Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
235
gen/metacrypt/v2/barrier_grpc.pb.go
Normal file
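--- /dev/null
+++ b/gen/metacrypt/v2/barrier_grpc.pb.go
@@ -0,0 +1,235 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.1
+// - protoc v3.20.3
+// source: proto/metacrypt/v2/barrier.proto
+
+package metacryptv2
+
+import (
+context "context"
+grpc "google.golang.org/grpc"
+codes "google.golang.org/grpc/codes"
+status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+BarrierService_ListKeys_FullMethodName = "/metacrypt.v2.BarrierService/ListKeys"
+BarrierService_RotateMEK_FullMethodName = "/metacrypt.v2.BarrierService/RotateMEK"
+BarrierService_RotateKey_FullMethodName = "/metacrypt.v2.BarrierService/RotateKey"
+BarrierService_Migrate_FullMethodName = "/metacrypt.v2.BarrierService/Migrate"
+)
+
+// BarrierServiceClient is the client API for BarrierService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type BarrierServiceClient interface {
+ListKeys(ctx context.Context, in *ListKeysRequest, opts ...grpc.CallOption) (*ListKeysResponse, error)
+RotateMEK(ctx context.Context, in *RotateMEKRequest, opts ...grpc.CallOption) (*RotateMEKResponse, error)
+RotateKey(ctx context.Context, in *RotateKeyRequest, opts ...grpc.CallOption) (*RotateKeyResponse, error)
+Migrate(ctx context.Context, in *MigrateBarrierRequest, opts ...grpc.CallOption) (*MigrateBarrierResponse, error)
+}
+
+type barrierServiceClient struct {
+cc grpc.ClientConnInterface
+}
+
+func NewBarrierServiceClient(cc grpc.ClientConnInterface) BarrierServiceClient {
+return &barrierServiceClient{cc}
+}
+
+func (c *barrierServiceClient) ListKeys(ctx context.Context, in *ListKeysRequest, opts ...grpc.CallOption) (*ListKeysResponse, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+out := new(ListKeysResponse)
+err := c.cc.Invoke(ctx, BarrierService_ListKeys_FullMethodName, in, out, cOpts...)
+if err != nil {
+return nil, err
+}
+return out, nil
+}
+
+func (c *barrierServiceClient) RotateMEK(ctx context.Context, in *RotateMEKRequest, opts ...grpc.CallOption) (*RotateMEKResponse, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+out := new(RotateMEKResponse)
+err := c.cc.Invoke(ctx, BarrierService_RotateMEK_FullMethodName, in, out, cOpts...)
+if err != nil {
+return nil, err
+}
+return out, nil
+}
+
+func (c *barrierServiceClient) RotateKey(ctx context.Context, in *RotateKeyRequest, opts ...grpc.CallOption) (*RotateKeyResponse, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+out := new(RotateKeyResponse)
+err := c.cc.Invoke(ctx, BarrierService_RotateKey_FullMethodName, in, out, cOpts...)
+if err != nil {
+return nil, err
+}
+return out, nil
+}
+
+func (c *barrierServiceClient) Migrate(ctx context.Context, in *MigrateBarrierRequest, opts ...grpc.CallOption) (*MigrateBarrierResponse, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+out := new(MigrateBarrierResponse)
+err := c.cc.Invoke(ctx, BarrierService_Migrate_FullMethodName, in, out, cOpts...)
+if err != nil {
+return nil, err
+}
+return out, nil
+}
+
+// BarrierServiceServer is the server API for BarrierService service.
+// All implementations must embed UnimplementedBarrierServiceServer
+// for forward compatibility.
+type BarrierServiceServer interface {
+ListKeys(context.Context, *ListKeysRequest) (*ListKeysResponse, error)
+RotateMEK(context.Context, *RotateMEKRequest) (*RotateMEKResponse, error)
+RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error)
+Migrate(context.Context, *MigrateBarrierRequest) (*MigrateBarrierResponse, error)
+mustEmbedUnimplementedBarrierServiceServer()
+}
+
+// UnimplementedBarrierServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedBarrierServiceServer struct{}
+
+func (UnimplementedBarrierServiceServer) ListKeys(context.Context, *ListKeysRequest) (*ListKeysResponse, error) {
+return nil, status.Error(codes.Unimplemented, "method ListKeys not implemented")
+}
+func (UnimplementedBarrierServiceServer) RotateMEK(context.Context, *RotateMEKRequest) (*RotateMEKResponse, error) {
+return nil, status.Error(codes.Unimplemented, "method RotateMEK not implemented")
+}
+func (UnimplementedBarrierServiceServer) RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error) {
+return nil, status.Error(codes.Unimplemented, "method RotateKey not implemented")
+}
+func (UnimplementedBarrierServiceServer) Migrate(context.Context, *MigrateBarrierRequest) (*MigrateBarrierResponse, error) {
+return nil, status.Error(codes.Unimplemented, "method Migrate not implemented")
+}
+func (UnimplementedBarrierServiceServer) mustEmbedUnimplementedBarrierServiceServer() {}
+func (UnimplementedBarrierServiceServer) testEmbeddedByValue() {}
+
+// UnsafeBarrierServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to BarrierServiceServer will
+// result in compilation errors.
+type UnsafeBarrierServiceServer interface {
+mustEmbedUnimplementedBarrierServiceServer()
+}
+
+func RegisterBarrierServiceServer(s grpc.ServiceRegistrar, srv BarrierServiceServer) {
+// If the following call panics, it indicates UnimplementedBarrierServiceServer was
+// embedded by pointer and is nil. This will cause panics if an
+// unimplemented method is ever invoked, so we test this at initialization
+// time to prevent it from happening at runtime later due to I/O.
+if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+t.testEmbeddedByValue()
+}
+s.RegisterService(&BarrierService_ServiceDesc, srv)
+}
+
+func _BarrierService_ListKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+in := new(ListKeysRequest)
+if err := dec(in); err != nil {
+return nil, err
+}
+if interceptor == nil {
+return srv.(BarrierServiceServer).ListKeys(ctx, in)
+}
+info := &grpc.UnaryServerInfo{
+Server: srv,
+FullMethod: BarrierService_ListKeys_FullMethodName,
+}
+handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+return srv.(BarrierServiceServer).ListKeys(ctx, req.(*ListKeysRequest))
+}
+return interceptor(ctx, in, info, handler)
+}
+
+func _BarrierService_RotateMEK_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+in := new(RotateMEKRequest)
+if err := dec(in); err != nil {
+return nil, err
+}
+if interceptor == nil {
+return srv.(BarrierServiceServer).RotateMEK(ctx, in)
+}
+info := &grpc.UnaryServerInfo{
+Server: srv,
+FullMethod: BarrierService_RotateMEK_FullMethodName,
+}
+handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+return srv.(BarrierServiceServer).RotateMEK(ctx, req.(*RotateMEKRequest))
+}
+return interceptor(ctx, in, info, handler)
+}
+
+func _BarrierService_RotateKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+in := new(RotateKeyRequest)
+if err := dec(in); err != nil {
+return nil, err
+}
+if interceptor == nil {
+return srv.(BarrierServiceServer).RotateKey(ctx, in)
+}
+info := &grpc.UnaryServerInfo{
+Server: srv,
+FullMethod: BarrierService_RotateKey_FullMethodName,
+}
+handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+return srv.(BarrierServiceServer).RotateKey(ctx, req.(*RotateKeyRequest))
+}
+return interceptor(ctx, in, info, handler)
+}
+
+func _BarrierService_Migrate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+in := new(MigrateBarrierRequest)
+if err := dec(in); err != nil {
+return nil, err
+}
+if interceptor == nil {
+return srv.(BarrierServiceServer).Migrate(ctx, in)
+}
+info := &grpc.UnaryServerInfo{
+Server: srv,
+FullMethod: BarrierService_Migrate_FullMethodName,
+}
+handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+return srv.(BarrierServiceServer).Migrate(ctx, req.(*MigrateBarrierRequest))
+}
+return interceptor(ctx, in, info, handler)
+}
+
+// BarrierService_ServiceDesc is the grpc.ServiceDesc for BarrierService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var BarrierService_ServiceDesc = grpc.ServiceDesc{
+ServiceName: "metacrypt.v2.BarrierService",
+HandlerType: (*BarrierServiceServer)(nil),
+Methods: []grpc.MethodDesc{
+{
+MethodName: "ListKeys",
+Handler: _BarrierService_ListKeys_Handler,
+},
+{
+MethodName: "RotateMEK",
+Handler: _BarrierService_RotateMEK_Handler,
+},
+{
+MethodName: "RotateKey",
+Handler: _BarrierService_RotateKey_Handler,
+},
+{
+MethodName: "Migrate",
+Handler: _BarrierService_Migrate_Handler,
+},
+},
+Streams: []grpc.StreamDesc{},
+Metadata: "proto/metacrypt/v2/barrier.proto",
+}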