Minor DEK Registry changes: DELETE returns 404, ensure ts is set (#2763)
rayokota authored Sep 15, 2023
1 parent 17462b6 commit 31a6866
Showing 3 changed files with 44 additions and 4 deletions.
Expand Up @@ -427,6 +427,8 @@ private KeyEncryptionKey createKek(CreateKekRequest request)
KeyEncryptionKey key = new KeyEncryptionKey(request.getName(), kmsType,
request.getKmsKeyId(), kmsProps, request.getDoc(), request.isShared(), false);
keys.put(keyId, key);
// Retrieve key with ts set
key = (KeyEncryptionKey) keys.get(keyId);
return key;
}

Expand Down Expand Up @@ -516,6 +518,8 @@ private DataEncryptionKey createDek(String kekName, CreateDekRequest request)
}
}
keys.put(keyId, key);
// Retrieve key with ts set
key = (DataEncryptionKey) keys.get(keyId);
if (kek.isShared()) {
key = generateRawDek(kek, key);
}
Expand Down Expand Up @@ -551,10 +555,11 @@ protected DataEncryptionKey generateRawDek(KeyEncryptionKey kek, DataEncryptionK
String rawDekStr =
new String(Base64.getEncoder().encode(rawDek), StandardCharsets.UTF_8);
// Copy dek
key = new DataEncryptionKey(key.getKekName(), key.getSubject(), key.getVersion(),
key.getAlgorithm(), key.getEncryptedKeyMaterial(), key.isDeleted());
key.setKeyMaterial(rawDekStr);
return key;
DataEncryptionKey newKey = new DataEncryptionKey(key.getKekName(), key.getSubject(),
key.getVersion(), key.getAlgorithm(), key.getEncryptedKeyMaterial(), key.isDeleted());
newKey.setKeyMaterial(rawDekStr);
newKey.setTimestamp(key.getTimestamp());
return newKey;
} catch (GeneralSecurityException e) {
log.error("Could not generate raw dek for " + key.getSubject(), e);
throw new DekGenerationException("Could not generate raw dek for " + key.getSubject());
Expand Down Expand Up @@ -624,6 +629,8 @@ private KeyEncryptionKey putKek(String name, UpdateKekRequest request)
KeyEncryptionKey newKey = new KeyEncryptionKey(name, key.getKmsType(),
key.getKmsKeyId(), kmsProps, doc, shared, false);
keys.put(keyId, newKey);
// Retrieve key with ts set
newKey = (KeyEncryptionKey) keys.get(keyId);
return newKey;
}

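Review bot: The read-back in createDek, `key = (DataEncryptionKey) keys.get(keyId);`, has no null guard, so if the store does not make a just-written entry visible to the same caller the following `generateRawDek(kek, key)` dereferences null at `key.getKekName()`; the same unguarded read-back appears in createKek and putKek. Whether `keys.get` can miss a just-completed `put` depends on the store implementation, which is outside these hunks, so if it is guaranteed I would say so in the comment, e.g. `// Re-read from the store, which stamps the timestamp on put; get() must see our own put`, and otherwise fail explicitly with `Objects.requireNonNull(key, "key " + keyId + " not readable after put");` rather than letting a later NPE surface as a 500. The generateRawDek hunk copying the timestamp onto `newKey` is what lets the re-read value survive the copy, so that part looks right. All four enclosing methods start and end outside their hunks.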
Expand Up @@ -318,6 +318,11 @@ public void deleteKek(
headers, getSchemaRegistry().config().whitelistHeaders());

try {
KeyEncryptionKey kek = dekRegistry.getKek(name, true);
if (kek == null) {
throw DekRegistryErrors.keyNotFoundException(name);
}

dekRegistry.deleteKekOrForward(name, permanentDelete, headerProperties);
asyncResponse.resume(Response.status(204).build());
} catch (KeyNotSoftDeletedException e) {
Expand Down Expand Up @@ -358,6 +363,15 @@ public void deleteDek(
headers, getSchemaRegistry().config().whitelistHeaders());

try {
KeyEncryptionKey kek = dekRegistry.getKek(kekName, true);
if (kek == null) {
throw DekRegistryErrors.keyNotFoundException(kekName);
}
DataEncryptionKey key = dekRegistry.getDek(kekName, subject, algorithm, true);
if (key == null) {
throw DekRegistryErrors.keyNotFoundException(subject);
}

dekRegistry.deleteDekOrForward(
kekName, subject, algorithm, permanentDelete, headerProperties);
asyncResponse.resume(Response.status(204).build());
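Review bot: The existence check and the delete are two separate operations: `dekRegistry.getKek(name, true)` reads this node's view of the store, while `deleteKekOrForward` may forward the delete elsewhere, so a node with a lagging view can answer 404 for a key the leader holds, and a concurrent delete between the two calls still reaches `deleteKekOrForward` with no not-found path of its own. If the registry's delete can already detect a missing key (the existing `KeyNotSoftDeletedException` catch suggests it reports other state errors), raising the 404 from inside the delete would keep the check and the mutation on one view of the store; the same applies to the DEK lookup added in deleteDek. Note also that the `true` argument presumably includes soft-deleted keys, so a repeated soft delete passes the check and proceeds to `deleteKekOrForward` — fine if that call is idempotent, but worth a one-line comment such as `// lookupDeleted=true: a soft-deleted key still exists for 404 purposes`. Both deleteKek and deleteDek start and end outside their hunks.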
Expand Up @@ -219,6 +219,7 @@ private void testBasic(Map<String, String> headers) throws Exception {

newDek = client.getDek(kekName, subject, algorithm, false);
assertEquals(dek, newDek);
assertNotNull(newDek.getTimestamp());

// Create dek w/o key material
try {
Expand All @@ -230,6 +231,7 @@ private void testBasic(Map<String, String> headers) throws Exception {

newDek = client.getDek(kekName, subject, algorithm, false);
assertEquals(dek, newDek);
assertNotNull(newDek.getTimestamp());

Kek kek2 = new Kek(kekName, kmsType, kmsKeyId, kmsProps, doc, true, null);

Expand All @@ -244,11 +246,13 @@ private void testBasic(Map<String, String> headers) throws Exception {
Dek dek2 = new Dek(kekName, subject, 1, algorithm, encryptedDekStr, rawDekStr, null);
newDek = client.getDek(kekName, subject, algorithm, true);
assertEquals(dek2, newDek);
assertNotNull(newDek.getTimestamp());

// Create dek w/o key material, receive both encrypted and decrypted key material
newDek = client.createDek(headers, kekName, subject2, algorithm, null);
assertNotNull(newDek.getEncryptedKeyMaterial());
assertNotNull(newDek.getKeyMaterial());
assertNotNull(newDek.getTimestamp());

List<String> deks = client.listDeks(kekName, false);
assertEquals(ImmutableList.of(subject, subject2), deks);
Expand Down Expand Up @@ -278,6 +282,7 @@ private void testBasic(Map<String, String> headers) throws Exception {

newDek = client.getDek(kekName, subject, algorithm, true);
assertEquals(dek2, newDek);
assertNotNull(newDek.getTimestamp());

deks = client.listDeks(kekName, false);
assertEquals(ImmutableList.of(subject2), deks);
Expand All @@ -302,6 +307,13 @@ private void testBasic(Map<String, String> headers) throws Exception {
}

client.deleteDek(headers, kekName, subject, algorithm, true);
try {
client.deleteDek(headers, kekName, subject, algorithm, true);
fail();
} catch (RestClientException e) {
assertEquals(DekRegistryErrors.KEY_NOT_FOUND_ERROR_CODE, e.getErrorCode());
}

client.deleteDek(headers, kekName, subject2, algorithm, true);

deks = client.listDeks(kekName, false);
Expand All @@ -311,6 +323,12 @@ private void testBasic(Map<String, String> headers) throws Exception {
assertEquals(Collections.emptyList(), deks);

client.deleteKek(headers, kekName, true);
try {
client.deleteKek(headers, kekName, true);
fail();
} catch (RestClientException e) {
assertEquals(DekRegistryErrors.KEY_NOT_FOUND_ERROR_CODE, e.getErrorCode());
}
}

@Test
Expand Down Expand Up @@ -348,6 +366,7 @@ public void testUnknownKmsType() throws Exception {

newDek = client.getDek(kekName, subject, algorithm, false);
assertEquals(dek, newDek);
assertNotNull(newDek.getTimestamp());

// Create dek w/o key material, exception
try {
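Review bot: The new negative tests pin only the error code, `assertEquals(DekRegistryErrors.KEY_NOT_FOUND_ERROR_CODE, e.getErrorCode());`, while the commit's stated contract is an HTTP 404, so I would also assert `assertEquals(404, e.getStatus());` in both catch blocks (the repeated deleteDek and the repeated deleteKek), assuming `RestClientException` exposes the status as it does elsewhere in the client. The bare `fail()` calls give no message when the second delete unexpectedly succeeds; `fail("second deleteDek should fail with 404");` makes that failure readable. testBasic starts and ends outside the hunks.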