mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cbd77c58e819f124b7d294b700dbe1e208cf1842
metacrypt/internal/server/routes.go
Kyle Isom cbd77c58e8 Implement transit encryption engine with versioned key management 
Add complete transit engine supporting symmetric encryption (AES-256-GCM,
XChaCha20-Poly1305), asymmetric signing (Ed25519, ECDSA P-256/P-384),
and HMAC (SHA-256/SHA-512) with versioned key rotation, min decryption
version enforcement, key trimming, batch operations, and rewrap.

Includes proto definitions, gRPC handlers, REST routes, and comprehensive
tests covering all 18 operations, auth enforcement, and edge cases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:45:56 -07:00

914 lines
29 KiB
Go
Raw Blame History

package server
import (
"encoding/json"
"errors"
"io"
"net/http"
"strings"
"github.com/go-chi/chi/v5"
mcias "git.wntrmute.dev/kyle/mcias/clients/go"
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)
func (s *Server) registerRoutes(r chi.Router) {
// REST API routes — web UI served by metacrypt-web.
r.Get("/v1/status", s.handleStatus)
r.Post("/v1/init", s.handleInit)
r.Post("/v1/unseal", s.handleUnseal)
r.Post("/v1/seal", s.requireAdmin(s.handleSeal))
r.Post("/v1/auth/login", s.handleLogin)
r.Post("/v1/auth/logout", s.requireAuth(s.handleLogout))
r.Get("/v1/auth/tokeninfo", s.requireAuth(s.handleTokenInfo))
r.Get("/v1/engine/mounts", s.requireAuth(s.handleEngineMounts))
r.Post("/v1/engine/mount", s.requireAdmin(s.handleEngineMount))
r.Post("/v1/engine/unmount", s.requireAdmin(s.handleEngineUnmount))
r.Post("/v1/engine/request", s.requireAuth(s.handleEngineRequest))
// CA certificate routes (auth required).
r.Get("/v1/ca/{mount}/cert/{serial}", s.requireAuth(s.handleGetCert))
r.Post("/v1/ca/{mount}/cert/{serial}/revoke", s.requireAdmin(s.handleRevokeCert))
r.Delete("/v1/ca/{mount}/cert/{serial}", s.requireAdmin(s.handleDeleteCert))
// Public PKI routes (no auth required, but must be unsealed).
r.Get("/v1/pki/{mount}/ca", s.requireUnseal(s.handlePKIRoot))
r.Get("/v1/pki/{mount}/ca/chain", s.requireUnseal(s.handlePKIChain))
r.Get("/v1/pki/{mount}/issuer/{name}", s.requireUnseal(s.handlePKIIssuer))
r.Get("/v1/pki/{mount}/issuer/{name}/crl", s.requireUnseal(s.handlePKICRL))
r.HandleFunc("/v1/policy/rules", s.requireAuth(s.handlePolicyRules))
r.HandleFunc("/v1/policy/rule", s.requireAuth(s.handlePolicyRule))
// Transit engine routes.
