From fe13fff9fa1ecd1fbcc52a8dc57a7d9851d739c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 20:03:12 +0000 Subject: [PATCH] rebase: bump github.com/IBM/keyprotect-go-client from 0.8.1 to 0.9.0 Bumps [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) from 0.8.1 to 0.9.0. - [Release notes](https://github.com/IBM/keyprotect-go-client/releases) - [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.8.1...v0.9.0) --- updated-dependencies: - dependency-name: github.com/IBM/keyprotect-go-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- .../keyprotect-go-client/.secrets.baseline | 268 ++++++++++++++++++ .../IBM/keyprotect-go-client/.travis.yml | 7 +- .../IBM/keyprotect-go-client/README.md | 198 +++++++++---- .../IBM/keyprotect-go-client/instances.go | 109 +++++-- .../IBM/keyprotect-go-client/keys.go | 81 +++++- .../IBM/keyprotect-go-client/listkeys.go | 99 +++++++ .../IBM/keyprotect-go-client/policy.go | 61 +++- vendor/modules.txt | 2 +- 10 files changed, 727 insertions(+), 104 deletions(-) create mode 100644 vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline diff --git a/go.mod b/go.mod index c44b11bc7..03b0ea7c7 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/ceph/ceph-csi go 1.17 require ( - github.com/IBM/keyprotect-go-client v0.8.1 + github.com/IBM/keyprotect-go-client v0.9.0 github.com/aws/aws-sdk-go v1.44.127 github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000 diff --git a/go.sum b/go.sum index 2afc2ae26..c830c0cb4 100644 --- a/go.sum +++ b/go.sum @@ -88,8 +88,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3 github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/GoogleCloudPlatform/k8s-cloud-provider v1.18.1-0.20220218231025-f11817397a1b/go.mod h1:FNj4KYEAAHfYu68kRYolGoxkaJn+6mdEsaM12VTwuI0= github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= -github.com/IBM/keyprotect-go-client v0.8.1 h1:viTQCtoeWQeDRTe8S0ed++uM4J2uf1DGuQbV9mNTCj8= -github.com/IBM/keyprotect-go-client v0.8.1/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM= +github.com/IBM/keyprotect-go-client v0.9.0 h1:UwbyEHcaGlmLNK7PW0qo9VlxneN+0/2zoGBubHzbtro= +github.com/IBM/keyprotect-go-client v0.9.0/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM= github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA= github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E= github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc= diff --git a/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline b/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline new file mode 100644 index 000000000..7573fa3a1 --- /dev/null +++ b/vendor/github.com/IBM/keyprotect-go-client/.secrets.baseline @@ -0,0 +1,268 @@ +{ + "exclude": { + "files": "go.sum|^.secrets.baseline$", + "lines": null + }, + "generated_at": "2022-09-30T10:57:54Z", + "plugins_used": [ + { + "name": "AWSKeyDetector" + }, + { + "name": "ArtifactoryDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "base64_limit": 4.5, + "name": "Base64HighEntropyString" + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, + { + "ghe_instance": "github.ibm.com", + "name": "GheDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "hex_limit": 3, + "name": "HexHighEntropyString" + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "keyword_exclude": null, + "name": "KeywordDetector" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "results": { + "README.md": [ + { + "hashed_secret": "93fcbf4c3221f6e6fc21e07ec6e87ad94e60bd26", + "is_secret": false, + "is_verified": false, + "line_number": 35, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "0b60828897517e2b8013af62b288e055bf0d095d", + "is_secret": false, + "is_verified": false, + "line_number": 126, + "type": "Secret Keyword", + "verified_result": null + } + ], + "example_cycle_test.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 27, + "type": "Secret Keyword", + "verified_result": null + } + ], + "example_test.go": [ + { + "hashed_secret": "e80b5f30389f2162470fe780e27b90146e5fb0ca", + "is_secret": false, + "is_verified": false, + "line_number": 81, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "75d5cc62475c1ed3db14215d819514749ae25f53", + "is_secret": false, + "is_verified": false, + "line_number": 181, + "type": "Secret Keyword", + "verified_result": null + } + ], + "iam/iam.