Merge pull request ceph#62908 from clwluvw/vault-cleanup

rgw: vault code cleanup

Author: anrao19

qa/workunits/rgw/test_awssdkv4_sig.sh

@@ -6,7 +6,7 @@
 # $RGW_HTTP_ENDPOINT_URL needs to be set to the endpoint of the RGW
 #
 # Example when ceph source is cloned into $HOME and a vstart cluster is already running with a radosgw:
-# $ PATH=~/ceph/build/bin/:$PATH CEPH_ROOT=~/ceph RGW_HTTP_ENDPOINT=http://localhost:8000 ~/ceph/qa/workunits/rgw/test_awssdkv4_sig.sh
+# $ PATH=~/ceph/build/bin/:$PATH CEPH_ROOT=~/ceph RGW_HTTP_ENDPOINT_URL=http://localhost:8000 ~/ceph/qa/workunits/rgw/test_awssdkv4_sig.sh
 #
 
 set -x

src/rgw/rgw_crypt.cc

@@ -1170,10 +1170,12 @@ int rgw_s3_prepare_encrypt(req_state* s, optional_yield y,
           return -EINVAL;
         }
         /* try to retrieve actual key */
-        std::string key_selector = create_random_key_selector(s->cct);
+        if (s->cct->_conf->rgw_crypt_s3_kms_backend == RGW_SSE_KMS_BACKEND_TESTING) {
+          std::string key_selector = create_random_key_selector(s->cct);
+          set_attr(attrs, RGW_ATTR_CRYPT_KEYSEL, key_selector);
+        }
         set_attr(attrs, RGW_ATTR_CRYPT_MODE, "SSE-KMS");
         set_attr(attrs, RGW_ATTR_CRYPT_KEYID, key_id);
-        set_attr(attrs, RGW_ATTR_CRYPT_KEYSEL, key_selector);
         set_attr(attrs, RGW_ATTR_CRYPT_CONTEXT, cooked_context);
         std::string actual_key;
         res = make_actual_key_from_kms(s, attrs, y, actual_key);
@@ -1226,9 +1228,7 @@ int rgw_s3_prepare_encrypt(req_state* s, optional_yield y,
       if (res != 0) {
         return res;
       }
-      std::string key_selector = create_random_key_selector(s->cct);
 
-      set_attr(attrs, RGW_ATTR_CRYPT_KEYSEL, key_selector);
       set_attr(attrs, RGW_ATTR_CRYPT_CONTEXT, cooked_context);
       set_attr(attrs, RGW_ATTR_CRYPT_MODE, "AES256");
       set_attr(attrs, RGW_ATTR_CRYPT_KEYID, key_id);

src/rgw/rgw_kms.cc

@@ -290,10 +290,8 @@ class VaultSecretEngine: public SecretEngine {
       secret_req.set_send_length(postdata.length());
     }
 
-    secret_req.append_header("X-Vault-Token", vault_token);
-    if (!vault_token.empty()){
+    if (!vault_token.empty()) {
       secret_req.append_header("X-Vault-Token", vault_token);
-      vault_token.replace(0, vault_token.length(), vault_token.length(), '\000');
     }
 
     string vault_namespace = kctx.k_namespace();
@@ -503,6 +501,8 @@ class TransitSecretEngine: public VaultSecretEngine {
     int res = send_request(dpp, "POST", "/datakey/plaintext/", key_id,
                            post_data, y, secret_bl);
     if (res < 0) {
+      ldpp_dout(dpp, 0) << "ERROR: Failed to send request to Vault, res: "
+                        << res << " response: " << string_view(secret_bl.c_str(), secret_bl.length()) << dendl;
       return res;
     }
 
@@ -588,6 +588,8 @@ class TransitSecretEngine: public VaultSecretEngine {
     int res = send_request(dpp, "POST", "/decrypt/", key_id,
                            post_data, y, secret_bl);
     if (res < 0) {
+      ldpp_dout(dpp, 0) << "ERROR: Failed to send request to Vault for decrypt, res: "
+                        << res << " response: " << string_view(secret_bl.c_str(), secret_bl.length()) << dendl;
       return res;
     }
 
@@ -656,12 +658,11 @@ class TransitSecretEngine: public VaultSecretEngine {
     int res = send_request(dpp, "POST", "/keys/", key_name,
                            post_data, y, dummy_bl);
     if (res < 0) {
-      return res;
-    }
-    if (dummy_bl.length() != 0) {
-      ldpp_dout(dpp, 0) << "ERROR: unexpected response from Vault making a key: "
+      ldpp_dout(dpp, 0) << "ERROR: key creation failed by Vault, ret: "
+        << res << " response: "
         << std::string_view(dummy_bl.c_str(), dummy_bl.length())
         << dendl;
+      return res;
     }
     return 0;
   }