minio/cmd/environment.go

// MinIO Cloud Storage, (C) 2016, 2017, 2018 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"

	"github.com/minio/minio/cmd/crypto"
)

const (
	// EnvKMSMasterKey is the environment variable used to specify
	// a KMS master key used to protect SSE-S3 per-object keys.
	// Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE".
	EnvKMSMasterKey = "MINIO_SSE_MASTER_KEY"

	// EnvAutoEncryption is the environment variable used to en/disable
	// SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled,
	// requires a valid KMS configuration and turns any non-SSE-C
	// request into an SSE-S3 request.
	// If present EnvAutoEncryption must be either "on" or "off".
	EnvAutoEncryption = "MINIO_SSE_AUTO_ENCRYPTION"
)

const (
	// EnvVaultEndpoint is the environment variable used to specify
	// the vault HTTPS endpoint.
	EnvVaultEndpoint = "MINIO_SSE_VAULT_ENDPOINT"

	// EnvVaultAuthType is the environment variable used to specify
	// the authentication type for vault.
	EnvVaultAuthType = "MINIO_SSE_VAULT_AUTH_TYPE"

	// EnvVaultAppRoleID is the environment variable used to specify
	// the vault AppRole ID.
	EnvVaultAppRoleID = "MINIO_SSE_VAULT_APPROLE_ID"

	// EnvVaultAppSecretID is the environment variable used to specify
	// the vault AppRole secret corresponding to the AppRole ID.
	EnvVaultAppSecretID = "MINIO_SSE_VAULT_APPROLE_SECRET"

	// EnvVaultKeyVersion is the environment variable used to specify
	// the vault key version.
	EnvVaultKeyVersion = "MINIO_SSE_VAULT_KEY_VERSION"

	// EnvVaultKeyName is the environment variable used to specify
	// the vault named key-ring. In the S3 context it's referred as
	// customer master key ID (CMK-ID).
	EnvVaultKeyName = "MINIO_SSE_VAULT_KEY_NAME"

	// EnvVaultCAPath is the environment variable used to specify the
	// path to a directory of PEM-encoded CA cert files. These CA cert
	// files are used to authenticate MinIO to Vault over mTLS.
	EnvVaultCAPath = "MINIO_SSE_VAULT_CAPATH"

	// EnvVaultNamespace is the environment variable used to specify
	// vault namespace. The vault namespace is used if the enterprise
	// version of Hashicorp Vault is used.
	EnvVaultNamespace = "MINIO_SSE_VAULT_NAMESPACE"
)

// Environment provides functions for accessing environment
// variables.
var Environment = environment{}

type environment struct{}

// Get retrieves the value of the environment variable named
// by the key. If the variable is present in the environment the
// value (which may be empty) is returned. Otherwise it returns
// the specified default value.
func (environment) Get(key, defaultValue string) string {
	if v, ok := os.LookupEnv(key); ok {
		return v
	}
	return defaultValue
}

// Lookup retrieves the value of the environment variable named
// by the key. If the variable is present in the environment the
// value (which may be empty) is returned and the boolean is true.
// Otherwise the returned value will be empty and the boolean will
// be false.
func (environment) Lookup(key string) (string, bool) { return os.LookupEnv(key) }

// LookupKMSConfig extracts the KMS configuration provided by environment
// variables and merge them with the provided KMS configuration. The
// merging follows the following rules:
//
// 1. A valid value provided as environment variable is higher prioritized
// than the provided configuration and overwrites the value from the
// configuration file.
//
// 2. A value specified as environment variable never changes the configuration
// file. So it is never made a persistent setting.
//
// It sets the global KMS configuration according to the merged configuration
// on success.
func (env environment) LookupKMSConfig(config crypto.KMSConfig) (err error) {
	// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present
	config.Vault.Endpoint = env.Get(EnvVaultEndpoint, config.Vault.Endpoint)
	config.Vault.CAPath = env.Get(EnvVaultCAPath, config.Vault.CAPath)
	config.Vault.Auth.Type = env.Get(EnvVaultAuthType, config.Vault.Auth.Type)
	config.Vault.Auth.AppRole.ID = env.Get(EnvVaultAppRoleID, config.Vault.Auth.AppRole.ID)
	config.Vault.Auth.AppRole.Secret = env.Get(EnvVaultAppSecretID, config.Vault.Auth.AppRole.Secret)
	config.Vault.Key.Name = env.Get(EnvVaultKeyName, config.Vault.Key.Name)
	config.Vault.Namespace = env.Get(EnvVaultNamespace, config.Vault.Namespace)
	keyVersion := env.Get(EnvVaultKeyVersion, strconv.Itoa(config.Vault.Key.Version))
	config.Vault.Key.Version, err = strconv.Atoi(keyVersion)
	if err != nil {
		return fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)", EnvVaultKeyVersion, keyVersion)
	}
	if err = config.Vault.Verify(); err != nil {
		return err
	}

