Key management admin commands

src/admin_rpc.rs

@@ -12,6 +12,7 @@ use crate::rpc::rpc_client::*;
 use crate::rpc::rpc_server::*;
 
 use crate::store::bucket_table::*;
+use crate::store::key_table::*;
 use crate::store::repair::Repair;
 
 use crate::*;
@@ -29,6 +30,8 @@ pub enum AdminRPC {
 	Ok(String),
 	BucketList(Vec<String>),
 	BucketInfo(Bucket),
+	KeyList(Vec<(String, String)>),
+	KeyInfo(Key),
 }
 
 impl RpcMessage for AdminRPC {}
@@ -72,19 +75,8 @@ impl AdminRpcHandler {
 				Ok(AdminRPC::BucketList(bucket_names))
 			}
 			BucketOperation::Info(query) => {
-				let bucket = self
-					.garage
-					.bucket_table
-					.get(&EmptyKey, &query.name)
-					.await?
-					.filter(|b| !b.deleted);
-				match bucket {
-					Some(b) => Ok(AdminRPC::BucketInfo(b)),
-					None => Err(Error::BadRequest(format!(
-						"Bucket {} not found",
-						query.name
-					))),
-				}
+				let bucket = self.get_existing_bucket(&query.name).await?;
+				Ok(AdminRPC::BucketInfo(bucket))
 			}
 			BucketOperation::Create(query) => {
 				let bucket = self.garage.bucket_table.get(&EmptyKey, &query.name).await?;
@@ -105,21 +97,7 @@ impl AdminRpcHandler {
 				Ok(AdminRPC::Ok(format!("Bucket {} was created.", query.name)))
 			}
 			BucketOperation::Delete(query) => {
-				let bucket = match self
-					.garage
-					.bucket_table
-					.get(&EmptyKey, &query.name)
-					.await?
-					.filter(|b| !b.deleted)
-				{
-					None => {
-						return Err(Error::BadRequest(format!(
-							"Bucket {} does not exist",
-							query.name
-						)));
-					}
-					Some(b) => b,
-				};
+				let bucket = self.get_existing_bucket(&query.name).await?;
 				let objects = self
 					.garage
 					.object_table
@@ -136,6 +114,17 @@ impl AdminRpcHandler {
 						"Add --yes flag to really perform this operation"
 					)));
 				}
+				// --- done checking, now commit ---
+				for ak in bucket.authorized_keys() {
+					if let Some(key) = self.garage.key_table.get(&EmptyKey, &ak.key_id).await? {
+						if !key.deleted {
+							self.update_key_bucket(key, &bucket.name, false, false)
+								.await?;
+						}
+					} else {
+						return Err(Error::Message(format!("Key not found: {}", ak.key_id)));
+					}
+				}
 				self.garage
 					.bucket_table
 					.insert(&Bucket::new(
@@ -147,15 +136,172 @@ impl AdminRpcHandler {
 					.await?;
 				Ok(AdminRPC::Ok(format!("Bucket {} was deleted.", query.name)))
 			}
-			_ => {
-				// TODO
-				Err(Error::Message(format!("Not implemented")))
+			BucketOperation::Allow(query) => {
+				let key = self.get_existing_key(&query.key_id).await?;
+				let bucket = self.get_existing_bucket(&query.bucket).await?;
+				let allow_read = query.read || key.allow_read(&query.bucket);
+				let allow_write = query.write || key.allow_write(&query.bucket);
+				self.update_key_bucket(key, &query.bucket, allow_read, allow_write)
+					.await?;
+				self.update_bucket_key(bucket, &query.key_id, allow_read, allow_write)
+					.await?;
+				Ok(AdminRPC::Ok(format!(
+					"New permissions for {} on {}: read {}, write {}.",
+					&query.key_id, &query.bucket, allow_read, allow_write
+				)))
+			}
+			BucketOperation::Deny(query) => {
+				let key = self.get_existing_key(&query.key_id).await?;
+				let bucket = self.get_existing_bucket(&query.bucket).await?;
+				let allow_read = !query.read && key.allow_read(&query.bucket);
+				let allow_write = !query.write && key.allow_write(&query.bucket);
+				self.update_key_bucket(key, &query.bucket, allow_read, allow_write)
+					.await?;
+				self.update_bucket_key(bucket, &query.key_id, allow_read, allow_write)
+					.await?;
+				Ok(AdminRPC::Ok(format!(
+					"New permissions for {} on {}: read {}, write {}.",
+					&query.key_id, &query.bucket, allow_read, allow_write
+				)))
 			}
 		}
 	}
 