r.Post("/v1/transit/{mount}/keys", s.requireAdmin(s.handleTransitCreateKey))
r.Get("/v1/transit/{mount}/keys", s.requireAuth(s.handleTransitListKeys))
r.Get("/v1/transit/{mount}/keys/{name}", s.requireAuth(s.handleTransitGetKey))
r.Delete("/v1/transit/{mount}/keys/{name}", s.requireAdmin(s.handleTransitDeleteKey))
r.Post("/v1/transit/{mount}/keys/{name}/rotate", s.requireAdmin(s.handleTransitRotateKey))
r.Post("/v1/transit/{mount}/keys/{name}/config", s.requireAdmin(s.handleTransitUpdateKeyConfig))
r.Post("/v1/transit/{mount}/keys/{name}/trim", s.requireAdmin(s.handleTransitTrimKey))
r.Post("/v1/transit/{mount}/encrypt/{key}", s.requireAuth(s.handleTransitEncrypt))
r.Post("/v1/transit/{mount}/decrypt/{key}", s.requireAuth(s.handleTransitDecrypt))
r.Post("/v1/transit/{mount}/rewrap/{key}", s.requireAuth(s.handleTransitRewrap))
r.Post("/v1/transit/{mount}/batch/encrypt/{key}", s.requireAuth(s.handleTransitBatchEncrypt))
r.Post("/v1/transit/{mount}/batch/decrypt/{key}", s.requireAuth(s.handleTransitBatchDecrypt))
r.Post("/v1/transit/{mount}/batch/rewrap/{key}", s.requireAuth(s.handleTransitBatchRewrap))
r.Post("/v1/transit/{mount}/sign/{key}", s.requireAuth(s.handleTransitSign))
r.Post("/v1/transit/{mount}/verify/{key}", s.requireAuth(s.handleTransitVerify))
r.Post("/v1/transit/{mount}/hmac/{key}", s.requireAuth(s.handleTransitHmac))
r.Get("/v1/transit/{mount}/keys/{name}/public-key", s.requireAuth(s.handleTransitGetPublicKey))
s.registerACMERoutes(r)
}
// --- API Handlers ---
func (s *Server) handleStatus(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, map[string]interface{}{
"state": s.seal.State().String(),
})
}
func (s *Server) handleInit(w http.ResponseWriter, r *http.Request) {
var req struct {
Password string `json:"password"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if req.Password == "" {
http.Error(w, `{"error":"password is required"}`, http.StatusBadRequest)
return
}
params := crypto.Argon2Params{
Time: s.cfg.Seal.Argon2Time,
Memory: s.cfg.Seal.Argon2Memory,
Threads: s.cfg.Seal.Argon2Threads,
}
if err := s.seal.Initialize(r.Context(), []byte(req.Password), params); err != nil {
if errors.Is(err, seal.ErrAlreadyInitialized) {
http.Error(w, `{"error":"already initialized"}`, http.StatusConflict)
return
}
s.logger.Error("init failed", "error", err)
http.Error(w, `{"error":"initialization failed"}`, http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"state": s.seal.State().String(),
})
}
func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
var req struct {
Password string `json:"password"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if err := s.seal.Unseal([]byte(req.Password)); err != nil {
if errors.Is(err, seal.ErrNotInitialized) {
s.logger.Warn("unseal attempt on uninitialized service", "remote_addr", r.RemoteAddr)
http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
} else if errors.Is(err, seal.ErrInvalidPassword) {
s.logger.Warn("unseal attempt with invalid password", "remote_addr", r.RemoteAddr)
http.Error(w, `{"error":"invalid password"}`, http.StatusUnauthorized)
} else if errors.Is(err, seal.ErrRateLimited) {
s.logger.Warn("unseal attempt rate limited", "remote_addr", r.RemoteAddr)
http.Error(w, `{"error":"too many attempts, try again later"}`, http.StatusTooManyRequests)
} else if errors.Is(err, seal.ErrNotSealed) {
s.logger.Warn("unseal attempt on already-unsealed service", "remote_addr", r.RemoteAddr)
http.Error(w, `{"error":"already unsealed"}`, http.StatusConflict)
} else {
s.logger.Error("unseal failed", "remote_addr", r.RemoteAddr, "error", err)
http.Error(w, `{"error":"unseal failed"}`, http.StatusInternalServerError)
}
return
}
if err := s.engines.UnsealAll(r.Context()); err != nil {
s.logger.Error("engine unseal failed", "error", err)
http.Error(w, `{"error":"engine unseal failed"}`, http.StatusInternalServerError)
return
}
s.logger.Info("service unsealed", "remote_addr", r.RemoteAddr)
writeJSON(w, http.StatusOK, map[string]interface{}{
"state": s.seal.State().String(),
})
}
func (s *Server) handleSeal(w http.ResponseWriter, r *http.Request) {
if err := s.engines.SealAll(); err != nil {
s.logger.Error("seal engines failed", "error", err)
}
if err := s.seal.Seal(); err != nil {
s.logger.Error("seal failed", "error", err)
http.Error(w, `{"error":"seal failed"}`, http.StatusInternalServerError)
return
}
s.auth.ClearCache()
writeJSON(w, http.StatusOK, map[string]interface{}{
"state": s.seal.State().String(),
})
}
func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
if s.seal.State() != seal.StateUnsealed {
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
return
}
var req struct {
Username string `json:"username"`
Password string `json:"password"`
TOTPCode string `json:"totp_code"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
token, expiresAt, err := s.auth.Login(req.Username, req.Password, req.TOTPCode)
if err != nil {
http.Error(w, `{"error":"invalid credentials"}`, http.StatusUnauthorized)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"token": token,
"expires_at": expiresAt,
})
}
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
token := extractToken(r)
client, err := mcias.New(s.cfg.MCIAS.ServerURL, mcias.Options{
CACertPath: s.cfg.MCIAS.CACert,
Token: token,
})
if err == nil {
_ = s.auth.Logout(client)
}
// Clear cookie.