	// Lookup KMS master keys - only available through ENV.
	if masterKey, ok := env.Lookup(EnvKMSMasterKey); ok {
		if !config.Vault.IsEmpty() { // Vault and KMS master key provided
			return errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
		}
		globalKMSKeyID, GlobalKMS, err = parseKMSMasterKey(masterKey)
		if err != nil {
			return err
		}
	}
	if !config.Vault.IsEmpty() {
		GlobalKMS, err = crypto.NewVault(config.Vault)
		if err != nil {
			return err
		}
		globalKMSKeyID = config.Vault.Key.Name
	}

	autoEncryption, err := ParseBoolFlag(env.Get(EnvAutoEncryption, "off"))
	if err != nil {
		return err
	}
	globalAutoEncryption = bool(autoEncryption)
	if globalAutoEncryption && GlobalKMS == nil { // auto-encryption enabled but no KMS
		return errors.New("Invalid KMS configuration: auto-encryption is enabled but no valid KMS configuration is present")
	}
	return nil
}

// parseKMSMasterKey parses the value of the environment variable
// `EnvKMSMasterKey` and returns a key-ID and a master-key KMS on success.
func parseKMSMasterKey(envArg string) (string, crypto.KMS, error) {
	values := strings.SplitN(envArg, ":", 2)
	if len(values) != 2 {
		return "", nil, fmt.Errorf("Invalid KMS master key: %s does not contain a ':'", envArg)
	}
	var (
		keyID  = values[0]
		hexKey = values[1]
	)
	if len(hexKey) != 64 { // 2 hex bytes = 1 byte
		return "", nil, fmt.Errorf("Invalid KMS master key: %s not a 32 bytes long HEX value", hexKey)
	}
	var masterKey [32]byte
	if _, err := hex.Decode(masterKey[:], []byte(hexKey)); err != nil {
		return "", nil, fmt.Errorf("Invalid KMS master key: %s not a 32 bytes long HEX value", hexKey)
	}
	return keyID, crypto.NewKMS(masterKey), nil
}
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-10 02:39:42 +08:00			`// MinIO Cloud Storage, (C) 2016, 2017, 2018 MinIO, Inc.`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package cmd`

			`import (`
			`"encoding/hex"`
			`"errors"`
			`"fmt"`
			`"os"`
			`"strconv"`
			`"strings"`

			`"github.com/minio/minio/cmd/crypto"`
			`)`

			`const (`
			`// EnvKMSMasterKey is the environment variable used to specify`
			`// a KMS master key used to protect SSE-S3 per-object keys.`
			`// Valid values must be of the from: "KEY_ID:32_BYTE_HEX_VALUE".`
			`EnvKMSMasterKey = "MINIO_SSE_MASTER_KEY"`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00
			`// EnvAutoEncryption is the environment variable used to en/disable`
			`// SSE-S3 auto-encryption. SSE-S3 auto-encryption, if enabled,`
			`// requires a valid KMS configuration and turns any non-SSE-C`
			`// request into an SSE-S3 request.`
			`// If present EnvAutoEncryption must be either "on" or "off".`
			`EnvAutoEncryption = "MINIO_SSE_AUTO_ENCRYPTION"`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`)`

			`const (`
			`// EnvVaultEndpoint is the environment variable used to specify`
			`// the vault HTTPS endpoint.`
			`EnvVaultEndpoint = "MINIO_SSE_VAULT_ENDPOINT"`

			`// EnvVaultAuthType is the environment variable used to specify`
			`// the authentication type for vault.`
			`EnvVaultAuthType = "MINIO_SSE_VAULT_AUTH_TYPE"`

