Checkpoint: auth, engine, seal, server, grpc updates
Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
@@ -6,6 +6,7 @@ import (
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
@@ -51,6 +52,7 @@ var (
|
||||
type Manager struct {
|
||||
db *sql.DB
|
||||
barrier *barrier.AESGCMBarrier
|
||||
logger *slog.Logger
|
||||
|
||||
mu sync.RWMutex
|
||||
state ServiceState
|
||||
@@ -63,10 +65,11 @@ type Manager struct {
|
||||
}
|
||||
|
||||
// NewManager creates a new seal manager.
|
||||
func NewManager(db *sql.DB, b *barrier.AESGCMBarrier) *Manager {
|
||||
func NewManager(db *sql.DB, b *barrier.AESGCMBarrier, logger *slog.Logger) *Manager {
|
||||
return &Manager{
|
||||
db: db,
|
||||
barrier: b,
|
||||
logger: logger,
|
||||
state: StateUninitialized,
|
||||
}
|
||||
}
|
||||
@@ -98,8 +101,10 @@ func (m *Manager) CheckInitialized() error {
|
||||
}
|
||||
if count > 0 {
|
||||
m.state = StateSealed
|
||||
m.logger.Debug("seal config found, state set to sealed")
|
||||
} else {
|
||||
m.state = StateUninitialized
|
||||
m.logger.Debug("no seal config found, state set to uninitialized")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -114,6 +119,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
|
||||
return ErrAlreadyInitialized
|
||||
}
|
||||
|
||||
m.logger.Debug("initializing seal manager")
|
||||
m.state = StateInitializing
|
||||
defer func() {
|
||||
if m.mek == nil {
|
||||
@@ -162,6 +168,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
|
||||
|
||||
m.mek = mek
|
||||
m.state = StateUnsealed
|
||||
m.logger.Debug("seal initialization complete, barrier unsealed")
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -177,9 +184,11 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
return ErrNotSealed
|
||||
}
|
||||
|
||||
m.logger.Debug("unseal attempt")
|
||||
// Rate limiting.
|
||||
now := time.Now()
|
||||
if now.Before(m.lockoutUntil) {
|
||||
m.logger.Debug("unseal attempt rate limited")
|
||||
return ErrRateLimited
|
||||
}
|
||||
if now.Sub(m.lastAttempt) > time.Minute {
|
||||
@@ -190,6 +199,7 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
if m.unsealAttempts > 5 {
|
||||
m.lockoutUntil = now.Add(60 * time.Second)
|
||||
m.unsealAttempts = 0
|
||||
m.logger.Debug("unseal attempts exceeded, locking out")
|
||||
return ErrRateLimited
|
||||
}
|
||||
|
||||
@@ -215,6 +225,7 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
|
||||
mek, err := crypto.Decrypt(kwk, encryptedMEK)
|
||||
if err != nil {
|
||||
m.logger.Debug("unseal failed: invalid password")
|
||||
return ErrInvalidPassword
|
||||
}
|
||||
|
||||
@@ -227,6 +238,7 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
m.mek = mek
|
||||
m.state = StateUnsealed
|
||||
m.unsealAttempts = 0
|
||||
m.logger.Debug("unseal succeeded, barrier unsealed")
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -239,11 +251,13 @@ func (m *Manager) Seal() error {
|
||||
return ErrNotSealed
|
||||
}
|
||||
|
||||
m.logger.Debug("sealing service")
|
||||
if m.mek != nil {
|
||||
crypto.Zeroize(m.mek)
|
||||
m.mek = nil
|
||||
}
|
||||
m.barrier.Seal()
|
||||
m.state = StateSealed
|
||||
m.logger.Debug("service sealed")
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user