Add vault seal/unseal lifecycle
- New internal/vault package: thread-safe Vault struct with seal/unseal state, key material zeroing, and key derivation - REST: POST /v1/vault/unseal, POST /v1/vault/seal, GET /v1/vault/status; health returns sealed status - UI: /unseal page with passphrase form, redirect when sealed - gRPC: sealedInterceptor rejects RPCs when sealed - Middleware: RequireUnsealed blocks all routes except exempt paths; RequireAuth reads pubkey from vault at request time - Startup: server starts sealed when passphrase unavailable - All servers share single *vault.Vault by pointer - CSRF manager derives key lazily from vault Security: Key material is zeroed on seal. Sealed middleware runs before auth. Handlers fail closed if vault becomes sealed mid-request. Unseal endpoint is rate-limited (3/s burst 5). No CSRF on unseal page (no session to protect; chicken-and-egg with master key). Passphrase never logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -199,12 +199,15 @@ paths:
|
||||
/v1/health:
|
||||
get:
|
||||
summary: Health check
|
||||
description: Returns `{"status":"ok"}` if the server is running. No auth required.
|
||||
description: |
|
||||
Returns `{"status":"ok"}` if the server is running and the vault is
|
||||
unsealed, or `{"status":"sealed"}` if the vault is sealed.
|
||||
No auth required.
|
||||
operationId: getHealth
|
||||
tags: [Public]
|
||||
responses:
|
||||
"200":
|
||||
description: Server is healthy.
|
||||
description: Server is healthy (may be sealed).
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
@@ -212,8 +215,87 @@ paths:
|
||||
properties:
|
||||
status:
|
||||
type: string
|
||||
enum: [ok, sealed]
|
||||
example: ok
|
||||
|
||||
/v1/vault/status:
|
||||
get:
|
||||
summary: Vault seal status
|
||||
description: Returns `{"sealed": true}` or `{"sealed": false}`. No auth required.
|
||||
operationId: getVaultStatus
|
||||
tags: [Vault]
|
||||
responses:
|
||||
"200":
|
||||
description: Current seal state.
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
type: object
|
||||
properties:
|
||||
sealed:
|
||||
type: boolean
|
||||
|
||||
/v1/vault/unseal:
|
||||
post:
|
||||
summary: Unseal the vault
|
||||
description: |
|
||||
Accepts a passphrase, derives the master key, and unseals the vault.
|
||||
Rate-limited to 3 requests per second, burst of 5.
|
||||
No auth required (the vault is sealed, so no tokens can be validated).
|
||||
operationId: unsealVault
|
||||
tags: [Vault]
|
||||
requestBody:
|
||||
required: true
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
type: object
|
||||
required: [passphrase]
|
||||
properties:
|
||||
passphrase:
|
||||
type: string
|
||||
description: Master passphrase for key derivation.
|
||||
responses:
|
||||
"200":
|
||||
description: Vault unsealed successfully.
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
type: object
|
||||
properties:
|
||||
status:
|
||||
type: string
|
||||
example: unsealed
|
||||
"401":
|
||||
description: Unseal failed (wrong passphrase).
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
$ref: "#/components/schemas/Error"
|
||||
|
||||
/v1/vault/seal:
|
||||
post:
|
||||
summary: Seal the vault
|
||||
description: |
|
||||
Seals the vault, zeroing all key material in memory.
|
||||
Requires admin authentication. The caller's token becomes invalid
|
||||
after sealing.
|
||||
operationId: sealVault
|
||||
tags: [Vault]
|
||||
security:
|
||||
- bearerAuth: []
|
||||
responses:
|
||||
"200":
|
||||
description: Vault sealed successfully.
|
||||
content:
|
||||
application/json:
|
||||
schema:
|
||||
type: object
|
||||
properties:
|
||||
status:
|
||||
type: string
|
||||
example: sealed
|
||||
|
||||
/v1/keys/public:
|
||||
get:
|
||||
summary: Ed25519 public key (JWK)
|
||||
|
||||
Reference in New Issue
Block a user