
Commit caea669

committed
PG-1419 Validate key provider access
This adds some validation to make sure we can access the key provider when it's created to make the user experience a little nicer. The actual access validation is very rudimentary for now but can easily be expanded.
1 parent d711f37 commit caea669


13 files changed

+103
-6
lines changed


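--- a/contrib/pg_tde/expected/key_provider.out
+++ b/contrib/pg_tde/expected/key_provider.out
@@ -162,4 +162,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 ----+---------------
 (0 rows)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR: Failed to open keyring file /cant-create-file-in-root.per :Permission denied
 DROP EXTENSION pg_tde;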

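--- a/contrib/pg_tde/expected/key_provider_1.out
+++ b/contrib/pg_tde/expected/key_provider_1.out
@@ -166,4 +166,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -1 | reg_file-global
 (1 row)
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+ERROR: Failed to open keyring file /cant-create-file-in-root.per :Permission denied
 DROP EXTENSION pg_tde;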

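--- a/contrib/pg_tde/expected/kmip_test.out
+++ b/contrib/pg_tde/expected/kmip_test.out
@@ -34,4 +34,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+ERROR: SSL error: BIO_do_connect failed
 DROP EXTENSION pg_tde;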

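--- a/contrib/pg_tde/expected/vault_v2_test.out
+++ b/contrib/pg_tde/expected/vault_v2_test.out
@@ -51,4 +51,7 @@ SELECT pg_tde_verify_key();
 (1 row)
 
 DROP TABLE test_enc;
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+ERROR: HTTP(S) request to keyring provider "will-not-work" failed
 DROP EXTENSION pg_tde;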

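--- a/contrib/pg_tde/sql/key_provider.sql
+++ b/contrib/pg_tde/sql/key_provider.sql
@@ -52,4 +52,7 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 SELECT pg_tde_delete_global_key_provider('file-keyring2');
 SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 
+-- Creating a file key provider fails if we can't open or create the file
+SELECT pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per');
+
 DROP EXTENSION pg_tde;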
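Review bot: The negative test `pg_tde_add_database_key_provider_file('will-not-work','/cant-create-file-in-root.per')` only fails as expected when the server's OS user cannot create files in `/`, and the expected output pins the strerror text `Permission denied`. On a read-only root filesystem the message would likely differ, and in an unusually permissive test container the call could succeed and leave a keyring file in `/`. A path whose parent directory does not exist would make the failure independent of host permissions, with the expected output updated to match. The kmip and vault tests in this commit make a similar assumption that nothing is listening on 127.0.0.1:61.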

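--- a/contrib/pg_tde/sql/kmip_test.sql
+++ b/contrib/pg_tde/sql/kmip_test.sql
@@ -19,4 +19,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to kmip server
+SELECT pg_tde_add_database_key_provider_kmip('will-not-work','127.0.0.1', 61, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
+
 DROP EXTENSION pg_tde;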

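--- a/contrib/pg_tde/sql/vault_v2_test.sql
+++ b/contrib/pg_tde/sql/vault_v2_test.sql
@@ -31,4 +31,7 @@ SELECT pg_tde_verify_key();
 
 DROP TABLE test_enc;
 
+-- Creating provider fails if we can't connect to vault
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token', 'http://127.0.0.1:61', 'secret', NULL);
+
 DROP EXTENSION pg_tde;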

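--- a/contrib/pg_tde/src/catalog/tde_keyring.c
+++ b/contrib/pg_tde/src/catalog/tde_keyring.c
@@ -473,6 +473,8 @@ check_provider_record(KeyringProviderRecord *provider_record)
 errmsg("Invalid provider options."));
 }
 
+KeyringValidate(provider);
+
 pfree(provider);
 }
 
@@ -562,9 +564,9 @@ save_new_key_provider_info(KeyringProviderRecord *provider, Oid databaseId, bool
 close(fd);
 
 /*
-* TODO: Should we use overflow aware integer math here? (and then also not
-* blindly do abs() on something that might be INT_MIN above). It would be
-* overkill to do that, wouldn't it?
+* TODO: Should we use overflow aware integer math here? (and then also
+* not blindly do abs() on something that might be INT_MIN above). It
+* would be overkill to do that, wouldn't it?
 */
 new_provider_id = max_provider_id + 1;
 provider->provider_id = (databaseId == GLOBAL_DATA_TDE_OID ? -new_provider_id : new_provider_id);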
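Review bot: The added `KeyringValidate(provider);` in check_provider_record makes provider creation touch a caller-supplied file path or network endpoint, and the expected outputs in this commit show the result (`Permission denied`, `BIO_do_connect failed`) going back to the SQL caller. Anyone allowed to call the add-provider functions can therefore learn about server-side file permissions and network reachability, so it is worth confirming that EXECUTE on those functions is limited to trusted roles; the grants are not visible on this page. I would put a comment above the call, for example `/* Probe the provider now so a bad path or unreachable server is rejected at creation time. */`. If validation reports failure through ereport(ERROR), as the void return suggests, `pfree(provider)` is skipped and the allocation is left to memory-context cleanup. check_provider_record begins outside the hunk.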

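--- a/contrib/pg_tde/src/include/keyring/keyring_api.h
+++ b/contrib/pg_tde/src/include/keyring/keyring_api.h
@@ -61,6 +61,7 @@ typedef struct TDEKeyringRoutine
 {
 KeyInfo *(*keyring_get_key) (GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 void (*keyring_store_key) (GenericKeyring *keyring, KeyInfo *key);
+void (*keyring_validate) (GenericKeyring *keyring);
 } TDEKeyringRoutine;
 
 typedef struct FileKeyring
@@ -91,5 +92,6 @@ extern void RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderTy
 
 extern KeyInfo *KeyringGetKey(GenericKeyring *keyring, const char *key_name, KeyringReturnCodes *returnCode);
 extern KeyInfo *KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, unsigned key_len);
+extern void KeyringValidate(GenericKeyring *keyring);
 
 #endif /* KEYRING_API_H */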
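Review bot: The new `keyring_validate` member of TDEKeyringRoutine has no comment stating its contract, and because it returns `void` the header does not tell an implementer how a failed check is to be reported. I would add above it `/* Check that the provider can be accessed; raise ERROR on failure, return normally on success. */`, and a matching one-line comment on the `KeyringValidate` prototype in the second hunk. That the callback raises rather than returns a status is inferred from the signature and the expected test output, so confirm the wording against the implementations. The comment should also say the member is required, since RegisterKeyProviderType asserts it is non-NULL.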

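--- a/contrib/pg_tde/src/keyring/keyring_api.c
+++ b/contrib/pg_tde/src/keyring/keyring_api.c
@@ -74,6 +74,7 @@ RegisterKeyProviderType(const TDEKeyringRoutine *routine, ProviderType type)
 Assert(routine != NULL);
 Assert(routine->keyring_get_key != NULL);
 Assert(routine->keyring_store_key != NULL);
+Assert(routine->keyring_validate != NULL);
 
 kp = find_key_provider_type(type);
 if (kp)
@@ -148,3 +149,15 @@ KeyringGenerateNewKeyAndStore(GenericKeyring *keyring, const char *key_name, uns
 
 return key;
 }
+
+void
+KeyringValidate(GenericKeyring *keyring)
+{
+RegisteredKeyProviderType *kp = find_key_provider_type(keyring->type);
+
+if (kp == NULL)
+ereport(ERROR,
+errmsg("Key provider of type %d not registered", keyring->type));
+
+kp->routine->keyring_validate(keyring);
+}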
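Review bot: `KeyringValidate` calls `kp->routine->keyring_validate(keyring)` with no runtime check, and the only guard, `Assert(routine->keyring_validate != NULL)` in RegisterKeyProviderType, is compiled out of non-assert builds. A provider type registered without the callback would then cause a NULL function-pointer call in the backend during provider creation. Before the call I would add `if (kp->routine->keyring_validate == NULL) ereport(ERROR, errmsg("Key provider of type %d does not support validation", keyring->type));`. The function also lacks a header comment; one line saying it dispatches to the registered type's validate routine and raises ERROR when the type is not registered would match what the body shows. RegisterKeyProviderType extends beyond the first hunk on both sides.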