 	async fn handle_key_cmd(&self, cmd: KeyOperation) -> Result<AdminRPC, Error> {
-		Err(Error::Message(format!("Not implemented")))
+		match cmd {
+			KeyOperation::List => {
+				let key_ids = self
+					.garage
+					.key_table
+					.get_range(&EmptyKey, None, Some(()), 10000)
+					.await?
+					.iter()
+					.map(|k| (k.key_id.to_string(), k.name.to_string()))
+					.collect::<Vec<_>>();
+				Ok(AdminRPC::KeyList(key_ids))
+			}
+			KeyOperation::Info(query) => {
+				let key = self.get_existing_key(&query.key_id).await?;
+				Ok(AdminRPC::KeyInfo(key))
+			}
+			KeyOperation::New(query) => {
+				let key = Key::new(query.name, vec![]);
+				self.garage.key_table.insert(&key).await?;
+				Ok(AdminRPC::KeyInfo(key))
+			}
+			KeyOperation::Rename(query) => {
+				let mut key = self.get_existing_key(&query.key_id).await?;
+				key.name_timestamp = std::cmp::max(key.name_timestamp + 1, now_msec());
+				key.name = query.new_name;
+				self.garage.key_table.insert(&key).await?;
+				Ok(AdminRPC::KeyInfo(key))
+			}
+			KeyOperation::Delete(query) => {
+				let key = self.get_existing_key(&query.key_id).await?;
+				if !query.yes {
+					return Err(Error::BadRequest(format!(
+						"Add --yes flag to really perform this operation"
+					)));
+				}
+				// --- done checking, now commit ---
+				for ab in key.authorized_buckets().iter() {
+					if let Some(bucket) =
+						self.garage.bucket_table.get(&EmptyKey, &ab.bucket).await?
+					{
+						if !bucket.deleted {
+							self.update_bucket_key(bucket, &key.key_id, false, false)
+								.await?;
+						}
+					} else {
+						return Err(Error::Message(format!("Bucket not found: {}", ab.bucket)));
+					}
+				}
+				let del_key = Key::delete(key.key_id);
+				self.garage.key_table.insert(&del_key).await?;
+				Ok(AdminRPC::Ok(format!(
+					"Key {} was deleted successfully.",
+					query.key_id
+				)))
+			}
+		}
+	}
+
+	async fn get_existing_bucket(&self, bucket: &String) -> Result<Bucket, Error> {
+		self.garage
+			.bucket_table
+			.get(&EmptyKey, bucket)
+			.await?
+			.filter(|b| !b.deleted)
+			.map(Ok)
+			.unwrap_or(Err(Error::BadRequest(format!(
+				"Bucket {} does not exist",
+				bucket
+			))))
+	}
+
+	async fn get_existing_key(&self, id: &String) -> Result<Key, Error> {
+		self.garage
+			.key_table
+			.get(&EmptyKey, id)
+			.await?
+			.filter(|k| !k.deleted)
+			.map(Ok)
+			.unwrap_or(Err(Error::BadRequest(format!("Key {} does not exist", id))))
+	}
+
+	async fn update_bucket_key(
+		&self,
+		mut bucket: Bucket,
+		key_id: &String,
+		allow_read: bool,
+		allow_write: bool,
+	) -> Result<(), Error> {
+		let timestamp = match bucket
+			.authorized_keys()
+			.iter()
+			.find(|x| x.key_id == *key_id)
+		{
+			None => now_msec(),
+			Some(ab) => std::cmp::max(ab.timestamp + 1, now_msec()),
+		};
+		bucket.clear_keys();
+		bucket
+			.add_key(AllowedKey {
+				key_id: key_id.clone(),
+				timestamp,
+				allow_read,
+				allow_write,
+			})
+			.unwrap();
+		self.garage.bucket_table.insert(&bucket).await?;
+		Ok(())
+	}
+
+	async fn update_key_bucket(
+		&self,
+		mut key: Key,
+		bucket: &String,
+		allow_read: bool,
+		allow_write: bool,
+	) -> Result<(), Error> {
+		let timestamp = match key
+			.authorized_buckets()
+			.iter()
+			.find(|x| x.bucket == *bucket)
+		{
+			None => now_msec(),
+			Some(ab) => std::cmp::max(ab.timestamp + 1, now_msec()),
+		};
+		key.clear_buckets();
+		key.add_bucket(AllowedBucket {
+			bucket: bucket.clone(),
+			timestamp,
+			allow_read,
+			allow_write,
+		})
+		.unwrap();
+		self.garage.key_table.insert(&key).await?;
+		Ok(())
 	}
 
 	async fn handle_launch_repair(self: &Arc<Self>, opt: RepairOpt) -> Result<AdminRPC, Error> {

src/main.rs

@@ -172,7 +172,7 @@ pub struct DeleteBucketOpt {
 pub struct PermBucketOpt {
 	/// Access key ID
 	#[structopt(long = "key")]
-	pub key: String,
+	pub key_id: String,
 
