Implement transit encryption engine with versioned key management

Add complete transit engine supporting symmetric encryption (AES-256-GCM, XChaCha20-Poly1305), asymmetric signing (Ed25519, ECDSA P-256/P-384), and HMAC (SHA-256/SHA-512) with versioned key rotation, min decryption version enforcement, key trimming, batch operations, and rewrap. Includes proto definitions, gRPC handlers, REST routes, and comprehensive tests covering all 18 operations, auth enforcement, and edge cases. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:45:56 -07:00
parent ac4577f778
commit cbd77c58e8
10 changed files with 6718 additions and 4 deletions
--- a/internal/grpcserver/transit.go
+++ b/internal/grpcserver/transit.go
@@ -0,0 +1,486 @@
+package grpcserver
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
+	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
+	"git.wntrmute.dev/kyle/metacrypt/internal/engine/transit"
+	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
+)
+
+type transitServer struct {
+	pb.UnimplementedTransitServiceServer
+	s *GRPCServer
+}
+
+func (ts *transitServer) transitHandleRequest(ctx context.Context, mount, operation string, req *engine.Request) (*engine.Response, error) {
+	resp, err := ts.s.engines.HandleRequest(ctx, mount, req)
+	if err != nil {
+		st := codes.Internal
+		switch {
+		case errors.Is(err, engine.ErrMountNotFound):
+			st = codes.NotFound
+		case errors.Is(err, transit.ErrKeyNotFound):
+			st = codes.NotFound
+		case errors.Is(err, transit.ErrKeyExists):
+			st = codes.AlreadyExists
+		case errors.Is(err, transit.ErrUnauthorized):
+			st = codes.Unauthenticated
+		case errors.Is(err, transit.ErrForbidden):
+			st = codes.PermissionDenied
+		case errors.Is(err, transit.ErrDeletionDenied):
+			st = codes.FailedPrecondition
+		case errors.Is(err, transit.ErrUnsupportedOp):
+			st = codes.InvalidArgument
+		case errors.Is(err, transit.ErrDecryptVersion):
+			st = codes.FailedPrecondition
+		case errors.Is(err, transit.ErrInvalidFormat):
+			st = codes.InvalidArgument
+		case errors.Is(err, transit.ErrBatchTooLarge):
+			st = codes.InvalidArgument
+		case errors.Is(err, transit.ErrInvalidMinVer):
+			st = codes.InvalidArgument
+		case strings.Contains(err.Error(), "not found"):
+			st = codes.NotFound
+		case strings.Contains(err.Error(), "forbidden"):
+			st = codes.PermissionDenied
+		}
+		ts.s.logger.Error("grpc: transit "+operation, "mount", mount, "error", err)
+		return nil, status.Error(st, err.Error())
+	}
+	return resp, nil
+}
+
+func (ts *transitServer) callerInfo(ctx context.Context) *engine.CallerInfo {
+	ti := tokenInfoFromContext(ctx)
+	if ti == nil {
+		return nil
+	}
+	return &engine.CallerInfo{
+		Username: ti.Username,
+		Roles:    ti.Roles,
+		IsAdmin:  ti.IsAdmin,
+	}
+}
+
+func (ts *transitServer) policyChecker(ctx context.Context) engine.PolicyChecker {
+	caller := ts.callerInfo(ctx)
+	if caller == nil {
+		return nil
+	}
+	return func(resource, action string) (string, bool) {
+		pReq := &policy.Request{
+			Username: caller.Username,
+			Roles:    caller.Roles,
+			Resource: resource,
+			Action:   action,
+		}
+		effect, matched, err := ts.s.policy.Match(ctx, pReq)
+		if err != nil {
+			return string(policy.EffectDeny), false
+		}
+		return string(effect), matched
+	}
+}
+
+func (ts *transitServer) CreateKey(ctx context.Context, req *pb.CreateTransitKeyRequest) (*pb.CreateTransitKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "create-key", &engine.Request{
+		Operation:  "create-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data: map[string]interface{}{
+			"name": req.Name,
+			"type": req.Type,
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	name, _ := resp.Data["name"].(string)
+	keyType, _ := resp.Data["type"].(string)
