diff --git a/go.mod b/go.mod
index a805fb690..7c7ae7ef1 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/ceph/ceph-csi
 go 1.20
 require (
- github.com/IBM/keyprotect-go-client v0.10.0
+ github.com/IBM/keyprotect-go-client v0.12.2
 github.com/aws/aws-sdk-go v1.44.333
 github.com/aws/aws-sdk-go-v2/service/sts v1.21.5
 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
diff --git a/go.sum b/go.sum
index 5644dd150..8a12c87a3 100644
--- a/go.sum
+++ b/go.sum
@@ -643,8 +643,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.10.0 h1:UdVOwJfyVNmL4O3Aw2eGluiEr5FpV5h8EaNVJKCtLvY=
-github.com/IBM/keyprotect-go-client v0.10.0/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
+github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
 github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E=
 github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
diff --git a/vendor/github.com/IBM/keyprotect-go-client/README.md b/vendor/github.com/IBM/keyprotect-go-client/README.md
index a8131e473..218b42e04 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/README.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/README.md
@@ -1,4 +1,4 @@
-# IBM Cloud Go SDK Version 0.9.2
+# IBM Cloud Go SDK
 # keyprotect-go-client
diff --git a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
index eddb0710f..a88961c9a 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
@@ -3,6 +3,8 @@ package kp
 import (
 "context"
 "fmt"
+ "net/http"
+ "strconv"
 "time"
 )
@@ -18,7 +20,7 @@ type KeyRing struct {
 type KeyRings struct {
 Metadata KeysMetadata `json:"metadata"`
- KeyRings []KeyRing `json:"resources"`
+ KeyRings []KeyRing `json:"resources"`
 }
 // CreateRing method creates a key ring in the instance with the provided name
@@ -57,11 +59,24 @@ func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) {
 return &rings, nil
 }
+type DeleteKeyRingQueryOption func(*http.Request)
+
+func WithForce(force bool) DeleteKeyRingQueryOption {
+ return func(req *http.Request) {
+ query := req.URL.Query()
+ query.Add("force", strconv.FormatBool(force))
+ req.URL.RawQuery = query.Encode()
+ }
+}
+
 // DeleteRing method deletes the key ring with the provided name in the instance
 // For information please refer to the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api
-func (c *Client) DeleteKeyRing(ctx context.Context, id string) error {
+func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error {
 req, err := c.newRequest("DELETE", fmt.Sprintf(path+"/%s", id), nil)
+ for _, opt := range opts {
+ opt(req)
+ }
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/IBM/keyprotect-go-client/keys.go b/vendor/github.com/IBM/keyprotect-go-client/keys.go
index 0bde6b231..6039fa82b 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/keys.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/keys.go
@@ -133,22 +133,118 @@ type KeyVersion struct {
 CreationDate *time.Time `json:"creationDate,omitempty"`
 }
+// This function returns a string so we can pass extra info not in the key struct if needed
+type CreateKeyOption func(k *Key)
+
+func WithExpiration(expiration *time.Time) CreateKeyOption {
+ return func(key *Key) {
+ key.Expiration = expiration
+ }
+}
+
+func WithDescription(description string) CreateKeyOption {
+ return func(key *Key) {
+ key.Description = description
+ }
+}
+
+func WithPayload(payload string, encryptedNonce, iv *string, sha1 bool) CreateKeyOption {
+ return func(key *Key) {
+ key.Payload = payload
+ if !key.Extractable {
+ hasNonce := encryptedNonce != nil && *encryptedNonce != ""
+ hasIV := iv != nil && *iv != ""
+ if hasNonce {
+ key.EncryptedNonce = *encryptedNonce
+ }
+ if hasIV {
+ key.IV = *iv
+ }
+ // Encryption algo field is only for secure import.
+ // Only included it if either nonce or IV are specified.
+ // API will error if only one of IV or nonce are specified but the other is empty.
+ if hasNonce || hasIV {
+ algorithm := AlgorithmRSAOAEP256
+ if sha1 {
+ algorithm = AlgorithmRSAOAEP1
+ }
+ key.EncryptionAlgorithm = algorithm
+ }
+ }
+ }
+}
+
+func WithAliases(aliases []string) CreateKeyOption {
+ return func(key *Key) {
+ key.Aliases = aliases
+ }
+}
+
+func WithTags(tags []string) CreateKeyOption {
+ return func(key *Key) {
+ key.Tags = tags
+ }
+}
+
+func (c *Client) CreateKeyWithOptions(ctx context.Context, name string, extractable bool, options ...CreateKeyOption) (*Key, error) {
+ key := &Key{
+ Name: name,
+ Type: keyType,
+ Extractable: extractable,
+ }
+ for _, opt := range options {
+ opt(key)
+ }
+ return c.createKeyResource(ctx, *key, keysPath)
+}
+
+func (c *Client) CreateKeyWithPolicyOverridesWithOptions(ctx context.Context, name string, extractable bool, policy Policy, options ...CreateKeyOption) (*Key, error) {
+ key := &Key{
+ Name: name,
+ Type: keyType,
+ Extractable: extractable,
+ }
+ for _, opt := range options {
+ opt(key)
+ }
+ /*
+ Setting the value of rotationInterval to -1 in case user passes 0 value
+ as we want to retain the param `interval_month` after marshalling
+ so that we can get correct error msg from REST API saying interval_month should be between 1 to 12
+ Otherwise the param would not be sent to REST API in case of value 0
+ and it would throw error saying interval_month is missing
+ */
+ if policy.Rotation != nil && policy.Rotation.Interval == 0 {
+ policy.Rotation.Interval = -1
+ }
+ key.Rotation = policy.Rotation
+ key.DualAuthDelete = policy.DualAuth
+
+ return c.createKeyResource(ctx, *key, keysWithPolicyOverridesPath)
+}
+
 // CreateKey creates a new KP key.