 	/// Allow/deny read operations
 	#[structopt(long = "read")]
@@ -192,19 +192,53 @@ pub enum KeyOperation {
 	#[structopt(name = "list")]
 	List,
 
+	/// Get key info
+	#[structopt(name = "info")]
+	Info(KeyOpt),
+
 	/// Create new key
 	#[structopt(name = "new")]
-	New,
+	New(KeyNewOpt),
+
+	/// Rename key
+	#[structopt(name = "rename")]
+	Rename(KeyRenameOpt),
 
 	/// Delete key
 	#[structopt(name = "delete")]
 	Delete(KeyDeleteOpt),
 }
 
+#[derive(Serialize, Deserialize, StructOpt, Debug)]
+pub struct KeyOpt {
+	/// ID of the key
+	key_id: String,
+}
+
+#[derive(Serialize, Deserialize, StructOpt, Debug)]
+pub struct KeyNewOpt {
+	/// Name of the key
+	#[structopt(long = "name", default_value = "Unnamed key")]
+	name: String,
+}
+
+#[derive(Serialize, Deserialize, StructOpt, Debug)]
+pub struct KeyRenameOpt {
+	/// ID of the key
+	key_id: String,
+
+	/// New name of the key
+	new_name: String,
+}
+
 #[derive(Serialize, Deserialize, StructOpt, Debug)]
 pub struct KeyDeleteOpt {
-	/// Name of the bucket to delete
-	bucket: String,
+	/// ID of the key
+	key_id: String,
+
+	/// Confirm deletion
+	#[structopt(long = "yes")]
+	yes: bool,
 }
 
 #[derive(Serialize, Deserialize, StructOpt, Debug, Clone)]
@@ -489,6 +523,15 @@ async fn cmd_admin(
 		AdminRPC::BucketInfo(bucket) => {
 			println!("{:?}", bucket);
 		}
+		AdminRPC::KeyList(kl) => {
+			println!("List of keys:");
+			for key in kl {
+				println!("{}\t{}", key.0, key.1);
+			}
+		}
+		AdminRPC::KeyInfo(key) => {
+			println!("{:?}", key);
+		}
 		r => {
 			error!("Unexpected response: {:?}", r);
 		}

src/server.rs

@@ -19,6 +19,7 @@ use crate::table::*;
 use crate::store::block::*;
 use crate::store::block_ref_table::*;
 use crate::store::bucket_table::*;
+use crate::store::key_table::*;
 use crate::store::object_table::*;
 use crate::store::version_table::*;
 
@@ -35,6 +36,8 @@ pub struct Garage {
 	pub block_manager: Arc<BlockManager>,
 
 	pub bucket_table: Arc<Table<BucketTable, TableFullReplication>>,
+	pub key_table: Arc<Table<KeyTable, TableFullReplication>>,
+
 	pub object_table: Arc<Table<ObjectTable, TableShardedReplication>>,
 	pub version_table: Arc<Table<VersionTable, TableShardedReplication>>,
 	pub block_ref_table: Arc<Table<BlockRefTable, TableShardedReplication>>,
@@ -138,6 +141,17 @@ impl Garage {
 		)
 		.await;
 
+		info!("Initialize key_table_table...");
+		let key_table = Table::new(
+			KeyTable,
+			control_rep_param.clone(),
+			system.clone(),
+			&db,
+			"key".to_string(),
+			rpc_server,
+		)
+		.await;
+
 		info!("Initialize Garage...");
 		let garage = Arc::new(Self {
 			config,
@@ -146,6 +160,7 @@ impl Garage {
 			block_manager,
 			background,
 			bucket_table,
+			key_table,
 			object_table,
 			version_table,
 			block_ref_table,

src/store/bucket_table.rs

@@ -41,7 +41,7 @@ impl Bucket {
 	pub fn add_key(&mut self, key: AllowedKey) -> Result<(), ()> {
 		match self
 			.authorized_keys
-			.binary_search_by(|k| k.access_key_id.cmp(&key.access_key_id))
+			.binary_search_by(|k| k.key_id.cmp(&key.key_id))
 		{
 			Err(i) => {
 				self.authorized_keys.insert(i, key);
@@ -53,14 +53,17 @@ impl Bucket {
 	pub fn authorized_keys(&self) -> &[AllowedKey] {
 		&self.authorized_keys[..]
 	}
+	pub fn clear_keys(&mut self) {
+		self.authorized_keys.clear();
+	}
 }
 
