mirrors/redoctober
1
0
Fork 0
mirror of https://github.com/cloudflare/redoctober.git synced 2026-01-07 05:56:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Address @jkroll-cf's feedback on keycache interface.

Browse Source 
+ persistLabels moved from cryptor to persist package global.
+ Restore now explicitly checks for the case where there aren't enough
  shares to return `ErrRestoreDelegations`.
+ The users responsible for restoring the cache are now logged.
This commit is contained in:
Kyle Isom
2016-08-05 09:09:41 -07:00
parent 510b7ba9f6
commit 5396cdc899
4 changed files with 35 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
cryptor/cryptor.go
View File

@@ -12,8 +12,10 @@ import (
"crypto/sha1"
"encoding/json"
"errors"
"log"
"sort"
"strconv"
"strings"
"github.com/cloudflare/redoctober/config"
"github.com/cloudflare/redoctober/keycache"
@@ -705,8 +707,6 @@ func (c *Cryptor) DelegateStatus(name string, labels, admins []string) (adminsDe
return c.cache.DelegateStatus(name, labels, admins)
}
var persistLabels = []string{"restore"}
// store serialises the key cache, encrypts it, and writes it to disk.
func (c *Cryptor) store() error {
// If the store isn't currently active, we shouldn't attempt
@@ -726,7 +726,7 @@ func (c *Cryptor) store() error {
Predicate: c.persist.Policy(),
}
cache, err = c.Encrypt(cache, persistLabels, access)
cache, err = c.Encrypt(cache, persist.Labels, access)
if err != nil {
return err
}
@@ -747,19 +747,25 @@ func (c *Cryptor) Restore(name, password string, uses int, slot, durationString
return errors.New("Missing user on disk")
}
err := c.persist.Delegate(record, name, password, c.persist.Users(), persistLabels, uses, slot, durationString)
err := c.persist.Delegate(record, name, password, c.persist.Users(), persist.Labels, uses, slot, durationString)
if err != nil {
return err
}
// A failure to decrypt isn't an error, it just means there
// aren't enough delegations yet; the sentinal value
// ErrRestoreDelegations is returned to indicate this.
cache, _, _, _, err := c.decrypt(c.persist.Cache(), c.persist.Blob(), name)
// A failure to decrypt isn't a restore error, it (most often)
// just means there aren't enough delegations yet; the
// sentinal value ErrRestoreDelegations is returned to
// indicate this. However, the error
cache, _, names, _, err := c.decrypt(c.persist.Cache(), c.persist.Blob(), name)
if err != nil {
return ErrRestoreDelegations
if err == msp.ErrNotEnoughShares {
return ErrRestoreDelegations
}
return err
}
log.Printf("cryptor.restore success: names=%s", strings.Join(names, ","))
var uk map[string]keycache.ActiveUser
err = json.Unmarshal(cache, &uk)
if err != nil {

5
cryptor/cryptor_test.go
View File

@@ -293,6 +293,11 @@ func TestRestore(t *testing.T) {
persist.Inactive, status.State)
}
err = c.Restore("Carl", "weakpassword", 0, "", "0h")
if err != ErrRestoreDelegations {
t.Fatal(err)
}
err = c.Restore("Bob", "weakpassword", 2, "", "1h")
if err != nil {
t.Fatal(err)