Got rid of hardcoded aws:kms keys

Signed-off-by: Adam Kupczyk <akupczyk@mirantis.com>

diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index 687474e803f7532fd5234bce8e92ec7ae4f18d7c..106e6086eaa0e575ac5c73679e62d0504a1ce4d8 100644 (file)
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -1656,6 +1656,8 @@ OPTION(mon_mgr_digest_period, OPT_INT, 5)  // How frequently to send digests
 OPTION(mon_mgr_beacon_grace, OPT_INT, 30)  // How long to wait to failover
 OPTION(mon_mgr_inactive_grace, OPT_INT, 60) // How long before health WARN -> ERR
 OPTION(rgw_crypt_default_encryption_key, OPT_STR, "") // base64 encoded key for encryption of rgw objects
+OPTION(rgw_crypt_s3_kms_encryption_keys, OPT_STR, "") // extra keys that may be used for aws:kms
+                                                      // defined as map "key1=YmluCmJvb3N0CmJvb3N0LQ== key2=b3V0CnNyYwpUZXN0aW5nCg=="
 
 OPTION(rgw_list_bucket_min_readahead, OPT_INT, 1000) // minimum number of entries to read from rados for bucket listing
 

diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index 376371196e69f7b780402440fa3e73f1be5d2f02..b5fa404c5a35f4c65baad367a066969546184ad9 100644 (file)
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -11,6 +11,7 @@
 #include "include/assert.h"
 #include <boost/utility/string_ref.hpp>
 #include <rgw/rgw_keystone.h>
+#include "include/str_map.h"
 #include "../isa-l_crypto_plugin/crypto_accel.h"
 #include "../isa-l_crypto_plugin/crypto_plugin.h"
 
@@ -920,6 +921,12 @@ int request_key_from_barbican(CephContext *cct,
   return res;
 }
 
+static map<string,string> get_str_map(const string &str) {
+  map<string,string> m;
+  get_str_map(str, &m, ";, \t");
+  return m;
+}
+
 int get_actual_key_from_kms(CephContext *cct,
                             boost::string_ref key_id,
                             boost::string_ref key_selector,
@@ -927,27 +934,27 @@ int get_actual_key_from_kms(CephContext *cct,
 {
   int res = 0;
   ldout(cct, 20) << "Getting KMS encryption key for key=" << key_id << dendl;
-  if (key_id.starts_with("testkey-")) {
-    /* test keys for testing purposes */
-    boost::string_ref key = key_id.substr(sizeof("testkey-")-1);
-    std::string master_key;
-    if (key == "1")       master_key = "012345678901234567890123456789012345";
-    else if (key == "2")  master_key = "abcdefghijklmnopqrstuvwxyzabcdefghij";
-    else {
-      res = -EIO;
-      return res;
-    }
-    uint8_t _actual_key[AES_256_KEYSIZE];
-    if (AES_256_ECB_encrypt(cct,
-                            (uint8_t*)master_key.c_str(), AES_256_KEYSIZE,
-                            (uint8_t*)key_selector.data(),
-                            _actual_key, AES_256_KEYSIZE)) {
-      actual_key = std::string((char*)&_actual_key[0], AES_256_KEYSIZE);
+  static map<string,string> str_map = get_str_map(
+      cct->_conf->rgw_crypt_s3_kms_encryption_keys);
+
+  map<string, string>::iterator it = str_map.find(std::string(key_id));
+  if (it != str_map.end() ) {
+    std::string master_key = from_base64((*it).second);
+    if (master_key.length() == AES_256_KEYSIZE) {
+      uint8_t _actual_key[AES_256_KEYSIZE];
+      if (AES_256_ECB_encrypt(cct,
+          (uint8_t*)master_key.c_str(), AES_256_KEYSIZE,
+          (uint8_t*)key_selector.data(),
+          _actual_key, AES_256_KEYSIZE)) {
+        actual_key = std::string((char*)&_actual_key[0], AES_256_KEYSIZE);
+      } else {
+        res = -EIO;
+      }
     } else {
+      ldout(cct, 20) << "Wrong size for key=" << key_id << dendl;
       res = -EIO;
     }
-  }
-  else {
+  } else {
     std::string token;
     if (rgw::keystone::Service::get_keystone_barbican_token(cct, token) < 0) {
       ldout(cct, 5) << "Failed to retrieve token for barbican" << dendl;