macaroons: Let GenerateNewRootKey be applied to all root keys

With this commit, GenerateNewRootKey will regenerate the Default root key and will then also check if any other root keys exist and regenerate those as well.
2025-03-12 10:30:40 +01:00 · 2023-05-17 11:51:56 +02:00 · 2023-05-17 11:51:56 +02:00 · 51f0082c53
commit 51f0082c53
parent ee01956978
2 changed files with 29 additions and 9 deletions
--- a/macaroons/store.go
+++ b/macaroons/store.go
@ -325,10 +325,34 @@ func (r *RootKeyStorage) GenerateNewRootKey() error {
 		if bucket == nil {
 			return ErrRootKeyBucketNotFound
 		}
+
+		// The default root key should be created even if it does not
+		// yet exist, so we do this separately from the rest of the
+		// root keys.
 		_, err := generateAndStoreNewRootKey(
 			bucket, DefaultRootKeyID, r.encKey,
 		)
+		if err != nil {
 			return err
+		}
+
+		// Now iterate over all the other root keys that may exist
+		// and re-generate each of them.
+		return bucket.ForEach(func(k, v []byte) error {
+			if bytes.Equal(k, encryptionKeyID) {
+				return nil
+			}
+
+			if bytes.Equal(k, DefaultRootKeyID) {
+				return nil
+			}
+
+			_, err := generateAndStoreNewRootKey(
+				bucket, k, r.encKey,
+			)
+
+			return err
+		})
 	}, func() {})
 }

--- a/macaroons/store_test.go
+++ b/macaroons/store_test.go
@ -135,10 +135,8 @@ func TestStore(t *testing.T) {
 	require.Equal(t, rootID, id)
 }

-// TestStoreGenerateNewRootKey tests that a root key can be replaced with a new
-// one in the store without changing the password. Also demonstrate that at the
-// moment, only the default root key will be replaced. This is a bug that will
-// be fixed in an upcoming commit.
+// TestStoreGenerateNewRootKey tests that root keys can be replaced with new
+// ones in the store without changing the password.
 func TestStoreGenerateNewRootKey(t *testing.T) {
 	_, store := newTestStore(t)

@ -159,22 +157,20 @@ func TestStoreGenerateNewRootKey(t *testing.T) {
 	oldRootKey2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
 	require.NoError(t, err)

-	// Attempt to replace the root keys with new random keys.
+	// Replace the root keys with new random keys.
 	err = store.GenerateNewRootKey()
 	require.NoError(t, err)

 	// Finally, read both root keys from the DB and compare them to the ones
 	// we got returned earlier. This makes sure that the encryption/
 	// decryption of the key in the DB worked as expected too.
-	// Currently, this is only successful for the default root key and not
-	// for non-default key. This will be fixed in an upcoming commit.
 	newRootKey1, _, err := store.RootKey(defaultRootKeyIDContext)
 	require.NoError(t, err)
 	require.NotEqual(t, oldRootKey1, newRootKey1)

 	newRootKey2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
 	require.NoError(t, err)
-	require.Equal(t, oldRootKey2, newRootKey2)
+	require.NotEqual(t, oldRootKey2, newRootKey2)
 }

 // TestStoreSetRootKey tests that a root key can be set to a specified value.