			`// EnvVaultAppRoleID is the environment variable used to specify`
			`// the vault AppRole ID.`
			`EnvVaultAppRoleID = "MINIO_SSE_VAULT_APPROLE_ID"`

			`// EnvVaultAppSecretID is the environment variable used to specify`
			`// the vault AppRole secret corresponding to the AppRole ID.`
			`EnvVaultAppSecretID = "MINIO_SSE_VAULT_APPROLE_SECRET"`

			`// EnvVaultKeyVersion is the environment variable used to specify`
			`// the vault key version.`
			`EnvVaultKeyVersion = "MINIO_SSE_VAULT_KEY_VERSION"`

			`// EnvVaultKeyName is the environment variable used to specify`
			`// the vault named key-ring. In the S3 context it's referred as`
			`// customer master key ID (CMK-ID).`
			`EnvVaultKeyName = "MINIO_SSE_VAULT_KEY_NAME"`

			`// EnvVaultCAPath is the environment variable used to specify the`
			`// path to a directory of PEM-encoded CA cert files. These CA cert`
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-10 02:39:42 +08:00			`// files are used to authenticate MinIO to Vault over mTLS.`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`EnvVaultCAPath = "MINIO_SSE_VAULT_CAPATH"`

			`// EnvVaultNamespace is the environment variable used to specify`
			`// vault namespace. The vault namespace is used if the enterprise`
			`// version of Hashicorp Vault is used.`
			`EnvVaultNamespace = "MINIO_SSE_VAULT_NAMESPACE"`
			`)`

			`// Environment provides functions for accessing environment`
			`// variables.`
			`var Environment = environment{}`

			`type environment struct{}`

			`// Get retrieves the value of the environment variable named`
			`// by the key. If the variable is present in the environment the`
			`// value (which may be empty) is returned. Otherwise it returns`
			`// the specified default value.`
			`func (environment) Get(key, defaultValue string) string {`
			`if v, ok := os.LookupEnv(key); ok {`
			`return v`
			`}`
			`return defaultValue`
			`}`

			`// Lookup retrieves the value of the environment variable named`
			`// by the key. If the variable is present in the environment the`
			`// value (which may be empty) is returned and the boolean is true.`
			`// Otherwise the returned value will be empty and the boolean will`
			`// be false.`
			`func (environment) Lookup(key string) (string, bool) { return os.LookupEnv(key) }`

			`// LookupKMSConfig extracts the KMS configuration provided by environment`
			`// variables and merge them with the provided KMS configuration. The`
			`// merging follows the following rules:`
			`//`
			`// 1. A valid value provided as environment variable is higher prioritized`
			`// than the provided configuration and overwrites the value from the`
			`// configuration file.`
			`//`
			`// 2. A value specified as environment variable never changes the configuration`
			`// file. So it is never made a persistent setting.`
			`//`
			`// It sets the global KMS configuration according to the merged configuration`
			`// on success.`
			`func (env environment) LookupKMSConfig(config crypto.KMSConfig) (err error) {`
			`// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present`
			`config.Vault.Endpoint = env.Get(EnvVaultEndpoint, config.Vault.Endpoint)`
			`config.Vault.CAPath = env.Get(EnvVaultCAPath, config.Vault.CAPath)`
			`config.Vault.Auth.Type = env.Get(EnvVaultAuthType, config.Vault.Auth.Type)`
			`config.Vault.Auth.AppRole.ID = env.Get(EnvVaultAppRoleID, config.Vault.Auth.AppRole.ID)`
			`config.Vault.Auth.AppRole.Secret = env.Get(EnvVaultAppSecretID, config.Vault.Auth.AppRole.Secret)`
			`config.Vault.Key.Name = env.Get(EnvVaultKeyName, config.Vault.Key.Name)`
			`config.Vault.Namespace = env.Get(EnvVaultNamespace, config.Vault.Namespace)`
			`keyVersion := env.Get(EnvVaultKeyVersion, strconv.Itoa(config.Vault.Key.Version))`
			`config.Vault.Key.Version, err = strconv.Atoi(keyVersion)`
			`if err != nil {`
			return fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)", EnvVaultKeyVersion, keyVersion)
			`}`
			`if err = config.Vault.Verify(); err != nil {`
			`return err`
			`}`