 func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Time, extractable bool) (*Key, error) {
- return c.CreateImportedKey(ctx, name, expiration, "", "", "", extractable)
+ return c.CreateKeyWithOptions(ctx, name, extractable, WithExpiration(expiration))
 }
 // CreateImportedKey creates a new KP key from the given key material.
 func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool) (*Key, error) {
- key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256, nil)
- return c.createKey(ctx, key)
+ return c.CreateKeyWithOptions(ctx, name, extractable,
+ WithExpiration(expiration),
+ WithPayload(payload, &encryptedNonce, &iv, false),
+ )
 }
 // CreateImportedKeyWithSHA1 creates a new KP key from the given key material
 // using RSAES OAEP SHA 1 as encryption algorithm.
-func (c *Client) CreateImportedKeyWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
- key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, nil)
- return c.createKey(ctx, key)
+func (c *Client) CreateImportedKeyWithSHA1(ctx context.Context, name string, expiration *time.Time,
+ payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
+ return c.CreateKeyWithOptions(ctx, name, extractable,
+ WithExpiration(expiration),
+ WithPayload(payload, &encryptedNonce, &iv, true),
+ WithAliases(aliases),
+ )
 }
 // CreateRootKey creates a new, non-extractable key resource without
@@ -189,47 +285,64 @@ func (c *Client) CreateKeyWithAliases(ctx context.Context, name string, expirati
 // For more information please refer to the links below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-root-keys#import-root-key-api
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-standard-keys#import-standard-key-gui
-func (c *Client) CreateImportedKeyWithAliases(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
- key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, nil)
- return c.createKey(ctx, key)
+func (c *Client) CreateImportedKeyWithAliases(ctx context.Context, name string, expiration *time.Time,
+ payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
+ return c.CreateKeyWithOptions(ctx, name, extractable,
+ WithExpiration(expiration),
+ WithPayload(payload, &encryptedNonce, &iv, false),
+ WithAliases(aliases),
+ )
 }
-func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string, policy *Policy) Key {
- key := Key{
- Name: name,
- Type: keyType,
- Extractable: extractable,
- Payload: payload,
- }
-
- if aliases != nil {
- key.Aliases = aliases
- }
-
- if !extractable && payload != "" && encryptedNonce != "" && iv != "" {
- key.EncryptedNonce = encryptedNonce
- key.IV = iv
- key.EncryptionAlgorithm = encryptionAlgorithm
- }
-
- if expiration != nil {
- key.Expiration = expiration
- }
-
- if policy != nil {
- key.Rotation = policy.Rotation
- key.DualAuthDelete = policy.DualAuth
- }
-
- return key
+// CreateImportedKeyWithPolicyOverridesWithSHA1 creates a new KP key with policy overrides from the given key material
+// and key policy details using RSAES OAEP SHA 1 as encryption algorithm.
