Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Beejones/key release policy operators #138

Merged
merged 6 commits into from
Sep 27, 2024
Merged

Beejones/key release policy operators #138

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f02755a
Add operators to key release policy
beejones Sep 19, 2024
b5c6f1b
change key release policy to work with IKeyReleasePolicy instead of p…
beejones Sep 24, 2024
e27f5fd
add unit tests and remove operations
beejones Sep 25, 2024
acc6188
Addressing PR feedback
beejones Sep 27, 2024
3075648
adding multiple claims in KeyReleasePolicy.validateKeyReleasePolicy
beejones Sep 27, 2024
0c67846
cleanup
beejones Sep 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ echo $wrapped
curl $KMS_URL/app/unwrapKey -X POST --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -d "{\"attestation\":$ATTESTATION, \"wrappingKey\":$WRAPPING_KEY, \"wrapped\":\"$wrapped\", \"wrappedKid\":\"$kid\"}" | jq

# Get the latest private key (Tink)
wrapped_resp=$(curl $KMS_URL/app/key?fmt=tink -X POST --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -d "{\"attestation\":$ATTESTATION, \"wrappingKey\":$WRAPPING_KEY}" | jq)
wrapped_resp=$(curl $KMS_URL/app/key?fmt=tink -X POST --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" -d "{\"attestation\":$ATTESTATION, \"wrappingKey\":$WRAPPING_KEY}" | jq)
echo $wrapped_resp
key=$(echo $wrapped_resp | jq -r '.wrapped' | jq -R 'fromjson' | jq '.keys[0]')
# It has a format of "azu-kms://<kid>" like "azu-kms://tGe-cVHzNyim2Z0PzHO4y0ClXCa5J6x-bh7GmGJTr3c".
Expand All @@ -182,10 +182,10 @@ wrapped=$(echo $keyMaterial | jq '.encryptedKeyset' -r)
echo $wrapped

# Unwrap key with attestation (Tink)
curl $KMS_URL/app/unwrapKey?fmt=tink -X POST --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -d "{\"attestation\":$ATTESTATION, \"wrappingKey\":$WRAPPING_KEY, \"wrapped\":\"$wrapped\", \"wrappedKid\":\"$kid\"}" | jq
curl $KMS_URL/app/unwrapKey?fmt=tink -X POST --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" -d "{\"attestation\":$ATTESTATION, \"wrappingKey\":$WRAPPING_KEY, \"wrapped\":\"$wrapped\", \"wrappedKid\":\"$kid\"}" | jq

# Get key release policy
curl $KMS_URL/app/key_release_policy --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" | jq
curl $KMS_URL/app/keyReleasePolicy --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" | jq

# Get receipt
curl $KMS_URL/receipt?transaction_id=2.20 --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -i -w '\n'
Expand Down
289 changes: 218 additions & 71 deletions governance/constitution/kms_actions.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,116 +117,254 @@ actions.set(
};
const keyReleaseMapName = "public:ccf.gov.policies.key_release";
// Function to add key release policy claims
const add = (claims) => {
let items = [];
const add = (type, claims) => {
let items = {};
console.log(
`Add claims to key release policy: ${JSON.stringify(claims)}`,
`Add claims to key release policy for ${type}: ${JSON.stringify(claims)}`,
);
// get all the claims for type from the KV
let keyBuf = ccf.strToBuf(type);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// type is already available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(
`KRP add ${type}=>key: ${type} already exist: ${items} in the key release policy`,
);
items = JSON.parse(items);
beejones marked this conversation as resolved.
Show resolved Hide resolved
} else {
console.log(
`KRP add ${type}=>key: ${type} is new in the key release policy`,
);
}

// iterate over every claim
Object.keys(claims).forEach((key) => {
if (CLAIMS[key] === undefined) {
throw new Error(`The claim ${key} is not an allowed claim`);
throw new Error(
`KRP add ${type}=>The claim ${key} is not an allowed claim`,
);
}
let item = claims[key];
// Make sure item is always an array
if (!Array.isArray(item)) {
item = [item];
}

let keyBuf = ccf.strToBuf(key);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// Key is already available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(`key: ${key} already exist: ${items}`);
items = JSON.parse(items);
if (typeof item[0] === "boolean") {
//booleans are single value arrays
items = item;
} else {
// loop through the input and add it to the existing set
item.forEach((i) => {
items.push(i);
});
}
if (items[key] !== undefined) {
item.forEach((i) => {
console.log(`KRP add ${type}=>Adding ${i} to ${key}`);
items[key].push(i);
});
} else {
// set single value
items = item;
items[key] = item;
console.log(`KRP add ${type}=>currrent items: `, items);
}
});

