open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Vault access token must be always in file

Browse Source
pull/230/head
Andrew Pogrebnoy 4 months ago committed by Andrew Pogrebnoi
parent 591d6048e0
commit 356f619ad2
14 changed files with 84 additions and 60 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 7
      ci_scripts/setup-keyring-servers.sh
  2. 2
      contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-change-key-provider.md
  3. 12
      contrib/pg_tde/documentation/docs/functions.md
  4. 6
      contrib/pg_tde/documentation/docs/global-key-provider-configuration/vault.md
  5. 4
      contrib/pg_tde/documentation/docs/how-to/multi-tenant-setup.md
  6. 4
      contrib/pg_tde/documentation/docs/wal-encryption.md
  7. 7
      contrib/pg_tde/expected/vault_v2_test.out
  8. 32
      contrib/pg_tde/pg_tde--1.0-rc.sql
  9. 8
      contrib/pg_tde/sql/vault_v2_test.sql
  10. 37
      contrib/pg_tde/src/catalog/tde_keyring.c
  11. 12
      contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c
  12. 1
      contrib/pg_tde/src/include/keyring/keyring_api.h
  13. 4
      contrib/pg_tde/src/pg_tde_change_key_provider.c
  14. 8
      contrib/pg_tde/t/016_pg_tde_change_key_provider.pl

7
ci_scripts/setup-keyring-servers.sh
Unescape View File

@ -20,8 +20,5 @@ pykmip-server -f "$SCRIPT_DIR/../contrib/pg_tde/pykmip-server.conf" -l /tmp/kmip
TV=$(mktemp) TV=$(mktemp)
{ exec >$TV; vault server -dev; } & { exec >$TV; vault server -dev; } &
sleep 10 sleep 10
export ROOT_TOKEN=$(cat $TV | grep "Root Token" | cut -d ":" -f 2 | xargs echo -n) echo $(cat $TV | grep "Root Token" | cut -d ":" -f 2 | xargs echo -n) > /tmp/vault_test_token
echo "export ROOT_TOKEN=$ROOT_TOKEN" echo "write vault token to /tmp/vault_test_token"
if [ -v GITHUB_ACTIONS ]; then
echo "ROOT_TOKEN=$ROOT_TOKEN" >> $GITHUB_ENV
fi

2
contrib/pg_tde/documentation/docs/command-line-tools/pg-tde-change-key-provider.md
Unescape View File

@ -31,6 +31,6 @@ Depending on the provider type, the additional parameters are:
```bash ```bash
pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> file <filename> pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> file <filename>
pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> vault <token> <url> <mount_path> [<ca_path>] pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> vault <token_path> <url> <mount_path> [<ca_path>]
pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> kmip <host> <port> <cert_path> <key_path> [<ca_path>] pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> kmip <host> <port> <cert_path> <key_path> [<ca_path>]
``` ```

12
contrib/pg_tde/documentation/docs/functions.md
Unescape View File

@ -63,14 +63,14 @@ Use the following functions to add the Vault provider:
```sql ```sql
SELECT pg_tde_add_database_key_provider_vault_v2( SELECT pg_tde_add_database_key_provider_vault_v2(
'provider-name', 'provider-name',
'secret_token', 'secret_token_path',
'url','mount', 'url','mount',
'ca_path' 'ca_path'
); );
SELECT pg_tde_add_global_key_provider_vault_v2( SELECT pg_tde_add_global_key_provider_vault_v2(
'provider-name', 'provider-name',
'secret_token', 'secret_token_path',
'url','mount', 'url','mount',
'ca_path' 'ca_path'
); );
@ -81,7 +81,7 @@ These functions change the Vault provider:
```sql ```sql
SELECT pg_tde_change_database_key_provider_vault_v2( SELECT pg_tde_change_database_key_provider_vault_v2(
'provider-name', 'provider-name',
'secret_token', 'secret_token_path',
'url', 'url',
'mount', 'mount',
'ca_path' 'ca_path'
@ -89,7 +89,7 @@ SELECT pg_tde_change_database_key_provider_vault_v2(
SELECT pg_tde_change_global_key_provider_vault_v2( SELECT pg_tde_change_global_key_provider_vault_v2(
'provider-name', 'provider-name',
'secret_token', 'secret_token_path',
'url', 'url',
'mount', 'mount',
'ca_path' 'ca_path'
@ -101,13 +101,11 @@ where:
* `provider-name` is the name of the key provider * `provider-name` is the name of the key provider
* `url` is the URL of the Vault server * `url` is the URL of the Vault server
* `mount` is the mount point on the Vault server where the key provider should store the keys * `mount` is the mount point on the Vault server where the key provider should store the keys
* `secret_token` is an access token with read and write access to the above mount point * `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point
* **[optional]** `ca_path` is the path of the CA file used for SSL verification * **[optional]** `ca_path` is the path of the CA file used for SSL verification
All parameters can be either strings, or JSON objects [referencing remote parameters](how-to/external-parameters.md). All parameters can be either strings, or JSON objects [referencing remote parameters](how-to/external-parameters.md).
!!! important
Never specify the secret token directly, use a remote parameter instead.
#### Adding or modifying KMIP providers #### Adding or modifying KMIP providers

