From 07e9dede2cb10ceaa055b9b2486f688edf9008d6 Mon Sep 17 00:00:00 2001 From: Madhu Rajanna Date: Thu, 10 Mar 2022 17:27:38 +0530 Subject: [PATCH 1/3] rbd: check volume details from original volumeID Checking volume details for the existing volumeID first. if details like OMAP, RBD Image, Pool doesnot exists try to use clusterIDMapping to look for the correct informations. fixes: #2929 Signed-off-by: Madhu Rajanna --- internal/rbd/nodeserver.go | 44 +++++++++++--------------------------- 1 file changed, 13 insertions(+), 31 deletions(-) diff --git a/internal/rbd/nodeserver.go b/internal/rbd/nodeserver.go index e1df954b7..606ba8375 100644 --- a/internal/rbd/nodeserver.go +++ b/internal/rbd/nodeserver.go @@ -25,7 +25,6 @@ import ( "strings" csicommon "github.com/ceph/ceph-csi/internal/csi-common" - "github.com/ceph/ceph-csi/internal/journal" "github.com/ceph/ceph-csi/internal/util" "github.com/ceph/ceph-csi/internal/util/fscrypt" "github.com/ceph/ceph-csi/internal/util/log" @@ -144,14 +143,12 @@ func healerStageTransaction(ctx context.Context, cr *util.Credentials, volOps *r // this function also receive the credentials and secrets args as it differs in its data. // The credentials are used directly by functions like voljournal.Connect() and other functions // like genVolFromVolumeOptions() make use of secrets. -// nolint:gocyclo,cyclop // reduce complexity func populateRbdVol( ctx context.Context, req *csi.NodeStageVolumeRequest, cr *util.Credentials, ) (*rbdVolume, error) { var err error - var j *journal.Connection volID := req.GetVolumeId() isBlock := req.GetVolumeCapability().GetBlock() != nil disableInUseChecks := false @@ -173,11 +170,7 @@ func populateRbdVol( disableInUseChecks = true } - - rv, err := genVolFromVolumeOptions(ctx, req.GetVolumeContext(), disableInUseChecks, true) - if err != nil { - return nil, status.Error(codes.Internal, err.Error()) - } + var rv *rbdVolume isStaticVol := parseBoolOption(ctx, req.GetVolumeContext(), staticVol, false) // get rbd image name from the volume journal @@ -187,35 +180,24 @@ func populateRbdVol( // if migration static volume, use imageName as volID volID = req.GetVolumeContext()["imageName"] } + rv, err = genVolFromVolumeOptions(ctx, req.GetVolumeContext(), disableInUseChecks, true) + if err != nil { + return nil, status.Error(codes.Internal, err.Error()) + } rv.RbdImageName = volID } else { - var vi util.CSIIdentifier - var imageAttributes *journal.ImageAttributes - err = vi.DecomposeCSIID(volID) + rv, err = GenVolFromVolID(ctx, volID, cr, req.GetSecrets()) if err != nil { - err = fmt.Errorf("error decoding volume ID (%s): %w", volID, err) + rv.Destroy() + log.ErrorLog(ctx, "error generating volume %s: %v", volID, err) - return nil, status.Error(codes.Internal, err.Error()) + return nil, status.Errorf(codes.Internal, "error generating volume %s: %v", volID, err) } - - j, err = volJournal.Connect(rv.Monitors, rv.RadosNamespace, cr) - if err != nil { - log.ErrorLog(ctx, "failed to establish cluster connection: %v", err) - - return nil, status.Error(codes.Internal, err.Error()) + rv.DataPool = req.GetVolumeContext()["dataPool"] + var ok bool + if rv.Mounter, ok = req.GetVolumeContext()["mounter"]; !ok { + rv.Mounter = rbdDefaultMounter } - defer j.Destroy() - - imageAttributes, err = j.GetImageAttributes( - ctx, rv.Pool, vi.ObjectUUID, false) - if err != nil { - err = fmt.Errorf("error fetching image attributes for volume ID (%s): %w", volID, err) - - return nil, status.Error(codes.Internal, err.Error()) - } - rv.RbdImageName = imageAttributes.ImageName - // set owner after extracting the owner name from the journal - rv.Owner = imageAttributes.Owner } err = rv.Connect(cr) From 8650538b78b5eda0c73a5884d53f6d3d5b5b6329 Mon Sep 17 00:00:00 2001 From: Rakshith R Date: Tue, 11 Oct 2022 12:18:20 +0530 Subject: [PATCH 2/3] rbd: setup encryption if rbdVol exits during CreateVol This commit adds code to setup encryption on a rbdVol being repaired in a followup CreateVolume request. This is fixes a bug wherein encryption metadata may not have been set in previous request due to container restart. Fixes: #3402 Signed-off-by: Rakshith R --- internal/rbd/controllerserver.