update minio/kes-go dep to v0.2.0 (#17850)

This commit updates the minio/kes-go dependency to v0.2.0 and updates the existing code to work with the new KES APIs. The `SetPolicy` handler got removed since it may not get implemented by KES at all and could not have been used in the past since stateless KES is read-only w.r.t. policies and identities. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2025-11-07 12:52:58 -05:00 · 2023-08-19 16:37:53 +02:00
parent 4c6869cd9a
commit 8f8f8854f0
8 changed files with 86 additions and 126 deletions
--- a/internal/kms/identity-manager.go
+++ b/internal/kms/identity-manager.go
@@ -39,7 +39,6 @@ type IdentityManager interface {
 	// The admin identity cannot be deleted.
 	DeleteIdentity(ctx context.Context, identity string) error

-	// ListIdentities list all identity metadata that match the specified pattern.
-	// In particular, the pattern * lists all identity metadata.
-	ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error)
+	// ListIdentities lists all identities.
+	ListIdentities(ctx context.Context) (*kes.ListIter[kes.Identity], error)
 }
--- a/internal/kms/kes.go
+++ b/internal/kms/kes.go
@@ -104,23 +104,10 @@ func NewWithConfig(config Config) (KMS, error) {
 	}
 	client.Endpoints = endpoints

-	var bulkAvailable bool
-	_, policy, err := client.DescribeSelf(context.Background())
-	if err == nil {
-		const BulkAPI = "/v1/key/bulk/decrypt/"
-		for _, allow := range policy.Allow {
-			if strings.HasPrefix(allow, BulkAPI) {
-				bulkAvailable = true
-				break
-			}
-		}
-	}
-
 	c := &kesClient{
-		client:        client,
-		enclave:       client.Enclave(config.Enclave),
-		defaultKeyID:  config.DefaultKeyID,
-		bulkAvailable: bulkAvailable,
+		client:       client,
+		enclave:      client.Enclave(config.Enclave),
+		defaultKeyID: config.DefaultKeyID,
 	}
 	go func() {
 		if config.Certificate == nil || config.ReloadCertEvents == nil {
@@ -166,11 +153,14 @@ type kesClient struct {
 	defaultKeyID string
 	client       *kes.Client
 	enclave      *kes.Enclave
-
-	bulkAvailable bool
 }

-var _ KMS = (*kesClient)(nil) // compiler check
+var ( // compiler checks
+	_ KMS             = (*kesClient)(nil)
+	_ KeyManager      = (*kesClient)(nil)
+	_ IdentityManager = (*kesClient)(nil)
+	_ PolicyManager   = (*kesClient)(nil)
+)

 // Stat returns the current KES status containing a
 // list of KES endpoints and the default key ID.
@@ -259,13 +249,14 @@ func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
 	return c.enclave.DeleteKey(ctx, keyID)
 }

-// ListKeys List all key names that match the specified pattern. In particular,
-// the pattern * lists all keys.
-func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
+// ListKeys returns an iterator over all key names.
+func (c *kesClient) ListKeys(ctx context.Context) (*kes.ListIter[string], error) {
 	c.lock.RLock()
 	defer c.lock.RUnlock()

-	return c.enclave.ListKeys(ctx, pattern)
+	return &kes.ListIter[string]{
+		NextFunc: c.enclave.ListKeys,
+	}, nil
 }

 // GenerateKey generates a new data encryption key using
@@ -304,7 +295,9 @@ func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) e
 	c.lock.RLock()
 	defer c.lock.RUnlock()

-	return c.enclave.ImportKey(ctx, keyID, bytes)
+	return c.enclave.ImportKey(ctx, keyID, &kes.ImportKeyRequest{
+		Key: bytes,
+	})
 }

 // EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
@@ -338,30 +331,6 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
 	c.lock.RLock()
 	defer c.lock.RUnlock()