6
contrib/pg_tde/documentation/docs/global-key-provider-configuration/vault.md
Unescape View File

@ -10,7 +10,7 @@ You can configure `pg_tde` to use HashiCorp Vault as a global key provider for m
```sql ```sql
SELECT pg_tde_add_global_key_provider_vault_v2( SELECT pg_tde_add_global_key_provider_vault_v2(
'provider-name', 'provider-name',
'secret_token', 'secret_token_path',
'url', 'url',
'mount', 'mount',
'ca_path' 'ca_path'
@ -20,7 +20,7 @@ SELECT pg_tde_add_global_key_provider_vault_v2(
## Parameter descriptions ## Parameter descriptions
* `provider-name` is the name to identify this key provider * `provider-name` is the name to identify this key provider
* `secret_token` is an access token with read and write access to the above mount point * `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point
* `url` is the URL of the Vault server * `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys * `mount` is the mount point where the keyring should store the keys
* [optional] `ca_path` is the path of the CA file used for SSL verification * [optional] `ca_path` is the path of the CA file used for SSL verification
@ -30,7 +30,7 @@ The following example is for testing purposes only. Use secure tokens and proper
```sql ```sql
SELECT pg_tde_add_global_key_provider_vault_v2( SELECT pg_tde_add_global_key_provider_vault_v2(
'my-vault', 'my-vault',
'hvs.zPuyktykA...example...ewUEnIRVaKoBzs2', '/path/to/token_file',
'http://vault.vault.svc.cluster.local:8200', 'http://vault.vault.svc.cluster.local:8200',
'secret/data', 'secret/data',
NULL NULL

4
contrib/pg_tde/documentation/docs/how-to/multi-tenant-setup.md
Unescape View File

@ -84,14 +84,14 @@ You must do these steps for every database where you have created the extension.
The Vault server setup is out of scope of this document. The Vault server setup is out of scope of this document.
```sql ```sql
SELECT pg_tde_add_database_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path'); SELECT pg_tde_add_database_key_provider_vault_v2('provider-name','secret_token_path','url','mount','ca_path');
``` ```
where: where:
* `url` is the URL of the Vault server * `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys * `mount` is the mount point where the keyring should store the keys
* `secret_token` is an access token with read and write access to the above mount point * `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point
* [optional] `ca_path` is the path of the CA file used for SSL verification * [optional] `ca_path` is the path of the CA file used for SSL verification
<i warning>:material-information: Warning:</i> This example is for testing purposes only: <i warning>:material-information: Warning:</i> This example is for testing purposes only:

