From fafb022b9261ab8f30bdbbca73320092584190cc Mon Sep 17 00:00:00 2001 From: Mitchell Williams Date: Mon, 25 Mar 2024 18:02:53 -0600 Subject: [PATCH 1/2] fix: update minVersion on /config endpoint set min_decryption_version, min_encryption_version and min_available_version --- .../vault/VaultEncryptionService.java | 20 +++++++++++-------- .../vault/VaultEncryptionServiceTest.groovy | 17 ++++++++++------ 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java index 555b070..036773b 100644 --- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java +++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java @@ -18,6 +18,7 @@ import com.bettercloud.vault.response.AuthResponse; import com.bettercloud.vault.response.LogicalResponse; import com.bettercloud.vault.response.VaultResponse; +import com.google.common.collect.ImmutableMap; import com.mx.path.core.common.configuration.Configuration; import com.mx.path.core.common.lang.Strings; import com.mx.path.core.common.security.EncryptionService; @@ -116,13 +117,13 @@ public final void rotateKeys() { return; } - int minDecryptVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep(); + int minVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep() + 1; - if (minDecryptVersion < 1) { - minDecryptVersion = 1; + if (minVersion < 1) { + minVersion = 1; } - setMinDecryptionVersion(minDecryptVersion); + setMinVersion(minVersion); } /** @@ -189,15 +190,18 @@ final VaultTransitKey loadKey() { } /** - * Set the minimum decryption key + * Set the minimum decryption key, minimum encryption key and minimum available version * *
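Review bot: In the rotateKeys() hunk, `minVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep() + 1` is only clamped from below, so a getNumKeysToKeep() of 0 or less (I cannot see the configuration's validation from here) yields a floor above the current key version; Vault is likely to reject that write, and because setMinVersion only logs a warning on failure, the rotation would silently leave all old versions decryptable. A cheap upper clamp keeps the floor within the key's actual range: `int minVersion = Math.max(1, Math.min(key.currentKeyVersion(), key.currentKeyVersion() - configuration.getNumKeysToKeep() + 1));`, which replaces the arithmetic line and the `if (minVersion < 1)` block. It would also be worth a one-line comment such as `// keep the current version plus (numKeysToKeep - 1) predecessors decryptable` so the `+ 1` is not mistaken for an off-by-one. The body of rotateKeys begins before this hunk.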

Does not raise exception on failure. * - * @param minDecryptionVersion + * @param minVersion */ - final void setMinDecryptionVersion(int minDecryptionVersion) { + final void setMinVersion(int minVersion) { try { - VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion)); + VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName() + "/config", ImmutableMap.of( + "min_decryption_version", minVersion, + "min_encryption_version", minVersion, + "min_available_version", minVersion)); validateVaultOperationResponse(response, "Unable to update vault key"); } catch (RuntimeException e) { LOGGER.warn("Unable to update vault key", e); diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy index ab1d37f..9ff1905 100644 --- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy +++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy @@ -18,13 +18,12 @@ import com.bettercloud.vault.api.Logical import com.bettercloud.vault.response.AuthResponse import com.bettercloud.vault.response.LogicalResponse import com.bettercloud.vault.rest.RestResponse -import com.mx.path.core.common.collection.ObjectMap +import com.google.common.collect.ImmutableMap import spock.lang.Specification import spock.lang.Unroll class VaultEncryptionServiceTest extends Specification { - ObjectMap configuration Logical logicalDriver VaultEncryptionService subject Vault vaultDriver 
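Review bot: In setMinVersion(), writing `"min_encryption_version", minVersion` alongside the decryption floor loosens the key's policy rather than tightening it: before this change the field was never written and so stayed at Vault's default of 0, which per the transit docs means only the latest version may encrypt, whereas the new value explicitly permits encryption under every version still retained for decryption. If the intent is only to prune old versions, send just `"min_decryption_version", minVersion` (or `"min_encryption_version", 0`); if encrypting under older versions is deliberate, say so in the Javadoc, which currently leaves `@param minVersion` with no description — e.g. `@param minVersion lowest key version left usable for decryption (and, as written, for encryption); versions below it are retired`. The same pair of fields is kept by the later hunk at `@@ -200,8 +200,7 @@` in the second patch, so whichever way this is resolved applies there too. Note also that the catch block downgrades a failed policy update to a warning, so a caller of rotateKeys() has no signal that old versions were not retired; that is documented behaviour, but worth stating in the rotateKeys() Javadoc as well, which lies outside this hunk.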
@@ -458,7 +457,10 @@ class VaultEncryptionServiceTest extends Specification { when: subject.rotateKeys() verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/rotate", null) - verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 2)) + verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of( + "min_available_version", 3, + "min_decryption_version", 3, + "min_encryption_version", 3)) then: true @@ -497,13 +499,16 @@ class VaultEncryptionServiceTest extends Specification { } @Unroll - def "setMinDecryptionVersion() interacts with driver"() { + def "setMinVersion() interacts with driver"() { when: subject = new VaultEncryptionService(config) subject.setDriver(vaultDriver) - subject.setMinDecryptionVersion(12) - verify(logicalDriver).write("transit/keys/" + config.getKeyName(), Collections.singletonMap("min_decryption_version", 12)) + subject.setMinVersion(12) + verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of( + "min_available_version", 12, + "min_decryption_version", 12, + "min_encryption_version", 12)) then: true From 3a40761cf721ec025af21cf084343b20497b827c Mon Sep 17 00:00:00 2001 From: Mitchell Williams Date: Tue, 26 Mar 2024 10:11:48 -0600 Subject: [PATCH 2/2] fix: drop setting min_available_version --- .../facility/security/vault/VaultEncryptionService.java | 5 ++--- .../security/vault/VaultEncryptionServiceTest.groovy | 2 -- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java index 036773b..a144f6a 100644 --- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java 
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java @@ -190,7 +190,7 @@ final VaultTransitKey loadKey() { } /** - * Set the minimum decryption key, minimum encryption key and minimum available version + * Set the minimum decryption key and minimum encryption key * *

Does not raise exception on failure. * @@ -200,8 +200,7 @@ final void setMinVersion(int minVersion) { try { VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName() + "/config", ImmutableMap.of( "min_decryption_version", minVersion, - "min_encryption_version", minVersion, - "min_available_version", minVersion)); + "min_encryption_version", minVersion)); validateVaultOperationResponse(response, "Unable to update vault key"); } catch (RuntimeException e) { LOGGER.warn("Unable to update vault key", e); diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy index 9ff1905..36e41b4 100644 --- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy +++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy @@ -458,7 +458,6 @@ class VaultEncryptionServiceTest extends Specification { subject.rotateKeys() verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/rotate", null) verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of( - "min_available_version", 3, "min_decryption_version", 3, "min_encryption_version", 3)) @@ -506,7 +505,6 @@ class VaultEncryptionServiceTest extends Specification { subject.setMinVersion(12) verify(logicalDriver).write("transit/keys/" + config.getKeyName() + "/config", ImmutableMap.of( - "min_available_version", 12, "min_decryption_version", 12, "min_encryption_version", 12))