-	if c.bulkAvailable {
-		CCPs := make([]kes.CCP, 0, len(ciphertexts))
-		for i := range ciphertexts {
-			bCtx, err := contexts[i].MarshalText()
-			if err != nil {
-				return nil, err
-			}
-			CCPs = append(CCPs, kes.CCP{
-				Ciphertext: ciphertexts[i],
-				Context:    bCtx,
-			})
-		}
-
-		PCPs, err := c.enclave.DecryptAll(ctx, keyID, CCPs...)
-		if err != nil {
-			return nil, err
-		}
-		plaintexts := make([][]byte, 0, len(PCPs))
-		for _, p := range PCPs {
-			plaintexts = append(plaintexts, p.Plaintext)
-		}
-		return plaintexts, nil
-	}
-
 	plaintexts := make([][]byte, 0, len(ciphertexts))
 	for i := range ciphertexts {
 		ctxBytes, err := contexts[i].MarshalText()
@@ -407,21 +376,14 @@ func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
 	return c.enclave.DeletePolicy(ctx, policy)
 }

-// ListPolicies list all policy metadata that match the specified pattern.
-// In particular, the pattern * lists all policy metadata.
-func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
+// ListPolicies returns an iterator over all policy names.
+func (c *kesClient) ListPolicies(ctx context.Context) (*kes.ListIter[string], error) {
 	c.lock.RLock()
 	defer c.lock.RUnlock()

-	return c.enclave.ListPolicies(ctx, pattern)
-}
-
-// SetPolicy creates or updates a policy.
-func (c *kesClient) SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error {
-	c.lock.RLock()
-	defer c.lock.RUnlock()
-
-	return c.enclave.SetPolicy(ctx, policy, policyItem)
+	return &kes.ListIter[string]{
+		NextFunc: c.enclave.ListPolicies,
+	}, nil
 }

 // GetPolicy gets a policy from KMS.
@@ -461,13 +423,14 @@ func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
 	return c.enclave.DeleteIdentity(ctx, kes.Identity(identity))
 }

-// ListIdentities list all identity metadata that match the specified pattern.
-// In particular, the pattern * lists all identity metadata.
-func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
+// ListPolicies returns an iterator over all identities.
+func (c *kesClient) ListIdentities(ctx context.Context) (*kes.ListIter[kes.Identity], error) {
 	c.lock.RLock()
 	defer c.lock.RUnlock()

-	return c.enclave.ListIdentities(ctx, pattern)
+	return &kes.ListIter[kes.Identity]{
+		NextFunc: c.enclave.ListIdentities,
+	}, nil
 }

 // Verify verifies all KMS endpoints and returns details
--- a/internal/kms/key-manager.go
+++ b/internal/kms/key-manager.go
@@ -34,9 +34,8 @@ type KeyManager interface {
 	// anymore, and therefore, is lost.
 	DeleteKey(ctx context.Context, keyID string) error

-	// ListKeys List all key names that match the specified pattern. In particular,
-	// the pattern * lists all keys.
-	ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error)
+	// ListKeys lists all key names.
+	ListKeys(ctx context.Context) (*kes.ListIter[string], error)

 	// ImportKey imports a cryptographic key into the KMS.
 	ImportKey(ctx context.Context, keyID string, bytes []byte) error
--- a/internal/kms/policy-manager.go
+++ b/internal/kms/policy-manager.go
@@ -36,15 +36,11 @@ type PolicyManager interface {
 	// Further, an identity cannot assign a policy to itself.
 	AssignPolicy(ctx context.Context, policy, identity string) error

-	// SetPolicy creates or updates a policy.
-	SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error
-
 	// GetPolicy gets a policy from KMS.
 	GetPolicy(ctx context.Context, policy string) (*kes.Policy, error)

-	// ListPolicies list all policy metadata that match the specified pattern.
-	// In particular, the pattern * lists all policy metadata.
-	ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error)
+	// ListPolicies lists all policies.
+	ListPolicies(ctx context.Context) (*kes.ListIter[string], error)

 	// DeletePolicy	deletes a policy from KMS.
 	// All identities that have been assigned to this policy will lose all authorization privileges.