,
|
|
}
|
|
issuer.Usage.ToggleUsage(AllIssuerUsages)
|
|
|
|
return issuer, cb, nil
|
|
}
|