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 51, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "3e4bdbe0b80e63c22b178576e906810777387b50", + "is_secret": false, + "is_verified": false, + "line_number": 120, + "type": "Secret Keyword", + "verified_result": null + } + ], + "integration_test.go": [ + { + "hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff", + "is_secret": false, + "is_verified": false, + "line_number": 57, + "type": "Secret Keyword", + "verified_result": null + } + ], + "kp_test.go": [ + { + "hashed_secret": "11634ea6495b17ca913d24b49dca32b40e491dc0", + "is_secret": false, + "is_verified": false, + "line_number": 44, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "9f4ed0cc38e03da4c3caf3d8500e0af69cfaefd3", + "is_secret": false, + "is_verified": false, + "line_number": 189, + "type": "JSON Web Token", + "verified_result": null + }, + { + "hashed_secret": "3e48fe9928e96dde5f50bd5514ccaecc504e378e", + "is_secret": false, + "is_verified": false, + "line_number": 629, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "1db0b23a23282227489c79a9fd31998add2b66f5", + "is_secret": false, + "is_verified": false, + "line_number": 863, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "f7f8eb2ffbd249e8c0e2ce429466c04a6342318b", + "is_secret": false, + "is_verified": false, + "line_number": 986, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "90f826b48e4e4832be16dd63237e7aede72ec384", + "is_secret": false, + "is_verified": false, + "line_number": 1800, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "0599eac7c4ebc38a9fb5407c1cee19877850ff78", + "is_secret": false, + "is_verified": false, + "line_number": 3514, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "4a8f6f853d71b777faef1c0f50d59df808f377a7", + "is_secret": false, + "is_verified": false, + "line_number": 4019, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "8ee338cf3361b4fbd663c51393c44ea685e7e31b", + "is_secret": false, + "is_verified": false, + "line_number": 4020, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "7200008cccd3ebe5eb314c7ce57bbe95113e11ff", + "is_secret": false, + "is_verified": false, + "line_number": 4055, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "7056dab9fea569e2fcb5122c763bfe90d3fa8204", + "is_secret": false, + "is_verified": false, + "line_number": 4523, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "54b1ab73986eecb14a1839184e4b51ce9668b35e", + "is_secret": false, + "is_verified": false, + "line_number": 4568, + "type": "Base64 High Entropy String", + "verified_result": null + } + ], + "policy.go": [ + { + "hashed_secret": "6a361a4e087eab69b48211aecc712bdc3403b2eb", + "is_secret": false, + "is_verified": false, + "line_number": 335, + "type": "Secret Keyword", + "verified_result": null + } + ] + }, + "version": "0.13.1+ibm.52.dss", + "word_list": { + "file": null, + "hash": null + } +} diff --git a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml index f269b7b4b..35b38d341 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml +++ b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml @@ -1,9 +1,10 @@ language: go dist: xenial -go: - - 1.14.x - - 1.15.x +go: + - 1.17.x + - 1.18.x + - 1.19.x env: - GO111MODULE=on diff --git a/vendor/github.com/IBM/keyprotect-go-client/README.md b/vendor/github.com/IBM/keyprotect-go-client/README.md index 7d27aafb0..0005f125e 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/README.md +++ b/vendor/github.com/IBM/keyprotect-go-client/README.md @@ -113,6 +113,31 @@ fmt.Println(key.ID, key.Name) crkID := key.ID ``` +### Generating a root key with policy overrides (CRK) + +```go +enable := true +// Specify policy data +policy := kp.Policy{ + Rotation: &kp.Rotation{ + Enabled: &enable, + Interval: 3, + }, + DualAuth: &kp.DualAuth{ + Enabled: &enable, + }, +} + +// Create a root key named MyRootKey with a rotation and a dualAuthDelete policy +key, err := client.CreateRootKeyWithPolicyOverrides(ctx, "MyRootKey", nil, nil, policy) +if err != nil { + fmt.Println(err) +} +fmt.Println(key.ID, key.Name) + +crkID := key.ID +``` + ### Wrapping and Unwrapping a DEK using a specific Root Key. ```go @@ -171,7 +196,51 @@ dek = nil // Save the wrapped DEK for later. Call Unwrap to use it, make // sure to specify the same AAD. ``` -### Fetching List Key Versions With Parameters. + +### Fetching