kms: add DeleteKey API and DeleteKeyRequest type
This commit adds the `DeleteKey` API. Now, applications
can delete a secret key using a `DeleteKeyRequest`.

As part of this, the semantics of the key version zero
has been changed to refer to the latest key version.

Signed-off-by: Andreas Auernhammer <[email protected]>
aead committed Dec 5, 2023
1 parent c977f0e commit 05b99e8
Showing 5 changed files with 217 additions and 74 deletions.
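--- a/kms/client.go
+++ b/kms/client.go
@@ -438,7 +438,7 @@ func (c *Client) ListEnclaveNames(ctx context.Context, req *ListRequest) (*ListR
 }, nil
 }
 
-// CreateKey creates a new key with the name req.Key with req.Enclave.
+// CreateKey creates a new key with the name req.Name within req.Enclave.
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and ErrKeyExists
 // if such a key already exists.
@@ -478,7 +478,7 @@ func (c *Client) CreateKey(ctx context.Context, req *CreateKeyRequest) error {
 return nil
 }
 
-// DescribeKeyVersion returns metadata about the req.Key within
+// DescribeKeyVersion returns metadata about the key req.Name within
 // the req.Enclave.
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and
@@ -491,7 +491,7 @@ func (c *Client) DescribeKeyVersion(ctx context.Context, req *DescribeKeyVersion
 ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
 )
 
-url, err := c.lb.URL(Path, req.Key)
+url, err := c.lb.URL(Path, req.Name)
 if err != nil {
 return nil, err
 }
@@ -519,6 +519,48 @@ func (c *Client) DescribeKeyVersion(ctx context.Context, req *DescribeKeyVersion
 return &data, nil
 }
 
+// DeleteKey deletes the key with the version req.Version from the key ring
+// with the name req.Name within req.Enclave. It deletes the latest key
+// version if no key version is specified.
+//
+// It returns ErrEnclaveNotFound if no such enclave exists and ErrKeyNotFound
+// if such key or key version exists.
+func (c *Client) DeleteKey(ctx context.Context, req *DeleteKeyRequest) error {
+const (
+Method = http.MethodDelete
+Path = api.PathSecretKeyDelete
+StatusOK = http.StatusOK
+ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
+)
+
+body, err := pb.Marshal(req)
+if err != nil {
+return err
+}
+
+url, err := c.lb.URL(Path, req.Name)
+if err != nil {
+return err
+}
+r, err := http.NewRequestWithContext(ctx, Method, url, bytes.NewReader(body))
+if err != nil {
+return err
+}
+r.Header.Set(headers.Accept, ContentType)
+r.Header.Set(headers.Enclave, req.Enclave)
+
+resp, err := c.client.Do(r)
+if err != nil {
+return err
+}
+defer resp.Body.Close()
+
+if resp.StatusCode != StatusOK {
+return readError(resp)
+}
+return nil
+}
+
 // ListKeyNames returns a list of key names. The list starts at the given
 // req.Prefix and req.ContinueAt and contains at most req.Limit names.
 //
@@ -576,7 +618,7 @@ func (c *Client) ListKeyNames(ctx context.Context, req *ListRequest) (*ListRespo
 }, nil
 }
 
-// Encrypt encrypts the req.Plaintext with the req.Key within
+// Encrypt encrypts the req.Plaintext with the key req.Name within
 // the req.Enclave.
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and
@@ -594,7 +636,7 @@ func (c *Client) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResp
 return nil, err
 }
 
-url, err := c.lb.URL(Path, req.Key)
+url, err := c.lb.URL(Path, req.Name)
 if err != nil {
 return nil, err
 }
@@ -622,7 +664,7 @@ func (c *Client) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResp
 return &data, nil
 }
 
-// Decrypt decrypts the req.Ciphertext with the req.Key within
+// Decrypt decrypts the req.Ciphertext with the key req.Name within
 // the req.Enclave.
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and
@@ -640,7 +682,7 @@ func (c *Client) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResp
 return nil, err
 }
 
-url, err := c.lb.URL(Path, req.Key)
+url, err := c.lb.URL(Path, req.Name)
 if err != nil {
 return nil, err
 }
@@ -700,7 +742,7 @@ func (c *Client) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (*Gen
 return nil, err
 }
 
-url, err := c.lb.URL(Path, req.Key)
+url, err := c.lb.URL(Path, req.Name)
 if err != nil {
 return nil, err
 }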
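Review bot: The doc comment on the new DeleteKey (the -519,6 +519,48 hunk) states the ErrKeyNotFound condition backwards: `// if such key or key version exists.` should read `// if no such key or key version exists.`, matching the phrasing used on CreateKey and DescribeKeyVersion. Because version zero now selects the latest version, that contract is worth stating on this destructive call so a zero-value DeleteKeyRequest is never sent by accident, e.g. `// A req.Version of zero selects the latest key version.`. The request body is protobuf-encoded via pb.Marshal but only the Accept and Enclave headers are set; if the other body-carrying methods set a Content-Type header for their request bodies (not visible in these hunks), DeleteKey should do the same.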