-
Notifications
You must be signed in to change notification settings - Fork 4.3k
/
Copy pathrandom_api.go
115 lines (104 loc) · 2.91 KB
/
random_api.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package random
import (
"crypto/rand"
"encoding/base64"
"encoding/hex"
"fmt"
"io"
"strconv"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/xor"
"github.com/hashicorp/vault/sdk/logical"
)
const APIMaxBytes = 128 * 1024
func HandleRandomAPI(d *framework.FieldData, additionalSource io.Reader) (*logical.Response, error) {
bytes := 0
// Parsing is convoluted here, but allows operators to ACL both source and byte count
maybeUrlBytes := d.Raw["urlbytes"]
maybeSource := d.Raw["source"]
source := "platform"
var err error
if maybeSource == "" {
bytes = d.Get("bytes").(int)
} else if maybeUrlBytes == "" && isValidSource(maybeSource.(string)) {
source = maybeSource.(string)
bytes = d.Get("bytes").(int)
} else if maybeUrlBytes == "" {
bytes, err = strconv.Atoi(maybeSource.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("error parsing url-set byte count: %s", err)), nil
}
} else {
source = maybeSource.(string)
bytes, err = strconv.Atoi(maybeUrlBytes.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("error parsing url-set byte count: %s", err)), nil
}
}
format := d.Get("format").(string)
if bytes < 1 {
return logical.ErrorResponse(`"bytes" cannot be less than 1`), nil
}
if bytes > APIMaxBytes {
return logical.ErrorResponse(`"bytes" should be less than %d`, APIMaxBytes), nil
}
switch format {
case "hex":
case "base64":
default:
return logical.ErrorResponse("unsupported encoding format %q; must be \"hex\" or \"base64\"", format), nil
}
var randBytes []byte
var warning string
switch source {
case "", "platform":
randBytes, err = uuid.GenerateRandomBytes(bytes)
if err != nil {
return nil, err
}
case "seal":
if rand.Reader == additionalSource {
warning = "no seal/entropy augmentation available, using platform entropy source"
}
randBytes, err = uuid.GenerateRandomBytesWithReader(bytes, additionalSource)
case "all":
randBytes, err = uuid.GenerateRandomBytes(bytes)
if err == nil && rand.Reader != additionalSource {
var sealBytes []byte
sealBytes, err = uuid.GenerateRandomBytesWithReader(bytes, additionalSource)
if err == nil {
randBytes, err = xor.XORBytes(sealBytes, randBytes)
}
}
default:
return logical.ErrorResponse("unsupported entropy source %q; must be \"platform\" or \"seal\", or \"all\"", source), nil
}
if err != nil {
return nil, err
}
var retStr string
switch format {
case "hex":
retStr = hex.EncodeToString(randBytes)
case "base64":
retStr = base64.StdEncoding.EncodeToString(randBytes)
}
// Generate the response
resp := &logical.Response{
Data: map[string]interface{}{
"random_bytes": retStr,
},
}
if warning != "" {
resp.Warnings = []string{warning}
}
return resp, nil
}
func isValidSource(s string) bool {
switch s {
case "", "platform", "seal", "all":
return true
}
return false
}