[ceph.git] / ceph / src / rgw / rgw_kms.cc

// -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

/**
 * Server-side encryption integrations with Key Management Systems (SSE-KMS)
 */

#include <sys/stat.h>
#include "include/str_map.h"
#include "common/safe_io.h"
#include "rgw/rgw_crypt.h"
#include "rgw/rgw_keystone.h"
#include "rgw/rgw_b64.h"
#include "rgw/rgw_kms.h"

#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw

using namespace rgw;


/**
 * Construct a full URL string by concatenating a "base" URL with another path,
 * ensuring there is one and only one forward slash between them. If path is
 * empty, the URL is not changed.
 */
static void concat_url(std::string &url, std::string path) {
  bool url_has_slash = !url.empty() && url.back() == '/';
  if (!path.empty()) {
    if (url_has_slash && path.front() == '/') {
      url.pop_back();
    } else if (!url_has_slash && path.front() != '/') {
      url.push_back('/');
    }
    url.append(path);
  }
}


class VaultSecretEngine: public SecretEngine {

protected:
  CephContext *cct;

  int load_token_from_file(std::string *vault_token)
  {

    int res = 0;
    std::string token_file = cct->_conf->rgw_crypt_vault_token_file;
    if (token_file.empty()) {
      ldout(cct, 0) << "ERROR: Vault token file not set in rgw_crypt_vault_token_file" << dendl;
      return -EINVAL;
    }
    ldout(cct, 20) << "Vault token file: " << token_file << dendl;

    struct stat token_st;
    if (stat(token_file.c_str(), &token_st) != 0) {
      ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' not found  " << dendl;
      return -ENOENT;
    }

    if (token_st.st_mode & (S_IRWXG | S_IRWXO)) {
      ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' permissions are "
                    << "too open, it must not be accessible by other users" << dendl;
      return -EACCES;
    }

    char buf[2048];
    res = safe_read_file("", token_file.c_str(), buf, sizeof(buf));
    if (res < 0) {
      if (-EACCES == res) {
        ldout(cct, 0) << "ERROR: Permission denied reading Vault token file" << dendl;
      } else {
        ldout(cct, 0) << "ERROR: Failed to read Vault token file with error " << res << dendl;
      }
      return res;
    }
    // drop trailing newlines
    while (res && isspace(buf[res-1])) {
      --res;
    }
    vault_token->assign(std::string{buf, static_cast<size_t>(res)});
    memset(buf, 0, sizeof(buf));
    ::ceph::crypto::zeroize_for_security(buf, sizeof(buf));
    return res;
  }

  int send_request(boost::string_view key_id, JSONParser* parser) override
  {
    bufferlist secret_bl;
    int res;
    string vault_token = "";
    if (RGW_SSE_KMS_VAULT_AUTH_TOKEN == cct->_conf->rgw_crypt_vault_auth){
      ldout(cct, 0) << "Loading Vault Token from filesystem" << dendl;
      res = load_token_from_file(&vault_token);
      if (res < 0){
        return res;
      }
    }

    std::string secret_url = cct->_conf->rgw_crypt_vault_addr;
    if (secret_url.empty()) {
      ldout(cct, 0) << "ERROR: Vault address not set in rgw_crypt_vault_addr" << dendl;
      return -EINVAL;
    }

    concat_url(secret_url, cct->_conf->rgw_crypt_vault_prefix);
    concat_url(secret_url, std::string(key_id));