keys based on query parameters + +```go + +limit := uint32(5) +offset := uint32(0) +extractable := false +keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)} +searchStr := "foobar" +searchQuery, _ := kp.GetKeySearchQuery(&searchStr, kp.ApplyNot(), kp.AddAliasScope()) + +listKeysOptions := &kp.ListKeysOptions{ + Limit : &limit, + Offset : &offset, + Extractable : &extractable, + State : keyStates, + Search: searchQuery, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) +``` + +### Fetching keys in ascending or descending sorted order of parameters + +```go +srtStr, _ := kp.GetKeySortStr(kp.WithCreationDate(), WithImportedDesc()) + +listKeysOptions := &kp.ListKeysOptions{ + Sort:srtStr, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) +``` +For more information about KeySearch visit: https://cloud.ibm.com/apidocs/key-protect#kp-get-key-search-api + +### Fetching key versions based on query parameters ```go @@ -192,20 +261,76 @@ if err != nil { fmt.Println(keyVersions) ``` -### Fetching List Key With Parameters. +### Enable instance rotation policy ```go -limit := uint32(5) -offset := uint32(0) -extractable := false -keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)} +intervalMonth := 3 +enable := true + +err := client.SetRotationInstancePolicy(context.Background(), enable, &intervalMonth) +if err != nil { + fmt.Println(err) +} + +rotationInstancePolicy, err := client.GetRotationInstancePolicy(context.Background()) +if err != nil { + fmt.Println(err) +} +fmt.Println(rotationInstancePolicy) +``` + +### Set key rotation policy + +```go + +rotationInterval := 3 +enabled := true +keyRotationPolicy, err := client.SetRotationPolicy(context.Background(), "key_id_or_alias", rotationInterval, enabled) +if err != nil { + fmt.Println(err) +} +fmt.Println(keyRotationPolicy) +``` + +### Enable key rotation policy + +```go + +keyRotationPolicy, err := client.EnableRotationPolicy(context.Background(), "key_id_or_alias") +if err != nil { + fmt.Println(err) +} +fmt.Println(keyRotationPolicy) +``` + +### List keys based on filter properties + +```go +// Option-1 - Directly passing the filter query in the format that the API supports. +filterQuery := "creationDate=gt:\"2022-07-05T00:00:00Z\" state=1,5 extractable=false" listKeysOptions := &kp.ListKeysOptions{ - Limit : &limit, - Offset : &offset, - Extractable : &extractable, - State : keyStates, + Filter:&filterQuery, +} + +keys, err := client.ListKeys(ctx, listKeysOptions) +if err != nil { + fmt.Println(err) +} +fmt.Println(keys) + +// Option-2 - Using the builder provided by SDK to construct the filter query +fb := kp.GetFilterQueryBuilder() +dateQ := time.Date(2022, 07, 04, 07, 43, 23, 100, time.UTC) + +filterQuery := fb.CreationDate().GreaterThan(dateQ). + State([]kp.KeyState{kp.KeyState(kp.Destroyed), kp.KeyState(kp.Active)}). + Extractable(true). + Build() + +listKeysOptions := &kp.ListKeysOptions{ + Filter:&filterQuery, } keys, err := client.ListKeys(ctx, listKeysOptions) @@ -214,56 +339,3 @@ if err != nil { } fmt.Println(keys) ``` - -### Fetching List Key In Sorted Ascending Order Based On Paramaeters. - -```go -srtStr, _ := kp.GetKeySortStr(kp.WithCreationDate(), kp.WithImported()) - -listKeysOptions := &kp.ListKeysOptions{ - Sort:srtStr, -} - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) -} -fmt.Println(keys) -``` - -### Fetching List Key In Sorted Descending Order Based On Paramaeters. - -```go -srtStr, _ := GetKeySortStr(WithCreationDateDesc(), WithImportedDesc()) - -listKeysOptions := &ListKeysOptions{ - Sort: srtStr, -} - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) -} -fmt.Println(keys) -``` - -For more information about KeySearch visit: https://cloud.ibm.com/apidocs/key-protect#kp-get-key-search-api - -### Using Search functionality in list Keys API - -```go - -searchStr := "foobar" -srcStr2, _ := kp.GetKeySearchQuery(&searchStr, kp.ApplyNot(), kp.AddAliasScope()) - -listKeysOptions := &kp.ListKeysOptions{ - Search: srcStr2, - } - -keys, err := client.ListKeys(ctx, listKeysOptions) -if err != nil { - fmt.Println(err) - } -fmt.Println(keys) - -``` diff --git a/vendor/github.com/IBM/keyprotect-go-client/instances.go b/vendor/github.com/IBM/keyprotect-go-client/instances.go index 257950648..83b922541 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/instances.go +++ b/vendor/github.com/IBM/keyprotect-go-client/instances.go @@ -17,14 +17,12 @@ package kp import ( "context" "fmt" + "net/http" "net/url" "time" ) const ( - // DualAuthDelete defines the policy type as dual auth delete - DualAuthDelete = "dualAuthDelete" - // AllowedNetwork defines the policy type as allowed network AllowedNetwork = "allowedNetwork" @@ -44,7 +42,6 @@ const ( EnforceToken = "EnforceToken" ) - // InstancePolicy represents a instance-level policy of a key as returned by the KP API. // this policy enables dual authorization for deleting a key type InstancePolicy struct { @@ -62,7 +59,7 @@ type PolicyData struct { Attributes *Attributes `json:"attributes,omitempty"` } -// Attributes contains the detals of allowed network policy type +// Attributes contains the details of an instance policy type Attributes struct { AllowedNetwork *string `json:"allowed_network,omitempty"` AllowedIP IPAddresses `json:"allowed_ip,omitempty"` @@ -71,6 +68,7 @@ type Attributes struct { ImportRootKey *bool `json:"import_root_key,omitempty"` ImportStandardKey *bool `json:"import_standard_key,omitempty"` EnforceToken *bool `json:"enforce_token,omitempty"` + IntervalMonth *int `json:"interval_month,omitempty"` } // IPAddresses ... @@ -154,7 +152,7 @@ func (c *Client) GetKeyCreateImportAccessInstancePolicy(ctx context.Context) (*I } func (c *Client) getInstancePolicy(ctx context.Context, policyType string, policyResponse *InstancePolicies) error { - req, err := c.newRequest("GET", "instance/policies", nil) + req, err := c.newRequest(http.MethodGet, "instance/policies", nil) if err != nil { return err } @@ -185,11 +183,26 @@ func (c *Client) GetMetricsInstancePolicy(ctx context.Context) (*InstancePolicy, return &policyResponse.Policies[0], nil } +// GetRotationInstancePolicy retrieves the rotation policy details associated with the instance +func (c *Client) GetRotationInstancePolicy(ctx context.Context) (*InstancePolicy, error) { + policyResponse := InstancePolicies{} + + err := c.getInstancePolicy(ctx, RotationPolicy, &policyResponse) + if err != nil { + return nil, err + } + + if len(policyResponse.Policies) == 0 { + return nil, nil + } + return &policyResponse.Policies[0], nil +} + // GetInstancePolicies retrieves all policies of an Instance. func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, error) { policyresponse := InstancePolicies{} - req, err := c.newRequest("GET", "instance/policies", nil) + req, err := c.newRequest(http.MethodGet, "instance/policies", nil) if err != nil { return nil, err } @@ -203,7 +216,7 @@ func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, err } func (c *Client) setInstancePolicy(ctx context.Context, policyType string, policyRequest InstancePolicies) error { - req, err := c.newRequest("PUT", "instance/policies", &policyRequest) + req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest) if err != nil { return err } @@ -242,6 +255,49 @@ func (c *Client) SetDualAuthInstancePolicy(ctx context.Context, enable bool) err return err } +func addRotationInstancePolicyData(enable bool, intervalMonth *int) (InstancePolicy, error) { + + rotationPolicyData := InstancePolicy{ + PolicyType: RotationPolicy, + PolicyData: PolicyData{ + Enabled: &enable, + }, + } + + if enable && intervalMonth == nil { + return InstancePolicy{}, fmt.Errorf("Interval Month is required to enable rotation instance policy") + } else if !enable && intervalMonth != nil { + return InstancePolicy{}, fmt.Errorf("Interval Month should only be provided if the policy is being enabled") + } else if intervalMonth != nil { + rotationPolicyData.PolicyData.Attributes = &Attributes{ + IntervalMonth: intervalMonth, + } + } + + return rotationPolicyData, nil +} + +// SetRotationInstancePolicy updates the rotation instance policy details associated with an instance. +func (c *Client) SetRotationInstancePolicy(ctx context.Context, enable bool, intervalMonth *int) error { + + rotationPolicyData, err := addRotationInstancePolicyData(enable, intervalMonth) + if err != nil { + return err + } + + policyRequest := InstancePolicies{ + Metadata: PoliciesMetadata{ + CollectionType: policyType, + NumberOfPolicies: 1, + }, + Policies: []InstancePolicy{rotationPolicyData}, + } + + err = c.setInstancePolicy(ctx, RotationPolicy, policyRequest) + + return