http.SetCookie(w, &http.Cookie{
Name: "metacrypt_token",
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
})
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}
func (s *Server) handleTokenInfo(w http.ResponseWriter, r *http.Request) {
info := TokenInfoFromContext(r.Context())
writeJSON(w, http.StatusOK, map[string]interface{}{
"username": info.Username,
"roles": info.Roles,
"is_admin": info.IsAdmin,
})
}
func (s *Server) handleEngineMounts(w http.ResponseWriter, r *http.Request) {
mounts := s.engines.ListMounts()
writeJSON(w, http.StatusOK, mounts)
}
func (s *Server) handleEngineMount(w http.ResponseWriter, r *http.Request) {
var req struct {
Config map[string]interface{} `json:"config"`
Name string `json:"name"`
Type string `json:"type"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if req.Name == "" || req.Type == "" {
http.Error(w, `{"error":"name and type are required"}`, http.StatusBadRequest)
return
}
if err := s.engines.Mount(r.Context(), req.Name, engine.EngineType(req.Type), req.Config); err != nil {
s.logger.Error("mount engine", "name", req.Name, "type", req.Type, "error", err)
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusBadRequest)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}
func (s *Server) handleEngineUnmount(w http.ResponseWriter, r *http.Request) {
var req struct {
Name string `json:"name"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if err := s.engines.Unmount(r.Context(), req.Name); err != nil {
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}
func (s *Server) handleEngineRequest(w http.ResponseWriter, r *http.Request) {
var req struct {
Data map[string]interface{} `json:"data"`
Mount string `json:"mount"`
Operation string `json:"operation"`
Path string `json:"path"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if req.Mount == "" || req.Operation == "" {
http.Error(w, `{"error":"mount and operation are required"}`, http.StatusBadRequest)
return
}
info := TokenInfoFromContext(r.Context())
// Evaluate policy before dispatching to the engine.
policyReq := &policy.Request{
Username: info.Username,
Roles: info.Roles,
Resource: "engine/" + req.Mount + "/" + req.Operation,
Action: operationAction(req.Operation),
}
effect, err := s.policy.Evaluate(r.Context(), policyReq)
if err != nil {
s.logger.Error("policy evaluation failed", "error", err)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
if effect != policy.EffectAllow {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
policyChecker := func(resource, action string) (string, bool) {
pReq := &policy.Request{
Username: info.Username,
Roles: info.Roles,
Resource: resource,
Action: action,
}
eff, matched, pErr := s.policy.Match(r.Context(), pReq)
if pErr != nil {
return string(policy.EffectDeny), false
}
return string(eff), matched
}
engReq := &engine.Request{
Operation: req.Operation,
Path: req.Path,
Data: req.Data,
CallerInfo: &engine.CallerInfo{
Username: info.Username,
Roles: info.Roles,
IsAdmin: info.IsAdmin,
},
CheckPolicy: policyChecker,
}
resp, err := s.engines.HandleRequest(r.Context(), req.Mount, engReq)
if err != nil {
status := http.StatusInternalServerError
switch {
case errors.Is(err, engine.ErrMountNotFound):
status = http.StatusNotFound
case errors.Is(err, ca.ErrIdentifierInUse):
status = http.StatusConflict
case strings.Contains(err.Error(), "forbidden"):
status = http.StatusForbidden
case strings.Contains(err.Error(), "authentication required"):
status = http.StatusUnauthorized
case strings.Contains(err.Error(), "not found"):
status = http.StatusNotFound
}
http.Error(w, `{"error":"`+err.Error()+`"}`, status)
return
}
writeJSON(w, http.StatusOK, resp.Data)
}
func (s *Server) handlePolicyRules(w http.ResponseWriter, r *http.Request) {
info := TokenInfoFromContext(r.Context())
switch r.Method {
case http.MethodGet:
if !info.IsAdmin {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
rules, err := s.policy.ListRules(r.Context())
if err != nil {
s.logger.Error("list policies", "error", err)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
if rules == nil {
rules = []policy.Rule{}
}
writeJSON(w, http.StatusOK, rules)
case http.MethodPost:
if !info.IsAdmin {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
var rule policy.Rule
