b3a8abf24a
Adding the openbao-monitor code pulled from the openbao-manager-go repo found here: https://github.com/michel-thebeau-WR/openbao-manager-go git related files have been trimmed off. Partial-bug: 2117422 Change-Id: I1a27ab4a4d0b68810d97c86e2930dd482a11d0cb Signed-off-by: Tae Park <tae.park@windriver.com>
95 lines
2.8 KiB
Go
95 lines
2.8 KiB
Go
package baoCommands
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"strings"
|
|
|
|
baoConfig "github.com/michel-thebeau-WR/openbao-manager-go/baomon/config"
|
|
openbao "github.com/openbao/openbao/api/v2"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
// A single instance of unseal.
|
|
func tryUnseal(keyShard baoConfig.KeyShards, client *openbao.Client) (*openbao.SealStatusResponse, error) {
|
|
slog.Debug("Attempting unseal...")
|
|
key := keyShard.Key
|
|
UnsealResult, err := client.Sys().Unseal(key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error with unseal call: %v", err)
|
|
}
|
|
slog.Debug("Unseal attempt successful")
|
|
return UnsealResult, nil
|
|
}
|
|
|
|
// run unseal on all keys associated with dnshost until unsealed.
|
|
func runUnseal(dnshost string, client *openbao.Client) (*openbao.SealStatusResponse, error) {
|
|
slog.Debug(fmt.Sprintf("Attempting to run unseal on host %v", dnshost))
|
|
|
|
slog.Debug("Checking if openbao is already unsealed")
|
|
healthResult, err := checkHealth(dnshost, client)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !healthResult.Sealed {
|
|
return nil, fmt.Errorf("openbao server on host %v is already unsealed", dnshost)
|
|
}
|
|
|
|
tryCount := 1
|
|
for keyName, keyShard := range globalConfig.UnsealKeyShards {
|
|
// Don't use recovery keys
|
|
if !strings.Contains(keyName, "recovery") {
|
|
slog.Debug(fmt.Sprintf("Unseal attempt %v", tryCount))
|
|
UnsealResult, err := tryUnseal(keyShard, client)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !UnsealResult.Sealed {
|
|
slog.Debug("Unseal complete.")
|
|
return UnsealResult, nil
|
|
}
|
|
slog.Debug(fmt.Sprintf("Openbao still sealed: threshold %v, progress %v", UnsealResult.T, UnsealResult.Progress))
|
|
tryCount++
|
|
}
|
|
}
|
|
|
|
return nil, fmt.Errorf("exhausted all non-recovery keys associated with %v", dnshost)
|
|
}
|
|
|
|
var unsealCmd = &cobra.Command{
|
|
Use: "unseal DNSHost",
|
|
Short: "Unseal openbao",
|
|
Long: `Unseal openbao server hosted on DNSHost. It will use all
|
|
non-recovery keys with its name on it to unseal.`,
|
|
Args: cobra.ExactArgs(1),
|
|
PersistentPreRunE: setupCmd,
|
|
PersistentPostRunE: cleanCmd,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
slog.Debug(fmt.Sprintf("Action: unseal %v", args[0]))
|
|
|
|
cmd.SilenceUsage = true
|
|
newClient, err := globalConfig.SetupClient(args[0])
|
|
if err != nil {
|
|
return fmt.Errorf("openbao unseal failed with error: %v", err)
|
|
}
|
|
UnsealResult, err := runUnseal(args[0], newClient)
|
|
if err != nil {
|
|
return fmt.Errorf("openbao unseal failed with error: %v", err)
|
|
}
|
|
|
|
UnsealPrint, err := json.MarshalIndent(UnsealResult, "", " ")
|
|
if err != nil {
|
|
return fmt.Errorf("unable to marshal unseal result: %v", err)
|
|
}
|
|
slog.Debug(fmt.Sprintf("Unseal successful. Result: %v", string(UnsealPrint)))
|
|
slog.Info(fmt.Sprintf("Unseal successful for host %v", args[0]))
|
|
|
|
return nil
|
|
},
|
|
}
|
|
|
|
func init() {
|
|
RootCmd.AddCommand(unsealCmd)
|
|
}
|