    RGWHTTPTransceiver secret_req(cct, "GET", secret_url, &secret_bl);

    if (!vault_token.empty()){
      secret_req.append_header("X-Vault-Token", vault_token);
      vault_token.replace(0, vault_token.length(), vault_token.length(), '\000');
    }

    string vault_namespace = cct->_conf->rgw_crypt_vault_namespace;
    if (!vault_namespace.empty()){
      ldout(cct, 20) << "Vault Namespace: " << vault_namespace << dendl;
      secret_req.append_header("X-Vault-Namespace", vault_namespace);
    }

    res = secret_req.process(null_yield);
    if (res < 0) {
      ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
      return res;
    }

    if (secret_req.get_http_status() ==
        RGWHTTPTransceiver::HTTP_STATUS_UNAUTHORIZED) {
      ldout(cct, 0) << "ERROR: Vault request failed authorization" << dendl;
      return -EACCES;
    }

    ldout(cct, 20) << "Request to Vault returned " << res << " and HTTP status "
      << secret_req.get_http_status() << dendl;

    ldout(cct, 20) << "Parse response into JSON Object" << dendl;

    if (!parser->parse(secret_bl.c_str(), secret_bl.length())) {
      ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault" << dendl;
      return -EINVAL;
    }
    secret_bl.zero();

    return res;
  }

  int decode_secret(JSONObj* json_obj, std::string& actual_key){
    std::string secret;
    try {
      secret = from_base64(json_obj->get_data());
    } catch (std::exception&) {
      ldout(cct, 0) << "ERROR: Failed to base64 decode key retrieved from Vault" << dendl;
      return -EINVAL;
    }

    actual_key.assign(secret.c_str(), secret.length());
    secret.replace(0, secret.length(), secret.length(), '\000');
    return 0;
  }

public:

  VaultSecretEngine(CephContext *cct) {
    this->cct = cct;
  }

  virtual ~VaultSecretEngine(){}
};


class TransitSecretEngine: public VaultSecretEngine {

private:
  int get_key_version(boost::string_view key_id, string& version)
  {
    size_t pos = 0;

    pos = key_id.rfind("/");
    if (pos != boost::string_view::npos){
      boost::string_view token = key_id.substr(pos+1, key_id.length()-pos);
      if (!token.empty() && token.find_first_not_of("0123456789") == boost::string_view::npos){
        version.assign(std::string(token));
        return 0;
      }
    }
    return -1;
  }

public:
  TransitSecretEngine(CephContext *cct): VaultSecretEngine(cct){ }

  int get_key(boost::string_view key_id, std::string& actual_key)
  {
    JSONParser parser;
    string version;

    if (get_key_version(key_id, version) < 0){
      ldout(cct, 20) << "Missing or invalid key version" << dendl;
      return -EINVAL;
    }

    int res = send_request(key_id, &parser);
    if (res < 0) {
      return res;
    }

    JSONObj* json_obj = &parser;
    std::array<std::string, 3> elements = {"data", "keys", version};
    for(const auto& elem : elements) {
      json_obj = json_obj->find_obj(elem);
      if (!json_obj) {
        ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using Transit Engine" << dendl;
        return -EINVAL;
      }
    }

    return decode_secret(json_obj, actual_key);
  }

};

class KvSecretEngine: public VaultSecretEngine {

public:

  KvSecretEngine(CephContext *cct): VaultSecretEngine(cct){ }

  virtual ~KvSecretEngine(){}

  int get_key(boost::string_view key_id, std::string& actual_key){
    JSONParser parser;
    int res = send_request(key_id, &parser);
    if (res < 0) {
      return res;
    }

    JSONObj *json_obj = &parser;
    std::array<std::string, 3> elements = {"data", "data", "key"};
    for(const auto& elem : elements) {
      json_obj = json_obj->find_obj(elem);
      if (!json_obj) {
        ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using KV Engine" << dendl;
        return -EINVAL;
      }
    }
    return decode_secret(json_obj, actual_key);
  }

