From 7fb65dae5b11fa94c2ef2d62ebd6d6f3d93eaa81 Mon Sep 17 00:00:00 2001
From: Mitchell Williams
Date: Thu, 21 Mar 2024 14:39:36 -0600
Subject: [PATCH] fix: add vault printouts and adjust tests set min_encryption_version and min_available_version too
---
.../security/vault/VaultEncryptionService.java | 17 ++++++-----------
.../vault/VaultEncryptionServiceTest.groovy | 11 +++++++++--
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index 593cda5..ff65231 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -1,8 +1,6 @@
 package com.mx.path.service.facility.security.vault;
 import java.nio.charset.StandardCharsets;
-import java.time.LocalDateTime;
-import java.time.ZoneOffset;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Map;
@@ -10,11 +8,9 @@ import javax.annotation.Nullable;
-import com.google.common.collect.ImmutableMap;
 import lombok.Getter;
 import lombok.Setter;
-import com.bettercloud.vault.SslConfig;
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
@@ -22,6 +18,7 @@ import com.bettercloud.vault.response.AuthResponse;
 import com.bettercloud.vault.response.LogicalResponse;
 import com.bettercloud.vault.response.VaultResponse;
+import com.google.common.collect.ImmutableMap;
 import com.mx.path.core.common.configuration.Configuration;
 import com.mx.path.core.common.lang.Strings;
 import com.mx.path.core.common.security.EncryptionService;
@@ -144,7 +141,7 @@ final Vault buildVaultDriver(@Nullable String authToken) {
 .token(authToken)
 .engineVersion(configuration.getEngineVersion())
 .address(configuration.getUri())
-// .sslConfig(new SslConfig().verify(false).build())
+ // .sslConfig(new SslConfig().verify(false).build())
 .build();
 Vault newDriver = new Vault(vaultConfig);
@@ -205,14 +202,12 @@ final VaultTransitKey loadKey() {
 */
 final void setMinDecryptionVersion(int minDecryptionVersion) {
 try {
- //FIXME this is not setting `min_encryption_version` or `min_available_version`
 //FIXME should `min_available_version` and `min_decyprtion_version` always be the same and `min_encryption_version` be ahead?
-// VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
+ // VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
 VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), ImmutableMap.of(
- "min_decryption_version", minDecryptionVersion,
- "min_encryption_version", minDecryptionVersion,
- "min_available_version", minDecryptionVersion
- ));
+ "min_decryption_version", minDecryptionVersion,
+ "min_encryption_version", minDecryptionVersion,
+ "min_available_version", minDecryptionVersion));
 validateVaultOperationResponse(response, "Unable to update vault key");
 } catch (RuntimeException e) {
 LOGGER.warn("Unable to update vault key", e);
diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
index ab1d37f..39e534b 100644
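Review bot: The re-indented `// .sslConfig(new SslConfig().verify(false).build())` line in buildVaultDriver is commented-out code that, judging by `verify(false)`, would disable TLS certificate verification for the Vault connection if anyone uncommented it, and this same patch removes the `SslConfig` import, so it no longer even compiles as written. Delete the line instead of keeping it as a latent toggle; if an insecure-TLS override is genuinely needed for local development, expose it as an explicit configuration option that defaults to verification on and is logged when turned off. buildVaultDriver's body starts and continues outside the hunk.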
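Review bot: setMinDecryptionVersion now writes `min_encryption_version` and `min_available_version` with the same value as `min_decryption_version`, yet its name, the Javadoc above the hunk and the surviving FIXME still describe it as setting only the decryption floor, so the Javadoc should state the widened effect — for instance `Sets min_decryption_version, min_encryption_version and min_available_version to the given version; key versions below it are trimmed and ciphertext produced with them can no longer be decrypted.` That caveat matters because, per the Vault transit API documentation, `min_available_version` is the trim floor that permanently removes older key versions, and pinning it to the decryption floor is the most aggressive setting possible; confirm this against the Vault version in use before relying on it. It is also worth checking against a real Vault that the path `transit/keys/<name>` accepts these parameters at all — the API documents key configuration under `transit/keys/<name>/config` and trimming under `transit/keys/<name>/trim` — since the Spock tests only verify the mocked `write` call and a rejected write is reduced to `LOGGER.warn` by the catch at the end of the hunk. The still-commented `// VaultResponse response = ... Collections.singletonMap(...)` line should be deleted rather than re-indented.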
--- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
+++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
@@ -18,6 +18,7 @@ import com.bettercloud.vault.api.Logical
 import com.bettercloud.vault.response.AuthResponse
 import com.bettercloud.vault.response.LogicalResponse
 import com.bettercloud.vault.rest.RestResponse
+import com.google.common.collect.ImmutableMap
 import com.mx.path.core.common.collection.ObjectMap
 import spock.lang.Specification
@@ -458,7 +459,10 @@ class VaultEncryptionServiceTest extends Specification {
 when:
 subject.rotateKeys()
 verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/rotate", null)
- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 2))
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName(), ImmutableMap.of(
+ "min_decryption_version", 2,
+ "min_encryption_version", 2,
+ "min_available_version", 2))
 then:
 true
@@ -503,7 +507,10 @@ class VaultEncryptionServiceTest extends Specification {
 subject.setDriver(vaultDriver)
 subject.setMinDecryptionVersion(12)
- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 12))
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName(), ImmutableMap.of(
+ "min_decryption_version", 12,
+ "min_encryption_version", 12,
+ "min_available_version", 12))
 then:
 true
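Review bot: The three-entry expected map is now spelled out verbatim in the rotateKeys test at `@@ -458` and again in the setMinDecryptionVersion(12) test at `@@ -503`, mirroring the service literal; a small spec helper such as `static Map expectedKeyConfig(int version)` would keep both tests in step the next time the parameter set changes. The rotateKeys test also now pins that `min_available_version` is written with the same value as `min_decryption_version` right after a rotate, which presumably trims every older key version; a one-line comment on that `verify` naming this as the intended post-rotation policy would stop a future reader from treating it as an incidental detail of the mock. Both feature methods start before their hunks.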