+	version, _ := resp.Data["version"].(int)
+	ts.s.logger.Info("audit: transit key created", "mount", req.Mount, "key", name, "type", keyType, "username", callerUsername(ctx))
+	return &pb.CreateTransitKeyResponse{Name: name, Type: keyType, Version: int32(version)}, nil
+}
+
+func (ts *transitServer) DeleteKey(ctx context.Context, req *pb.DeleteTransitKeyRequest) (*pb.DeleteTransitKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	_, err := ts.transitHandleRequest(ctx, req.Mount, "delete-key", &engine.Request{
+		Operation:  "delete-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       map[string]interface{}{"name": req.Name},
+	})
+	if err != nil {
+		return nil, err
+	}
+	ts.s.logger.Info("audit: transit key deleted", "mount", req.Mount, "key", req.Name, "username", callerUsername(ctx))
+	return &pb.DeleteTransitKeyResponse{}, nil
+}
+
+func (ts *transitServer) GetKey(ctx context.Context, req *pb.GetTransitKeyRequest) (*pb.GetTransitKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "get-key", &engine.Request{
+		Operation:  "get-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       map[string]interface{}{"name": req.Name},
+	})
+	if err != nil {
+		return nil, err
+	}
+	name, _ := resp.Data["name"].(string)
+	keyType, _ := resp.Data["type"].(string)
+	currentVersion, _ := resp.Data["current_version"].(int)
+	minDecryptionVersion, _ := resp.Data["min_decryption_version"].(int)
+	allowDeletion, _ := resp.Data["allow_deletion"].(bool)
+	rawVersions, _ := resp.Data["versions"].([]int)
+	versions := make([]int32, len(rawVersions))
+	for i, v := range rawVersions {
+		versions[i] = int32(v)
+	}
+	return &pb.GetTransitKeyResponse{
+		Name:                 name,
+		Type:                 keyType,
+		CurrentVersion:       int32(currentVersion),
+		MinDecryptionVersion: int32(minDecryptionVersion),
+		AllowDeletion:        allowDeletion,
+		Versions:             versions,
+	}, nil
+}
+
+func (ts *transitServer) ListKeys(ctx context.Context, req *pb.ListTransitKeysRequest) (*pb.ListTransitKeysResponse, error) {
+	if req.Mount == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount is required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "list-keys", &engine.Request{
+		Operation:  "list-keys",
+		CallerInfo: ts.callerInfo(ctx),
+	})
+	if err != nil {
+		return nil, err
+	}
+	keys := toStringSliceFromInterface(resp.Data["keys"])
+	return &pb.ListTransitKeysResponse{Keys: keys}, nil
+}
+
+func (ts *transitServer) RotateKey(ctx context.Context, req *pb.RotateTransitKeyRequest) (*pb.RotateTransitKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "rotate-key", &engine.Request{
+		Operation:  "rotate-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       map[string]interface{}{"name": req.Name},
+	})
+	if err != nil {
+		return nil, err
+	}
+	name, _ := resp.Data["name"].(string)
+	version, _ := resp.Data["version"].(int)
+	ts.s.logger.Info("audit: transit key rotated", "mount", req.Mount, "key", name, "version", version, "username", callerUsername(ctx))
+	return &pb.RotateTransitKeyResponse{Name: name, Version: int32(version)}, nil
+}
+
+func (ts *transitServer) UpdateKeyConfig(ctx context.Context, req *pb.UpdateTransitKeyConfigRequest) (*pb.UpdateTransitKeyConfigResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	data := map[string]interface{}{"name": req.Name}
+	if req.MinDecryptionVersion != 0 {
+		data["min_decryption_version"] = float64(req.MinDecryptionVersion)
+	}
+	data["allow_deletion"] = req.AllowDeletion
+
+	_, err := ts.transitHandleRequest(ctx, req.Mount, "update-key-config", &engine.Request{
+		Operation:  "update-key-config",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &pb.UpdateTransitKeyConfigResponse{}, nil
+}
+