 #[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
 pub struct AllowedKey {
-	pub access_key_id: String,
+	pub key_id: String,
 	pub timestamp: u64,
-	pub allowed_read: bool,
-	pub allowed_write: bool,
+	pub allow_read: bool,
+	pub allow_write: bool,
 }
 
 impl Entry<EmptyKey, String> for Bucket {
@@ -83,7 +86,7 @@ impl Entry<EmptyKey, String> for Bucket {
 		for ak in other.authorized_keys.iter() {
 			match self
 				.authorized_keys
-				.binary_search_by(|our_ak| our_ak.access_key_id.cmp(&ak.access_key_id))
+				.binary_search_by(|our_ak| our_ak.key_id.cmp(&ak.key_id))
 			{
 				Ok(i) => {
 					let our_ak = &mut self.authorized_keys[i];

src/store/key_table.rs

@@ -1,16 +1,21 @@
 use async_trait::async_trait;
 use serde::{Deserialize, Serialize};
 
+use crate::data::*;
 use crate::error::Error;
 use crate::table::*;
 
 #[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
 pub struct Key {
 	// Primary key
-	pub access_key_id: String,
+	pub key_id: String,
 
 	// Associated secret key (immutable)
-	pub secret_access_key: String,
+	pub secret_key: String,
+
+	// Name
+	pub name: String,
+	pub name_timestamp: u64,
 
 	// Deletion
 	pub deleted: bool,
@@ -20,12 +25,14 @@ pub struct Key {
 }
 
 impl Key {
-	pub fn new(buckets: Vec<AllowedBucket>) -> Self {
-		let access_key_id = format!("GK{}", hex::encode(&rand::random::<[u8; 12]>()[..]));
-		let secret_access_key = hex::encode(&rand::random::<[u8; 32]>()[..]);
+	pub fn new(name: String, buckets: Vec<AllowedBucket>) -> Self {
+		let key_id = format!("GK{}", hex::encode(&rand::random::<[u8; 12]>()[..]));
+		let secret_key = hex::encode(&rand::random::<[u8; 32]>()[..]);
 		let mut ret = Self {
-			access_key_id,
-			secret_access_key,
+			key_id,
+			secret_key,
+			name,
+			name_timestamp: now_msec(),
 			deleted: false,
 			authorized_buckets: vec![],
 		};
@@ -35,10 +42,12 @@ impl Key {
 		}
 		ret
 	}
-	pub fn delete(access_key_id: String, secret_access_key: String) -> Self {
+	pub fn delete(key_id: String) -> Self {
 		Self {
-			access_key_id,
-			secret_access_key,
+			key_id,
+			secret_key: "".into(),
+			name: "".into(),
+			name_timestamp: now_msec(),
 			deleted: true,
 			authorized_buckets: vec![],
 		}
@@ -59,14 +68,31 @@ impl Key {
 	pub fn authorized_buckets(&self) -> &[AllowedBucket] {
 		&self.authorized_buckets[..]
 	}
+	pub fn clear_buckets(&mut self) {
+		self.authorized_buckets.clear();
+	}
+	pub fn allow_read(&self, bucket: &str) -> bool {
+		self.authorized_buckets
+			.iter()
+			.find(|x| x.bucket.as_str() == bucket)
+			.map(|x| x.allow_read)
+			.unwrap_or(false)
+	}
+	pub fn allow_write(&self, bucket: &str) -> bool {
+		self.authorized_buckets
+			.iter()
+			.find(|x| x.bucket.as_str() == bucket)
+			.map(|x| x.allow_write)
+			.unwrap_or(false)
+	}
 }
 
 #[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
 pub struct AllowedBucket {
 	pub bucket: String,
 	pub timestamp: u64,
-	pub allowed_read: bool,
-	pub allowed_write: bool,
+	pub allow_read: bool,
+	pub allow_write: bool,
 }
 
 impl Entry<EmptyKey, String> for Key {
@@ -74,15 +100,21 @@ impl Entry<EmptyKey, String> for Key {
 		&EmptyKey
 	}
 	fn sort_key(&self) -> &String {
-		&self.access_key_id
+		&self.key_id
 	}
 
 	fn merge(&mut self, other: &Self) {
 		if other.deleted {
 			self.deleted = true;
+		}
+		if self.deleted {
 			self.authorized_buckets.clear();
 			return;
 		}
+		if other.name_timestamp > self.name_timestamp {
+			self.name_timestamp = other.name_timestamp;
+			self.name = other.name.clone();
+		}
 
 		for ab in other.authorized_buckets.iter() {
 			match self