IBM / keyprotect-go-client

Go SDK for interacting with the IBM Cloud KeyProtect service.
Apache License 2.0

Support disabling of key rotation policy in KP Go SDK #91

Closed EktaBharti1998 closed 2 years ago

EktaBharti1998 commented 2 years ago

Title: Add enabled param for key rotation policy in Go SDK

Issue/Task Reference: https://github.ibm.com/kms/kmk/issues/1345

EktaBharti1998 commented 2 years ago

Integration test results

```
ektabharti@Ektas-MacBook-Pro keyprotect-go-client % go test -v -tags=integration ./...
=== RUN TestWrapUnwrap
    integration_test.go:86: CRK created successfully: id=cbd048bd-0733-422b-b270-e6dbac5ebe79
    integration_test.go:103: Key deleted: id=cbd048bd-0733-422b-b270-e6dbac5ebe79
--- PASS: TestWrapUnwrap (7.14s)
=== RUN TestWrapUnwrapWithAlias
    integration_test.go:118: CRK created successfully: id=c47cee79-50ed-4dee-b36d-f84ec6692da6
    integration_test.go:122: CRK Alias created successfully: id=&{c47cee79-50ed-4dee-b36d-f84ec6692da6 myaliasnew IBMid-5500086WKD 2022-09-09 07:21:01 +0000 UTC}
    integration_test.go:126: Get Key successfully: id=c47cee79-50ed-4dee-b36d-f84ec6692da6
--- PASS: TestWrapUnwrapWithAlias (5.76s)
=== RUN TestRotatedKeyHasLastUpdatedAndRotated
    integration_test.go:156: CRK created successfully: id=29cdbf4e-443b-4d27-9436-80cca8637c4f
    integration_test.go:163: CRK rotated successfully: id=29cdbf4e-443b-4d27-9436-80cca8637c4f
    integration_test.go:179: Key deleted: id=29cdbf4e-443b-4d27-9436-80cca8637c4f
--- PASS: TestRotatedKeyHasLastUpdatedAndRotated (6.02s)
=== RUN TestExtractableKey
    integration_test.go:208: CRK created successfully: id=ac3e2225-98f5-4b5a-bff6-3c8367d50620
--- PASS: TestExtractableKey (7.85s)
=== RUN TestRotationInstancePolicy
--- PASS: TestRotationInstancePolicy (10.14s)
=== RUN TestKeyRotationPolicy
--- PASS: TestKeyRotationPolicy (7.11s)
=== RUN TestKeys
=== RUN TestKeys/New_API
=== RUN TestKeys/New_API_with_Logger
=== RUN TestKeys/Timeout
=== RUN TestKeys/Get_Keys
=== RUN TestKeys/Wrap_Create_DEK
=== RUN TestKeys/Wrap_Unwrap_v2
=== RUN TestKeys/Unwrap_on_Deleted_should_return_err_with_410_Gone
=== RUN TestKeys/Imported_Create_Delete
=== RUN TestKeys/Create_Delete
=== RUN TestKeys/Imported_Rotate
=== RUN TestKeys/Imported_Rotate_Unwrap
=== RUN TestKeys/Rotate_Unwrap
=== RUN TestKeys/Timeout#01
=== RUN TestKeys/Auth_Context
=== RUN TestKeys/Auth_in_Config
=== RUN TestKeys/Wrap_and_Unwrap_AAD
=== RUN TestKeys/API_Key_Timeout
=== RUN TestKeys/Bad_Config
=== RUN TestKeys/Bad_API_Key
=== RUN TestKeys/Create_Key_Without_Expiration
=== RUN TestKeys/Create
=== RUN TestKeys/Rotate
=== RUN TestKeys/Get_Key
=== RUN TestKeys/Get_Key_Metadata
=== RUN TestKeys/List_Key_Versions
=== RUN TestKeys/Wrap_Unwrap
=== RUN TestKeys/Delete_Key
=== RUN TestKeys/Create_Standard_Key
=== RUN TestKeys/Create_Imported_Standard_Key
--- PASS: TestKeys (0.02s)
    --- PASS: TestKeys/New_API (0.00s)
    --- PASS: TestKeys/New_API_with_Logger (0.00s)
    --- PASS: TestKeys/Timeout (0.00s)
    --- PASS: TestKeys/Get_Keys (0.00s)
    --- PASS: TestKeys/Wrap_Create_DEK (0.00s)
    --- PASS: TestKeys/Wrap_Unwrap_v2 (0.00s)
    --- PASS: TestKeys/Unwrap_on_Deleted_should_return_err_with_410_Gone (0.00s)
    --- PASS: TestKeys/Imported_Create_Delete (0.00s)
    --- PASS: TestKeys/Create_Delete (0.00s)
