Re-add lost stored-shares parameter to operator rekey command.
Also change the rekey API to not require explicitly setting values to 1.

Fixes #3969
jefferai committed Feb 14, 2018
1 parent 901f98f commit 9aa481d
Showing 4 changed files with 41 additions and 35 deletions.
19 changes: 9 additions & 10 deletions command/operator_init.go
Expand Up @@ -196,15 +196,6 @@ func (c *OperatorInitCommand) Flags() *FlagSets {
"is only used in HSM mode.",
})

f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0, // No default, because we need to check if was supplied
Completion: complete.PredictAnything,
Usage: "Number of unseal keys to store on an HSM. This must be equal to " +
"-key-shares. This is only used in HSM mode.",
})

// Deprecations
// TODO: remove in 0.9.0
f.BoolVar(&BoolVar{
Expand All @@ -222,6 +213,14 @@ func (c *OperatorInitCommand) Flags() *FlagSets {
Usage: "",
})

f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0, // No default, because we need to check if was supplied
Hidden: true,
Usage: "",
})

return set
}

Expand Down Expand Up @@ -456,7 +455,7 @@ func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int
c.UI.Output("")
c.UI.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))

if req.StoredShares < 1 {
if len(resp.Keys) > 0 {
c.UI.Output("")
c.UI.Output(wrapAtLength(fmt.Sprintf(
"Vault initialized with %d key shares and a key threshold of %d. Please "+
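Review bot: The `stored-shares` flag moved to the hidden block in `Flags()` is still parsed, but with `Hidden: true` and an empty `Usage` an operator whose script passes it gets no hint that the value no longer does what the old help text said. Per the http/sys_init.go and http/sys_rekey.go sections of this commit, the server now forces stored shares to 1 on stored-key seals and rejects a supplied value on other seals. The same applies to the flag added in command/operator_rekey.go. A comment on both declarations would record this, for example `// Deprecated: accepted for compatibility only; the server forces stored shares to 1 on stored-key seals and rejects it otherwise.` The kept comment `// No default, because we need to check if was supplied` should be confirmed against the code outside this hunk, since Flags() starts before it.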
16 changes: 13 additions & 3 deletions command/operator_rekey.go
Expand Up @@ -37,9 +37,10 @@ type OperatorRekeyCommand struct {

// Deprecations
// TODO: remove in 0.9.0
flagDelete bool
flagRecoveryKey bool
flagRetrieve bool
flagDelete bool
flagRecoveryKey bool
flagRetrieve bool
flagStoredShares int

testStdin io.Reader // for tests
}
Expand Down Expand Up @@ -231,6 +232,14 @@ func (c *OperatorRekeyCommand) Flags() *FlagSets {
Usage: "",
})

f.IntVar(&IntVar{
Name: "stored-shares",
Target: &c.flagStoredShares,
Default: 0,
Hidden: true,
Usage: "",
})

return set
}

Expand Down Expand Up @@ -323,6 +332,7 @@ func (c *OperatorRekeyCommand) init(client *api.Client) int {
status, err := fn(&api.RekeyInitRequest{
SecretShares: c.flagKeyShares,
SecretThreshold: c.flagKeyThreshold,
StoredShares: c.flagStoredShares,
PGPKeys: c.flagPGPKeys,
Backup: c.flagBackup,
})
24 changes: 8 additions & 16 deletions http/sys_init.go
Expand Up @@ -69,36 +69,28 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
// need to be a way to actually allow fetching of the generated keys by
// operators.
if core.SealAccess().StoredKeysSupported() {
if barrierConfig.SecretShares != 1 {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares must be 1"))
return
}
if barrierConfig.SecretThreshold != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret threshold must be same as secret shares"))
return
}
if barrierConfig.StoredShares != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored shares must be same as secret shares"))
return
}
if barrierConfig.PGPKeys != nil && len(barrierConfig.PGPKeys) > 0 {
if len(barrierConfig.PGPKeys) > 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("PGP keys not supported when storing shares"))
return
}
barrierConfig.SecretShares = 1
barrierConfig.SecretThreshold = 1
barrierConfig.StoredShares = 1
core.Logger().Warn("init: stored keys supported, forcing shares/threshold to 1")
} else {
if barrierConfig.StoredShares > 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported"))
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
return
}
}

if len(barrierConfig.PGPKeys) > 0 && len(barrierConfig.PGPKeys) != barrierConfig.SecretShares-barrierConfig.StoredShares {
if len(barrierConfig.PGPKeys) > 0 && len(barrierConfig.PGPKeys) != barrierConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys"))
return
}

if core.SealAccess().RecoveryKeySupported() {
if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares-recoveryConfig.StoredShares {
if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for recovery"))
return
}
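Review bot: The `StoredKeysSupported()` branch now overwrites the caller's `SecretShares`, `SecretThreshold` and `StoredShares` with 1 without telling the API client. The only trace is a server-side warning, which also fires when the request already asked for 1. An operator who requested a multi-share threshold for the barrier key would learn that it was discarded only by reading the server log. Consider wrapping the `Warn` call in `if barrierConfig.SecretShares != 1 || barrierConfig.SecretThreshold != 1 || barrierConfig.StoredShares != 1 {` so that it logs only when a value is actually changed, and, if the init response allows it, returning the effective values to the caller. handleSysInitPut starts and ends outside this hunk.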
17 changes: 11 additions & 6 deletions http/sys_rekey.go
Expand Up @@ -117,16 +117,21 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool,
return
}

// If the seal supports recovery keys and stored keys, then we allow rekeying the barrier key
// iff the secret shares, secret threshold, and stored shares are set to 1.
if !recovery && core.SealAccess().RecoveryKeySupported() && core.SealAccess().StoredKeysSupported() {
if req.SecretShares != 1 || req.SecretThreshold != 1 || req.StoredShares != 1 {
respondError(w, http.StatusBadRequest, fmt.Errorf("secret shares, secret threshold, and stored shares must be set to 1"))
// If the seal supports stored keys, and we are rekeying the barrier key,
// force the shares to 1
if !recovery && core.SealAccess().StoredKeysSupported() {
req.SecretShares = 1
req.SecretThreshold = 1
req.StoredShares = 1
core.Logger().Warn("rekey: stored keys supported, forcing shares/threshold to 1")
} else {
if req.StoredShares != 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
return
}
}

if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {
if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
return
}
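Review bot: The new `else` branch handles two different cases with one message: a seal without stored-key support, and a recovery-key rekey (`recovery == true`) on a seal that does support stored keys. In the second case a non-zero `StoredShares` is rejected with "stored keys are not supported by the current seal type", which is untrue for that seal and sends the operator looking at the wrong setting. Splitting the condition keeps the rejection and gives each case an accurate error, as sketched below. As in the init handler, the forced values are reported only in the server log. handleSysRekeyInitPut starts and ends outside this hunk.

```go
switch {
case recovery:
	// A recovery-key rekey rejects stored shares whatever the seal supports.
	if req.StoredShares != 0 {
		respondError(w, http.StatusBadRequest, fmt.Errorf("stored shares cannot be set when rekeying the recovery key"))
		return
	}
case core.SealAccess().StoredKeysSupported():
	// … unchanged: force shares/threshold/stored shares to 1 and log the warning …
default:
	if req.StoredShares != 0 {
		respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
		return
	}
}
```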