+func (c *Client) CreateImportedKeyWithPolicyOverridesWithSHA1(ctx context.Context, name string, expiration *time.Time,
+ payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateKeyWithPolicyOverridesWithOptions(ctx, name, extractable, policy,
+ WithExpiration(expiration),
+ WithPayload(payload, &encryptedNonce, &iv, true),
+ WithAliases(aliases),
+ )
 }
-func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) {
- return c.createKeyResource(ctx, key, keysPath)
+// CreateKeyWithPolicyOverrides creates a new KP key with given key policy details
+func (c *Client) CreateKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, extractable bool, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateKeyWithPolicyOverridesWithOptions(ctx, name, extractable, policy,
+ WithExpiration(expiration),
+ WithAliases(aliases),
+ )
 }
-func (c *Client) createKeyWithPolicyOverrides(ctx context.Context, key Key) (*Key, error) {
- return c.createKeyResource(ctx, key, keysWithPolicyOverridesPath)
+// CreateImportedKeyWithPolicyOverrides creates a new Imported KP key from the given key material and with given key policy details
+func (c *Client) CreateImportedKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time,
+ payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateKeyWithPolicyOverridesWithOptions(ctx, name, extractable, policy,
+ WithExpiration(expiration),
+ WithPayload(payload, &encryptedNonce, &iv, false),
+ WithAliases(aliases),
+ )
+}
+
+// CreateRootKeyWithPolicyOverrides creates a new, non-extractable key resource without key material and with given key policy details
+func (c *Client) CreateRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateKeyWithPolicyOverrides(ctx, name,
expiration, false, aliases, policy)
+}
+
+// CreateStandardKeyWithPolicyOverrides creates a new, extractable key resource without key material and with given key policy details
+func (c *Client) CreateStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, true, aliases, policy)
+}
+
+// CreateImportedRootKeyWithPolicyOverrides creates a new, non-extractable key resource with the given key material and with given key policy details
+func (c *Client) CreateImportedRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time,
+ payload, encryptedNonce, iv string, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, encryptedNonce, iv, false, aliases, policy)
+}
+
+// CreateImportedStandardKeyWithPolicyOverrides creates a new, extractable key resource with the given key material and with given key policy details
+func (c *Client) CreateImportedStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time,
+ payload string, aliases []string, policy Policy) (*Key, error) {
+ return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, "", "", true, aliases, policy)
 }
 func (c *Client) createKeyResource(ctx context.Context, key Key, path string) (*Key, error) {
@@ -283,57 +396,6 @@ func (c *Client) SetKeyRing(ctx context.Context, idOrAlias, newKeyRingID string)
 return &response.Keys[0], nil
 }
-// CreateImportedKeyWithPolicyOverridesWithSHA1 creates a new KP key with policy overrides from the given key material
-// and key policy details using RSAES OAEP SHA 1 as encryption algorithm.
-func (c *Client) CreateImportedKeyWithPolicyOverridesWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) {
- /*
- Setting the value of rotationInterval to -1 in case user passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing
- */
- if policy.Rotation != nil && policy.Rotation.Interval == 0 {
- policy.Rotation.Interval = -1
- }
- key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1, &policy)
- return c.createKeyWithPolicyOverrides(ctx, key)
-}
-
-// CreateKeyWithPolicyOverrides creates a new KP key with given key policy details
-func (c *Client) CreateKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, extractable bool, aliases []string, policy Policy) (*Key, error) {
- return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, "", "", "", extractable, aliases, policy)
-}
-
-// CreateImportedKeyWithPolicyOverrides creates a new Imported KP key from the given key material and with given key policy details
-func (c *Client) CreateImportedKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, policy Policy) (*Key, error) {
- /*
- Setting the value of rotationInterval to -1 in case user
passes 0 value as we want to retain the param `interval_month` after marshalling so that we can get correct error msg from REST API saying interval_month should be between 1 to 12 Otherwise the param would not be sent to REST API in case of value 0 and it would throw error saying interval_month is missing
- */
- if policy.Rotation != nil && policy.Rotation.Interval == 0 {
- policy.Rotation.Interval = -1
- }
- key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256, &policy)
-
- return c.createKeyWithPolicyOverrides(ctx, key)
-}
-
-// CreateRootKeyWithPolicyOverrides creates a new, non-extractable key resource without key material and with given key policy details
-func (c *Client) CreateRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) {
- return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, false, aliases, policy)
-}
-
-// CreateStandardKeyWithPolicyOverrides creates a new, extractable key resource without key material and with given key policy details
-func (c *Client) CreateStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, aliases []string, policy Policy) (*Key, error) {
- return c.CreateKeyWithPolicyOverrides(ctx, name, expiration, true, aliases, policy)
-}
-
-// CreateImportedRootKeyWithPolicyOverrides creates a new, non-extractable key resource with the given key material and with given key policy details
-func (c *Client) CreateImportedRootKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, aliases []string, policy Policy) (*Key, error) {
- return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, encryptedNonce, iv, false, aliases, policy)
-}
-
-// CreateImportedStandardKeyWithPolicyOverrides creates a new, extractable key resource with the given key material and with given key policy
details
-func (c *Client) CreateImportedStandardKeyWithPolicyOverrides(ctx context.Context, name string, expiration *time.Time, payload string, aliases []string, policy Policy) (*Key, error) {
- return c.CreateImportedKeyWithPolicyOverrides(ctx, name, expiration, payload, "", "", true, aliases, policy)
-}
-
 // GetKeys retrieves a collection of keys that can be paged through.
 func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, error) {
 if limit == 0 {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 87a215cee..8b5c1c871 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# github.com/IBM/keyprotect-go-client v0.10.0
+# github.com/IBM/keyprotect-go-client v0.12.2
 ## explicit; go 1.15
 github.com/IBM/keyprotect-go-client
 github.com/IBM/keyprotect-go-client/iam