if err := readJSON(r, &rule); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
if rule.ID == "" {
http.Error(w, `{"error":"id is required"}`, http.StatusBadRequest)
return
}
if err := s.policy.CreateRule(r.Context(), &rule); err != nil {
s.logger.Error("create policy", "error", err)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusCreated, rule)
default:
http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
}
}
func (s *Server) handlePolicyRule(w http.ResponseWriter, r *http.Request) {
info := TokenInfoFromContext(r.Context())
if !info.IsAdmin {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
id := r.URL.Query().Get("id")
if id == "" {
http.Error(w, `{"error":"id parameter required"}`, http.StatusBadRequest)
return
}
switch r.Method {
case http.MethodGet:
rule, err := s.policy.GetRule(r.Context(), id)
if err != nil {
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
return
}
writeJSON(w, http.StatusOK, rule)
case http.MethodDelete:
if err := s.policy.DeleteRule(r.Context(), id); err != nil {
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
default:
http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
}
}
// --- CA Certificate Handlers ---
func (s *Server) handleGetCert(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
serial := chi.URLParam(r, "serial")
info := TokenInfoFromContext(r.Context())
resp, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
Operation: "get-cert",
Data: map[string]interface{}{"serial": serial},
CallerInfo: &engine.CallerInfo{
Username: info.Username,
Roles: info.Roles,
IsAdmin: info.IsAdmin,
},
})
if err != nil {
if errors.Is(err, ca.ErrCertNotFound) {
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
return
}
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, resp.Data)
}
func (s *Server) handleRevokeCert(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
serial := chi.URLParam(r, "serial")
info := TokenInfoFromContext(r.Context())
resp, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
Operation: "revoke-cert",
Data: map[string]interface{}{"serial": serial},
CallerInfo: &engine.CallerInfo{
Username: info.Username,
Roles: info.Roles,
IsAdmin: info.IsAdmin,
},
})
if err != nil {
if errors.Is(err, ca.ErrCertNotFound) {
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
return
}
if errors.Is(err, ca.ErrForbidden) {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, resp.Data)
}
func (s *Server) handleDeleteCert(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
serial := chi.URLParam(r, "serial")
info := TokenInfoFromContext(r.Context())
_, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
Operation: "delete-cert",
Data: map[string]interface{}{"serial": serial},
CallerInfo: &engine.CallerInfo{
Username: info.Username,
Roles: info.Roles,
IsAdmin: info.IsAdmin,
},
})
if err != nil {
if errors.Is(err, ca.ErrCertNotFound) {
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
return
}
if errors.Is(err, ca.ErrForbidden) {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusNoContent, nil)
}
// --- Public PKI Handlers ---
func (s *Server) handlePKIRoot(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
caEng, err := s.getCAEngine(mountName)
if err != nil {
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
return
}
certPEM, err := caEng.GetRootCertPEM()
if err != nil {
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
return
}
w.Header().Set("Content-Type", "application/x-pem-file")
_, _ = w.Write(certPEM) //nolint:gosec
}
func (s *Server) handlePKIChain(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
issuerName := r.URL.Query().Get("issuer")
if issuerName == "" {
http.Error(w, `{"error":"issuer query parameter required"}`, http.StatusBadRequest)
return
}
caEng, err := s.getCAEngine(mountName)
if err != nil {
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
return
}
chainPEM, err := caEng.GetChainPEM(issuerName)
if err != nil {
if errors.Is(err, ca.ErrIssuerNotFound) {
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
return
}
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
return
}
w.Header().Set("Content-Type", "application/x-pem-file")
_, _ = w.Write(chainPEM) //nolint:gosec
}
func (s *Server) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
issuerName := chi.URLParam(r, "name")