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/internal/rbd/controllerserver.go b/internal/rbd/controllerserver.go index 0ed109ae4..efa324407 100644 --- a/internal/rbd/controllerserver.go +++ b/internal/rbd/controllerserver.go @@ -508,6 +508,15 @@ func (cs *ControllerServer) repairExistingVolume(ctx context.Context, req *csi.C return nil, err } + + default: + // setup encryption again to make sure everything is in place. + if rbdVol.isBlockEncrypted() { + err := rbdVol.setupBlockEncryption(ctx) + if err != nil { + return nil, fmt.Errorf("failed to setup encryption for image %s: %w", rbdVol, err) + } + } } // Set metadata on restart of provisioner pod when image exist From fe13fff9fa1ecd1fbcc52a8dc57a7d9851d739c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 20:03:12 +0000 Subject: [PATCH 3/3] rebase: bump github.com/IBM/keyprotect-go-client from 0.8.1 to 0.9.0 Bumps [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) from 0.8.1 to 0.9.0. - [Release notes](https://github.com/IBM/keyprotect-go-client/releases) - [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.8.1...v0.9.0) --- updated-dependencies: - dependency-name: github.com/IBM/keyprotect-go-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- .../keyprotect-go-client/.secrets.baseline | 268 ++++++++++++++++++ .../IBM/keyprotect-go-client/.travis.yml | 7 +- .../IBM/keyprotect-go-client/README.md | 198 +++++++++---- .../IBM/keyprotect-go-client/instances.go | 109 +++++-- .../IBM/keyprotect-go-client/keys.go | 81 +++++- .../IBM/keyprotect-go-client/listkeys.go | 99 +++++++ .../IBM/keyprotect-go-client/policy.go | 61 +++- vendor/modules.txt | 2 +- 10 files changed, 727 insertions(+), 104 deletions(-) create mode 100644 vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline diff --git a/go.mod b/go.mod index c44b11bc7..03b0ea7c7 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/ceph/ceph-csi go 1.17 require ( - github.com/IBM/keyprotect-go-client v0.8.1 + github.com/IBM/keyprotect-go-client v0.9.0 github.com/aws/aws-sdk-go v1.44.127 github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000 diff --git a/go.sum b/go.sum index 2afc2ae26..c830c0cb4 100644 --- a/go.sum +++ b/go.sum @@ -88,8 +88,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3 github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/GoogleCloudPlatform/k8s-cloud-provider v1.18.1-0.20220218231025-f11817397a1b/go.mod h1:FNj4KYEAAHfYu68kRYolGoxkaJn+6mdEsaM12VTwuI0= github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= -github.com/IBM/keyprotect-go-client v0.8.1 h1:viTQCtoeWQeDRTe8S0ed++uM4J2uf1DGuQbV9mNTCj8= -github.com/IBM/keyprotect-go-client v0.8.1/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM= +github.com/IBM/keyprotect-go-client v0.9.0 h1:UwbyEHcaGlmLNK7PW0qo9VlxneN+0/2zoGBubHzbtro= +github.com/IBM/keyprotect-go-client v0.9.0/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM= github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA= github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E= github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc= diff --git a/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline b/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline new file mode 100644 index 000000000..7573fa3a1 --- /dev/null +++ b/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline @@ -0,0 +1,268 @@ +{ + "exclude": { + "files": "go.sum|^.secrets.baseline$", + "lines": null + }, + "generated_at": "2022-09-30T10:57:54Z", + "plugins_used": [ + { + "name": "AWSKeyDetector" + }, + { + "name": "ArtifactoryDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "base64_limit": 4.5, + "name": "Base64HighEntropyString" + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, + { + "ghe_instance": "github.ibm.com", + "name": "GheDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "hex_limit": 3, + "name": "HexHighEntropyString" + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "keyword_exclude": null, + "name": "KeywordDetector" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "results": { + "README.md": [ + { + "hashed_secret": "93fcbf4c3221f6e6fc21e07ec6e87ad94e60bd26", + "is_secret": false, + "is_verified": false, + "line_number": 35, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "0b60828897517e2b8013af62b288e055bf0d095d", + "is_secret": false, + "is_verified": false, + "line_number": 126, + "type": "Secret Keyword", + "verified_result": null + } + ], + "example_cycle_test.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 27, + "type": "Secret Keyword", + "verified_result": null + } + ], + "example_test.go": [ + { + "hashed_secret": "e80b5f30389f2162470fe780e27b90146e5fb0ca", + "is_secret": false, + "is_verified": false, + "line_number": 81, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "75d5cc62475c1ed3db14215d819514749ae25f53", + "is_secret": false, + "is_verified": false, + "line_number": 181, + "type": "Secret Keyword", + "verified_result": null + } + ], + "iam/iam.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 51, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "3e4bdbe0b80e63c22b178576e906810777387b50", + "is_secret": false, + "is_verified": false, + "line_number": 120, + "type": "Secret Keyword", + "verified_result": null + } + ], + "integration_test.