From 50901d2e836bcbe83ad24eac69c4b4aa81c81338 Mon Sep 17 00:00:00 2001
From: Mitchell Williams
Date: Thu, 21 Mar 2024 14:58:45 -0600
Subject: [PATCH] fix: only set min_decryption_version
---
 .../security/vault/VaultEncryptionService.java | 13 ++++++-------
 .../vault/VaultEncryptionServiceTest.groovy | 11 ++---------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index ff65231..8dbf966 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -18,7 +18,6 @@ import com.bettercloud.vault.response.AuthResponse;
 import com.bettercloud.vault.response.LogicalResponse;
 import com.bettercloud.vault.response.VaultResponse;

-import com.google.common.collect.ImmutableMap;
 import com.mx.path.core.common.configuration.Configuration;
 import com.mx.path.core.common.lang.Strings;
 import com.mx.path.core.common.security.EncryptionService;
@@ -141,7 +140,6 @@ final Vault buildVaultDriver(@Nullable String authToken) {
 .token(authToken)
 .engineVersion(configuration.getEngineVersion())
 .address(configuration.getUri())
- // .sslConfig(new SslConfig().verify(false).build())
 .build();

 Vault newDriver = new Vault(vaultConfig);
@@ -203,11 +201,12 @@ final VaultTransitKey loadKey() {
 final void setMinDecryptionVersion(int minDecryptionVersion) {
 try {
 //FIXME should `min_available_version` and `min_decyprtion_version` always be the same and `min_encryption_version` be ahead?
- // VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
- VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), ImmutableMap.of(
- "min_decryption_version", minDecryptionVersion,
- "min_encryption_version", minDecryptionVersion,
- "min_available_version", minDecryptionVersion));
+ VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName() + "/config", Collections.singletonMap("min_decryption_version", minDecryptionVersion));
+
+ // VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName() + "/config", ImmutableMap.of(
+ // "min_decryption_version", minDecryptionVersion,
+ // "min_encryption_version", minDecryptionVersion,
+ // "min_available_version", minDecryptionVersion));
 validateVaultOperationResponse(response, "Unable to update vault key");
 } catch (RuntimeException e) {
 LOGGER.warn("Unable to update vault key", e);
diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
index 39e534b..acda048 100644
--- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
+++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
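Review bot: The six added lines replacing the ImmutableMap call leave a commented-out copy of the old three-key map inside setMinDecryptionVersion, and that copy still references `ImmutableMap`, whose import the first hunk removes, so it can never be uncommented as-is; delete it and fold the open question into the existing FIXME on the line above (which also misspells `min_decyprtion_version`). As far as I recall, Vault's `transit/keys/<name>/config` endpoint accepts `min_decryption_version` and `min_encryption_version`, while `min_available_version` is set through the separate trim endpoint, which is the kind of fact that belongs in that FIXME rather than in dead code. The `catch (RuntimeException e)` at the end of the hunk only logs at WARN, so if the config write fails the older key versions presumably remain usable for decryption and the caller never learns it; if that best-effort behaviour is intended, say so on the catch, e.g. `// best-effort: a failed config write leaves older key versions decryptable and is not surfaced to the caller`. setMinDecryptionVersion's body continues past the hunk.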
@@ -18,7 +18,6 @@ import com.bettercloud.vault.api.Logical
 import com.bettercloud.vault.response.AuthResponse
 import com.bettercloud.vault.response.LogicalResponse
 import com.bettercloud.vault.rest.RestResponse
-import com.google.common.collect.ImmutableMap
 import com.mx.path.core.common.collection.ObjectMap

 import spock.lang.Specification
@@ -459,10 +458,7 @@ class VaultEncryptionServiceTest extends Specification {
 when:
 subject.rotateKeys()
 verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/rotate", null)
- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), ImmutableMap.of(
- "min_decryption_version", 2,
- "min_encryption_version", 2,
- "min_available_version", 2))
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", Collections.singletonMap("min_decryption_version", 2))

 then:
 true
@@ -507,10 +503,7 @@ class VaultEncryptionServiceTest extends Specification {
 subject.setDriver(vaultDriver)
 subject.setMinDecryptionVersion(12)

- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), ImmutableMap.of(
- "min_decryption_version", 12,
- "min_encryption_version", 12,
- "min_available_version", 12))
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", Collections.singletonMap("min_decryption_version", 12))

 then:
 true
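Review bot: The replacement `verify(logicalDriver).write(... + "/config", Collections.singletonMap("min_decryption_version", 2))` line in the rotateKeys hunk, and its twin with `12` in the setMinDecryptionVersion hunk, are placed inside the `when:` block while `then:` holds only a placeholder `true`; in Spock the verification belongs under `then:`, so moving each `verify(...)` below `then:` and dropping the `true` keeps the test structure honest without changing what it checks. Both hunks now pin only the happy path, and since the production method logs and continues when the config write throws, a feature method that stubs `logicalDriver.write` to throw and asserts `subject.setMinDecryptionVersion(12)` does not propagate would document that contract. The feature methods containing these lines start before each hunk.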