// prepare and store items
let jsonItems = JSON.stringify(items);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
// Safe into KV
console.log(`KRP add ${type}=>items: `, items);
let jsonItems = JSON.stringify(items);
console.log(
`KRP add ${type}=>Add claims to key release policy for ${type}: ${jsonItems}`,
);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
};
// Function to add key release policy operator
const addOperator = (type, claims) => {
let items = {};
console.log(
`Add claims to key release policy for ${type}: ${JSON.stringify(claims)}`,
);
// get all the claims for type from the KV
let keyBuf = ccf.strToBuf(type);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// type is already available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(
`Voted key release policy item. Key: ${key}, value: ${jsonItems}`,
`KRP add ${type}=>key: ${type} already exist: ${items} in the key release policy`,
);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
items = JSON.parse(items);
} else {
console.log(
`KRP add ${type}=>key: ${type} is new in the key release policy`,
);
}

// iterate over every claim
Object.keys(claims).forEach((key) => {
if (CLAIMS[key] === undefined) {
throw new Error(
`KRP add ${type}=>The claim ${key} is not an allowed claim`,
);
}
let item = claims[key];
// Make sure item is always an array
if (Array.isArray(item)) {
throw new Error(`The operator claim ${key} cannot be an array`);
}

items[key] = item;
});

// Safe into KV
console.log(`KRP add ${type}=>items: `, items);
let jsonItems = JSON.stringify(items);
console.log(
`KRP add ${type}=>Add claims to key release policy for ${type}: ${jsonItems}`,
);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
};

// Function to remove key release policy claims
const remove = (claims) => {
let items = [];
const remove = (type, claims) => {
let items = {};
console.log(
`Remove claims to key release policy: ${JSON.stringify(claims)}`,
`Remove claims from key release policy for ${type}: ${JSON.stringify(claims)}`,
);
// get all the claims for type from the KV
let keyBuf = ccf.strToBuf(type);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// type is available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(
`KRP remove ${type}=>key: ${type} exist: ${items} in the key release policy`,
);
items = JSON.parse(items);
} else {
console.log(
`KRP remove ${type}=>key: ${type} does not exists in the key release policy`,
);
throw new Error(
`The key ${type} does not exists in the key release policy`,
);
}

// iterate over every claim
Object.keys(claims).forEach((key) => {
if (CLAIMS[key] === undefined) {
throw new Error(`The claim ${key} is not an allowed claim`);
throw new Error(
`KRP remove ${type}=>The claim ${key} is not an allowed claim`,
);
}
let item = claims[key];
// Make sure item is always an array
if (!Array.isArray(item)) {
item = [item];
}

let keyBuf = ccf.strToBuf(key);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// Key must be available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(`key: ${key} exist: ${items}`);
items = JSON.parse(items);
if (typeof item[0] === "boolean") {
//booleans are single value arrays, removing will remove the whole key
ccf.kv[keyReleaseMapName].delete(keyBuf);
} else {
// loop through the input and delete it from the existing set
item.forEach((i) => {
if (items.filter((ii) => ii === i).length === 0) {
throw new Error(
`Trying to remove value '${i}' from ${items} and it does not exist`,
);
}
// Remove value from list
const index = items.indexOf(i);
if (index > -1) {
items.splice(index, 1);
}
});
// update items
if (items.length === 0) {
ccf.kv[keyReleaseMapName].delete(keyBuf);
} else {
let jsonItems = JSON.stringify(items);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
if (items[key] !== undefined) {
item.forEach((i) => {
console.log(`KRP remove ${type}=>Removing ${i} from ${key}`);
items[key] = items[key].filter((value) => value !== i);
if (items[key].length === 0) {
delete items[key];
}
}
});
} else {
console.log(
`KRP remove ${type}=>Claim ${key} not found in the key release policy`,
);
throw new Error(
`Cannot remove values of ${key} because the key does not exist in the key release policy claims`,
`The claim ${key} does not exists in the key release policy`,
);
}
});

