|
| 1 | +/* |
| 2 | +Copyright 2026 Cozystack contributors. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package rest |
| 18 | + |
| 19 | +import ( |
| 20 | + "context" |
| 21 | + "encoding/json" |
| 22 | + "net/http" |
| 23 | + |
| 24 | + "github.com/cockroachdb/errors" |
| 25 | + |
| 26 | + apiv1 "github.com/cozystack/blockstor/pkg/api/v1" |
| 27 | + "github.com/cozystack/blockstor/pkg/store" |
| 28 | +) |
| 29 | + |
| 30 | +// passphraseRequest is the body upstream linstor expects on the |
| 31 | +// encryption/passphrase endpoints. |
| 32 | +type passphraseRequest struct { |
| 33 | + NewPassphrase string `json:"new_passphrase"` |
| 34 | + OldPassphrase string `json:"old_passphrase,omitempty"` |
| 35 | +} |
| 36 | + |
| 37 | +// registerEncryption wires `linstor encryption *` endpoints. The |
| 38 | +// cluster passphrase is the master key used to encrypt LUKS volume |
| 39 | +// keys at rest in the controller's KV store. |
| 40 | +// |
| 41 | +// Storage scaffolding only for now: the passphrase is held verbatim |
| 42 | +// under the ControllerProps KV instance. Real KDF + at-rest encryption |
| 43 | +// of the per-volume keys is Phase 6 work. |
| 44 | +func (s *Server) registerEncryption(mux *http.ServeMux) { |
| 45 | + mux.HandleFunc("POST /v1/encryption/passphrase", |
| 46 | + s.requireStore(s.handlePassphraseCreate)) |
| 47 | + mux.HandleFunc("PATCH /v1/encryption/passphrase", |
| 48 | + s.requireStore(s.handlePassphraseEnter)) |
| 49 | + mux.HandleFunc("PUT /v1/encryption/passphrase", |
| 50 | + s.requireStore(s.handlePassphraseModify)) |
| 51 | +} |
| 52 | + |
| 53 | +// handlePassphraseCreate sets the passphrase the first time. 409 if |
| 54 | +// one already exists; the caller is supposed to PATCH to change. |
| 55 | +func (s *Server) handlePassphraseCreate(w http.ResponseWriter, r *http.Request) { |
| 56 | + var req passphraseRequest |
| 57 | + |
| 58 | + err := json.NewDecoder(r.Body).Decode(&req) |
| 59 | + if err != nil { |
| 60 | + writeError(w, http.StatusBadRequest, err.Error()) |
| 61 | + |
| 62 | + return |
| 63 | + } |
| 64 | + |
| 65 | + if req.NewPassphrase == "" { |
| 66 | + writeError(w, http.StatusBadRequest, "new_passphrase is required") |
| 67 | + |
| 68 | + return |
| 69 | + } |
| 70 | + |
| 71 | + have, err := getPassphrase(r.Context(), s.Store) |
| 72 | + if err != nil { |
| 73 | + writeError(w, http.StatusInternalServerError, err.Error()) |
| 74 | + |
| 75 | + return |
| 76 | + } |
| 77 | + |
| 78 | + if have != "" { |
| 79 | + writeError(w, http.StatusConflict, "cluster passphrase already set; PATCH to modify") |
| 80 | + |
| 81 | + return |
| 82 | + } |
| 83 | + |
| 84 | + err = setPassphrase(r.Context(), s.Store, req.NewPassphrase) |
| 85 | + if err != nil { |
| 86 | + writeError(w, http.StatusInternalServerError, err.Error()) |
| 87 | + |
| 88 | + return |
| 89 | + } |
| 90 | + |
| 91 | + w.WriteHeader(http.StatusCreated) |
| 92 | +} |
| 93 | + |
| 94 | +// handlePassphraseEnter unlocks the in-memory crypto context for this |
| 95 | +// controller process. We treat the request body's `new_passphrase` as |
| 96 | +// the proof-of-knowledge — matches upstream's PATCH semantics. |
| 97 | +func (s *Server) handlePassphraseEnter(w http.ResponseWriter, r *http.Request) { |
| 98 | + var req passphraseRequest |
| 99 | + |
| 100 | + err := json.NewDecoder(r.Body).Decode(&req) |
| 101 | + if err != nil { |
| 102 | + writeError(w, http.StatusBadRequest, err.Error()) |
| 103 | + |
| 104 | + return |
| 105 | + } |
| 106 | + |