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 57, + "type": "Secret Keyword", + "verified_result": null + } + ], + "kp_test.go": [ + { + "hashed_secret": "11634ea6495b17ca913d24b49dca32b40e491dc0", + "is_secret": false, + "is_verified": false, + "line_number": 44, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "9f4ed0cc38e03da4c3caf3d8500e0af69cfaefd3", + "is_secret": false, + "is_verified": false, + "line_number": 189, + "type": "JSON Web Token", + "verified_result": null + }, + { + "hashed_secret": "3e48fe9928e96dde5f50bd5514ccaecc504e378e", + "is_secret": false, + "is_verified": false, + "line_number": 629, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "1db0b23a23282227489c79a9fd31998add2b66f5", + "is_secret": false, + "is_verified": false, + "line_number": 863, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "f7f8eb2ffbd249e8c0e2ce429466c04a6342318b", + "is_secret": false, + "is_verified": false, + "line_number": 986, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "90f826b48e4e4832be16dd63237e7aede72ec384", + "is_secret": false, + "is_verified": false, + "line_number": 1800, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "0599eac7c4ebc38a9fb5407c1cee19877850ff78", + "is_secret": false, + "is_verified": false, + "line_number": 3514, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "4a8f6f853d71b777faef1c0f50d59df808f377a7", + "is_secret": false, + "is_verified": false, + "line_number": 4019, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "8ee338cf3361b4fbd663c51393c44ea685e7e31b", + "is_secret": false, + "is_verified": false, + "line_number": 4020, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "7200008cccd3ebe5eb314c7ce57bbe95113e11ff", + "is_secret": false, + "is_verified": false, + "line_number": 4055, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "7056dab9fea569e2fcb5122c763bfe90d3fa8204", + "is_secret": false, + "is_verified": false, + "line_number": 4523, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "54b1ab73986eecb14a1839184e4b51ce9668b35e", + "is_secret": false, + "is_verified": false, + "line_number": 4568, + "type": "Base64 High Entropy String", + "verified_result": null + } + ], + "policy.go": [ + { + "hashed_secret": "6a361a4e087eab69b48211aecc712bdc3403b2eb", + "is_secret": false, + "is_verified": false, + "line_number": 335, + "type": "Secret Keyword", + "verified_result": null + } + ] + }, + "version": "0.13.1+ibm.52.dss", + "word_list": { + "file": null, + "hash": null + } +} diff --git a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml index f269b7b4b..35b38d341 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml +++ b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml @@ -1,9 +1,10 @@ language: go dist: xenial -go: - - 1.14.x - - 1.15.x +go: + - 1.17.x + - 1.18.x + - 1.19.x env: - GO111MODULE=on diff --git a/vendor/github.com/IBM/keyprotect-go-client/README.md b/vendor/github.com/IBM/keyprotect-go-client/README.md index 7d27aafb0..0005f125e 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/README.md +++ b/vendor/github.com/IBM/keyprotect-go-client/README.md @@ -113,6 +113,31 @@ fmt.Println(key.ID, key.Name) crkID := key.ID ``` +### Generating a root key with policy overrides (CRK) + +```go +enable := true +// Specify policy data +policy := kp.Policy{ + Rotation: &kp.Rotation{ + Enabled: &enable, + Interval: 3, + }, + DualAuth: &kp.DualAuth{ + Enabled: &enable, + }, +} + +// Create a root key named MyRootKey with a rotation and a dualAuthDelete policy +key, err := client.CreateRootKeyWithPolicyOverrides(ctx, "MyRootKey", nil, nil, policy) +if err != nil { + fmt.Println(err) +} +fmt.Println(key.ID, key.Name) + +crkID := key.ID +``` + ### Wrapping and Unwrapping a DEK using a specific Root Key. ```go @@ -171,7 +196,51 @@ dek = nil // Save the wrapped DEK for later. Call Unwrap to use it, make // sure to specify the same AAD. ``` -### Fetching List Key Versions With Parameters. + +### Fetching keys based on query parameters + +```go + +limit := uint32(5) +offset := uint32(0) +extractable := false +keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)} +searchStr := "foobar" +searchQuery, _ := kp.GetKeySearchQuery(&searchStr, kp.ApplyNot(), kp.AddAliasScope()) + +listKeysOptions := &kp.ListKeysOptions{ + Limit : &limit, + Offset : &offset, + Extractable : &extractable, + State : keyStates, + Search: searchQuery, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) +``` + +### Fetching keys in ascending or descending sorted order of parameters + +```go +srtStr, _ := kp.GetKeySortStr(kp.WithCreationDate(), WithImportedDesc()) + +listKeysOptions := &kp.ListKeysOptions{ + Sort:srtStr, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) +``` +For more information about KeySearch visit: https://cloud.ibm.com/apidocs/key-protect#kp-get-key-search-api + +### Fetching key versions based on query parameters ```go @@ -192,20 +261,76 @@ if err != nil { fmt.Println(keyVersions) ``` -### Fetching List Key With Parameters. +### Enable instance rotation policy ```go -limit := uint32(5) -offset := uint32(0) -extractable := false -keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)} +intervalMonth := 3 +enable := true + +err := client.SetRotationInstancePolicy(context.Background(), enable, &intervalMonth) +if err != nil { + fmt.Println(err) +} + +rotationInstancePolicy, err := client.GetRotationInstancePolicy(context.Background()) +if err != nil { + fmt.Println(err) +} +fmt.Println(rotationInstancePolicy) +``` + +### Set key rotation policy + +```go + +rotationInterval := 3 +enabled := true +keyRotationPolicy, err := client.SetRotationPolicy(context.Background(), "key_id_or_alias", rotationInterval, enabled) +if err != nil { + fmt.Println(err) +} +fmt.Println(keyRotationPolicy) +``` + +### Enable key rotation policy + +```go + +keyRotationPolicy, err := client.EnableRotationPolicy(context.Background(), "key_id_or_alias") +if err != nil { + fmt.Println(err) +} +fmt.Println(keyRotationPolicy) +``` + +### List keys based on filter properties + +```go +// Option-1 - Directly passing the filter query in the format that the API supports. +filterQuery := "creationDate=gt:\"2022-07-05T00:00:00Z\" state=1,5 extractable=false" listKeysOptions := &kp.ListKeysOptions{ - Limit : &limit, - Offset : &offset, - Extractable : &extractable, - State : keyStates, + Filter:&filterQuery, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) + +// Option-2 - Using the builder provided by SDK to construct the filter query +fb := kp.GetFilterQueryBuilder() +dateQ := time.Date(2022, 07, 04, 07, 43, 23, 100, time.UTC) + +filterQuery := fb.CreationDate().GreaterThan(dateQ). + State([]kp.KeyState{kp.KeyState(kp.Destroyed), kp.KeyState(kp.Active)}). + Extractable(true). + Build() + +listKeysOptions := &kp.ListKeysOptions{ + Filter:&filterQuery, } keys, err := client.ListKeys(ctx, listKeysOptions) @@ -214,56 +339,3 @@ if err != nil { } fmt.Println(keys) ``` - -### Fetching List Key In Sorted Ascending Order Based On Paramaeters. - -```go -srtStr, _ := kp.GetKeySortStr(kp.WithCreationDate(), kp.WithImported()) - -listKeysOptions := &kp.ListKeysOptions{ - Sort:srtStr, -} - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) -} -fmt.Println(keys) -``` - -### Fetching List Key In Sorted Descending Order Based On Paramaeters. - -```go -srtStr, _ := GetKeySortStr(WithCreationDateDesc(), WithImportedDesc()) - -listKeysOptions := &ListKeysOptions{ - Sort: srtStr, -} - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) -} -fmt.Println(keys) -``` - -For more information about KeySearch visit: https://cloud.ibm.com/apidocs/key-protect#kp-get-key-search-api - -### Using Search functionality in list Keys API - -```go - -searchStr := "foobar" -srcStr2, _ := kp.GetKeySearchQuery(&searchStr, kp.ApplyNot(), kp.AddAliasScope()) - -listKeysOptions := &kp.ListKeysOptions{ - Search: srcStr2, - } - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) - } -fmt.Println(keys) - -``` diff --git a/vendor/github.com/IBM/keyprotect-go-client/instances.go b/vendor/github.com/IBM/keyprotect-go-client/instances.go index 257950648..83b922541 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/instances.go +++ b/vendor/github.com/IBM/keyprotect-go-client/instances.go @@ -17,14 +17,12 @@ package kp import ( "context" "fmt" + "net/http" "net/url" "time" ) const ( - // DualAuthDelete defines the policy type as dual auth delete - DualAuthDelete = "dualAuthDelete" - // AllowedNetwork defines the policy type as allowed network AllowedNetwork = "allowedNetwork" @@ -44,7 +42,6 @@ const ( EnforceToken = "EnforceToken" ) - // InstancePolicy represents a instance-level policy of a key as returned by the KP API. // this policy enables dual authorization for deleting a key type InstancePolicy struct { @@ -62,7 +59,7 @@ type PolicyData struct { Attributes *Attributes `json:"attributes,omitempty"` } -// Attributes contains the detals of allowed network policy type +// Attributes contains the details of an instance policy type Attributes struct { AllowedNetwork *string `json:"allowed_network,omitempty"` AllowedIP IPAddresses `json:"allowed_ip,omitempty"` @@ -71,6 +68,7 @@ type Attributes struct { ImportRootKey *bool `json:"import_root_key,omitempty"` ImportStandardKey *bool `json:"import_standard_key,omitempty"` EnforceToken *bool `json:"enforce_token,omitempty"` + IntervalMonth *int `json:"interval_month,omitempty"` } // IPAddresses ... @@ -154,7 +152,7 @@ func (c *Client) GetKeyCreateImportAccessInstancePolicy(ctx context.Context) (*I } func (c *Client) getInstancePolicy(ctx context.Context, policyType string, policyResponse *InstancePolicies) error { - req, err := c.newRequest("GET", "instance/policies", nil) + req, err := c.newRequest(http.MethodGet, "instance/policies", nil) if err != nil { return err } @@ -185,11 +183,26 @@ func (c *Client) GetMetricsInstancePolicy(ctx context.Context) (*InstancePolicy, return &policyResponse.Policies[0], nil } +// GetRotationInstancePolicy retrieves the rotation policy details associated with the instance +func (c *Client) GetRotationInstancePolicy(ctx context.Context) (*InstancePolicy, error) { + policyResponse := InstancePolicies{} + + err := c.getInstancePolicy(ctx, RotationPolicy, &policyResponse) + if err != nil { + return nil, err + } + + if len(policyResponse.Policies) == 0 { + return nil, nil + } + return &policyResponse.Policies[0], nil +} + // GetInstancePolicies retrieves all policies of an Instance. func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, error) { policyresponse := InstancePolicies{} - req, err := c.newRequest("GET", "instance/policies", nil) + req, err := c.newRequest(http.MethodGet, "instance/policies", nil) if err != nil { return nil, err } @@ -203,7 +216,7 @@ func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, err } func (c *Client) setInstancePolicy(ctx context.Context, policyType string, policyRequest InstancePolicies) error { - req, err := c.newRequest("PUT", "instance/policies", &policyRequest) + req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest) if err != nil { return err } @@ -242,6 +255,49 @@ func (c *Client) SetDualAuthInstancePolicy(ctx context.Context, enable bool) err return err } +func addRotationInstancePolicyData(enable bool, intervalMonth *int) (InstancePolicy, error) { + + rotationPolicyData := InstancePolicy{ + PolicyType: RotationPolicy, + PolicyData: PolicyData{ + Enabled: &enable, + }, + } + + if enable && intervalMonth == nil { + return InstancePolicy{}, fmt.Errorf("Interval Month is required to enable rotation instance policy") + } else if !enable && intervalMonth != nil { + return InstancePolicy{}, fmt.Errorf("Interval Month should only be provided if the policy is being enabled") + } else if intervalMonth != nil { + rotationPolicyData.PolicyData.Attributes = &Attributes{ + IntervalMonth: intervalMonth, + } + } + + return rotationPolicyData, nil +} + +// SetRotationInstancePolicy updates the rotation instance policy details associated with an instance. +func (c *Client) SetRotationInstancePolicy(ctx context.Context, enable bool, intervalMonth *int) error { + + rotationPolicyData, err := addRotationInstancePolicyData(enable, intervalMonth) + if err != nil { + return err + } + + policyRequest := InstancePolicies{ + Metadata: PoliciesMetadata{ + CollectionType: policyType, + NumberOfPolicies: 1, + }, + Policies: []InstancePolicy{rotationPolicyData}, + } + + err = c.setInstancePolicy(ctx, RotationPolicy, policyRequest) + + return err +} + // SetAllowedIPInstancePolices updates the allowed IP instance policy details associated with an instance. // For more information can refet to the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-allowed-ip @@ -394,21 +450,27 @@ type AllowedIPPolicyData struct { // KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy type KeyCreateImportAccessInstancePolicy struct { - Enabled bool - CreateRootKey bool + Enabled bool + CreateRootKey bool CreateStandardKey bool - ImportRootKey bool + ImportRootKey bool ImportStandardKey bool - EnforceToken bool + EnforceToken bool +} + +type RotationPolicyData struct { + Enabled bool + IntervalMonth *int } // MultiplePolicies defines the input for the SetInstancPolicies method that can hold multiple policy details type MultiplePolicies struct { - DualAuthDelete *BasicPolicyData - AllowedNetwork *AllowedNetworkPolicyData - AllowedIP *AllowedIPPolicyData - Metrics *BasicPolicyData + DualAuthDelete *BasicPolicyData + AllowedNetwork *AllowedNetworkPolicyData + AllowedIP *AllowedIPPolicyData + Metrics *BasicPolicyData KeyCreateImportAccess *KeyCreateImportAccessInstancePolicy + Rotation *RotationPolicyData } // SetInstancePolicies updates single or multiple policy details of an instance. @@ -465,7 +527,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic policy := InstancePolicy{ PolicyType: KeyCreateImportAccess, PolicyData: PolicyData{ - Enabled: &(policies.KeyCreateImportAccess.Enabled), + Enabled: &(policies.KeyCreateImportAccess.Enabled), Attributes: &Attributes{}, }, } @@ -489,6 +551,15 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic resPolicies = append(resPolicies, policy) } + if policies.Rotation != nil { + policy, err := addRotationInstancePolicyData(policies.Rotation.Enabled, policies.Rotation.IntervalMonth) + if err != nil { + return err + } + + resPolicies = append(resPolicies, policy) + } + policyRequest := InstancePolicies{ Metadata: PoliciesMetadata{ CollectionType: policyType, @@ -499,7 +570,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic policyresponse := Policies{} - req, err := c.newRequest("PUT", "instance/policies", &policyRequest) + req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest) if err != nil { return err } @@ -526,7 +597,7 @@ type privatePort struct { func (c *Client) GetAllowedIPPrivateNetworkPort(ctx context.Context) (int, error) { var portResponse portResponse - req, err := c.newRequest("GET", "instance/allowed_ip_port", nil) + req, err := c.newRequest(http.MethodGet, "instance/allowed_ip_port", nil) if err != nil { return 0, err } diff --git a/vendor/github.com/IBM/keyprotect-go-client/keys.go b/vendor/github.com/IBM/keyprotect-go-client/keys.go index 3b4ca35a2..a8671578b 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/keys.go +++ b/vendor/github.com/IBM/keyprotect-go-client/keys.go @@ -19,6 +19,7 @@ import ( "encoding/base64" "fmt" "log" + "net/http" "net/url" "strconv" "time" @@ -32,7 +33,9 @@ const ( ) var ( - preferHeaders = []string{"return=minimal", "return=representation"} + preferHeaders = []string{"return=minimal", "return=representation"} + keysPath = "keys" + keysWithPolicyOverridesPath = "keys_with_policy_overrides" ) // PreferReturn designates the value for the "Prefer" header. @@ -80,6 +83,7 @@ type Key struct { PurgeAllowedFrom *time.Time `json:"purgeAllowedFrom,omitempty"` PurgeScheduledOn *time.Time `json:"purgeScheduledOn,omitempty"` DualAuthDelete *DualAuth `json:"dualAuthDelete,omitempty"` + Rotation *Rotation `json:"rotation,omitempty"` } // KeysMetadata represents the metadata of a collection of keys. @@ -129,14 +133,14 @@ func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Ti // CreateImportedKey creates a new KP key from the given key material. func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256, nil) return c.createKey(ctx, key) } // CreateImportedKeyWithSHA1 creates a new KP key from the given key material // using RSAES OAEP SHA 1 as encryption algorithm. func (c *Client) CreateImportedKeyWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, nil) return c.createKey(ctx, key) } @@ -179,11 +183,11 @@ func (c *Client) CreateKeyWithAliases(ctx context.Context, name string, expirati // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-root-keys#import-root-key-api // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-standard-keys#import-standard-key-gui func (c *Client) CreateImportedKeyWithAliases(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, nil) return c.createKey(ctx, key) } -func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string) Key { +func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string, policy *Policy) Key { key := Key{ Name: name, Type: keyType, @@ -205,10 +209,23 @@ func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration key.Expiration = expiration } + if policy != nil { + key.Rotation = policy.Rotation + key.DualAuthDelete = policy.DualAuth + } + return key } func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) { + return c.createKeyResource(ctx, key, keysPath) +} + +func (c *Client) createKeyWithPolicyOverrides(ctx context.Context, key Key) (*Key, error) { + return c.createKeyResource(ctx, key, keysWithPolicyOverridesPath) +} + +func (c *Client) createKeyResource(ctx context.Context, key Key, path string) (*Key, error) { keysRequest := Keys{ Metadata: KeysMetadata{ CollectionType: keyType, @@ -217,11 +234,10 @@ func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) { Keys: []Key{key}, } - req, err := c.newRequest("POST", "keys", &keysRequest) + req, err := c.newRequest(http.MethodPost, path, &keysRequest) if err != nil { return nil, err } - keysResponse := Keys{} if _, err := c.do(ctx, req, &keysResponse); err != nil { return nil, err @@ -260,6 +276,57 @@ func (c *Client) SetKeyRing(ctx context.Context, idOrAlias, newKeyRingID string) return &response.Keys[0], nil } +// CreateImportedKeyWithPolicyOverridesWithSHA1 creates a new KP key with policy overrides from the given key material +// and key policy details using RSAES OAEP SHA 1 as encryption algorithm. +func (c *Client) CreateImportedKeyWithPolicyOverridesWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if policy.Rotation != nil && policy.Rotation.Interval == 0 { + policy.Rotation.Interval = -1 + } + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, &policy) + return c.createKeyWithPolicyOverrides(ctx, key) +} + +// CreateKeyWithPolicyOverrides creates a new KP key with given key policy details +func (c *Client) CreateKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, extractable bool, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, "", "", "", extractable, aliases, policy) +} + +// CreateImportedKeyWithPolicyOverrides creates a new Imported KP key from the given key material and with given key policy details +func (c *Client) CreateImportedKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if policy.Rotation != nil && policy.Rotation.Interval == 0 { + policy.Rotation.Interval = -1 + } + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, &policy) + + return