4
contrib/pg_tde/documentation/docs/wal-encryption.md
Unescape View File

@ -40,7 +40,7 @@ Before turning WAL encryption on, you must follow the steps below to create your
=== "With HashiCorp Vault" === "With HashiCorp Vault"
```sql ```sql
SELECT pg_tde_add_global_key_provider_vault_v2('provider-name', 'secret_token', 'url', 'mount', 'ca_path'); SELECT pg_tde_add_global_key_provider_vault_v2('provider-name', 'secret_token_path', 'url', 'mount', 'ca_path');
``` ```
where: where:
@ -48,7 +48,7 @@ Before turning WAL encryption on, you must follow the steps below to create your
* `provider-name` is the name you define for the key provider * `provider-name` is the name you define for the key provider
* `url` is the URL of the Vault server * `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys * `mount` is the mount point where the keyring should store the keys
* `secret_token` is an access token with read and write access to the above mount point * `secret_token_path` is a path to the file that contains an access token with read and write access to the above mount point
* [optional] `ca_path` is the path of the CA file used for SSL verification * [optional] `ca_path` is the path of the CA file used for SSL verification
=== "With keyring file" === "With keyring file"

7
contrib/pg_tde/expected/vault_v2_test.out
Unescape View File

@ -1,6 +1,5 @@
CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE EXTENSION IF NOT EXISTS pg_tde;
\getenv root_token ROOT_TOKEN SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect','/tmp/vault_test_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
pg_tde_add_database_key_provider_vault_v2 pg_tde_add_database_key_provider_vault_v2
------------------------------------------- -------------------------------------------
@ -16,7 +15,7 @@ CREATE TABLE test_enc(
) USING tde_heap; ) USING tde_heap;
ERROR: principal key not configured ERROR: principal key not configured
HINT: create one using pg_tde_set_key before using encrypted tables HINT: create one using pg_tde_set_key before using encrypted tables
SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL); SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2','/tmp/vault_test_token','http://127.0.0.1:8200','secret',NULL);
pg_tde_add_database_key_provider_vault_v2 pg_tde_add_database_key_provider_vault_v2
------------------------------------------- -------------------------------------------
@ -52,6 +51,6 @@ SELECT pg_tde_verify_key();
DROP TABLE test_enc; DROP TABLE test_enc;
-- Creating provider fails if we can't connect to vault -- Creating provider fails if we can't connect to vault
SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL); SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', '/tmp/vault_test_token', 'http://127.0.0.1:61', 'secret', NULL);
ERROR: HTTP(S) request to keyring provider "will-not-work" failed ERROR: HTTP(S) request to keyring provider "will-not-work" failed
DROP EXTENSION pg_tde; DROP EXTENSION pg_tde;