			`// Lookup KMS master keys - only available through ENV.`
			`if masterKey, ok := env.Lookup(EnvKMSMasterKey); ok {`
			`if !config.Vault.IsEmpty() { // Vault and KMS master key provided`
			`return errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")`
			`}`
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696 2019-01-06 06:16:43 +08:00			`globalKMSKeyID, GlobalKMS, err = parseKMSMasterKey(masterKey)`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`if err != nil {`
			`return err`
			`}`
			`}`
			`if !config.Vault.IsEmpty() {`
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696 2019-01-06 06:16:43 +08:00			`GlobalKMS, err = crypto.NewVault(config.Vault)`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`if err != nil {`
			`return err`
			`}`
			`globalKMSKeyID = config.Vault.Key.Name`
			`}`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00
			`autoEncryption, err := ParseBoolFlag(env.Get(EnvAutoEncryption, "off"))`
			`if err != nil {`
			`return err`
			`}`
			`globalAutoEncryption = bool(autoEncryption)`
Add double encryption at S3 gateway. (#6423) This PR adds pass-through, single encryption at gateway and double encryption support (gateway encryption with pass through of SSE headers to backend). If KMS is set up (either with Vault as KMS or using MINIO_SSE_MASTER_KEY),gateway will automatically perform single encryption. If MINIO_GATEWAY_SSE is set up in addition to Vault KMS, double encryption is performed.When neither KMS nor MINIO_GATEWAY_SSE is set, do a pass through to backend. When double encryption is specified, MINIO_GATEWAY_SSE can be set to "C" for SSE-C encryption at gateway and backend, "S3" for SSE-S3 encryption at gateway/backend or both to support more than one option. Fixes #6323, #6696 2019-01-06 06:16:43 +08:00			`if globalAutoEncryption && GlobalKMS == nil { // auto-encryption enabled but no KMS`
add auto-encryption feature (#6523) This commit adds an auto-encryption feature which allows the Minio operator to ensure that uploaded objects are always encrypted. This change adds the `autoEncryption` configuration option as part of the KMS conifguration and the ENV. variable `MINIO_SSE_AUTO_ENCRYPTION:{on,off}`. It also updates the KMS documentation according to the changes. Fixes #6502 2018-12-15 05:35:48 +08:00			`return errors.New("Invalid KMS configuration: auto-encryption is enabled but no valid KMS configuration is present")`
			`}`
refactor vault configuration and add master-key KMS (#6488) This refactors the vault configuration by moving the vault-related environment variables to `environment.go` (Other ENV should follow in the future to have a central place for adding / handling ENV instead of magic constants and handling across different files) Further this commit adds master-key SSE-S3 support. The operator can specify a SSE-S3 master key using `MINIO_SSE_MASTER_KEY` which will be used as master key to derive and encrypt per-object keys for SSE-S3 requests. This commit is also a pre-condition for SSE-S3 auto-encyption support. Fixes #6329 2018-12-12 14:50:29 +08:00			`return nil`
			`}`

			`// parseKMSMasterKey parses the value of the environment variable`
			// `EnvKMSMasterKey` and returns a key-ID and a master-key KMS on success.
			`func parseKMSMasterKey(envArg string) (string, crypto.KMS, error) {`
			`values := strings.SplitN(envArg, ":", 2)`
			`if len(values) != 2 {`
			`return "", nil, fmt.Errorf("Invalid KMS master key: %s does not contain a ':'", envArg)`
			`}`
			`var (`
			`keyID = values[0]`
			`hexKey = values[1]`
			`)`
			`if len(hexKey) != 64 { // 2 hex bytes = 1 byte`
			`return "", nil, fmt.Errorf("Invalid KMS master key: %s not a 32 bytes long HEX value", hexKey)`
			`}`
			`var masterKey [32]byte`
			`if _, err := hex.Decode(masterKey[:], []byte(hexKey)); err != nil {`
			`return "", nil, fmt.Errorf("Invalid KMS master key: %s not a 32 bytes long HEX value", hexKey)`
			`}`
			`return keyID, crypto.NewKMS(masterKey), nil`
			`}`