+func (ts *transitServer) TrimKey(ctx context.Context, req *pb.TrimTransitKeyRequest) (*pb.TrimTransitKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "trim-key", &engine.Request{
+		Operation:  "trim-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       map[string]interface{}{"name": req.Name},
+	})
+	if err != nil {
+		return nil, err
+	}
+	trimmed, _ := resp.Data["trimmed"].(int)
+	return &pb.TrimTransitKeyResponse{Trimmed: int32(trimmed)}, nil
+}
+
+func (ts *transitServer) Encrypt(ctx context.Context, req *pb.TransitEncryptRequest) (*pb.TransitEncryptResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	data := map[string]interface{}{
+		"key":       req.Key,
+		"plaintext": req.Plaintext,
+	}
+	if req.Context != "" {
+		data["context"] = req.Context
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "encrypt", &engine.Request{
+		Operation:   "encrypt",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	ct, _ := resp.Data["ciphertext"].(string)
+	return &pb.TransitEncryptResponse{Ciphertext: ct}, nil
+}
+
+func (ts *transitServer) Decrypt(ctx context.Context, req *pb.TransitDecryptRequest) (*pb.TransitDecryptResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	data := map[string]interface{}{
+		"key":        req.Key,
+		"ciphertext": req.Ciphertext,
+	}
+	if req.Context != "" {
+		data["context"] = req.Context
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "decrypt", &engine.Request{
+		Operation:   "decrypt",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	pt, _ := resp.Data["plaintext"].(string)
+	return &pb.TransitDecryptResponse{Plaintext: pt}, nil
+}
+
+func (ts *transitServer) Rewrap(ctx context.Context, req *pb.TransitRewrapRequest) (*pb.TransitRewrapResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	data := map[string]interface{}{
+		"key":        req.Key,
+		"ciphertext": req.Ciphertext,
+	}
+	if req.Context != "" {
+		data["context"] = req.Context
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "rewrap", &engine.Request{
+		Operation:   "rewrap",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	ct, _ := resp.Data["ciphertext"].(string)
+	return &pb.TransitRewrapResponse{Ciphertext: ct}, nil
+}
+
+func (ts *transitServer) BatchEncrypt(ctx context.Context, req *pb.TransitBatchEncryptRequest) (*pb.TransitBatchResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	items := protoItemsToInterface(req.Items)
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "batch-encrypt", &engine.Request{
+		Operation:   "batch-encrypt",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        map[string]interface{}{"key": req.Key, "items": items},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return toBatchResponse(resp), nil
+}
+
+func (ts *transitServer) BatchDecrypt(ctx context.Context, req *pb.TransitBatchDecryptRequest) (*pb.TransitBatchResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	items := protoItemsToInterface(req.Items)
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "batch-decrypt", &engine.Request{
+		Operation:   "batch-decrypt",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        map[string]interface{}{"key": req.Key, "items": items},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return toBatchResponse(resp), nil
+}
+
+func (ts *transitServer) BatchRewrap(ctx context.Context, req *pb.TransitBatchRewrapRequest) (*pb.TransitBatchResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	items := protoItemsToInterface(req.Items)
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "batch-rewrap", &engine.Request{
+		Operation:   "batch-rewrap",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        map[string]interface{}{"key": req.Key, "items": items},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return toBatchResponse(resp), nil
+}
+