32
contrib/pg_tde/pg_tde--1.0-rc.sql
Unescape View File

@ -31,7 +31,7 @@ BEGIN ATOMIC
END; END;
CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT,
vault_token TEXT, vault_token_path TEXT,
vault_url TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_mount_path TEXT,
vault_ca_path TEXT) vault_ca_path TEXT)
@ -42,13 +42,13 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_database_key_provider('vault-v2', provider_name, SELECT pg_tde_add_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE COALESCE(vault_url, ''), json_object('url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''), 'tokenPath' VALUE COALESCE(vault_token_path, ''),
'mountPath' VALUE COALESCE(vault_mount_path, ''), 'mountPath' VALUE COALESCE(vault_mount_path, ''),
'caPath' VALUE COALESCE(vault_ca_path, ''))); 'caPath' VALUE COALESCE(vault_ca_path, '')));
END; END;
CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT,
vault_token JSON, vault_token_path JSON,
vault_url JSON, vault_url JSON,
vault_mount_path JSON, vault_mount_path JSON,
vault_ca_path JSON) vault_ca_path JSON)
@ -59,7 +59,7 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_database_key_provider('vault-v2', provider_name, SELECT pg_tde_add_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url, json_object('url' VALUE vault_url,
'token' VALUE vault_token, 'tokenPath' VALUE vault_token_path,
'mountPath' VALUE vault_mount_path, 'mountPath' VALUE vault_mount_path,
'caPath' VALUE vault_ca_path)); 'caPath' VALUE vault_ca_path));
END; END;
@ -150,7 +150,7 @@ BEGIN ATOMIC
END; END;
CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name TEXT,
vault_token TEXT, vault_token_path TEXT,
vault_url TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_mount_path TEXT,
vault_ca_path TEXT) vault_ca_path TEXT)
@ -161,13 +161,13 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE COALESCE(vault_url, ''), json_object('url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''), 'tokenPath' VALUE COALESCE(vault_token_path, ''),
'mountPath' VALUE COALESCE(vault_mount_path, ''), 'mountPath' VALUE COALESCE(vault_mount_path, ''),
'caPath' VALUE COALESCE(vault_ca_path, ''))); 'caPath' VALUE COALESCE(vault_ca_path, '')));
END; END;
CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name TEXT,
vault_token JSON, vault_token_path JSON,
vault_url JSON, vault_url JSON,
vault_mount_path JSON, vault_mount_path JSON,
vault_ca_path JSON) vault_ca_path JSON)
@ -178,7 +178,7 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url, json_object('url' VALUE vault_url,
'token' VALUE vault_token, 'tokenPath' VALUE vault_token_path,
'mountPath' VALUE vault_mount_path, 'mountPath' VALUE vault_mount_path,
'caPath' VALUE vault_ca_path)); 'caPath' VALUE vault_ca_path));
END; END;
@ -249,7 +249,7 @@ BEGIN ATOMIC
END; END;
CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT,
vault_token TEXT, vault_token_path TEXT,
vault_url TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_mount_path TEXT,
vault_ca_path TEXT) vault_ca_path TEXT)
@ -260,13 +260,13 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_database_key_provider('vault-v2', provider_name, SELECT pg_tde_change_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE COALESCE(vault_url, ''), json_object('url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''), 'tokenPath' VALUE COALESCE(vault_token_path, ''),
'mountPath' VALUE COALESCE(vault_mount_path, ''), 'mountPath' VALUE COALESCE(vault_mount_path, ''),
'caPath' VALUE COALESCE(vault_ca_path, ''))); 'caPath' VALUE COALESCE(vault_ca_path, '')));
END; END;
CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT,
vault_token JSON, vault_token_path JSON,
vault_url JSON, vault_url JSON,
vault_mount_path JSON, vault_mount_path JSON,
vault_ca_path JSON) vault_ca_path JSON)
@ -277,7 +277,7 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_database_key_provider('vault-v2', provider_name, SELECT pg_tde_change_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url, json_object('url' VALUE vault_url,
'token' VALUE vault_token, 'tokenPath' VALUE vault_token_path,
'mountPath' VALUE vault_mount_path, 'mountPath' VALUE vault_mount_path,
'caPath' VALUE vault_ca_path)); 'caPath' VALUE vault_ca_path));
END; END;
@ -348,7 +348,7 @@ BEGIN ATOMIC
END; END;
CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name TEXT,
vault_token TEXT, vault_token_path TEXT,
vault_url TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_mount_path TEXT,
vault_ca_path TEXT) vault_ca_path TEXT)
@ -359,13 +359,13 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name, SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE COALESCE(vault_url, ''), json_object('url' VALUE COALESCE(vault_url, ''),
'token' VALUE COALESCE(vault_token, ''), 'tokenPath' VALUE COALESCE(vault_token_path, ''),
'mountPath' VALUE COALESCE(vault_mount_path, ''), 'mountPath' VALUE COALESCE(vault_mount_path, ''),
'caPath' VALUE COALESCE(vault_ca_path, ''))); 'caPath' VALUE COALESCE(vault_ca_path, '')));
END; END;
CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name TEXT, CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name TEXT,
vault_token JSON, vault_token_path JSON,
vault_url JSON, vault_url JSON,
vault_mount_path JSON, vault_mount_path JSON,
vault_ca_path JSON) vault_ca_path JSON)
@ -376,7 +376,7 @@ BEGIN ATOMIC
-- load_vaultV2_keyring_provider_options function. -- load_vaultV2_keyring_provider_options function.
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name, SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url, json_object('url' VALUE vault_url,
'token' VALUE vault_token, 'tokenPath' VALUE vault_token_path,
'mountPath' VALUE vault_mount_path, 'mountPath' VALUE vault_mount_path,
'caPath' VALUE vault_ca_path)); 'caPath' VALUE vault_ca_path));
END; END;

8
contrib/pg_tde/sql/vault_v2_test.sql
Unescape View File

@ -1,8 +1,6 @@
CREATE EXTENSION IF NOT EXISTS pg_tde; CREATE EXTENSION IF NOT EXISTS pg_tde;
\getenv root_token ROOT_TOKEN SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect','/tmp/vault_test_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
-- FAILS -- FAILS
SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect'); SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect');
@ -12,7 +10,7 @@ CREATE TABLE test_enc(
PRIMARY KEY (id) PRIMARY KEY (id)
) USING tde_heap; ) USING tde_heap;
SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL); SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2','/tmp/vault_test_token','http://127.0.0.1:8200','secret',NULL);
SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2'); SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2');
CREATE TABLE test_enc( CREATE TABLE test_enc(
@ -32,6 +30,6 @@ SELECT pg_tde_verify_key();
DROP TABLE test_enc; DROP TABLE test_enc;
-- Creating provider fails if we can't connect to vault -- Creating provider fails if we can't connect to vault
SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL); SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', '/tmp/vault_test_token', 'http://127.0.0.1:61', 'secret', NULL);
DROP EXTENSION pg_tde; DROP EXTENSION pg_tde;

37
contrib/pg_tde/src/catalog/tde_keyring.c
Unescape View File

@ -62,6 +62,7 @@ static GenericKeyring *load_keyring_provider_options(ProviderType provider_type,
static KmipKeyring *load_kmip_keyring_provider_options(char *keyring_options); static KmipKeyring *load_kmip_keyring_provider_options(char *keyring_options);
static VaultV2Keyring *load_vaultV2_keyring_provider_options(char *keyring_options); static VaultV2Keyring *load_vaultV2_keyring_provider_options(char *keyring_options);
static int open_keyring_infofile(Oid dbOid, int flags); static int open_keyring_infofile(Oid dbOid, int flags);
static char *get_file_value(const char *path, const char *field_name);
#ifdef FRONTEND #ifdef FRONTEND
@ -870,19 +871,22 @@ load_vaultV2_keyring_provider_options(char *keyring_options)
(GenericKeyring *) vaultV2_keyring, (GenericKeyring *) vaultV2_keyring,
keyring_options, strlen(keyring_options)); keyring_options, strlen(keyring_options));
if (vaultV2_keyring->vault_token == NULL || vaultV2_keyring->vault_token[0] == '\0' || if (vaultV2_keyring->vault_token_path == NULL || vaultV2_keyring->vault_token_path[0] == '\0' ||
vaultV2_keyring->vault_url == NULL || vaultV2_keyring->vault_url[0] == '\0' || vaultV2_keyring->vault_url == NULL || vaultV2_keyring->vault_url[0] == '\0' ||
vaultV2_keyring->vault_mount_path == NULL || vaultV2_keyring->vault_mount_path[0] == '\0') vaultV2_keyring->vault_mount_path == NULL || vaultV2_keyring->vault_mount_path[0] == '\0')
{ {
ereport(WARNING, ereport(WARNING,
errcode(ERRCODE_INVALID_PARAMETER_VALUE), errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("missing in the keyring options:%s%s%s", errmsg("missing in the keyring options:%s%s%s",
(vaultV2_keyring->vault_token != NULL && vaultV2_keyring->vault_token[0] != '\0') ? "" : " token", (vaultV2_keyring->vault_token_path != NULL && vaultV2_keyring->vault_token_path[0] != '\0') ? "" : " tokenPath",
(vaultV2_keyring->vault_url != NULL && vaultV2_keyring->vault_url[0] != '\0') ? "" : " url", (vaultV2_keyring->vault_url != NULL && vaultV2_keyring->vault_url[0] != '\0') ? "" : " url",
(vaultV2_keyring->vault_mount_path != NULL && vaultV2_keyring->vault_mount_path[0] != '\0') ? "" : " mountPath")); (vaultV2_keyring->vault_mount_path != NULL && vaultV2_keyring->vault_mount_path[0] != '\0') ? "" : " mountPath"));
return NULL; return NULL;
} }
/* TODO: the vault_token mem should be protected from paging to the swap */
vaultV2_keyring->vault_token = get_file_value(vaultV2_keyring->vault_token_path, "vault_token");
return vaultV2_keyring; return vaultV2_keyring;
} }
@ -916,6 +920,33 @@ load_kmip_keyring_provider_options(char *keyring_options)
return kmip_keyring; return kmip_keyring;
} }
#define MAX_FILE_DATA_LENGTH 1024
static char *
get_file_value(const char *path, const char *field_name)
{
int fd = -1;
char *val;
fd = BasicOpenFile(path, O_RDONLY);
if (fd < 0)
{
elog(ERROR, "failed to open file \"%s\" for \"%s\"", path, field_name);
}
val = palloc0(MAX_FILE_DATA_LENGTH);
if (pg_pread(fd, val, MAX_FILE_DATA_LENGTH, 0) == -1)
{
close(fd);
elog(ERROR, "failed to read file \"%s\" for \"%s\"", path, field_name);
}
/* remove trailing whitespace */
val[strcspn(val, " \t\n\r")] = '\0';
close(fd);
return val;
}
static void static void
debug_print_kerying(GenericKeyring *keyring) debug_print_kerying(GenericKeyring *keyring)
{ {
@ -928,7 +959,7 @@ debug_print_kerying(GenericKeyring *keyring)
elog(DEBUG2, "File Keyring Path: %s", ((FileKeyring *) keyring)->file_name); elog(DEBUG2, "File Keyring Path: %s", ((FileKeyring *) keyring)->file_name);
break; break;
case VAULT_V2_KEY_PROVIDER: case VAULT_V2_KEY_PROVIDER:
elog(DEBUG2, "Vault Keyring Token: %s", ((VaultV2Keyring *) keyring)->vault_token); elog(DEBUG2, "Vault Keyring Token Path: %s", ((VaultV2Keyring *) keyring)->vault_token_path);
elog(DEBUG2, "Vault Keyring URL: %s", ((VaultV2Keyring *) keyring)->vault_url); elog(DEBUG2, "Vault Keyring URL: %s", ((VaultV2Keyring *) keyring)->vault_url);
elog(DEBUG2, "Vault Keyring Mount Path: %s", ((VaultV2Keyring *) keyring)->vault_mount_path); elog(DEBUG2, "Vault Keyring Mount Path: %s", ((VaultV2Keyring *) keyring)->vault_mount_path);
elog(DEBUG2, "Vault Keyring CA Path: %s", ((VaultV2Keyring *) keyring)->vault_ca_path); elog(DEBUG2, "Vault Keyring CA Path: %s", ((VaultV2Keyring *) keyring)->vault_ca_path);

