diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index 555b070..a144f6a 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -18,6 +18,7 @@ import com.bettercloud.vault.response.AuthResponse;
import com.bettercloud.vault.response.LogicalResponse;
import com.bettercloud.vault.response.VaultResponse;
+import com.google.common.collect.ImmutableMap;
import com.mx.path.core.common.configuration.Configuration;
import com.mx.path.core.common.lang.Strings;
import com.mx.path.core.common.security.EncryptionService;
@@ -116,13 +117,13 @@ public final void rotateKeys() {
return;
}
- int minDecryptVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep();
+ int minVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep() + 1;
- if (minDecryptVersion < 1) {
- minDecryptVersion = 1;
+ if (minVersion < 1) {
+ minVersion = 1;
}
- setMinDecryptionVersion(minDecryptVersion);
+ setMinVersion(minVersion);
}
/**
@@ -189,15 +190,17 @@ final VaultTransitKey loadKey() {
}
/**
- * Set the minimum decryption key
+ * Set the minimum decryption key and minimum encryption key
*
*
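Review bot: The new `+ 1` in `rotateKeys` makes `numKeysToKeep` implicitly require a value of at least 1: with 0 (or a negative value) the computed `minVersion` lands above `key.currentKeyVersion()`, and the lower clamp `if (minVersion < 1)` does not catch that direction. As far as I recall Vault rejects a min_decryption_version greater than the latest key version, and because `setMinVersion` only logs on failure, a misconfigured keeper count would leave the key's decryption floor untouched with nothing but a warning. Consider capping from above as well, `int minVersion = Math.max(1, Math.min(key.currentKeyVersion(), key.currentKeyVersion() - configuration.getNumKeysToKeep() + 1));`, or rejecting `numKeysToKeep < 1` where the configuration is validated. The arithmetic also deserves a comment, since a reader has to work out that it retains exactly `numKeysToKeep` versions including the current one: `// keep the current version plus (numKeysToKeep - 1) older ones; anything below is archived`. The start of rotateKeys, including whether `key` is reloaded after the rotate call so that `currentKeyVersion()` is the post-rotation version, lies outside the hunk.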

Does not raise exception on failure.
*
- * @param minDecryptionVersion
* */
- final void setMinDecryptionVersion(int minDecryptionVersion) {
+ final void setMinVersion(int minVersion) {
try {
- VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
+ VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName() + "/config", ImmutableMap.of(
+ "min_decryption_version", minVersion,
+ "min_encryption_version", minVersion));
validateVaultOperationResponse(response, "Unable to update vault key");
} catch (RuntimeException e) {
LOGGER.warn("Unable to update vault key", e);
diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
index ab1d37f..36e41b4 100644
--- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
+++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
@@ -18,13 +18,12 @@ import com.bettercloud.vault.api.Logical
import com.bettercloud.vault.response.AuthResponse
import com.bettercloud.vault.response.LogicalResponse
import com.bettercloud.vault.rest.RestResponse
-import com.mx.path.core.common.collection.ObjectMap
+import com.google.common.collect.ImmutableMap
import spock.lang.Specification
import spock.lang.Unroll
class VaultEncryptionServiceTest extends Specification {
- ObjectMap configuration
Logical logicalDriver
VaultEncryptionService subject
Vault vaultDriver
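Review bot: Writing `min_encryption_version` with the same value as `min_decryption_version` still allows a caller that passes an explicit key_version to encrypt new data under the oldest retained version, the one that will be archived on the very next rotation; if the point of rotating is to push new ciphertext onto the current key, the encryption floor should be `key.currentKeyVersion()` (or 0, which Vault treats as "latest" as I recall), not the decryption floor. The pair as written is at least valid, since Vault requires min_encryption_version to be 0 or no lower than min_decryption_version, but the single `minVersion` parameter now carries both meanings and the Javadoc does not say so. I would reword the summary and parameter, which also speak of a "key" where a version is meant: `Set the key's minimum decryption and minimum encryption version.` and `@param minVersion lowest key version that may still decrypt existing data and encrypt new data; versions below it are archived by Vault (not deleted) and come back if this value is lowered again`. The `catch (RuntimeException e)` that only warns honours the "Does not raise exception on failure" contract, but it also means a rejected config write, for example a version above the latest, is invisible to the caller of rotateKeys; the rest of setMinVersion lies outside the hunk.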
@@ -458,7 +457,9 @@ class VaultEncryptionServiceTest extends Specification {
when:
subject.rotateKeys()
verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/rotate", null)
- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 2))
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of(
+ "min_decryption_version", 3,
+ "min_encryption_version", 3))
then:
true
@@ -497,13 +498,15 @@ class VaultEncryptionServiceTest extends Specification {
}
@Unroll
- def "setMinDecryptionVersion() interacts with driver"() {
+ def "setMinVersion() interacts with driver"() {
when:
subject = new VaultEncryptionService(config)
subject.setDriver(vaultDriver)
- subject.setMinDecryptionVersion(12)
- verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 12))
+ subject.setMinVersion(12)
+ verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of(
+ "min_decryption_version", 12,
+ "min_encryption_version", 12))
then:
true
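Review bot: The expected `3` in the new `verify` for the `/config` write is derived from the fixture's current key version and `numKeysToKeep`, neither of which is visible in the hunk, so the `current - keep + 1` arithmetic the test pins is not evident to a reader; a comment above the verify would help: `// numKeysToKeep versions retained: minVersion = currentKeyVersion - numKeysToKeep + 1`. Nothing in this hunk exercises the clamp to 1 in rotateKeys or a `numKeysToKeep` of 0, so unless the spec covers that elsewhere, a case with a small current version (where the computed value would be 0 or negative) would be worth adding. The `verify` calls also sit in the `when:` block with a bare `then: true`, so a missed interaction surfaces as an exception rather than a Spock condition; that predates the change, but the new lines follow the same pattern.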