1 // -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3
4 /**
5 * Server-side encryption integrations with Key Management Systems (SSE-KMS)
6 */
7
8 #ifndef CEPH_RGW_KMS_H
9 #define CEPH_RGW_KMS_H
10
// Names of the KMS backends this header knows about. `static` at namespace
// scope gives every translation unit that includes this header its own copy.
static const std::string RGW_SSE_KMS_BACKEND_TESTING{"testing"};
static const std::string RGW_SSE_KMS_BACKEND_BARBICAN{"barbican"};
static const std::string RGW_SSE_KMS_BACKEND_VAULT{"vault"};

// Vault authentication method names.
static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN{"token"};
static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT{"agent"};

// Vault secret-engine names.
static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT{"transit"};
static const std::string RGW_SSE_KMS_VAULT_SE_KV{"kv"};
20
/**
 * Retrieves the actual server-side encryption key from a KMS system given a
 * key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
 * Vault, but keys can also be retrieved from Ceph configuration file (if
 * kms is set to 'local').
 *
 * NOTE(review): the backend names declared above are "testing", "barbican"
 * and "vault"; the 'local' mentioned here may be stale -- confirm against
 * the implementation.
 *
 * \param cct          Ceph context handed through to the implementation.
 * \param key_id       identifier of the key to fetch from the KMS.
 * \param key_selector additional selector passed alongside key_id; its
 *                     interpretation belongs to the implementation.
 * \param actual_key   output: receives the key material. This is secret
 *                     material; the caller owns the buffer and its lifetime.
 * \return int status code whose values are defined by the implementation
 *         (presumably 0 on success, as elsewhere in Ceph -- confirm there).
 */
int get_actual_key_from_kms(CephContext *cct,
                            boost::string_view key_id,
                            boost::string_view key_selector,
                            std::string& actual_key);
35
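/**
 * SecretEngine Interface
 * Defining interface here such that we can use both a real implementation
 * of this interface, and a mock implementation in tests.
 *
 * The destructor is virtual, so a derived engine may be deleted through a
 * SecretEngine pointer.
 **/
class SecretEngine {

public:
  /**
   * Fetches the key identified by key_id into actual_key.
   * \param key_id      identifier of the key in the backing secret store.
   * \param actual_key  output: receives the key material. Secret material --
   *                    implementations should keep it out of logs.
   * \return int status code defined by the implementation.
   */
  virtual int get_key(boost::string_view key_id, std::string& actual_key) = 0;
  // Defaulted rather than `{}`: same behaviour, idiomatic, no stray `;`.
  virtual ~SecretEngine() = default;
protected:
  /**
   * Issues the backend request for key_id; presumably the response is left
   * in parser for decode_secret() -- confirm in the implementations.
   * \return int status code defined by the implementation.
   */
  virtual int send_request(boost::string_view key_id, JSONParser* parser) = 0;
  /**
   * Extracts the key material from json_obj into actual_key.
   * \return int status code defined by the implementation.
   */
  virtual int decode_secret(JSONObj* json_obj, std::string& actual_key) = 0;
};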
50 #endif