| 107 | + have, err := getPassphrase(r.Context(), s.Store) |
| 108 | + if err != nil { |
| 109 | + writeError(w, http.StatusInternalServerError, err.Error()) |
| 110 | + |
| 111 | + return |
| 112 | + } |
| 113 | + |
| 114 | + if have == "" { |
| 115 | + writeError(w, http.StatusPreconditionFailed, "no cluster passphrase set; POST to create") |
| 116 | + |
| 117 | + return |
| 118 | + } |
| 119 | + |
| 120 | + if have != req.NewPassphrase { |
| 121 | + writeError(w, http.StatusForbidden, "passphrase mismatch") |
| 122 | + |
| 123 | + return |
| 124 | + } |
| 125 | + |
| 126 | + w.WriteHeader(http.StatusOK) |
| 127 | +} |
| 128 | + |
| 129 | +// handlePassphraseModify rotates the passphrase. Old must verify, new |
| 130 | +// replaces it. |
| 131 | +func (s *Server) handlePassphraseModify(w http.ResponseWriter, r *http.Request) { |
| 132 | + var req passphraseRequest |
| 133 | + |
| 134 | + err := json.NewDecoder(r.Body).Decode(&req) |
| 135 | + if err != nil { |
| 136 | + writeError(w, http.StatusBadRequest, err.Error()) |
| 137 | + |
| 138 | + return |
| 139 | + } |
| 140 | + |
| 141 | + have, err := getPassphrase(r.Context(), s.Store) |
| 142 | + if err != nil { |
| 143 | + writeError(w, http.StatusInternalServerError, err.Error()) |
| 144 | + |
| 145 | + return |
| 146 | + } |
| 147 | + |
| 148 | + if have == "" { |
| 149 | + writeError(w, http.StatusPreconditionFailed, "no cluster passphrase set") |
| 150 | + |
| 151 | + return |
| 152 | + } |
| 153 | + |
| 154 | + if have != req.OldPassphrase { |
| 155 | + writeError(w, http.StatusForbidden, "old passphrase mismatch") |
| 156 | + |
| 157 | + return |
| 158 | + } |
| 159 | + |
| 160 | + err = setPassphrase(r.Context(), s.Store, req.NewPassphrase) |
| 161 | + if err != nil { |
| 162 | + writeError(w, http.StatusInternalServerError, err.Error()) |
| 163 | + |
| 164 | + return |
| 165 | + } |
| 166 | + |
| 167 | + w.WriteHeader(http.StatusOK) |
| 168 | +} |
| 169 | + |
| 170 | +// getPassphrase reads the current cluster passphrase. Empty string |
| 171 | +// (not error) for "not yet set". |
| 172 | +func getPassphrase(ctx context.Context, st store.Store) (string, error) { |
| 173 | + props, err := st.KeyValueStore().GetInstance(ctx, controllerPropsInstance) |
| 174 | + if err != nil { |
| 175 | + if errors.Is(err, store.ErrNotFound) { |
| 176 | + return "", nil |
| 177 | + } |
| 178 | + |
| 179 | + return "", errors.Wrap(err, "read passphrase") |
| 180 | + } |
| 181 | + |
| 182 | + return props[passphraseKey], nil |
| 183 | +} |
| 184 | + |
| 185 | +// setPassphrase writes the cluster passphrase via SetKeys (so the |
| 186 | +// merge semantic preserves any sibling controller props). |
| 187 | +func setPassphrase(ctx context.Context, st store.Store, value string) error { |
| 188 | + err := st.KeyValueStore().SetKeys(ctx, controllerPropsInstance, apiv1.GenericPropsModify{ |
| 189 | + OverrideProps: map[string]string{passphraseKey: value}, |
| 190 | + }) |
| 191 | + if err != nil { |
| 192 | + return errors.Wrap(err, "write passphrase") |
| 193 | + } |
| 194 | + |
| 195 | + return nil |
| 196 | +} |
| 197 | + |
| 198 | +// passphraseKey is the property key under ControllerProps where the |
| 199 | +// cluster passphrase lives. The upstream-compatible name keeps |
| 200 | +// satellites that look it up by string identifier working. |
| 201 | +// |
| 202 | +//nolint:gosec // this is the storage key name, not the secret value itself |
| 203 | +const passphraseKey = "Cluster/EncryptionPassphrase" |
0 commit comments