};


static map<string,string> get_str_map(const string &str) {
  map<string,string> m;
  get_str_map(str, &m, ";, \t");
  return m;
}


static int get_actual_key_from_conf(CephContext *cct,
                                    boost::string_view key_id,
                                    boost::string_view key_selector,
                                    std::string& actual_key)
{
  int res = 0;

  static map<string,string> str_map = get_str_map(
      cct->_conf->rgw_crypt_s3_kms_encryption_keys);

  map<string, string>::iterator it = str_map.find(std::string(key_id));
  if (it == str_map.end())
    return -ERR_INVALID_ACCESS_KEY;

  std::string master_key;
  try {
    master_key = from_base64((*it).second);
  } catch (std::exception&) {
    ldout(cct, 5) << "ERROR: get_actual_key_from_conf invalid encryption key id "
                  << "which contains character that is not base64 encoded."
                  << dendl;
    return -EINVAL;
  }

  if (master_key.length() == AES_256_KEYSIZE) {
    uint8_t _actual_key[AES_256_KEYSIZE];
    if (AES_256_ECB_encrypt(cct,
        reinterpret_cast<const uint8_t*>(master_key.c_str()), AES_256_KEYSIZE,
        reinterpret_cast<const uint8_t*>(key_selector.data()),
        _actual_key, AES_256_KEYSIZE)) {
      actual_key = std::string((char*)&_actual_key[0], AES_256_KEYSIZE);
    } else {
      res = -EIO;
    }
    ::ceph::crypto::zeroize_for_security(_actual_key, sizeof(_actual_key));
  } else {
    ldout(cct, 20) << "Wrong size for key=" << key_id << dendl;
    res = -EIO;
  }

  return res;
}

static int request_key_from_barbican(CephContext *cct,
                                     boost::string_view key_id,
                                     const std::string& barbican_token,
                                     std::string& actual_key) {
  int res;

  std::string secret_url = cct->_conf->rgw_barbican_url;
  if (secret_url.empty()) {
    ldout(cct, 0) << "ERROR: conf rgw_barbican_url is not set" << dendl;
    return -EINVAL;
  }
  concat_url(secret_url, "/v1/secrets/");
  concat_url(secret_url, std::string(key_id));

  bufferlist secret_bl;
  RGWHTTPTransceiver secret_req(cct, "GET", secret_url, &secret_bl);
  secret_req.append_header("Accept", "application/octet-stream");
  secret_req.append_header("X-Auth-Token", barbican_token);

  res = secret_req.process(null_yield);
  if (res < 0) {
    return res;
  }
  if (secret_req.get_http_status() ==
      RGWHTTPTransceiver::HTTP_STATUS_UNAUTHORIZED) {
    return -EACCES;
  }

  if (secret_req.get_http_status() >=200 &&
      secret_req.get_http_status() < 300 &&
      secret_bl.length() == AES_256_KEYSIZE) {
    actual_key.assign(secret_bl.c_str(), secret_bl.length());
    secret_bl.zero();
    } else {
      res = -EACCES;
    }
  return res;
}

static int get_actual_key_from_barbican(CephContext *cct,
                                        boost::string_view key_id,
                                        std::string& actual_key)
{
  int res = 0;
  std::string token;

  if (rgw::keystone::Service::get_keystone_barbican_token(cct, token) < 0) {
    ldout(cct, 5) << "Failed to retrieve token for Barbican" << dendl;
    return -EINVAL;
  }

  res = request_key_from_barbican(cct, key_id, token, actual_key);
  if (res != 0) {
    ldout(cct, 5) << "Failed to retrieve secret from Barbican:" << key_id << dendl;
  }
  return res;
}


static int get_actual_key_from_vault(CephContext *cct,
                                     boost::string_view key_id,
                                     std::string& actual_key)
{
  std::string secret_engine = cct->_conf->rgw_crypt_vault_secret_engine;
  ldout(cct, 20) << "Vault authentication method: " << cct->_conf->rgw_crypt_vault_auth << dendl;
  ldout(cct, 20) << "Vault Secrets Engine: " << secret_engine << dendl;

  if (RGW_SSE_KMS_VAULT_SE_KV == secret_engine){
    KvSecretEngine engine(cct);
    return engine.get_key(key_id, actual_key);
  }
  else if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){
    TransitSecretEngine engine(cct);
    return engine.get_key(key_id, actual_key);
  }
  else{
    ldout(cct, 0) << "Missing or invalid secret engine" << dendl;
    return -EINVAL;
  }
}