caEng, err := s.getCAEngine(mountName)
if err != nil {
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
return
}
certPEM, err := caEng.GetIssuerCertPEM(issuerName)
if err != nil {
if errors.Is(err, ca.ErrIssuerNotFound) {
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
return
}
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
return
}
w.Header().Set("Content-Type", "application/x-pem-file")
_, _ = w.Write(certPEM) //nolint:gosec
}
func (s *Server) handlePKICRL(w http.ResponseWriter, r *http.Request) {
mountName := chi.URLParam(r, "mount")
issuerName := chi.URLParam(r, "name")
caEng, err := s.getCAEngine(mountName)
if err != nil {
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
return
}
crlDER, err := caEng.GetCRLDER(r.Context(), issuerName)
if err != nil {
if errors.Is(err, ca.ErrIssuerNotFound) {
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
return
}
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
return
}
w.Header().Set("Content-Type", "application/pkix-crl")
_, _ = w.Write(crlDER) //nolint:gosec
}
func (s *Server) getCAEngine(mountName string) (*ca.CAEngine, error) {
mount, err := s.engines.GetMount(mountName)
if err != nil {
return nil, err
}
if mount.Type != engine.EngineTypeCA {
return nil, errors.New("mount is not a CA engine")
}
caEng, ok := mount.Engine.(*ca.CAEngine)
if !ok {
return nil, errors.New("mount is not a CA engine")
}
return caEng, nil
}
// --- Transit Engine Handlers ---
func (s *Server) transitRequest(w http.ResponseWriter, r *http.Request, mount, operation string, data map[string]interface{}) {
info := TokenInfoFromContext(r.Context())
policyChecker := func(resource, action string) (string, bool) {
pReq := &policy.Request{
Username: info.Username,
Roles: info.Roles,
Resource: resource,
Action: action,
}
eff, matched, pErr := s.policy.Match(r.Context(), pReq)
if pErr != nil {
return string(policy.EffectDeny), false
}
return string(eff), matched
}
resp, err := s.engines.HandleRequest(r.Context(), mount, &engine.Request{
Operation: operation,
CallerInfo: &engine.CallerInfo{Username: info.Username, Roles: info.Roles, IsAdmin: info.IsAdmin},
CheckPolicy: policyChecker,
Data: data,
})
if err != nil {
status := http.StatusInternalServerError
switch {
case errors.Is(err, engine.ErrMountNotFound):
status = http.StatusNotFound
case strings.Contains(err.Error(), "forbidden"):
status = http.StatusForbidden
case strings.Contains(err.Error(), "authentication required"):
status = http.StatusUnauthorized
case strings.Contains(err.Error(), "not found"):
status = http.StatusNotFound
case strings.Contains(err.Error(), "not allowed"):
status = http.StatusForbidden
case strings.Contains(err.Error(), "unsupported"):
status = http.StatusBadRequest
case strings.Contains(err.Error(), "invalid"):
status = http.StatusBadRequest
}
http.Error(w, `{"error":"`+err.Error()+`"}`, status)
return
}
writeJSON(w, http.StatusOK, resp.Data)
}
func (s *Server) handleTransitCreateKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
var req struct {
Name string `json:"name"`
Type string `json:"type"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "create-key", map[string]interface{}{"name": req.Name, "type": req.Type})
}
func (s *Server) handleTransitDeleteKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
s.transitRequest(w, r, mount, "delete-key", map[string]interface{}{"name": name})
}
func (s *Server) handleTransitGetKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
s.transitRequest(w, r, mount, "get-key", map[string]interface{}{"name": name})
}
func (s *Server) handleTransitListKeys(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
s.transitRequest(w, r, mount, "list-keys", nil)
}
func (s *Server) handleTransitRotateKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
s.transitRequest(w, r, mount, "rotate-key", map[string]interface{}{"name": name})
}
func (s *Server) handleTransitUpdateKeyConfig(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
var req struct {
MinDecryptionVersion *float64 `json:"min_decryption_version"`
AllowDeletion *bool `json:"allow_deletion"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
data := map[string]interface{}{"name": name}
if req.MinDecryptionVersion != nil {
data["min_decryption_version"] = *req.MinDecryptionVersion