// Safe into KV
console.log(`KRP remove ${type}=>items: `, items);
let jsonItems = JSON.stringify(items);
console.log(
`KRP remove ${type}=>Remove claims from key release policy for ${type}: ${jsonItems}`,
);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
};

const removeOperator = (type, claims) => {
let items = {};
console.log(
`Remove claims from key release policy for ${type}: ${JSON.stringify(claims)}`,
);
// get all the claims for type from the KV
let keyBuf = ccf.strToBuf(type);
if (ccf.kv[keyReleaseMapName].has(keyBuf)) {
// type is available
const itemsBuf = ccf.kv[keyReleaseMapName].get(keyBuf);
items = ccf.bufToStr(itemsBuf);
console.log(
`KRP remove ${type}=>key: ${type} exist: ${items} in the key release policy`,
);
items = JSON.parse(items);
} else {
console.log(
`KRP remove ${type}=>key: ${type} does not exists in the key release policy`,
);
throw new Error(
`The key ${type} does not exists in the key release policy`,
);
}

// iterate over every claim
Object.keys(claims).forEach((key) => {
if (CLAIMS[key] === undefined) {
throw new Error(
`KRP remove ${type}=>The claim ${key} is not an allowed claim`,
);
}
let item = claims[key];
// Make sure item is always an array
if (Array.isArray(item)) {
throw new Error(`The operator claim ${key} cannot be an array`);
}

if (items[key] !== undefined) {
console.log(`KRP remove ${type}=>Removing ${item} from ${key}`);
delete items[key];
} else {
console.log(
`KRP remove ${type}=>Claim ${key} not found in the key release policy`,
);
throw new Error(
`The claim ${key} does not exists in the key release policy`,
);
}
});

// Save into KV
console.log(`KRP remove ${type}=>items: `, items);
let jsonItems = JSON.stringify(items);
console.log(
`KRP remove ${type}=>Remove claims from key release policy for ${type}: ${jsonItems}`,
);
let jsonItemsBuf = ccf.strToBuf(jsonItems);
ccf.kv[keyReleaseMapName].set(keyBuf, jsonItemsBuf);
};

const type = args.type;
switch (type) {
case "add":
add(args.claims);
add("claims", args.claims);
if (args.gte !== undefined) {
addOperator("gte", args.gte);
}
if (args.gt !== undefined) {
addOperator("gt", args.gt);
}

break;
case "remove":
remove(args.claims);
remove("claims", args.claims);
if (args.gte !== undefined) {
removeOperator("gte", args.gte);
}
if (args.gt !== undefined) {
removeOperator("gt", args.gt);
}
break;
default:
throw new Error(
Expand All @@ -237,18 +375,27 @@ actions.set(
),
);


actions.set(
"set_key_rotation_policy",
// validate function
new Action(
function (args) {
console.log(`set_key_rotation_policy, check args: ${JSON.stringify(args)}`);
console.log(
`set_key_rotation_policy, check args: ${JSON.stringify(args)}`,
);
checkType(args.key_rotation_policy, "object", "set_key_rotation_policy");

// Check settings policy
checkType(args.key_rotation_policy.rotation_interval_seconds, "integer", "Number_of_seconds_between_key_rotations");
checkType(args.key_rotation_policy.grace_period_seconds, "integer", "Number_of_seconds_to_allow_an_expired_key_to_be_used_by_clients");
checkType(
args.key_rotation_policy.rotation_interval_seconds,
"integer",
"Number_of_seconds_between_key_rotations",
);
checkType(
args.key_rotation_policy.grace_period_seconds,
"integer",
"Number_of_seconds_to_allow_an_expired_key_to_be_used_by_clients",
);
console.log(`Key rotation policy validation passed.`);
},

Expand All @@ -267,4 +414,4 @@ actions.set(
);
},
),
);
);
6 changes: 6 additions & 0 deletions governance/policies/key-release-policy-add.json
View file
Open in desktop
beejones marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,12 @@
"name": "set_key_release_policy",
"args": {
"service": "some service",
"gte": {
"x-ms-ver": "2"
},
"gt": {
"x-ms-ver": "1"
},
"type": "add",
"claims": {
"x-ms-ver": ["2", "3"],
Expand Down
Loading
Loading