kms: encrypt IAM/config data with the KMS (#12041)

This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
parent e05e14309c
commit 3455f786fa
41 changed files with 553 additions and 2157 deletions
--- a/cmd/encryption-v1_test.go
+++ b/cmd/encryption-v1_test.go
@@ -19,14 +19,10 @@ package cmd
 import (
 	"bytes"
 	"encoding/base64"
-	"encoding/json"
-	"fmt"
 	"net/http"
-	"os"
 	"testing"

 	humanize "github.com/dustin/go-humanize"
-	"github.com/klauspost/compress/zstd"
 	"github.com/minio/minio-go/v7/pkg/encrypt"
 	"github.com/minio/minio/cmd/crypto"
 	xhttp "github.com/minio/minio/cmd/http"
@@ -619,7 +615,6 @@ func TestGetDefaultOpts(t *testing.T) {
 		if err == nil {
 			if opts.ServerSideEncryption == nil && test.encryptionType != "" {
 				t.Errorf("Case %d: expected opts to be of %v encryption type", i, test.encryptionType)
-
 			}
 			if opts.ServerSideEncryption != nil && test.encryptionType != opts.ServerSideEncryption.Type() {
 				t.Errorf("Case %d: expected opts to have encryption type %v but was %v ", i, test.encryptionType, opts.ServerSideEncryption.Type())
@@ -627,89 +622,3 @@ func TestGetDefaultOpts(t *testing.T) {
 		}
 	}
 }
-func Test_decryptObjectInfo(t *testing.T) {
-	var testSet []struct {
-		Bucket  string
-		Name    string
-		UserDef map[string]string
-	}
-	file, err := os.Open("testdata/decryptObjectInfo.json.zst")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer file.Close()
-	dec, err := zstd.NewReader(file)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer dec.Close()
-	js := json.NewDecoder(dec)
-	err = js.Decode(&testSet)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	os.Setenv("MINIO_KMS_MASTER_KEY", "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574")
-	defer os.Setenv("MINIO_KMS_MASTER_KEY", "")
-	GlobalKMS, err = crypto.NewKMS(crypto.KMSConfig{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	var dst [32]byte
-	for i := range testSet {
-		t.Run(fmt.Sprint("case-", i), func(t *testing.T) {
-			test := &testSet[i]
-			_, err := decryptObjectInfo(dst[:], test.Bucket, test.Name, test.UserDef)
-			if err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
-}
-
-func Benchmark_decryptObjectInfo(b *testing.B) {
-	var testSet []struct {
-		Bucket  string
-		Name    string
-		UserDef map[string]string
-	}
-	file, err := os.Open("testdata/decryptObjectInfo.json.zst")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer file.Close()
-	dec, err := zstd.NewReader(file)
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer dec.Close()
-	js := json.NewDecoder(dec)
-	err = js.Decode(&testSet)
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	os.Setenv("MINIO_KMS_MASTER_KEY", "my-minio-key:6368616e676520746869732070617373776f726420746f206120736563726574")
-	defer os.Setenv("MINIO_KMS_MASTER_KEY", "")
-	GlobalKMS, err = crypto.NewKMS(crypto.KMSConfig{})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	b.ReportAllocs()
-	b.ResetTimer()
-	b.SetBytes(int64(len(testSet)))
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			var dst [32]byte
-			for i := range testSet {
-				test := &testSet[i]
-				_, err := decryptObjectInfo(dst[:], test.Bucket, test.Name, test.UserDef)
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		}
-	})
-}