/* * MinIO Cloud Storage, (C) 2019 MinIO, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package crypto import ( "fmt" "reflect" "strconv" "github.com/minio/minio/cmd/config" "github.com/minio/minio/pkg/env" xnet "github.com/minio/minio/pkg/net" ) const ( // EnvKMSMasterKeyLegacy is the environment variable used to specify // a KMS master key used to protect SSE-S3 per-object keys. // Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE". EnvKMSMasterKeyLegacy = "MINIO_SSE_MASTER_KEY" // EnvAutoEncryptionLegacy is the environment variable used to en/disable // SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled, // requires a valid KMS configuration and turns any non-SSE-C // request into an SSE-S3 request. // If present EnvAutoEncryption must be either "on" or "off". EnvAutoEncryptionLegacy = "MINIO_SSE_AUTO_ENCRYPTION" ) const ( // EnvLegacyVaultEndpoint is the environment variable used to specify // the vault HTTPS endpoint. EnvLegacyVaultEndpoint = "MINIO_SSE_VAULT_ENDPOINT" // EnvLegacyVaultAuthType is the environment variable used to specify // the authentication type for vault. EnvLegacyVaultAuthType = "MINIO_SSE_VAULT_AUTH_TYPE" // EnvLegacyVaultAppRoleID is the environment variable used to specify // the vault AppRole ID. EnvLegacyVaultAppRoleID = "MINIO_SSE_VAULT_APPROLE_ID" // EnvLegacyVaultAppSecretID is the environment variable used to specify // the vault AppRole secret corresponding to the AppRole ID. EnvLegacyVaultAppSecretID = "MINIO_SSE_VAULT_APPROLE_SECRET" // EnvLegacyVaultKeyVersion is the environment variable used to specify // the vault key version. EnvLegacyVaultKeyVersion = "MINIO_SSE_VAULT_KEY_VERSION" // EnvLegacyVaultKeyName is the environment variable used to specify // the vault named key-ring. In the S3 context it's referred as // customer master key ID (CMK-ID). EnvLegacyVaultKeyName = "MINIO_SSE_VAULT_KEY_NAME" // EnvLegacyVaultCAPath is the environment variable used to specify the // path to a directory of PEM-encoded CA cert files. These CA cert // files are used to authenticate MinIO to Vault over mTLS. EnvLegacyVaultCAPath = "MINIO_SSE_VAULT_CAPATH" // EnvLegacyVaultNamespace is the environment variable used to specify // vault namespace. The vault namespace is used if the enterprise // version of Hashicorp Vault is used. EnvLegacyVaultNamespace = "MINIO_SSE_VAULT_NAMESPACE" ) // SetKMSConfig helper to migrate from older KMSConfig to new KV. func SetKMSConfig(s config.Config, cfg KMSConfig) { s[config.KmsVaultSubSys][config.Default] = config.KVS{ KMSVaultEndpoint: cfg.Vault.Endpoint, KMSVaultCAPath: cfg.Vault.CAPath, KMSVaultAuthType: func() string { if cfg.Vault.Auth.Type != "" { return cfg.Vault.Auth.Type } return "approle" }(), KMSVaultAppRoleID: cfg.Vault.Auth.AppRole.ID, KMSVaultAppRoleSecret: cfg.Vault.Auth.AppRole.Secret, KMSVaultKeyName: cfg.Vault.Key.Name, KMSVaultKeyVersion: strconv.Itoa(cfg.Vault.Key.Version), KMSVaultNamespace: cfg.Vault.Namespace, config.State: func() string { if cfg.Vault.Endpoint != "" { return config.StateOn } return config.StateOff }(), config.Comment: "Settings for KMS Vault, after migrating config", } } // lookupConfigLegacy extracts the KMS configuration provided by legacy // environment variables and merge them with the provided KMS configuration. // The merging follows the following rules: // // 1. A valid value provided as environment variable has higher priority // than the provided configuration and overwrites the value from the // configuration file. // // 2. A value specified as environment variable never changes the configuration // file. So it is never made a persistent setting. // // It sets the global KMS configuration according to the merged configuration // on success. func lookupConfigLegacy(kvs config.KVS) (KMSConfig, error) { autoBool, err := config.ParseBool(env.Get(EnvAutoEncryptionLegacy, config.StateOff)) if err != nil { return KMSConfig{}, err } cfg := KMSConfig{ AutoEncryption: autoBool, Vault: VaultConfig{ Auth: VaultAuth{ Type: "approle", }, }, } // Assume default as "on" for legacy config since we didn't have a _STATE // flag to turn it off, but we should honor it nonetheless to turn it off // if the vault endpoint is down and there is no way to start the server. stateBool, err := config.ParseBool(env.Get(EnvKMSVaultState, config.StateOn)) if err != nil { return cfg, err } if !stateBool { return cfg, nil } endpointStr := env.Get(EnvLegacyVaultEndpoint, "") if endpointStr != "" { // Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present endpoint, err := xnet.ParseHTTPURL(endpointStr) if err != nil { return cfg, err } endpointStr = endpoint.String() } cfg.Vault.Endpoint = endpointStr cfg.Vault.CAPath = env.Get(EnvLegacyVaultCAPath, "") cfg.Vault.Auth.Type = env.Get(EnvLegacyVaultAuthType, "") if cfg.Vault.Auth.Type == "" { cfg.Vault.Auth.Type = "approle" } cfg.Vault.Auth.AppRole.ID = env.Get(EnvLegacyVaultAppRoleID, "") cfg.Vault.Auth.AppRole.Secret = env.Get(EnvLegacyVaultAppSecretID, "") cfg.Vault.Key.Name = env.Get(EnvLegacyVaultKeyName, "") cfg.Vault.Namespace = env.Get(EnvLegacyVaultNamespace, "") if keyVersion := env.Get(EnvLegacyVaultKeyVersion, ""); keyVersion != "" { cfg.Vault.Key.Version, err = strconv.Atoi(keyVersion) if err != nil { return cfg, fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)", EnvLegacyVaultKeyVersion, keyVersion) } } if reflect.DeepEqual(cfg.Vault, defaultCfg) { return cfg, nil } if err = cfg.Vault.Verify(); err != nil { return cfg, err } cfg.Vault.Enabled = true return cfg, nil }