int get_actual_key_from_kms(CephContext *cct,
                            boost::string_view key_id,
                            boost::string_view key_selector,
                            std::string& actual_key)
{
  std::string kms_backend;

  kms_backend = cct->_conf->rgw_crypt_s3_kms_backend;
  ldout(cct, 20) << "Getting KMS encryption key for key " << key_id << dendl;
  ldout(cct, 20) << "SSE-KMS backend is " << kms_backend << dendl;

  if (RGW_SSE_KMS_BACKEND_BARBICAN == kms_backend)
    return get_actual_key_from_barbican(cct, key_id, actual_key);

  if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend)
    return get_actual_key_from_vault(cct, key_id, actual_key);

  if (RGW_SSE_KMS_BACKEND_TESTING == kms_backend)
    return get_actual_key_from_conf(cct, key_id, key_selector, actual_key);

  ldout(cct, 0) << "ERROR: Invalid rgw_crypt_s3_kms_backend: " << kms_backend << dendl;
  return -EINVAL;
}
Commit	Line	Data
9f95a23c TL	1	// -- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	/**
	5	* Server-side encryption integrations with Key Management Systems (SSE-KMS)
	6	*/
	7
	8	#include <sys/stat.h>
	9	#include "include/str_map.h"
	10	#include "common/safe_io.h"
	11	#include "rgw/rgw_crypt.h"
	12	#include "rgw/rgw_keystone.h"
	13	#include "rgw/rgw_b64.h"
	14	#include "rgw/rgw_kms.h"
	15
	16	#define dout_context g_ceph_context
	17	#define dout_subsys ceph_subsys_rgw
	18
	19	using namespace rgw;
	20
	21
	22	/**
	23	* Construct a full URL string by concatenating a "base" URL with another path,
	24	* ensuring there is one and only one forward slash between them. If path is
	25	* empty, the URL is not changed.
	26	*/
	27	static void concat_url(std::string &url, std::string path) {
	28	bool url_has_slash = !url.empty() && url.back() == '/';
	29	if (!path.empty()) {
	30	if (url_has_slash && path.front() == '/') {
	31	url.pop_back();
	32	} else if (!url_has_slash && path.front() != '/') {
	33	url.push_back('/');
	34	}
	35	url.append(path);
	36	}
	37	}
	38
	39
	40	class VaultSecretEngine: public SecretEngine {
	41
	42	protected:
	43	CephContext *cct;
	44
	45	int load_token_from_file(std::string *vault_token)
	46	{
	47
	48	int res = 0;
	49	std::string token_file = cct->_conf->rgw_crypt_vault_token_file;
	50	if (token_file.empty()) {
	51	ldout(cct, 0) << "ERROR: Vault token file not set in rgw_crypt_vault_token_file" << dendl;
	52	return -EINVAL;
	53	}
	54	ldout(cct, 20) << "Vault token file: " << token_file << dendl;
	55
	56	struct stat token_st;
	57	if (stat(token_file.c_str(), &token_st) != 0) {
	58	ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' not found " << dendl;
	59	return -ENOENT;
	60	}
	61
	62	if (token_st.st_mode & (S_IRWXG \| S_IRWXO)) {
	63	ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' permissions are "
	64	<< "too open, it must not be accessible by other users" << dendl;
65	return -EACCES;
66	}
67
68	char buf[2048];
69	res = safe_read_file("", token_file.c_str(), buf, sizeof(buf));
70	if (res < 0) {
71	if (-EACCES == res) {
72	ldout(cct, 0) << "ERROR: Permission denied reading Vault token file" << dendl;
73	} else {
74	ldout(cct, 0) << "ERROR: Failed to read Vault token file with error " << res << dendl;
75	}
76	return res;
77	}
78	// drop trailing newlines