err +} + // SetAllowedIPInstancePolices updates the allowed IP instance policy details associated with an instance. // For more information can refet to the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-allowed-ip @@ -394,21 +450,27 @@ type AllowedIPPolicyData struct { // KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy type KeyCreateImportAccessInstancePolicy struct { - Enabled bool - CreateRootKey bool + Enabled bool + CreateRootKey bool CreateStandardKey bool - ImportRootKey bool + ImportRootKey bool ImportStandardKey bool - EnforceToken bool + EnforceToken bool +} + +type RotationPolicyData struct { + Enabled bool + IntervalMonth *int } // MultiplePolicies defines the input for the SetInstancPolicies method that can hold multiple policy details type MultiplePolicies struct { - DualAuthDelete *BasicPolicyData - AllowedNetwork *AllowedNetworkPolicyData - AllowedIP *AllowedIPPolicyData - Metrics *BasicPolicyData + DualAuthDelete *BasicPolicyData + AllowedNetwork *AllowedNetworkPolicyData + AllowedIP *AllowedIPPolicyData + Metrics *BasicPolicyData KeyCreateImportAccess *KeyCreateImportAccessInstancePolicy + Rotation *RotationPolicyData } // SetInstancePolicies updates single or multiple policy details of an instance. @@ -465,7 +527,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic policy := InstancePolicy{ PolicyType: KeyCreateImportAccess, PolicyData: PolicyData{ - Enabled: &(policies.KeyCreateImportAccess.Enabled), + Enabled: &(policies.KeyCreateImportAccess.Enabled), Attributes: &Attributes{}, }, } @@ -489,6 +551,15 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic resPolicies = append(resPolicies, policy) } + if policies.Rotation != nil { + policy, err := addRotationInstancePolicyData(policies.Rotation.Enabled, policies.Rotation.IntervalMonth) + if err != nil { + return err + } + + resPolicies = append(resPolicies, policy) + } + policyRequest := InstancePolicies{ Metadata: PoliciesMetadata{ CollectionType: policyType, @@ -499,7 +570,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic policyresponse := Policies{} - req, err := c.newRequest("PUT", "instance/policies", &policyRequest) + req, err := c.newRequest(http.MethodPut, "instance/policies", &policyRequest) if err != nil { return err } @@ -526,7 +597,7 @@ type privatePort struct { func (c *Client) GetAllowedIPPrivateNetworkPort(ctx context.Context) (int, error) { var portResponse portResponse - req, err := c.newRequest("GET", "instance/allowed_ip_port", nil) + req, err := c.newRequest(http.MethodGet, "instance/allowed_ip_port", nil) if err != nil { return 0, err } diff --git a/vendor/github.com/IBM/keyprotect-go-client/keys.go b/vendor/github.com/IBM/keyprotect-go-client/keys.go index 3b4ca35a2..a8671578b 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/keys.go +++ b/vendor/github.com/IBM/keyprotect-go-client/keys.go @@ -19,6 +19,7 @@ import ( "encoding/base64" "fmt" "log" + "net/http" "net/url" "strconv" "time" @@ -32,7 +33,9 @@ const ( ) var ( - preferHeaders = []string{"return=minimal", "return=representation"} + preferHeaders = []string{"return=minimal", "return=representation"} + keysPath = "keys" + keysWithPolicyOverridesPath = "keys_with_policy_overrides" ) // PreferReturn designates the value for the "Prefer" header. @@ -80,6 +83,7 @@ type Key struct { PurgeAllowedFrom *time.Time `json:"purgeAllowedFrom,omitempty"` PurgeScheduledOn *time.Time `json:"purgeScheduledOn,omitempty"` DualAuthDelete *DualAuth `json:"dualAuthDelete,omitempty"` + Rotation *Rotation `json:"rotation,omitempty"` } // KeysMetadata represents the metadata of a collection of keys. @@ -129,14 +133,14 @@ func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Ti // CreateImportedKey creates a new KP key from the given key material. func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256, nil) return c.createKey(ctx, key) } // CreateImportedKeyWithSHA1 creates a new KP key from the given key material // using RSAES OAEP SHA 1 as encryption algorithm. func (c *Client) CreateImportedKeyWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, nil) return c.createKey(ctx, key) } @@ -179,11 +183,11 @@ func (c *Client) CreateKeyWithAliases(ctx context.Context, name string, expirati // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-root-keys#import-root-key-api // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-standard-keys#import-standard-key-gui func (c *Client) CreateImportedKeyWithAliases(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) { - key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256) + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, nil) return c.createKey(ctx, key) } -func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string) Key { +func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string, policy *Policy) Key { key := Key{ Name: name, Type: keyType, @@ -205,10 +209,23 @@ func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration key.Expiration = expiration } + if policy != nil { + key.Rotation = policy.Rotation + key.DualAuthDelete = policy.DualAuth + } + return key } func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) { + return c.createKeyResource(ctx, key, keysPath) +} + +func (c *Client) createKeyWithPolicyOverrides(ctx context.Context, key Key) (*Key, error) { + return c.createKeyResource(ctx, key, keysWithPolicyOverridesPath) +} + +func (c *Client) createKeyResource(ctx context.Context, key Key, path string) (*Key, error) { keysRequest := Keys{ Metadata: KeysMetadata{ CollectionType: keyType, @@ -217,11 +234,10 @@ func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) { Keys: []Key{key}, } - req, err := c.newRequest("POST", "keys", &keysRequest) + req, err := c.newRequest(http.MethodPost, path, &keysRequest) if err != nil { return nil, err } - keysResponse := Keys{} if _, err := c.do(ctx, req, &keysResponse); err != nil { return nil, err @@ -260,6 +276,57 @@ func (c *Client) SetKeyRing(ctx context.Context, idOrAlias, newKeyRingID string) return &response.Keys[0], nil } +// CreateImportedKeyWithPolicyOverridesWithSHA1 creates a new KP key with policy overrides from the given key material +// and key policy details using RSAES OAEP SHA 1 as encryption algorithm. +func (c *Client) CreateImportedKeyWithPolicyOverridesWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if policy.Rotation != nil && policy.Rotation.Interval == 0 { + policy.Rotation.Interval = -1 + } + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, &policy) + return c.createKeyWithPolicyOverrides(ctx, key) +} + +// CreateKeyWithPolicyOverrides creates a new KP key with given key policy details +func (c *Client) CreateKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, extractable bool, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, "", "", "", extractable, aliases, policy) +} + +// CreateImportedKeyWithPolicyOverrides creates a new Imported KP key from the given key material and with given key policy details +func (c *Client) CreateImportedKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if policy.Rotation != nil && policy.Rotation.Interval == 0 { + policy.Rotation.Interval = -1 + } + key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, &policy) + + return c.createKeyWithPolicyOverrides(ctx, key) +} + +// CreateRootKeyWithPolicyOverrides creates a new, non-extractable key resource without key material and with given key policy details +func (c *Client) CreateRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) { + return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, false, aliases, policy) +} + +// CreateStandardKeyWithPolicyOverrides creates a new, extractable key resource without key material and with given key policy details +func (c *Client) CreateStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) { + return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, true, aliases, policy) +} + +// CreateImportedRootKeyWithPolicyOverrides creates a new, non-extractable key resource with the given key material and with given key policy details +func (c *Client) CreateImportedRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, encryptedNonce, iv, false, aliases, policy) +} + +// CreateImportedStandardKeyWithPolicyOverrides creates a new, extractable key resource with the given key material and with given key policy details +func (c *Client) CreateImportedStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload string, aliases []string, policy Policy) (*Key, error) { + return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, "", "", true, aliases, policy) +} + // GetKeys retrieves a collection of keys that can be