12
contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c
Unescape View File

@ -64,7 +64,7 @@ typedef enum JsonKeyringField
/* Settings specific for the individual key provider types. */ /* Settings specific for the individual key provider types. */
JK_FILE_PATH, JK_FILE_PATH,
JK_VAULT_TOKEN, JK_VAULT_TOKEN_PATH,
JK_VAULT_URL, JK_VAULT_URL,
JK_VAULT_MOUNT_PATH, JK_VAULT_MOUNT_PATH,
JK_VAULT_CA_PATH, JK_VAULT_CA_PATH,
@ -93,7 +93,7 @@ static const char *JK_FIELD_NAMES[JK_FIELDS_TOTAL] = {
*/ */
[JK_FILE_PATH] = "path", [JK_FILE_PATH] = "path",
[JK_VAULT_TOKEN] = "token", [JK_VAULT_TOKEN_PATH] = "tokenPath",
[JK_VAULT_URL] = "url", [JK_VAULT_URL] = "url",
[JK_VAULT_MOUNT_PATH] = "mountPath", [JK_VAULT_MOUNT_PATH] = "mountPath",
[JK_VAULT_CA_PATH] = "caPath", [JK_VAULT_CA_PATH] = "caPath",
@ -358,8 +358,8 @@ json_kring_object_field_start(void *state, char *fname, bool isnull)
break; break;
case VAULT_V2_KEY_PROVIDER: case VAULT_V2_KEY_PROVIDER:
if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_TOKEN]) == 0) if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_TOKEN_PATH]) == 0)
parse->top_level_field = JK_VAULT_TOKEN; parse->top_level_field = JK_VAULT_TOKEN_PATH;
else if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_URL]) == 0) else if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_URL]) == 0)
parse->top_level_field = JK_VAULT_URL; parse->top_level_field = JK_VAULT_URL;
else if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_MOUNT_PATH]) == 0) else if (strcmp(fname, JK_FIELD_NAMES[JK_VAULT_MOUNT_PATH]) == 0)
@ -498,8 +498,8 @@ json_kring_assign_scalar(JsonKeyringState *parse, JsonKeyringField field, char *
file->file_name = value; file->file_name = value;
break; break;
case JK_VAULT_TOKEN: case JK_VAULT_TOKEN_PATH:
vault->vault_token = value; vault->vault_token_path = value;
break; break;
case JK_VAULT_URL: case JK_VAULT_URL:
vault->vault_url = value; vault->vault_url = value;