79	while (res && isspace(buf[res-1])) {
80	--res;
81	}
82	vault_token->assign(std::string{buf, static_cast<size_t>(res)});
83	memset(buf, 0, sizeof(buf));
84	::ceph::crypto::zeroize_for_security(buf, sizeof(buf));
85	return res;
86	}
87
88	int send_request(boost::string_view key_id, JSONParser* parser) override
89	{
90	bufferlist secret_bl;
91	int res;
92	string vault_token = "";
93	if (RGW_SSE_KMS_VAULT_AUTH_TOKEN == cct->_conf->rgw_crypt_vault_auth){
94	ldout(cct, 0) << "Loading Vault Token from filesystem" << dendl;
95	res = load_token_from_file(&vault_token);
96	if (res < 0){
97	return res;
98	}
99	}
100
101	std::string secret_url = cct->_conf->rgw_crypt_vault_addr;
102	if (secret_url.empty()) {
103	ldout(cct, 0) << "ERROR: Vault address not set in rgw_crypt_vault_addr" << dendl;
104	return -EINVAL;
105	}
106
107	concat_url(secret_url, cct->_conf->rgw_crypt_vault_prefix);
108	concat_url(secret_url, std::string(key_id));
109
110	RGWHTTPTransceiver secret_req(cct, "GET", secret_url, &secret_bl);
111
112	if (!vault_token.empty()){
113	secret_req.append_header("X-Vault-Token", vault_token);
114	vault_token.replace(0, vault_token.length(), vault_token.length(), '\000');
115	}
116
117	string vault_namespace = cct->_conf->rgw_crypt_vault_namespace;
118	if (!vault_namespace.empty()){
119	ldout(cct, 20) << "Vault Namespace: " << vault_namespace << dendl;
120	secret_req.append_header("X-Vault-Namespace", vault_namespace);
121	}
122
123	res = secret_req.process(null_yield);
124	if (res < 0) {
125	ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
126	return res;
127	}
128
129	if (secret_req.get_http_status() ==
130	RGWHTTPTransceiver::HTTP_STATUS_UNAUTHORIZED) {
131	ldout(cct, 0) << "ERROR: Vault request failed authorization" << dendl;
132	return -EACCES;
133	}
134
135	ldout(cct, 20) << "Request to Vault returned " << res << " and HTTP status "
136	<< secret_req.get_http_status() << dendl;
137
138	ldout(cct, 20) << "Parse response into JSON Object" << dendl;
139
140	if (!parser->parse(secret_bl.c_str(), secret_bl.length())) {
141	ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault" << dendl;
142	return -EINVAL;
143	}
144	secret_bl.zero();
145
146	return res;
147	}
148
149	int decode_secret(JSONObj* json_obj, std::string& actual_key){
150	std::string secret;
151	try {
152	secret = from_base64(json_obj->get_data());
153	} catch (std::exception&) {
154	ldout(cct, 0) << "ERROR: Failed to base64 decode key retrieved from Vault" << dendl;
155	return -EINVAL;
156	}
157
158	actual_key.assign(secret.c_str(), secret.length());
159	secret.replace(0, secret.length(), secret.length(), '\000');
160	return 0;
161	}
162
163	public:
164
165	VaultSecretEngine(CephContext *cct) {
166	this->cct = cct;
167	}
168
169	virtual ~VaultSecretEngine(){}
170	};
171
172
173	class TransitSecretEngine: public VaultSecretEngine {
174
175	private:
176	int get_key_version(boost::string_view key_id, string& version)
177	{
178	size_t pos = 0;
179
180	pos = key_id.rfind("/");
181	if (pos != boost::string_view::npos){
182	boost::string_view token = key_id.substr(pos+1, key_id.length()-pos);
183	if (!token.empty() && token.find_first_not_of("0123456789") == boost::string_view::npos){
184	version.assign(std::string(token));
185	return 0;
186	}
187	}
