diff --git a/internal/kms/identity-manager.go b/internal/kms/identity-manager.go
new file mode 100644
index 000000000..0c99bf705
--- /dev/null
+++ b/internal/kms/identity-manager.go
@@ -0,0 +1,45 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package kms
+
+import (
+ "context"
+
+ "github.com/minio/kes"
+)
+
+// IdentityManager is the generic interface that handles KMS identity operations
+type IdentityManager interface {
+ // DescribeIdentity describes an identity by returning its metadata.
+ // e.g. which policy is currently assigned and whether its an admin identity.
+ DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error)
+
+ // DescribeSelfIdentity describes the identity issuing the request.
+ // It infers the identity from the TLS client certificate used to authenticate.
+ // It returns the identity and policy information for the client identity.
+ DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error)
+
+ // DeleteIdentity deletes an identity from KMS.
+ // The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
+ // The admin identity cannot be deleted.
+ DeleteIdentity(ctx context.Context, identity string) error
+
+ // ListIdentities list all identity metadata that match the specified pattern.
+ // In particular, the pattern * lists all identity metadata.
+ ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error)
+}
diff --git a/internal/kms/kes.go b/internal/kms/kes.go
index 1ded34ca2..ad4323daa 100644
--- a/internal/kms/kes.go
+++ b/internal/kms/kes.go
@@ -158,6 +158,24 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
return c.client.CreateKey(ctx, keyID)
}
+// DeleteKey deletes a key at the KMS with the given key ID.
+// Please note that is a dangerous operation.
+// Once a key has been deleted all data that has been encrypted with it cannot be decrypted
+// anymore, and therefore, is lost.
+func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DeleteKey(ctx, keyID)
+}
+
+// ListKeys List all key names that match the specified pattern. In particular,
+// the pattern * lists all keys.
+func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.ListKeys(ctx, pattern)
+}
+
// GenerateKey generates a new data encryption key using
// the key at the KES server referenced by the key ID.
//
@@ -188,6 +206,26 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
}, nil
}
+// ImportKey imports a cryptographic key into the KMS.
+func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.ImportKey(ctx, keyID, bytes)
+}
+
+// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
+// The plaintext must not exceed 1 MB
+func (c *kesClient) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]byte, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+
+ ctxBytes, err := ctx.MarshalText()
+ if err != nil {
+ return nil, err
+ }
+ return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
+}
+
// DecryptKey decrypts the ciphertext with the key at the KES
// server referenced by the key ID. The context must match the
// context value used to generate the ciphertext.
@@ -239,3 +277,86 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
}
return plaintexts, nil
}
+
+// DescribePolicy describes a policy by returning its metadata.
+// e.g. who created the policy at which point in time.
+func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DescribePolicy(ctx, policy)
+}
+
+// AssignPolicy assigns a policy to an identity.
+// An identity can have at most one policy while the same policy can be assigned to multiple identities.
+// The assigned policy defines which API calls this identity can perform.
+// It's not possible to assign a policy to the admin identity.
+// Further, an identity cannot assign a policy to itself.
+func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.AssignPolicy(ctx, policy, kes.Identity(identity))
+}
+
+// DeletePolicy deletes a policy from KMS.
+// All identities that have been assigned to this policy will lose all authorization privileges.
+func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DeletePolicy(ctx, policy)
+}
+
+// ListPolicies list all policy metadata that match the specified pattern.
+// In particular, the pattern * lists all policy metadata.
+func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.ListPolicies(ctx, pattern)
+}
+
+// SetPolicy creates or updates a policy.
+func (c *kesClient) SetPolicy(ctx context.Context, policy, data string) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.SetPolicy(ctx, policy, &kes.Policy{Allow: []string{"*"}, Info: kes.PolicyInfo{Name: "my-app2"}})
+}
+
+// GetPolicy gets a policy from KMS.
+func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.GetPolicy(ctx, policy)
+}
+
+// DescribeIdentity describes an identity by returning its metadata.
+// e.g. which policy is currently assigned and whether its an admin identity.
+func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DescribeIdentity(ctx, kes.Identity(identity))
+}
+
+// DescribeSelfIdentity describes the identity issuing the request.
+// It infers the identity from the TLS client certificate used to authenticate.
+// It returns the identity and policy information for the client identity.
+func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DescribeSelf(ctx)
+}
+
+// DeleteIdentity deletes an identity from KMS.
+// The client certificate that corresponds to the identity is no longer authorized to perform any API operations.
+// The admin identity cannot be deleted.
+func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.DeleteIdentity(ctx, kes.Identity(identity))
+}
+
+// ListIdentities list all identity metadata that match the specified pattern.
+// In particular, the pattern * lists all identity metadata.
+func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
+ c.lock.RLock()
+ defer c.lock.RUnlock()
+ return c.client.ListIdentities(ctx, pattern)
+}
diff --git a/internal/kms/key-manager.go b/internal/kms/key-manager.go
new file mode 100644
index 000000000..b63c5e0c3
--- /dev/null
+++ b/internal/kms/key-manager.go
@@ -0,0 +1,47 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package kms
+
+import (
+ "context"
+
+ "github.com/minio/kes"
+)
+
+// KeyManager is the generic interface that handles KMS key operations
+type KeyManager interface {
+ // CreateKey creates a new key at the KMS with the given key ID.
+ CreateKey(ctx context.Context, keyID string) error
+
+ // DeleteKey deletes a key at the KMS with the given key ID.
+ // Please note that is a dangerous operation.
+ // Once a key has been deleted all data that has been encrypted with it cannot be decrypted
+ // anymore, and therefore, is lost.
+ DeleteKey(ctx context.Context, keyID string) error
+
+ // ListKeys List all key names that match the specified pattern. In particular,
+ // the pattern * lists all keys.
+ ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error)
+
+ // ImportKey imports a cryptographic key into the KMS.
+ ImportKey(ctx context.Context, keyID string, bytes []byte) error
+
+ // EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
+ // The plaintext must not exceed 1 MB
+ EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)
+}
diff --git a/internal/kms/policy-manager.go b/internal/kms/policy-manager.go
new file mode 100644
index 000000000..865de405b
--- /dev/null
+++ b/internal/kms/policy-manager.go
@@ -0,0 +1,52 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package kms
+
+import (
+ "context"
+
+ "github.com/minio/kes"
+)
+
+// PolicyManager is the generic interface that handles KMS policy] operations
+type PolicyManager interface {
+ // DescribePolicy describes a policy by returning its metadata.
+ // e.g. who created the policy at which point in time.
+ DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error)
+
+ // AssignPolicy assigns a policy to an identity.
+ // An identity can have at most one policy while the same policy can be assigned to multiple identities.
+ // The assigned policy defines which API calls this identity can perform.
+ // It's not possible to assign a policy to the admin identity.
+ // Further, an identity cannot assign a policy to itself.
+ AssignPolicy(ctx context.Context, policy, identity string) error
+
+ // SetPolicy creates or updates a policy.
+ SetPolicy(ctx context.Context, policy, data string) error
+
+ // GetPolicy gets a policy from KMS.
+ GetPolicy(ctx context.Context, policy string) (*kes.Policy, error)
+
+ // ListPolicies list all policy metadata that match the specified pattern.
+ // In particular, the pattern * lists all policy metadata.
+ ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error)
+
+ // DeletePolicy deletes a policy from KMS.
+ // All identities that have been assigned to this policy will lose all authorization privileges.
+ DeletePolicy(ctx context.Context, policy string) error
+}