refine the KMS admin API (#8943)
This commit removes the `Update` functionality from the admin API. While this is technically a breaking change, I think this will not cause any harm because: - The KMS admin API is not complete yet. At the moment only the status can be fetched. - The `mc` integration hasn't been merged yet, so no `mc` client could have used this API in the past. The `Update`/`Rewrap` status is not useful anymore. It provided a way to migrate from one master key version to another. However, KES does not support the concept of key versions. Instead, key migration should be implemented as migration from one master key to another. Basically, the `Update` functionality had been implemented just for Vault.
This commit is contained in:
parent
026265f8f7
commit
4f37c8ccf2
@ -1270,20 +1270,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
|
||||
return
|
||||
}
|
||||
|
||||
// 2. Check whether we can update / re-wrap the sealed key.
|
||||
sealedKey, err = GlobalKMS.UpdateKey(keyID, sealedKey, kmsContext)
|
||||
if err != nil {
|
||||
response.UpdateErr = err.Error()
|
||||
resp, err := json.Marshal(response)
|
||||
if err != nil {
|
||||
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
|
||||
return
|
||||
}
|
||||
writeSuccessResponseJSON(w, resp)
|
||||
return
|
||||
}
|
||||
|
||||
// 3. Verify that we can indeed decrypt the (encrypted) key
|
||||
// 2. Verify that we can indeed decrypt the (encrypted) key
|
||||
decryptedKey, err := GlobalKMS.UnsealKey(keyID, sealedKey, kmsContext)
|
||||
if err != nil {
|
||||
response.DecryptionErr = err.Error()
|
||||
@ -1296,7 +1283,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
|
||||
return
|
||||
}
|
||||
|
||||
// 4. Compare generated key with decrypted key
|
||||
// 3. Compare generated key with decrypted key
|
||||
if subtle.ConstantTimeCompare(key[:], decryptedKey[:]) != 1 {
|
||||
response.DecryptionErr = "The generated and the decrypted data key do not match"
|
||||
resp, err := json.Marshal(response)
|
||||
|
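Review bot: The renumbered step comments `// 2. Verify that we can indeed decrypt the (encrypted) key` and `// 3. Compare generated key with decrypted key` are the only new text in this section, and numbered steps have to be rewritten every time a step is dropped, as this commit shows; unnumbered headings such as `// Verify that the sealed key decrypts` and `// Compare generated key with decrypted key` would survive the next change. With the `UpdateKey` call gone, the `sealedKey` handed to `UnsealKey` is presumably the value produced by the generate step earlier in the function, which lies outside the hunk, so that cannot be confirmed here. Separately, the unchanged failure branches still copy the raw KMS error text into `response.DecryptionErr`, so any backend detail the KMS includes in its error reaches the API client; that predates this commit, but the handler doc comment should say that KMS error strings are forwarded verbatim so operators know what the status endpoint can expose. KMSKeyStatusHandler starts before and ends after the hunks shown.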
@ -57,6 +57,5 @@ func (adm *AdminClient) GetKeyStatus(keyID string) (*KMSKeyStatus, error) {
|
||||
type KMSKeyStatus struct {
|
||||
KeyID string `json:"key-id"`
|
||||
EncryptionErr string `json:"encryption-error,omitempty"` // An empty error == success
|
||||
UpdateErr string `json:"update-error,omitempty"` // An empty error == success
|
||||
DecryptionErr string `json:"decryption-error,omitempty"` // An empty error == success
|
||||
}
|
||||
|