188	return -1;
189	}
190
191	public:
192	TransitSecretEngine(CephContext *cct): VaultSecretEngine(cct){ }
193
194	int get_key(boost::string_view key_id, std::string& actual_key)
195	{
196	JSONParser parser;
197	string version;
198
199	if (get_key_version(key_id, version) < 0){
200	ldout(cct, 20) << "Missing or invalid key version" << dendl;
201	return -EINVAL;
202	}
203
204	int res = send_request(key_id, &parser);
205	if (res < 0) {
206	return res;
207	}
208
209	JSONObj* json_obj = &parser;
210	std::array<std::string, 3> elements = {"data", "keys", version};
211	for(const auto& elem : elements) {
212	json_obj = json_obj->find_obj(elem);
213	if (!json_obj) {
214	ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using Transit Engine" << dendl;
215	return -EINVAL;
216	}
217	}
218
219	return decode_secret(json_obj, actual_key);
220	}
221
222	};
223
224	class KvSecretEngine: public VaultSecretEngine {
225
226	public:
227
228	KvSecretEngine(CephContext *cct): VaultSecretEngine(cct){ }
229
230	virtual ~KvSecretEngine(){}
231
232	int get_key(boost::string_view key_id, std::string& actual_key){
233	JSONParser parser;
234	int res = send_request(key_id, &parser);
235	if (res < 0) {
236	return res;
237	}
238
239	JSONObj *json_obj = &parser;
240	std::array<std::string, 3> elements = {"data", "data", "key"};
241	for(const auto& elem : elements) {
242	json_obj = json_obj->find_obj(elem);
243	if (!json_obj) {
244	ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using KV Engine" << dendl;
245	return -EINVAL;
246	}
247	}
248	return decode_secret(json_obj, actual_key);
249	}
250
251	};
252
253
254	static map<string,string> get_str_map(const string &str) {
255	map<string,string> m;
256	get_str_map(str, &m, ";, \t");
257	return m;
258	}
259
260
261	static int get_actual_key_from_conf(CephContext *cct,
262	boost::string_view key_id,
263	boost::string_view key_selector,
264	std::string& actual_key)
265	{
266	int res = 0;
267
268	static map<string,string> str_map = get_str_map(
269	cct->_conf->rgw_crypt_s3_kms_encryption_keys);
270
271	map<string, string>::iterator it = str_map.find(std::string(key_id));
272	if (it == str_map.end())
273	return -ERR_INVALID_ACCESS_KEY;
274
275	std::string master_key;
276	try {
277	master_key = from_base64((*it).second);
278	} catch (std::exception&) {
279	ldout(cct, 5) << "ERROR: get_actual_key_from_conf invalid encryption key id "
280	<< "which contains character that is not base64 encoded."
281	<< dendl;
282	return -EINVAL;
283	}
284
285	if (master_key.length() == AES_256_KEYSIZE) {
286	uint8_t _actual_key[AES_256_KEYSIZE];
287	if (AES_256_ECB_encrypt(cct,
288	reinterpret_cast<const uint8_t*>(master_key.c_str()), AES_256_KEYSIZE,
289	reinterpret_cast<const uint8_t*>(key_selector.data()),
290	_actual_key, AES_256_KEYSIZE)) {
291	actual_key = std::string((char*)&_actual_key[0], AES_256_KEYSIZE);
292	} else {
293	res = -EIO;
294	}
295	::ceph::crypto::zeroize_for_security(_actual_key, sizeof(_actual_key));
296	} else {
297	ldout(cct, 20) << "Wrong size for key=" << key_id << dendl;
298	res = -EIO;
299	}
300
301	return res;
302	}
303
304	static int request_key_from_barbican(CephContext *cct,
305	boost::string_view key_id,
306	const std::string& barbican_token,
307	std::string& actual_key) {
