From 2efd29a63635444d0ecd9a81d119e9f4efe8714f Mon Sep 17 00:00:00 2001
From: Keenan Nemetz
Date: Thu, 27 Jun 2024 11:07:28 -0700
Subject: [PATCH] fix: Keyring output (#2784)

## Relevant issue(s)
Resolves #2759
Resolves #2758
Resolves #2757
## Description
This PR adds more logs to the keyring to improve the user experience.
## Tasks
- [x] I made sure the code is well commented, particularly hard-to-understand areas.
- [x] I made sure the repository-held documentation is changed accordingly.
- [x] I made sure the pull request title adheres to the conventional commit style (the subset used in the project can be found in [tools/configs/chglog/config.yml](tools/configs/chglog/config.yml)).
- [x] I made sure to discuss its limitations such as threats to validity, vulnerability to mistake and misuse, robustness to invalidation of assumptions, resource requirements, ...
## How has this been tested?
- unit test
Specify the platform(s) on which this was tested:
- MacOS
---
 cli/keyring.go | 16 +++++++++-
 cli/keyring_generate.go | 32 +++++++++++++------
 cli/keyring_generate_test.go | 16 ++++++++++
 cli/utils.go | 6 +++-
 .../website/references/cli/defradb_keyring.md | 14 ++++++++
 .../cli/defradb_keyring_generate.md | 7 +++-
 6 files changed, 79 insertions(+), 12 deletions(-)
diff --git a/cli/keyring.go b/cli/keyring.go
index c60440ccc9..a905ce190b 100644
--- a/cli/keyring.go
+++ b/cli/keyring.go
@@ -19,7 +19,21 @@ func MakeKeyringCommand() *cobra.Command {
 		Use: "keyring",
 		Short: "Manage DefraDB private keys",
 		Long: `Manage DefraDB private keys.
-Generate, import, and export private keys.`,
+Generate, import, and export private keys.
+
+The following keys are loaded from the keyring on start:
+  peer-key: Ed25519 private key (required)
+  encryption-key: AES-128, AES-192, or AES-256 key (optional)
+
+To randomly generate the required keys, run the following command:
+  defradb keyring generate
+
+To import externally generated keys, run the following command:
+  defradb keyring import
+
+To learn more about the available options:
+  defradb keyring --help
+`,
 	}
 	return cmd
 }
diff --git a/cli/keyring_generate.go b/cli/keyring_generate.go
index f9e073d0d5..34209671a5 100644
--- a/cli/keyring_generate.go
+++ b/cli/keyring_generate.go
@@ -17,12 +17,14 @@ import (
 )
 
 func MakeKeyringGenerateCommand() *cobra.Command {
-	var noEncryption bool
+	var noEncryptionKey bool
+	var noPeerKey bool
 	var cmd = &cobra.Command{
 		Use: "generate",
 		Short: "Generate private keys",
 		Long: `Generate private keys.
 Randomly generate and store private keys in the keyring.
+By default peer and encryption keys will be generated.
 
 WARNING: This will overwrite existing keys in the keyring.
 
@@ -32,6 +34,9 @@ Example:
 Example: with no encryption key
   defradb keyring generate --no-encryption-key
 
+Example: with no peer key
+  defradb keyring generate --no-peer-key
+
 Example: with system keyring
   defradb keyring generate --keyring-backend system`,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -39,8 +44,7 @@ Example: with system keyring
 			if err != nil {
 				return err
 			}
-			if !noEncryption {
-				// generate optional encryption key
+			if !noEncryptionKey {
 				encryptionKey, err := crypto.GenerateAES256()
 				if err != nil {
 					return err
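Review bot: The new `Long` text in `MakeKeyringCommand` labels the peer key `(required)` on start, yet the `Example: with no peer key` added to `MakeKeyringGenerateCommand`'s `Long` in this same patch gives no hint that a keyring produced that way is, by that label, incomplete. If the required/optional labels are accurate, the example (and the `--no-peer-key` flag help added in the later hunk of the same file) should say what the user then has to do, e.g. `Example: with no peer key (a peer key must be imported before the node will start)`; if they are not accurate, the `(required)` label should go. I cannot see the start-up code that loads these keys, so which of the two applies needs to be confirmed against it. Note that the help text is duplicated verbatim in docs/website/references/cli/defradb_keyring.md and defradb_keyring_generate.md, so any wording change must be made in both places.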
@@ -49,15 +53,25 @@ Example: with system keyring
 				if err != nil {
 					return err
 				}
+				log.Info("generated encryption key")
 			}
-			peerKey, err := crypto.GenerateEd25519()
-			if err != nil {
-				return err
+			if !noPeerKey {
+				peerKey, err := crypto.GenerateEd25519()
+				if err != nil {
+					return err
+				}
+				err = keyring.Set(peerKeyName, peerKey)
+				if err != nil {
+					return err
+				}
+				log.Info("generated peer key")
 			}
-			return keyring.Set(peerKeyName, peerKey)
+			return nil
 		},
 	}
-	cmd.Flags().BoolVar(&noEncryption, "no-encryption-key", false,
-		"Skip generating an encryption. Encryption at rest will be disabled")
+	cmd.Flags().BoolVar(&noEncryptionKey, "no-encryption-key", false,
+		"Skip generating an encryption key. Encryption at rest will be disabled")
+	cmd.Flags().BoolVar(&noPeerKey, "no-peer-key", false,
+		"Skip generating a peer key.")
 	return cmd
 }
diff --git a/cli/keyring_generate_test.go b/cli/keyring_generate_test.go
index 672760c2ef..b29446bd15 100644
--- a/cli/keyring_generate_test.go
+++ b/cli/keyring_generate_test.go
@@ -50,3 +50,19 @@ func TestKeyringGenerateNoEncryptionKey(t *testing.T) {
 	assert.NoFileExists(t, filepath.Join(rootdir, "keys", encryptionKeyName))
 	assert.FileExists(t, filepath.Join(rootdir, "keys", peerKeyName))
 }
+
+func TestKeyringGenerateNoPeerKey(t *testing.T) {
+	rootdir := t.TempDir()
+	readPassword = func(_ *cobra.Command, _ string) ([]byte, error) {
+		return []byte("secret"), nil
+	}
+
+	cmd := NewDefraCommand()
+	cmd.SetArgs([]string{"keyring", "generate", "--no-peer-key", "--rootdir", rootdir})
+
+	err := cmd.Execute()
+	require.NoError(t, err)
+
+	assert.FileExists(t, filepath.Join(rootdir, "keys", encryptionKeyName))
+	assert.NoFileExists(t, filepath.Join(rootdir, "keys", peerKeyName))
+}
diff --git a/cli/utils.go b/cli/utils.go
index ed98fb0f30..d1ee09962b 100644
--- a/cli/utils.go
+++ b/cli/utils.go
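Review bot: With both new flags set, `RunE` now skips both branches and reaches the new `return nil` without generating anything and without emitting either of the new `log.Info` lines, so `defradb keyring generate --no-encryption-key --no-peer-key` succeeds silently while the user's keyring is left exactly as it was (including any key the `Long` text warns about overwriting). The two flags are mutually exclusive in effect, so declare them as such right after the two `BoolVar` registrations: `cmd.MarkFlagsMutuallyExclusive("no-encryption-key", "no-peer-key")` — cobra then rejects the combination with a clear error instead of a no-op. The new test file covers each flag on its own; a third case asserting that `cmd.Execute()` fails when both are passed would pin this. The start of `RunE`, including the `openKeyring` call that the context line `if err != nil` refers to, lies outside this hunk.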
@@ -181,9 +181,13 @@ func setContextRootDir(cmd *cobra.Command) error {
 // openKeyring opens the keyring for the current environment.
 func openKeyring(cmd *cobra.Command) (keyring.Keyring, error) {
 	cfg := mustGetContextConfig(cmd)
-	if cfg.Get("keyring.backend") == "system" {
+	backend := cfg.Get("keyring.backend")
+	if backend == "system" {
 		return keyring.OpenSystemKeyring(cfg.GetString("keyring.namespace")), nil
 	}
+	if backend != "file" {
+		log.Info("keyring defaulted to file backend")
+	}
 	path := cfg.GetString("keyring.path")
 	if err := os.MkdirAll(path, 0755); err != nil {
 		return nil, err
diff --git a/docs/website/references/cli/defradb_keyring.md b/docs/website/references/cli/defradb_keyring.md
index e650592529..ef091ef233 100644
--- a/docs/website/references/cli/defradb_keyring.md
+++ b/docs/website/references/cli/defradb_keyring.md
@@ -7,6 +7,20 @@ Manage DefraDB private keys
 Manage DefraDB private keys.
 Generate, import, and export private keys.
 
+The following keys are loaded from the keyring on start:
+  peer-key: Ed25519 private key (required)
+  encryption-key: AES-128, AES-192, or AES-256 key (optional)
+
+To randomly generate the required keys, run the following command:
+  defradb keyring generate
+
+To import externally generated keys, run the following command:
+  defradb keyring import
+
+To learn more about the available options:
+  defradb keyring --help
+
+
 ### Options
 
 ```
diff --git a/docs/website/references/cli/defradb_keyring_generate.md b/docs/website/references/cli/defradb_keyring_generate.md
index ab8ce5ad88..5f58c61369 100644
--- a/docs/website/references/cli/defradb_keyring_generate.md
+++ b/docs/website/references/cli/defradb_keyring_generate.md
@@ -6,6 +6,7 @@ Generate private keys
 
 Generate private keys.
 Randomly generate and store private keys in the keyring.
+By default peer and encryption keys will be generated.
 
 WARNING: This will overwrite existing keys in the keyring.
 
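Review bot: The new `if backend != "file"` branch in `openKeyring` treats a mistyped or unsupported backend (say `keyring.backend: systm`) the same as an unset one: it logs `keyring defaulted to file backend` at Info level and carries on with the file backend, so an operator who intended the system keyring silently gets private keys written to disk instead. Only the genuinely-unset case should fall through; anything else that is not `"file"` should be rejected, e.g. `if backend != nil && backend != "" && backend != "file" { return nil, fmt.Errorf("unknown keyring backend %q", backend) }` placed before the existing log line (the return type of `cfg.Get` isn't visible here; if it is a plain string the `nil` comparison can be dropped, and `fmt` may need importing). Separately, the context line below creates the key directory with `0755`; the modes of the key files themselves are not in view, but a directory that only ever holds private keys would conventionally be `0700`. The rest of `openKeyring` continues past the end of this hunk.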
@@ -15,6 +16,9 @@ Example:
 Example: with no encryption key
   defradb keyring generate --no-encryption-key
 
+Example: with no peer key
+  defradb keyring generate --no-peer-key
+
 Example: with system keyring
   defradb keyring generate --keyring-backend system
 
@@ -26,7 +30,8 @@ defradb keyring generate [flags]
 
 ```
   -h, --help                help for generate
-      --no-encryption-key   Skip generating an encryption. Encryption at rest will be disabled
+      --no-encryption-key   Skip generating an encryption key. Encryption at rest will be disabled
+      --no-peer-key         Skip generating a peer key.
 ```
 
 ### Options inherited from parent commands