From c2797eb38efd5b7b32dfaef011bb3455dc70e722 Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Mon, 19 May 2025 20:22:50 -0500
Subject: [PATCH 01/15] feat(policy): Default kas keys

---
 docs/grpc/index.html | 251 +++-
 .../policy/actions/actions.swagger.json | 2 +-
 .../policy/attributes/attributes.swagger.json | 2 +-
 .../key_access_server_registry.swagger.json | 68 +-
 .../policy/namespaces/namespaces.swagger.json | 2 +-
 .../resource_mapping.swagger.json | 2 +-
 .../subject_mapping.swagger.json | 2 +-
 .../openapi/policy/unsafe/unsafe.swagger.json | 2 +-
 .../key_access_server_registry.connect.go | 64 +
 .../key_access_server_registry.pb.go | 1106 +++++++++++++----
 .../key_access_server_registry_grpc.pb.go | 78 ++
 protocol/go/policy/objects.pb.go | 2 +-
 service/integration/kas_registry_key_test.go | 791 +++++++++++-
 service/pkg/db/marshalHelpers.go | 64 +
 service/policy/db/db.go | 2 +-
 .../policy/db/key_access_server_registry.go | 213 +++-
 .../20250512000000_default_keys_table.md | 41 +
 .../20250512000000_default_keys_table.sql | 49 +
 service/policy/db/models.go | 8 +-
 service/policy/db/query.sql | 62 +
 service/policy/db/query.sql.go | 167 ++-
 service/policy/db/schema_erd.md | 9 +-
 .../kasregistry/key_access_server_registry.go | 69 +-
 .../key_access_server_registry.proto | 51 +
 .../key_access_server_registry_keys_test.go | 72 ++
 service/policy/objects.proto | 2 +-
 .../wellknown_configuration.go | 8 +
 27 files changed, 2866 insertions(+), 323 deletions(-)
 create mode 100644 service/policy/db/migrations/20250512000000_default_keys_table.md
 create mode 100644 service/policy/db/migrations/20250512000000_default_keys_table.sql

diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index 93eeae526f..75de72e3eb 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -910,6 +910,14 @@

Table of Contents

MDeactivatePublicKeyResponse +
  • + MDefaultKasKey +
  • + +
  • + MDefaultKasPublicKey +
  • +
  • MDeleteKeyAccessServerRequest
  • @@ -918,6 +926,14 @@

    Table of Contents

    MDeleteKeyAccessServerResponse +
  • + MGetDefaultKeysRequest +
  • + +
  • + MGetDefaultKeysResponse +
  • +
  • MGetKeyAccessServerRequest
  • @@ -1022,6 +1038,14 @@

    Table of Contents

    MRotatedResources +
  • + MSetDefaultKeyRequest +
  • + +
  • + MSetDefaultKeyResponse +
  • +
  • MUpdateKeyAccessServerRequest
  • @@ -1047,6 +1071,10 @@

    Table of Contents

    +
  • + ETdfType +
  • +
  • @@ -1991,7 +2019,7 @@

    AsymmetricKey

    private_key_ctx KasPrivateKeyCtx -

    Optional +

    Required Specific structure based on key provider implementation

    @@ -7885,6 +7913,82 @@

    DeactivatePublicKeyRespo +

    DefaultKasKey

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    tdf_typestring

    The type of TDF (e.g., ZTDF, Nano)

    kas_uristring

    The URL of the Key Access Server

    public_keyDefaultKasPublicKey

    The public key of the Key that belongs to the KAS

    + + + + + +

    DefaultKasPublicKey

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    algorithmstring

    kidstring

    pemstring

    + + + + +

    DeleteKeyAccessServerRequest

    @@ -7933,6 +8037,37 @@

    DeleteKeyAccessServerR +

    GetDefaultKeysRequest

    +

    + + + + + +

    GetDefaultKeysResponse

    +

    + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    default_kas_keysDefaultKasKeyrepeated

    The list of default keys

    + + + + +

    GetKeyAccessServerRequest

    @@ -8953,6 +9088,77 @@

    RotatedResources

    +

    SetDefaultKeyRequest

    +

    Sets the specified key as the default key for the Key Access Server

    Note: The key must be active.

    Side effects:

    If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    idstring

    Current Key UUID tp be set as default

    keyKasKeyIdentifier

    Alternative way to specify the key using KAS ID and Key ID

    tdf_typeTdfType

    Required + +The type of TDF (e.g., ZTDF, Nano)

    + + + + + +

    SetDefaultKeyResponse

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    new_default_kas_keyDefaultKasKey

    The key that was set as default

    previous_default_kas_keyDefaultKasKey

    The previous default key, if any

    + + + + +

    UpdateKeyAccessServerRequest

    @@ -9190,6 +9396,35 @@

    UpdatePublicKeyResponse

    +

    TdfType

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameNumberDescription
    TDF_TYPE_UNSPECIFIED0

    TDF_TYPE_ZTDF1

    TDF_TYPE_NANO2

    + @@ -9280,6 +9515,20 @@

    KeyAccessServerRegist

    Request to rotate a key in the Key Access Service.

    + + SetDefaultKey + SetDefaultKeyRequest + SetDefaultKeyResponse +

    Request to set the default a default kas key.

    + + + + GetDefaultKeys + GetDefaultKeysRequest + GetDefaultKeysResponse +

    Get Default kas keys

    + + diff --git a/docs/openapi/policy/actions/actions.swagger.json b/docs/openapi/policy/actions/actions.swagger.json index 7d40140586..c687575d69 100644 --- a/docs/openapi/policy/actions/actions.swagger.json +++ b/docs/openapi/policy/actions/actions.swagger.json @@ -203,7 +203,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json index cc164b7bcd..c89fd4e295 100644 --- a/docs/openapi/policy/attributes/attributes.swagger.json +++ b/docs/openapi/policy/attributes/attributes.swagger.json @@ -1060,7 +1060,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index 1082d95d1c..2d2ce328c9 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json 
@@ -425,6 +425,37 @@ }, "title": "Response to a CreateKeyRequest, containing the created asymmetric key" }, + "kasregistryDefaultKasKey": { + "type": "object", + "properties": { + "tdfType": { + "type": "string", + "title": "The type of TDF (e.g., ZTDF, Nano)" + }, + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/kasregistryDefaultKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + } + } + }, + "kasregistryDefaultKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "type": "string" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "kasregistryDeleteKeyAccessServerResponse": { "type": "object", "properties": { @@ -433,6 +464,19 @@ } } }, + "kasregistryGetDefaultKeysResponse": { + "type": "object", + "properties": { + "defaultKasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryDefaultKasKey" + }, + "title": "The list of default keys" + } + } + }, "kasregistryGetKeyAccessServerResponse": { "type": "object", "properties": { @@ -606,6 +650,28 @@ }, "title": "All resources that were rotated as part of the key rotation process" }, + "kasregistrySetDefaultKeyResponse": { + "type": "object", + "properties": { + "newDefaultKasKey": { + "$ref": "#/definitions/kasregistryDefaultKasKey", + "title": "The key that was set as default" + }, + "previousDefaultKasKey": { + "$ref": "#/definitions/kasregistryDefaultKasKey", + "title": "The previous default key, if any" + } + } + }, + "kasregistryTdfType": { + "type": "string", + "enum": [ + "TDF_TYPE_UNSPECIFIED", + "TDF_TYPE_ZTDF", + "TDF_TYPE_NANO" + ], + "default": "TDF_TYPE_UNSPECIFIED" + }, "kasregistryUpdateKeyAccessServerResponse": { "type": "object", "properties": { 
@@ -669,7 +735,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json index 33c7f5c58f..42aac4a672 100644 --- a/docs/openapi/policy/namespaces/namespaces.swagger.json +++ b/docs/openapi/policy/namespaces/namespaces.swagger.json @@ -504,7 +504,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json index 6815a6b315..c5c68d8610 100644 --- a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json +++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json @@ -566,7 +566,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json index 3e64f0da2b..580a51403c 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json +++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json 
@@ -573,7 +573,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json index d58a667072..fd9cb53cee 100644 --- a/docs/openapi/policy/unsafe/unsafe.swagger.json +++ b/docs/openapi/policy/unsafe/unsafe.swagger.json @@ -463,7 +463,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Optional" + "title": "Required" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go index cec1bb5e11..7e21a0177d 100644 --- a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go +++ b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go 
@@ -67,6 +67,12 @@ const ( // KeyAccessServerRegistryServiceRotateKeyProcedure is the fully-qualified name of the // KeyAccessServerRegistryService's RotateKey RPC. KeyAccessServerRegistryServiceRotateKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/RotateKey" + // KeyAccessServerRegistryServiceSetDefaultKeyProcedure is the fully-qualified name of the + // KeyAccessServerRegistryService's SetDefaultKey RPC. + KeyAccessServerRegistryServiceSetDefaultKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/SetDefaultKey" + // KeyAccessServerRegistryServiceGetDefaultKeysProcedure is the fully-qualified name of the + // KeyAccessServerRegistryService's GetDefaultKeys RPC. + KeyAccessServerRegistryServiceGetDefaultKeysProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/GetDefaultKeys" ) // These variables are the protoreflect.Descriptor objects for the RPCs defined in this package. @@ -83,6 +89,8 @@ var ( keyAccessServerRegistryServiceListKeysMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("ListKeys") keyAccessServerRegistryServiceUpdateKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("UpdateKey") keyAccessServerRegistryServiceRotateKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("RotateKey") + keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("SetDefaultKey") + keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("GetDefaultKeys") ) // KeyAccessServerRegistryServiceClient is a client for the 
@@ -106,6 +114,10 @@ type KeyAccessServerRegistryServiceClient interface { UpdateKey(context.Context, *connect.Request[kasregistry.UpdateKeyRequest]) (*connect.Response[kasregistry.UpdateKeyResponse], error) // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *connect.Request[kasregistry.RotateKeyRequest]) (*connect.Response[kasregistry.RotateKeyResponse], error) + // Request to set the default a default kas key. + SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) + // Get Default kas keys + GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) } // NewKeyAccessServerRegistryServiceClient constructs a client for the @@ -188,6 +200,18 @@ func NewKeyAccessServerRegistryServiceClient(httpClient connect.HTTPClient, base connect.WithSchema(keyAccessServerRegistryServiceRotateKeyMethodDescriptor), connect.WithClientOptions(opts...), ), + setDefaultKey: connect.NewClient[kasregistry.SetDefaultKeyRequest, kasregistry.SetDefaultKeyResponse]( + httpClient, + baseURL+KeyAccessServerRegistryServiceSetDefaultKeyProcedure, + connect.WithSchema(keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor), + connect.WithClientOptions(opts...), + ), + getDefaultKeys: connect.NewClient[kasregistry.GetDefaultKeysRequest, kasregistry.GetDefaultKeysResponse]( + httpClient, + baseURL+KeyAccessServerRegistryServiceGetDefaultKeysProcedure, + connect.WithSchema(keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor), + connect.WithClientOptions(opts...), + ), } } 
@@ -204,6 +228,8 @@ type keyAccessServerRegistryServiceClient struct { listKeys *connect.Client[kasregistry.ListKeysRequest, kasregistry.ListKeysResponse] updateKey *connect.Client[kasregistry.UpdateKeyRequest, kasregistry.UpdateKeyResponse] rotateKey *connect.Client[kasregistry.RotateKeyRequest, kasregistry.RotateKeyResponse] + setDefaultKey *connect.Client[kasregistry.SetDefaultKeyRequest, kasregistry.SetDefaultKeyResponse] + getDefaultKeys *connect.Client[kasregistry.GetDefaultKeysRequest, kasregistry.GetDefaultKeysResponse] } // ListKeyAccessServers calls @@ -266,6 +292,16 @@ func (c *keyAccessServerRegistryServiceClient) RotateKey(ctx context.Context, re return c.rotateKey.CallUnary(ctx, req) } +// SetDefaultKey calls policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey. +func (c *keyAccessServerRegistryServiceClient) SetDefaultKey(ctx context.Context, req *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) { + return c.setDefaultKey.CallUnary(ctx, req) +} + +// GetDefaultKeys calls policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys. +func (c *keyAccessServerRegistryServiceClient) GetDefaultKeys(ctx context.Context, req *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) { + return c.getDefaultKeys.CallUnary(ctx, req) +} + // KeyAccessServerRegistryServiceHandler is an implementation of the // policy.kasregistry.KeyAccessServerRegistryService service. type KeyAccessServerRegistryServiceHandler interface { 
@@ -287,6 +323,10 @@ type KeyAccessServerRegistryServiceHandler interface { UpdateKey(context.Context, *connect.Request[kasregistry.UpdateKeyRequest]) (*connect.Response[kasregistry.UpdateKeyResponse], error) // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *connect.Request[kasregistry.RotateKeyRequest]) (*connect.Response[kasregistry.RotateKeyResponse], error) + // Request to set the default a default kas key. + SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) + // Get Default kas keys + GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) } // NewKeyAccessServerRegistryServiceHandler builds an HTTP handler from the service implementation. @@ -364,6 +404,18 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService connect.WithSchema(keyAccessServerRegistryServiceRotateKeyMethodDescriptor), connect.WithHandlerOptions(opts...), ) + keyAccessServerRegistryServiceSetDefaultKeyHandler := connect.NewUnaryHandler( + KeyAccessServerRegistryServiceSetDefaultKeyProcedure, + svc.SetDefaultKey, + connect.WithSchema(keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor), + connect.WithHandlerOptions(opts...), + ) + keyAccessServerRegistryServiceGetDefaultKeysHandler := connect.NewUnaryHandler( + KeyAccessServerRegistryServiceGetDefaultKeysProcedure, + svc.GetDefaultKeys, + connect.WithSchema(keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor), + connect.WithHandlerOptions(opts...), + ) return "/policy.kasregistry.KeyAccessServerRegistryService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { case KeyAccessServerRegistryServiceListKeyAccessServersProcedure: 
@@ -388,6 +440,10 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService keyAccessServerRegistryServiceUpdateKeyHandler.ServeHTTP(w, r) case KeyAccessServerRegistryServiceRotateKeyProcedure: keyAccessServerRegistryServiceRotateKeyHandler.ServeHTTP(w, r) + case KeyAccessServerRegistryServiceSetDefaultKeyProcedure: + keyAccessServerRegistryServiceSetDefaultKeyHandler.ServeHTTP(w, r) + case KeyAccessServerRegistryServiceGetDefaultKeysProcedure: + keyAccessServerRegistryServiceGetDefaultKeysHandler.ServeHTTP(w, r) default: http.NotFound(w, r) } @@ -440,3 +496,11 @@ func (UnimplementedKeyAccessServerRegistryServiceHandler) UpdateKey(context.Cont func (UnimplementedKeyAccessServerRegistryServiceHandler) RotateKey(context.Context, *connect.Request[kasregistry.RotateKeyRequest]) (*connect.Response[kasregistry.RotateKeyResponse], error) { return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.RotateKey is not implemented")) } + +func (UnimplementedKeyAccessServerRegistryServiceHandler) SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey is not implemented")) +} + +func (UnimplementedKeyAccessServerRegistryServiceHandler) GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys is not implemented")) +} diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go index a2e8fea955..f117141363 100644 
--- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go @@ -24,6 +24,55 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +type TdfType int32 + +const ( + TdfType_TDF_TYPE_UNSPECIFIED TdfType = 0 + TdfType_TDF_TYPE_ZTDF TdfType = 1 + TdfType_TDF_TYPE_NANO TdfType = 2 +) + +// Enum value maps for TdfType. +var ( + TdfType_name = map[int32]string{ + 0: "TDF_TYPE_UNSPECIFIED", + 1: "TDF_TYPE_ZTDF", + 2: "TDF_TYPE_NANO", + } + TdfType_value = map[string]int32{ + "TDF_TYPE_UNSPECIFIED": 0, + "TDF_TYPE_ZTDF": 1, + "TDF_TYPE_NANO": 2, + } +) + +func (x TdfType) Enum() *TdfType { + p := new(TdfType) + *p = x + return p +} + +func (x TdfType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (TdfType) Descriptor() protoreflect.EnumDescriptor { + return file_policy_kasregistry_key_access_server_registry_proto_enumTypes[0].Descriptor() +} + +func (TdfType) Type() protoreflect.EnumType { + return &file_policy_kasregistry_key_access_server_registry_proto_enumTypes[0] +} + +func (x TdfType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use TdfType.Descriptor instead. +func (TdfType) EnumDescriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{0} +} + type GetKeyAccessServerRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -2768,6 +2817,371 @@ func (x *RotateKeyResponse) GetRotatedResources() *RotatedResources { return nil } +// Sets the specified key as the default key for the Key Access Server +// Note: The key must be active. +// Side effects: +// +// If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key. +type SetDefaultKeyRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + // + // Types that are assignable to ActiveKey: + // + // *SetDefaultKeyRequest_Id + // *SetDefaultKeyRequest_Key + ActiveKey isSetDefaultKeyRequest_ActiveKey `protobuf_oneof:"active_key"` + // Required + TdfType TdfType `protobuf:"varint,3,opt,name=tdf_type,json=tdfType,proto3,enum=policy.kasregistry.TdfType" json:"tdf_type,omitempty"` // The type of TDF (e.g., ZTDF, Nano) +} + +func (x *SetDefaultKeyRequest) Reset() { + *x = SetDefaultKeyRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SetDefaultKeyRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetDefaultKeyRequest) ProtoMessage() {} + +func (x *SetDefaultKeyRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetDefaultKeyRequest.ProtoReflect.Descriptor instead. 
+func (*SetDefaultKeyRequest) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{41} +} + +func (m *SetDefaultKeyRequest) GetActiveKey() isSetDefaultKeyRequest_ActiveKey { + if m != nil { + return m.ActiveKey + } + return nil +} + +func (x *SetDefaultKeyRequest) GetId() string { + if x, ok := x.GetActiveKey().(*SetDefaultKeyRequest_Id); ok { + return x.Id + } + return "" +} + +func (x *SetDefaultKeyRequest) GetKey() *KasKeyIdentifier { + if x, ok := x.GetActiveKey().(*SetDefaultKeyRequest_Key); ok { + return x.Key + } + return nil +} + +func (x *SetDefaultKeyRequest) GetTdfType() TdfType { + if x != nil { + return x.TdfType + } + return TdfType_TDF_TYPE_UNSPECIFIED +} + +type isSetDefaultKeyRequest_ActiveKey interface { + isSetDefaultKeyRequest_ActiveKey() +} + +type SetDefaultKeyRequest_Id struct { + // Current Key UUID tp be set as default + Id string `protobuf:"bytes,1,opt,name=id,proto3,oneof"` +} + +type SetDefaultKeyRequest_Key struct { + // Alternative way to specify the key using KAS ID and Key ID + Key *KasKeyIdentifier `protobuf:"bytes,2,opt,name=key,proto3,oneof"` +} + +func (*SetDefaultKeyRequest_Id) isSetDefaultKeyRequest_ActiveKey() {} + +func (*SetDefaultKeyRequest_Key) isSetDefaultKeyRequest_ActiveKey() {} + +type DefaultKasPublicKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` + Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"` +} + +func (x *DefaultKasPublicKey) Reset() { + *x = DefaultKasPublicKey{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x 
*DefaultKasPublicKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefaultKasPublicKey) ProtoMessage() {} + +func (x *DefaultKasPublicKey) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefaultKasPublicKey.ProtoReflect.Descriptor instead. +func (*DefaultKasPublicKey) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{42} +} + +func (x *DefaultKasPublicKey) GetAlgorithm() string { + if x != nil { + return x.Algorithm + } + return "" +} + +func (x *DefaultKasPublicKey) GetKid() string { + if x != nil { + return x.Kid + } + return "" +} + +func (x *DefaultKasPublicKey) GetPem() string { + if x != nil { + return x.Pem + } + return "" +} + +type DefaultKasKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + TdfType string `protobuf:"bytes,1,opt,name=tdf_type,json=tdfType,proto3" json:"tdf_type,omitempty"` // The type of TDF (e.g., ZTDF, Nano) + KasUri string `protobuf:"bytes,2,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` // The URL of the Key Access Server + PublicKey *DefaultKasPublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The public key of the Key that belongs to the KAS +} + +func (x *DefaultKasKey) Reset() { + *x = DefaultKasKey{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DefaultKasKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefaultKasKey) 
ProtoMessage() {} + +func (x *DefaultKasKey) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefaultKasKey.ProtoReflect.Descriptor instead. +func (*DefaultKasKey) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{43} +} + +func (x *DefaultKasKey) GetTdfType() string { + if x != nil { + return x.TdfType + } + return "" +} + +func (x *DefaultKasKey) GetKasUri() string { + if x != nil { + return x.KasUri + } + return "" +} + +func (x *DefaultKasKey) GetPublicKey() *DefaultKasPublicKey { + if x != nil { + return x.PublicKey + } + return nil +} + +type GetDefaultKeysRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *GetDefaultKeysRequest) Reset() { + *x = GetDefaultKeysRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefaultKeysRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefaultKeysRequest) ProtoMessage() {} + +func (x *GetDefaultKeysRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefaultKeysRequest.ProtoReflect.Descriptor instead. 
+func (*GetDefaultKeysRequest) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{44} +} + +type GetDefaultKeysResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefaultKasKeys []*DefaultKasKey `protobuf:"bytes,1,rep,name=default_kas_keys,json=defaultKasKeys,proto3" json:"default_kas_keys,omitempty"` // The list of default keys +} + +func (x *GetDefaultKeysResponse) Reset() { + *x = GetDefaultKeysResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefaultKeysResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefaultKeysResponse) ProtoMessage() {} + +func (x *GetDefaultKeysResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefaultKeysResponse.ProtoReflect.Descriptor instead. 
+func (*GetDefaultKeysResponse) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{45} +} + +func (x *GetDefaultKeysResponse) GetDefaultKasKeys() []*DefaultKasKey { + if x != nil { + return x.DefaultKasKeys + } + return nil +} + +type SetDefaultKeyResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + NewDefaultKasKey *DefaultKasKey `protobuf:"bytes,1,opt,name=new_default_kas_key,json=newDefaultKasKey,proto3" json:"new_default_kas_key,omitempty"` // The key that was set as default + PreviousDefaultKasKey *DefaultKasKey `protobuf:"bytes,2,opt,name=previous_default_kas_key,json=previousDefaultKasKey,proto3" json:"previous_default_kas_key,omitempty"` // The previous default key, if any +} + +func (x *SetDefaultKeyResponse) Reset() { + *x = SetDefaultKeyResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SetDefaultKeyResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetDefaultKeyResponse) ProtoMessage() {} + +func (x *SetDefaultKeyResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetDefaultKeyResponse.ProtoReflect.Descriptor instead. 
+func (*SetDefaultKeyResponse) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{46} +} + +func (x *SetDefaultKeyResponse) GetNewDefaultKasKey() *DefaultKasKey { + if x != nil { + return x.NewDefaultKasKey + } + return nil +} + +func (x *SetDefaultKeyResponse) GetPreviousDefaultKasKey() *DefaultKasKey { + if x != nil { + return x.PreviousDefaultKasKey + } + return nil +} + type ListPublicKeyMappingResponse_PublicKeyMapping struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -2782,7 +3196,7 @@ type ListPublicKeyMappingResponse_PublicKeyMapping struct { func (x *ListPublicKeyMappingResponse_PublicKeyMapping) Reset() { *x = ListPublicKeyMappingResponse_PublicKeyMapping{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2795,7 +3209,7 @@ func (x *ListPublicKeyMappingResponse_PublicKeyMapping) String() string { func (*ListPublicKeyMappingResponse_PublicKeyMapping) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_PublicKeyMapping) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2853,7 +3267,7 @@ type ListPublicKeyMappingResponse_PublicKey struct { func (x *ListPublicKeyMappingResponse_PublicKey) Reset() { *x = ListPublicKeyMappingResponse_PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2866,7 +3280,7 @@ func (x *ListPublicKeyMappingResponse_PublicKey) String() string { func (*ListPublicKeyMappingResponse_PublicKey) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2922,7 +3336,7 @@ type ListPublicKeyMappingResponse_Association struct { func (x *ListPublicKeyMappingResponse_Association) Reset() { *x = ListPublicKeyMappingResponse_Association{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2935,7 +3349,7 @@ func (x *ListPublicKeyMappingResponse_Association) String() string { func (*ListPublicKeyMappingResponse_Association) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_Association) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2990,7 +3404,7 @@ type RotateKeyRequest_NewKey struct { func (x *RotateKeyRequest_NewKey) Reset() { *x = RotateKeyRequest_NewKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3003,7 +3417,7 @@ func (x *RotateKeyRequest_NewKey) String() string { func (*RotateKeyRequest_NewKey) ProtoMessage() {} func (x *RotateKeyRequest_NewKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -3755,112 +4169,177 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x10, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, - 0x32, 0xad, 0x0b, 0x0a, 0x1e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, - 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, + 0x22, 0xc5, 0x01, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x48, + 0x00, 0x52, 0x02, 0x69, 0x64, 0x12, 0x38, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, + 0x42, 0x0a, 0x08, 0x74, 0x64, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x54, 0x64, 0x66, 0x54, 0x79, 0x70, 0x65, 0x42, 0x0a, + 0xba, 0x48, 0x07, 0x82, 0x01, 0x04, 0x18, 0x01, 0x18, 0x02, 0x52, 0x07, 0x74, 0x64, 0x66, 0x54, + 0x79, 0x70, 0x65, 0x42, 0x13, 0x0a, 0x0a, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x6b, 0x65, + 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 
0x08, 0x01, 0x22, 0x57, 0x0a, 0x13, 0x44, 0x65, 0x66, 0x61, + 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, 0x0a, + 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, + 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x65, + 0x6d, 0x22, 0x8b, 0x01, 0x0a, 0x0d, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, + 0x4b, 0x65, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x64, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x74, 0x64, 0x66, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, + 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x12, 0x46, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, + 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, + 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, + 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x65, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x44, + 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x10, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x61, + 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 
0x73, 0x74, 0x72, - 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, + 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, + 0x0e, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x22, + 0xc5, 0x01, 0x0a, 0x15, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, + 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x50, 0x0a, 0x13, 0x6e, 0x65, 0x77, + 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, + 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x10, 0x6e, 0x65, 0x77, 0x44, 0x65, + 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x5a, 0x0a, 0x18, 0x70, + 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, + 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, - 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 
0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, - 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x72, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, + 0x52, 0x15, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, + 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x2a, 0x49, 0x0a, 0x07, 0x54, 0x64, 0x66, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, + 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x11, 0x0a, 0x0d, + 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x5a, 0x54, 0x44, 0x46, 0x10, 0x01, 0x12, + 0x11, 0x0a, 0x0d, 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4e, 0x41, 0x4e, 0x4f, + 0x10, 0x02, 0x32, 0x80, 0x0d, 0x0a, 0x1e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, 
0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, + 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, + 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, + 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 
+ 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, - 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, + 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, + 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 
0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, - 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, - 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, - 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, + 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, + 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 
0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, - 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, - 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, - 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, - 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 
0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, - 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, - 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, + 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, + 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, + 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, + 0x12, 0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 
0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, + 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, + 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, + 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, + 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, + 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, + 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, - 0x79, 
0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, - 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, - 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x00, 
0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, + 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, + 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x00, 0x12, 0x66, 0x0a, 0x0d, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, + 0x4b, 0x65, 0x79, 0x12, 0x28, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, + 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x52, 
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x69, 0x0a, 0x0e, 0x47, 0x65, + 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x29, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x79, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, + 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, + 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, + 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, + 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50, + 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 
0x02, 0x1e, 0x50, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -3875,167 +4354,185 @@ func file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP() []by return file_policy_kasregistry_key_access_server_registry_proto_rawDescData } -var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 45) +var file_policy_kasregistry_key_access_server_registry_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 51) var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interface{}{ - (*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest - (*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse - (*ListKeyAccessServersRequest)(nil), // 2: policy.kasregistry.ListKeyAccessServersRequest - (*ListKeyAccessServersResponse)(nil), // 3: policy.kasregistry.ListKeyAccessServersResponse - (*CreateKeyAccessServerRequest)(nil), // 4: policy.kasregistry.CreateKeyAccessServerRequest - (*CreateKeyAccessServerResponse)(nil), // 5: policy.kasregistry.CreateKeyAccessServerResponse - (*UpdateKeyAccessServerRequest)(nil), // 6: policy.kasregistry.UpdateKeyAccessServerRequest - (*UpdateKeyAccessServerResponse)(nil), // 7: policy.kasregistry.UpdateKeyAccessServerResponse - (*DeleteKeyAccessServerRequest)(nil), // 8: policy.kasregistry.DeleteKeyAccessServerRequest - (*DeleteKeyAccessServerResponse)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerResponse - (*GrantedPolicyObject)(nil), // 10: policy.kasregistry.GrantedPolicyObject - (*KeyAccessServerGrants)(nil), // 11: policy.kasregistry.KeyAccessServerGrants - (*CreatePublicKeyRequest)(nil), // 12: policy.kasregistry.CreatePublicKeyRequest - (*CreatePublicKeyResponse)(nil), // 13: policy.kasregistry.CreatePublicKeyResponse - (*GetPublicKeyRequest)(nil), // 14: policy.kasregistry.GetPublicKeyRequest - (*GetPublicKeyResponse)(nil), // 15: 
policy.kasregistry.GetPublicKeyResponse - (*ListPublicKeysRequest)(nil), // 16: policy.kasregistry.ListPublicKeysRequest - (*ListPublicKeysResponse)(nil), // 17: policy.kasregistry.ListPublicKeysResponse - (*ListPublicKeyMappingRequest)(nil), // 18: policy.kasregistry.ListPublicKeyMappingRequest - (*ListPublicKeyMappingResponse)(nil), // 19: policy.kasregistry.ListPublicKeyMappingResponse - (*UpdatePublicKeyRequest)(nil), // 20: policy.kasregistry.UpdatePublicKeyRequest - (*UpdatePublicKeyResponse)(nil), // 21: policy.kasregistry.UpdatePublicKeyResponse - (*DeactivatePublicKeyRequest)(nil), // 22: policy.kasregistry.DeactivatePublicKeyRequest - (*DeactivatePublicKeyResponse)(nil), // 23: policy.kasregistry.DeactivatePublicKeyResponse - (*ActivatePublicKeyRequest)(nil), // 24: policy.kasregistry.ActivatePublicKeyRequest - (*ActivatePublicKeyResponse)(nil), // 25: policy.kasregistry.ActivatePublicKeyResponse - (*ListKeyAccessServerGrantsRequest)(nil), // 26: policy.kasregistry.ListKeyAccessServerGrantsRequest - (*ListKeyAccessServerGrantsResponse)(nil), // 27: policy.kasregistry.ListKeyAccessServerGrantsResponse - (*CreateKeyRequest)(nil), // 28: policy.kasregistry.CreateKeyRequest - (*CreateKeyResponse)(nil), // 29: policy.kasregistry.CreateKeyResponse - (*GetKeyRequest)(nil), // 30: policy.kasregistry.GetKeyRequest - (*GetKeyResponse)(nil), // 31: policy.kasregistry.GetKeyResponse - (*ListKeysRequest)(nil), // 32: policy.kasregistry.ListKeysRequest - (*ListKeysResponse)(nil), // 33: policy.kasregistry.ListKeysResponse - (*UpdateKeyRequest)(nil), // 34: policy.kasregistry.UpdateKeyRequest - (*UpdateKeyResponse)(nil), // 35: policy.kasregistry.UpdateKeyResponse - (*KasKeyIdentifier)(nil), // 36: policy.kasregistry.KasKeyIdentifier - (*RotateKeyRequest)(nil), // 37: policy.kasregistry.RotateKeyRequest - (*ChangeMappings)(nil), // 38: policy.kasregistry.ChangeMappings - (*RotatedResources)(nil), // 39: policy.kasregistry.RotatedResources - (*RotateKeyResponse)(nil), // 
40: policy.kasregistry.RotateKeyResponse - (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 41: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - (*ListPublicKeyMappingResponse_PublicKey)(nil), // 42: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - (*ListPublicKeyMappingResponse_Association)(nil), // 43: policy.kasregistry.ListPublicKeyMappingResponse.Association - (*RotateKeyRequest_NewKey)(nil), // 44: policy.kasregistry.RotateKeyRequest.NewKey - (*policy.KeyAccessServer)(nil), // 45: policy.KeyAccessServer - (*policy.PageRequest)(nil), // 46: policy.PageRequest - (*policy.PageResponse)(nil), // 47: policy.PageResponse - (*policy.PublicKey)(nil), // 48: policy.PublicKey - (policy.SourceType)(0), // 49: policy.SourceType - (*common.MetadataMutable)(nil), // 50: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 51: common.MetadataUpdateEnum - (*policy.KasPublicKey)(nil), // 52: policy.KasPublicKey - (*policy.Key)(nil), // 53: policy.Key - (policy.Algorithm)(0), // 54: policy.Algorithm - (policy.KeyMode)(0), // 55: policy.KeyMode - (*policy.KasPublicKeyCtx)(nil), // 56: policy.KasPublicKeyCtx - (*policy.KasPrivateKeyCtx)(nil), // 57: policy.KasPrivateKeyCtx - (*policy.KasKey)(nil), // 58: policy.KasKey - (policy.KeyStatus)(0), // 59: policy.KeyStatus + (TdfType)(0), // 0: policy.kasregistry.TdfType + (*GetKeyAccessServerRequest)(nil), // 1: policy.kasregistry.GetKeyAccessServerRequest + (*GetKeyAccessServerResponse)(nil), // 2: policy.kasregistry.GetKeyAccessServerResponse + (*ListKeyAccessServersRequest)(nil), // 3: policy.kasregistry.ListKeyAccessServersRequest + (*ListKeyAccessServersResponse)(nil), // 4: policy.kasregistry.ListKeyAccessServersResponse + (*CreateKeyAccessServerRequest)(nil), // 5: policy.kasregistry.CreateKeyAccessServerRequest + (*CreateKeyAccessServerResponse)(nil), // 6: policy.kasregistry.CreateKeyAccessServerResponse + (*UpdateKeyAccessServerRequest)(nil), // 7: 
policy.kasregistry.UpdateKeyAccessServerRequest + (*UpdateKeyAccessServerResponse)(nil), // 8: policy.kasregistry.UpdateKeyAccessServerResponse + (*DeleteKeyAccessServerRequest)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerRequest + (*DeleteKeyAccessServerResponse)(nil), // 10: policy.kasregistry.DeleteKeyAccessServerResponse + (*GrantedPolicyObject)(nil), // 11: policy.kasregistry.GrantedPolicyObject + (*KeyAccessServerGrants)(nil), // 12: policy.kasregistry.KeyAccessServerGrants + (*CreatePublicKeyRequest)(nil), // 13: policy.kasregistry.CreatePublicKeyRequest + (*CreatePublicKeyResponse)(nil), // 14: policy.kasregistry.CreatePublicKeyResponse + (*GetPublicKeyRequest)(nil), // 15: policy.kasregistry.GetPublicKeyRequest + (*GetPublicKeyResponse)(nil), // 16: policy.kasregistry.GetPublicKeyResponse + (*ListPublicKeysRequest)(nil), // 17: policy.kasregistry.ListPublicKeysRequest + (*ListPublicKeysResponse)(nil), // 18: policy.kasregistry.ListPublicKeysResponse + (*ListPublicKeyMappingRequest)(nil), // 19: policy.kasregistry.ListPublicKeyMappingRequest + (*ListPublicKeyMappingResponse)(nil), // 20: policy.kasregistry.ListPublicKeyMappingResponse + (*UpdatePublicKeyRequest)(nil), // 21: policy.kasregistry.UpdatePublicKeyRequest + (*UpdatePublicKeyResponse)(nil), // 22: policy.kasregistry.UpdatePublicKeyResponse + (*DeactivatePublicKeyRequest)(nil), // 23: policy.kasregistry.DeactivatePublicKeyRequest + (*DeactivatePublicKeyResponse)(nil), // 24: policy.kasregistry.DeactivatePublicKeyResponse + (*ActivatePublicKeyRequest)(nil), // 25: policy.kasregistry.ActivatePublicKeyRequest + (*ActivatePublicKeyResponse)(nil), // 26: policy.kasregistry.ActivatePublicKeyResponse + (*ListKeyAccessServerGrantsRequest)(nil), // 27: policy.kasregistry.ListKeyAccessServerGrantsRequest + (*ListKeyAccessServerGrantsResponse)(nil), // 28: policy.kasregistry.ListKeyAccessServerGrantsResponse + (*CreateKeyRequest)(nil), // 29: policy.kasregistry.CreateKeyRequest + 
(*CreateKeyResponse)(nil), // 30: policy.kasregistry.CreateKeyResponse + (*GetKeyRequest)(nil), // 31: policy.kasregistry.GetKeyRequest + (*GetKeyResponse)(nil), // 32: policy.kasregistry.GetKeyResponse + (*ListKeysRequest)(nil), // 33: policy.kasregistry.ListKeysRequest + (*ListKeysResponse)(nil), // 34: policy.kasregistry.ListKeysResponse + (*UpdateKeyRequest)(nil), // 35: policy.kasregistry.UpdateKeyRequest + (*UpdateKeyResponse)(nil), // 36: policy.kasregistry.UpdateKeyResponse + (*KasKeyIdentifier)(nil), // 37: policy.kasregistry.KasKeyIdentifier + (*RotateKeyRequest)(nil), // 38: policy.kasregistry.RotateKeyRequest + (*ChangeMappings)(nil), // 39: policy.kasregistry.ChangeMappings + (*RotatedResources)(nil), // 40: policy.kasregistry.RotatedResources + (*RotateKeyResponse)(nil), // 41: policy.kasregistry.RotateKeyResponse + (*SetDefaultKeyRequest)(nil), // 42: policy.kasregistry.SetDefaultKeyRequest + (*DefaultKasPublicKey)(nil), // 43: policy.kasregistry.DefaultKasPublicKey + (*DefaultKasKey)(nil), // 44: policy.kasregistry.DefaultKasKey + (*GetDefaultKeysRequest)(nil), // 45: policy.kasregistry.GetDefaultKeysRequest + (*GetDefaultKeysResponse)(nil), // 46: policy.kasregistry.GetDefaultKeysResponse + (*SetDefaultKeyResponse)(nil), // 47: policy.kasregistry.SetDefaultKeyResponse + (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 48: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + (*ListPublicKeyMappingResponse_PublicKey)(nil), // 49: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + (*ListPublicKeyMappingResponse_Association)(nil), // 50: policy.kasregistry.ListPublicKeyMappingResponse.Association + (*RotateKeyRequest_NewKey)(nil), // 51: policy.kasregistry.RotateKeyRequest.NewKey + (*policy.KeyAccessServer)(nil), // 52: policy.KeyAccessServer + (*policy.PageRequest)(nil), // 53: policy.PageRequest + (*policy.PageResponse)(nil), // 54: policy.PageResponse + (*policy.PublicKey)(nil), // 55: policy.PublicKey + 
(policy.SourceType)(0), // 56: policy.SourceType + (*common.MetadataMutable)(nil), // 57: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 58: common.MetadataUpdateEnum + (*policy.KasPublicKey)(nil), // 59: policy.KasPublicKey + (*policy.Key)(nil), // 60: policy.Key + (policy.Algorithm)(0), // 61: policy.Algorithm + (policy.KeyMode)(0), // 62: policy.KeyMode + (*policy.KasPublicKeyCtx)(nil), // 63: policy.KasPublicKeyCtx + (*policy.KasPrivateKeyCtx)(nil), // 64: policy.KasPrivateKeyCtx + (*policy.KasKey)(nil), // 65: policy.KasKey + (policy.KeyStatus)(0), // 66: policy.KeyStatus } var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{ - 45, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 46, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest - 45, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer - 47, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse - 48, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 49, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 50, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 45, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 48, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 49, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 50, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 51, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 45, // 12: 
policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 45, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 45, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer - 10, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 10, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 10, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 52, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey - 50, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 53, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key - 53, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key - 46, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest - 53, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key - 47, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse - 46, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest - 41, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - 47, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse - 50, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 51, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 53, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key 
- 53, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key - 53, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key - 46, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest - 11, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants - 47, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse - 54, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm - 55, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode - 56, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.KasPublicKeyCtx - 57, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.KasPrivateKeyCtx - 50, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable - 58, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey - 36, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 58, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey - 54, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm - 46, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest - 58, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey - 47, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse - 59, // 48: policy.kasregistry.UpdateKeyRequest.key_status:type_name -> policy.KeyStatus - 50, // 49: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable - 51, // 50: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 58, // 51: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> 
policy.KasKey - 36, // 52: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 44, // 53: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey - 58, // 54: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey - 38, // 55: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> policy.kasregistry.ChangeMappings - 38, // 56: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings - 38, // 57: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings - 58, // 58: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey - 39, // 59: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources - 42, // 60: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - 53, // 61: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key - 43, // 62: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 43, // 63: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 43, // 64: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 54, // 65: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm - 55, // 66: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode - 56, // 67: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.KasPublicKeyCtx - 57, // 68: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> 
policy.KasPrivateKeyCtx - 50, // 69: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable - 2, // 70: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest - 0, // 71: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest - 4, // 72: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest - 6, // 73: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest - 8, // 74: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest - 26, // 75: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest - 28, // 76: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest - 30, // 77: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest - 32, // 78: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest - 34, // 79: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest - 37, // 80: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest - 3, // 81: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse - 1, // 82: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse - 5, // 83: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> 
policy.kasregistry.CreateKeyAccessServerResponse - 7, // 84: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse - 9, // 85: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse - 27, // 86: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse - 29, // 87: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse - 31, // 88: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse - 33, // 89: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse - 35, // 90: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse - 40, // 91: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse - 81, // [81:92] is the sub-list for method output_type - 70, // [70:81] is the sub-list for method input_type - 70, // [70:70] is the sub-list for extension type_name - 70, // [70:70] is the sub-list for extension extendee - 0, // [0:70] is the sub-list for field type_name + 52, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 53, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest + 52, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer + 54, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse + 55, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 56, // 5: 
policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 57, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 52, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 55, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 56, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 57, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 58, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 52, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 52, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 52, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer + 11, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 11, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 11, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 59, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey + 57, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 60, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key + 60, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key + 53, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest + 60, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key + 54, // 
24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse + 53, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest + 48, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + 54, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse + 57, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 58, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 60, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key + 60, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key + 60, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key + 53, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest + 12, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants + 54, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse + 61, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm + 62, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode + 63, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.KasPublicKeyCtx + 64, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.KasPrivateKeyCtx + 57, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable + 65, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey + 37, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 65, // 43: 
policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey + 61, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm + 53, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest + 65, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey + 54, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse + 66, // 48: policy.kasregistry.UpdateKeyRequest.key_status:type_name -> policy.KeyStatus + 57, // 49: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable + 58, // 50: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 65, // 51: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey + 37, // 52: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 51, // 53: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey + 65, // 54: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey + 39, // 55: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> policy.kasregistry.ChangeMappings + 39, // 56: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings + 39, // 57: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings + 65, // 58: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey + 40, // 59: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources + 37, // 60: policy.kasregistry.SetDefaultKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 0, // 61: policy.kasregistry.SetDefaultKeyRequest.tdf_type:type_name -> policy.kasregistry.TdfType + 43, // 62: policy.kasregistry.DefaultKasKey.public_key:type_name -> policy.kasregistry.DefaultKasPublicKey 
+ 44, // 63: policy.kasregistry.GetDefaultKeysResponse.default_kas_keys:type_name -> policy.kasregistry.DefaultKasKey + 44, // 64: policy.kasregistry.SetDefaultKeyResponse.new_default_kas_key:type_name -> policy.kasregistry.DefaultKasKey + 44, // 65: policy.kasregistry.SetDefaultKeyResponse.previous_default_kas_key:type_name -> policy.kasregistry.DefaultKasKey + 49, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + 60, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key + 50, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 50, // 69: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 50, // 70: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm + 62, // 72: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode + 63, // 73: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.KasPublicKeyCtx + 64, // 74: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.KasPrivateKeyCtx + 57, // 75: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable + 3, // 76: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest + 1, // 77: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest + 5, // 78: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> 
policy.kasregistry.CreateKeyAccessServerRequest + 7, // 79: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest + 9, // 80: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest + 27, // 81: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest + 29, // 82: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest + 31, // 83: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest + 33, // 84: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest + 35, // 85: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest + 38, // 86: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest + 42, // 87: policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey:input_type -> policy.kasregistry.SetDefaultKeyRequest + 45, // 88: policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys:input_type -> policy.kasregistry.GetDefaultKeysRequest + 4, // 89: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse + 2, // 90: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse + 6, // 91: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse + 8, // 92: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse + 10, // 93: 
policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse + 28, // 94: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse + 30, // 95: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse + 32, // 96: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse + 34, // 97: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse + 36, // 98: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse + 41, // 99: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse + 47, // 100: policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey:output_type -> policy.kasregistry.SetDefaultKeyResponse + 46, // 101: policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys:output_type -> policy.kasregistry.GetDefaultKeysResponse + 89, // [89:102] is the sub-list for method output_type + 76, // [76:89] is the sub-list for method input_type + 76, // [76:76] is the sub-list for extension type_name + 76, // [76:76] is the sub-list for extension extendee + 0, // [0:76] is the sub-list for field type_name } func init() { file_policy_kasregistry_key_access_server_registry_proto_init() } @@ -4537,7 +5034,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListPublicKeyMappingResponse_PublicKeyMapping); i { + switch v := v.(*SetDefaultKeyRequest); i { case 0: return &v.state case 1: 
@@ -4549,7 +5046,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListPublicKeyMappingResponse_PublicKey); i { + switch v := v.(*DefaultKasPublicKey); i { case 0: return &v.state case 1: @@ -4561,7 +5058,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListPublicKeyMappingResponse_Association); i { + switch v := v.(*DefaultKasKey); i { case 0: return &v.state case 1: 
@@ -4573,6 +5070,78 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefaultKeysRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefaultKeysResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SetDefaultKeyResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListPublicKeyMappingResponse_PublicKeyMapping); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListPublicKeyMappingResponse_PublicKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListPublicKeyMappingResponse_Association); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + 
file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RotateKeyRequest_NewKey); i { case 0: return &v.state @@ -4621,18 +5190,23 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { (*RotateKeyRequest_Id)(nil), (*RotateKeyRequest_Key)(nil), } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41].OneofWrappers = []interface{}{ + (*SetDefaultKeyRequest_Id)(nil), + (*SetDefaultKeyRequest_Key)(nil), + } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_kasregistry_key_access_server_registry_proto_rawDesc, - NumEnums: 0, - NumMessages: 45, + NumEnums: 1, + NumMessages: 51, NumExtensions: 0, NumServices: 1, }, GoTypes: file_policy_kasregistry_key_access_server_registry_proto_goTypes, DependencyIndexes: file_policy_kasregistry_key_access_server_registry_proto_depIdxs, + EnumInfos: file_policy_kasregistry_key_access_server_registry_proto_enumTypes, MessageInfos: file_policy_kasregistry_key_access_server_registry_proto_msgTypes, }.Build() File_policy_kasregistry_key_access_server_registry_proto = out.File diff --git a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go index fa958ab444..d37de0099c 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go 
@@ -30,6 +30,8 @@ const ( KeyAccessServerRegistryService_ListKeys_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeys" KeyAccessServerRegistryService_UpdateKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/UpdateKey" KeyAccessServerRegistryService_RotateKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/RotateKey" + KeyAccessServerRegistryService_SetDefaultKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/SetDefaultKey" + KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetDefaultKeys" ) // KeyAccessServerRegistryServiceClient is the client API for KeyAccessServerRegistryService service. @@ -54,6 +56,10 @@ type KeyAccessServerRegistryServiceClient interface { UpdateKey(ctx context.Context, in *UpdateKeyRequest, opts ...grpc.CallOption) (*UpdateKeyResponse, error) // Request to rotate a key in the Key Access Service. RotateKey(ctx context.Context, in *RotateKeyRequest, opts ...grpc.CallOption) (*RotateKeyResponse, error) + // Request to set the default a default kas key. + SetDefaultKey(ctx context.Context, in *SetDefaultKeyRequest, opts ...grpc.CallOption) (*SetDefaultKeyResponse, error) + // Get Default kas keys + GetDefaultKeys(ctx context.Context, in *GetDefaultKeysRequest, opts ...grpc.CallOption) (*GetDefaultKeysResponse, error) } type keyAccessServerRegistryServiceClient struct { 
@@ -163,6 +169,24 @@ func (c *keyAccessServerRegistryServiceClient) RotateKey(ctx context.Context, in return out, nil } +func (c *keyAccessServerRegistryServiceClient) SetDefaultKey(ctx context.Context, in *SetDefaultKeyRequest, opts ...grpc.CallOption) (*SetDefaultKeyResponse, error) { + out := new(SetDefaultKeyResponse) + err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_SetDefaultKey_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *keyAccessServerRegistryServiceClient) GetDefaultKeys(ctx context.Context, in *GetDefaultKeysRequest, opts ...grpc.CallOption) (*GetDefaultKeysResponse, error) { + out := new(GetDefaultKeysResponse) + err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // KeyAccessServerRegistryServiceServer is the server API for KeyAccessServerRegistryService service. // All implementations must embed UnimplementedKeyAccessServerRegistryServiceServer // for forward compatibility @@ -185,6 +209,10 @@ type KeyAccessServerRegistryServiceServer interface { UpdateKey(context.Context, *UpdateKeyRequest) (*UpdateKeyResponse, error) // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error) + // Request to set the default a default kas key. + SetDefaultKey(context.Context, *SetDefaultKeyRequest) (*SetDefaultKeyResponse, error) + // Get Default kas keys + GetDefaultKeys(context.Context, *GetDefaultKeysRequest) (*GetDefaultKeysResponse, error) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() } 
@@ -225,6 +253,12 @@ func (UnimplementedKeyAccessServerRegistryServiceServer) UpdateKey(context.Conte func (UnimplementedKeyAccessServerRegistryServiceServer) RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method RotateKey not implemented") } +func (UnimplementedKeyAccessServerRegistryServiceServer) SetDefaultKey(context.Context, *SetDefaultKeyRequest) (*SetDefaultKeyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method SetDefaultKey not implemented") +} +func (UnimplementedKeyAccessServerRegistryServiceServer) GetDefaultKeys(context.Context, *GetDefaultKeysRequest) (*GetDefaultKeysResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetDefaultKeys not implemented") +} func (UnimplementedKeyAccessServerRegistryServiceServer) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() { } 
@@ -437,6 +471,42 @@ func _KeyAccessServerRegistryService_RotateKey_Handler(srv interface{}, ctx cont return interceptor(ctx, in, info, handler) } +func _KeyAccessServerRegistryService_SetDefaultKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SetDefaultKeyRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyAccessServerRegistryServiceServer).SetDefaultKey(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyAccessServerRegistryService_SetDefaultKey_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyAccessServerRegistryServiceServer).SetDefaultKey(ctx, req.(*SetDefaultKeyRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _KeyAccessServerRegistryService_GetDefaultKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetDefaultKeysRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyAccessServerRegistryServiceServer).GetDefaultKeys(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyAccessServerRegistryServiceServer).GetDefaultKeys(ctx, req.(*GetDefaultKeysRequest)) + } + return interceptor(ctx, in, info, handler) +} + // KeyAccessServerRegistryService_ServiceDesc is the grpc.ServiceDesc for KeyAccessServerRegistryService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) 
@@ -488,6 +558,14 @@ var KeyAccessServerRegistryService_ServiceDesc = grpc.ServiceDesc{ MethodName: "RotateKey", Handler: _KeyAccessServerRegistryService_RotateKey_Handler, }, + { + MethodName: "SetDefaultKey", + Handler: _KeyAccessServerRegistryService_SetDefaultKey_Handler, + }, + { + MethodName: "GetDefaultKeys", + Handler: _KeyAccessServerRegistryService_GetDefaultKeys_Handler, + }, }, Streams: []grpc.StreamDesc{}, Metadata: "policy/kasregistry/key_access_server_registry.proto", diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index 36ab8ce9e5..ef4aeccb77 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go @@ -2315,7 +2315,7 @@ type AsymmetricKey struct { KeyMode KeyMode `protobuf:"varint,5,opt,name=key_mode,json=keyMode,proto3,enum=policy.KeyMode" json:"key_mode,omitempty"` // Specifies how the key is managed (local or remote) // Required PublicKeyCtx *KasPublicKeyCtx `protobuf:"bytes,6,opt,name=public_key_ctx,json=publicKeyCtx,proto3" json:"public_key_ctx,omitempty"` // Specific structure based on key provider implementation - // Optional + // Required PrivateKeyCtx *KasPrivateKeyCtx `protobuf:"bytes,7,opt,name=private_key_ctx,json=privateKeyCtx,proto3" json:"private_key_ctx,omitempty"` // Specific structure based on key provider implementation // Optional ProviderConfig *KeyProviderConfig `protobuf:"bytes,8,opt,name=provider_config,json=providerConfig,proto3" json:"provider_config,omitempty"` // Configuration for the key provider diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index 80d72e2ce6..f916e6f7a1 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go 
@@ -100,20 +100,6 @@ func (s *KasRegistryKeySuite) Test_CreateKasKey_ProviderConfigInvalid_Fail() { s.Require().ErrorContains(err, db.ErrTextNotFound) } -func (s *KasRegistryKeySuite) Test_CreateKasKey_ActiveKeyForAlgoExists_Fail() { - req := kasregistry.CreateKeyRequest{ - KasId: s.kasKeys[0].KeyAccessServerID, - KeyId: validKeyID1, - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_REMOTE, - PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, - } - resp, err := s.db.PolicyClient.CreateKey(s.ctx, &req) - s.Require().Error(err) - s.Require().ErrorContains(err, "cannot create a new key") - s.Nil(resp) -} - func (s *KasRegistryKeySuite) Test_CreateKasKey_NonBase64Ctx_Fail() { nonBase64Ctx := `{"pem: "value"}` req := kasregistry.CreateKeyRequest{ @@ -533,12 +519,11 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac []string{attrValue.GetId(), nonUpdatedAttrValue.GetId()}, []string{namespaceMap[rotateKey][0].GetId(), namespaceMap[nonRotateKey][0].GetId()}, []string{attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId()}, - []string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, - []string{kas.GetId()}, ) + s.cleanupKeys([]string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, + []string{kas.GetId()}) } -// Should probably add a test where there are more than one of each attribute granularity to be rotated and make sure I get them // For example, 2 attributes, 0 namespaces, 1 attribute value. func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success() { // Create a new KAS server 
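Review bot: The comment left above Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success in the `@@ -533` hunk no longer describes the test: its lead-in sentence was removed, and the surviving `// For example, 2 attributes, 0 namespaces, 1 attribute value.` contradicts the function name (two namespaces, zero attribute values). Replace it with a comment that states the scenario the name promises, e.g. `// Rotates a key mapped to two attributes and two namespaces (no attribute values).` The body of that test sits outside the hunk, so the exact set of mappings it creates cannot be confirmed from here.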
@@ -669,9 +654,9 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri []string{}, namespaceIDs, attributeIDs, - []string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, - []string{kas.GetId()}, ) + s.cleanupKeys([]string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, + []string{kas.GetId()}) } func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { @@ -694,6 +679,12 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { WrappedKey: keyCtx, }, } + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) 
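Review bot: The new `s.Empty(defaultKasKeys)` precondition in the `@@ -694` hunk of Test_RotateKey_NoAttributeKeyMapping_Success reads a registry-wide default-key list rather than anything scoped to the KAS this test creates, so the test now fails whenever any other test in the suite leaves a default mapping behind, for instance one of the new default-key tests aborting before it reaches cleanupKeys. Whether deleting a key through cleanupKeys also removes its default-key row is not visible in this hunk; if it does not, the suite needs an explicit default-key reset in a teardown hook or in cleanupKeys. A comment on the check would at least make the dependency explicit: `// GetDefaultKasKeys is registry-wide; relies on every other test clearing its defaults.`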
@@ -718,11 +709,226 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { s.Require().NoError(err) s.Equal(policy.KeyStatus_KEY_STATUS_INACTIVE, oldKey.GetKey().GetKeyStatus()) + // Ensure there are no default kas keys after rotation + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + // Clean up - s.cleanupRotate( - []string{}, - []string{}, - []string{}, + s.cleanupKeys( + []string{ + keyMap[rotateKey].GetKey().GetId(), + keyMap[nonRotateKey].GetKey().GetId(), + rotatedInKey.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}) +} + +func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_rotate_key_kas", + Uri: "https://test-rotate-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + keyMap := s.setupKeysForRotate(kas.GetId()) + newKey := kasregistry.RotateKeyRequest_NewKey{ + KeyId: "new_key_id", + Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + + // Set default key mapping + s.Require().NoError(err) + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[nonRotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 1) + + rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) + s.Require().NoError(err) + s.NotNil(rotatedInKey) + + // Check that the rotated in key 
is now the ZTDF default key. + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 1) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) + + // Clean up + s.cleanupKeys( + []string{ + keyMap[rotateKey].GetKey().GetId(), + keyMap[nonRotateKey].GetKey().GetId(), + rotatedInKey.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_rotate_key_kas", + Uri: "https://test-rotate-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + keyMap := s.setupKeysForRotate(kas.GetId()) + newKey := kasregistry.RotateKeyRequest_NewKey{ + KeyId: "new_key_id", + Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + + // Set default key mapping + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[rotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[nonRotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + + rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) + s.Require().NoError(err) + 
s.NotNil(rotatedInKey) + + // Check that the rotated in key is now the ZTDF default key. + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + // Check that rotated in key is the default key. + var newRotatedInDefaultKey *kasregistry.DefaultKasKey + var nonRotatedInDefaultKey *kasregistry.DefaultKasKey + for _, defaultKasKey := range defaultKasKeys { + s.NotEqual(defaultKasKey.GetPublicKey().GetKid(), keyMap[rotateKey].GetKey().GetId()) + if defaultKasKey.GetPublicKey().GetKid() == keyMap[nonRotateKey].GetKey().GetKeyId() { + nonRotatedInDefaultKey = defaultKasKey + } else if defaultKasKey.GetPublicKey().GetKid() == rotatedInKey.GetKasKey().GetKey().GetKeyId() { + newRotatedInDefaultKey = defaultKasKey + } + } + s.NotNil(newRotatedInDefaultKey) + s.NotNil(nonRotatedInDefaultKey) + s.Equal(newRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_ZTDF.String()) + s.Equal(nonRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_NANO.String()) + + // Clean up + s.cleanupKeys( + []string{ + keyMap[rotateKey].GetKey().GetId(), + keyMap[nonRotateKey].GetKey().GetId(), + rotatedInKey.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_rotate_key_kas", + Uri: "https://test-rotate-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + keyMap := s.setupKeysForRotate(kas.GetId()) + newKey := kasregistry.RotateKeyRequest_NewKey{ + KeyId: "new_key_id", + Algorithm: policy.Algorithm_ALGORITHM_EC_P521, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + + // Set default key mapping + _, err = 
s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[rotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[rotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + + rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) + s.Require().NoError(err) + s.NotNil(rotatedInKey) + + // Check that the rotated in key is now the ZTDF default key. + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + // Check that rotated in key is the default key. + var newZtdfKey *kasregistry.DefaultKasKey + var newNanoKey *kasregistry.DefaultKasKey + for _, defaultKasKey := range defaultKasKeys { + s.NotEqual(defaultKasKey.GetPublicKey().GetKid(), keyMap[rotateKey].GetKey().GetId()) + switch defaultKasKey.GetTdfType() { + case kasregistry.TdfType_TDF_TYPE_ZTDF.String(): + newZtdfKey = defaultKasKey + case kasregistry.TdfType_TDF_TYPE_NANO.String(): + newNanoKey = defaultKasKey + default: + s.Fail("Unexpected TDF type") + } + } + s.NotNil(newZtdfKey) + s.NotNil(newNanoKey) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newZtdfKey.GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newNanoKey.GetPublicKey().GetKid()) + + // Clean up + s.cleanupKeys( []string{ keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), 
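Review bot: The `s.NotEqual(defaultKasKey.GetPublicKey().GetKid(), keyMap[rotateKey].GetKey().GetId())` assertions in Test_RotateKey_OneDefaultKeyRotated_Success and Test_RotateKey_TwoDefaultKeyRotated_Success compare a key's kid with its database id, two different identifiers that can never be equal, so the check that the rotated-out key is no longer a default passes vacuously; the neighbouring assertions use `GetKeyId()` for this comparison and these should too: `s.NotEqual(keyMap[rotateKey].GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid())`. The comments in these three tests also contradict the code beneath them: `// Ensure there is no default key mapping` precedes `s.Len(defaultKasKeys, 1)` or `s.Len(defaultKasKeys, 2)`, and in Test_RotateKey_NoDefaultKeyRotated_Success `// Check that the rotated in key is now the ZTDF default key.` precedes an assertion that the non-rotated key is still the default. The stray `s.Require().NoError(err)` directly under `// Set default key mapping` in that same test re-checks an error already required nil a few lines earlier and can go. The TdfType checks in OneDefaultKeyRotated pass the expected value second (`s.Equal(newRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_ZTDF.String())`), reversing testify's expected/actual order and making failure output misleading; note the closing of Test_RotateKey_TwoDefaultKeyRotated_Success continues into the next hunk.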
@@ -732,12 +938,542 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { ) } +func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail() { + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_rotate_key_kas", + Uri: "https://test-rotate-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + keyMap := s.setupKeysForRotate(kas.GetId()) + newKey := kasregistry.RotateKeyRequest_NewKey{ + KeyId: "new_key_id", + Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + + // Set default key mapping + s.Require().NoError(err) + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: keyMap[rotateKey].GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 1) + + rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) + s.Require().Error(err) + s.Require().ErrorContains(err, "not valid for TDF type NANO") + s.Nil(rotatedInKey) + + // Check that the rotated in key is now the ZTDF default key. 
+ defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 1) + s.Equal(keyMap[rotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) + + resp, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Key{ + Key: &kasregistry.KasKeyIdentifier{ + Identifier: &kasregistry.KasKeyIdentifier_Uri{ + Uri: kas.GetUri(), + }, + Kid: newKey.GetKeyId(), + }, + }) + s.Require().NoError(err) + s.NotNil(resp) + + // Clean up + s.cleanupKeys( + []string{ + keyMap[rotateKey].GetKey().GetId(), + keyMap[nonRotateKey].GetKey().GetId(), + resp.GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +// Default Key Tests +func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: uuid.NewString(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().Error(err) + s.Require().ErrorContains(err, 
"not found") + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().Error(err) + s.Require().ErrorContains(err, "not valid for TDF type NANO") + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Success() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := 
kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys) + s.Nil(defaultKeys.GetPreviousDefaultKasKey()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Success() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + 
WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys) + s.Nil(defaultKeys.GetPreviousDefaultKasKey()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Success() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Create a second key for the KAS + keyReq2 := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id_2", + KeyAlgorithm: 
policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) + s.Require().NoError(err) + s.NotNil(key2) + + // Create a third key for the KAS + keyReq3 := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id_3", + KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) + s.Require().NoError(err) + s.NotNil(key3) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys) + s.Nil(defaultKeys.GetPreviousDefaultKasKey()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) + + // Set nano key + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key3.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + + // Update default key mapping + defaultKeys2, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: 
&kasregistry.SetDefaultKeyRequest_Id{ + Id: key2.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys2) + s.NotNil(defaultKeys2.GetPreviousDefaultKasKey()) + s.Equal(key2.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys2.GetNewDefaultKasKey().GetTdfType()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetPreviousDefaultKasKey().GetPublicKey().GetKid()) + + // Ensure nano key is still the same + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + for _, defaultKasKey := range defaultKasKeys { + if defaultKasKey.GetTdfType() == kasregistry.TdfType_TDF_TYPE_NANO.String() { + s.Equal(key3.GetKasKey().GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid()) + } + } + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + key2.GetKasKey().GetKey().GetId(), + key3.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + +func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Success() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Create a second key for 
the KAS + keyReq2 := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id_2", + KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) + s.Require().NoError(err) + s.NotNil(key2) + + // Create a third key for the KAS + keyReq3 := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id_3", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_LOCAL, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + PrivateKeyCtx: &policy.KasPrivateKeyCtx{ + KeyId: validKeyID1, + WrappedKey: keyCtx, + }, + } + key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) + s.Require().NoError(err) + s.NotNil(key3) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default nano key mapping + defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys) + s.Nil(defaultKeys.GetPreviousDefaultKasKey()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) + + // Set default ztdf key mapping + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key3.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().NoError(err) + + 
// Update default nano key mapping + defaultKeys2, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key2.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }) + s.Require().NoError(err) + s.NotNil(defaultKeys2) + s.NotNil(defaultKeys2.GetPreviousDefaultKasKey()) + s.Equal(key2.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetNewDefaultKasKey().GetPublicKey().GetKid()) + s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys2.GetNewDefaultKasKey().GetTdfType()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetPreviousDefaultKasKey().GetPublicKey().GetKid()) + + // Ensure ztdf key is still the same + defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Len(defaultKasKeys, 2) + for _, defaultKasKey := range defaultKasKeys { + if defaultKasKey.GetTdfType() == kasregistry.TdfType_TDF_TYPE_ZTDF.String() { + s.Equal(key3.GetKasKey().GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid()) + } + } + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + key2.GetKasKey().GetKey().GetId(), + key3.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + func (s *KasRegistryKeySuite) setupKeysForRotate(kasID string) map[string]*policy.KasKey { // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ KasId: kasID, KeyId: "original_key_id_to_rotate", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P384, KeyMode: policy.KeyMode_KEY_MODE_LOCAL, PublicKeyCtx: &policy.KasPublicKeyCtx{ Pem: keyCtx, 
@@ -921,7 +1657,7 @@ func (s *KasRegistryKeySuite) setupAttributesForRotate(numAttrsToRotate, numAttr } } -func (s *KasRegistryKeySuite) cleanupRotate(attrValueIDs []string, namespaceIDs []string, attributeIDs []string, keyIDs []string, keyAccessServerIDs []string) { +func (s *KasRegistryKeySuite) cleanupRotate(attrValueIDs []string, namespaceIDs []string, attributeIDs []string) { for _, id := range attrValueIDs { _, err := s.db.PolicyClient.DeleteAttributeValue(s.ctx, id) s.Require().NoError(err) @@ -934,6 +1670,11 @@ func (s *KasRegistryKeySuite) cleanupRotate(attrValueIDs []string, namespaceIDs _, err := s.db.PolicyClient.DeleteAttribute(s.ctx, id) s.Require().NoError(err) } +} + +func (s *KasRegistryKeySuite) cleanupKeys(keyIDs []string, keyAccessServerIDs []string) { + err := s.db.PolicyClient.DeleteAllDefaultKeys(s.ctx) + s.Require().NoError(err) for _, id := range keyIDs { _, err := s.db.PolicyClient.DeleteKey(s.ctx, id) s.Require().NoError(err) diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index 79ee37e522..b4b4a95687 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -1,9 +1,11 @@ package db import ( + "encoding/base64" "encoding/json" "errors" "fmt" + "strconv" "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" 
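Review bot: `cleanupKeys` relies on `DeleteAllDefaultKeys`, which this change adds to the production `PolicyDBClient` as a "TESTING ONLY" method that truncates `default_kas_keys`; a destructive helper with no authorization on the production client is one accidental RPC wiring away from exposure. Prefer running `DELETE FROM default_kas_keys` from the integration-test package (if the suite has raw SQL access) or putting the helper behind a test build tag, and drop it from the client. Note also that the deletion does not refresh the well-known configuration, so entries published by `SetWellKnownConfig` appear to survive in process until the next `SetDefaultKey`; if later tests read it, add `s.Require().NoError(s.db.PolicyClient.SetWellKnownConfig(s.ctx))` after the delete. `cleanupKeys` ends outside the hunk.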
@@ -122,3 +124,65 @@ func KasKeysProtoJSON(keysJSON []byte) ([]*policy.KasKey, error) {
 }
 return keys, nil
 }
+
+func formatAlg(alg policy.Algorithm) (string, error) {
+ switch alg {
+ case policy.Algorithm_ALGORITHM_RSA_2048:
+ return "rsa:2048", nil
+ case policy.Algorithm_ALGORITHM_RSA_4096:
+ return "rsa:4096", nil
+ case policy.Algorithm_ALGORITHM_EC_P256:
+ return "ec:secp256r1", nil
+ case policy.Algorithm_ALGORITHM_EC_P384:
+ return "ec:secp384r1", nil
+ case policy.Algorithm_ALGORITHM_EC_P521:
+ return "ec:secp512r1", nil
+ case policy.Algorithm_ALGORITHM_UNSPECIFIED:
+ fallthrough
+ default:
+ return "", fmt.Errorf("unsupported algorithm: %s", alg)
+ }
+}
+
+func UnmarshalDefaultKasKey(keysJSON []byte, key *kasregistry.DefaultKasKey) error {
+ if keysJSON != nil {
+ if err := protojson.Unmarshal(keysJSON, key); err != nil {
+ return err
+ }
+
+ alg, err := strconv.Atoi(key.GetPublicKey().GetAlgorithm())
+ if err != nil {
+ return err
+ }
+ key.PublicKey.Algorithm, err = formatAlg(policy.Algorithm(alg))
+ if err != nil {
+ return err
+ }
+ // Base64 decode the public key
+ pem, err := base64.StdEncoding.DecodeString(key.GetPublicKey().GetPem())
+ if err != nil {
+ return err
+ }
+ key.PublicKey.Pem = string(pem)
+ }
+ return nil
+}
+
+func DefaultKasKeysProtoJSON(keysJSON []byte) ([]*kasregistry.DefaultKasKey, error) {
+ var (
+ keys []*kasregistry.DefaultKasKey
+ raw []json.RawMessage
+ )
+ if err := json.Unmarshal(keysJSON, &raw); err != nil {
+ return nil, err
+ }
+ for _, r := range raw {
+ k := kasregistry.DefaultKasKey{}
+ err := UnmarshalDefaultKasKey(r, &k)
+ if err != nil {
+ return nil, err
+ }
+ keys = append(keys, &k)
+ }
+ return keys, nil
+}
diff --git a/service/policy/db/db.go b/service/policy/db/db.go
index 0e4c3f4a0b..eeee39e428 100644
--- a/service/policy/db/db.go
+++ b/service/policy/db/db.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-// sqlc v1.29.0
+// sqlc v1.28.0
 
 package db
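Review bot: `formatAlg` maps `ALGORITHM_EC_P521` to `"ec:secp512r1"`, but the P-521 curve is `secp521r1`; every P-521 default key would be advertised in the well-known configuration under a curve name no client can resolve. Change that case to `return "ec:secp521r1", nil` and pin all five strings with a table test over `policy.Algorithm`. `UnmarshalDefaultKasKey` then writes `key.PublicKey.Algorithm` and `key.PublicKey.Pem` through the raw field, which is only safe because `GetAlgorithm()` on a nil `PublicKey` yields `""` and `strconv.Atoi` rejects it first; make that explicit with `if key.GetPublicKey() == nil { return errors.New("default kas key missing public_key") }` before the conversion rather than relying on the ordering.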
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go
index 2aebd70dfc..772588aee4 100644
--- a/service/policy/db/key_access_server_registry.go
+++ b/service/policy/db/key_access_server_registry.go
@@ -15,9 +15,12 @@ import (
 "github.com/opentdf/platform/protocol/go/policy/keymanagement"
 "github.com/opentdf/platform/protocol/go/policy/namespaces"
 "github.com/opentdf/platform/service/pkg/db"
+ "github.com/opentdf/platform/service/wellknownconfiguration"
 "google.golang.org/protobuf/encoding/protojson"
 )
 
+var DefaultKasKeyWellKnown = "default_kas_keys"
+
 type rotatedMappingIDs struct {
 NamespaceIDs []string
 AttributeDefIDs []string
@@ -373,21 +376,10 @@ func (c PolicyDBClient) CreateKey(ctx context.Context, r *kasregistry.CreateKeyR
 return nil, errors.Join(errors.New("private key ctx"), db.ErrExpectedBase64EncodedValue)
 }
 
- // Only allow one active key for an algo per KAS.
- activeKeyExists, err := c.Queries.checkIfKeyExists(ctx, checkIfKeyExistsParams{
- KeyAccessServerID: kasID,
- KeyStatus: keyStatus,
- KeyAlgorithm: algo,
- })
- if err != nil {
- return nil, db.WrapIfKnownInvalidQueryErr(err)
- } else if activeKeyExists {
- return nil, fmt.Errorf("cannot create a new key when an active key already exists with algorithm %s", r.GetKeyAlgorithm().String())
- }
-
 // Especially if we need to verify the connection and get the public key.
 // Need provider logic to validate connection to remote provider.
 var pc *policy.KeyProviderConfig
+ var err error
 if providerConfigID != "" {
 pc, err = c.GetProviderConfig(ctx, &keymanagement.GetProviderConfigRequest_Id{Id: providerConfigID})
 if err != nil {
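Review bot: The CreateKey hunk deletes the only guard that stopped a second ACTIVE key with the same algorithm from being created for a KAS, and nothing else in this change takes its place. If the new `default_kas_keys` mapping is meant to make that invariant unnecessary, say so at that spot (`// Multiple active keys per algorithm are allowed; default_kas_keys selects the key used for new TDFs.`) and remove `checkIfKeyExists` if it is now unused; otherwise keep the check, since any caller that resolved (kas, algorithm, ACTIVE) to a single key will now see several. Separately, `DefaultKasKeyWellKnown` is never reassigned and should be `const DefaultKasKeyWellKnown = "default_kas_keys"`. CreateKey continues outside the hunk.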
@@ -731,19 +723,25 @@ func (c PolicyDBClient) RotateKey(ctx context.Context, activeKey *policy.KasKey,
 return nil, err
 }
 
- // Step 3: Update Namespace/Attribute/Value tables to use the new key.
+ // Step 3: Check if the rotated out key is currently a default key. If so, update.
+ err = c.rotateDefaultKey(ctx, rotatedOutKey.GetKey().GetId(), newKasKey.GetKasKey().GetKey().GetId())
+ if err != nil {
+ return nil, err
+ }
+
+ // Step 4: Update Namespace/Attribute/Value tables to use the new key.
 rotatedIDs, err := c.rotatePublicKeyTables(ctx, activeKey.GetKey().GetId(), newKasKey.GetKasKey().GetKey().GetId())
 if err != nil {
 return nil, err
 }
 
- // Step 4: Populate the rotated resources.
+ // Step 5: Populate the rotated resources.
 if err := c.populateChangeMappings(ctx, rotatedIDs, rotateKeyResp.GetRotatedResources()); err != nil {
 return nil, err
 }
 rotateKeyResp.RotatedResources.RotatedOutKey = rotatedOutKey
 
- // Step 5: Populate the new key
+ // Step 6: Populate the new key
 rotateKeyResp.KasKey = newKasKey.GetKasKey()
 
 return rotateKeyResp, nil
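Review bot: Step 3 re-points the default mapping and, through `SetDefaultKey`, republishes the well-known configuration before steps 4–5 update the namespace/attribute/value mappings; unless RotateKey runs inside one transaction, which this hunk does not show, a failure in `rotatePublicKeyTables` leaves clients advertised a new default key while attribute mappings still reference the rotated-out key. Either document the transaction boundary at step 3 or move the default-key update after `rotatePublicKeyTables` and refresh the well-known configuration once at the end. Step 3 also identifies the old key as `rotatedOutKey.GetKey().GetId()` while step 4 uses `activeKey.GetKey().GetId()`; use one of them for both so a future divergence cannot rotate two different keys. RotateKey starts and ends outside the hunk.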
@@ -830,3 +828,188 @@ func (c PolicyDBClient) rotatePublicKeyTables(ctx context.Context, oldKeyID, new return rotatedIDs, nil } + +func (c PolicyDBClient) rotateDefaultKey(ctx context.Context, rotatedOutKeyID, newKeyID string) error { + defaultKeys, err := c.GetDefaultKeysByID(ctx, rotatedOutKeyID) + if err != nil { + return db.WrapIfKnownInvalidQueryErr(err) + } + // It's possible that the rotated out key was mapped to both modes: ztdf/nano. + // If the key algorithm is of type ECC. + for _, defaultKey := range defaultKeys { + tdfType, ok := kasregistry.TdfType_value[defaultKey.GetTdfType()] + if !ok { + return fmt.Errorf("invalid TDF type: %s", defaultKey.GetTdfType()) + } + + _, err = c.SetDefaultKey(ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: newKeyID, + }, + TdfType: kasregistry.TdfType(tdfType), + }) + if err != nil { + return err + } + } + + return nil +} + +func (c PolicyDBClient) GetDefaultKasKeys(ctx context.Context) ([]*kasregistry.DefaultKasKey, error) { + keys, err := c.Queries.getDefaultKeys(ctx) + if err != nil { + return nil, db.WrapIfKnownInvalidQueryErr(err) + } + + var defaultKeys []*kasregistry.DefaultKasKey + if len(keys) > 0 { + defaultKeys, err = db.DefaultKasKeysProtoJSON(keys) + if err != nil { + return nil, err + } + } + + return defaultKeys, nil +} + +func (c PolicyDBClient) GetDefaultKeysByID(ctx context.Context, id string) ([]*kasregistry.DefaultKasKey, error) { + keys, err := c.Queries.getDefaultKeysById(ctx, pgtypeUUID(id)) + if err != nil { + return nil, db.WrapIfKnownInvalidQueryErr(err) + } + + var defaultKeys []*kasregistry.DefaultKasKey + if len(keys) > 0 { + defaultKeys, err = db.DefaultKasKeysProtoJSON(keys) + if err != nil { + return nil, err + } + } + + return defaultKeys, nil +} + +func (c PolicyDBClient) GetDefaultKasKeyByMode(ctx context.Context, tdfType kasregistry.TdfType) (*kasregistry.DefaultKasKey, error) { + key, err := c.getDefaultKasKeyByMode(ctx, 
pgtypeText(tdfType.String())) + if err != nil && !errors.Is(db.WrapIfKnownInvalidQueryErr(err), db.ErrNotFound) { + c.logger.Error("GetDefaultKasKeyByMode", "error", err) + return nil, db.WrapIfKnownInvalidQueryErr(err) + } + + var defaultKey *kasregistry.DefaultKasKey + if len(key) > 0 { + defaultKey = &kasregistry.DefaultKasKey{} + err = db.UnmarshalDefaultKasKey(key, defaultKey) + if err != nil { + return nil, err + } + } + + return defaultKey, nil +} + +func isAlgValidForNano(alg policy.Algorithm) bool { + switch alg { + case policy.Algorithm_ALGORITHM_EC_P256, policy.Algorithm_ALGORITHM_EC_P384, policy.Algorithm_ALGORITHM_EC_P521: + return true + case policy.Algorithm_ALGORITHM_RSA_2048, policy.Algorithm_ALGORITHM_RSA_4096, policy.Algorithm_ALGORITHM_UNSPECIFIED: + return false + default: + return false + } +} + +func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDefaultKeyRequest) (*kasregistry.SetDefaultKeyResponse, error) { + var identifier any + switch r.GetActiveKey().(type) { + case *kasregistry.SetDefaultKeyRequest_Id: + identifier = &kasregistry.GetKeyRequest_Id{ + Id: r.GetId(), + } + case *kasregistry.SetDefaultKeyRequest_Key: + identifier = &kasregistry.GetKeyRequest_Key{ + Key: r.GetKey(), + } + } + keyToSet, err := c.GetKey(ctx, identifier) + if err != nil { + return nil, err + } + + previousDefaultKey, err := c.GetDefaultKasKeyByMode(ctx, r.GetTdfType()) + if err != nil { + return nil, err + } + + // If default key is nano, cipher must be ECC. + if r.GetTdfType() == kasregistry.TdfType_TDF_TYPE_NANO && !isAlgValidForNano(keyToSet.GetKey().GetKeyAlgorithm()) { + return nil, fmt.Errorf("key algorithm %s is not valid for TDF type NANO", keyToSet.GetKey().GetKeyAlgorithm().String()) + } + + // A trigger is set for BEFORE INSERT which will update the + // the key reference to the one being inserted, if present. + // If not, the insert will continue. 
+ _, err = c.Queries.setDefaultKasKey(ctx, setDefaultKasKeyParams{ + KeyAccessServerKeyID: pgtypeUUID(keyToSet.GetKey().GetId()), + TdfType: r.GetTdfType().String(), + }) + if err != nil { + return nil, db.WrapIfKnownInvalidQueryErr(err) + } + + // Get the new default key. + newDefaultKey, err := c.GetDefaultKasKeyByMode(ctx, r.GetTdfType()) + if err != nil { + return nil, err + } + + // Set wellknown config + if err := c.SetWellKnownConfig(ctx); err != nil { + return nil, err + } + + return &kasregistry.SetDefaultKeyResponse{ + NewDefaultKasKey: newDefaultKey, + PreviousDefaultKasKey: previousDefaultKey, + }, nil +} + +func (c PolicyDBClient) SetWellKnownConfig(ctx context.Context) error { + defaultKeys, err := c.GetDefaultKasKeys(ctx) + if err != nil { + return err + } + + defaulKeyArr := make([]any, len(defaultKeys)) + for i, key := range defaultKeys { + defaulKeyArr[i] = key + } + + keyMapBytes, err := json.Marshal(defaulKeyArr) + if err != nil { + return err + } + + genericKeyArr := make([]any, len(defaulKeyArr)) + err = json.Unmarshal(keyMapBytes, &genericKeyArr) + if err != nil { + return err + } + + return wellknownconfiguration.UpdateConfiguration(DefaultKasKeyWellKnown, genericKeyArr) +} + +/* +********************** +TESTING ONLY +************************ +*/ +func (c PolicyDBClient) DeleteAllDefaultKeys(ctx context.Context) error { + _, err := c.Queries.deleteAllDefaultKasKeys(ctx) + if err != nil { + return db.WrapIfKnownInvalidQueryErr(err) + } + + return nil +} diff --git a/service/policy/db/migrations/20250512000000_default_keys_table.md b/service/policy/db/migrations/20250512000000_default_keys_table.md new file mode 100644 index 0000000000..5c9aee3f69 --- /dev/null +++ b/service/policy/db/migrations/20250512000000_default_keys_table.md 
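Review bot: `SetDefaultKey` never checks the state of the key it promotes: after `GetKey` succeeds only the NANO/ECC rule is applied, so an inactive, expired or compromised key (the `key_status` values the schema documents) can be made the default and published to every client by `SetWellKnownConfig`. Reject anything that is not active, roughly `if keyToSet.GetKey().GetKeyStatus() != policy.KeyStatus_KEY_STATUS_ACTIVE { return nil, fmt.Errorf("key %s is not active", keyToSet.GetKey().GetId()) }` (accessor and enum names inferred from the `key_status` column and the removed `keyStatus` parameter; confirm them). The `switch r.GetActiveKey().(type)` has no `default`, so an unset oneof reaches `c.GetKey(ctx, nil)`; add `default: return nil, fmt.Errorf("active key identifier is required")`. `GetDefaultKasKeyByMode` both logs and returns the same error, which double-reports it; drop the log line.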
@@ -0,0 +1,41 @@ +```mermaid +erDiagram + + key_access_server_keys { + timestamp_with_time_zone created_at + timestamp_with_time_zone expiration + uuid id PK + uuid key_access_server_id FK,UK + integer key_algorithm + character_varying key_cipher "Cipher used to generate the key" + character_varying key_id UK + integer key_mode + integer key_status + jsonb metadata + jsonb private_key_ctx + uuid provider_config_id + jsonb public_key_ctx + timestamp_with_time_zone updated_at + boolean default_key + } + + asym_key { + timestamp_with_time_zone created_at "Timestamp when the key was created" + timestamp_with_time_zone expiration + uuid id PK "Unique identifier for the key" + integer key_algorithm "Algorithm used to generate the key" + character_varying key_id UK "Unique identifier for the key" + integer key_mode "Indicates whether the key is stored LOCAL or REMOTE" + integer key_status "Indicates the status of the key Active, Inactive, Compromised, or Expired" + jsonb metadata "Additional metadata for the key" + jsonb private_key_ctx "Private Key Context is a json defined structure of the private key. Could include information like PEM encoded key, or external key id information" + uuid provider_config_id FK "Reference the provider configuration for this key" + jsonb public_key_ctx "Public Key Context is a json defined structure of the public key" + timestamp_with_time_zone updated_at "Timestamp when the key was last updated" + } + + + key_access_server_keys }o--|| key_access_servers : "key_access_server_id" +``` + + diff --git a/service/policy/db/migrations/20250512000000_default_keys_table.sql b/service/policy/db/migrations/20250512000000_default_keys_table.sql new file mode 100644 index 0000000000..579c2cddc5 --- /dev/null +++ b/service/policy/db/migrations/20250512000000_default_keys_table.sql 
@@ -0,0 +1,49 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE IF NOT EXISTS default_kas_keys (
+ id UUID DEFAULT gen_random_uuid() CONSTRAINT default_key_pkey PRIMARY KEY,
+ key_access_server_key_id UUID CONSTRAINT key_access_server_key_id_fkey REFERENCES key_access_server_keys(id) ON DELETE RESTRICT,
+ tdf_type VARCHAR(255) NOT NULL,
+ CONSTRAINT unique_tdf_type UNIQUE (tdf_type) -- Ensure only one row per tdf_type
+);
+
+-- Trigger Function
+CREATE OR REPLACE FUNCTION upsert_default_kas_keys()
+RETURNS TRIGGER AS $$
+BEGIN
+ -- Check if a row exists with the same tdf_type and key_access_server_id
+ IF EXISTS (
+ SELECT 1
+ FROM default_kas_keys
+ WHERE tdf_type = NEW.tdf_type
+ ) THEN
+ -- Update the existing row
+ UPDATE default_kas_keys
+ SET key_access_server_key_id = NEW.key_access_server_key_id
+ WHERE tdf_type = NEW.tdf_type;
+
+ RETURN NULL; -- Important: Returning NULL prevents the original INSERT from proceeding, as the upsert has already happened
+
+ ELSE
+ -- Insert a new row (the original INSERT will proceed)
+ RETURN NEW; -- Important: Returning NEW allows the original INSERT to proceed
+ END IF;
+END;
+$$ LANGUAGE 'plpgsql';
+
+-- Trigger
+CREATE TRIGGER before_insert_or_update_default_kas_keys
+BEFORE INSERT ON default_kas_keys
+FOR EACH ROW
+EXECUTE FUNCTION upsert_default_kas_keys();
+-- +goose StatementEnd
+
+
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TRIGGER IF EXISTS before_insert_or_update_default_kas_keys ON default_kas_keys;
+DROP FUNCTION IF EXISTS upsert_default_kas_keys;
+
+DROP TABLE IF EXISTS default_kas_keys;
+-- +goose StatementEnd
\ No newline at end of file
diff --git a/service/policy/db/models.go b/service/policy/db/models.go
index b4a0558ae8..071282c136 100644
--- a/service/policy/db/models.go
+++ b/service/policy/db/models.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-// sqlc v1.29.0
+// sqlc v1.28.0
 
 package db
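Review bot: The BEFORE INSERT trigger implements the upsert as a non-atomic read-then-update, so two concurrent `setDefaultKasKey` inserts for the same `tdf_type` can both pass the `IF EXISTS` check and one then fails on `unique_tdf_type`; Postgres does this atomically already, so drop the trigger and write the query as `INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) VALUES ($1, $2) ON CONFLICT (tdf_type) DO UPDATE SET key_access_server_key_id = EXCLUDED.key_access_server_key_id;`. `key_access_server_key_id` should be `NOT NULL`, since a default mapping without a key is meaningless and the Go side always supplies one. The trigger comment says "same tdf_type and key_access_server_id" but the predicate is on `tdf_type` only, and the trigger is named `before_insert_or_update` while it fires on INSERT alone. The companion ERD markdown describes a `boolean default_key` column on `key_access_server_keys` that this migration does not create.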
@@ -226,6 +226,12 @@ type AttributeValuePublicKeyMap struct { KeyAccessServerKeyID string `json:"key_access_server_key_id"` } +type DefaultKasKey struct { + ID string `json:"id"` + KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"` + TdfType string `json:"tdf_type"` +} + // Table to store the known registrations of key access servers (KASs) type KeyAccessServer struct { // Primary key for the table diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql index 083ebc181a..c4b54ecd14 100644 --- a/service/policy/db/query.sql +++ b/service/policy/db/query.sql 
@@ -1652,3 +1652,65 @@ WHERE id = $1; DELETE FROM provider_config WHERE id = $1; + +---------------------------------------------------------------- +-- Default KAS Keys +---------------------------------------------------------------- +-- name: getDefaultKeys :one +SELECT + JSONB_AGG( + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id; + +-- name: getDefaultKasKeyByMode :one +SELECT + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +WHERE (dkk.tdf_type = sqlc.narg('tdf_type')::TEXT); + +-- name: setDefaultKasKey :execrows +INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) +VALUES ($1, $2); + +-- name: getDefaultKeysById :one +SELECT + JSONB_AGG( + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +WHERE (sqlc.narg('key_access_server_key_id')::UUID IS NULL OR dkk.key_access_server_key_id = sqlc.narg('key_access_server_key_id')::UUID); + +-- 
name: deleteAllDefaultKasKeys :execrows +DELETE FROM default_kas_keys; + diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index 29d3e38846..c1e7971f65 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.28.0 // source: query.sql package db @@ -3322,6 +3322,21 @@ func (q *Queries) createSubjectMapping(ctx context.Context, arg createSubjectMap return id, err } +const deleteAllDefaultKasKeys = `-- name: deleteAllDefaultKasKeys :execrows +DELETE FROM default_kas_keys +` + +// deleteAllDefaultKasKeys +// +// DELETE FROM default_kas_keys +func (q *Queries) deleteAllDefaultKasKeys(ctx context.Context) (int64, error) { + result, err := q.db.Exec(ctx, deleteAllDefaultKasKeys) + if err != nil { + return 0, err + } + return result.RowsAffected(), nil +} + const deleteCustomAction = `-- name: deleteCustomAction :execrows DELETE FROM actions WHERE id = $1 
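Review bot: `getDefaultKeysById` keeps a `$1::UUID IS NULL OR` escape hatch, so a NULL key id (or, if `pgtypeUUID` maps unparsable input to an invalid UUID, a malformed one) returns every default mapping; since `rotateDefaultKey` feeds that result straight into `SetDefaultKey`, such a call would re-point all defaults at the new key. The query is a lookup by id, so make the parameter required: `WHERE dkk.key_access_server_key_id = sqlc.arg('key_access_server_key_id')::UUID`. The three JSON-building queries repeat the same `JSONB_BUILD_OBJECT` block; a comment noting that `pem` is stored base64-encoded and decoded in `UnmarshalDefaultKasKey` would help the next reader. `getDefaultKeys` returns a NULL aggregate for zero rows, which the Go callers handle with `len(keys) > 0`.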
@@ -3465,6 +3480,134 @@ func (q *Queries) getAction(ctx context.Context, arg getActionParams) (getAction return i, err } +const getDefaultKasKeyByMode = `-- name: getDefaultKasKeyByMode :one +SELECT + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +WHERE (dkk.tdf_type = $1::TEXT) +` + +// getDefaultKasKeyByMode +// +// SELECT +// DISTINCT JSONB_BUILD_OBJECT( +// 'tdf_type', dkk.tdf_type, +// 'kas_uri', kas.uri, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::TEXT, +// 'kid', kask.key_id, +// 'pem', kask.public_key_ctx ->> 'pem' +// ) +// ) AS default_key +// FROM default_kas_keys dkk +// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +// WHERE (dkk.tdf_type = $1::TEXT) +func (q *Queries) getDefaultKasKeyByMode(ctx context.Context, tdfType pgtype.Text) ([]byte, error) { + row := q.db.QueryRow(ctx, getDefaultKasKeyByMode, tdfType) + var default_key []byte + err := row.Scan(&default_key) + return default_key, err +} + +const getDefaultKeys = `-- name: getDefaultKeys :one +SELECT + JSONB_AGG( + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +` + +// 
-------------------------------------------------------------- +// Default KAS Keys +// -------------------------------------------------------------- +// +// SELECT +// JSONB_AGG( +// DISTINCT JSONB_BUILD_OBJECT( +// 'tdf_type', dkk.tdf_type, +// 'kas_uri', kas.uri, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::TEXT, +// 'kid', kask.key_id, +// 'pem', kask.public_key_ctx ->> 'pem' +// ) +// ) +// ) AS default_key +// FROM default_kas_keys dkk +// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +func (q *Queries) getDefaultKeys(ctx context.Context) ([]byte, error) { + row := q.db.QueryRow(ctx, getDefaultKeys) + var default_key []byte + err := row.Scan(&default_key) + return default_key, err +} + +const getDefaultKeysById = `-- name: getDefaultKeysById :one +SELECT + JSONB_AGG( + DISTINCT JSONB_BUILD_OBJECT( + 'tdf_type', dkk.tdf_type, + 'kas_uri', kas.uri, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::TEXT, + 'kid', kask.key_id, + 'pem', kask.public_key_ctx ->> 'pem' + ) + ) + ) AS default_key +FROM default_kas_keys dkk +INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +WHERE ($1::UUID IS NULL OR dkk.key_access_server_key_id = $1::UUID) +` + +// getDefaultKeysById +// +// SELECT +// JSONB_AGG( +// DISTINCT JSONB_BUILD_OBJECT( +// 'tdf_type', dkk.tdf_type, +// 'kas_uri', kas.uri, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::TEXT, +// 'kid', kask.key_id, +// 'pem', kask.public_key_ctx ->> 'pem' +// ) +// ) +// ) AS default_key +// FROM default_kas_keys dkk +// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id +// WHERE ($1::UUID IS NULL OR dkk.key_access_server_key_id = 
$1::UUID) +func (q *Queries) getDefaultKeysById(ctx context.Context, keyAccessServerKeyID pgtype.UUID) ([]byte, error) { + row := q.db.QueryRow(ctx, getDefaultKeysById, keyAccessServerKeyID) + var default_key []byte + err := row.Scan(&default_key) + return default_key, err +} + const getKey = `-- name: getKey :one SELECT kask.id, @@ -5210,6 +5353,28 @@ func (q *Queries) rotatePublicKeyForNamespace(ctx context.Context, arg rotatePub return items, nil } +const setDefaultKasKey = `-- name: setDefaultKasKey :execrows +INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) +VALUES ($1, $2) +` + +type setDefaultKasKeyParams struct { + KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"` + TdfType string `json:"tdf_type"` +} + +// setDefaultKasKey +// +// INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) +// VALUES ($1, $2) +func (q *Queries) setDefaultKasKey(ctx context.Context, arg setDefaultKasKeyParams) (int64, error) { + result, err := q.db.Exec(ctx, setDefaultKasKey, arg.KeyAccessServerKeyID, arg.TdfType) + if err != nil { + return 0, err + } + return result.RowsAffected(), nil +} + const updateCustomAction = `-- name: updateCustomAction :execrows UPDATE actions SET diff --git a/service/policy/db/schema_erd.md b/service/policy/db/schema_erd.md index 1a10e2f270..86d76e38d6 100644 --- a/service/policy/db/schema_erd.md +++ b/service/policy/db/schema_erd.md 
@@ -13,9 +13,10 @@ erDiagram timestamp_with_time_zone created_at "Timestamp when the key was created" timestamp_with_time_zone expiration uuid id PK "Unique identifier for the key" - integer key_algorithm "Algorithm used to generate the key" + integer key_cipher "Algorithm used to generate the key" character_varying key_id UK "Unique identifier for the key" integer key_mode "Indicates whether the key is stored LOCAL or REMOTE" + character_varying key_shape "The shape of the key, for example, #quot;2048#quot; or #quot;P256#quot;" integer key_status "Indicates the status of the key Active, Inactive, Compromised, or Expired" jsonb metadata "Additional metadata for the key" jsonb private_key_ctx "Private Key Context is a json defined structure of the private key. Could include information like PEM encoded key, or external key id information" @@ -102,12 +103,14 @@ erDiagram key_access_server_keys { timestamp_with_time_zone created_at + boolean default_key "Whether this key is the default key, for its algorithm for the kas server" timestamp_with_time_zone expiration uuid id PK uuid key_access_server_id FK,UK - integer key_algorithm + integer key_cipher character_varying key_id UK integer key_mode + character_varying key_shape integer key_status jsonb metadata jsonb private_key_ctx @@ -122,7 +125,7 @@ erDiagram jsonb metadata "Metadata for the KAS (see protos for structure)" character_varying name UK "Optional common name of the KAS" jsonb public_key "Public key of the KAS (see protos for structure/options)" - integer source_type + character_varying source_type timestamp_with_time_zone updated_at character_varying uri UK "URI of the KAS" } diff --git a/service/policy/kasregistry/key_access_server_registry.go b/service/policy/kasregistry/key_access_server_registry.go index e553724124..457539398c 100644 --- a/service/policy/kasregistry/key_access_server_registry.go +++ b/service/policy/kasregistry/key_access_server_registry.go 
@@ -72,6 +72,11 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer
 kasrSvc.logger = logger
 kasrSvc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault))
+ if err = kasrSvc.dbClient.SetWellKnownConfig(context.TODO()); err != nil {
+ logger.Error("error setting well-known config", slog.String("error", err.Error()))
+ panic(err)
+ }
+
 kasrSvc.config = cfg
 return kasrSvc, nil
 },
@@ -352,14 +357,21 @@ func (s KeyAccessServerRegistry) ListKeys(ctx context.Context, r *connect.Reques
 func (s KeyAccessServerRegistry) RotateKey(ctx context.Context, r *connect.Request[kasr.RotateKeyRequest]) (*connect.Response[kasr.RotateKeyResponse], error) {
 var resp *kasr.RotateKeyResponse
 var objectID string
+ var identifier any
 switch i := r.Msg.GetActiveKey().(type) {
 case *kasr.RotateKeyRequest_Id:
 s.logger.Debug("Rotating key by ID", slog.String("ID", i.Id))
 objectID = i.Id
+ identifier = &kasr.GetKeyRequest_Id{
+ Id: i.Id,
+ }
 case *kasr.RotateKeyRequest_Key:
 s.logger.Debug("Rotating key by Kas Key", slog.String("Active Key ID", i.Key.GetKid()), slog.String("New Key ID", r.Msg.GetNewKey().GetKeyId()))
 objectID = i.Key.GetKid()
+ identifier = &kasr.GetKeyRequest_Key{
+ Key: i.Key,
+ }
 default:
 return nil, connect.NewError(connect.CodeInvalidArgument, nil)
 }
@@ -370,7 +382,7 @@ func (s KeyAccessServerRegistry) RotateKey(ctx context.Context, r *connect.Reque
 ObjectID: objectID,
 }
- original, err := s.dbClient.GetKey(ctx, r.Msg.GetActiveKey())
+ original, err := s.dbClient.GetKey(ctx, identifier)
 if err != nil {
 s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
 return nil, db.StatusifyError(err, db.ErrTextGetRetrievalFailed, slog.String("keyAccessServer Keys", objectID))
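Review bot: `panic(err)` after the `SetWellKnownConfig` call turns any transient database error during registration into a process crash, and the same error is already logged on the line before, so it is reported twice. The closure ends with `return kasrSvc, nil`, so the failure can be returned to the caller instead: `return nil, fmt.Errorf("setting default KAS keys on well-known config: %w", err)` (importing fmt if the file does not already). `context.TODO()` carries no deadline, so a stalled database query blocks startup indefinitely; if the registration parameters expose a context, pass it, otherwise derive one with `context.WithTimeout`. NewRegistration continues outside the hunk.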
@@ -423,3 +435,58 @@ func (s KeyAccessServerRegistry) RotateKey(ctx context.Context, r *connect.Reque
 // Implementation for RotateKey
 return connect.NewResponse(resp), nil
 }
+
+func (s KeyAccessServerRegistry) SetDefaultKey(ctx context.Context, r *connect.Request[kasr.SetDefaultKeyRequest]) (*connect.Response[kasr.SetDefaultKeyResponse], error) {
+ resp := &kasr.SetDefaultKeyResponse{}
+
+ var objectID string
+ switch i := r.Msg.GetActiveKey().(type) {
+ case *kasr.SetDefaultKeyRequest_Id:
+ s.logger.Debug("Setting default key by ID", slog.String("ID", i.Id), slog.String("Tdf type", r.Msg.GetTdfType().String()))
+ objectID = i.Id
+ case *kasr.SetDefaultKeyRequest_Key:
+ s.logger.Debug("Setting default key by Key ID", slog.String("Active Key ID", i.Key.GetKid()), slog.String("Tdf type", r.Msg.GetTdfType().String()))
+ objectID = i.Key.GetKid()
+ default:
+ return nil, connect.NewError(connect.CodeInvalidArgument, nil)
+ }
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeUpdate,
+ ObjectType: audit.ObjectTypeKasRegistryKeys,
+ ObjectID: objectID,
+ }
+
+ err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
+ var err error
+ resp, err = txClient.SetDefaultKey(ctx, r.Msg)
+ if err != nil {
+ s.logger.Error("failed to set default key", slog.String("error", err.Error()))
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return err
+ }
+
+ auditParams.Original = resp.GetPreviousDefaultKasKey()
+ auditParams.Updated = resp.GetNewDefaultKasKey()
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+ return nil
+ })
+ if err != nil {
+ return nil, db.StatusifyError(err, db.ErrTextUpdateFailed, slog.String("SetDefaultKey", r.Msg.GetId()))
+ }
+
+ return connect.NewResponse(resp), nil
+}
+
+func (s KeyAccessServerRegistry) GetDefaultKeys(ctx context.Context, _ *connect.Request[kasr.GetDefaultKeysRequest]) (*connect.Response[kasr.GetDefaultKeysResponse], error) {
+ s.logger.Debug("Getting Default KAS Keys")
+ resp :=
&kasr.GetDefaultKeysResponse{}
+
+ keys, err := s.dbClient.GetDefaultKasKeys(ctx)
+ if err != nil {
+ return nil, db.StatusifyError(err, db.ErrTextGetRetrievalFailed)
+ }
+ resp.DefaultKasKeys = keys
+ return connect.NewResponse(resp), nil
+}
diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto
index bc3036a9c3..265969d972 100644
--- a/service/policy/kasregistry/key_access_server_registry.proto
+++ b/service/policy/kasregistry/key_access_server_registry.proto
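Review bot: The error path after `RunInTx` logs `r.Msg.GetId()`, which is empty whenever the key was supplied through the `SetDefaultKeyRequest_Key` branch of the switch above, so the failure attribute names no object for those callers; `objectID` is computed for both branches and should be used: `return nil, db.StatusifyError(err, db.ErrTextUpdateFailed, slog.String("SetDefaultKey", objectID))`. `PolicyCRUDFailure` is emitted only from inside the transaction callback, so an error raised by `RunInTx` itself (e.g. on commit) returns without an audit record; if that path exists, move the failure audit to the outer `if err != nil`. Both new handlers lack a doc comment; for GetDefaultKeys, `// GetDefaultKeys returns the current default KAS key per TDF type, exposing only public key material (algorithm, kid, pem).` tells a reader what the well-known data will contain.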
@@ -581,6 +581,51 @@ message RotateKeyResponse {
 RotatedResources rotated_resources = 2;
 }
+enum TdfType {
+ TDF_TYPE_UNSPECIFIED = 0;
+ TDF_TYPE_ZTDF = 1;
+ TDF_TYPE_NANO = 2;
+}
+
+// Sets the specified key as the default key for the Key Access Server
+// Note: The key must be active.
+// Side effects:
+// If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key.
+message SetDefaultKeyRequest {
+ // Required
+ oneof active_key {
+ option (buf.validate.oneof).required = true;
+ // Current Key UUID tp be set as default
+ string id = 1 [(buf.validate.field).string.uuid = true];
+ // Alternative way to specify the key using KAS ID and Key ID
+ KasKeyIdentifier key = 2;
+ }
+ // Required
+ TdfType tdf_type = 3 [(buf.validate.field).enum = {in: [1, 2]}]; // The type of TDF (e.g., ZTDF, Nano)
+}
+
+message DefaultKasPublicKey {
+ string algorithm = 1;
+ string kid = 2;
+ string pem = 3;
+}
+
+message DefaultKasKey {
+ string tdf_type = 1; // The type of TDF (e.g., ZTDF, Nano)
+ string kas_uri = 2; // The URL of the Key Access Server
+ DefaultKasPublicKey public_key = 3; // The public key of the Key that belongs to the KAS
+};
+
+message GetDefaultKeysRequest {}
+message GetDefaultKeysResponse {
+ repeated DefaultKasKey default_kas_keys = 1; // The list of default keys
+}
+
+message SetDefaultKeyResponse {
+ DefaultKasKey new_default_kas_key = 1; // The key that was set as default
+ DefaultKasKey previous_default_kas_key = 2; // The previous default key, if any
+}
+
 service KeyAccessServerRegistryService {
 rpc ListKeyAccessServers(ListKeyAccessServersRequest) returns (ListKeyAccessServersResponse) {
 option (google.api.http) = {get: "/key-access-servers"};
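Review bot: The `SetDefaultKeyRequest` comment documents the override as happening for a key "of the same cipher", but the request is keyed by `tdf_type` and the `default_kas_keys` table introduced later in this series has `tdf_type` as its unique column, so the documented side effect does not match the behavior; suggest `// Side effects: if a default key already exists for the given tdf_type, it is replaced by the specified key.` and fixing `tp be` to `to be`. `DefaultKasKey.tdf_type` is a `string` while `SetDefaultKeyRequest.tdf_type` is the `TdfType` enum, so a client cannot feed a `GetDefaultKeys` result back into `SetDefaultKey` without translating by hand; using `TdfType` in both messages keeps the API consistent. `DefaultKasPublicKey` has no field comments; `pem` in particular should say it is the PEM-encoded public key.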
@@ -631,4 +676,10 @@ service KeyAccessServerRegistryService {
 // Request to rotate a key in the Key Access Service.
 rpc RotateKey(RotateKeyRequest) returns (RotateKeyResponse) {}
+
+ // Request to set the default a default kas key.
+ rpc SetDefaultKey(SetDefaultKeyRequest) returns (SetDefaultKeyResponse) {}
+
+ // Get Default kas keys
+ rpc GetDefaultKeys(GetDefaultKeysRequest) returns (GetDefaultKeysResponse) {}
 }
diff --git a/service/policy/kasregistry/key_access_server_registry_keys_test.go b/service/policy/kasregistry/key_access_server_registry_keys_test.go
index fb829bedeb..a787b3eaee 100644
--- a/service/policy/kasregistry/key_access_server_registry_keys_test.go
+++ b/service/policy/kasregistry/key_access_server_registry_keys_test.go
@@ -23,6 +23,7 @@ const (
 errMessageKeyURI = "key.uri"
 errMessageKeyAlgo = "key_algorithm"
 errMessageKeyMode = "key_mode"
+ errMessageTdfType = "tdf_type"
 errMessagePubKeyCtx = "public_key_ctx"
 errMessagePrivateKeyCtx = "The wrapped_key is required"
 errMessageProviderConfigID = "Provider config id is required"
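Review bot: The doc comment `// Request to set the default a default kas key.` on the new `SetDefaultKey` rpc is garbled; suggest `// Sets the default KAS key for a TDF type, replacing any existing default for that type.` and for `GetDefaultKeys` `// Returns the current default KAS keys (public key material only).` Unlike `ListKeyAccessServers` in the same service, neither new rpc declares a `google.api.http` mapping; if that is intentional, as it appears to be for `RotateKey`, a one-line comment saying the endpoints are gRPC/Connect-only pre-empts the question.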
@@ -878,3 +879,74 @@ func Test_RotateKeyAccessServer_Keys(t *testing.T) { }) } } + +func Test_SetDefault_Keys(t *testing.T) { + testCases := []struct { + name string + req *kasregistry.SetDefaultKeyRequest + expectError bool + errorMessage string + }{ + { + name: "Invalid Request (empty)", + req: &kasregistry.SetDefaultKeyRequest{}, + expectError: true, + errorMessage: errMessageRequired, + }, + { + name: "Invalid Request (empty active key)", + req: &kasregistry.SetDefaultKeyRequest{ + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }, + expectError: true, + errorMessage: errMessageRequired, + }, + { + name: "Invalid Request (invalid tdf mode)", + req: &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: validUUID, + }, + TdfType: -1, + }, + expectError: true, + errorMessage: errMessageTdfType, + }, + { + name: "Valid Request (nano)", + req: &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: validUUID, + }, + TdfType: kasregistry.TdfType_TDF_TYPE_NANO, + }, + expectError: false, + }, + { + name: "Valid Request (ztdf)", + req: &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: validUUID, + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }, + expectError: false, + }, + } + + v := getValidator() // Get the validator instance (assuming this is defined elsewhere) + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + err := v.Validate(tc.req) + if tc.expectError { + require.Error(t, err, "Expected error for test case: %s", tc.name) + if tc.errorMessage != "" { + require.Contains(t, err.Error(), tc.errorMessage, "Expected error message to contain '%s' for test case: %s", tc.errorMessage, tc.name) + } + } else { + require.NoError(t, err, "Expected no error for test case: %s", tc.name) + } + }) + } +} diff --git a/service/policy/objects.proto b/service/policy/objects.proto index 13cbfdc535..af59a88757 100644 
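Review bot: The validation table has no case for `TdfType: kasregistry.TdfType_TDF_TYPE_UNSPECIFIED`, the zero value a client sends by omitting the field, which is the main input the `in: [1, 2]` rule on the proto exists to reject; `-1` exercises the rule but not the common mistake, so add a row like "Invalid Request (invalid tdf mode)" with `TdfType: kasregistry.TdfType_TDF_TYPE_UNSPECIFIED` and `errorMessage: errMessageTdfType`. No case uses the `SetDefaultKeyRequest_Key` identifier, so the `KasKeyIdentifier` arm of the oneof is not validated here. The comment `// Get the validator instance (assuming this is defined elsewhere)` reads as a drafting note and should be dropped.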
--- a/service/policy/objects.proto
+++ b/service/policy/objects.proto
@@ -494,7 +494,7 @@ message AsymmetricKey {
 KeyMode key_mode = 5; // Specifies how the key is managed (local or remote)
 // Required
 KasPublicKeyCtx public_key_ctx = 6; // Specific structure based on key provider implementation
- // Optional
+ // Required
 KasPrivateKeyCtx private_key_ctx = 7; // Specific structure based on key provider implementation
 // Optional
 KeyProviderConfig provider_config = 8; // Configuration for the key provider
diff --git a/service/wellknownconfiguration/wellknown_configuration.go b/service/wellknownconfiguration/wellknown_configuration.go
index 7459463383..e860bf2e32 100644
--- a/service/wellknownconfiguration/wellknown_configuration.go
+++ b/service/wellknownconfiguration/wellknown_configuration.go
@@ -34,6 +34,14 @@ func RegisterConfiguration(namespace string, config any) error {
 return nil
 }
+// We should probably have a safe-guard as to what config can be updated
+func UpdateConfiguration(namespace string, config any) error {
+ rwMutex.Lock()
+ defer rwMutex.Unlock()
+ wellKnownConfiguration[namespace] = config
+ return nil
+}
+
 func NewRegistration() *serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler] {
 return &serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler]{
 ServiceOptions: serviceregistry.ServiceOptions[wellknownconfigurationconnect.WellKnownServiceHandler]{
From afdd4ab2b55679995d8b4efd558bfe0a0c4e828e Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Mon, 19 May 2025 20:24:55 -0500 Subject: [PATCH 02/15] schema. --- .../20250512000000_default_keys_table.md | 35 +++---------------- service/policy/db/schema_erd.md | 14 +++++--- 2 files changed, 13 insertions(+), 36 deletions(-)
diff --git a/service/policy/db/migrations/20250512000000_default_keys_table.md b/service/policy/db/migrations/20250512000000_default_keys_table.md
index 5c9aee3f69..b2f5094075 100644
--- a/service/policy/db/migrations/20250512000000_default_keys_table.md +++ b/service/policy/db/migrations/20250512000000_default_keys_table.md @@ -1,41 +1,14 @@ ```mermaid erDiagram - key_access_server_keys { - timestamp_with_time_zone created_at - timestamp_with_time_zone expiration + default_kas_keys { uuid id PK - uuid key_access_server_id FK,UK - integer key_algorithm - character_varying key_cipher "Cipher used to generate the key" - character_varying key_id UK - integer key_mode - integer key_status - jsonb metadata - jsonb private_key_ctx - uuid provider_config_id - jsonb public_key_ctx - timestamp_with_time_zone updated_at - boolean default_key - } - - asym_key { - timestamp_with_time_zone created_at "Timestamp when the key was created" - timestamp_with_time_zone expiration - uuid id PK "Unique identifier for the key" - integer key_algorithm "Algorithm used to generate the key" - character_varying key_id UK "Unique identifier for the key" - integer key_mode "Indicates whether the key is stored LOCAL or REMOTE" - integer key_status "Indicates the status of the key Active, Inactive, Compromised, or Expired" - jsonb metadata "Additional metadata for the key" - jsonb private_key_ctx "Private Key Context is a json defined structure of the private key. Could include information like PEM encoded key, or external key id information" - uuid provider_config_id FK "Reference the provider configuration for this key" - jsonb public_key_ctx "Public Key Context is a json defined structure of the public key" - timestamp_with_time_zone updated_at "Timestamp when the key was last updated" + uuid key_access_server_key_id FK + character_varying tdf_type UK } - key_access_server_keys }o--|| key_access_servers : "key_access_server_id" + default_kas_keys }o--|| key_access_server_keys : "key_access_server_key_id" ``` diff --git a/service/policy/db/schema_erd.md b/service/policy/db/schema_erd.md index 86d76e38d6..a7a7e97911 100644 --- a/service/policy/db/schema_erd.md 
+++ b/service/policy/db/schema_erd.md @@ -13,10 +13,9 @@ erDiagram timestamp_with_time_zone created_at "Timestamp when the key was created" timestamp_with_time_zone expiration uuid id PK "Unique identifier for the key" - integer key_cipher "Algorithm used to generate the key" + integer key_algorithm "Algorithm used to generate the key" character_varying key_id UK "Unique identifier for the key" integer key_mode "Indicates whether the key is stored LOCAL or REMOTE" - character_varying key_shape "The shape of the key, for example, #quot;2048#quot; or #quot;P256#quot;" integer key_status "Indicates the status of the key Active, Inactive, Compromised, or Expired" jsonb metadata "Additional metadata for the key" jsonb private_key_ctx "Private Key Context is a json defined structure of the private key. Could include information like PEM encoded key, or external key id information" @@ -94,6 +93,12 @@ erDiagram character_varying value UK "Value of the attribute (i.e. #quot;manager#quot; or #quot;admin#quot; on an attribute for titles), unique within the definition" } + default_kas_keys { + uuid id PK + uuid key_access_server_key_id FK + character_varying tdf_type UK + } + goose_db_version { integer id PK boolean is_applied @@ -103,14 +108,12 @@ erDiagram key_access_server_keys { timestamp_with_time_zone created_at - boolean default_key "Whether this key is the default key, for its algorithm for the kas server" timestamp_with_time_zone expiration uuid id PK uuid key_access_server_id FK,UK - integer key_cipher + integer key_algorithm character_varying key_id UK integer key_mode - character_varying key_shape integer key_status jsonb metadata jsonb private_key_ctx 
@@ -233,6 +236,7 @@ erDiagram attribute_value_public_key_map }o--|| key_access_server_keys : "key_access_server_key_id" resource_mappings }o--|| attribute_values : "attribute_value_id" subject_mappings }o--|| attribute_values : "attribute_value_id" + default_kas_keys }o--|| key_access_server_keys : "key_access_server_key_id" key_access_server_keys }o--|| key_access_servers : "key_access_server_id" sym_key }o--|| provider_config : "provider_config_id" registered_resource_values }o--|| registered_resources : "registered_resource_id" From e66cdca1456979246ca9c9afeb95ff2e0b94438a Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Mon, 19 May 2025 20:32:32 -0500 Subject: [PATCH 03/15] update doc. --- docs/grpc/index.html | 2 +- docs/openapi/policy/actions/actions.swagger.json | 2 +- docs/openapi/policy/attributes/attributes.swagger.json | 2 +- .../policy/kasregistry/key_access_server_registry.swagger.json | 2 +- docs/openapi/policy/namespaces/namespaces.swagger.json | 2 +- .../policy/resourcemapping/resource_mapping.swagger.json | 2 +- docs/openapi/policy/subjectmapping/subject_mapping.swagger.json | 2 +- docs/openapi/policy/unsafe/unsafe.swagger.json | 2 +- protocol/go/policy/objects.pb.go | 2 +- service/policy/objects.proto | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 75de72e3eb..76f9105155 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -2019,7 +2019,7 @@

    AsymmetricKey

    private_key_ctx KasPrivateKeyCtx -

    Required +

    Optional Specific structure based on key provider implementation

    diff --git a/docs/openapi/policy/actions/actions.swagger.json b/docs/openapi/policy/actions/actions.swagger.json index c687575d69..7d40140586 100644 --- a/docs/openapi/policy/actions/actions.swagger.json +++ b/docs/openapi/policy/actions/actions.swagger.json @@ -203,7 +203,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json index c89fd4e295..cc164b7bcd 100644 --- a/docs/openapi/policy/attributes/attributes.swagger.json +++ b/docs/openapi/policy/attributes/attributes.swagger.json @@ -1060,7 +1060,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index 2d2ce328c9..4211a926e1 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -735,7 +735,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json index 42aac4a672..33c7f5c58f 100644 --- a/docs/openapi/policy/namespaces/namespaces.swagger.json 
+++ b/docs/openapi/policy/namespaces/namespaces.swagger.json @@ -504,7 +504,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json index c5c68d8610..6815a6b315 100644 --- a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json +++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json @@ -566,7 +566,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json index 580a51403c..3e64f0da2b 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json +++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json @@ -573,7 +573,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json index fd9cb53cee..d58a667072 100644 --- a/docs/openapi/policy/unsafe/unsafe.swagger.json +++ b/docs/openapi/policy/unsafe/unsafe.swagger.json 
@@ -463,7 +463,7 @@ "privateKeyCtx": { "$ref": "#/definitions/policyKasPrivateKeyCtx", "description": "Specific structure based on key provider implementation", - "title": "Required" + "title": "Optional" }, "providerConfig": { "$ref": "#/definitions/policyKeyProviderConfig", diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index ef4aeccb77..36ab8ce9e5 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go @@ -2315,7 +2315,7 @@ type AsymmetricKey struct { KeyMode KeyMode `protobuf:"varint,5,opt,name=key_mode,json=keyMode,proto3,enum=policy.KeyMode" json:"key_mode,omitempty"` // Specifies how the key is managed (local or remote) // Required PublicKeyCtx *KasPublicKeyCtx `protobuf:"bytes,6,opt,name=public_key_ctx,json=publicKeyCtx,proto3" json:"public_key_ctx,omitempty"` // Specific structure based on key provider implementation - // Required + // Optional PrivateKeyCtx *KasPrivateKeyCtx `protobuf:"bytes,7,opt,name=private_key_ctx,json=privateKeyCtx,proto3" json:"private_key_ctx,omitempty"` // Specific structure based on key provider implementation // Optional ProviderConfig *KeyProviderConfig `protobuf:"bytes,8,opt,name=provider_config,json=providerConfig,proto3" json:"provider_config,omitempty"` // Configuration for the key provider diff --git a/service/policy/objects.proto b/service/policy/objects.proto index af59a88757..13cbfdc535 100644 --- a/service/policy/objects.proto +++ b/service/policy/objects.proto @@ -494,7 +494,7 @@ message AsymmetricKey { KeyMode key_mode = 5; // Specifies how the key is managed (local or remote) // Required KasPublicKeyCtx public_key_ctx = 6; // Specific structure based on key provider implementation - // Required + // Optional KasPrivateKeyCtx private_key_ctx = 7; // Specific structure based on key provider implementation // Optional KeyProviderConfig provider_config = 8; // Configuration for the key provider 
From efb6795b406d3191bdabdbd4b2b8f637f6e18d9b Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Tue, 20 May 2025 07:59:42 -0500 Subject: [PATCH 04/15] refactor. --- service/pkg/db/marshalHelpers.go | 2 +- service/policy/db/key_access_server_registry.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index b4b4a95687..1ec437067f 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -150,7 +150,7 @@ func UnmarshalDefaultKasKey(keysJSON []byte, key *kasregistry.DefaultKasKey) err return err } - alg, err := strconv.Atoi(key.GetPublicKey().GetAlgorithm()) + alg, err := strconv.ParseInt(key.GetPublicKey().GetAlgorithm(), 10, 32) if err != nil { return err } diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 772588aee4..85910f1267 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -981,17 +981,17 @@ func (c PolicyDBClient) SetWellKnownConfig(ctx context.Context) error { return err } - defaulKeyArr := make([]any, len(defaultKeys)) + defaultKeyArr := make([]any, len(defaultKeys)) for i, key := range defaultKeys { - defaulKeyArr[i] = key + defaultKeyArr[i] = key } - keyMapBytes, err := json.Marshal(defaulKeyArr) + keyMapBytes, err := json.Marshal(defaultKeyArr) if err != nil { return err } - genericKeyArr := make([]any, len(defaulKeyArr)) + genericKeyArr := make([]any, len(defaultKeyArr)) err = json.Unmarshal(keyMapBytes, &genericKeyArr) if err != nil { return err From 6073944d79c820c096ad5a64e807bb0f19348374 Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Tue, 20 May 2025 08:07:52 -0500 Subject: [PATCH 05/15] refactor. --- service/policy/db/key_access_server_registry.go | 4 ++-- service/policy/kasregistry/key_access_server_registry.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 85910f1267..1968a9d53e 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -965,7 +965,7 @@ func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDef } // Set wellknown config - if err := c.SetWellKnownConfig(ctx); err != nil { + if err := c.SetDefaultKeyOnWellKnownConfig(ctx); err != nil { return nil, err } @@ -975,7 +975,7 @@ func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDef }, nil } -func (c PolicyDBClient) SetWellKnownConfig(ctx context.Context) error { +func (c PolicyDBClient) SetDefaultKeyOnWellKnownConfig(ctx context.Context) error { defaultKeys, err := c.GetDefaultKasKeys(ctx) if err != nil { return err diff --git a/service/policy/kasregistry/key_access_server_registry.go b/service/policy/kasregistry/key_access_server_registry.go index 457539398c..ce5d3aa8f4 100644 --- a/service/policy/kasregistry/key_access_server_registry.go +++ b/service/policy/kasregistry/key_access_server_registry.go @@ -72,7 +72,7 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer kasrSvc.logger = logger kasrSvc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault)) - if err = kasrSvc.dbClient.SetWellKnownConfig(context.TODO()); err != nil { + if err = kasrSvc.dbClient.SetDefaultKeyOnWellKnownConfig(context.TODO()); err != nil { logger.Error("error setting well-known config", slog.String("error", err.Error())) panic(err) } From 48db782f8cd6b0397cf119e1b0594b65806eb1c1 Mon Sep 17 00:00:00 2001 
From: Chris Reed Date: Tue, 20 May 2025 11:03:50 -0500 Subject: [PATCH 06/15] fix issue with marshalling. Add test for public key only. --- service/integration/kas_registry_key_test.go | 47 +++++++++++++++++++ .../policy/db/key_access_server_registry.go | 13 +++-- 2 files changed, 57 insertions(+), 3 deletions(-) diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index ab088d864f..265d626aa2 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go 
@@ -1468,6 +1468,53 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes ) } +func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails() { + // Create a new KAS server + kasReq := kasregistry.CreateKeyAccessServerRequest{ + Name: "test_default_key_kas", + Uri: "https://test-default-key.opentdf.io", + } + kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) + s.Require().NoError(err) + s.NotNil(kas) + + // Create a key for the KAS + keyReq := kasregistry.CreateKeyRequest{ + KasId: kas.GetId(), + KeyId: "default_key_id", + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, + KeyMode: policy.KeyMode_KEY_MODE_PUBLIC_KEY_ONLY, + PublicKeyCtx: &policy.KasPublicKeyCtx{ + Pem: keyCtx, + }, + } + key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) + s.Require().NoError(err) + s.NotNil(key) + + // Ensure there is no default key mapping + defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + s.Require().NoError(err) + s.Empty(defaultKasKeys) + + // Set default key mapping + _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ + ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + Id: key.GetKasKey().GetKey().GetId(), + }, + TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + }) + s.Require().Error(err) + s.Require().ErrorContains(err, "KEY_MODE_PUBLIC_KEY_ONLY as default key") + + s.cleanupKeys( + []string{ + key.GetKasKey().GetKey().GetId(), + }, + []string{kas.GetId()}, + ) +} + func (s *KasRegistryKeySuite) setupKeysForRotate(kasID string) map[string]*policy.KasKey { // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index e41a45cbe7..db657e97a5 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go 
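Review bot: `s.cleanupKeys` at the end of Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails runs only if every `s.Require()` before it passes, so a failing run leaves the `test_default_key_kas` server and its key behind, and a later test that creates a KAS with the same name or URI would likely fail on the create step. Defer the cleanup as soon as each object exists, as the rotate tests do later in this series, e.g. `defer s.cleanupKeys([]string{key.GetKasKey().GetKey().GetId()}, []string{kas.GetId()})` right after `s.NotNil(key)` (or collect the IDs in slices and defer once at the top).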
@@ -392,9 +392,12 @@ func (c PolicyDBClient) CreateKey(ctx context.Context, r *kasregistry.CreateKeyR
 if err != nil {
 return nil, db.ErrMarshalValueFailed
 }
- privateCtx, err := json.Marshal(r.GetPrivateKeyCtx())
- if err != nil {
- return nil, db.ErrMarshalValueFailed
+ var privateCtx []byte
+ if r.GetPrivateKeyCtx() != nil {
+ privateCtx, err = json.Marshal(r.GetPrivateKeyCtx())
+ if err != nil {
+ return nil, db.ErrMarshalValueFailed
+ }
 }
 metadataJSON, _, err := db.MarshalCreateMetadata(r.GetMetadata())
@@ -937,6 +940,10 @@ func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDef
 return nil, err
 }
+ if keyToSet.GetKey().GetKeyMode() == policy.KeyMode_KEY_MODE_PUBLIC_KEY_ONLY {
+ return nil, fmt.Errorf("cannot set key of mode %s as default key", keyToSet.GetKey().GetKeyMode().String())
+ }
+
 previousDefaultKey, err := c.GetDefaultKasKeyByMode(ctx, r.GetTdfType())
 if err != nil {
 return nil, err
From 21bbe5e5bc3c8ca6b557eeb54a7834a6d1623b9f Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Tue, 20 May 2025 14:26:44 -0500 Subject: [PATCH 07/15] refactor. --- service/policy/db/key_access_server_registry.go | 4 +--- service/wellknownconfiguration/wellknown_configuration.go | 5 +++-- 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go
index db657e97a5..87c1e171a3 100644
--- a/service/policy/db/key_access_server_registry.go
+++ b/service/policy/db/key_access_server_registry.go
@@ -19,8 +19,6 @@ import (
 "google.golang.org/protobuf/encoding/protojson"
 )
-var DefaultKasKeyWellKnown = "default_kas_keys"
-
 type rotatedMappingIDs struct {
 NamespaceIDs []string
 AttributeDefIDs []string
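Review bot: The new guard only rejects `KEY_MODE_PUBLIC_KEY_ONLY`; the proto comment on SetDefaultKeyRequest says the key must be active, yet nothing in this hunk checks `keyToSet.GetKey().GetKeyStatus()`, so an inactive, compromised or expired key can be made the default unless that is checked elsewhere in SetDefaultKey (the function begins outside the hunk). If it is not, add next to the mode check `if keyToSet.GetKey().GetKeyStatus() != policy.KeyStatus_KEY_STATUS_ACTIVE { return nil, fmt.Errorf("cannot set key with status %s as default key", keyToSet.GetKey().GetKeyStatus().String()) }` (assuming the usual `KEY_STATUS_ACTIVE` enum value). In the CreateKey hunk above, `privateCtx` is now left nil when no private context is supplied; a comment such as `// no private context supplied (public-key-only key): privateCtx stays nil` records why the marshal is skipped instead of failing as before.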
@@ -1004,7 +1002,7 @@ func (c PolicyDBClient) SetDefaultKeyOnWellKnownConfig(ctx context.Context) erro
 return err
 }
- return wellknownconfiguration.UpdateConfiguration(DefaultKasKeyWellKnown, genericKeyArr)
+ return wellknownconfiguration.UpdateConfigurationDefaultKey(genericKeyArr)
 }
 /*
diff --git a/service/wellknownconfiguration/wellknown_configuration.go b/service/wellknownconfiguration/wellknown_configuration.go
index e860bf2e32..811800e493 100644
--- a/service/wellknownconfiguration/wellknown_configuration.go
+++ b/service/wellknownconfiguration/wellknown_configuration.go
@@ -22,6 +22,7 @@ type WellKnownService struct {
 var (
 wellKnownConfiguration = make(map[string]any)
 rwMutex sync.RWMutex
+ defaultKasKeyWellKnown = "default_kas_keys"
 )
 func RegisterConfiguration(namespace string, config any) error {
@@ -35,10 +36,10 @@ func RegisterConfiguration(namespace string, config any) error {
 }
 // We should probably have a safe-guard as to what config can be updated
-func UpdateConfiguration(namespace string, config any) error {
+func UpdateConfigurationDefaultKey(config any) error {
 rwMutex.Lock()
 defer rwMutex.Unlock()
- wellKnownConfiguration[namespace] = config
+ wellKnownConfiguration[defaultKasKeyWellKnown] = config
 return nil
 }
From 852430a4bd86d772a93daa4422471462259876fe Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Wed, 21 May 2025 16:30:00 -0500 Subject: [PATCH 08/15] refactor. --- service/integration/kas_registry_key_test.go | 78 +++++++++---------- service/pkg/db/marshalHelpers.go | 3 +- .../policy/db/key_access_server_registry.go | 3 +- .../key_access_server_registry_keys_test.go | 2 +- .../wellknown_configuration.go | 3 +- 5 files changed, 42 insertions(+), 47 deletions(-)
diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go
index 265d626aa2..5f69d867ed 100644
--- a/service/integration/kas_registry_key_test.go
+++ b/service/integration/kas_registry_key_test.go
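Review bot: `defaultKasKeyWellKnown` is added to the `var` block but never reassigned; make it `const defaultKasKeyWellKnown = "default_kas_keys"` so the well-known key cannot be changed at runtime. With the namespace parameter gone, the retained comment `// We should probably have a safe-guard as to what config can be updated` is stale — limiting the write to this one key is that safeguard — so replace it with a doc comment: `// UpdateConfigurationDefaultKey replaces the "default_kas_keys" entry of the well-known configuration; other namespaces are not touched.` The function cannot fail, so its `error` result is always nil; either drop it or note in the doc comment that it is kept for symmetry with RegisterConfiguration.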
@@ -414,6 +414,17 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasID_Limit_Success() { } func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespaces_Success() { + attrValueIDs := make([]string, 0) + attrDefIDs := make([]string, 0) + namespaceIDs := make([]string, 0) + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + + defer func() { + s.cleanupAttrs(attrValueIDs, namespaceIDs, attrDefIDs) + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", @@ -422,10 +433,15 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) namespaceMap := s.setupNamespaceForRotate(1, 1, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey()) + namespaceIDs = append(namespaceIDs, namespaceMap[rotateKey][0].GetId(), namespaceMap[nonRotateKey][0].GetId()) attributeMap := s.setupAttributesForRotate(1, 1, 1, 1, namespaceMap, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey()) + attrDefIDs = append(attrDefIDs, attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId()) + attrValueIDs = append(attrValueIDs, attributeMap[rotateKey][0].GetValues()[0].GetId(), attributeMap[nonRotateKey][0].GetValues()[0].GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", 
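Review bot: The five `make([]string, 0)` declarations plus the deferred cleanup closure form a preamble that this series then copies verbatim into every test from here through `Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails` (the remaining hunks of PATCH 08 and all of PATCH 09); a small suite helper that returns the ID slices and registers the deferred cleanup would remove the duplication, and `var keyIDs []string` is the idiomatic form since `append` works on a nil slice. The closure captures the slice variables by reference, so IDs appended after the `defer` statement are still cleaned up; that is subtle enough to deserve a comment at the first occurrence: `// cleanup runs on every exit path and sees IDs appended after this point`. Note that `cleanupAttrs` must run before `cleanupKeys`, as the hunk already orders it, because the attribute objects reference the keys.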
@@ -441,6 +457,7 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Validate the rotated key s.Equal(newKey.GetKeyId(), rotatedInKey.GetKasKey().GetKey().GetKeyId()) @@ -513,19 +530,20 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac s.Require().NoError(err) s.Len(nonUpdatedAttrValue.GetKasKeys(), 1) s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedAttrValue.GetKasKeys()[0].GetKey().GetId()) - - // Clean up - s.cleanupRotate( - []string{attrValue.GetId(), nonUpdatedAttrValue.GetId()}, - []string{namespaceMap[rotateKey][0].GetId(), namespaceMap[nonRotateKey][0].GetId()}, - []string{attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId()}, - ) - s.cleanupKeys([]string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, - []string{kas.GetId()}) } -// For example, 2 attributes, 0 namespaces, 1 attribute value. func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success() { + attrValueIDs := make([]string, 0) + attrDefIDs := make([]string, 0) + namespaceIDs := make([]string, 0) + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + + defer func() { + s.cleanupAttrs(attrValueIDs, namespaceIDs, attrDefIDs) + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", 
@@ -534,10 +552,14 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) namespaceMap := s.setupNamespaceForRotate(2, 2, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey()) + namespaceIDs = append(namespaceIDs, namespaceMap[rotateKey][0].GetId(), namespaceMap[rotateKey][1].GetId(), namespaceMap[nonRotateKey][0].GetId(), namespaceMap[nonRotateKey][1].GetId()) attributeMap := s.setupAttributesForRotate(2, 2, 0, 0, namespaceMap, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey()) + attrDefIDs = append(attrDefIDs, attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId(), attributeMap[rotateKey][1].GetId(), attributeMap[nonRotateKey][1].GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", @@ -553,6 +575,7 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Validate the rotated key s.Equal(newKey.GetKeyId(), rotatedInKey.GetKasKey().GetKey().GetKeyId()) 
@@ -633,30 +656,6 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri s.Len(nonUpdatedAttr.GetKasKeys(), 1) s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedAttr.GetKasKeys()[0].GetKey().GetId()) } - - // Clean up - namespaceIDs := make([]string, 0) - attributeIDs := make([]string, 0) - for _, ns := range namespaceMap[rotateKey] { - namespaceIDs = append(namespaceIDs, ns.GetId()) - } - for _, ns := range namespaceMap[nonRotateKey] { - namespaceIDs = append(namespaceIDs, ns.GetId()) - } - for _, attr := range attributeMap[rotateKey] { - attributeIDs = append(attributeIDs, attr.GetId()) - } - for _, attr := range attributeMap[nonRotateKey] { - attributeIDs = append(attributeIDs, attr.GetId()) - } - - s.cleanupRotate( - []string{}, - namespaceIDs, - attributeIDs, - ) - s.cleanupKeys([]string{keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId(), rotatedInKey.GetKasKey().GetKey().GetId()}, - []string{kas.GetId()}) } func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { @@ -744,9 +743,6 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { WrappedKey: keyCtx, }, } - - // Set default key mapping - s.Require().NoError(err) _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ Id: keyMap[nonRotateKey].GetKey().GetId(), @@ -958,9 +954,6 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail( WrappedKey: keyCtx, }, } - - // Set default key mapping - s.Require().NoError(err) _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ Id: keyMap[rotateKey].GetKey().GetId(), 
@@ -1650,7 +1643,7 @@ func (s *KasRegistryKeySuite) setupAttributesForRotate(numAttrsToRotate, numAttr attrValueNames := make([]string, 0) if i-numAttrValuesToRotate == 0 { // Create all the attribute values for the first attribute - for j := 0; j < numAttrValuesToRotate; j++ { + for j := 0; j < numAttrsToNotRotate; j++ { attrValueNames = append(attrValueNames, nonRotatePrefix+uuid.NewString()) } } @@ -1704,7 +1697,7 @@ func (s *KasRegistryKeySuite) setupAttributesForRotate(numAttrsToRotate, numAttr } } -func (s *KasRegistryKeySuite) cleanupRotate(attrValueIDs []string, namespaceIDs []string, attributeIDs []string) { +func (s *KasRegistryKeySuite) cleanupAttrs(attrValueIDs []string, namespaceIDs []string, attributeIDs []string) { for _, id := range attrValueIDs { _, err := s.db.PolicyClient.DeleteAttributeValue(s.ctx, id) s.Require().NoError(err) @@ -1722,6 +1715,7 @@ func (s *KasRegistryKeySuite) cleanupRotate(attrValueIDs []string, namespaceIDs func (s *KasRegistryKeySuite) cleanupKeys(keyIDs []string, keyAccessServerIDs []string) { err := s.db.PolicyClient.DeleteAllDefaultKeys(s.ctx) s.Require().NoError(err) + for _, id := range keyIDs { _, err := s.db.PolicyClient.DeleteKey(s.ctx, id) s.Require().NoError(err) diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index 1ec437067f..50c8ce04b7 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -154,7 +154,7 @@ func UnmarshalDefaultKasKey(keysJSON []byte, key *kasregistry.DefaultKasKey) err if err != nil { return err } - key.PublicKey.Algorithm, err = formatAlg(policy.Algorithm(alg)) + algorithm, err := formatAlg(policy.Algorithm(alg)) if err != nil { return err } @@ -164,6 +164,7 @@ func UnmarshalDefaultKasKey(keysJSON []byte, key *kasregistry.DefaultKasKey) err return err } key.PublicKey.Pem = string(pem) + key.PublicKey.Algorithm = algorithm } return nil } 
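Review bot: The rewritten loop bound `j < numAttrsToNotRotate` counts attribute definitions, yet the loop creates attribute values with `nonRotatePrefix`; if the fourth integer parameter of `setupAttributesForRotate` is the count of non-rotating values (callers pass `(1, 1, 1, 1, ...)` and `(2, 2, 0, 0, ...)`), that parameter looks like the intended bound, and because every caller passes equal values for both counts the tests cannot tell the two apart. Please confirm which count is meant and, if it is the value count, change the bound to that parameter; a comment naming it, e.g. `// one attribute value per requested non-rotating value`, would make the intent checkable. The function's signature is cut off at the hunk header and its body continues outside the hunk.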
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 6dffb2e584..2ccf369a7d 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -999,7 +999,8 @@ func (c PolicyDBClient) SetDefaultKeyOnWellKnownConfig(ctx context.Context) erro return err } - return wellknownconfiguration.UpdateConfigurationDefaultKey(genericKeyArr) + wellknownconfiguration.UpdateConfigurationDefaultKey(genericKeyArr) + return nil } /* diff --git a/service/policy/kasregistry/key_access_server_registry_keys_test.go b/service/policy/kasregistry/key_access_server_registry_keys_test.go index e0a5c5ab8c..01b6d25330 100644 --- a/service/policy/kasregistry/key_access_server_registry_keys_test.go +++ b/service/policy/kasregistry/key_access_server_registry_keys_test.go @@ -1449,7 +1449,7 @@ func Test_SetDefault_Keys(t *testing.T) { }, } - v := getValidator() // Get the validator instance (assuming this is defined elsewhere) + v := getValidator() for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { diff --git a/service/wellknownconfiguration/wellknown_configuration.go b/service/wellknownconfiguration/wellknown_configuration.go index 811800e493..c0aa529ed3 100644 --- a/service/wellknownconfiguration/wellknown_configuration.go +++ b/service/wellknownconfiguration/wellknown_configuration.go @@ -36,11 +36,10 @@ func RegisterConfiguration(namespace string, config any) error { } // We should probably have a safe-guard as to what config can be updated -func UpdateConfigurationDefaultKey(config any) error { +func UpdateConfigurationDefaultKey(config any) { rwMutex.Lock() defer rwMutex.Unlock() wellKnownConfiguration[defaultKasKeyWellKnown] = config - return nil } func NewRegistration() *serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler] { From 22974e1c0758fee005c3d79ee7fd8cbcc6ad57bf Mon Sep 17 00:00:00 2001 
From: Chris Reed Date: Wed, 21 May 2025 17:09:25 -0500 Subject: [PATCH 09/15] refactor. --- service/integration/kas_registry_key_test.go | 209 ++++++++++--------- 1 file changed, 107 insertions(+), 102 deletions(-) diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index 5f69d867ed..11affd70f6 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go @@ -659,6 +659,12 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri } func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", Uri: "https://test-rotate-key.opentdf.io", @@ -666,8 +672,10 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, @@ -687,6 +695,7 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) s.Equal(newKey.GetKeyId(), rotatedInKey.GetKasKey().GetKey().GetKeyId()) s.Equal(newKey.GetAlgorithm(), rotatedInKey.GetKasKey().GetKey().GetKeyAlgorithm()) s.Equal(newKey.GetKeyMode(), rotatedInKey.GetKasKey().GetKey().GetKeyMode()) 
@@ -712,18 +721,15 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) s.Require().NoError(err) s.Empty(defaultKasKeys) - - // Clean up - s.cleanupKeys( - []string{ - keyMap[rotateKey].GetKey().GetId(), - keyMap[nonRotateKey].GetKey().GetId(), - rotatedInKey.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}) } func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", Uri: "https://test-rotate-key.opentdf.io", @@ -731,8 +737,10 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, 
@@ -759,25 +767,22 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Check that the rotated in key is now the ZTDF default key. defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) s.Require().NoError(err) s.Len(defaultKasKeys, 1) s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) - - // Clean up - s.cleanupKeys( - []string{ - keyMap[rotateKey].GetKey().GetId(), - keyMap[nonRotateKey].GetKey().GetId(), - rotatedInKey.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", Uri: "https://test-rotate-key.opentdf.io", @@ -785,8 +790,10 @@ func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, 
@@ -822,6 +829,7 @@ func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Check that the rotated in key is now the ZTDF default key. defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -842,19 +850,15 @@ func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { s.NotNil(nonRotatedInDefaultKey) s.Equal(newRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_ZTDF.String()) s.Equal(nonRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_NANO.String()) - - // Clean up - s.cleanupKeys( - []string{ - keyMap[rotateKey].GetKey().GetId(), - keyMap[nonRotateKey].GetKey().GetId(), - rotatedInKey.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", Uri: "https://test-rotate-key.opentdf.io", @@ -862,8 +866,10 @@ func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", Algorithm: policy.Algorithm_ALGORITHM_EC_P521, 
@@ -899,6 +905,7 @@ func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) + keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Check that the rotated in key is now the ZTDF default key. defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -922,19 +929,15 @@ func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { s.NotNil(newNanoKey) s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newZtdfKey.GetPublicKey().GetKid()) s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newNanoKey.GetPublicKey().GetKid()) - - // Clean up - s.cleanupKeys( - []string{ - keyMap[rotateKey].GetKey().GetId(), - keyMap[nonRotateKey].GetKey().GetId(), - rotatedInKey.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_rotate_key_kas", Uri: "https://test-rotate-key.opentdf.io", @@ -942,8 +945,10 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail( kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) keyMap := s.setupKeysForRotate(kas.GetId()) + keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) newKey := kasregistry.RotateKeyRequest_NewKey{ KeyId: "new_key_id", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, 
@@ -978,6 +983,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail( s.Len(defaultKasKeys, 1) s.Equal(keyMap[rotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) + // This is a workaround to get the key ID of the new key that was not rotated in, as it + // would not be inserted into the database when run as a transcation at the service level. resp, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Key{ Key: &kasregistry.KasKeyIdentifier{ Identifier: &kasregistry.KasKeyIdentifier_Uri{ @@ -989,19 +996,16 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail( s.Require().NoError(err) s.NotNil(resp) - // Clean up - s.cleanupKeys( - []string{ - keyMap[rotateKey].GetKey().GetId(), - keyMap[nonRotateKey].GetKey().GetId(), - resp.GetKey().GetId(), - }, - []string{kas.GetId()}, - ) + keyIDs = append(keyIDs, resp.GetKey().GetId()) } -// Default Key Tests func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", @@ -1010,6 +1014,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ @@ -1028,6 +1033,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) 
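Review bot: The added comment misspells `transcation` and its explanation is hard to follow; if I read it correctly, the lookup is needed because the failed rotation returns no key, but at the DB-client level (no transaction) the new key was still inserted, so the test must fetch it by URI to collect its ID for cleanup. Suggest `// The failed rotation returns no key, yet at the DB layer the new key was still inserted (a service-level transaction would roll it back), so look it up to collect its ID for cleanup.` The enclosing test continues outside the hunk.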
@@ -1043,16 +1049,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { }) s.Require().Error(err) s.Require().ErrorContains(err, "not found") - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", @@ -1061,6 +1066,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ @@ -1079,6 +1085,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1094,16 +1101,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails }) s.Require().Error(err) s.Require().ErrorContains(err, "not valid for TDF type NANO") - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", 
@@ -1112,6 +1118,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Succes kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ @@ -1130,6 +1137,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Succes key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1148,16 +1156,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Succes s.Nil(defaultKeys.GetPreviousDefaultKasKey()) s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", @@ -1166,6 +1173,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Succes kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ 
@@ -1184,6 +1192,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Succes key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1202,16 +1211,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Succes s.Nil(defaultKeys.GetPreviousDefaultKasKey()) s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", @@ -1220,6 +1228,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ @@ -1238,6 +1247,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Create a second key for the KAS keyReq2 := kasregistry.CreateKeyRequest{ 
@@ -1256,6 +1266,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) s.Require().NoError(err) s.NotNil(key2) + keyIDs = append(keyIDs, key2.GetKasKey().GetKey().GetId()) // Create a third key for the KAS keyReq3 := kasregistry.CreateKeyRequest{ @@ -1274,6 +1285,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) s.Require().NoError(err) s.NotNil(key3) + keyIDs = append(keyIDs, key3.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1325,18 +1337,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes s.Equal(key3.GetKasKey().GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid()) } } - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - key2.GetKasKey().GetKey().GetId(), - key3.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Success() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", @@ -1345,6 +1354,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ 
@@ -1363,6 +1373,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Create a second key for the KAS keyReq2 := kasregistry.CreateKeyRequest{ @@ -1381,6 +1392,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) s.Require().NoError(err) s.NotNil(key2) + keyIDs = append(keyIDs, key2.GetKasKey().GetKey().GetId()) // Create a third key for the KAS keyReq3 := kasregistry.CreateKeyRequest{ @@ -1399,6 +1411,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) s.Require().NoError(err) s.NotNil(key3) + keyIDs = append(keyIDs, key3.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1450,18 +1463,15 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes s.Equal(key3.GetKasKey().GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid()) } } - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - key2.GetKasKey().GetKey().GetId(), - key3.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails() { + keyIDs := make([]string, 0) + kasIDs := make([]string, 0) + defer func() { + s.cleanupKeys(keyIDs, kasIDs) + }() + // Create a new KAS server kasReq := kasregistry.CreateKeyAccessServerRequest{ Name: "test_default_key_kas", 
@@ -1470,6 +1480,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) s.Require().NoError(err) s.NotNil(kas) + kasIDs = append(kasIDs, kas.GetId()) // Create a key for the KAS keyReq := kasregistry.CreateKeyRequest{ @@ -1484,6 +1495,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) + keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) @@ -1499,13 +1511,6 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails }) s.Require().Error(err) s.Require().ErrorContains(err, "KEY_MODE_PUBLIC_KEY_ONLY as default key") - - s.cleanupKeys( - []string{ - key.GetKasKey().GetKey().GetId(), - }, - []string{kas.GetId()}, - ) } func (s *KasRegistryKeySuite) setupKeysForRotate(kasID string) map[string]*policy.KasKey { From 6e41cdb390738c61777e996393ee2a7979205ffa Mon Sep 17 00:00:00 2001 
From: Chris Reed Date: Thu, 22 May 2025 18:25:50 -0500 Subject: [PATCH 10/15] refactor code for one base key. --- docs/grpc/index.html | 241 ++--- .../key_access_server_registry.swagger.json | 89 +- .../key_access_server_registry.connect.go | 84 +- .../key_access_server_registry.pb.go | 905 ++++++++---------- .../key_access_server_registry_grpc.pb.go | 60 +- service/integration/kas_registry_key_test.go | 594 +----------- service/pkg/db/marshalHelpers.go | 33 +- service/policy/db/copyfrom.go | 2 +- .../policy/db/key_access_server_registry.go | 194 +--- ...e.md => 20250512000000_base_keys_table.md} | 5 +- .../20250512000000_base_keys_table.sql | 45 + .../20250512000000_default_keys_table.sql | 49 - service/policy/db/models.go | 3 +- service/policy/db/query.sql | 113 +-- service/policy/db/query.sql.go | 327 +------ service/policy/db/schema_erd.md | 5 +- .../kasregistry/key_access_server_registry.go | 30 +- .../key_access_server_registry.proto | 41 +- .../key_access_server_registry_keys_test.go | 33 +- .../wellknown_configuration.go | 6 +- 20 files changed, 874 insertions(+), 1985 deletions(-) rename service/policy/db/migrations/{20250512000000_default_keys_table.md => 20250512000000_base_keys_table.md} (55%) create mode 100644 service/policy/db/migrations/20250512000000_base_keys_table.sql delete mode 100644 service/policy/db/migrations/20250512000000_default_keys_table.sql diff --git a/docs/grpc/index.html b/docs/grpc/index.html index b20977f83e..7a892e98ab 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -1059,14 +1059,6 @@

    Table of Contents

    MDeactivatePublicKeyResponse

  • -
  • - MDefaultKasKey -
  • - -
  • - MDefaultKasPublicKey -
  • -
  • MDeleteKeyAccessServerRequest
  • @@ -1076,11 +1068,11 @@

    Table of Contents

  • - MGetDefaultKeysRequest + MGetBaseKeyRequest
  • - MGetDefaultKeysResponse + MGetBaseKeyResponse
  • @@ -1188,11 +1180,19 @@

    Table of Contents

  • - MSetDefaultKeyRequest + MSetBaseKeyRequest +
  • + +
  • + MSetBaseKeyResponse +
  • + +
  • + MSimpleKasKey
  • - MSetDefaultKeyResponse + MSimpleKasPublicKey
  • @@ -1220,10 +1220,6 @@

    Table of Contents

  • -
  • - ETdfType -
  • -
  • @@ -9060,82 +9056,6 @@

    DeactivatePublicKeyRespo -

    DefaultKasKey

    -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeLabelDescription
    tdf_typestring

    The type of TDF (e.g., ZTDF, Nano)

    kas_uristring

    The URL of the Key Access Server

    public_keyDefaultKasPublicKey

    The public key of the Key that belongs to the KAS

    - - - - - -

    DefaultKasPublicKey

    -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeLabelDescription
    algorithmstring

    kidstring

    pemstring

    - - - - -

    DeleteKeyAccessServerRequest

    @@ -9184,14 +9104,14 @@

    DeleteKeyAccessServerR -

    GetDefaultKeysRequest

    +

    GetBaseKeyRequest

    -

    GetDefaultKeysResponse

    +

    GetBaseKeyResponse

    @@ -9202,9 +9122,9 @@

    GetDefaultKeysResponse

    - default_kas_keys - DefaultKasKey - repeated + base_key + SimpleKasKey +

    The list of default keys

    @@ -10237,8 +10157,8 @@

    RotatedResources

    -

    SetDefaultKeyRequest

    -

    Sets the specified key as the default key for the Key Access Server

    Note: The key must be active.

    Side effects:

    If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key.

    +

    SetBaseKeyRequest

    +

    Sets the specified key as the base key for the Key Access Server

    Note: The key must be active.

    @@ -10261,13 +10181,66 @@

    SetDefaultKeyRequest

    + +

    Alternative way to specify the key using KAS ID and Key ID

    + + + + + +

    SetBaseKeyResponse

    +

    + + + + + + + + - - + + - + + + + + + + + + + +
    FieldTypeLabelDescription
    tdf_typeTdfTypenew_base_keySimpleKasKey

    Required +

    The key that was set as base

    previous_base_keySimpleKasKey

    The previous base key, if any

    -The type of TDF (e.g., ZTDF, Nano)

    + + + + +

    SimpleKasKey

    +

    + + + + + + + + + + + + + + + + + + + + @@ -10277,7 +10250,7 @@

    SetDefaultKeyRequest

    -

    SetDefaultKeyResponse

    +

    SimpleKasPublicKey

    @@ -10288,17 +10261,24 @@

    SetDefaultKeyResponse

    - - + + + + + + + + + - + - - + + - + @@ -10545,35 +10525,6 @@

    UpdatePublicKeyResponse

    -

    TdfType

    -

    -
    FieldTypeLabelDescription
    kas_uristring

    The URL of the Key Access Server

    public_keySimpleKasPublicKey

    The public key of the Key that belongs to the KAS

    new_default_kas_keyDefaultKasKeyalgorithmstring

    kidstring

    The key that was set as default

    previous_default_kas_keyDefaultKasKeypemstring

    The previous default key, if any

    - - - - - - - - - - - - - - - - - - - - - - - - -
    NameNumberDescription
    TDF_TYPE_UNSPECIFIED0

    TDF_TYPE_ZTDF1

    TDF_TYPE_NANO2

    - @@ -10665,16 +10616,16 @@

    KeyAccessServerRegist - SetDefaultKey - SetDefaultKeyRequest - SetDefaultKeyResponse + SetBaseKey + SetBaseKeyRequest + SetBaseKeyResponse

    Request to set the default a default kas key.

    - GetDefaultKeys - GetDefaultKeysRequest - GetDefaultKeysResponse + GetBaseKey + GetBaseKeyRequest + GetBaseKeyResponse

    Get Default kas keys

    diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index 1fe1e93256..d08361170d 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -425,37 +425,6 @@ }, "title": "Response to a CreateKeyRequest, containing the created asymmetric key" }, - "kasregistryDefaultKasKey": { - "type": "object", - "properties": { - "tdfType": { - "type": "string", - "title": "The type of TDF (e.g., ZTDF, Nano)" - }, - "kasUri": { - "type": "string", - "title": "The URL of the Key Access Server" - }, - "publicKey": { - "$ref": "#/definitions/kasregistryDefaultKasPublicKey", - "title": "The public key of the Key that belongs to the KAS" - } - } - }, - "kasregistryDefaultKasPublicKey": { - "type": "object", - "properties": { - "algorithm": { - "type": "string" - }, - "kid": { - "type": "string" - }, - "pem": { - "type": "string" - } - } - }, "kasregistryDeleteKeyAccessServerResponse": { "type": "object", "properties": { @@ -464,15 +433,11 @@ } } }, - "kasregistryGetDefaultKeysResponse": { + "kasregistryGetBaseKeyResponse": { "type": "object", "properties": { - "defaultKasKeys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/kasregistryDefaultKasKey" - }, + "baseKey": { + "$ref": "#/definitions/kasregistrySimpleKasKey", "title": "The list of default keys" } } 
@@ -650,27 +615,45 @@ }, "title": "All resources that were rotated as part of the key rotation process" }, - "kasregistrySetDefaultKeyResponse": { + "kasregistrySetBaseKeyResponse": { "type": "object", "properties": { - "newDefaultKasKey": { - "$ref": "#/definitions/kasregistryDefaultKasKey", - "title": "The key that was set as default" + "newBaseKey": { + "$ref": "#/definitions/kasregistrySimpleKasKey", + "title": "The key that was set as base" }, - "previousDefaultKasKey": { - "$ref": "#/definitions/kasregistryDefaultKasKey", - "title": "The previous default key, if any" + "previousBaseKey": { + "$ref": "#/definitions/kasregistrySimpleKasKey", + "title": "The previous base key, if any" } } }, - "kasregistryTdfType": { - "type": "string", - "enum": [ - "TDF_TYPE_UNSPECIFIED", - "TDF_TYPE_ZTDF", - "TDF_TYPE_NANO" - ], - "default": "TDF_TYPE_UNSPECIFIED" + "kasregistrySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/kasregistrySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + } + } + }, + "kasregistrySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "type": "string" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } }, "kasregistryUpdateKeyAccessServerResponse": { "type": "object", diff --git a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go index 7e21a0177d..d5917a2077 100644 --- a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go +++ b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go 
@@ -67,12 +67,12 @@ const ( // KeyAccessServerRegistryServiceRotateKeyProcedure is the fully-qualified name of the // KeyAccessServerRegistryService's RotateKey RPC. KeyAccessServerRegistryServiceRotateKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/RotateKey" - // KeyAccessServerRegistryServiceSetDefaultKeyProcedure is the fully-qualified name of the - // KeyAccessServerRegistryService's SetDefaultKey RPC. - KeyAccessServerRegistryServiceSetDefaultKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/SetDefaultKey" - // KeyAccessServerRegistryServiceGetDefaultKeysProcedure is the fully-qualified name of the - // KeyAccessServerRegistryService's GetDefaultKeys RPC. - KeyAccessServerRegistryServiceGetDefaultKeysProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/GetDefaultKeys" + // KeyAccessServerRegistryServiceSetBaseKeyProcedure is the fully-qualified name of the + // KeyAccessServerRegistryService's SetBaseKey RPC. + KeyAccessServerRegistryServiceSetBaseKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/SetBaseKey" + // KeyAccessServerRegistryServiceGetBaseKeyProcedure is the fully-qualified name of the + // KeyAccessServerRegistryService's GetBaseKey RPC. + KeyAccessServerRegistryServiceGetBaseKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey" ) // These variables are the protoreflect.Descriptor objects for the RPCs defined in this package. 
@@ -89,8 +89,8 @@ var ( keyAccessServerRegistryServiceListKeysMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("ListKeys") keyAccessServerRegistryServiceUpdateKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("UpdateKey") keyAccessServerRegistryServiceRotateKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("RotateKey") - keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("SetDefaultKey") - keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("GetDefaultKeys") + keyAccessServerRegistryServiceSetBaseKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("SetBaseKey") + keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("GetBaseKey") ) // KeyAccessServerRegistryServiceClient is a client for the 
@@ -115,9 +115,9 @@ type KeyAccessServerRegistryServiceClient interface { // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *connect.Request[kasregistry.RotateKeyRequest]) (*connect.Response[kasregistry.RotateKeyResponse], error) // Request to set the default a default kas key. - SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) + SetBaseKey(context.Context, *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error) // Get Default kas keys - GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) + GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error) } // NewKeyAccessServerRegistryServiceClient constructs a client for the 
@@ -200,16 +200,16 @@ func NewKeyAccessServerRegistryServiceClient(httpClient connect.HTTPClient, base connect.WithSchema(keyAccessServerRegistryServiceRotateKeyMethodDescriptor), connect.WithClientOptions(opts...), ), - setDefaultKey: connect.NewClient[kasregistry.SetDefaultKeyRequest, kasregistry.SetDefaultKeyResponse]( + setBaseKey: connect.NewClient[kasregistry.SetBaseKeyRequest, kasregistry.SetBaseKeyResponse]( httpClient, - baseURL+KeyAccessServerRegistryServiceSetDefaultKeyProcedure, - connect.WithSchema(keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor), + baseURL+KeyAccessServerRegistryServiceSetBaseKeyProcedure, + connect.WithSchema(keyAccessServerRegistryServiceSetBaseKeyMethodDescriptor), connect.WithClientOptions(opts...), ), - getDefaultKeys: connect.NewClient[kasregistry.GetDefaultKeysRequest, kasregistry.GetDefaultKeysResponse]( + getBaseKey: connect.NewClient[kasregistry.GetBaseKeyRequest, kasregistry.GetBaseKeyResponse]( httpClient, - baseURL+KeyAccessServerRegistryServiceGetDefaultKeysProcedure, - connect.WithSchema(keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor), + baseURL+KeyAccessServerRegistryServiceGetBaseKeyProcedure, + connect.WithSchema(keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor), connect.WithClientOptions(opts...), ), } 
@@ -228,8 +228,8 @@ type keyAccessServerRegistryServiceClient struct { listKeys *connect.Client[kasregistry.ListKeysRequest, kasregistry.ListKeysResponse] updateKey *connect.Client[kasregistry.UpdateKeyRequest, kasregistry.UpdateKeyResponse] rotateKey *connect.Client[kasregistry.RotateKeyRequest, kasregistry.RotateKeyResponse] - setDefaultKey *connect.Client[kasregistry.SetDefaultKeyRequest, kasregistry.SetDefaultKeyResponse] - getDefaultKeys *connect.Client[kasregistry.GetDefaultKeysRequest, kasregistry.GetDefaultKeysResponse] + setBaseKey *connect.Client[kasregistry.SetBaseKeyRequest, kasregistry.SetBaseKeyResponse] + getBaseKey *connect.Client[kasregistry.GetBaseKeyRequest, kasregistry.GetBaseKeyResponse] } // ListKeyAccessServers calls 
@@ -292,14 +292,14 @@ func (c *keyAccessServerRegistryServiceClient) RotateKey(ctx context.Context, re return c.rotateKey.CallUnary(ctx, req) } -// SetDefaultKey calls policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey. -func (c *keyAccessServerRegistryServiceClient) SetDefaultKey(ctx context.Context, req *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) { - return c.setDefaultKey.CallUnary(ctx, req) +// SetBaseKey calls policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey. +func (c *keyAccessServerRegistryServiceClient) SetBaseKey(ctx context.Context, req *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error) { + return c.setBaseKey.CallUnary(ctx, req) } -// GetDefaultKeys calls policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys. -func (c *keyAccessServerRegistryServiceClient) GetDefaultKeys(ctx context.Context, req *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) { - return c.getDefaultKeys.CallUnary(ctx, req) +// GetBaseKey calls policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey. +func (c *keyAccessServerRegistryServiceClient) GetBaseKey(ctx context.Context, req *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error) { + return c.getBaseKey.CallUnary(ctx, req) } // KeyAccessServerRegistryServiceHandler is an implementation of the 
@@ -324,9 +324,9 @@ type KeyAccessServerRegistryServiceHandler interface { // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *connect.Request[kasregistry.RotateKeyRequest]) (*connect.Response[kasregistry.RotateKeyResponse], error) // Request to set the default a default kas key. - SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) + SetBaseKey(context.Context, *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error) // Get Default kas keys - GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) + GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error) } // NewKeyAccessServerRegistryServiceHandler builds an HTTP handler from the service implementation. 
@@ -404,16 +404,16 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService connect.WithSchema(keyAccessServerRegistryServiceRotateKeyMethodDescriptor), connect.WithHandlerOptions(opts...), ) - keyAccessServerRegistryServiceSetDefaultKeyHandler := connect.NewUnaryHandler( - KeyAccessServerRegistryServiceSetDefaultKeyProcedure, - svc.SetDefaultKey, - connect.WithSchema(keyAccessServerRegistryServiceSetDefaultKeyMethodDescriptor), + keyAccessServerRegistryServiceSetBaseKeyHandler := connect.NewUnaryHandler( + KeyAccessServerRegistryServiceSetBaseKeyProcedure, + svc.SetBaseKey, + connect.WithSchema(keyAccessServerRegistryServiceSetBaseKeyMethodDescriptor), connect.WithHandlerOptions(opts...), ) - keyAccessServerRegistryServiceGetDefaultKeysHandler := connect.NewUnaryHandler( - KeyAccessServerRegistryServiceGetDefaultKeysProcedure, - svc.GetDefaultKeys, - connect.WithSchema(keyAccessServerRegistryServiceGetDefaultKeysMethodDescriptor), + keyAccessServerRegistryServiceGetBaseKeyHandler := connect.NewUnaryHandler( + KeyAccessServerRegistryServiceGetBaseKeyProcedure, + svc.GetBaseKey, + connect.WithSchema(keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor), connect.WithHandlerOptions(opts...), ) return "/policy.kasregistry.KeyAccessServerRegistryService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 
@@ -440,10 +440,10 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService keyAccessServerRegistryServiceUpdateKeyHandler.ServeHTTP(w, r) case KeyAccessServerRegistryServiceRotateKeyProcedure: keyAccessServerRegistryServiceRotateKeyHandler.ServeHTTP(w, r) - case KeyAccessServerRegistryServiceSetDefaultKeyProcedure: - keyAccessServerRegistryServiceSetDefaultKeyHandler.ServeHTTP(w, r) - case KeyAccessServerRegistryServiceGetDefaultKeysProcedure: - keyAccessServerRegistryServiceGetDefaultKeysHandler.ServeHTTP(w, r) + case KeyAccessServerRegistryServiceSetBaseKeyProcedure: + keyAccessServerRegistryServiceSetBaseKeyHandler.ServeHTTP(w, r) + case KeyAccessServerRegistryServiceGetBaseKeyProcedure: + keyAccessServerRegistryServiceGetBaseKeyHandler.ServeHTTP(w, r) default: http.NotFound(w, r) } 
@@ -497,10 +497,10 @@ func (UnimplementedKeyAccessServerRegistryServiceHandler) RotateKey(context.Cont return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.RotateKey is not implemented")) } -func (UnimplementedKeyAccessServerRegistryServiceHandler) SetDefaultKey(context.Context, *connect.Request[kasregistry.SetDefaultKeyRequest]) (*connect.Response[kasregistry.SetDefaultKeyResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey is not implemented")) +func (UnimplementedKeyAccessServerRegistryServiceHandler) SetBaseKey(context.Context, *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey is not implemented")) } -func (UnimplementedKeyAccessServerRegistryServiceHandler) GetDefaultKeys(context.Context, *connect.Request[kasregistry.GetDefaultKeysRequest]) (*connect.Response[kasregistry.GetDefaultKeysResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys is not implemented")) +func (UnimplementedKeyAccessServerRegistryServiceHandler) GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey is not implemented")) } diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go index 399e7010d9..43011d0c7d 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go 
+++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go @@ -24,55 +24,6 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -type TdfType int32 - -const ( - TdfType_TDF_TYPE_UNSPECIFIED TdfType = 0 - TdfType_TDF_TYPE_ZTDF TdfType = 1 - TdfType_TDF_TYPE_NANO TdfType = 2 -) - -// Enum value maps for TdfType. -var ( - TdfType_name = map[int32]string{ - 0: "TDF_TYPE_UNSPECIFIED", - 1: "TDF_TYPE_ZTDF", - 2: "TDF_TYPE_NANO", - } - TdfType_value = map[string]int32{ - "TDF_TYPE_UNSPECIFIED": 0, - "TDF_TYPE_ZTDF": 1, - "TDF_TYPE_NANO": 2, - } -) - -func (x TdfType) Enum() *TdfType { - p := new(TdfType) - *p = x - return p -} - -func (x TdfType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (TdfType) Descriptor() protoreflect.EnumDescriptor { - return file_policy_kasregistry_key_access_server_registry_proto_enumTypes[0].Descriptor() -} - -func (TdfType) Type() protoreflect.EnumType { - return &file_policy_kasregistry_key_access_server_registry_proto_enumTypes[0] -} - -func (x TdfType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use TdfType.Descriptor instead. -func (TdfType) EnumDescriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{0} -} - type GetKeyAccessServerRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -2817,12 +2768,9 @@ func (x *RotateKeyResponse) GetRotatedResources() *RotatedResources { return nil } -// Sets the specified key as the default key for the Key Access Server +// Sets the specified key as the base key for the Key Access Server // Note: The key must be active. -// Side effects: -// -// If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key. -type SetDefaultKeyRequest struct { +type SetBaseKeyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -2831,15 +2779,13 @@ type SetDefaultKeyRequest struct { // // Types that are assignable to ActiveKey: // - // *SetDefaultKeyRequest_Id - // *SetDefaultKeyRequest_Key - ActiveKey isSetDefaultKeyRequest_ActiveKey `protobuf_oneof:"active_key"` - // Required - TdfType TdfType `protobuf:"varint,3,opt,name=tdf_type,json=tdfType,proto3,enum=policy.kasregistry.TdfType" json:"tdf_type,omitempty"` // The type of TDF (e.g., ZTDF, Nano) + // *SetBaseKeyRequest_Id + // *SetBaseKeyRequest_Key + ActiveKey isSetBaseKeyRequest_ActiveKey `protobuf_oneof:"active_key"` } -func (x *SetDefaultKeyRequest) Reset() { - *x = SetDefaultKeyRequest{} +func (x *SetBaseKeyRequest) Reset() { + *x = SetBaseKeyRequest{} if protoimpl.UnsafeEnabled { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -2847,13 +2793,13 @@ func (x *SetDefaultKeyRequest) Reset() { } } -func (x *SetDefaultKeyRequest) String() string { +func (x *SetBaseKeyRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*SetDefaultKeyRequest) ProtoMessage() {} +func (*SetBaseKeyRequest) ProtoMessage() {} -func (x *SetDefaultKeyRequest) ProtoReflect() protoreflect.Message { +func (x *SetBaseKeyRequest) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -2865,58 +2811,51 @@ func (x *SetDefaultKeyRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use SetDefaultKeyRequest.ProtoReflect.Descriptor instead. -func (*SetDefaultKeyRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use SetBaseKeyRequest.ProtoReflect.Descriptor instead. +func (*SetBaseKeyRequest) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{41} } -func (m *SetDefaultKeyRequest) GetActiveKey() isSetDefaultKeyRequest_ActiveKey { +func (m *SetBaseKeyRequest) GetActiveKey() isSetBaseKeyRequest_ActiveKey { if m != nil { return m.ActiveKey } return nil } -func (x *SetDefaultKeyRequest) GetId() string { - if x, ok := x.GetActiveKey().(*SetDefaultKeyRequest_Id); ok { +func (x *SetBaseKeyRequest) GetId() string { + if x, ok := x.GetActiveKey().(*SetBaseKeyRequest_Id); ok { return x.Id } return "" } -func (x *SetDefaultKeyRequest) GetKey() *KasKeyIdentifier { - if x, ok := x.GetActiveKey().(*SetDefaultKeyRequest_Key); ok { +func (x *SetBaseKeyRequest) GetKey() *KasKeyIdentifier { + if x, ok := x.GetActiveKey().(*SetBaseKeyRequest_Key); ok { return x.Key } return nil } -func (x *SetDefaultKeyRequest) GetTdfType() TdfType { - if x != nil { - return x.TdfType - } - return TdfType_TDF_TYPE_UNSPECIFIED -} - -type isSetDefaultKeyRequest_ActiveKey interface { - isSetDefaultKeyRequest_ActiveKey() +type isSetBaseKeyRequest_ActiveKey interface { + isSetBaseKeyRequest_ActiveKey() } -type SetDefaultKeyRequest_Id struct { +type SetBaseKeyRequest_Id struct { // Current Key UUID tp be set as default Id string `protobuf:"bytes,1,opt,name=id,proto3,oneof"` } -type SetDefaultKeyRequest_Key struct { +type SetBaseKeyRequest_Key struct { // Alternative way to specify the key using KAS ID and Key ID Key *KasKeyIdentifier `protobuf:"bytes,2,opt,name=key,proto3,oneof"` } -func (*SetDefaultKeyRequest_Id) isSetDefaultKeyRequest_ActiveKey() {} +func (*SetBaseKeyRequest_Id) 
isSetBaseKeyRequest_ActiveKey() {} -func (*SetDefaultKeyRequest_Key) isSetDefaultKeyRequest_ActiveKey() {} +func (*SetBaseKeyRequest_Key) isSetBaseKeyRequest_ActiveKey() {} -type DefaultKasPublicKey struct { +type SimpleKasPublicKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -2926,8 +2865,8 @@ type DefaultKasPublicKey struct { Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"` } -func (x *DefaultKasPublicKey) Reset() { - *x = DefaultKasPublicKey{} +func (x *SimpleKasPublicKey) Reset() { + *x = SimpleKasPublicKey{} if protoimpl.UnsafeEnabled { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -2935,13 +2874,13 @@ func (x *DefaultKasPublicKey) Reset() { } } -func (x *DefaultKasPublicKey) String() string { +func (x *SimpleKasPublicKey) String() string { return protoimpl.X.MessageStringOf(x) } -func (*DefaultKasPublicKey) ProtoMessage() {} +func (*SimpleKasPublicKey) ProtoMessage() {} -func (x *DefaultKasPublicKey) ProtoReflect() protoreflect.Message { +func (x *SimpleKasPublicKey) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -2953,44 +2892,43 @@ func (x *DefaultKasPublicKey) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use DefaultKasPublicKey.ProtoReflect.Descriptor instead. -func (*DefaultKasPublicKey) Descriptor() ([]byte, []int) { +// Deprecated: Use SimpleKasPublicKey.ProtoReflect.Descriptor instead. +func (*SimpleKasPublicKey) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{42} } -func (x *DefaultKasPublicKey) GetAlgorithm() string { +func (x *SimpleKasPublicKey) GetAlgorithm() string { if x != nil { return x.Algorithm } return "" } -func (x *DefaultKasPublicKey) GetKid() string { +func (x *SimpleKasPublicKey) GetKid() string { if x != nil { return x.Kid } return "" } -func (x *DefaultKasPublicKey) GetPem() string { +func (x *SimpleKasPublicKey) GetPem() string { if x != nil { return x.Pem } return "" } -type DefaultKasKey struct { +type SimpleKasKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - TdfType string `protobuf:"bytes,1,opt,name=tdf_type,json=tdfType,proto3" json:"tdf_type,omitempty"` // The type of TDF (e.g., ZTDF, Nano) - KasUri string `protobuf:"bytes,2,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` // The URL of the Key Access Server - PublicKey *DefaultKasPublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The public key of the Key that belongs to the KAS + KasUri string `protobuf:"bytes,1,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` // The URL of the Key Access Server + PublicKey *SimpleKasPublicKey `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The public key of the Key that belongs to the KAS } -func (x *DefaultKasKey) Reset() { - *x = DefaultKasKey{} +func (x *SimpleKasKey) Reset() { + *x = SimpleKasKey{} if protoimpl.UnsafeEnabled { mi := 
&file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -2998,13 +2936,13 @@ func (x *DefaultKasKey) Reset() { } } -func (x *DefaultKasKey) String() string { +func (x *SimpleKasKey) String() string { return protoimpl.X.MessageStringOf(x) } -func (*DefaultKasKey) ProtoMessage() {} +func (*SimpleKasKey) ProtoMessage() {} -func (x *DefaultKasKey) ProtoReflect() protoreflect.Message { +func (x *SimpleKasKey) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -3016,40 +2954,33 @@ func (x *DefaultKasKey) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use DefaultKasKey.ProtoReflect.Descriptor instead. -func (*DefaultKasKey) Descriptor() ([]byte, []int) { +// Deprecated: Use SimpleKasKey.ProtoReflect.Descriptor instead. +func (*SimpleKasKey) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{43} } -func (x *DefaultKasKey) GetTdfType() string { - if x != nil { - return x.TdfType - } - return "" -} - -func (x *DefaultKasKey) GetKasUri() string { +func (x *SimpleKasKey) GetKasUri() string { if x != nil { return x.KasUri } return "" } -func (x *DefaultKasKey) GetPublicKey() *DefaultKasPublicKey { +func (x *SimpleKasKey) GetPublicKey() *SimpleKasPublicKey { if x != nil { return x.PublicKey } return nil } -type GetDefaultKeysRequest struct { +type GetBaseKeyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields } -func (x *GetDefaultKeysRequest) Reset() { - *x = GetDefaultKeysRequest{} +func (x *GetBaseKeyRequest) Reset() { + *x = GetBaseKeyRequest{} if protoimpl.UnsafeEnabled { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -3057,13 +2988,13 @@ func (x *GetDefaultKeysRequest) Reset() { } } -func (x *GetDefaultKeysRequest) String() string { +func (x *GetBaseKeyRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*GetDefaultKeysRequest) ProtoMessage() {} +func (*GetBaseKeyRequest) ProtoMessage() {} -func (x *GetDefaultKeysRequest) ProtoReflect() protoreflect.Message { +func (x *GetBaseKeyRequest) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -3075,21 +3006,21 @@ func (x *GetDefaultKeysRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use GetDefaultKeysRequest.ProtoReflect.Descriptor instead. -func (*GetDefaultKeysRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use GetBaseKeyRequest.ProtoReflect.Descriptor instead. +func (*GetBaseKeyRequest) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{44} } -type GetDefaultKeysResponse struct { +type GetBaseKeyResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - DefaultKasKeys []*DefaultKasKey `protobuf:"bytes,1,rep,name=default_kas_keys,json=defaultKasKeys,proto3" json:"default_kas_keys,omitempty"` // The list of default keys + BaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=base_key,json=baseKey,proto3" json:"base_key,omitempty"` // The list of default keys } -func (x *GetDefaultKeysResponse) Reset() { - *x = GetDefaultKeysResponse{} +func (x *GetBaseKeyResponse) Reset() { + *x = GetBaseKeyResponse{} if protoimpl.UnsafeEnabled { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -3097,13 +3028,13 @@ func (x *GetDefaultKeysResponse) Reset() { } } -func (x *GetDefaultKeysResponse) String() string { +func (x *GetBaseKeyResponse) String() string { return protoimpl.X.MessageStringOf(x) } -func (*GetDefaultKeysResponse) ProtoMessage() {} +func (*GetBaseKeyResponse) ProtoMessage() {} -func (x *GetDefaultKeysResponse) ProtoReflect() protoreflect.Message { +func (x *GetBaseKeyResponse) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -3115,29 +3046,29 @@ func (x *GetDefaultKeysResponse) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use GetDefaultKeysResponse.ProtoReflect.Descriptor instead. -func (*GetDefaultKeysResponse) Descriptor() ([]byte, []int) { +// Deprecated: Use GetBaseKeyResponse.ProtoReflect.Descriptor instead. +func (*GetBaseKeyResponse) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{45} } -func (x *GetDefaultKeysResponse) GetDefaultKasKeys() []*DefaultKasKey { +func (x *GetBaseKeyResponse) GetBaseKey() *SimpleKasKey { if x != nil { - return x.DefaultKasKeys + return x.BaseKey } return nil } -type SetDefaultKeyResponse struct { +type SetBaseKeyResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - NewDefaultKasKey *DefaultKasKey `protobuf:"bytes,1,opt,name=new_default_kas_key,json=newDefaultKasKey,proto3" json:"new_default_kas_key,omitempty"` // The key that was set as default - PreviousDefaultKasKey *DefaultKasKey `protobuf:"bytes,2,opt,name=previous_default_kas_key,json=previousDefaultKasKey,proto3" json:"previous_default_kas_key,omitempty"` // The previous default key, if any + NewBaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=new_base_key,json=newBaseKey,proto3" json:"new_base_key,omitempty"` // The key that was set as base + PreviousBaseKey *SimpleKasKey `protobuf:"bytes,2,opt,name=previous_base_key,json=previousBaseKey,proto3" json:"previous_base_key,omitempty"` // The previous base key, if any } -func (x *SetDefaultKeyResponse) Reset() { - *x = SetDefaultKeyResponse{} +func (x *SetBaseKeyResponse) Reset() { + *x = SetBaseKeyResponse{} if protoimpl.UnsafeEnabled { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -3145,13 +3076,13 @@ func (x *SetDefaultKeyResponse) Reset() { } } -func (x *SetDefaultKeyResponse) String() string { +func (x *SetBaseKeyResponse) String() string { return protoimpl.X.MessageStringOf(x) } -func (*SetDefaultKeyResponse) ProtoMessage() {} +func (*SetBaseKeyResponse) ProtoMessage() {} -func (x *SetDefaultKeyResponse) ProtoReflect() protoreflect.Message { +func (x *SetBaseKeyResponse) ProtoReflect() protoreflect.Message { mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -3163,21 +3094,21 @@ func (x *SetDefaultKeyResponse) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use SetDefaultKeyResponse.ProtoReflect.Descriptor instead. -func (*SetDefaultKeyResponse) Descriptor() ([]byte, []int) { +// Deprecated: Use SetBaseKeyResponse.ProtoReflect.Descriptor instead. +func (*SetBaseKeyResponse) Descriptor() ([]byte, []int) { return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{46} } -func (x *SetDefaultKeyResponse) GetNewDefaultKasKey() *DefaultKasKey { +func (x *SetBaseKeyResponse) GetNewBaseKey() *SimpleKasKey { if x != nil { - return x.NewDefaultKasKey + return x.NewBaseKey } return nil } -func (x *SetDefaultKeyResponse) GetPreviousDefaultKasKey() *DefaultKasKey { +func (x *SetBaseKeyResponse) GetPreviousBaseKey() *SimpleKasKey { if x != nil { - return x.PreviousDefaultKasKey + return x.PreviousBaseKey } return nil } 
@@ -4258,177 +4189,161 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x10, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x73, 0x22, 0xc5, 0x01, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, - 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x02, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, - 0x48, 0x00, 0x52, 0x02, 0x69, 0x64, 0x12, 0x38, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x42, 0x0a, 0x08, 0x74, 0x64, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x54, 0x64, 0x66, 0x54, 0x79, 0x70, 0x65, 0x42, - 0x0a, 0xba, 0x48, 0x07, 0x82, 0x01, 0x04, 0x18, 0x01, 0x18, 0x02, 0x52, 0x07, 0x74, 0x64, 0x66, - 0x54, 0x79, 0x70, 0x65, 0x42, 0x13, 0x0a, 0x0a, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x6b, - 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x22, 0x57, 0x0a, 0x13, 0x44, 0x65, 0x66, - 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, - 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, - 0x65, 0x6d, 0x22, 0x8b, 0x01, 0x0a, 0x0d, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, - 0x73, 0x4b, 0x65, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x64, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x74, 0x64, 0x66, 0x54, 0x79, 0x70, 0x65, 0x12, - 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x12, 0x46, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x22, 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, - 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x65, 0x0a, 0x16, 0x47, 0x65, 0x74, - 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x10, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, - 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, - 0x52, 0x0e, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, - 0x22, 0xc5, 0x01, 0x0a, 0x15, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x50, 
0x0a, 0x13, 0x6e, 0x65, - 0x77, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x66, - 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x10, 0x6e, 0x65, 0x77, 0x44, - 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x5a, 0x0a, 0x18, - 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, - 0x5f, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, + 0x73, 0x22, 0x7e, 0x0a, 0x11, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x48, 0x00, 0x52, 0x02, + 0x69, 0x64, 0x12, 0x38, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x42, 0x13, 0x0a, 0x0a, + 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, + 0x01, 0x22, 0x56, 0x0a, 0x12, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, + 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, + 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, + 0x20, 0x01, 
0x28, 0x09, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x6e, 0x0a, 0x0c, 0x53, 0x69, 0x6d, + 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, + 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, + 0x72, 0x69, 0x12, 0x45, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, + 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0x13, 0x0a, 0x11, 0x47, 0x65, 0x74, + 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x51, + 0x0a, 0x12, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3b, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, + 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, 0x4b, 0x65, + 0x79, 0x22, 0xa6, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x42, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x5f, + 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, - 0x79, 0x52, 0x15, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x44, 0x65, 0x66, 0x61, 0x75, - 0x6c, 0x74, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x2a, 
0x49, 0x0a, 0x07, 0x54, 0x64, 0x66, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x11, 0x0a, - 0x0d, 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x5a, 0x54, 0x44, 0x46, 0x10, 0x01, - 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x44, 0x46, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4e, 0x41, 0x4e, - 0x4f, 0x10, 0x02, 0x32, 0x80, 0x0d, 0x0a, 0x1e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, - 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, - 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, - 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, - 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 
0x65, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, + 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, + 0x52, 0x0a, 0x6e, 0x65, 0x77, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x4c, 0x0a, 0x11, + 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, + 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76, 0x69, + 0x6f, 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xeb, 0x0c, 0x0a, 0x1e, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, + 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, - 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x73, 
0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, - 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, - 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 
0x2f, 0x7b, 0x69, 0x64, 0x7d, - 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, + 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, + 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, - 0x7d, 0x12, 
0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, - 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, - 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, - 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, - 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, - 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, - 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, - 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 
0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, + 0x7d, 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, - 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, - 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, - 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 
0x73, - 0x65, 0x22, 0x00, 0x12, 0x66, 0x0a, 0x0d, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, - 0x74, 0x4b, 0x65, 0x79, 0x12, 0x28, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, - 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, - 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x69, 0x0a, 0x0e, 0x47, - 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x29, 0x2e, + 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, + 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, - 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 
0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, - 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, + 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, + 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, + 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, 0x01, 
0x0a, 0x19, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, + 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, - 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, - 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, - 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, - 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 
0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, + 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, + 0x12, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, + 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, + 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 
0x65, 0x4b, 0x65, 0x79, 0x12, + 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, + 0x0a, 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, + 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, + 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, + 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, + 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, + 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, + 0x2e, 
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, + 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, + 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -4443,185 +4358,182 @@ func file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP() []by return file_policy_kasregistry_key_access_server_registry_proto_rawDescData } -var file_policy_kasregistry_key_access_server_registry_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 51) var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interface{}{ - (TdfType)(0), // 0: policy.kasregistry.TdfType - (*GetKeyAccessServerRequest)(nil), // 1: policy.kasregistry.GetKeyAccessServerRequest - (*GetKeyAccessServerResponse)(nil), // 2: policy.kasregistry.GetKeyAccessServerResponse - (*ListKeyAccessServersRequest)(nil), // 3: policy.kasregistry.ListKeyAccessServersRequest - (*ListKeyAccessServersResponse)(nil), // 4: policy.kasregistry.ListKeyAccessServersResponse - (*CreateKeyAccessServerRequest)(nil), // 5: policy.kasregistry.CreateKeyAccessServerRequest - (*CreateKeyAccessServerResponse)(nil), // 6: policy.kasregistry.CreateKeyAccessServerResponse - (*UpdateKeyAccessServerRequest)(nil), // 7: policy.kasregistry.UpdateKeyAccessServerRequest - (*UpdateKeyAccessServerResponse)(nil), // 8: policy.kasregistry.UpdateKeyAccessServerResponse - (*DeleteKeyAccessServerRequest)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerRequest - (*DeleteKeyAccessServerResponse)(nil), // 10: policy.kasregistry.DeleteKeyAccessServerResponse - (*GrantedPolicyObject)(nil), // 11: policy.kasregistry.GrantedPolicyObject - (*KeyAccessServerGrants)(nil), // 12: policy.kasregistry.KeyAccessServerGrants - (*CreatePublicKeyRequest)(nil), // 13: policy.kasregistry.CreatePublicKeyRequest - (*CreatePublicKeyResponse)(nil), // 14: policy.kasregistry.CreatePublicKeyResponse - (*GetPublicKeyRequest)(nil), // 15: policy.kasregistry.GetPublicKeyRequest - (*GetPublicKeyResponse)(nil), // 16: policy.kasregistry.GetPublicKeyResponse - (*ListPublicKeysRequest)(nil), // 17: 
policy.kasregistry.ListPublicKeysRequest - (*ListPublicKeysResponse)(nil), // 18: policy.kasregistry.ListPublicKeysResponse - (*ListPublicKeyMappingRequest)(nil), // 19: policy.kasregistry.ListPublicKeyMappingRequest - (*ListPublicKeyMappingResponse)(nil), // 20: policy.kasregistry.ListPublicKeyMappingResponse - (*UpdatePublicKeyRequest)(nil), // 21: policy.kasregistry.UpdatePublicKeyRequest - (*UpdatePublicKeyResponse)(nil), // 22: policy.kasregistry.UpdatePublicKeyResponse - (*DeactivatePublicKeyRequest)(nil), // 23: policy.kasregistry.DeactivatePublicKeyRequest - (*DeactivatePublicKeyResponse)(nil), // 24: policy.kasregistry.DeactivatePublicKeyResponse - (*ActivatePublicKeyRequest)(nil), // 25: policy.kasregistry.ActivatePublicKeyRequest - (*ActivatePublicKeyResponse)(nil), // 26: policy.kasregistry.ActivatePublicKeyResponse - (*ListKeyAccessServerGrantsRequest)(nil), // 27: policy.kasregistry.ListKeyAccessServerGrantsRequest - (*ListKeyAccessServerGrantsResponse)(nil), // 28: policy.kasregistry.ListKeyAccessServerGrantsResponse - (*CreateKeyRequest)(nil), // 29: policy.kasregistry.CreateKeyRequest - (*CreateKeyResponse)(nil), // 30: policy.kasregistry.CreateKeyResponse - (*GetKeyRequest)(nil), // 31: policy.kasregistry.GetKeyRequest - (*GetKeyResponse)(nil), // 32: policy.kasregistry.GetKeyResponse - (*ListKeysRequest)(nil), // 33: policy.kasregistry.ListKeysRequest - (*ListKeysResponse)(nil), // 34: policy.kasregistry.ListKeysResponse - (*UpdateKeyRequest)(nil), // 35: policy.kasregistry.UpdateKeyRequest - (*UpdateKeyResponse)(nil), // 36: policy.kasregistry.UpdateKeyResponse - (*KasKeyIdentifier)(nil), // 37: policy.kasregistry.KasKeyIdentifier - (*RotateKeyRequest)(nil), // 38: policy.kasregistry.RotateKeyRequest - (*ChangeMappings)(nil), // 39: policy.kasregistry.ChangeMappings - (*RotatedResources)(nil), // 40: policy.kasregistry.RotatedResources - (*RotateKeyResponse)(nil), // 41: policy.kasregistry.RotateKeyResponse - (*SetDefaultKeyRequest)(nil), // 42: 
policy.kasregistry.SetDefaultKeyRequest - (*DefaultKasPublicKey)(nil), // 43: policy.kasregistry.DefaultKasPublicKey - (*DefaultKasKey)(nil), // 44: policy.kasregistry.DefaultKasKey - (*GetDefaultKeysRequest)(nil), // 45: policy.kasregistry.GetDefaultKeysRequest - (*GetDefaultKeysResponse)(nil), // 46: policy.kasregistry.GetDefaultKeysResponse - (*SetDefaultKeyResponse)(nil), // 47: policy.kasregistry.SetDefaultKeyResponse - (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 48: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - (*ListPublicKeyMappingResponse_PublicKey)(nil), // 49: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - (*ListPublicKeyMappingResponse_Association)(nil), // 50: policy.kasregistry.ListPublicKeyMappingResponse.Association - (*RotateKeyRequest_NewKey)(nil), // 51: policy.kasregistry.RotateKeyRequest.NewKey - (*policy.KeyAccessServer)(nil), // 52: policy.KeyAccessServer - (*policy.PageRequest)(nil), // 53: policy.PageRequest - (*policy.PageResponse)(nil), // 54: policy.PageResponse - (*policy.PublicKey)(nil), // 55: policy.PublicKey - (policy.SourceType)(0), // 56: policy.SourceType - (*common.MetadataMutable)(nil), // 57: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 58: common.MetadataUpdateEnum - (*policy.KasPublicKey)(nil), // 59: policy.KasPublicKey - (*policy.Key)(nil), // 60: policy.Key - (policy.Algorithm)(0), // 61: policy.Algorithm - (policy.KeyMode)(0), // 62: policy.KeyMode - (*policy.KasPublicKeyCtx)(nil), // 63: policy.KasPublicKeyCtx - (*policy.KasPrivateKeyCtx)(nil), // 64: policy.KasPrivateKeyCtx - (*policy.KasKey)(nil), // 65: policy.KasKey - (policy.KeyStatus)(0), // 66: policy.KeyStatus + (*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest + (*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse + (*ListKeyAccessServersRequest)(nil), // 2: policy.kasregistry.ListKeyAccessServersRequest + 
(*ListKeyAccessServersResponse)(nil), // 3: policy.kasregistry.ListKeyAccessServersResponse + (*CreateKeyAccessServerRequest)(nil), // 4: policy.kasregistry.CreateKeyAccessServerRequest + (*CreateKeyAccessServerResponse)(nil), // 5: policy.kasregistry.CreateKeyAccessServerResponse + (*UpdateKeyAccessServerRequest)(nil), // 6: policy.kasregistry.UpdateKeyAccessServerRequest + (*UpdateKeyAccessServerResponse)(nil), // 7: policy.kasregistry.UpdateKeyAccessServerResponse + (*DeleteKeyAccessServerRequest)(nil), // 8: policy.kasregistry.DeleteKeyAccessServerRequest + (*DeleteKeyAccessServerResponse)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerResponse + (*GrantedPolicyObject)(nil), // 10: policy.kasregistry.GrantedPolicyObject + (*KeyAccessServerGrants)(nil), // 11: policy.kasregistry.KeyAccessServerGrants + (*CreatePublicKeyRequest)(nil), // 12: policy.kasregistry.CreatePublicKeyRequest + (*CreatePublicKeyResponse)(nil), // 13: policy.kasregistry.CreatePublicKeyResponse + (*GetPublicKeyRequest)(nil), // 14: policy.kasregistry.GetPublicKeyRequest + (*GetPublicKeyResponse)(nil), // 15: policy.kasregistry.GetPublicKeyResponse + (*ListPublicKeysRequest)(nil), // 16: policy.kasregistry.ListPublicKeysRequest + (*ListPublicKeysResponse)(nil), // 17: policy.kasregistry.ListPublicKeysResponse + (*ListPublicKeyMappingRequest)(nil), // 18: policy.kasregistry.ListPublicKeyMappingRequest + (*ListPublicKeyMappingResponse)(nil), // 19: policy.kasregistry.ListPublicKeyMappingResponse + (*UpdatePublicKeyRequest)(nil), // 20: policy.kasregistry.UpdatePublicKeyRequest + (*UpdatePublicKeyResponse)(nil), // 21: policy.kasregistry.UpdatePublicKeyResponse + (*DeactivatePublicKeyRequest)(nil), // 22: policy.kasregistry.DeactivatePublicKeyRequest + (*DeactivatePublicKeyResponse)(nil), // 23: policy.kasregistry.DeactivatePublicKeyResponse + (*ActivatePublicKeyRequest)(nil), // 24: policy.kasregistry.ActivatePublicKeyRequest + (*ActivatePublicKeyResponse)(nil), // 25: 
policy.kasregistry.ActivatePublicKeyResponse + (*ListKeyAccessServerGrantsRequest)(nil), // 26: policy.kasregistry.ListKeyAccessServerGrantsRequest + (*ListKeyAccessServerGrantsResponse)(nil), // 27: policy.kasregistry.ListKeyAccessServerGrantsResponse + (*CreateKeyRequest)(nil), // 28: policy.kasregistry.CreateKeyRequest + (*CreateKeyResponse)(nil), // 29: policy.kasregistry.CreateKeyResponse + (*GetKeyRequest)(nil), // 30: policy.kasregistry.GetKeyRequest + (*GetKeyResponse)(nil), // 31: policy.kasregistry.GetKeyResponse + (*ListKeysRequest)(nil), // 32: policy.kasregistry.ListKeysRequest + (*ListKeysResponse)(nil), // 33: policy.kasregistry.ListKeysResponse + (*UpdateKeyRequest)(nil), // 34: policy.kasregistry.UpdateKeyRequest + (*UpdateKeyResponse)(nil), // 35: policy.kasregistry.UpdateKeyResponse + (*KasKeyIdentifier)(nil), // 36: policy.kasregistry.KasKeyIdentifier + (*RotateKeyRequest)(nil), // 37: policy.kasregistry.RotateKeyRequest + (*ChangeMappings)(nil), // 38: policy.kasregistry.ChangeMappings + (*RotatedResources)(nil), // 39: policy.kasregistry.RotatedResources + (*RotateKeyResponse)(nil), // 40: policy.kasregistry.RotateKeyResponse + (*SetBaseKeyRequest)(nil), // 41: policy.kasregistry.SetBaseKeyRequest + (*SimpleKasPublicKey)(nil), // 42: policy.kasregistry.SimpleKasPublicKey + (*SimpleKasKey)(nil), // 43: policy.kasregistry.SimpleKasKey + (*GetBaseKeyRequest)(nil), // 44: policy.kasregistry.GetBaseKeyRequest + (*GetBaseKeyResponse)(nil), // 45: policy.kasregistry.GetBaseKeyResponse + (*SetBaseKeyResponse)(nil), // 46: policy.kasregistry.SetBaseKeyResponse + (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 47: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + (*ListPublicKeyMappingResponse_PublicKey)(nil), // 48: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + (*ListPublicKeyMappingResponse_Association)(nil), // 49: policy.kasregistry.ListPublicKeyMappingResponse.Association + (*RotateKeyRequest_NewKey)(nil), 
// 50: policy.kasregistry.RotateKeyRequest.NewKey + (*policy.KeyAccessServer)(nil), // 51: policy.KeyAccessServer + (*policy.PageRequest)(nil), // 52: policy.PageRequest + (*policy.PageResponse)(nil), // 53: policy.PageResponse + (*policy.PublicKey)(nil), // 54: policy.PublicKey + (policy.SourceType)(0), // 55: policy.SourceType + (*common.MetadataMutable)(nil), // 56: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 57: common.MetadataUpdateEnum + (*policy.KasPublicKey)(nil), // 58: policy.KasPublicKey + (*policy.Key)(nil), // 59: policy.Key + (policy.Algorithm)(0), // 60: policy.Algorithm + (policy.KeyMode)(0), // 61: policy.KeyMode + (*policy.KasPublicKeyCtx)(nil), // 62: policy.KasPublicKeyCtx + (*policy.KasPrivateKeyCtx)(nil), // 63: policy.KasPrivateKeyCtx + (*policy.KasKey)(nil), // 64: policy.KasKey + (policy.KeyStatus)(0), // 65: policy.KeyStatus } var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{ - 52, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 53, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest - 52, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer - 54, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse - 55, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 56, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 57, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 52, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 55, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 56, // 9: 
policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 57, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 58, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 52, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 52, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 52, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer - 11, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 11, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 11, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 59, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey - 57, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 60, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key - 60, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key - 53, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest - 60, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key - 54, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse - 53, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest - 48, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - 54, // 27: 
policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse - 57, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 58, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 60, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key - 60, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key - 60, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key - 53, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest - 12, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants - 54, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse - 61, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm - 62, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode - 63, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.KasPublicKeyCtx - 64, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.KasPrivateKeyCtx - 57, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable - 65, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey - 37, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 65, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey - 61, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm - 53, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest - 65, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey - 54, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> 
policy.PageResponse - 66, // 48: policy.kasregistry.UpdateKeyRequest.key_status:type_name -> policy.KeyStatus - 57, // 49: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable - 58, // 50: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 65, // 51: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey - 37, // 52: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 51, // 53: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey - 65, // 54: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey - 39, // 55: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> policy.kasregistry.ChangeMappings - 39, // 56: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings - 39, // 57: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings - 65, // 58: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey - 40, // 59: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources - 37, // 60: policy.kasregistry.SetDefaultKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 0, // 61: policy.kasregistry.SetDefaultKeyRequest.tdf_type:type_name -> policy.kasregistry.TdfType - 43, // 62: policy.kasregistry.DefaultKasKey.public_key:type_name -> policy.kasregistry.DefaultKasPublicKey - 44, // 63: policy.kasregistry.GetDefaultKeysResponse.default_kas_keys:type_name -> policy.kasregistry.DefaultKasKey - 44, // 64: policy.kasregistry.SetDefaultKeyResponse.new_default_kas_key:type_name -> policy.kasregistry.DefaultKasKey - 44, // 65: policy.kasregistry.SetDefaultKeyResponse.previous_default_kas_key:type_name -> policy.kasregistry.DefaultKasKey - 49, // 66: 
policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - 60, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key - 50, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 50, // 69: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 50, // 70: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm - 62, // 72: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode - 63, // 73: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.KasPublicKeyCtx - 64, // 74: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.KasPrivateKeyCtx - 57, // 75: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable - 3, // 76: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest - 1, // 77: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest - 5, // 78: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest - 7, // 79: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest - 9, // 80: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest - 27, // 81: 
policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest - 29, // 82: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest - 31, // 83: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest - 33, // 84: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest - 35, // 85: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest - 38, // 86: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest - 42, // 87: policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey:input_type -> policy.kasregistry.SetDefaultKeyRequest - 45, // 88: policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys:input_type -> policy.kasregistry.GetDefaultKeysRequest - 4, // 89: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse - 2, // 90: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse - 6, // 91: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse - 8, // 92: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse - 10, // 93: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse - 28, // 94: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse - 30, // 95: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> 
policy.kasregistry.CreateKeyResponse - 32, // 96: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse - 34, // 97: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse - 36, // 98: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse - 41, // 99: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse - 47, // 100: policy.kasregistry.KeyAccessServerRegistryService.SetDefaultKey:output_type -> policy.kasregistry.SetDefaultKeyResponse - 46, // 101: policy.kasregistry.KeyAccessServerRegistryService.GetDefaultKeys:output_type -> policy.kasregistry.GetDefaultKeysResponse - 89, // [89:102] is the sub-list for method output_type - 76, // [76:89] is the sub-list for method input_type - 76, // [76:76] is the sub-list for extension type_name - 76, // [76:76] is the sub-list for extension extendee - 0, // [0:76] is the sub-list for field type_name + 51, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 52, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest + 51, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer + 53, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse + 54, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 55, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 56, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 51, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 54, // 8: 
policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 55, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 56, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 57, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 51, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 51, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 51, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer + 10, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 10, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 10, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 58, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey + 56, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 59, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key + 59, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key + 52, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest + 59, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key + 53, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse + 52, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest + 47, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> 
policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + 53, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse + 56, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 57, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 59, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key + 59, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key + 59, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key + 52, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest + 11, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants + 53, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse + 60, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm + 61, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode + 62, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.KasPublicKeyCtx + 63, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.KasPrivateKeyCtx + 56, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable + 64, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey + 36, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 64, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey + 60, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm + 52, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest + 64, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> 
policy.KasKey + 53, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse + 65, // 48: policy.kasregistry.UpdateKeyRequest.key_status:type_name -> policy.KeyStatus + 56, // 49: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable + 57, // 50: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 64, // 51: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey + 36, // 52: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 50, // 53: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey + 64, // 54: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey + 38, // 55: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> policy.kasregistry.ChangeMappings + 38, // 56: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings + 38, // 57: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings + 64, // 58: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey + 39, // 59: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources + 36, // 60: policy.kasregistry.SetBaseKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier + 42, // 61: policy.kasregistry.SimpleKasKey.public_key:type_name -> policy.kasregistry.SimpleKasPublicKey + 43, // 62: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.kasregistry.SimpleKasKey + 43, // 63: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.kasregistry.SimpleKasKey + 43, // 64: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.kasregistry.SimpleKasKey + 48, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name 
-> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + 59, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key + 49, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 49, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 49, // 69: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 60, // 70: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm + 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode + 62, // 72: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.KasPublicKeyCtx + 63, // 73: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.KasPrivateKeyCtx + 56, // 74: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable + 2, // 75: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest + 0, // 76: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest + 4, // 77: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest + 6, // 78: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest + 8, // 79: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest + 26, // 80: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> 
policy.kasregistry.ListKeyAccessServerGrantsRequest + 28, // 81: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest + 30, // 82: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest + 32, // 83: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest + 34, // 84: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest + 37, // 85: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest + 41, // 86: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest + 44, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest + 3, // 88: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse + 1, // 89: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse + 5, // 90: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse + 7, // 91: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse + 9, // 92: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse + 27, // 93: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse + 29, // 94: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse + 31, // 95: 
policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse + 33, // 96: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse + 35, // 97: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse + 40, // 98: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse + 46, // 99: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse + 45, // 100: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse + 88, // [88:101] is the sub-list for method output_type + 75, // [75:88] is the sub-list for method input_type + 75, // [75:75] is the sub-list for extension type_name + 75, // [75:75] is the sub-list for extension extendee + 0, // [0:75] is the sub-list for field type_name } func init() { file_policy_kasregistry_key_access_server_registry_proto_init() } @@ -5123,7 +5035,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SetDefaultKeyRequest); i { + switch v := v.(*SetBaseKeyRequest); i { case 0: return &v.state case 1: @@ -5135,7 +5047,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefaultKasPublicKey); i { + switch v := v.(*SimpleKasPublicKey); i { case 0: return &v.state case 1: 
@@ -5147,7 +5059,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefaultKasKey); i { + switch v := v.(*SimpleKasKey); i { case 0: return &v.state case 1: @@ -5159,7 +5071,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefaultKeysRequest); i { + switch v := v.(*GetBaseKeyRequest); i { case 0: return &v.state case 1: @@ -5171,7 +5083,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefaultKeysResponse); i { + switch v := v.(*GetBaseKeyResponse); i { case 0: return &v.state case 1: @@ -5183,7 +5095,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SetDefaultKeyResponse); i { + switch v := v.(*SetBaseKeyResponse); i { case 0: return &v.state case 1: 
@@ -5280,22 +5192,21 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { (*RotateKeyRequest_Key)(nil), } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[41].OneofWrappers = []interface{}{ - (*SetDefaultKeyRequest_Id)(nil), - (*SetDefaultKeyRequest_Key)(nil), + (*SetBaseKeyRequest_Id)(nil), + (*SetBaseKeyRequest_Key)(nil), } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_kasregistry_key_access_server_registry_proto_rawDesc, - NumEnums: 1, + NumEnums: 0, NumMessages: 51, NumExtensions: 0, NumServices: 1, }, GoTypes: file_policy_kasregistry_key_access_server_registry_proto_goTypes, DependencyIndexes: file_policy_kasregistry_key_access_server_registry_proto_depIdxs, - EnumInfos: file_policy_kasregistry_key_access_server_registry_proto_enumTypes, MessageInfos: file_policy_kasregistry_key_access_server_registry_proto_msgTypes, }.Build() File_policy_kasregistry_key_access_server_registry_proto = out.File diff --git a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go index d37de0099c..c931a42d77 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go 
@@ -30,8 +30,8 @@ const ( KeyAccessServerRegistryService_ListKeys_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeys" KeyAccessServerRegistryService_UpdateKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/UpdateKey" KeyAccessServerRegistryService_RotateKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/RotateKey" - KeyAccessServerRegistryService_SetDefaultKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/SetDefaultKey" - KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetDefaultKeys" + KeyAccessServerRegistryService_SetBaseKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/SetBaseKey" + KeyAccessServerRegistryService_GetBaseKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey" ) // KeyAccessServerRegistryServiceClient is the client API for KeyAccessServerRegistryService service. @@ -57,9 +57,9 @@ type KeyAccessServerRegistryServiceClient interface { // Request to rotate a key in the Key Access Service. RotateKey(ctx context.Context, in *RotateKeyRequest, opts ...grpc.CallOption) (*RotateKeyResponse, error) // Request to set the default a default kas key. - SetDefaultKey(ctx context.Context, in *SetDefaultKeyRequest, opts ...grpc.CallOption) (*SetDefaultKeyResponse, error) + SetBaseKey(ctx context.Context, in *SetBaseKeyRequest, opts ...grpc.CallOption) (*SetBaseKeyResponse, error) // Get Default kas keys - GetDefaultKeys(ctx context.Context, in *GetDefaultKeysRequest, opts ...grpc.CallOption) (*GetDefaultKeysResponse, error) + GetBaseKey(ctx context.Context, in *GetBaseKeyRequest, opts ...grpc.CallOption) (*GetBaseKeyResponse, error) } type keyAccessServerRegistryServiceClient struct { 
@@ -169,18 +169,18 @@ func (c *keyAccessServerRegistryServiceClient) RotateKey(ctx context.Context, in return out, nil } -func (c *keyAccessServerRegistryServiceClient) SetDefaultKey(ctx context.Context, in *SetDefaultKeyRequest, opts ...grpc.CallOption) (*SetDefaultKeyResponse, error) { - out := new(SetDefaultKeyResponse) - err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_SetDefaultKey_FullMethodName, in, out, opts...) +func (c *keyAccessServerRegistryServiceClient) SetBaseKey(ctx context.Context, in *SetBaseKeyRequest, opts ...grpc.CallOption) (*SetBaseKeyResponse, error) { + out := new(SetBaseKeyResponse) + err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_SetBaseKey_FullMethodName, in, out, opts...) if err != nil { return nil, err } return out, nil } -func (c *keyAccessServerRegistryServiceClient) GetDefaultKeys(ctx context.Context, in *GetDefaultKeysRequest, opts ...grpc.CallOption) (*GetDefaultKeysResponse, error) { - out := new(GetDefaultKeysResponse) - err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName, in, out, opts...) +func (c *keyAccessServerRegistryServiceClient) GetBaseKey(ctx context.Context, in *GetBaseKeyRequest, opts ...grpc.CallOption) (*GetBaseKeyResponse, error) { + out := new(GetBaseKeyResponse) + err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_GetBaseKey_FullMethodName, in, out, opts...) if err != nil { return nil, err } 
@@ -210,9 +210,9 @@ type KeyAccessServerRegistryServiceServer interface { // Request to rotate a key in the Key Access Service. RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error) // Request to set the default a default kas key. - SetDefaultKey(context.Context, *SetDefaultKeyRequest) (*SetDefaultKeyResponse, error) + SetBaseKey(context.Context, *SetBaseKeyRequest) (*SetBaseKeyResponse, error) // Get Default kas keys - GetDefaultKeys(context.Context, *GetDefaultKeysRequest) (*GetDefaultKeysResponse, error) + GetBaseKey(context.Context, *GetBaseKeyRequest) (*GetBaseKeyResponse, error) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() } 
@@ -253,11 +253,11 @@ func (UnimplementedKeyAccessServerRegistryServiceServer) UpdateKey(context.Conte func (UnimplementedKeyAccessServerRegistryServiceServer) RotateKey(context.Context, *RotateKeyRequest) (*RotateKeyResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method RotateKey not implemented") } -func (UnimplementedKeyAccessServerRegistryServiceServer) SetDefaultKey(context.Context, *SetDefaultKeyRequest) (*SetDefaultKeyResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method SetDefaultKey not implemented") +func (UnimplementedKeyAccessServerRegistryServiceServer) SetBaseKey(context.Context, *SetBaseKeyRequest) (*SetBaseKeyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method SetBaseKey not implemented") } -func (UnimplementedKeyAccessServerRegistryServiceServer) GetDefaultKeys(context.Context, *GetDefaultKeysRequest) (*GetDefaultKeysResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetDefaultKeys not implemented") +func (UnimplementedKeyAccessServerRegistryServiceServer) GetBaseKey(context.Context, *GetBaseKeyRequest) (*GetBaseKeyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetBaseKey not implemented") } func (UnimplementedKeyAccessServerRegistryServiceServer) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() { } 
@@ -471,38 +471,38 @@ func _KeyAccessServerRegistryService_RotateKey_Handler(srv interface{}, ctx cont return interceptor(ctx, in, info, handler) } -func _KeyAccessServerRegistryService_SetDefaultKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(SetDefaultKeyRequest) +func _KeyAccessServerRegistryService_SetBaseKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SetBaseKeyRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(KeyAccessServerRegistryServiceServer).SetDefaultKey(ctx, in) + return srv.(KeyAccessServerRegistryServiceServer).SetBaseKey(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: KeyAccessServerRegistryService_SetDefaultKey_FullMethodName, + FullMethod: KeyAccessServerRegistryService_SetBaseKey_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(KeyAccessServerRegistryServiceServer).SetDefaultKey(ctx, req.(*SetDefaultKeyRequest)) + return srv.(KeyAccessServerRegistryServiceServer).SetBaseKey(ctx, req.(*SetBaseKeyRequest)) } return interceptor(ctx, in, info, handler) } -func _KeyAccessServerRegistryService_GetDefaultKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(GetDefaultKeysRequest) +func _KeyAccessServerRegistryService_GetBaseKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetBaseKeyRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(KeyAccessServerRegistryServiceServer).GetDefaultKeys(ctx, in) + return srv.(KeyAccessServerRegistryServiceServer).GetBaseKey(ctx, in) } 
info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: KeyAccessServerRegistryService_GetDefaultKeys_FullMethodName, + FullMethod: KeyAccessServerRegistryService_GetBaseKey_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(KeyAccessServerRegistryServiceServer).GetDefaultKeys(ctx, req.(*GetDefaultKeysRequest)) + return srv.(KeyAccessServerRegistryServiceServer).GetBaseKey(ctx, req.(*GetBaseKeyRequest)) } return interceptor(ctx, in, info, handler) } @@ -559,12 +559,12 @@ var KeyAccessServerRegistryService_ServiceDesc = grpc.ServiceDesc{ Handler: _KeyAccessServerRegistryService_RotateKey_Handler, }, { - MethodName: "SetDefaultKey", - Handler: _KeyAccessServerRegistryService_SetDefaultKey_Handler, + MethodName: "SetBaseKey", + Handler: _KeyAccessServerRegistryService_SetBaseKey_Handler, }, { - MethodName: "GetDefaultKeys", - Handler: _KeyAccessServerRegistryService_GetDefaultKeys_Handler, + MethodName: "GetBaseKey", + Handler: _KeyAccessServerRegistryService_GetBaseKey_Handler, }, }, Streams: []grpc.StreamDesc{}, diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index 11affd70f6..a8c9a59949 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go @@ -292,17 +292,6 @@ func (s *KasRegistryKeySuite) Test_UpdateKey_InvalidKeyId_Fails() { s.Require().ErrorContains(err, db.ErrUUIDInvalid.Error()) } -func (s *KasRegistryKeySuite) Test_UpdateKey_AlreadyActiveKeyWithSameAlgo_Fails() { - req := kasregistry.UpdateKeyRequest{ - Id: s.kasKeys[1].ID, - KeyStatus: policy.KeyStatus_KEY_STATUS_ACTIVE, - } - resp, err := s.db.PolicyClient.UpdateKey(s.ctx, &req) - s.Require().Error(err) - s.Nil(resp) - s.Require().ErrorContains(err, "key cannot be updated") -} - func (s *KasRegistryKeySuite) Test_UpdateKeyStatus_Success() { req := kasregistry.UpdateKeyRequest{ Id: s.kasKeys[1].ID, 
@@ -688,9 +677,9 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { } // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Empty(baseKey) rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) @@ -718,12 +707,12 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoAttributeKeyMapping_Success() { s.Equal(policy.KeyStatus_KEY_STATUS_INACTIVE, oldKey.GetKey().GetKeyStatus()) // Ensure there are no default kas keys after rotation - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err = s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Empty(baseKey) } -func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { +func (s *KasRegistryKeySuite) Test_RotateKey_NoBaseKeyRotated_Success() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { @@ -751,18 +740,17 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { WrappedKey: keyCtx, }, } - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + _, err = s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: keyMap[nonRotateKey].GetKey().GetId(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, }) s.Require().NoError(err) // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Len(defaultKasKeys, 1) + s.Require().NotNil(baseKey) rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) 
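Review bot: `s.Empty(baseKey)` in the `@@ -688` hunk (and again in `@@ -718`) is a weaker check than the `s.Require().Nil(baseKey)` the SetBaseKey tests later in this file use: as I read testify, Empty dereferences a non-nil pointer and passes when the pointee is a zero-value struct, so a GetBaseKey that returned an empty `*SimpleKasKey` instead of nil would pass here while failing the other tests. Use `s.Require().Nil(baseKey)` in both places so the file asserts a single contract for "no base key is set". Test_RotateKey_NoAttributeKeyMapping_Success starts before the first hunk.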
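Review bot: In the `@@ -751` hunk the context comment `// Ensure there is no default key mapping` now sits directly above `s.Require().NotNil(baseKey)`, which asserts the opposite, and the assertion does not check which key became the base key. Replace the comment with `// Ensure the non-rotated key is the base key before rotating` and add `s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), baseKey.GetPublicKey().GetKid())` after the NotNil, so the post-rotation check in the next hunk measures that rotation left the base key untouched rather than that SetBaseKey worked in the first place. Test_RotateKey_NoBaseKeyRotated_Success continues past this hunk.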
@@ -770,13 +758,13 @@ func (s *KasRegistryKeySuite) Test_RotateKey_NoDefaultKeyRotated_Success() { keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) // Check that the rotated in key is now the ZTDF default key. - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err = s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Len(defaultKasKeys, 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) + s.Require().NotNil(baseKey) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), baseKey.GetPublicKey().GetKid()) } -func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { +func (s *KasRegistryKeySuite) Test_RotateKey_BaseKeyRotated_Success() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { 
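Review bot: The context comment `// Check that the rotated in key is now the ZTDF default key.` contradicts the new assertions beneath it, which verify that the non-rotated key is still the base key, and "ZTDF default key" is a concept this commit removes along with TdfType. Suggest `// Check that rotating an unrelated key leaves the base key unchanged.`. Test_RotateKey_NoBaseKeyRotated_Success begins before this hunk and Test_RotateKey_BaseKeyRotated_Success continues after it.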
@@ -806,200 +794,25 @@ func (s *KasRegistryKeySuite) Test_RotateKey_OneDefaultKeyRotated_Success() { } // Set default key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: keyMap[rotateKey].GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, - }) - s.Require().NoError(err) - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: keyMap[nonRotateKey].GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().NoError(err) - - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - - rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) - s.Require().NoError(err) - s.NotNil(rotatedInKey) - keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) - - // Check that the rotated in key is now the ZTDF default key. - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - // Check that rotated in key is the default key. 
- var newRotatedInDefaultKey *kasregistry.DefaultKasKey - var nonRotatedInDefaultKey *kasregistry.DefaultKasKey - for _, defaultKasKey := range defaultKasKeys { - s.NotEqual(defaultKasKey.GetPublicKey().GetKid(), keyMap[rotateKey].GetKey().GetId()) - if defaultKasKey.GetPublicKey().GetKid() == keyMap[nonRotateKey].GetKey().GetKeyId() { - nonRotatedInDefaultKey = defaultKasKey - } else if defaultKasKey.GetPublicKey().GetKid() == rotatedInKey.GetKasKey().GetKey().GetKeyId() { - newRotatedInDefaultKey = defaultKasKey - } - } - s.NotNil(newRotatedInDefaultKey) - s.NotNil(nonRotatedInDefaultKey) - s.Equal(newRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_ZTDF.String()) - s.Equal(nonRotatedInDefaultKey.GetTdfType(), kasregistry.TdfType_TDF_TYPE_NANO.String()) -} - -func (s *KasRegistryKeySuite) Test_RotateKey_TwoDefaultKeyRotated_Success() { - keyIDs := make([]string, 0) - kasIDs := make([]string, 0) - defer func() { - s.cleanupKeys(keyIDs, kasIDs) - }() - - kasReq := kasregistry.CreateKeyAccessServerRequest{ - Name: "test_rotate_key_kas", - Uri: "https://test-rotate-key.opentdf.io", - } - kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) - s.Require().NoError(err) - s.NotNil(kas) - kasIDs = append(kasIDs, kas.GetId()) - - keyMap := s.setupKeysForRotate(kas.GetId()) - keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) - newKey := kasregistry.RotateKeyRequest_NewKey{ - KeyId: "new_key_id", - Algorithm: policy.Algorithm_ALGORITHM_EC_P521, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - - // Set default key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: keyMap[rotateKey].GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, 
- }) - s.Require().NoError(err) - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + _, err = s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: keyMap[rotateKey].GetKey().GetId(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, }) s.Require().NoError(err) - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) s.Require().NoError(err) s.NotNil(rotatedInKey) keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId()) - // Check that the rotated in key is now the ZTDF default key. - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - // Check that rotated in key is the default key. 
- var newZtdfKey *kasregistry.DefaultKasKey - var newNanoKey *kasregistry.DefaultKasKey - for _, defaultKasKey := range defaultKasKeys { - s.NotEqual(defaultKasKey.GetPublicKey().GetKid(), keyMap[rotateKey].GetKey().GetId()) - switch defaultKasKey.GetTdfType() { - case kasregistry.TdfType_TDF_TYPE_ZTDF.String(): - newZtdfKey = defaultKasKey - case kasregistry.TdfType_TDF_TYPE_NANO.String(): - newNanoKey = defaultKasKey - default: - s.Fail("Unexpected TDF type") - } - } - s.NotNil(newZtdfKey) - s.NotNil(newNanoKey) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newZtdfKey.GetPublicKey().GetKid()) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), newNanoKey.GetPublicKey().GetKid()) + s.Require().NotNil(baseKey) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), baseKey.GetPublicKey().GetKid()) } -func (s *KasRegistryKeySuite) Test_RotateKey_NanoDefaultKey_NewKeyIsNotECC_Fail() { - keyIDs := make([]string, 0) - kasIDs := make([]string, 0) - defer func() { - s.cleanupKeys(keyIDs, kasIDs) - }() - - kasReq := kasregistry.CreateKeyAccessServerRequest{ - Name: "test_rotate_key_kas", - Uri: "https://test-rotate-key.opentdf.io", - } - kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) - s.Require().NoError(err) - s.NotNil(kas) - kasIDs = append(kasIDs, kas.GetId()) - - keyMap := s.setupKeysForRotate(kas.GetId()) - keyIDs = append(keyIDs, keyMap[rotateKey].GetKey().GetId(), keyMap[nonRotateKey].GetKey().GetId()) - newKey := kasregistry.RotateKeyRequest_NewKey{ - KeyId: "new_key_id", - Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{Pem: keyCtx}, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: keyMap[rotateKey].GetKey().GetId(), - }, - TdfType: 
kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().NoError(err) - - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 1) - - rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, keyMap[rotateKey], &newKey) - s.Require().Error(err) - s.Require().ErrorContains(err, "not valid for TDF type NANO") - s.Nil(rotatedInKey) - - // Check that the rotated in key is now the ZTDF default key. - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 1) - s.Equal(keyMap[rotateKey].GetKey().GetKeyId(), defaultKasKeys[0].GetPublicKey().GetKid()) - - // This is a workaround to get the key ID of the new key that was not rotated in, as it - // would not be inserted into the database when run as a transcation at the service level. - resp, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Key{ - Key: &kasregistry.KasKeyIdentifier{ - Identifier: &kasregistry.KasKeyIdentifier_Uri{ - Uri: kas.GetUri(), - }, - Kid: newKey.GetKeyId(), - }, - }) - s.Require().NoError(err) - s.NotNil(resp) - - keyIDs = append(keyIDs, resp.GetKey().GetId()) -} - -func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { +func (s *KasRegistryKeySuite) Test_SetBaseKey_KasKeyNotFound_Fails() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { 
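Review bot: Test_RotateKey_BaseKeyRotated_Success never confirms that `keyMap[rotateKey]` actually became the base key before RotateKey runs; the only GetBaseKey call is after rotation, so a SetBaseKey that silently did nothing, combined with a RotateKey that set the base key on its own, would still pass. Between the SetBaseKey and RotateKey calls add `baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx)`, `s.Require().NoError(err)` and `s.Equal(keyMap[rotateKey].GetKey().GetKeyId(), baseKey.GetPublicKey().GetKid())`, then change the later `baseKey, err :=` to `=`. The `// Set default key mapping` context comment above the SetBaseKey call would also read better as `// Make the key that will be rotated the base key`. This hunk also opens Test_SetBaseKey_KasKeyNotFound_Fails, whose body continues in the next hunk.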
@@ -1036,129 +849,21 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_KasKeyNotFound_Fails() { keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Require().Nil(baseKey) // Set default key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + _, err = s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: uuid.NewString(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, }) s.Require().Error(err) s.Require().ErrorContains(err, "not found") } -func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetNonECCAlgForNano_Fails() { - keyIDs := make([]string, 0) - kasIDs := make([]string, 0) - defer func() { - s.cleanupKeys(keyIDs, kasIDs) - }() - - // Create a new KAS server - kasReq := kasregistry.CreateKeyAccessServerRequest{ - Name: "test_default_key_kas", - Uri: "https://test-default-key.opentdf.io", - } - kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) - s.Require().NoError(err) - s.NotNil(kas) - kasIDs = append(kasIDs, kas.GetId()) - - // Create a key for the KAS - keyReq := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) - s.Require().NoError(err) - s.NotNil(key) - keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) - - // Ensure there is no default key mapping - defaultKasKeys, err := 
s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Empty(defaultKasKeys) - - // Set default key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().Error(err) - s.Require().ErrorContains(err, "not valid for TDF type NANO") -} - -func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_ZTDFInsert_Success() { - keyIDs := make([]string, 0) - kasIDs := make([]string, 0) - defer func() { - s.cleanupKeys(keyIDs, kasIDs) - }() - - // Create a new KAS server - kasReq := kasregistry.CreateKeyAccessServerRequest{ - Name: "test_default_key_kas", - Uri: "https://test-default-key.opentdf.io", - } - kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) - s.Require().NoError(err) - s.NotNil(kas) - kasIDs = append(kasIDs, kas.GetId()) - - // Create a key for the KAS - keyReq := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) - s.Require().NoError(err) - s.NotNil(key) - keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) - - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Empty(defaultKasKeys) - - // Set default key mapping - defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, - }) - s.Require().NoError(err) - 
s.NotNil(defaultKeys) - s.Nil(defaultKeys.GetPreviousDefaultKasKey()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) -} - -func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Success() { +func (s *KasRegistryKeySuite) Test_SetBaseKey_Insert_Success() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { 
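Review bot: Test_SetBaseKey_KasKeyNotFound_Fails pins the failure with the substring match `s.Require().ErrorContains(err, "not found")`, while the earlier test in this file compares against the sentinel `db.ErrUUIDInvalid.Error()`. If the db package exposes a not-found sentinel in the same way (I cannot see it from this hunk), prefer `s.Require().ErrorIs(err, <db not-found sentinel>)` so a reworded message does not break the test. The `// Set default key mapping` context comment above the call could also become `// Setting a base key that does not exist must fail`, since the request is expected to be rejected. Test_SetBaseKey_KasKeyNotFound_Fails begins in the previous hunk.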
@@ -1195,25 +900,23 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NoDefaultKeys_NanoInsert_Succes keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Require().Nil(baseKey) // Set default key mapping - defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + newBaseKey, err := s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: key.GetKasKey().GetKey().GetId(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, }) s.Require().NoError(err) - s.NotNil(defaultKeys) - s.Nil(defaultKeys.GetPreviousDefaultKasKey()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) + s.NotNil(newBaseKey) + s.Nil(newBaseKey.GetPreviousBaseKey()) + s.Equal(key.GetKasKey().GetKey().GetKeyId(), newBaseKey.GetNewBaseKey().GetPublicKey().GetKid()) } -func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Success() { +func (s *KasRegistryKeySuite) Test_SetBaseKey_CannotSetPublicKeyOnlyKey_Fails() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { 
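Review bot: The comments in this test still describe the old API — `// Ensure there is no default key mapping` and `// Set default key mapping` — while the calls are now `GetBaseKey`/`SetBaseKey`; the same stale wording survives in `Test_SetBaseKey_CannotSetPublicKeyOnlyKey_Fails` and `Test_SetBaseKey_CannotSetInactiveKey_Fails` below. Renaming them to `// Ensure no base key is configured yet` and `// Set the base key` keeps the suite consistent with the rewrite. The success path also only inspects the `SetBaseKeyResponse`; a follow-up `baseKey, err = s.db.PolicyClient.GetBaseKey(s.ctx)` with `s.Equal(key.GetKasKey().GetKey().GetKeyId(), baseKey.GetPublicKey().GetKid())` would confirm the row was actually persisted rather than just echoed back. The test function's body starts and ends outside the hunk.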
@@ -1235,111 +938,32 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_ZTDFKeyExists_ZTDFUpdate_Succes KasId: kas.GetId(), KeyId: "default_key_id", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, + KeyMode: policy.KeyMode_KEY_MODE_PUBLIC_KEY_ONLY, PublicKeyCtx: &policy.KasPublicKeyCtx{ Pem: keyCtx, }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, } key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) s.Require().NoError(err) s.NotNil(key) keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) - // Create a second key for the KAS - keyReq2 := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id_2", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) - s.Require().NoError(err) - s.NotNil(key2) - keyIDs = append(keyIDs, key2.GetKasKey().GetKey().GetId()) - - // Create a third key for the KAS - keyReq3 := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id_3", - KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) - s.Require().NoError(err) - s.NotNil(key3) - keyIDs = append(keyIDs, key3.GetKasKey().GetKey().GetId()) - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Require().Nil(baseKey) // Set default key mapping - 
defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + _, err = s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: key.GetKasKey().GetKey().GetId(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, - }) - s.Require().NoError(err) - s.NotNil(defaultKeys) - s.Nil(defaultKeys.GetPreviousDefaultKasKey()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) - - // Set nano key - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key3.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().NoError(err) - - // Update default key mapping - defaultKeys2, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key2.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, }) - s.Require().NoError(err) - s.NotNil(defaultKeys2) - s.NotNil(defaultKeys2.GetPreviousDefaultKasKey()) - s.Equal(key2.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_ZTDF.String(), defaultKeys2.GetNewDefaultKasKey().GetTdfType()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetPreviousDefaultKasKey().GetPublicKey().GetKid()) - - // Ensure nano key is still the same - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - for _, defaultKasKey := range defaultKasKeys { - if defaultKasKey.GetTdfType() == kasregistry.TdfType_TDF_TYPE_NANO.String() { - s.Equal(key3.GetKasKey().GetKey().GetKeyId(), 
defaultKasKey.GetPublicKey().GetKid()) - } - } + s.Require().Error(err) + s.Require().ErrorContains(err, "KEY_MODE_PUBLIC_KEY_ONLY as default key") } -func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Success() { +func (s *KasRegistryKeySuite) Test_SetBaseKey_CannotSetInactiveKey_Fails() { keyIDs := make([]string, 0) kasIDs := make([]string, 0) defer func() { @@ -1360,7 +984,7 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes keyReq := kasregistry.CreateKeyRequest{ KasId: kas.GetId(), KeyId: "default_key_id", - KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, + KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, PublicKeyCtx: &policy.KasPublicKeyCtx{ Pem: keyCtx, 
@@ -1375,142 +999,26 @@ func (s *KasRegistryKeySuite) Test_SetDefaultKey_NanoKeyExists_NanoUpdate_Succes s.NotNil(key) keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) - // Create a second key for the KAS - keyReq2 := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id_2", - KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key2, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq2) - s.Require().NoError(err) - s.NotNil(key2) - keyIDs = append(keyIDs, key2.GetKasKey().GetKey().GetId()) - - // Create a third key for the KAS - keyReq3 := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id_3", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - PrivateKeyCtx: &policy.KasPrivateKeyCtx{ - KeyId: validKeyID1, - WrappedKey: keyCtx, - }, - } - key3, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq3) - s.Require().NoError(err) - s.NotNil(key3) - keyIDs = append(keyIDs, key3.GetKasKey().GetKey().GetId()) - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) + baseKey, err := s.db.PolicyClient.GetBaseKey(s.ctx) s.Require().NoError(err) - s.Empty(defaultKasKeys) + s.Require().Nil(baseKey) - // Set default nano key mapping - defaultKeys, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().NoError(err) - s.NotNil(defaultKeys) - s.Nil(defaultKeys.GetPreviousDefaultKasKey()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), 
defaultKeys.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys.GetNewDefaultKasKey().GetTdfType()) - - // Set default ztdf key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key3.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, + // Update the key status to inactive + _, err = s.db.PolicyClient.UpdateKey(s.ctx, &kasregistry.UpdateKeyRequest{ + Id: key.GetKasKey().GetKey().GetId(), + KeyStatus: policy.KeyStatus_KEY_STATUS_INACTIVE, }) s.Require().NoError(err) - // Update default nano key mapping - defaultKeys2, err := s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: key2.GetKasKey().GetKey().GetId(), - }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }) - s.Require().NoError(err) - s.NotNil(defaultKeys2) - s.NotNil(defaultKeys2.GetPreviousDefaultKasKey()) - s.Equal(key2.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetNewDefaultKasKey().GetPublicKey().GetKid()) - s.Equal(kasregistry.TdfType_TDF_TYPE_NANO.String(), defaultKeys2.GetNewDefaultKasKey().GetTdfType()) - s.Equal(key.GetKasKey().GetKey().GetKeyId(), defaultKeys2.GetPreviousDefaultKasKey().GetPublicKey().GetKid()) - - // Ensure ztdf key is still the same - defaultKasKeys, err = s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Len(defaultKasKeys, 2) - for _, defaultKasKey := range defaultKasKeys { - if defaultKasKey.GetTdfType() == kasregistry.TdfType_TDF_TYPE_ZTDF.String() { - s.Equal(key3.GetKasKey().GetKey().GetKeyId(), defaultKasKey.GetPublicKey().GetKid()) - } - } -} - -func (s *KasRegistryKeySuite) Test_SetDefaultKey_CannotSetPublicKeyOnlyKey_Fails() { - keyIDs := make([]string, 0) - kasIDs := make([]string, 0) - defer func() { - s.cleanupKeys(keyIDs, kasIDs) - }() - - // Create a new KAS server - 
kasReq := kasregistry.CreateKeyAccessServerRequest{ - Name: "test_default_key_kas", - Uri: "https://test-default-key.opentdf.io", - } - kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq) - s.Require().NoError(err) - s.NotNil(kas) - kasIDs = append(kasIDs, kas.GetId()) - - // Create a key for the KAS - keyReq := kasregistry.CreateKeyRequest{ - KasId: kas.GetId(), - KeyId: "default_key_id", - KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, - KeyMode: policy.KeyMode_KEY_MODE_PUBLIC_KEY_ONLY, - PublicKeyCtx: &policy.KasPublicKeyCtx{ - Pem: keyCtx, - }, - } - key, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq) - s.Require().NoError(err) - s.NotNil(key) - keyIDs = append(keyIDs, key.GetKasKey().GetKey().GetId()) - - // Ensure there is no default key mapping - defaultKasKeys, err := s.db.PolicyClient.GetDefaultKasKeys(s.ctx) - s.Require().NoError(err) - s.Empty(defaultKasKeys) - // Set default key mapping - _, err = s.db.PolicyClient.SetDefaultKey(s.ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + _, err = s.db.PolicyClient.SetBaseKey(s.ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: key.GetKasKey().GetKey().GetId(), }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, }) s.Require().Error(err) - s.Require().ErrorContains(err, "KEY_MODE_PUBLIC_KEY_ONLY as default key") + s.Require().ErrorContains(err, "cannot set key of status") } func (s *KasRegistryKeySuite) setupKeysForRotate(kasID string) map[string]*policy.KasKey { @@ -1718,7 +1226,7 @@ func (s *KasRegistryKeySuite) cleanupAttrs(attrValueIDs []string, namespaceIDs [ } func (s *KasRegistryKeySuite) cleanupKeys(keyIDs []string, keyAccessServerIDs []string) { - err := s.db.PolicyClient.DeleteAllDefaultKeys(s.ctx) + err := s.db.PolicyClient.DeleteAllBaseKeys(s.ctx) s.Require().NoError(err) for _, id := range keyIDs { 
diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index 50c8ce04b7..99baee0289 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -144,46 +144,29 @@ func formatAlg(alg policy.Algorithm) (string, error) { } } -func UnmarshalDefaultKasKey(keysJSON []byte, key *kasregistry.DefaultKasKey) error { +func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) { + var key *kasregistry.SimpleKasKey if keysJSON != nil { + key = &kasregistry.SimpleKasKey{} if err := protojson.Unmarshal(keysJSON, key); err != nil { - return err + return nil, err } alg, err := strconv.ParseInt(key.GetPublicKey().GetAlgorithm(), 10, 32) if err != nil { - return err + return nil, err } algorithm, err := formatAlg(policy.Algorithm(alg)) if err != nil { - return err + return nil, err } // Base64 decode the public key pem, err := base64.StdEncoding.DecodeString(key.GetPublicKey().GetPem()) if err != nil { - return err + return nil, err } key.PublicKey.Pem = string(pem) key.PublicKey.Algorithm = algorithm } - return nil -} - -func DefaultKasKeysProtoJSON(keysJSON []byte) ([]*kasregistry.DefaultKasKey, error) { - var ( - keys []*kasregistry.DefaultKasKey - raw []json.RawMessage - ) - if err := json.Unmarshal(keysJSON, &raw); err != nil { - return nil, err - } - for _, r := range raw { - k := kasregistry.DefaultKasKey{} - err := UnmarshalDefaultKasKey(r, &k) - if err != nil { - return nil, err - } - keys = append(keys, &k) - } - return keys, nil + return key, nil } diff --git a/service/policy/db/copyfrom.go b/service/policy/db/copyfrom.go index 999216a76b..9998d2eed4 100644 --- a/service/policy/db/copyfrom.go +++ b/service/policy/db/copyfrom.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.28.0 // source: copyfrom.go package db 
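Review bot: `UnmarshalSimpleKasKey` returns `(nil, nil)` when `keysJSON` is nil, a contract every caller must now handle, and the exported function carries no doc comment stating it; suggest `// UnmarshalSimpleKasKey decodes a JSON-encoded SimpleKasKey, normalising the algorithm name and base64-decoding the PEM. It returns (nil, nil) when keysJSON is nil.` With `DefaultKasKeysProtoJSON` gone, the `encoding/json` import is only still needed if something else in the file uses it — the import block is outside the hunk, so please confirm the file still builds. Note also that a payload whose `public_key` has an empty `pem` decodes to an empty PEM string without error here; a one-line comment saying whether the caller is expected to reject that would help.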
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 2ccf369a7d..2aefeb8d47 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -403,7 +403,7 @@ func (c PolicyDBClient) CreateKey(ctx context.Context, r *kasregistry.CreateKeyR return nil, err } - key, err := c.Queries.createKey(ctx, createKeyParams{ + id, err := c.Queries.createKey(ctx, createKeyParams{ KeyAccessServerID: kasID, KeyAlgorithm: algo, KeyID: keyID, @@ -418,31 +418,15 @@ func (c PolicyDBClient) CreateKey(ctx context.Context, r *kasregistry.CreateKeyR return nil, db.WrapIfKnownInvalidQueryErr(err) } - metadata := &common.Metadata{} - if err := unmarshalMetadata(key.Metadata, metadata); err != nil { - return nil, err - } - - publicKeyCtx, privateKeyCtx, err := unmarshalPrivatePublicKeyContext(key.PublicKeyCtx, key.PrivateKeyCtx) + key, err := c.GetKey(ctx, &kasregistry.GetKeyRequest_Id{ + Id: id, + }) if err != nil { - return nil, err + return nil, db.WrapIfKnownInvalidQueryErr(err) } return &kasregistry.CreateKeyResponse{ - KasKey: &policy.KasKey{ - KasId: key.KeyAccessServerID, - Key: &policy.AsymmetricKey{ - Id: key.ID, - KeyId: key.KeyID, - KeyStatus: policy.KeyStatus(key.KeyStatus), - KeyAlgorithm: policy.Algorithm(key.KeyAlgorithm), - KeyMode: policy.KeyMode(key.KeyMode), - PrivateKeyCtx: privateKeyCtx, - PublicKeyCtx: publicKeyCtx, - ProviderConfig: pc, - Metadata: metadata, - }, - }, + KasKey: key, }, nil } @@ -517,7 +501,8 @@ func (c PolicyDBClient) GetKey(ctx context.Context, identifier any) (*policy.Kas } return &policy.KasKey{ - KasId: key.KeyAccessServerID, + KasId: key.KeyAccessServerID, + KasUri: key.KasUri, Key: &policy.AsymmetricKey{ Id: key.ID, KeyId: key.KeyID, 
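Review bot: `CreateKey` now inserts the row and then re-reads it with `GetKey` in a second round trip, so if the read fails the key already exists while the caller receives an error and may retry; either run both inside one transaction or add a comment stating that the insert is committed before the read. The `db.WrapIfKnownInvalidQueryErr(err)` around the `GetKey` result looks redundant if `GetKey` already wraps its own errors (its body is outside the hunk, so this is inferred). A short why-comment such as `// Re-read through GetKey so the response carries KasUri and the normalised metadata.` would explain the extra query.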
@@ -538,21 +523,6 @@ func (c PolicyDBClient) UpdateKey(ctx context.Context, r *kasregistry.UpdateKeyR return nil, db.ErrUUIDInvalid } - // Add check to see if a key exists with the updated keys given algo and if that key is active. - // If so, return an error. - keyStatus := r.GetKeyStatus() - if keyStatus == policy.KeyStatus_KEY_STATUS_ACTIVE { - activeKeyExists, err := c.Queries.isUpdateKeySafe(ctx, isUpdateKeySafeParams{ - ID: r.GetId(), - KeyStatus: int32(keyStatus), - }) - if err != nil { - return nil, db.WrapIfKnownInvalidQueryErr(err) - } else if activeKeyExists { - return nil, errors.New("key cannot be updated to active when another key with the same algorithm is already active for a KAS") - } - } - // if extend we need to merge the metadata metadataJSON, _, err := db.MarshalUpdateMetadata(r.GetMetadata(), r.GetMetadataUpdateBehavior(), func() (*common.Metadata, error) { a, err := c.GetKey(ctx, &kasregistry.GetKeyRequest_Id{ @@ -569,7 +539,7 @@ func (c PolicyDBClient) UpdateKey(ctx context.Context, r *kasregistry.UpdateKeyR count, err := c.Queries.updateKey(ctx, updateKeyParams{ ID: id, - KeyStatus: pgtypeInt4(int32(keyStatus), keyStatus != policy.KeyStatus_KEY_STATUS_UNSPECIFIED), + KeyStatus: pgtypeInt4(int32(r.GetKeyStatus()), r.GetKeyStatus() != policy.KeyStatus_KEY_STATUS_UNSPECIFIED), Metadata: metadataJSON, }) if err != nil { @@ -637,7 +607,8 @@ func (c PolicyDBClient) ListKeys(ctx context.Context, r *kasregistry.ListKeysReq } keys[i] = &policy.KasKey{ - KasId: key.KeyAccessServerID, + KasId: key.KeyAccessServerID, + KasUri: key.KasUri, Key: &policy.AsymmetricKey{ Id: key.ID, KeyId: key.KeyID, @@ -697,7 +668,6 @@ func (c PolicyDBClient) RotateKey(ctx context.Context, activeKey *policy.KasKey, }, } - // Step 1: Update old key to inactive. rotatedOutKey, err := c.UpdateKey(ctx, &kasregistry.UpdateKeyRequest{ Id: activeKey.GetKey().GetId(), KeyStatus: policy.KeyStatus_KEY_STATUS_INACTIVE, 
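Review bot: Dropping the `isUpdateKeySafe` check removes the only guard visible here against re-activating a key while another active key with the same algorithm already exists for the KAS, and the matching query is deleted from query.sql in the `@@ -167,54 +167,10 @@` hunk, so nothing in this commit replaces it. If several active keys per algorithm are now intended, a comment in `UpdateKey` (or the commit message) should say so; if not, the invariant belongs in the database as a partial unique index over `(key_access_server_id, key_algorithm)` restricted to the active status, where concurrent updates cannot bypass it. `UpdateKey` starts and ends outside the hunk.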
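Review bot: The `// Step 1` and `// Step 2` comments removed from `RotateKey` in this hunk, together with steps 3-5 removed in the `@@ -721,19 +690,16 @@` hunk, documented an order-dependent sequence (deactivate the old key, create the new one, move the base key, rewrite the public-key mappings, populate the response) that is not obvious from the calls alone; keep them, or replace them with one header comment on `RotateKey` listing the order. `RotateKey` starts and ends outside the hunk.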
@@ -706,7 +676,6 @@ func (c PolicyDBClient) RotateKey(ctx context.Context, activeKey *policy.KasKey, return nil, err } - // Step 2: Create new key. newKasKey, err := c.CreateKey(ctx, &kasregistry.CreateKeyRequest{ KasId: activeKey.GetKasId(), KeyId: newKey.GetKeyId(), @@ -721,19 +690,16 @@ func (c PolicyDBClient) RotateKey(ctx context.Context, activeKey *policy.KasKey, return nil, err } - // Step 3: Check if the rotated out key is currently a default key. If so, update. - err = c.rotateDefaultKey(ctx, rotatedOutKey.GetKey().GetId(), newKasKey.GetKasKey().GetKey().GetId()) + err = c.rotateBaseKey(ctx, rotatedOutKey, newKasKey.GetKasKey().GetKey().GetId()) if err != nil { return nil, err } - // Step 4: Update Namespace/Attribute/Value tables to use the new key. rotatedIDs, err := c.rotatePublicKeyTables(ctx, activeKey.GetKey().GetId(), newKasKey.GetKasKey().GetKey().GetId()) if err != nil { return nil, err } - // Step 5: Populate the rotated resources. if err := c.populateChangeMappings(ctx, rotatedIDs, rotateKeyResp.GetRotatedResources()); err != nil { return nil, err } 
@@ -827,24 +793,16 @@ func (c PolicyDBClient) rotatePublicKeyTables(ctx context.Context, oldKeyID, new return rotatedIDs, nil } -func (c PolicyDBClient) rotateDefaultKey(ctx context.Context, rotatedOutKeyID, newKeyID string) error { - defaultKeys, err := c.GetDefaultKeysByID(ctx, rotatedOutKeyID) +func (c PolicyDBClient) rotateBaseKey(ctx context.Context, rotatedOutKeyID *policy.KasKey, newKeyID string) error { + baseKey, err := c.GetBaseKey(ctx) if err != nil { - return db.WrapIfKnownInvalidQueryErr(err) + return err } - // It's possible that the rotated out key was mapped to both modes: ztdf/nano. - // If the key algorithm is of type ECC. - for _, defaultKey := range defaultKeys { - tdfType, ok := kasregistry.TdfType_value[defaultKey.GetTdfType()] - if !ok { - return fmt.Errorf("invalid TDF type: %s", defaultKey.GetTdfType()) - } - - _, err = c.SetDefaultKey(ctx, &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + if baseKey.GetPublicKey().GetKid() == rotatedOutKeyID.GetKey().GetKeyId() && baseKey.GetKasUri() == rotatedOutKeyID.GetKasUri() { + _, err := c.SetBaseKey(ctx, &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: newKeyID, }, - TdfType: kasregistry.TdfType(tdfType), }) if err != nil { return err 
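Review bot: The new match in `rotateBaseKey` compares `GetKid()` and `GetKasUri()` of the current base key with the rotated-out key, but when no base key is configured `GetBaseKey` yields nil and every getter returns `""`, so a rotated-out key whose `KasUri` happens to be empty would compare equal and `SetBaseKey` would be invoked on a deployment that never had a base key — add `if baseKey == nil { return nil }` directly after the error check. Matching on kid plus URI is also weaker than the previous lookup by row id; the `getBaseKey` query only builds `kas_uri` and `public_key`, so unless `key_id` is unique per KAS (not visible here) a stale or duplicated kid could move the base key to the wrong row. The parameter is still named `rotatedOutKeyID` although it now carries a `*policy.KasKey`; `rotatedOutKey` reads correctly. The function body continues past the hunk.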
@@ -854,78 +812,28 @@ func (c PolicyDBClient) rotateDefaultKey(ctx context.Context, rotatedOutKeyID, n return nil } -func (c PolicyDBClient) GetDefaultKasKeys(ctx context.Context) ([]*kasregistry.DefaultKasKey, error) { - keys, err := c.Queries.getDefaultKeys(ctx) - if err != nil { - return nil, db.WrapIfKnownInvalidQueryErr(err) - } - - var defaultKeys []*kasregistry.DefaultKasKey - if len(keys) > 0 { - defaultKeys, err = db.DefaultKasKeysProtoJSON(keys) - if err != nil { - return nil, err - } - } - - return defaultKeys, nil -} - -func (c PolicyDBClient) GetDefaultKeysByID(ctx context.Context, id string) ([]*kasregistry.DefaultKasKey, error) { - keys, err := c.Queries.getDefaultKeysById(ctx, pgtypeUUID(id)) - if err != nil { - return nil, db.WrapIfKnownInvalidQueryErr(err) - } - - var defaultKeys []*kasregistry.DefaultKasKey - if len(keys) > 0 { - defaultKeys, err = db.DefaultKasKeysProtoJSON(keys) - if err != nil { - return nil, err - } - } - - return defaultKeys, nil -} - -func (c PolicyDBClient) GetDefaultKasKeyByMode(ctx context.Context, tdfType kasregistry.TdfType) (*kasregistry.DefaultKasKey, error) { - key, err := c.getDefaultKasKeyByMode(ctx, pgtypeText(tdfType.String())) +func (c PolicyDBClient) GetBaseKey(ctx context.Context) (*kasregistry.SimpleKasKey, error) { + key, err := c.Queries.getBaseKey(ctx) if err != nil && !errors.Is(db.WrapIfKnownInvalidQueryErr(err), db.ErrNotFound) { - c.logger.Error("GetDefaultKasKeyByMode", "error", err) return nil, db.WrapIfKnownInvalidQueryErr(err) } - var defaultKey *kasregistry.DefaultKasKey - if len(key) > 0 { - defaultKey = &kasregistry.DefaultKasKey{} - err = db.UnmarshalDefaultKasKey(key, defaultKey) - if err != nil { - return nil, err - } + baseKey, err := db.UnmarshalSimpleKasKey(key) + if err != nil { + return nil, err } - return defaultKey, nil + return baseKey, nil } -func isAlgValidForNano(alg policy.Algorithm) bool { - switch alg { - case policy.Algorithm_ALGORITHM_EC_P256, 
policy.Algorithm_ALGORITHM_EC_P384, policy.Algorithm_ALGORITHM_EC_P521: - return true - case policy.Algorithm_ALGORITHM_RSA_2048, policy.Algorithm_ALGORITHM_RSA_4096, policy.Algorithm_ALGORITHM_UNSPECIFIED: - return false - default: - return false - } -} - -func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDefaultKeyRequest) (*kasregistry.SetDefaultKeyResponse, error) { +func (c PolicyDBClient) SetBaseKey(ctx context.Context, r *kasregistry.SetBaseKeyRequest) (*kasregistry.SetBaseKeyResponse, error) { var identifier any switch r.GetActiveKey().(type) { - case *kasregistry.SetDefaultKeyRequest_Id: + case *kasregistry.SetBaseKeyRequest_Id: identifier = &kasregistry.GetKeyRequest_Id{ Id: r.GetId(), } - case *kasregistry.SetDefaultKeyRequest_Key: + case *kasregistry.SetBaseKeyRequest_Key: identifier = &kasregistry.GetKeyRequest_Key{ Key: r.GetKey(), } 
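Review bot: `GetBaseKey` swallows `db.ErrNotFound` and then hands the (nil) row to `UnmarshalSimpleKasKey`, so its "no base key configured" result is `(nil, nil)`; `rotateBaseKey` and the tests depend on that contract, and the exported method should state it: `// GetBaseKey returns the configured base KAS key, or (nil, nil) when none has been set.` `db.WrapIfKnownInvalidQueryErr(err)` is evaluated twice (in the condition and in the return); computing it once into a local keeps the two results from diverging. `SetBaseKey` continues outside the hunk.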
@@ -938,68 +846,52 @@ func (c PolicyDBClient) SetDefaultKey(ctx context.Context, r *kasregistry.SetDef if keyToSet.GetKey().GetKeyMode() == policy.KeyMode_KEY_MODE_PUBLIC_KEY_ONLY { return nil, fmt.Errorf("cannot set key of mode %s as default key", keyToSet.GetKey().GetKeyMode().String()) } + if keyToSet.GetKey().GetKeyStatus() != policy.KeyStatus_KEY_STATUS_ACTIVE { + return nil, fmt.Errorf("cannot set key of status %s as default key", keyToSet.GetKey().GetKeyStatus().String()) + } - previousDefaultKey, err := c.GetDefaultKasKeyByMode(ctx, r.GetTdfType()) + previousDefaultKey, err := c.GetBaseKey(ctx) if err != nil { return nil, err } - // If default key is nano, cipher must be ECC. - if r.GetTdfType() == kasregistry.TdfType_TDF_TYPE_NANO && !isAlgValidForNano(keyToSet.GetKey().GetKeyAlgorithm()) { - return nil, fmt.Errorf("key algorithm %s is not valid for TDF type NANO", keyToSet.GetKey().GetKeyAlgorithm().String()) - } - // A trigger is set for BEFORE INSERT which will update the // the key reference to the one being inserted, if present. // If not, the insert will continue. - _, err = c.Queries.setDefaultKasKey(ctx, setDefaultKasKeyParams{ - KeyAccessServerKeyID: pgtypeUUID(keyToSet.GetKey().GetId()), - TdfType: r.GetTdfType().String(), - }) + _, err = c.Queries.setBaseKey(ctx, pgtypeUUID(keyToSet.GetKey().GetId())) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } // Get the new default key. 
- newDefaultKey, err := c.GetDefaultKasKeyByMode(ctx, r.GetTdfType()) + newBaseKey, err := c.GetBaseKey(ctx) if err != nil { return nil, err } // Set wellknown config - if err := c.SetDefaultKeyOnWellKnownConfig(ctx); err != nil { + if err := c.SetBaseKeyOnWellKnownConfig(ctx); err != nil { return nil, err } - return &kasregistry.SetDefaultKeyResponse{ - NewDefaultKasKey: newDefaultKey, - PreviousDefaultKasKey: previousDefaultKey, + return &kasregistry.SetBaseKeyResponse{ + NewBaseKey: newBaseKey, + PreviousBaseKey: previousDefaultKey, }, nil } -func (c PolicyDBClient) SetDefaultKeyOnWellKnownConfig(ctx context.Context) error { - defaultKeys, err := c.GetDefaultKasKeys(ctx) - if err != nil { - return err - } - - defaultKeyArr := make([]any, len(defaultKeys)) - for i, key := range defaultKeys { - defaultKeyArr[i] = key - } - - keyMapBytes, err := json.Marshal(defaultKeyArr) +func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { + baseKey, err := c.GetBaseKey(ctx) if err != nil { return err } - genericKeyArr := make([]any, len(defaultKeyArr)) - err = json.Unmarshal(keyMapBytes, &genericKeyArr) + keyMapBytes, err := protojson.Marshal(baseKey) if err != nil { return err } - wellknownconfiguration.UpdateConfigurationDefaultKey(genericKeyArr) + wellknownconfiguration.UpdateConfigurationBaseKey(string(keyMapBytes)) return nil } @@ -1008,8 +900,8 @@ func (c PolicyDBClient) SetDefaultKeyOnWellKnownConfig(ctx context.Context) erro TESTING ONLY ************************ */ -func (c PolicyDBClient) DeleteAllDefaultKeys(ctx context.Context) error { - _, err := c.Queries.deleteAllDefaultKasKeys(ctx) +func (c PolicyDBClient) DeleteAllBaseKeys(ctx context.Context) error { + _, err := c.Queries.deleteAllBaseKeys(ctx) if err != nil { return db.WrapIfKnownInvalidQueryErr(err) } 
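Review bot: The new `KEY_STATUS_ACTIVE` check, like the existing key-mode check, runs in Go before `setBaseKey` executes, so a key deactivated between the check and the insert can still become the base key that `SetBaseKeyOnWellKnownConfig` then publishes to clients; validating inside the same transaction, or constraining on `key_status` in the `setBaseKey` query itself, closes that window. `previousDefaultKey` should become `previousBaseKey` to match the rest of the rename. `SetBaseKeyOnWellKnownConfig` now stores the base key as a JSON-encoded string via `UpdateConfigurationBaseKey(string(keyMapBytes))` rather than a decoded value; if the well-known response is itself serialised as JSON the key will arrive as an escaped string instead of an object, so please confirm that is what consumers expect. `SetBaseKey` starts outside the hunk.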
diff --git a/service/policy/db/migrations/20250512000000_default_keys_table.md b/service/policy/db/migrations/20250512000000_base_keys_table.md similarity index 55% rename from service/policy/db/migrations/20250512000000_default_keys_table.md rename to service/policy/db/migrations/20250512000000_base_keys_table.md index b2f5094075..861fde7b8c 100644 --- a/service/policy/db/migrations/20250512000000_default_keys_table.md +++ b/service/policy/db/migrations/20250512000000_base_keys_table.md @@ -1,14 +1,13 @@ ```mermaid erDiagram - default_kas_keys { + base_keys { uuid id PK uuid key_access_server_key_id FK - character_varying tdf_type UK } - default_kas_keys }o--|| key_access_server_keys : "key_access_server_key_id" + base_keys }o--|| key_access_server_keys : "key_access_server_key_id" ``` diff --git a/service/policy/db/migrations/20250512000000_base_keys_table.sql b/service/policy/db/migrations/20250512000000_base_keys_table.sql new file mode 100644 index 0000000000..4d2a7e7fe9 --- /dev/null +++ b/service/policy/db/migrations/20250512000000_base_keys_table.sql 
@@ -0,0 +1,45 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE IF NOT EXISTS base_keys (
+ id UUID DEFAULT gen_random_uuid() CONSTRAINT base_key_pkey PRIMARY KEY,
+ key_access_server_key_id UUID CONSTRAINT key_access_server_key_id_fkey REFERENCES key_access_server_keys(id) ON DELETE RESTRICT
+);
+
+-- Trigger Function
+CREATE OR REPLACE FUNCTION upsert_base_keys()
+RETURNS TRIGGER AS $$
+BEGIN
+ -- Check if a row exists with the same tdf_type and key_access_server_id
+ IF (
+ SELECT count(*)
+ FROM base_keys
+ ) > 0 THEN
+ -- Update the existing row
+ UPDATE base_keys
+ SET key_access_server_key_id = NEW.key_access_server_key_id;
+
+ RETURN NULL; -- Important: Returning NULL prevents the original INSERT from proceeding, as the upsert has already happened
+
+ ELSE
+ -- Insert a new row (the original INSERT will proceed)
+ RETURN NEW; -- Important: Returning NEW allows the original INSERT to proceed
+ END IF;
+END;
+$$ LANGUAGE 'plpgsql';
+
+-- Trigger
+CREATE TRIGGER before_insert_or_update_base_keys
+BEFORE INSERT ON base_keys
+FOR EACH ROW
+EXECUTE FUNCTION upsert_base_keys();
+-- +goose StatementEnd
+
+
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TRIGGER IF EXISTS before_insert_or_update_base_keys ON base_keys;
+DROP FUNCTION IF EXISTS upsert_base_keys;
+
+DROP TABLE IF EXISTS base_keys;
+-- +goose StatementEnd
\ No newline at end of file
diff --git a/service/policy/db/migrations/20250512000000_default_keys_table.sql b/service/policy/db/migrations/20250512000000_default_keys_table.sql
deleted file mode 100644
index 579c2cddc5..0000000000
--- a/service/policy/db/migrations/20250512000000_default_keys_table.sql
+++ /dev/null
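Review bot: The single-row invariant of `base_keys` is enforced only by the BEFORE INSERT trigger's `count(*) > 0` test, which two concurrent inserts can both pass (each sees zero rows) and leave two base keys behind; `getBaseKey` is declared `:one` and would then silently return whichever row comes first. A schema-level guard is more robust — for example a constant column declared `NOT NULL DEFAULT TRUE UNIQUE` with a `CHECK` that it is true, so a second row fails on the unique constraint regardless of the trigger. `key_access_server_key_id` should also be `NOT NULL`, since an insert with a null id would make the trigger overwrite the existing reference with NULL: `key_access_server_key_id UUID NOT NULL CONSTRAINT key_access_server_key_id_fkey REFERENCES key_access_server_keys(id) ON DELETE RESTRICT`. The trigger comment `-- Check if a row exists with the same tdf_type and key_access_server_id` is stale now that there is no tdf_type, and the trigger name `before_insert_or_update_base_keys` describes an UPDATE event it is not attached to.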
@@ -1,49 +0,0 @@ --- +goose Up --- +goose StatementBegin -CREATE TABLE IF NOT EXISTS default_kas_keys ( - id UUID DEFAULT gen_random_uuid() CONSTRAINT default_key_pkey PRIMARY KEY, - key_access_server_key_id UUID CONSTRAINT key_access_server_key_id_fkey REFERENCES key_access_server_keys(id) ON DELETE RESTRICT, - tdf_type VARCHAR(255) NOT NULL, - CONSTRAINT unique_tdf_type UNIQUE (tdf_type) -- Ensure only one row per tdf_type -); - --- Trigger Function -CREATE OR REPLACE FUNCTION upsert_default_kas_keys() -RETURNS TRIGGER AS $$ -BEGIN - -- Check if a row exists with the same tdf_type and key_access_server_id - IF EXISTS ( - SELECT 1 - FROM default_kas_keys - WHERE tdf_type = NEW.tdf_type - ) THEN - -- Update the existing row - UPDATE default_kas_keys - SET key_access_server_key_id = NEW.key_access_server_key_id - WHERE tdf_type = NEW.tdf_type; - - RETURN NULL; -- Important: Returning NULL prevents the original INSERT from proceeding, as the upsert has already happened - - ELSE - -- Insert a new row (the original INSERT will proceed) - RETURN NEW; -- Important: Returning NEW allows the original INSERT to proceed - END IF; -END; -$$ LANGUAGE 'plpgsql'; - --- Trigger -CREATE TRIGGER before_insert_or_update_default_kas_keys -BEFORE INSERT ON default_kas_keys -FOR EACH ROW -EXECUTE FUNCTION upsert_default_kas_keys(); --- +goose StatementEnd - - - --- +goose Down --- +goose StatementBegin -DROP TRIGGER IF EXISTS before_insert_or_update_default_kas_keys ON default_kas_keys; -DROP FUNCTION IF EXISTS upsert_default_kas_keys; - -DROP TABLE IF EXISTS default_kas_keys; --- +goose StatementEnd \ No newline at end of file diff --git a/service/policy/db/models.go b/service/policy/db/models.go index cf7fe88ec9..95429785fa 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go 
@@ -226,10 +226,9 @@ type AttributeValuePublicKeyMap struct { KeyAccessServerKeyID string `json:"key_access_server_key_id"` } -type DefaultKasKey struct { +type BaseKey struct { ID string `json:"id"` KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"` - TdfType string `json:"tdf_type"` } // Table to store the known registrations of key access servers (KASs) diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql index a1dc9ad2cb..a012457940 100644 --- a/service/policy/db/query.sql +++ b/service/policy/db/query.sql 
@@ -167,54 +167,10 @@ DELETE FROM key_access_servers WHERE id = $1; -- Key Access Server Keys ------------------------------------------------------------------ -- name: createKey :one -WITH inserted AS ( - INSERT INTO key_access_server_keys +INSERT INTO key_access_server_keys (key_access_server_id, key_algorithm, key_id, key_mode, key_status, metadata, private_key_ctx, public_key_ctx, provider_config_id) - VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) - RETURNING * -) -SELECT - id, - key_id, - key_status, - key_mode, - key_algorithm, - private_key_ctx, - public_key_ctx, - provider_config_id, - key_access_server_id, - JSON_STRIP_NULLS( - JSON_BUILD_OBJECT( - 'labels', metadata -> 'labels', - 'created_at', created_at, - 'updated_at', updated_at - ) - ) AS metadata -FROM inserted; - --- name: checkIfKeyExists :one -SELECT EXISTS ( - SELECT 1 - FROM key_access_server_keys - WHERE key_access_server_id = $1 AND key_status = $2 AND key_algorithm = $3 -); - --- name: isUpdateKeySafe :one -WITH keyToUpdate AS ( - SELECT - kask.key_access_server_id AS kas_id, - kask.key_algorithm - FROM key_access_server_keys AS kask - WHERE kask.id = $1 -) -SELECT EXISTS ( - SELECT 1 - FROM key_access_server_keys AS kask - INNER JOIN keyToUpdate ON kask.key_access_server_id = keyToUpdate.kas_id - WHERE kask.key_access_server_id = keyToUpdate.kas_id - AND kask.key_status = $2 - AND kask.key_algorithm = keyToUpdate.key_algorithm -); +VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) +RETURNING id; -- name: getKey :one SELECT @@ -227,6 +183,7 @@ SELECT kask.public_key_ctx, kask.provider_config_id, kask.key_access_server_id, + kas.uri AS kas_uri, JSON_STRIP_NULLS( JSON_BUILD_OBJECT( 'labels', kask.metadata -> 'labels', 
@@ -259,7 +216,8 @@ WHERE id = $1; -- name: listKeys :many WITH listed AS ( SELECT - kas.id AS kas_id + kas.id AS kas_id, + kas.uri AS kas_uri FROM key_access_servers AS kas WHERE (sqlc.narg('kas_id')::uuid IS NULL OR kas.id = sqlc.narg('kas_id')::uuid) AND (sqlc.narg('kas_name')::text IS NULL OR kas.name = sqlc.narg('kas_name')::text) @@ -276,6 +234,7 @@ SELECT kask.public_key_ctx, kask.provider_config_id, kask.key_access_server_id, + listed.kas_uri AS kas_uri, JSON_STRIP_NULLS( JSON_BUILD_OBJECT( 'labels', kask.metadata -> 'labels', 
@@ -1737,61 +1696,25 @@ WHERE id = $1; ---------------------------------------------------------------- -- Default KAS Keys ---------------------------------------------------------------- --- name: getDefaultKeys :one -SELECT - JSONB_AGG( - DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, - 'kas_uri', kas.uri, - 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, - 'kid', kask.key_id, - 'pem', kask.public_key_ctx ->> 'pem' - ) - ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id; --- name: getDefaultKasKeyByMode :one +-- name: getBaseKey :one SELECT DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, 'kas_uri', kas.uri, 'public_key', JSONB_BUILD_OBJECT( 'algorithm', kask.key_algorithm::TEXT, 'kid', kask.key_id, 'pem', kask.public_key_ctx ->> 'pem' ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -WHERE (dkk.tdf_type = sqlc.narg('tdf_type')::TEXT); - --- name: setDefaultKasKey :execrows -INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) -VALUES ($1, $2); + ) AS base_keys +FROM base_keys bk +INNER JOIN key_access_server_keys kask ON bk.key_access_server_key_id = kask.id +INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id; --- name: getDefaultKeysById :one -SELECT - JSONB_AGG( - DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, - 'kas_uri', kas.uri, - 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, - 'kid', kask.key_id, - 'pem', kask.public_key_ctx ->> 'pem' - ) - ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -INNER JOIN key_access_servers kas ON kask.key_access_server_id = 
kas.id -WHERE (sqlc.narg('key_access_server_key_id')::UUID IS NULL OR dkk.key_access_server_key_id = sqlc.narg('key_access_server_key_id')::UUID); - --- name: deleteAllDefaultKasKeys :execrows -DELETE FROM default_kas_keys; +-- name: setBaseKey :execrows +INSERT INTO base_keys (key_access_server_key_id) +VALUES ($1); + +-- name: deleteAllBaseKeys :execrows +DELETE FROM base_keys; diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index 16fbae58c7..e176869282 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go @@ -2888,34 +2888,6 @@ func (q *Queries) assignPublicKeyToNamespace(ctx context.Context, arg assignPubl return i, err } -const checkIfKeyExists = `-- name: checkIfKeyExists :one -SELECT EXISTS ( - SELECT 1 - FROM key_access_server_keys - WHERE key_access_server_id = $1 AND key_status = $2 AND key_algorithm = $3 -) -` - -type checkIfKeyExistsParams struct { - KeyAccessServerID string `json:"key_access_server_id"` - KeyStatus int32 `json:"key_status"` - KeyAlgorithm int32 `json:"key_algorithm"` -} - -// checkIfKeyExists -// -// SELECT EXISTS ( -// SELECT 1 -// FROM key_access_server_keys -// WHERE key_access_server_id = $1 AND key_status = $2 AND key_algorithm = $3 -// ) -func (q *Queries) checkIfKeyExists(ctx context.Context, arg checkIfKeyExistsParams) (bool, error) { - row := q.db.QueryRow(ctx, checkIfKeyExists, arg.KeyAccessServerID, arg.KeyStatus, arg.KeyAlgorithm) - var exists bool - err := row.Scan(&exists) - return exists, err -} - const createCustomAction = `-- name: createCustomAction :one INSERT INTO actions (name, metadata, is_standard) VALUES ($1, $2, FALSE) 
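Review bot: `getBaseKey` serves whatever row is in `base_keys` without checking `kask.key_status`, so a base key that is later deactivated or rotated keeps being returned here and, via SetBaseKeyOnWellKnownConfig, on the well-known endpoint. The query is also declared `:one` with no `LIMIT` and no uniqueness guarantee on `base_keys` visible in this diff, while `setBaseKey` is a plain insert; if a second row ever lands there the scan would, as far as I can tell, silently pick one of them. I would add a status predicate such as `AND kask.key_status = <active>` (statuses are stored as integers, per the removed `checkIfKeyExistsParams`), and document next to `setBaseKey` that the Go caller must run `deleteAllBaseKeys` in the same transaction and verify the key is active, e.g. `-- Caller must call deleteAllBaseKeys in the same tx and ensure the key is active.`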
@@ -2940,30 +2912,10 @@ func (q *Queries) createCustomAction(ctx context.Context, arg createCustomAction } const createKey = `-- name: createKey :one -WITH inserted AS ( - INSERT INTO key_access_server_keys +INSERT INTO key_access_server_keys (key_access_server_id, key_algorithm, key_id, key_mode, key_status, metadata, private_key_ctx, public_key_ctx, provider_config_id) - VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) - RETURNING id, key_id, key_algorithm, key_status, key_mode, public_key_ctx, private_key_ctx, expiration, provider_config_id, metadata, created_at, updated_at, key_access_server_id -) -SELECT - id, - key_id, - key_status, - key_mode, - key_algorithm, - private_key_ctx, - public_key_ctx, - provider_config_id, - key_access_server_id, - JSON_STRIP_NULLS( - JSON_BUILD_OBJECT( - 'labels', metadata -> 'labels', - 'created_at', created_at, - 'updated_at', updated_at - ) - ) AS metadata -FROM inserted +VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) +RETURNING id ` type createKeyParams struct { 
@@ -2978,48 +2930,15 @@ type createKeyParams struct { ProviderConfigID pgtype.UUID `json:"provider_config_id"` } -type createKeyRow struct { - ID string `json:"id"` - KeyID string `json:"key_id"` - KeyStatus int32 `json:"key_status"` - KeyMode int32 `json:"key_mode"` - KeyAlgorithm int32 `json:"key_algorithm"` - PrivateKeyCtx []byte `json:"private_key_ctx"` - PublicKeyCtx []byte `json:"public_key_ctx"` - ProviderConfigID pgtype.UUID `json:"provider_config_id"` - KeyAccessServerID string `json:"key_access_server_id"` - Metadata []byte `json:"metadata"` -} - // --------------------------------------------------------------- // Key Access Server Keys // ---------------------------------------------------------------- // -// WITH inserted AS ( -// INSERT INTO key_access_server_keys +// INSERT INTO key_access_server_keys // (key_access_server_id, key_algorithm, key_id, key_mode, key_status, metadata, private_key_ctx, public_key_ctx, provider_config_id) -// VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) -// RETURNING id, key_id, key_algorithm, key_status, key_mode, public_key_ctx, private_key_ctx, expiration, provider_config_id, metadata, created_at, updated_at, key_access_server_id -// ) -// SELECT -// id, -// key_id, -// key_status, -// key_mode, -// key_algorithm, -// private_key_ctx, -// public_key_ctx, -// provider_config_id, -// key_access_server_id, -// JSON_STRIP_NULLS( -// JSON_BUILD_OBJECT( -// 'labels', metadata -> 'labels', -// 'created_at', created_at, -// 'updated_at', updated_at -// ) -// ) AS metadata -// FROM inserted -func (q *Queries) createKey(ctx context.Context, arg createKeyParams) (createKeyRow, error) { +// VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) +// RETURNING id +func (q *Queries) createKey(ctx context.Context, arg createKeyParams) (string, error) { row := q.db.QueryRow(ctx, createKey, arg.KeyAccessServerID, arg.KeyAlgorithm, 
@@ -3031,20 +2950,9 @@ func (q *Queries) createKey(ctx context.Context, arg createKeyParams) (createKey arg.PublicKeyCtx, arg.ProviderConfigID, ) - var i createKeyRow - err := row.Scan( - &i.ID, - &i.KeyID, - &i.KeyStatus, - &i.KeyMode, - &i.KeyAlgorithm, - &i.PrivateKeyCtx, - &i.PublicKeyCtx, - &i.ProviderConfigID, - &i.KeyAccessServerID, - &i.Metadata, - ) - return i, err + var id string + err := row.Scan(&id) + return id, err } const createOrListActionsByName = `-- name: createOrListActionsByName :many @@ -3342,15 +3250,15 @@ func (q *Queries) createSubjectMapping(ctx context.Context, arg createSubjectMap return id, err } -const deleteAllDefaultKasKeys = `-- name: deleteAllDefaultKasKeys :execrows -DELETE FROM default_kas_keys +const deleteAllBaseKeys = `-- name: deleteAllBaseKeys :execrows +DELETE FROM base_keys ` -// deleteAllDefaultKasKeys +// deleteAllBaseKeys // -// DELETE FROM default_kas_keys -func (q *Queries) deleteAllDefaultKasKeys(ctx context.Context) (int64, error) { - result, err := q.db.Exec(ctx, deleteAllDefaultKasKeys) +// DELETE FROM base_keys +func (q *Queries) deleteAllBaseKeys(ctx context.Context) (int64, error) { + result, err := q.db.Exec(ctx, deleteAllBaseKeys) if err != nil { return 0, err } 
@@ -3517,132 +3425,43 @@ func (q *Queries) getAction(ctx context.Context, arg getActionParams) (getAction return i, err } -const getDefaultKasKeyByMode = `-- name: getDefaultKasKeyByMode :one +const getBaseKey = `-- name: getBaseKey :one + SELECT DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, 'kas_uri', kas.uri, 'public_key', JSONB_BUILD_OBJECT( 'algorithm', kask.key_algorithm::TEXT, 'kid', kask.key_id, 'pem', kask.public_key_ctx ->> 'pem' ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id + ) AS base_keys +FROM base_keys bk +INNER JOIN key_access_server_keys kask ON bk.key_access_server_key_id = kask.id INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -WHERE (dkk.tdf_type = $1::TEXT) ` -// getDefaultKasKeyByMode +// -------------------------------------------------------------- +// Default KAS Keys +// -------------------------------------------------------------- // // SELECT // DISTINCT JSONB_BUILD_OBJECT( -// 'tdf_type', dkk.tdf_type, // 'kas_uri', kas.uri, // 'public_key', JSONB_BUILD_OBJECT( // 'algorithm', kask.key_algorithm::TEXT, // 'kid', kask.key_id, // 'pem', kask.public_key_ctx ->> 'pem' // ) -// ) AS default_key -// FROM default_kas_keys dkk -// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -// WHERE (dkk.tdf_type = $1::TEXT) -func (q *Queries) getDefaultKasKeyByMode(ctx context.Context, tdfType pgtype.Text) ([]byte, error) { - row := q.db.QueryRow(ctx, getDefaultKasKeyByMode, tdfType) - var default_key []byte - err := row.Scan(&default_key) - return default_key, err -} - -const getDefaultKeys = `-- name: getDefaultKeys :one -SELECT - JSONB_AGG( - DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, - 'kas_uri', kas.uri, - 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, - 'kid', kask.key_id, - 'pem', 
kask.public_key_ctx ->> 'pem' - ) - ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -` - -// -------------------------------------------------------------- -// Default KAS Keys -// -------------------------------------------------------------- -// -// SELECT -// JSONB_AGG( -// DISTINCT JSONB_BUILD_OBJECT( -// 'tdf_type', dkk.tdf_type, -// 'kas_uri', kas.uri, -// 'public_key', JSONB_BUILD_OBJECT( -// 'algorithm', kask.key_algorithm::TEXT, -// 'kid', kask.key_id, -// 'pem', kask.public_key_ctx ->> 'pem' -// ) -// ) -// ) AS default_key -// FROM default_kas_keys dkk -// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id +// ) AS base_keys +// FROM base_keys bk +// INNER JOIN key_access_server_keys kask ON bk.key_access_server_key_id = kask.id // INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -func (q *Queries) getDefaultKeys(ctx context.Context) ([]byte, error) { - row := q.db.QueryRow(ctx, getDefaultKeys) - var default_key []byte - err := row.Scan(&default_key) - return default_key, err -} - -const getDefaultKeysById = `-- name: getDefaultKeysById :one -SELECT - JSONB_AGG( - DISTINCT JSONB_BUILD_OBJECT( - 'tdf_type', dkk.tdf_type, - 'kas_uri', kas.uri, - 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, - 'kid', kask.key_id, - 'pem', kask.public_key_ctx ->> 'pem' - ) - ) - ) AS default_key -FROM default_kas_keys dkk -INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -WHERE ($1::UUID IS NULL OR dkk.key_access_server_key_id = $1::UUID) -` - -// getDefaultKeysById -// -// SELECT -// JSONB_AGG( -// DISTINCT JSONB_BUILD_OBJECT( -// 'tdf_type', dkk.tdf_type, -// 'kas_uri', kas.uri, -// 'public_key', JSONB_BUILD_OBJECT( -// 'algorithm', 
kask.key_algorithm::TEXT, -// 'kid', kask.key_id, -// 'pem', kask.public_key_ctx ->> 'pem' -// ) -// ) -// ) AS default_key -// FROM default_kas_keys dkk -// INNER JOIN key_access_server_keys kask ON dkk.key_access_server_key_id = kask.id -// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id -// WHERE ($1::UUID IS NULL OR dkk.key_access_server_key_id = $1::UUID) -func (q *Queries) getDefaultKeysById(ctx context.Context, keyAccessServerKeyID pgtype.UUID) ([]byte, error) { - row := q.db.QueryRow(ctx, getDefaultKeysById, keyAccessServerKeyID) - var default_key []byte - err := row.Scan(&default_key) - return default_key, err +func (q *Queries) getBaseKey(ctx context.Context) ([]byte, error) { + row := q.db.QueryRow(ctx, getBaseKey) + var base_keys []byte + err := row.Scan(&base_keys) + return base_keys, err } const getKey = `-- name: getKey :one @@ -3656,6 +3475,7 @@ SELECT kask.public_key_ctx, kask.provider_config_id, kask.key_access_server_id, + kas.uri AS kas_uri, JSON_STRIP_NULLS( JSON_BUILD_OBJECT( 'labels', kask.metadata -> 'labels', @@ -3696,6 +3516,7 @@ type getKeyRow struct { PublicKeyCtx []byte `json:"public_key_ctx"` ProviderConfigID pgtype.UUID `json:"provider_config_id"` KeyAccessServerID string `json:"key_access_server_id"` + KasUri string `json:"kas_uri"` Metadata []byte `json:"metadata"` ProviderName pgtype.Text `json:"provider_name"` PcConfig []byte `json:"pc_config"` @@ -3714,6 +3535,7 @@ type getKeyRow struct { // kask.public_key_ctx, // kask.provider_config_id, // kask.key_access_server_id, +// kas.uri AS kas_uri, // JSON_STRIP_NULLS( // JSON_BUILD_OBJECT( // 'labels', kask.metadata -> 'labels', @@ -3753,6 +3575,7 @@ func (q *Queries) getKey(ctx context.Context, arg getKeyParams) (getKeyRow, erro &i.PublicKeyCtx, &i.ProviderConfigID, &i.KeyAccessServerID, + &i.KasUri, &i.Metadata, &i.ProviderName, &i.PcConfig, 
@@ -4037,53 +3860,6 @@ func (q *Queries) getSubjectMapping(ctx context.Context, id string) (getSubjectM return i, err } -const isUpdateKeySafe = `-- name: isUpdateKeySafe :one -WITH keyToUpdate AS ( - SELECT - kask.key_access_server_id AS kas_id, - kask.key_algorithm - FROM key_access_server_keys AS kask - WHERE kask.id = $1 -) -SELECT EXISTS ( - SELECT 1 - FROM key_access_server_keys AS kask - INNER JOIN keyToUpdate ON kask.key_access_server_id = keyToUpdate.kas_id - WHERE kask.key_access_server_id = keyToUpdate.kas_id - AND kask.key_status = $2 - AND kask.key_algorithm = keyToUpdate.key_algorithm -) -` - -type isUpdateKeySafeParams struct { - ID string `json:"id"` - KeyStatus int32 `json:"key_status"` -} - -// isUpdateKeySafe -// -// WITH keyToUpdate AS ( -// SELECT -// kask.key_access_server_id AS kas_id, -// kask.key_algorithm -// FROM key_access_server_keys AS kask -// WHERE kask.id = $1 -// ) -// SELECT EXISTS ( -// SELECT 1 -// FROM key_access_server_keys AS kask -// INNER JOIN keyToUpdate ON kask.key_access_server_id = keyToUpdate.kas_id -// WHERE kask.key_access_server_id = keyToUpdate.kas_id -// AND kask.key_status = $2 -// AND kask.key_algorithm = keyToUpdate.key_algorithm -// ) -func (q *Queries) isUpdateKeySafe(ctx context.Context, arg isUpdateKeySafeParams) (bool, error) { - row := q.db.QueryRow(ctx, isUpdateKeySafe, arg.ID, arg.KeyStatus) - var exists bool - err := row.Scan(&exists) - return exists, err -} - const listActions = `-- name: listActions :many WITH counted AS ( @@ -4673,7 +4449,8 @@ func (q *Queries) listAttributesByDefOrValueFqns(ctx context.Context, fqns []str const listKeys = `-- name: listKeys :many WITH listed AS ( SELECT - kas.id AS kas_id + kas.id AS kas_id, + kas.uri AS kas_uri FROM key_access_servers AS kas WHERE ($4::uuid IS NULL OR kas.id = $4::uuid) AND ($5::text IS NULL OR kas.name = $5::text) 
@@ -4690,6 +4467,7 @@ SELECT kask.public_key_ctx, kask.provider_config_id, kask.key_access_server_id, + listed.kas_uri AS kas_uri, JSON_STRIP_NULLS( JSON_BUILD_OBJECT( 'labels', kask.metadata -> 'labels', @@ -4731,6 +4509,7 @@ type listKeysRow struct { PublicKeyCtx []byte `json:"public_key_ctx"` ProviderConfigID pgtype.UUID `json:"provider_config_id"` KeyAccessServerID string `json:"key_access_server_id"` + KasUri string `json:"kas_uri"` Metadata []byte `json:"metadata"` ProviderName pgtype.Text `json:"provider_name"` ProviderConfig []byte `json:"provider_config"` @@ -4741,7 +4520,8 @@ type listKeysRow struct { // // WITH listed AS ( // SELECT -// kas.id AS kas_id +// kas.id AS kas_id, +// kas.uri AS kas_uri // FROM key_access_servers AS kas // WHERE ($4::uuid IS NULL OR kas.id = $4::uuid) // AND ($5::text IS NULL OR kas.name = $5::text) @@ -4758,6 +4538,7 @@ type listKeysRow struct { // kask.public_key_ctx, // kask.provider_config_id, // kask.key_access_server_id, +// listed.kas_uri AS kas_uri, // JSON_STRIP_NULLS( // JSON_BUILD_OBJECT( // 'labels', kask.metadata -> 'labels', @@ -4804,6 +4585,7 @@ func (q *Queries) listKeys(ctx context.Context, arg listKeysParams) ([]listKeysR &i.PublicKeyCtx, &i.ProviderConfigID, &i.KeyAccessServerID, + &i.KasUri, &i.Metadata, &i.ProviderName, &i.ProviderConfig, 
@@ -5518,22 +5300,17 @@ func (q *Queries) rotatePublicKeyForNamespace(ctx context.Context, arg rotatePub return items, nil } -const setDefaultKasKey = `-- name: setDefaultKasKey :execrows -INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) -VALUES ($1, $2) +const setBaseKey = `-- name: setBaseKey :execrows +INSERT INTO base_keys (key_access_server_key_id) +VALUES ($1) ` -type setDefaultKasKeyParams struct { - KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"` - TdfType string `json:"tdf_type"` -} - -// setDefaultKasKey +// setBaseKey // -// INSERT INTO default_kas_keys (key_access_server_key_id, tdf_type) -// VALUES ($1, $2) -func (q *Queries) setDefaultKasKey(ctx context.Context, arg setDefaultKasKeyParams) (int64, error) { - result, err := q.db.Exec(ctx, setDefaultKasKey, arg.KeyAccessServerKeyID, arg.TdfType) +// INSERT INTO base_keys (key_access_server_key_id) +// VALUES ($1) +func (q *Queries) setBaseKey(ctx context.Context, keyAccessServerKeyID pgtype.UUID) (int64, error) { + result, err := q.db.Exec(ctx, setBaseKey, keyAccessServerKeyID) if err != nil { return 0, err } diff --git a/service/policy/db/schema_erd.md b/service/policy/db/schema_erd.md index 1665c687f8..658100f515 100644 --- a/service/policy/db/schema_erd.md +++ b/service/policy/db/schema_erd.md @@ -93,10 +93,9 @@ erDiagram character_varying value UK "Value of the attribute (i.e. #quot;manager#quot; or #quot;admin#quot; on an attribute for titles), unique within the definition" } - default_kas_keys { + base_keys { uuid id PK uuid key_access_server_key_id FK - character_varying tdf_type UK } goose_db_version { 
@@ -247,7 +246,7 @@ erDiagram registered_resource_action_attribute_values }o--|| attribute_values : "attribute_value_id" resource_mappings }o--|| attribute_values : "attribute_value_id" subject_mappings }o--|| attribute_values : "attribute_value_id" - default_kas_keys }o--|| key_access_server_keys : "key_access_server_key_id" + base_keys }o--|| key_access_server_keys : "key_access_server_key_id" key_access_server_keys }o--|| key_access_servers : "key_access_server_id" sym_key }o--|| provider_config : "provider_config_id" registered_resource_action_attribute_values }o--|| registered_resource_values : "registered_resource_value_id" diff --git a/service/policy/kasregistry/key_access_server_registry.go b/service/policy/kasregistry/key_access_server_registry.go index ce5d3aa8f4..d7c35e7aaa 100644 --- a/service/policy/kasregistry/key_access_server_registry.go +++ b/service/policy/kasregistry/key_access_server_registry.go @@ -72,7 +72,7 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer kasrSvc.logger = logger kasrSvc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault)) - if err = kasrSvc.dbClient.SetDefaultKeyOnWellKnownConfig(context.TODO()); err != nil { + if err = kasrSvc.dbClient.SetBaseKeyOnWellKnownConfig(context.TODO()); err != nil { logger.Error("error setting well-known config", slog.String("error", err.Error())) panic(err) } 
@@ -436,16 +436,16 @@ func (s KeyAccessServerRegistry) RotateKey(ctx context.Context, r *connect.Reque return connect.NewResponse(resp), nil } -func (s KeyAccessServerRegistry) SetDefaultKey(ctx context.Context, r *connect.Request[kasr.SetDefaultKeyRequest]) (*connect.Response[kasr.SetDefaultKeyResponse], error) { - resp := &kasr.SetDefaultKeyResponse{} +func (s KeyAccessServerRegistry) SetBaseKey(ctx context.Context, r *connect.Request[kasr.SetBaseKeyRequest]) (*connect.Response[kasr.SetBaseKeyResponse], error) { + resp := &kasr.SetBaseKeyResponse{} var objectID string switch i := r.Msg.GetActiveKey().(type) { - case *kasr.SetDefaultKeyRequest_Id: - s.logger.Debug("Setting default key by ID", slog.String("ID", i.Id), slog.String("Tdf type", r.Msg.GetTdfType().String())) + case *kasr.SetBaseKeyRequest_Id: + s.logger.Debug("Setting base key by ID", slog.String("ID", i.Id)) objectID = i.Id - case *kasr.SetDefaultKeyRequest_Key: - s.logger.Debug("Setting default key by Key ID", slog.String("Active Key ID", i.Key.GetKid()), slog.String("Tdf type", r.Msg.GetTdfType().String())) + case *kasr.SetBaseKeyRequest_Key: + s.logger.Debug("Setting base key by Key ID", slog.String("Active Key ID", i.Key.GetKid())) objectID = i.Key.GetKid() default: return nil, connect.NewError(connect.CodeInvalidArgument, nil) 
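Review bot: In the `SetBaseKeyRequest_Key` branch the audit object id is set to `i.Key.GetKid()` alone, but the proto describes `KasKeyIdentifier` as KAS ID plus Key ID, so a KID reused across two KASs yields an ambiguous audit record and debug line. Record the KAS identifier too, either as part of `objectID` or as an extra `slog.String` attribute beside `"Active Key ID"`; the getter name on KasKeyIdentifier is not visible in this hunk. The `default` branch returns `connect.CodeInvalidArgument` with a nil error, so the client receives no message; `connect.NewError(connect.CodeInvalidArgument, errors.New("active_key is required"))` would help. SetBaseKey's body continues past this hunk.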
@@ -459,15 +459,15 @@ func (s KeyAccessServerRegistry) SetDefaultKey(ctx context.Context, r *connect.R err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error { var err error - resp, err = txClient.SetDefaultKey(ctx, r.Msg) + resp, err = txClient.SetBaseKey(ctx, r.Msg) if err != nil { s.logger.Error("failed to set default key", slog.String("error", err.Error())) s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) return err } - auditParams.Original = resp.GetPreviousDefaultKasKey() - auditParams.Updated = resp.GetNewDefaultKasKey() + auditParams.Original = resp.GetPreviousBaseKey() + auditParams.Updated = resp.GetNewBaseKey() s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) return nil @@ -479,14 +479,14 @@ func (s KeyAccessServerRegistry) SetDefaultKey(ctx context.Context, r *connect.R return connect.NewResponse(resp), nil } -func (s KeyAccessServerRegistry) GetDefaultKeys(ctx context.Context, _ *connect.Request[kasr.GetDefaultKeysRequest]) (*connect.Response[kasr.GetDefaultKeysResponse], error) { - s.logger.Debug("Getting Default KAS Keys") - resp := &kasr.GetDefaultKeysResponse{} +func (s KeyAccessServerRegistry) GetBaseKey(ctx context.Context, _ *connect.Request[kasr.GetBaseKeyRequest]) (*connect.Response[kasr.GetBaseKeyResponse], error) { + s.logger.Debug("Getting Base Key") + resp := &kasr.GetBaseKeyResponse{} - keys, err := s.dbClient.GetDefaultKasKeys(ctx) + key, err := s.dbClient.GetBaseKey(ctx) if err != nil { return nil, db.StatusifyError(err, db.ErrTextGetRetrievalFailed) } - resp.DefaultKasKeys = keys + resp.BaseKey = key return connect.NewResponse(resp), nil } diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index 4f7de3eb0f..922535ca47 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto 
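Review bot: The error log inside the transaction closure still reads `"failed to set default key"` while every other message in this function now says "base key", which splits log searches across two names; change it to `s.logger.Error("failed to set base key", slog.String("error", err.Error()))`. The proto comment on SetBaseKeyRequest requires the key to be active and nothing in this handler checks it, so that check presumably lives in `txClient.SetBaseKey`; worth confirming, since the base key is what gets published on the well-known endpoint. In the GetBaseKey handler, `getBaseKey` is a `:one` query, so an empty `base_keys` table will surface as a no-rows error mapped by `db.StatusifyError`; a short comment stating that a not-yet-configured base key is reported that way would save the next reader a trip to the db layer.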
@@ -599,17 +599,9 @@ message RotateKeyResponse { RotatedResources rotated_resources = 2; } -enum TdfType { - TDF_TYPE_UNSPECIFIED = 0; - TDF_TYPE_ZTDF = 1; - TDF_TYPE_NANO = 2; -} - -// Sets the specified key as the default key for the Key Access Server -// Note: The key must be active. -// Side effects: -// If a key of the same cipher is set as default, calling 'SetDefaultKey' will override that key with the specified key. -message SetDefaultKeyRequest { +// Sets the specified key as the base key for the Key Access Server +// Note: The key must be active. +message SetBaseKeyRequest { // Required oneof active_key { option (buf.validate.oneof).required = true; 
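Review bot: The rewritten comment on `SetBaseKeyRequest` dropped the old "Side effects" paragraph, yet the operation still replaces whatever base key was previously set (the response's `previous_base_key` field points at that), and a caller reading only this message has no way to know a single server-wide key is being overwritten. Add a line such as `// Side effects: replaces the current base key, if any; the replaced key is returned in SetBaseKeyResponse.previous_base_key.` under the "Note" line. The message definition continues past this hunk.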
@@ -618,30 +610,27 @@ message SetDefaultKeyRequest { // Alternative way to specify the key using KAS ID and Key ID KasKeyIdentifier key = 2; } - // Required - TdfType tdf_type = 3 [(buf.validate.field).enum = {in: [1, 2]}]; // The type of TDF (e.g., ZTDF, Nano) } -message DefaultKasPublicKey { +message SimpleKasPublicKey { string algorithm = 1; string kid = 2; string pem = 3; } -message DefaultKasKey { - string tdf_type = 1; // The type of TDF (e.g., ZTDF, Nano) - string kas_uri = 2; // The URL of the Key Access Server - DefaultKasPublicKey public_key = 3; // The public key of the Key that belongs to the KAS +message SimpleKasKey { + string kas_uri = 1; // The URL of the Key Access Server + SimpleKasPublicKey public_key = 2; // The public key of the Key that belongs to the KAS }; -message GetDefaultKeysRequest {} -message GetDefaultKeysResponse { - repeated DefaultKasKey default_kas_keys = 1; // The list of default keys +message GetBaseKeyRequest {} +message GetBaseKeyResponse { + SimpleKasKey base_key = 1; // The list of default keys } -message SetDefaultKeyResponse { - DefaultKasKey new_default_kas_key = 1; // The key that was set as default - DefaultKasKey previous_default_kas_key = 2; // The previous default key, if any +message SetBaseKeyResponse { + SimpleKasKey new_base_key = 1; // The key that was set as base + SimpleKasKey previous_base_key = 2; // The previous base key, if any } service KeyAccessServerRegistryService { @@ -696,8 +685,8 @@ service KeyAccessServerRegistryService { rpc RotateKey(RotateKeyRequest) returns (RotateKeyResponse) {} // Request to set the default a default kas key. - rpc SetDefaultKey(SetDefaultKeyRequest) returns (SetDefaultKeyResponse) {} + rpc SetBaseKey(SetBaseKeyRequest) returns (SetBaseKeyResponse) {} // Get Default kas keys - rpc GetDefaultKeys(GetDefaultKeysRequest) returns (GetDefaultKeysResponse) {} + rpc GetBaseKey(GetBaseKeyRequest) returns (GetBaseKeyResponse) {} } 
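Review bot: The service comments were not updated with the rename: `// Request to set the default a default kas key.` is garbled and still says "default", and `// Get Default kas keys` still describes a list although `GetBaseKeyResponse` now carries a single `SimpleKasKey`. Suggested: `// Sets the server-wide base KAS key; the key must be active.` and `// Returns the current base KAS key.` `SimpleKasPublicKey.algorithm` is a free-form string; since the db stores the algorithm as an integer and a helper converts it (see the marshalHelpers change later in this series), a comment naming the expected string form would stop API consumers from comparing against the numeric value.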
diff --git a/service/policy/kasregistry/key_access_server_registry_keys_test.go b/service/policy/kasregistry/key_access_server_registry_keys_test.go index 01b6d25330..18f2edd8ea 100644 --- a/service/policy/kasregistry/key_access_server_registry_keys_test.go +++ b/service/policy/kasregistry/key_access_server_registry_keys_test.go @@ -1398,52 +1398,31 @@ func Test_RotateKeyAccessServer_Keys(t *testing.T) { func Test_SetDefault_Keys(t *testing.T) { testCases := []struct { name string - req *kasregistry.SetDefaultKeyRequest + req *kasregistry.SetBaseKeyRequest expectError bool errorMessage string }{ { name: "Invalid Request (empty)", - req: &kasregistry.SetDefaultKeyRequest{}, + req: &kasregistry.SetBaseKeyRequest{}, expectError: true, errorMessage: errMessageRequired, }, - { - name: "Invalid Request (empty active key)", - req: &kasregistry.SetDefaultKeyRequest{ - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, - }, - expectError: true, - errorMessage: errMessageRequired, - }, - { - name: "Invalid Request (invalid tdf mode)", - req: &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ - Id: validUUID, - }, - TdfType: -1, - }, - expectError: true, - errorMessage: errMessageTdfType, - }, { name: "Valid Request (nano)", - req: &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + req: &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: validUUID, }, - TdfType: kasregistry.TdfType_TDF_TYPE_NANO, }, expectError: false, }, { name: "Valid Request (ztdf)", - req: &kasregistry.SetDefaultKeyRequest{ - ActiveKey: &kasregistry.SetDefaultKeyRequest_Id{ + req: &kasregistry.SetBaseKeyRequest{ + ActiveKey: &kasregistry.SetBaseKeyRequest_Id{ Id: validUUID, }, - TdfType: kasregistry.TdfType_TDF_TYPE_ZTDF, }, expectError: false, }, 
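Review bot: After `tdf_type` was removed, the cases named `"Valid Request (nano)"` and `"Valid Request (ztdf)"` build byte-identical `SetBaseKeyRequest` values, so one is a duplicate and both names describe a distinction that no longer exists. Keep a single case named e.g. `"Valid Request (by id)"` and, since `active_key` is a oneof with a `KasKeyIdentifier` alternative, add a `SetBaseKeyRequest_Key` case so the validator's second branch is exercised. The function name `Test_SetDefault_Keys` is likewise stale relative to `SetBaseKey`.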
diff --git a/service/wellknownconfiguration/wellknown_configuration.go b/service/wellknownconfiguration/wellknown_configuration.go index c0aa529ed3..fb1968dcec 100644 --- a/service/wellknownconfiguration/wellknown_configuration.go +++ b/service/wellknownconfiguration/wellknown_configuration.go @@ -22,7 +22,7 @@ type WellKnownService struct { var ( wellKnownConfiguration = make(map[string]any) rwMutex sync.RWMutex - defaultKasKeyWellKnown = "default_kas_keys" + baseKeyWellKnown = "base_key" ) func RegisterConfiguration(namespace string, config any) error { @@ -36,10 +36,10 @@ func RegisterConfiguration(namespace string, config any) error { } // We should probably have a safe-guard as to what config can be updated -func UpdateConfigurationDefaultKey(config any) { +func UpdateConfigurationBaseKey(config any) { rwMutex.Lock() defer rwMutex.Unlock() - wellKnownConfiguration[defaultKasKeyWellKnown] = config + wellKnownConfiguration[baseKeyWellKnown] = config } func NewRegistration() *serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler] { From abe504866f19fd3cd68cb47e46fa541cdcaae520 Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Thu, 22 May 2025 18:41:10 -0500 Subject: [PATCH 11/15] fix encoding. --- service/policy/db/key_access_server_registry.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 2aefeb8d47..5a2ff30e27 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go 
@@ -886,12 +886,17 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { return err } - keyMapBytes, err := protojson.Marshal(baseKey) + keyMapBytes, err := json.Marshal(baseKey) if err != nil { return err } - wellknownconfiguration.UpdateConfigurationBaseKey(string(keyMapBytes)) + var keyMap map[string]any + if err := json.Unmarshal(keyMapBytes, &keyMap); err != nil { + return err + } + + wellknownconfiguration.UpdateConfigurationBaseKey(keyMap) return nil } From d69cfb386c801ab677fb13dd889f66aef148e649 Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Fri, 23 May 2025 08:39:32 -0500 Subject: [PATCH 12/15] refactor. --- service/pkg/db/marshalHelpers.go | 4 +++- service/policy/db/copyfrom.go | 2 +- service/policy/db/db.go | 2 +- service/policy/db/models.go | 2 +- service/policy/db/query.sql.go | 2 +- service/policy/kasregistry/key_access_server_registry.proto | 2 +- service/wellknownconfiguration/wellknown_configuration.go | 1 - 7 files changed, 8 insertions(+), 7 deletions(-) diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index 99baee0289..b8f1fd8f68 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -152,6 +152,8 @@ func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) { return nil, err } + // In the db, this is stored as an integer, which is parsed to a string + // and then converted to the correct algorithm format. alg, err := strconv.ParseInt(key.GetPublicKey().GetAlgorithm(), 10, 32) if err != nil { return nil, err @@ -160,7 +162,7 @@ func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) { if err != nil { return nil, err } - // Base64 decode the public key + // The pem should always be present and base64 encoded, as it is required for creating a key. pem, err := base64.StdEncoding.DecodeString(key.GetPublicKey().GetPem()) if err != nil { return nil, err 
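Review bot: Replacing `protojson.Marshal` with `json.Marshal` on the proto message `baseKey` changes the shape of what is published under the well-known config, not just its nesting: encoding/json follows the generated struct tags (snake_case names such as `base_key`, as the generated `GetBaseKeyResponse` field in this series shows) and, as far as I can tell, emits any enum fields as their integer values, whereas protojson produces the canonical proto JSON form with lowerCamel names and enum names. If clients are expected to decode this map with the proto JSON mapping, keep protojson for the marshal step and change only the unmarshal target: `keyMapBytes, err := protojson.Marshal(baseKey)` followed by the added `json.Unmarshal(keyMapBytes, &keyMap)`. Whichever encoding is intended, it is worth a comment above the marshal call, e.g. `// Publish as a JSON object (not an escaped string) so the well-known endpoint nests the base key; field naming follows <chosen encoder>.`. The function's start is outside the hunk.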
diff --git a/service/policy/db/copyfrom.go b/service/policy/db/copyfrom.go index 9998d2eed4..999216a76b 100644 --- a/service/policy/db/copyfrom.go +++ b/service/policy/db/copyfrom.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.28.0 +// sqlc v1.29.0 // source: copyfrom.go package db diff --git a/service/policy/db/db.go b/service/policy/db/db.go index d006712653..d3d2e33af1 100644 --- a/service/policy/db/db.go +++ b/service/policy/db/db.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.28.0 +// sqlc v1.29.0 package db diff --git a/service/policy/db/models.go b/service/policy/db/models.go index 95429785fa..0c2cd06b9f 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.28.0 +// sqlc v1.29.0 package db diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index e176869282..7b07f49480 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.28.0 +// sqlc v1.29.0 // source: query.sql package db diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index 922535ca47..61aea223ec 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto @@ -625,7 +625,7 @@ message SimpleKasKey { message GetBaseKeyRequest {} message GetBaseKeyResponse { - SimpleKasKey base_key = 1; // The list of default keys + SimpleKasKey base_key = 1; // The current base key } message SetBaseKeyResponse { diff --git a/service/wellknownconfiguration/wellknown_configuration.go b/service/wellknownconfiguration/wellknown_configuration.go index fb1968dcec..46071b9b68 100644 --- a/service/wellknownconfiguration/wellknown_configuration.go 
+++ b/service/wellknownconfiguration/wellknown_configuration.go @@ -35,7 +35,6 @@ func RegisterConfiguration(namespace string, config any) error { return nil } -// We should probably have a safe-guard as to what config can be updated func UpdateConfigurationBaseKey(config any) { rwMutex.Lock() defer rwMutex.Unlock() From 618b48a23e7c14c3214c6d8d89773a6a678f46be Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Fri, 23 May 2025 08:39:59 -0500 Subject: [PATCH 13/15] refactor. --- docs/grpc/index.html | 2 +- .../policy/kasregistry/key_access_server_registry.swagger.json | 2 +- protocol/go/policy/kasregistry/key_access_server_registry.pb.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 7a892e98ab..7cafda6788 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -9125,7 +9125,7 @@

    GetBaseKeyResponse

    base_key SimpleKasKey -

    The list of default keys

    +

    The current base key

    diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index d08361170d..b448b8ec0a 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -438,7 +438,7 @@ "properties": { "baseKey": { "$ref": "#/definitions/kasregistrySimpleKasKey", - "title": "The list of default keys" + "title": "The current base key" } } }, diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go index 43011d0c7d..39df10aef7 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go @@ -3016,7 +3016,7 @@ type GetBaseKeyResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - BaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=base_key,json=baseKey,proto3" json:"base_key,omitempty"` // The list of default keys + BaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=base_key,json=baseKey,proto3" json:"base_key,omitempty"` // The current base key } func (x *GetBaseKeyResponse) Reset() { From e3673f483c28a32d198de0a96f9d807c0e58e99c Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Fri, 23 May 2025 10:35:36 -0500 Subject: [PATCH 14/15] refactor. --- .../policy/kasregistry/key_access_server_registry_keys_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/service/policy/kasregistry/key_access_server_registry_keys_test.go b/service/policy/kasregistry/key_access_server_registry_keys_test.go index 18f2edd8ea..ecaf013ac0 100644 --- a/service/policy/kasregistry/key_access_server_registry_keys_test.go +++ b/service/policy/kasregistry/key_access_server_registry_keys_test.go 
@@ -22,7 +22,6 @@ const ( errMessageKeyName = "key.name" errMessageKeyURI = "key.uri" errMessageKeyAlgo = "key_algorithm" - errMessageTdfType = "tdf_type" errMessageKeyMode = "key_mode_defined" // Updated for CEL rule ID errMessagePubKeyCtx = "public_key_ctx" errMessagePrivateKeyCtx = "The wrapped_key is required" // This seems to be a generic message, CEL rules are more specific From bf444f21f95f91383b8decfec896a7e6058b5986 Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Fri, 23 May 2025 12:18:09 -0500 Subject: [PATCH 15/15] add code gen to proto generate. --- Makefile | 2 ++ sdk/sdkconnect/kasregistry.go | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/Makefile b/Makefile index 9867407efd..cb63d8cddd 100644 --- a/Makefile +++ b/Makefile @@ -71,6 +71,8 @@ proto-generate: buf generate buf.build/grpc-ecosystem/grpc-gateway -o tmp-gen --template buf.gen.grpc.docs.yaml buf generate buf.build/grpc-ecosystem/grpc-gateway -o tmp-gen --template buf.gen.openapi.docs.yaml + go run ./sdk/internal/codegen + connect-wrapper-generate: go run ./sdk/internal/codegen diff --git a/sdk/sdkconnect/kasregistry.go b/sdk/sdkconnect/kasregistry.go index addd61099a..cbb740eecc 100644 --- a/sdk/sdkconnect/kasregistry.go +++ b/sdk/sdkconnect/kasregistry.go 
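Review bot: The new `go run ./sdk/internal/codegen` line in `proto-generate` duplicates the recipe of `connect-wrapper-generate` directly below it, so the two invocations can drift apart if the codegen command or its arguments change. Since the wrapper generation presumably has to run after `buf generate` (a prerequisite would run too early), invoke the existing target from the recipe instead: `$(MAKE) connect-wrapper-generate`.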
@@ -28,6 +28,8 @@ type KeyAccessServerRegistryServiceClient interface { ListKeys(ctx context.Context, req *kasregistry.ListKeysRequest) (*kasregistry.ListKeysResponse, error) UpdateKey(ctx context.Context, req *kasregistry.UpdateKeyRequest) (*kasregistry.UpdateKeyResponse, error) RotateKey(ctx context.Context, req *kasregistry.RotateKeyRequest) (*kasregistry.RotateKeyResponse, error) + SetBaseKey(ctx context.Context, req *kasregistry.SetBaseKeyRequest) (*kasregistry.SetBaseKeyResponse, error) + GetBaseKey(ctx context.Context, req *kasregistry.GetBaseKeyRequest) (*kasregistry.GetBaseKeyResponse, error) } func (w *KeyAccessServerRegistryServiceClientConnectWrapper) ListKeyAccessServers(ctx context.Context, req *kasregistry.ListKeyAccessServersRequest) (*kasregistry.ListKeyAccessServersResponse, error) { @@ -128,3 +130,21 @@ func (w *KeyAccessServerRegistryServiceClientConnectWrapper) RotateKey(ctx conte } return res.Msg, err } + +func (w *KeyAccessServerRegistryServiceClientConnectWrapper) SetBaseKey(ctx context.Context, req *kasregistry.SetBaseKeyRequest) (*kasregistry.SetBaseKeyResponse, error) { + // Wrap Connect RPC client request + res, err := w.KeyAccessServerRegistryServiceClient.SetBaseKey(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *KeyAccessServerRegistryServiceClientConnectWrapper) GetBaseKey(ctx context.Context, req *kasregistry.GetBaseKeyRequest) (*kasregistry.GetBaseKeyResponse, error) { + // Wrap Connect RPC client request + res, err := w.KeyAccessServerRegistryServiceClient.GetBaseKey(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +}