Andrei Klunnyi authored
^KTIJ-19939 fixed (cherry picked from commit ba5c306d72b06846c72517f74b8f0aeebf512bf1) GitOrigin-RevId: 65c1c5224f557f39b32d535619eaac6edc783ed3
557a9ea4
package api
import (
"fmt"
"net/url"
"time"
)
// Keyring is used to access the Secure Variables keyring.
//
// Obtain a handle with (*Client).Keyring; every method on Keyring issues
// its request through the wrapped client.
type Keyring struct {
	client *Client // API client used for all keyring requests
}
// Keyring returns a handle to the Keyring endpoint.
//
// The handle shares the receiver client; no request is made here.
func (c *Client) Keyring() *Keyring {
	handle := Keyring{client: c}
	return &handle
}
// EncryptionAlgorithm chooses which algorithm is used for
// encrypting / decrypting entries with this key.
//
// Values are sent to the server as the "algo" query parameter of a
// Rotate request; see KeyringRotateOptions.
type EncryptionAlgorithm string

const (
	// EncryptionAlgorithmAES256GCM selects AES-256 in GCM mode. It is the
	// only algorithm declared in this file.
	EncryptionAlgorithmAES256GCM EncryptionAlgorithm = "aes256-gcm"
)
// RootKey wraps key metadata and the key itself. The key must be
// base64 encoded.
//
// Key carries the raw key material and should be treated as a secret:
// it is submitted as the body of Keyring.Update and should not be logged
// or persisted by callers. Metadata-only views of a key are returned by
// Keyring.List as RootKeyMeta.
type RootKey struct {
	Meta *RootKeyMeta // metadata describing the key
	Key  string       // base64-encoded key material
}
// RootKeyMeta is the metadata used to refer to a RootKey.
//
// It never contains key material, so it is safe to list and log; the
// key itself only travels inside RootKey.
type RootKeyMeta struct {
	Active      bool                // whether this is the key currently in use; only inactive keys may be deleted
	KeyID       string              // UUID
	Algorithm   EncryptionAlgorithm // algorithm the key is used with
	CreateTime  time.Time           // when the key was created
	CreateIndex uint64              // NOTE(review): presumably the state index at creation — confirm against the server
	ModifyIndex uint64              // NOTE(review): presumably the state index of the last change — confirm against the server
}
// List lists all the keyring metadata.
//
// Only RootKeyMeta values are returned, so no key material is exposed
// by this call. On error the returned slice and QueryMeta are nil.
func (k *Keyring) List(q *QueryOptions) ([]*RootKeyMeta, *QueryMeta, error) {
	var keys []*RootKeyMeta
	meta, err := k.client.query("/v1/operator/keyring/keys", &keys, q)
	if err == nil {
		return keys, meta, nil
	}
	return nil, nil, err
}
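// Delete deletes a specific inactive key from the keyring.
//
// The key is addressed by opts.KeyID, which is path-escaped before being
// placed in the URL so a caller-supplied ID cannot alter the request
// path. A nil opts or an empty KeyID is rejected before any request is
// sent: without this guard a nil opts would panic, and an empty ID would
// build a URL ending in "key/", which addresses a different route.
//
// Returns the WriteMeta of the request, or an error if validation or the
// request fails.
func (k *Keyring) Delete(opts *KeyringDeleteOptions, w *WriteOptions) (*WriteMeta, error) {
	if opts == nil || opts.KeyID == "" {
		return nil, fmt.Errorf("keyring delete requires a non-empty KeyID")
	}
	path := "/v1/operator/keyring/key/" + url.PathEscape(opts.KeyID)
	return k.client.delete(path, nil, w)
}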
// KeyringDeleteOptions are parameters for the Delete API.
type KeyringDeleteOptions struct {
	KeyID string // UUID of the (inactive) key to delete; placed, path-escaped, in the request URL
}
// Update upserts a key into the keyring.
//
// key, including its base64-encoded key material, is handed to the
// client write call as the request payload; nothing is decoded from the
// response. The WriteMeta and error of the underlying request are
// returned unchanged.
func (k *Keyring) Update(key *RootKey, w *WriteOptions) (*WriteMeta, error) {
	return k.client.write("/v1/operator/keyring/keys", key, nil, w)
}
// Rotate requests a key rotation.
//
// opts may be nil, in which case the request carries no query
// parameters. A non-empty opts.Algorithm is sent as "algo" and
// opts.Full as "full=true"; the server-side meaning of a full rotation
// is not visible here. The metadata of the new key is decoded from the
// response; the returned *RootKeyMeta is non-nil even when err is set.
func (k *Keyring) Rotate(opts *KeyringRotateOptions, w *WriteOptions) (*RootKeyMeta, *WriteMeta, error) {
	params := url.Values{}
	if opts != nil {
		if algo := string(opts.Algorithm); algo != "" {
			params.Set("algo", algo)
		}
		if opts.Full {
			params.Set("full", "true")
		}
	}
	endpoint := "/v1/operator/keyring/rotate?" + params.Encode()
	meta := new(RootKeyMeta)
	wm, err := k.client.write(endpoint, nil, meta, w)
	return meta, wm, err
}
// KeyringRotateOptions are parameters for the Rotate API.
type KeyringRotateOptions struct {
	Full      bool                // sent as the "full=true" query parameter when set
	Algorithm EncryptionAlgorithm // sent as the "algo" query parameter when non-empty
}