c.createKeyWithPolicyOverrides(ctx, key) +} + +// CreateRootKeyWithPolicyOverrides creates a new, non-extractable key resource without key material and with given key policy details +func (c *Client) CreateRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) { + return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, false, aliases, policy) +} + +// CreateStandardKeyWithPolicyOverrides creates a new, extractable key resource without key material and with given key policy details +func (c *Client) CreateStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) { + return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, true, aliases, policy) +} + +// CreateImportedRootKeyWithPolicyOverrides creates a new, non-extractable key resource with the given key material and with given key policy details +func (c *Client) CreateImportedRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, encryptedNonce, iv, false, aliases, policy) +} + +// CreateImportedStandardKeyWithPolicyOverrides creates a new, extractable key resource with the given key material and with given key policy details +func (c *Client) CreateImportedStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload string, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, "", "", true, aliases, policy) +} + // GetKeys retrieves a collection of keys that can be paged through. func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, error) { if limit == 0 { diff --git a/vendor/github.com/IBM/keyprotect-go-client/listkeys.go b/vendor/github.com/IBM/keyprotect-go-client/listkeys.go index e1ea7c3b4..6c13ba63b 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/listkeys.go +++ b/vendor/github.com/IBM/keyprotect-go-client/listkeys.go @@ -20,6 +20,7 @@ import ( "fmt" "strconv" "strings" + "time" ) //ListKeysOptions struct to add the query parameters for the List Keys function @@ -30,6 +31,7 @@ type ListKeysOptions struct { State []KeyState Sort *string Search *string + Filter *string } // ListKeys retrieves a list of keys that are stored in your Key Protect service instance. @@ -67,6 +69,9 @@ func (c *Client) ListKeys(ctx context.Context, listKeysOptions *ListKeysOptions) if listKeysOptions.Sort != nil { values.Set("sort", fmt.Sprint(*listKeysOptions.Sort)) } + if listKeysOptions.Filter != nil { + values.Set("filter", fmt.Sprint(*listKeysOptions.Filter)) + } req.URL.RawQuery = values.Encode() } @@ -211,3 +216,97 @@ func AddAliasScope() SearchOpts { func AddKeyNameScope() SearchOpts { return buildSearcOpts("name") } + +// Filter related functions +type filterQuery struct { + queryStr string +} + +type FilterQueryBuilder struct { + filterQueryString filterQuery +} + +func GetFilterQueryBuilder() *FilterQueryBuilder { + return &FilterQueryBuilder{filterQuery{queryStr: ""}} +} + +func (fq *FilterQueryBuilder) Build() string { + return fq.filterQueryString.queryStr +} + +func (fq *FilterQueryBuilder) CreationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " creationDate=" + return fq +} + +func (fq *FilterQueryBuilder) ExpirationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " expirationDate=" + return fq +} + +func (fq *FilterQueryBuilder) LastRotationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " lastRotateDate=" + return fq +} + +func (fq *FilterQueryBuilder) DeletionDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " deletionDate=" + return fq +} + +func (fq *FilterQueryBuilder) LastUpdateDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " lastUpdateDate=" + return fq +} + +func (fq *FilterQueryBuilder) State(states []KeyState) *FilterQueryBuilder { + str := " state=" + for _, val := range states { + str += strconv.Itoa(int(val)) + "," + } + // remove the extra comma appended at the end of the string + str = strings.TrimSuffix(str, ",") + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + str + return fq +} + +func (fq *FilterQueryBuilder) Extractable(val bool) *FilterQueryBuilder { + extractable := " extractable=" + strconv.FormatBool(val) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + extractable + return fq +} + +func (fq *FilterQueryBuilder) GreaterThan(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "gt:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) GreaterThanOrEqual(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "gte:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) LessThan(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "lt:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) LessThanOrEqual(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "lte:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) Equal(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) None() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "none" + return fq +} diff --git a/vendor/github.com/IBM/keyprotect-go-client/policy.go b/vendor/github.com/IBM/keyprotect-go-client/policy.go