}
if req.AllowDeletion != nil {
data["allow_deletion"] = *req.AllowDeletion
}
s.transitRequest(w, r, mount, "update-key-config", data)
}
func (s *Server) handleTransitTrimKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
s.transitRequest(w, r, mount, "trim-key", map[string]interface{}{"name": name})
}
func (s *Server) handleTransitEncrypt(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Plaintext string `json:"plaintext"`
Context string `json:"context"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
data := map[string]interface{}{"key": key, "plaintext": req.Plaintext}
if req.Context != "" {
data["context"] = req.Context
}
s.transitRequest(w, r, mount, "encrypt", data)
}
func (s *Server) handleTransitDecrypt(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Ciphertext string `json:"ciphertext"`
Context string `json:"context"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
data := map[string]interface{}{"key": key, "ciphertext": req.Ciphertext}
if req.Context != "" {
data["context"] = req.Context
}
s.transitRequest(w, r, mount, "decrypt", data)
}
func (s *Server) handleTransitRewrap(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Ciphertext string `json:"ciphertext"`
Context string `json:"context"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
data := map[string]interface{}{"key": key, "ciphertext": req.Ciphertext}
if req.Context != "" {
data["context"] = req.Context
}
s.transitRequest(w, r, mount, "rewrap", data)
}
func (s *Server) handleTransitBatchEncrypt(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Items []interface{} `json:"items"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "batch-encrypt", map[string]interface{}{"key": key, "items": req.Items})
}
func (s *Server) handleTransitBatchDecrypt(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Items []interface{} `json:"items"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "batch-decrypt", map[string]interface{}{"key": key, "items": req.Items})
}
func (s *Server) handleTransitBatchRewrap(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Items []interface{} `json:"items"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "batch-rewrap", map[string]interface{}{"key": key, "items": req.Items})
}
func (s *Server) handleTransitSign(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Input string `json:"input"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "sign", map[string]interface{}{"key": key, "input": req.Input})
}
func (s *Server) handleTransitVerify(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Input string `json:"input"`
Signature string `json:"signature"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
s.transitRequest(w, r, mount, "verify", map[string]interface{}{"key": key, "input": req.Input, "signature": req.Signature})
}
func (s *Server) handleTransitHmac(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
key := chi.URLParam(r, "key")
var req struct {
Input string `json:"input"`
HMAC string `json:"hmac"`
}
if err := readJSON(r, &req); err != nil {
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
return
}
data := map[string]interface{}{"key": key, "input": req.Input}
if req.HMAC != "" {
data["hmac"] = req.HMAC
}
s.transitRequest(w, r, mount, "hmac", data)
}
func (s *Server) handleTransitGetPublicKey(w http.ResponseWriter, r *http.Request) {
mount := chi.URLParam(r, "mount")
name := chi.URLParam(r, "name")
s.transitRequest(w, r, mount, "get-public-key", map[string]interface{}{"name": name})
}
// operationAction maps an engine operation name to a policy action ("read" or "write").
func operationAction(op string) string {
switch op {
case "list-issuers", "list-certs", "get-cert", "get-root", "get-chain", "get-issuer",
"list-keys", "get-key", "get-public-key":
return "read"
case "decrypt", "rewrap", "batch-decrypt", "batch-rewrap":
return "decrypt"
default:
return "write"
}
}
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
_ = json.NewEncoder(w).Encode(v)
}
func readJSON(r *http.Request, v interface{}) error {
defer func() { _ = r.Body.Close() }()
body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1MB limit
if err != nil {
return err
}
return json.Unmarshal(body, v)
}
Reference in New Issue View Git Blame Copy Permalink