
combine CreateKey and AddKeyVersion request
This commit simplifies key creation and deletion by combining the
`CreateKeyRequest` and `AddKeyVersionRequest` as well as the
`DeleteKeyRequest` and `RemoveKeyVersionRequest`.

Signed-off-by: Andreas Auernhammer <[email protected]>
aead committed Dec 18, 2023
1 parent b20ad15 commit bdecb31
Showing 5 changed files with 155 additions and 317 deletions.
94 changes: 6 additions & 88 deletions kms/client.go
Expand Up @@ -489,9 +489,10 @@ func (c *Client) ListEnclaveNames(ctx context.Context, req *ListRequest) (*ListR
}, nil
}

// CreateKey creates a new key with the name req.Name within req.Enclave
// if and only if no such key exists already. For adding key versions to
// an existing key use AddKeyVersion.
// CreateKey creates a new key with the name req.Name within req.Enclave.
// By default, a new key is created if and only if no such key exists. If
// req.AddVersion is true, a new key version is added to an existing key.
// The later is often referred to as key rotation.
//
// It returns ErrEnclaveNotFound if no such enclave exists and ErrKeyExists
// if such a key already exists.
Expand Down Expand Up @@ -531,90 +532,6 @@ func (c *Client) CreateKey(ctx context.Context, req *CreateKeyRequest) error {
return nil
}

// AddKeyVersion adds a new key version to an existing key with the name req.Name
// within req.Enclave. If no such key exists, it creates the key. For creating a
// key without adding a new key versions use CreateKey.
//
// It returns ErrEnclaveNotFound if no such enclave exists.
func (c *Client) AddKeyVersion(ctx context.Context, req *AddKeyVersionRequest) error {
const (
Method = http.MethodPatch
Path = api.PathSecretKeyAdd
StatusOK = http.StatusOK
ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
)

body, err := pb.Marshal(req)
if err != nil {
return err
}

url, err := c.lb.URL(Path, req.Name)
if err != nil {
return err
}
r, err := http.NewRequestWithContext(ctx, Method, url, bytes.NewReader(body))
if err != nil {
return err
}
r.Header.Set(headers.Accept, ContentType)
r.Header.Set(headers.Enclave, req.Enclave)

resp, err := c.client.Do(r)
if err != nil {
return err
}
defer resp.Body.Close()

if resp.StatusCode != StatusOK {
return readError(resp)
}
return nil
}

// RemoveKeyVersion removes the version req.Version from the key with the name
// req.Name within req.Enclave. Once a key version has been removed, it cannot
// be added again. When a key contains just a single key version, RemoveKeyVersion
// deletes the key.
//
// It returns ErrEnclaveNotFound if no such enclave exists and ErrKeyNotFound if
// no such a key or key version exists.
func (c *Client) RemoveKeyVersion(ctx context.Context, req *RemoveKeyVersionRequest) error {
const (
Method = http.MethodPatch
Path = api.PathSecretKeyRemove
StatusOK = http.StatusOK
ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
)

body, err := pb.Marshal(req)
if err != nil {
return err
}

url, err := c.lb.URL(Path, req.Name)
if err != nil {
return err
}
r, err := http.NewRequestWithContext(ctx, Method, url, bytes.NewReader(body))
if err != nil {
return err
}
r.Header.Set(headers.Accept, ContentType)
r.Header.Set(headers.Enclave, req.Enclave)

resp, err := c.client.Do(r)
if err != nil {
return err
}
defer resp.Body.Close()

if resp.StatusCode != StatusOK {
return readError(resp)
}
return nil
}

// DescribeKeyVersion returns metadata about the key req.Name within
// the req.Enclave.
//
Expand Down Expand Up @@ -658,7 +575,8 @@ func (c *Client) DescribeKeyVersion(ctx context.Context, req *DescribeKeyVersion

// DeleteKey deletes the key with the version req.Version from the key ring
// with the name req.Name within req.Enclave. It deletes the latest key
// version if no key version is specified.
// version if no key version is specified and the entire key and all versions
// if req.AllVersions is true.
//
// It returns ErrEnclaveNotFound if no such enclave exists and ErrKeyNotFound
// if such key or key version exists.
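Review bot: The new CreateKey doc comment in the first hunk leaves req.AddVersion underspecified: it still says ErrKeyExists is returned "if such a key already exists" without stating that this only applies when AddVersion is false, and it does not say what happens when AddVersion is true and the key does not exist yet (the removed AddKeyVersion comment promised the key would be created in that case, which callers migrating to the flag will expect to still hold). The sentence "The later is often referred to as key rotation." should read "The latter". I would add a line such as `// If req.AddVersion is true and no such key exists, <BEHAVIOR: creates the key | returns ErrKeyNotFound>.` and qualify the ErrKeyExists sentence with "when req.AddVersion is false". The DeleteKey hunk has the same gap: since req.AllVersions widens the operation from one version to the whole key, the comment should state which field wins when both req.Version and req.AllVersions are set. The bodies of CreateKey and DeleteKey lie outside these hunks, so the actual behavior cannot be confirmed from the diff.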
2 changes: 0 additions & 2 deletions kms/internal/api/api.go
Expand Up @@ -13,9 +13,7 @@ const (
PathEnclaveList = "/v1/enclave/list/"

PathSecretKeyCreate = "/v1/key/create/"
PathSecretKeyAdd = "/v1/key/add/"
PathSecretKeyDescribe = "/v1/key/describe/"
PathSecretKeyRemove = "/v1/key/remove/"
PathSecretKeyDelete = "/v1/key/delete/"
PathSecretKeyList = "/v1/key/list/"
PathSecretKeyGenerate = "/v1/key/generate/"