+func (ts *transitServer) Sign(ctx context.Context, req *pb.TransitSignRequest) (*pb.TransitSignResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "sign", &engine.Request{
+		Operation:   "sign",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        map[string]interface{}{"key": req.Key, "input": req.Input},
+	})
+	if err != nil {
+		return nil, err
+	}
+	sig, _ := resp.Data["signature"].(string)
+	return &pb.TransitSignResponse{Signature: sig}, nil
+}
+
+func (ts *transitServer) Verify(ctx context.Context, req *pb.TransitVerifyRequest) (*pb.TransitVerifyResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "verify", &engine.Request{
+		Operation:   "verify",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data: map[string]interface{}{
+			"key":       req.Key,
+			"input":     req.Input,
+			"signature": req.Signature,
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	valid, _ := resp.Data["valid"].(bool)
+	return &pb.TransitVerifyResponse{Valid: valid}, nil
+}
+
+func (ts *transitServer) Hmac(ctx context.Context, req *pb.TransitHmacRequest) (*pb.TransitHmacResponse, error) {
+	if req.Mount == "" || req.Key == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and key are required")
+	}
+	data := map[string]interface{}{
+		"key":   req.Key,
+		"input": req.Input,
+	}
+	if req.Hmac != "" {
+		data["hmac"] = req.Hmac
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "hmac", &engine.Request{
+		Operation:   "hmac",
+		CallerInfo:  ts.callerInfo(ctx),
+		CheckPolicy: ts.policyChecker(ctx),
+		Data:        data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	hmacStr, _ := resp.Data["hmac"].(string)
+	valid, _ := resp.Data["valid"].(bool)
+	return &pb.TransitHmacResponse{Hmac: hmacStr, Valid: valid}, nil
+}
+
+func (ts *transitServer) GetPublicKey(ctx context.Context, req *pb.GetTransitPublicKeyRequest) (*pb.GetTransitPublicKeyResponse, error) {
+	if req.Mount == "" || req.Name == "" {
+		return nil, status.Error(codes.InvalidArgument, "mount and name are required")
+	}
+	data := map[string]interface{}{"name": req.Name}
+	if req.Version != 0 {
+		data["version"] = float64(req.Version)
+	}
+	resp, err := ts.transitHandleRequest(ctx, req.Mount, "get-public-key", &engine.Request{
+		Operation:  "get-public-key",
+		CallerInfo: ts.callerInfo(ctx),
+		Data:       data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	pk, _ := resp.Data["public_key"].(string)
+	version, _ := resp.Data["version"].(int)
+	keyType, _ := resp.Data["type"].(string)
+	return &pb.GetTransitPublicKeyResponse{
+		PublicKey: pk,
+		Version:  int32(version),
+		Type:     keyType,
+	}, nil
+}
+
+// --- helpers ---
+
+func protoItemsToInterface(items []*pb.TransitBatchItem) []interface{} {
+	out := make([]interface{}, len(items))
+	for i, item := range items {
+		m := map[string]interface{}{}
+		if item.Plaintext != "" {
+			m["plaintext"] = item.Plaintext
+		}
+		if item.Ciphertext != "" {
+			m["ciphertext"] = item.Ciphertext
+		}
+		if item.Context != "" {
+			m["context"] = item.Context
+		}
+		if item.Reference != "" {
+			m["reference"] = item.Reference
+		}
+		out[i] = m
+	}
+	return out
+}
+
+func toBatchResponse(resp *engine.Response) *pb.TransitBatchResponse {
+	raw, _ := resp.Data["results"].([]interface{})
+	results := make([]*pb.TransitBatchResultItem, 0, len(raw))
+	for _, item := range raw {
+		switch r := item.(type) {
+		case map[string]interface{}:
+			pt, _ := r["plaintext"].(string)
+			ct, _ := r["ciphertext"].(string)
+			ref, _ := r["reference"].(string)
+			errStr, _ := r["error"].(string)
+			results = append(results, &pb.TransitBatchResultItem{
+				Plaintext:  pt,
+				Ciphertext: ct,
+				Reference:  ref,
+				Error:      errStr,
+			})
+		}
+	}
+	return &pb.TransitBatchResponse{Results: results}
+}