
Commit 08cc7d1

committed
PG-1419 Validate key provider access
This adds some validation to make sure we can access the key provider when it's created to make the user experience a little nicer. The actual access validation is very rudimentary for now but can easily be expanded.
1 parent 94d63db commit 08cc7d1


13 files changed

+114
-10
lines changed


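--- a/contrib/pg_tde/expected/key_provider.out
+++ b/contrib/pg_tde/expected/key_provider.out
@@ -160,4 +160,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -1 | file-keyring
 (1 row)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR: Failed to open keyring file /cant-create-file-in-root.per: Permission denied
 DROP EXTENSION pg_tde;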

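--- a/contrib/pg_tde/expected/key_provider_1.out
+++ b/contrib/pg_tde/expected/key_provider_1.out
@@ -164,4 +164,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -2 | file-keyring
 (2 rows)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR: Failed to open keyring file /cant-create-file-in-root.per: Permission denied
 DROP EXTENSION pg_tde;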

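--- a/contrib/pg_tde/expected/kmip_test.out
+++ b/contrib/pg_tde/expected/kmip_test.out
@@ -34,4 +34,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+ERROR: SSL error: BIO_do_connect failed
 DROP EXTENSION pg_tde;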
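Review bot: The expected line `ERROR: SSL error: BIO_do_connect failed` pins the wording of an OpenSSL-level failure on a closed port, and that text presumably varies between OpenSSL versions and between a refused connection and a timeout, so this expectation looks like a likely source of spurious test failures. A more stable check would have the KMIP provider wrap the connect failure in its own message, the way the vault case reports `HTTP(S) request to keyring provider "will-not-work" failed`, so the .out file does not depend on library-specific text.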

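--- a/contrib/pg_tde/expected/vault_v2_test.out
+++ b/contrib/pg_tde/expected/vault_v2_test.out
@@ -1,14 +1,11 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
 \getenv root_token ROOT_TOKEN
 SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
-pg_tde_add_database_key_provider_vault_v2
--------------------------------------------
-1
-(1 row)
-
+ERROR: Listing secrets of "http://127.0.0.1:8200" at mountpoint "DUMMY-TOKEN" failed
 -- FAILS
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect');
-ERROR: Invalid HTTP response from keyring provider "vault-incorrect": 404
+ERROR: key provider "vault-incorrect" does not exists
+HINT: Create the key provider
 CREATE TABLE test_enc(
 id SERIAL,
 k INTEGER DEFAULT '0' NOT NULL,
@@ -19,7 +16,7 @@ HINT: create one using pg_tde_set_key before using encrypted tables
 SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL);
 pg_tde_add_database_key_provider_vault_v2
 -------------------------------------------
-2
+1
 (1 row)
 
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2');
@@ -51,4 +48,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+ERROR: HTTP(S) request to keyring provider "will-not-work" failed
 DROP EXTENSION pg_tde;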

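--- a/contrib/pg_tde/sql/key_provider.sql
+++ b/contrib/pg_tde/sql/key_provider.sql
@@ -52,4 +52,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 SELECT pg_tde_delete_global_key_provider('file-keyring2');
 SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+
 DROP EXTENSION pg_tde;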

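--- a/contrib/pg_tde/sql/kmip_test.sql
+++ b/contrib/pg_tde/sql/kmip_test.sql
@@ -19,4 +19,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+
 DROP EXTENSION pg_tde;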

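--- a/contrib/pg_tde/sql/vault_v2_test.sql
+++ b/contrib/pg_tde/sql/vault_v2_test.sql
@@ -31,4 +31,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+
 DROP EXTENSION pg_tde;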

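--- a/contrib/pg_tde/src/catalog/tde_keyring.c
+++ b/contrib/pg_tde/src/catalog/tde_keyring.c
@@ -472,6 +472,8 @@ check_provider_record(KeyringProviderRecord *provider_record)
 errmsg("Invalid provider options."));
 }
 
+KeyringValidate(provider);
+
 pfree(provider);
 }
 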
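Review bot: `KeyringValidate(provider);` is placed directly before `pfree(provider);` and, judging from the new expected outputs, raises ERROR when the provider is unreachable, so the pfree is skipped on that path; that is only harmless because the error unwind resets the memory context, and a one-line comment would spare the next reader the question: `/* Raises ERROR if the provider backend is not accessible; provider is reclaimed by the context reset on abort. */`. check_provider_record starts outside the hunk, so it is not visible here whether the catalog record is inserted before or after this call; validation only acts as a gate if it runs before the insert, which is worth confirming.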

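--- a/contrib/pg_tde/src/include/keyring/keyring_api.h
+++ b/contrib/pg_tde/src/include/keyring/keyring_api.h
@@ -61,6 +61,7 @@ typedef struct TDEKeyringRoutine
 {
 KeyInfo *(*keyring_get_key) (GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 void (*keyring_store_key) (GenericKeyring *keyring, KeyInfo *key);
+void (*keyring_validate) (GenericKeyring *keyring);
 } TDEKeyringRoutine;
 
 typedef struct FileKeyring
@@ -91,5 +92,6 @@ extern void RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderTy
 
 extern KeyInfo *KeyringGetKey(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 extern KeyInfo *KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, unsigned key_len);
+extern void KeyringValidate(GenericKeyring *keyring);
 
 #endif /* KEYRING_API_H */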
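Review bot: The new `keyring_validate` member of TDEKeyringRoutine carries no comment stating its contract, and unlike `keyring_get_key` it returns nothing and takes no `KeyringReturnCodes *`, so the only way a failure can be reported is apparently an ERROR raised inside the callback (the new expected outputs point that way). A comment above the member such as `/* Check that the provider backend is reachable. Mandatory; must ereport(ERROR) on failure, there is no return code. */` would make that explicit for anyone implementing a provider. The same note belongs on the `KeyringValidate` declaration in the second hunk.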

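--- a/contrib/pg_tde/src/keyring/keyring_api.c
+++ b/contrib/pg_tde/src/keyring/keyring_api.c
@@ -74,6 +74,7 @@ RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderType type)
 Assert(routine != NULL);
 Assert(routine->keyring_get_key != NULL);
 Assert(routine->keyring_store_key != NULL);
+Assert(routine->keyring_validate != NULL);
 
 kp = find_key_provider_type(type);
 if (kp)
@@ -148,3 +149,15 @@ KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, uns
 
 return key;
 }
+
+void
+KeyringValidate(GenericKeyring *keyring)
+{
+RegisteredKeyProviderType *kp = find_key_provider_type(keyring->type);
+
+if (kp == NULL)
+ereport(ERROR,
+errmsg("Key provider of type %d not registered", keyring->type));
+
+kp->routine->keyring_validate(keyring);
+}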
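Review bot: `Assert(routine->keyring_validate != NULL)` in RegisterKeyProviderType is compiled out in non-assert builds, so a provider type registered without the new callback would reach `kp->routine->keyring_validate(keyring);` at the end of KeyringValidate and call through a null pointer; whether any such registration exists is not visible here, but the cost of a guard is small: `if (kp->routine->keyring_validate == NULL) ereport(ERROR, errmsg("Key provider of type %d has no validation routine", keyring->type));`. The `ereport(ERROR, errmsg(...))` for the unregistered type has no errcode, so it is reported as an internal error; `errcode(ERRCODE_INVALID_PARAMETER_VALUE)` would classify it as bad input instead. A header comment on the new function, e.g. `/* Ask the provider to check that its backend is reachable; raises ERROR on failure or if the type is not registered. */`, would document what callers should expect, since the function has no return value.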
