Use kms per client #556

Merged
merged 14 commits into from
Aug 8, 2022
5 changes: 5 additions & 0 deletions CHANGELOG_DEV.md
@@ -1,3 +1,8 @@
# 0.94.0 - 2022-08-03
- Implement KMS Keystore encryptor
- Extend `acra-keymaker`, `acra-addzone` and `acra-poisonrecord` tools with ability to create key encryption keys on KMS
- Introduce new flag `keystore_encryption_type` for all keystore related acra tools

# 0.94.0 - 2022-07-08
- Extend encryptor config struct with database settings section
- Has subsections for mysql-specific settings as well as for postgres-specific ones
63 changes: 40 additions & 23 deletions cmd/acra-addzone/acra-addzone.go
Expand Up @@ -36,8 +36,7 @@ import (
"github.com/cossacklabs/acra/keystore"
"github.com/cossacklabs/acra/keystore/filesystem"
"github.com/cossacklabs/acra/keystore/keyloader"
"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
"github.com/cossacklabs/acra/keystore/keyloader/kms"
baseKMS "github.com/cossacklabs/acra/keystore/kms"
keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
filesystemV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem"
filesystemBackendV2 "github.com/cossacklabs/acra/keystore/v2/keystore/filesystem/backend"
Expand All @@ -60,8 +59,7 @@ func main() {
outputDir := flag.String("keys_output_dir", keystore.DefaultKeyDirShort, "Folder where will be saved generated zone keys")
flag.Bool("fs_keystore_enable", true, "Use filesystem keystore (deprecated, ignored)")

kms.RegisterCLIParameters()
hashicorp.RegisterVaultCLIParameters()
keyloader.RegisterCLIParameters()
cmd.RegisterRedisKeyStoreParameters()
verbose := flag.Bool("v", false, "Log to stderr all INFO, WARNING and ERROR logs")

Expand All @@ -79,13 +77,13 @@ func main() {
logging.SetLogLevel(logging.LogVerbose)
}

keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
keyLoader, err := keyloader.GetInitializedMasterKeyLoader(keyloader.GetCLIParameters().KeystoreEncryptorType)
if err != nil {
log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
os.Exit(1)
}

var keyStore keystore.StorageKeyGenerator
var keyStore keystore.KeyMaking
if filesystemV2.IsKeyDirectory(*outputDir) {
keyStore = openKeyStoreV2(*outputDir, keyLoader)
} else {
Expand All @@ -111,21 +109,34 @@ func main() {
fmt.Println(string(json))
}

func openKeyStoreV1(output string, loader keyloader.MasterKeyLoader) keystore.StorageKeyGenerator {
masterKey, err := loader.LoadMasterKey()
if err != nil {
log.WithError(err).Errorln("Cannot load master key")
os.Exit(1)
}
scellEncryptor, err := keystore.NewSCellKeyEncryptor(masterKey)
if err != nil {
log.WithError(err).Errorln("Can't init scell encryptor")
os.Exit(1)
func openKeyStoreV1(output string, loader keyloader.MasterKeyLoader) keystore.KeyMaking {
var keyStoreEncryptor keystore.KeyEncryptor

var keyLoaderParams = keyloader.GetCLIParameters()
if keyLoaderParams.KeystoreEncryptorType == keyloader.KeystoreStrategyKMSPerClient {
keyManager, err := keyLoaderParams.GetKMSParameters().NewKeyManager()
if err != nil {
log.WithError(err).Errorln("Failed to initializer kms KeyManager")
os.Exit(1)
}

keyStoreEncryptor = baseKMS.NewKeyEncryptor(keyManager)
} else {
masterKey, err := loader.LoadMasterKey()
if err != nil {
log.WithError(err).Errorln("Cannot load master key")
os.Exit(1)
}
keyStoreEncryptor, err = keystore.NewSCellKeyEncryptor(masterKey)
if err != nil {
log.WithError(err).Errorln("Can't init scell encryptor")
os.Exit(1)
}
}

keyStore := filesystem.NewCustomFilesystemKeyStore()
keyStore.KeyDirectory(output)
keyStore.Encryptor(scellEncryptor)
keyStoreBuilder := filesystem.NewCustomFilesystemKeyStore()
keyStoreBuilder.KeyDirectory(output)
keyStoreBuilder.Encryptor(keyStoreEncryptor)
redis := cmd.GetRedisParameters()
if redis.KeysConfigured() {
keyStorage, err := filesystem.NewRedisStorage(redis.HostPort, redis.Password, redis.DBKeys, nil)
Expand All @@ -134,17 +145,23 @@ func openKeyStoreV1(output string, loader keyloader.MasterKeyLoader) keystore.St
Errorln("Can't initialize Redis client")
os.Exit(1)
}
keyStore.Storage(keyStorage)
keyStoreBuilder.Storage(keyStorage)
}
keyStoreV1, err := keyStore.Build()
keyStore, err := keyStoreBuilder.Build()
if err != nil {
log.WithError(err).Errorln("Can't init keystore")
os.Exit(1)
}
return keyStoreV1

if keyLoaderParams.KeystoreEncryptorType == keyloader.KeystoreStrategyKMSPerClient {
keyManager, _ := keyLoaderParams.GetKMSParameters().NewKeyManager()
return baseKMS.NewKeyMakingWrapper(keyStore, keyManager)
}

return keyStore
}

func openKeyStoreV2(keyDirPath string, loader keyloader.MasterKeyLoader) keystore.StorageKeyGenerator {
func openKeyStoreV2(keyDirPath string, loader keyloader.MasterKeyLoader) keystore.KeyMaking {
encryption, signature, err := loader.LoadMasterKeys()
if err != nil {
log.WithError(err).Errorln("Cannot load master key")
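Review bot: `openKeyStoreV1` initialises the KMS KeyManager twice — once at the top of the function to build `baseKMS.NewKeyEncryptor(keyManager)`, and again immediately before `return baseKMS.NewKeyMakingWrapper(keyStore, keyManager)`, where the constructor's error is thrown away with `keyManager, _ :=`. If that second initialisation fails (a transient KMS or credential error) the wrapper is handed whatever `NewKeyManager()` returned on failure and the problem only surfaces later, on the first key operation, instead of the `os.Exit(1)` the first call gets. Declare `keyManager` next to `var keyStoreEncryptor keystore.KeyEncryptor` at function scope, assign it with `=` inside the `KeystoreStrategyKMSPerClient` branch, and reuse that instance in the final `return`, deleting the second `NewKeyManager()` call. The log message `"Failed to initializer kms KeyManager"` also has a typo (`initializer` → `initialize`). `openKeyStoreV2` continues past the last visible hunk line.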
6 changes: 2 additions & 4 deletions cmd/acra-backup/acra-backup.go
Expand Up @@ -28,7 +28,6 @@ import (
"github.com/cossacklabs/acra/keystore/filesystem"
"github.com/cossacklabs/acra/keystore/keyloader"
"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
"github.com/cossacklabs/acra/keystore/keyloader/kms"
"github.com/cossacklabs/acra/logging"
"github.com/cossacklabs/acra/utils"

Expand Down Expand Up @@ -58,8 +57,7 @@ func main() {
action := flag.String("action", "", fmt.Sprintf("%s|%s values are accepted", actionImport, actionExport))
file := flag.String("file", "", fmt.Sprintf("path to file which will be used for %s|%s action", actionImport, actionExport))

kms.RegisterCLIParameters()
cmd.RegisterRedisKeyStoreParameters()
keyloader.RegisterCLIParameters()
hashicorp.RegisterVaultCLIParameters()

err := cmd.Parse(DefaultConfigPath, ServiceName)
Expand All @@ -85,7 +83,7 @@ func main() {
storage = &filesystem.DummyStorage{}
}

keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
keyLoader, err := keyloader.GetInitializedMasterKeyLoader(keyloader.GetCLIParameters().KeystoreEncryptorType)
if err != nil {
log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
os.Exit(1)
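Review bot: The `-58,8 +57,7` hunk drops `cmd.RegisterRedisKeyStoreParameters()` while adding `keyloader.RegisterCLIParameters()`, yet `acra-addzone` in this same PR keeps both calls side by side, so unless the Redis keystore flags are registered elsewhere in this file (not visible here) `acra-backup` silently loses its Redis options. Conversely, `hashicorp.RegisterVaultCLIParameters()` is retained here but removed from `acra-addzone` and `acra-keymaker`; if `keyloader.RegisterCLIParameters()` now registers the Vault flags itself, as those tools suggest, registering them a second time makes Go's `flag` package panic at startup on a redefined flag. Either restore `cmd.RegisterRedisKeyStoreParameters()` and drop `hashicorp.RegisterVaultCLIParameters()` to match the other tools, or add a comment explaining why `acra-backup` deliberately differs. The enclosing `main()` starts and ends outside the visible hunks.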
61 changes: 39 additions & 22 deletions cmd/acra-keymaker/acra-keymaker.go
Expand Up @@ -35,7 +35,6 @@ import (
"github.com/cossacklabs/acra/keystore"
"github.com/cossacklabs/acra/keystore/filesystem"
"github.com/cossacklabs/acra/keystore/keyloader"
"github.com/cossacklabs/acra/keystore/keyloader/hashicorp"
"github.com/cossacklabs/acra/keystore/keyloader/kms"
baseKMS "github.com/cossacklabs/acra/keystore/kms"
keystoreV2 "github.com/cossacklabs/acra/keystore/v2/keystore"
Expand Down Expand Up @@ -72,8 +71,7 @@ func main() {
tlsClientCert := flag.String("tls_cert", "", "Path to TLS certificate to use as client_id identifier")
tlsIdentifierExtractorType := flag.String("tls_identifier_extractor_type", network.IdentifierExtractorTypeDistinguishedName, fmt.Sprintf("Decide which field of TLS certificate to use as ClientID (%s). Default is %s.", strings.Join(network.IdentifierExtractorTypesList, "|"), network.IdentifierExtractorTypeDistinguishedName))

kms.RegisterCLIParameters()
hashicorp.RegisterVaultCLIParameters()
keyloader.RegisterCLIParameters()
logging.SetLogLevel(logging.LogVerbose)

err := cmd.Parse(DefaultConfigPath, ServiceName)
Expand Down Expand Up @@ -151,7 +149,7 @@ func main() {
os.Exit(1)
}

if kmsOptions := kms.GetCLIParameters(); kmsOptions.KMSType != "" {
if kmsOptions := keyloader.GetCLIParameters().GetKMSParameters(); kmsOptions.KMSType != "" {
keyManager, err := kmsOptions.NewKeyManager()
if err != nil {
log.WithError(err).WithField("path", *masterKey).Errorln("Failed to initializer kms KeyManager")
Expand All @@ -167,7 +165,7 @@ func main() {
}

default:
log.WithField("supported", kms.SupportedPolicies).WithField("policy", kmsOptions.KeyPolicy).Errorln("Unsupported key policy for `kms_key_policy`")
log.WithField("supported", kms.SupportedPolicies).WithField("policy", *kmsKeyPolicy).Errorln("Unsupported key policy for `kms_key_policy`")
os.Exit(1)
}
}
Expand All @@ -189,7 +187,7 @@ func main() {
}
}

keyLoader, err := keyloader.GetInitializedMasterKeyLoader(hashicorp.GetVaultCLIParameters(), kms.GetCLIParameters())
keyLoader, err := keyloader.GetInitializedMasterKeyLoader(keyloader.GetCLIParameters().KeystoreEncryptorType)
if err != nil {
log.WithError(err).Errorln("Can't initialize ACRA_MASTER_KEY loader")
os.Exit(1)
Expand Down Expand Up @@ -287,23 +285,37 @@ func main() {
}

func openKeyStoreV1(output, outputPublic string, loader keyloader.MasterKeyLoader) keystore.KeyMaking {
masterKey, err := loader.LoadMasterKey()
if err != nil {
log.WithError(err).Errorln("Cannot load master key")
os.Exit(1)
}
scellEncryptor, err := keystore.NewSCellKeyEncryptor(masterKey)
if err != nil {
log.WithError(err).Errorln("Can't init scell encryptor")
os.Exit(1)
var keyStoreEncryptor keystore.KeyEncryptor

var keyLoaderParams = keyloader.GetCLIParameters()
if keyLoaderParams.KeystoreEncryptorType == keyloader.KeystoreStrategyKMSPerClient {
keyManager, err := keyLoaderParams.GetKMSParameters().NewKeyManager()
if err != nil {
log.WithError(err).Errorln("Failed to initializer kms KeyManager")
os.Exit(1)
}

keyStoreEncryptor = baseKMS.NewKeyEncryptor(keyManager)
} else {
masterKey, err := loader.LoadMasterKey()
if err != nil {
log.WithError(err).Errorln("Cannot load master key")
os.Exit(1)
}
keyStoreEncryptor, err = keystore.NewSCellKeyEncryptor(masterKey)
if err != nil {
log.WithError(err).Errorln("Can't init scell encryptor")
os.Exit(1)
}
}
keyStore := filesystem.NewCustomFilesystemKeyStore()

keyStoreBuilder := filesystem.NewCustomFilesystemKeyStore()
if outputPublic != output {
keyStore.KeyDirectories(output, outputPublic)
keyStoreBuilder.KeyDirectories(output, outputPublic)
} else {
keyStore.KeyDirectory(output)
keyStoreBuilder.KeyDirectory(output)
}
keyStore.Encryptor(scellEncryptor)
keyStoreBuilder.Encryptor(keyStoreEncryptor)
redis := cmd.GetRedisParameters()
if redis.KeysConfigured() {
keyStorage, err := filesystem.NewRedisStorage(redis.HostPort, redis.Password, redis.DBKeys, nil)
Expand All @@ -312,14 +324,19 @@ func openKeyStoreV1(output, outputPublic string, loader keyloader.MasterKeyLoade
Errorln("Can't initialize Redis client")
os.Exit(1)
}
keyStore.Storage(keyStorage)
keyStoreBuilder.Storage(keyStorage)
}
keyStoreV1, err := keyStore.Build()
keyStore, err := keyStoreBuilder.Build()
if err != nil {
log.WithError(err).Errorln("Can't init keystore")
os.Exit(1)
}
return keyStoreV1

if keyLoaderParams.KeystoreEncryptorType == keyloader.KeystoreStrategyKMSPerClient {
keyManager, _ := keyLoaderParams.GetKMSParameters().NewKeyManager()
return baseKMS.NewKeyMakingWrapper(keyStore, keyManager)
}
return keyStore
}

func openKeyStoreV2(keyDirPath string, loader keyloader.MasterKeyLoader) keystore.KeyMaking {
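Review bot: As in `acra-addzone`, `openKeyStoreV1` constructs the KMS KeyManager a second time right before `return baseKMS.NewKeyMakingWrapper(keyStore, keyManager)` and discards the error with `keyManager, _ :=`, so a failure at that point yields a wrapper around an unusable manager rather than the `os.Exit(1)` the first call gets. Hoist `keyManager` to function scope beside `var keyStoreEncryptor keystore.KeyEncryptor`, assign it with `=` in the `KeystoreStrategyKMSPerClient` branch, and pass that same instance to the wrapper. Separately, the master-key creation path in `main()` is still gated on `kmsOptions.KMSType != ""` rather than on the new `keystore_encryption_type` strategy, so it appears possible to set a KMS type while leaving the strategy at the master-key default (or the reverse); it is worth confirming the two flags are validated against each other, or documenting which one is authoritative. The `"Failed to initializer kms KeyManager"` message carries the same typo as the other tool. Both `main()` and `openKeyStoreV2` extend beyond the visible hunk lines.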
2 changes: 1 addition & 1 deletion cmd/acra-keys/keys/generate.go
Expand Up @@ -298,7 +298,7 @@ func (g *GenerateKeySubcommand) Execute() {
}
}

keyLoader, err := keyloader.GetInitializedMasterKeyLoader(g.CommonKeyStoreParameters.VaultCLIOptions(), g.CommonKeyStoreParameters.KMSCLIOptions())
keyLoader, err := keyloader.GetInitializedMasterKeyLoader(g.CommonKeyStoreParameters.KeyLoaderCLIOptions().KeystoreEncryptorType)
if err != nil {
return
}