1
contrib/pg_tde/src/include/keyring/keyring_api.h
Unescape View File

@ -74,6 +74,7 @@ typedef struct VaultV2Keyring
{ {
GenericKeyring keyring; /* Must be the first field */ GenericKeyring keyring; /* Must be the first field */
char *vault_token; char *vault_token;
char *vault_token_path;
char *vault_url; char *vault_url;
char *vault_ca_path; char *vault_ca_path;
char *vault_mount_path; char *vault_mount_path;

4
contrib/pg_tde/src/pg_tde_change_key_provider.c
Unescape View File

@ -27,7 +27,7 @@ help(void)
puts("Depending on the provider type, the complete parameter list is:"); puts("Depending on the provider type, the complete parameter list is:");
puts(""); puts("");
puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> file <filename>"); puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> file <filename>");
puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> vault-v2 <url> <token> <mount_path> [<ca_path>]"); puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> vault-v2 <url> <token_path> <mount_path> [<ca_path>]");
puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> kmip <host> <port> <cert_path> <key_path> [<ca_path>]"); puts("pg_tde_change_key_provider [-D <datadir>] <dbOid> <provider_name> kmip <host> <port> <cert_path> <key_path> [<ca_path>]");
puts(""); puts("");
printf("Use dbOid %d for global key providers.\n", GLOBAL_DATA_TDE_OID); printf("Use dbOid %d for global key providers.\n", GLOBAL_DATA_TDE_OID);
@ -196,7 +196,7 @@ main(int argc, char *argv[])
if (!build_json(json, 4, if (!build_json(json, 4,
"url", argv[4 + argstart], "url", argv[4 + argstart],
"token", argv[5 + argstart], "tokenPath", argv[5 + argstart],
"mountPath", argv[6 + argstart], "mountPath", argv[6 + argstart],
"caPath", (argc - argstart > 7 ? argv[7 + argstart] : ""))) "caPath", (argc - argstart > 7 ? argv[7 + argstart] : "")))
{ {

8
contrib/pg_tde/t/016_pg_tde_change_key_provider.pl
Unescape View File

@ -64,7 +64,7 @@ command_like(
'database-provider', 'database-provider',
'vault-v2', 'vault-v2',
'http://vault-server.example:8200/', 'http://vault-server.example:8200/',
'secret-token', '/tmp/vault_test_token',
'mount-path', 'mount-path',
'/tmp/ca_path', '/tmp/ca_path',
], ],
@ -85,8 +85,8 @@ $options = decode_json(
'postgres', 'postgres',
q{SELECT options FROM pg_tde_list_all_database_key_providers() WHERE provider_name = 'database-provider'} q{SELECT options FROM pg_tde_list_all_database_key_providers() WHERE provider_name = 'database-provider'}
)); ));
is($options->{token}, 'secret-token', is($options->{tokenPath}, '/tmp/vault_test_token',
'token is set correctly for vault-v2 provider'); 'tokenPath is set correctly for vault-v2 provider');
is( $options->{url}, is( $options->{url},
'http://vault-server.example:8200/', 'http://vault-server.example:8200/',
'url is set correctly for vault-v2 provider'); 'url is set correctly for vault-v2 provider');
@ -147,7 +147,7 @@ command_like(
'global-provider', 'global-provider',
'vault-v2', 'vault-v2',
'http://vault-server.example:8200/', 'http://vault-server.example:8200/',
'secret-token', '/tmp/vault_test_token',
'mount-path', 'mount-path',
'/tmp/ca_path', '/tmp/ca_path',
], ],

Write Preview
Loading…
Cancel
Save