index 4c60970e9..ae7f872cd 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/policy.go +++ b/vendor/github.com/IBM/keyprotect-go-client/policy.go @@ -22,9 +22,13 @@ import ( ) const ( - policyType = "application/vnd.ibm.kms.policy+json" + // DualAuthDelete defines the policy type as dual auth delete + DualAuthDelete = "dualAuthDelete" + //RotationPolicy defines the policy type as rotation RotationPolicy = "rotation" + + policyType = "application/vnd.ibm.kms.policy+json" ) // Policy represents a policy as returned by the KP API. @@ -40,7 +44,8 @@ type Policy struct { } type Rotation struct { - Interval int `json:"interval_month,omitempty"` + Enabled *bool `json:"enabled,omitempty"` + Interval int `json:"interval_month,omitempty"` } type DualAuth struct { @@ -152,7 +157,7 @@ func (c *Client) getPolicy(ctx context.Context, id, policyType string, policyres return err } -// GetRotationPolivy method retrieves rotation policy details of a key +// GetRotationPolicy method retrieves rotation policy details of a key // For more information can refet the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#view-rotation-policy-api func (c *Client) GetRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { @@ -207,13 +212,11 @@ func (c *Client) setPolicy(ctx context.Context, idOrAlias, policyType string, po return &policyresponse, nil } -// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID or alias and rotation interval. -// For more information can refer the Key Protect docs in the link below: -// https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api -func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotationInterval int) (*Policy, error) { +func (c *Client) setKeyRotationPolicy(ctx context.Context, idOrAlias string, enable *bool, rotationInterval int) (*Policy, error) { policy := Policy{ Type: policyType, Rotation: &Rotation{ + Enabled: enable, Interval: rotationInterval, }, } @@ -238,6 +241,35 @@ func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotati return &policyresponse.Policies[0], nil } +func (c *Client) EnableRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { + enabled := true + return c.setKeyRotationPolicy(ctx, idOrAlias, &enabled, 0) +} + +func (c *Client) DisableRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { + enabled := false + return c.setKeyRotationPolicy(ctx, idOrAlias, &enabled, 0) +} + +// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID or alias and rotation interval. +// For more information can refer the Key Protect docs in the link below: +// https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api +func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotationInterval int, enabled ...bool) (*Policy, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling + so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 + Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if rotationInterval == 0 { + rotationInterval = -1 + } + var enable *bool + if enabled != nil { + enable = &enabled[0] + } + return c.setKeyRotationPolicy(ctx, idOrAlias, enable, rotationInterval) +} + // SetDualAuthDeletePolicy updates the dual auth delete policy by passing the key ID or alias and enable detail // For more information can refer the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#create-dual-auth-key-policy-api @@ -273,12 +305,25 @@ func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, idOrAlias string, // To set rotation policy for the key pass the setRotationPolicy parameter as true and set the rotationInterval detail. // To set dual auth delete policy for the key pass the setDualAuthDeletePolicy parameter as true and set the dualAuthEnable detail. // Both the policies can be set or either of the policies can be set. -func (c *Client) SetPolicies(ctx context.Context, idOrAlias string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool) ([]Policy, error) { +func (c *Client) SetPolicies(ctx context.Context, idOrAlias string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool, rotationEnable ...bool) ([]Policy, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling + so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 + Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if rotationInterval == 0 { + rotationInterval = -1 + } + var enable *bool + if rotationEnable != nil { + enable = &rotationEnable[0] + } policies := []Policy{} if setRotationPolicy { rotationPolicy := Policy{ Type: policyType, Rotation: &Rotation{ + Enabled: enable, Interval: rotationInterval, }, } diff --git a/vendor/modules.txt b/vendor/modules.txt index 6f25f264d..6f9227f33 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/IBM/keyprotect-go-client v0.8.1 +# github.com/IBM/keyprotect-go-client v0.9.0 ## explicit; go 1.15 github.com/IBM/keyprotect-go-client github.com/IBM/keyprotect-go-client/iam