paged through. func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, error) { if limit == 0 { diff --git a/vendor/github.com/IBM/keyprotect-go-client/listkeys.go b/vendor/github.com/IBM/keyprotect-go-client/listkeys.go index e1ea7c3b4..6c13ba63b 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/listkeys.go +++ b/vendor/github.com/IBM/keyprotect-go-client/listkeys.go @@ -20,6 +20,7 @@ import ( "fmt" "strconv" "strings" + "time" ) //ListKeysOptions struct to add the query parameters for the List Keys function @@ -30,6 +31,7 @@ type ListKeysOptions struct { State []KeyState Sort *string Search *string + Filter *string } // ListKeys retrieves a list of keys that are stored in your Key Protect service instance. @@ -67,6 +69,9 @@ func (c *Client) ListKeys(ctx context.Context, listKeysOptions *ListKeysOptions) if listKeysOptions.Sort != nil { values.Set("sort", fmt.Sprint(*listKeysOptions.Sort)) } + if listKeysOptions.Filter != nil { + values.Set("filter", fmt.Sprint(*listKeysOptions.Filter)) + } req.URL.RawQuery = values.Encode() } @@ -211,3 +216,97 @@ func AddAliasScope() SearchOpts { func AddKeyNameScope() SearchOpts { return buildSearcOpts("name") } + +// Filter related functions +type filterQuery struct { + queryStr string +} + +type FilterQueryBuilder struct { + filterQueryString filterQuery +} + +func GetFilterQueryBuilder() *FilterQueryBuilder { + return &FilterQueryBuilder{filterQuery{queryStr: ""}} +} + +func (fq *FilterQueryBuilder) Build() string { + return fq.filterQueryString.queryStr +} + +func (fq *FilterQueryBuilder) CreationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " creationDate=" + return fq +} + +func (fq *FilterQueryBuilder) ExpirationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " expirationDate=" + return fq +} + +func (fq *FilterQueryBuilder) LastRotationDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " lastRotateDate=" + return fq +} + +func (fq *FilterQueryBuilder) DeletionDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " deletionDate=" + return fq +} + +func (fq *FilterQueryBuilder) LastUpdateDate() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + " lastUpdateDate=" + return fq +} + +func (fq *FilterQueryBuilder) State(states []KeyState) *FilterQueryBuilder { + str := " state=" + for _, val := range states { + str += strconv.Itoa(int(val)) + "," + } + // remove the extra comma appended at the end of the string + str = strings.TrimSuffix(str, ",") + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + str + return fq +} + +func (fq *FilterQueryBuilder) Extractable(val bool) *FilterQueryBuilder { + extractable := " extractable=" + strconv.FormatBool(val) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + extractable + return fq +} + +func (fq *FilterQueryBuilder) GreaterThan(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "gt:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) GreaterThanOrEqual(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "gte:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) LessThan(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "lt:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) LessThanOrEqual(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "lte:" + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) Equal(dateInput time.Time) *FilterQueryBuilder { + date := dateInput.Format(time.RFC3339Nano) + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "\"" + date + "\"" + return fq +} + +func (fq *FilterQueryBuilder) None() *FilterQueryBuilder { + fq.filterQueryString.queryStr = fq.filterQueryString.queryStr + "none" + return fq +} diff --git a/vendor/github.com/IBM/keyprotect-go-client/policy.go b/vendor/github.com/IBM/keyprotect-go-client/policy.go index 4c60970e9..ae7f872cd 100644 --- a/vendor/github.com/IBM/keyprotect-go-client/policy.go +++ b/vendor/github.com/IBM/keyprotect-go-client/policy.go @@ -22,9 +22,13 @@ import ( ) const ( - policyType = "application/vnd.ibm.kms.policy+json" + // DualAuthDelete defines the policy type as dual auth delete + DualAuthDelete = "dualAuthDelete" + //RotationPolicy defines the policy type as rotation RotationPolicy = "rotation" + + policyType = "application/vnd.ibm.kms.policy+json" ) // Policy represents a policy as returned by the KP API. @@ -40,7 +44,8 @@ type Policy struct { } type Rotation struct { - Interval int `json:"interval_month,omitempty"` + Enabled *bool `json:"enabled,omitempty"` + Interval int `json:"interval_month,omitempty"` } type DualAuth struct { @@ -152,7 +157,7 @@ func (c *Client) getPolicy(ctx context.Context, id, policyType string, policyres return err } -// GetRotationPolivy method retrieves rotation policy details of a key +// GetRotationPolicy method retrieves rotation policy details of a key // For more information can refet the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#view-rotation-policy-api func (c *Client) GetRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { @@ -207,13 +212,11 @@ func (c *Client) setPolicy(ctx context.Context, idOrAlias, policyType string, po return &policyresponse, nil } -// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID or alias and rotation interval. -// For more information can refer the Key Protect docs in the link below: -// https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api -func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotationInterval int) (*Policy, error) { +func (c *Client) setKeyRotationPolicy(ctx context.Context, idOrAlias string, enable *bool, rotationInterval int) (*Policy, error) { policy := Policy{ Type: policyType, Rotation: &Rotation{ + Enabled: enable, Interval: rotationInterval, }, } @@ -238,6 +241,35 @@ func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotati return &policyresponse.Policies[0], nil } +func (c *Client) EnableRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { + enabled := true + return c.setKeyRotationPolicy(ctx, idOrAlias, &enabled, 0) +} + +func (c *Client) DisableRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) { + enabled := false + return c.setKeyRotationPolicy(ctx, idOrAlias, &enabled, 0) +} + +// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID or alias and rotation interval. +// For more information can refer the Key Protect docs in the link below: +// https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api +func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotationInterval int, enabled ...bool) (*Policy, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling + so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 + Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if rotationInterval == 0 { + rotationInterval = -1 + } + var enable *bool + if enabled != nil { + enable = &enabled[0] + } + return c.setKeyRotationPolicy(ctx, idOrAlias, enable, rotationInterval) +} + // SetDualAuthDeletePolicy updates the dual auth delete policy by passing the key ID or alias and enable detail // For more information can refer the Key Protect docs in the link below: // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#create-dual-auth-key-policy-api @@ -273,12 +305,25 @@ func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, idOrAlias string, // To set rotation policy for the key pass the setRotationPolicy parameter as true and set the rotationInterval detail. // To set dual auth delete policy for the key pass the setDualAuthDeletePolicy parameter as true and set the dualAuthEnable detail. // Both the policies can be set or either of the policies can be set. -func (c *Client) SetPolicies(ctx context.Context, idOrAlias string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool) ([]Policy, error) { +func (c *Client) SetPolicies(ctx context.Context, idOrAlias string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool, rotationEnable ...bool) ([]Policy, error) { + /* + Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling + so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 + Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing + */ + if rotationInterval == 0 { + rotationInterval = -1 + } + var enable *bool + if rotationEnable != nil { + enable = &rotationEnable[0] + } policies := []Policy{} if setRotationPolicy { rotationPolicy := Policy{ Type: policyType, Rotation: &Rotation{ + Enabled: enable, Interval: rotationInterval, }, } diff --git a/vendor/modules.txt b/vendor/modules.txt index 6f25f264d..6f9227f33 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/IBM/keyprotect-go-client v0.8.1 +# github.com/IBM/keyprotect-go-client v0.9.0 ## explicit; go 1.15 github.com/IBM/keyprotect-go-client github.com/IBM/keyprotect-go-client/iam