308	int res;
309
310	std::string secret_url = cct->_conf->rgw_barbican_url;
311	if (secret_url.empty()) {
312	ldout(cct, 0) << "ERROR: conf rgw_barbican_url is not set" << dendl;
313	return -EINVAL;
314	}
315	concat_url(secret_url, "/v1/secrets/");
316	concat_url(secret_url, std::string(key_id));
317
318	bufferlist secret_bl;
319	RGWHTTPTransceiver secret_req(cct, "GET", secret_url, &secret_bl);
320	secret_req.append_header("Accept", "application/octet-stream");
321	secret_req.append_header("X-Auth-Token", barbican_token);
322
323	res = secret_req.process(null_yield);
324	if (res < 0) {
325	return res;
326	}
327	if (secret_req.get_http_status() ==
328	RGWHTTPTransceiver::HTTP_STATUS_UNAUTHORIZED) {
329	return -EACCES;
330	}
331
332	if (secret_req.get_http_status() >=200 &&
333	secret_req.get_http_status() < 300 &&
334	secret_bl.length() == AES_256_KEYSIZE) {
335	actual_key.assign(secret_bl.c_str(), secret_bl.length());
336	secret_bl.zero();
337	} else {
338	res = -EACCES;
339	}
340	return res;
341	}
342
343	static int get_actual_key_from_barbican(CephContext *cct,
344	boost::string_view key_id,
345	std::string& actual_key)
346	{
347	int res = 0;
348	std::string token;
349
350	if (rgw::keystone::Service::get_keystone_barbican_token(cct, token) < 0) {
351	ldout(cct, 5) << "Failed to retrieve token for Barbican" << dendl;
352	return -EINVAL;
353	}
354
355	res = request_key_from_barbican(cct, key_id, token, actual_key);
356	if (res != 0) {
357	ldout(cct, 5) << "Failed to retrieve secret from Barbican:" << key_id << dendl;
358	}
359	return res;
360	}
361
362
363	static int get_actual_key_from_vault(CephContext *cct,
364	boost::string_view key_id,
365	std::string& actual_key)
366	{
367	std::string secret_engine = cct->_conf->rgw_crypt_vault_secret_engine;
368	ldout(cct, 20) << "Vault authentication method: " << cct->_conf->rgw_crypt_vault_auth << dendl;
369	ldout(cct, 20) << "Vault Secrets Engine: " << secret_engine << dendl;
370
371	if (RGW_SSE_KMS_VAULT_SE_KV == secret_engine){
372	KvSecretEngine engine(cct);
373	return engine.get_key(key_id, actual_key);
374	}
375	else if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){
376	TransitSecretEngine engine(cct);
377	return engine.get_key(key_id, actual_key);
378	}
379	else{
380	ldout(cct, 0) << "Missing or invalid secret engine" << dendl;
381	return -EINVAL;
382	}
383	}
384
385
386	int get_actual_key_from_kms(CephContext *cct,
387	boost::string_view key_id,
388	boost::string_view key_selector,
389	std::string& actual_key)
390	{
391	std::string kms_backend;
392
393	kms_backend = cct->_conf->rgw_crypt_s3_kms_backend;
394	ldout(cct, 20) << "Getting KMS encryption key for key " << key_id << dendl;
395	ldout(cct, 20) << "SSE-KMS backend is " << kms_backend << dendl;
396
397	if (RGW_SSE_KMS_BACKEND_BARBICAN == kms_backend)
398	return get_actual_key_from_barbican(cct, key_id, actual_key);
399
400	if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend)
401	return get_actual_key_from_vault(cct, key_id, actual_key);
402
403	if (RGW_SSE_KMS_BACKEND_TESTING == kms_backend)
404	return get_actual_key_from_conf(cct, key_id, key_selector, actual_key);
405
406	ldout(cct, 0) << "ERROR: Invalid rgw_crypt_s3_kms_backend: " << kms_backend << dendl;
407	return -EINVAL;
408	}