kms: add support for multiple HSMs (#32)

This commit adds support for adding, removing and listing HSMs.
Now, a KMS cluster can protect its on-disk state with multiple
HSMs. This commit adds functions for managing them.

Signed-off-by: Andreas Auernhammer <github@aead.dev>

Author: aead

kms/client.go

@@ -615,6 +615,28 @@ func (c *Client) EditCluster(ctx context.Context, req *EditClusterRequest) error
 	return resp.Body.Close()
 }
 
+// ResealCluster re-seals the cluster's on-disk state with the active HSMs.
+// It returns an error if an active HSM fails to re-seal the cluster's root
+// encryption key. For example, when the HSM is currently not available.
+//
+// It requires SysAdmin privileges.
+//
+// The returned error is of type *HostError.
+func (c *Client) ResealCluster(ctx context.Context, req *ResealClusterRequest) error {
+	body, err := cmds.Encode(nil, cmds.ClusterReseal, req)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.Send(ctx, &Request{
+		Body: body,
+	})
+	if err != nil {
+		return err
+	}
+	return resp.Body.Close()
+}
+
 // AddNode adds the KMS server at req.Host to the current KMS cluster.
 // It returns an error if the server is already part of the cluster.
 //
@@ -851,6 +873,53 @@ func (c *Client) Logs(ctx context.Context, req *LogRequest) (*LogResponse, error
 	}, nil
 }
 
+// AddHSM seals the cluster's on-disk state with the HSM referenced by req.Name.
+//
+// The cluster must already be configured with the HSM. Hence, AddHSM can only
+// add HSMs that have been removed using RemoveHSM.
+//
+// It requires SysAdmin privileges.
+//
+// The returned error is of type *HostError.
+func (c *Client) AddHSM(ctx context.Context, req *AddHSMRequest) error {
+	body, err := cmds.Encode(nil, cmds.ClusterAddHSM, req)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.Send(ctx, &Request{
+		Body: body,
+	})
+	if err != nil {
+		return err
+	}
+	return resp.Body.Close()
+}
+
+// RemoveHSM removes any sealed root encryption key associated with the HSM
+// referenced by req.Name. It does not remove the HSM configuration from the
+// cluster. Once removed, the specified HSM can no longer be used to unseal
+// the on-disk state. However, the HSM can added again via AddHSM as long as
+// the HSM configuration is present on the cluster.
+//
+// It requires SysAdmin privileges.
+//
+// The returned error is of type *HostError.
+func (c *Client) RemoveHSM(ctx context.Context, req *RemoveHSMRequest) error {
+	body, err := cmds.Encode(nil, cmds.ClusterRemoveHSM, req)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.Send(ctx, &Request{
+		Body: body,
+	})
+	if err != nil {
+		return err
+	}
+	return resp.Body.Close()
+}
+
 // CreateEnclave creates a new enclave with the name req.Name.
 //
 // It returns ErrEnclaveExists if such an enclave already exists

kms/cmds/command.go

@@ -15,6 +15,9 @@ const (
 	ClusterRemoveNode Command = 2
 	ClusterStatus     Command = 3
 	ClusterEdit       Command = 4
+	ClusterAddHSM     Command = 5
+	ClusterRemoveHSM  Command = 6
+	ClusterReseal     Command = 7
 
 	EnclaveCreate Command = 101
 	EnclaveDelete Command = 102
@@ -45,6 +48,7 @@ const (
 	IdentityList   Command = 404
 )
 
+// Parse parses s as a string representation of a Command.
 func Parse(s string) (Command, error) {
 	c, ok := textCmds[strings.ToUpper(s)]
 	if !ok {
@@ -66,6 +70,16 @@ func (c Command) IsWrite() bool {
 	return ok
 }
 
+// IsCluster reports whether c operates on a cluster-level
+// instead of within a specific enclave.
+//
+// Cluster-level commands usually require SysAdmin privileges
+// and cannot be performed by enclave admins or regular users.
+func (c Command) IsCluster() bool {
+	_, ok := isCluster[c]
+	return ok
+}
+
 func (c Command) String() string {
 	s, ok := cmdTexts[c]
 	if !ok {
@@ -104,6 +118,9 @@ var isWrite = map[Command]struct{}{ // Commands that change state on a KMS serve
 	ClusterAddNode:    {},
 	ClusterRemoveNode: {},
 	ClusterEdit:       {},
+	ClusterAddHSM:     {},
+	ClusterRemoveHSM:  {},
+	ClusterReseal:     {},
 
 	EnclaveCreate: {},
 	EnclaveDelete: {},
@@ -120,11 +137,29 @@ var isWrite = map[Command]struct{}{ // Commands that change state on a KMS serve
 	IdentityDelete: {},
 }
 
+var isCluster = map[Command]struct{}{ // Commands that operate on a cluster-level and require sysadmin privileges
+	ClusterAddNode:    {},
+	ClusterRemoveNode: {},
+	ClusterStatus:     {},
+	ClusterEdit:       {},
+	ClusterAddHSM:     {},
+	ClusterRemoveHSM:  {},
+	ClusterReseal:     {},
+
+	EnclaveCreate: {},
+	EnclaveDelete: {},
+	EnclaveStatus: {},
+	EnclaveList:   {},
+}
+
 var cmdTexts = map[Command]string{
 	ClusterAddNode:    "CLUSTER:ADDNODE",
 	ClusterRemoveNode: "CLUSTER:REMOVENODE",
 	ClusterStatus:     "CLUSTER:STATUS",
 	ClusterEdit:       "CLUSTER:EDIT",
+	ClusterAddHSM:     "CLUSTER:ADDHSM",
+	ClusterRemoveHSM:  "CLUSTER:REMOVEHSM",
+	ClusterReseal:     "CLUSTER:RESEAL",
 
 	EnclaveCreate: "ENCLAVE:CREATE",
 	EnclaveDelete: "ENCLAVE:DELETE",
@@ -159,6 +194,9 @@ var textCmds = map[string]Command{
 	"CLUSTER:REMOVENODE": ClusterRemoveNode,
 	"CLUSTER:STATUS":     ClusterStatus,
 	"CLUSTER:EDIT":       ClusterEdit,
+	"CLUSTER:ADDHSM":     ClusterAddHSM,
+	"CLUSTER:REMOVEHSM":  ClusterRemoveHSM,
+	"CLUSTER:RESEAL":     ClusterReseal,
 
 	"ENCLAVE:CREATE": EnclaveCreate,
 	"ENCLAVE:DELETE": EnclaveDelete,