    --- PASS: TestKeys/Imported_Rotate (0.00s)
    --- PASS: TestKeys/Imported_Rotate_Unwrap (0.00s)
    --- PASS: TestKeys/Rotate_Unwrap (0.00s)
    --- PASS: TestKeys/Timeout#01 (0.00s)
    --- PASS: TestKeys/Auth_Context (0.00s)
    --- PASS: TestKeys/Auth_in_Config (0.00s)
    --- PASS: TestKeys/Wrap_and_Unwrap_AAD (0.00s)
    --- PASS: TestKeys/API_Key_Timeout (0.00s)
    --- PASS: TestKeys/Bad_Config (0.00s)
    --- PASS: TestKeys/Bad_API_Key (0.00s)
    --- PASS: TestKeys/Create_Key_Without_Expiration (0.00s)
    --- PASS: TestKeys/Create (0.00s)
    --- PASS: TestKeys/Rotate (0.00s)
    --- PASS: TestKeys/Get_Key (0.00s)
    --- PASS: TestKeys/Get_Key_Metadata (0.00s)
    --- PASS: TestKeys/List_Key_Versions (0.00s)
    --- PASS: TestKeys/Wrap_Unwrap (0.00s)
    --- PASS: TestKeys/Delete_Key (0.00s)
    --- PASS: TestKeys/Create_Standard_Key (0.00s)
    --- PASS: TestKeys/Create_Imported_Standard_Key (0.00s)
=== RUN TestMisc
=== RUN TestMisc/Redact_Values
--- PASS: TestMisc (0.00s)
    --- PASS: TestMisc/Redact_Values (0.00s)
=== RUN TestImportTokens
=== RUN TestImportTokens/ImportToken_Create
=== RUN TestImportTokens/ImportToken_Get
=== RUN TestImportTokens/Assert_context_authorization_override
=== RUN TestImportTokens/Dump_Implementations
--- PASS: TestImportTokens (0.00s)
    --- PASS: TestImportTokens/ImportToken_Create (0.00s)
    --- PASS: TestImportTokens/ImportToken_Get (0.00s)
    --- PASS: TestImportTokens/Assert_context_authorization_override (0.00s)
    --- PASS: TestImportTokens/Dump_Implementations (0.00s)
=== RUN TestKPCheckRetry
=== RUN TestKPCheckRetry/No_retry_on_successful_codes
=== RUN TestKPCheckRetry/No_retry_on_400-level_codes
=== RUN TestKPCheckRetry/Retry_on_429
=== RUN TestKPCheckRetry/Retry_on_500+
=== RUN TestKPCheckRetry/No_retry_on_501
=== RUN TestKPCheckRetry/Retry_on_connection_failures
=== RUN TestKPCheckRetry/No_retry_on_context_failures
--- PASS: TestKPCheckRetry (0.00s)
    --- PASS: TestKPCheckRetry/No_retry_on_successful_codes (0.00s)
    --- PASS: TestKPCheckRetry/No_retry_on_400-level_codes (0.00s)
    --- PASS: TestKPCheckRetry/Retry_on_429 (0.00s)
    --- PASS: TestKPCheckRetry/Retry_on_500+ (0.00s)
    --- PASS: TestKPCheckRetry/No_retry_on_501 (0.00s)
    --- PASS: TestKPCheckRetry/Retry_on_connection_failures (0.00s)
    --- PASS: TestKPCheckRetry/No_retry_on_context_failures (0.00s)
=== RUN TestDo_ConnectionError_HasCorrelationID
--- PASS: TestDo_ConnectionError_HasCorrelationID (0.00s)
=== RUN TestDo_CorrelationID_Set
--- PASS: TestDo_CorrelationID_Set (0.00s)
=== RUN TestDo_KPErrorResponseWithReasons_IsErrorStruct
--- PASS: TestDo_KPErrorResponseWithReasons_IsErrorStruct (0.00s)
=== RUN TestDo_KPErrorResponseWithoutReasons_IsErrorStruct
--- PASS: TestDo_KPErrorResponseWithoutReasons_IsErrorStruct (0.00s)
=== RUN TestDeleteKey_ForceOptTrue_URLHasForce
--- PASS: TestDeleteKey_ForceOptTrue_URLHasForce (0.00s)
=== RUN TestDeleteKey_WithRegistrations_ErrorCases
--- PASS: TestDeleteKey_WithRegistrations_ErrorCases (0.00s)
=== RUN TestRegistrationsList
--- PASS: TestRegistrationsList (0.00s)
=== RUN TestRestoreKey
--- PASS: TestRestoreKey (0.00s)
=== RUN TestSetAndGetMultipleInstancePolicies
--- PASS: TestSetAndGetMultipleInstancePolicies (0.00s)
=== RUN TestSetAndGetDualAuthInstancePolicy
--- PASS: TestSetAndGetDualAuthInstancePolicy (0.00s)
=== RUN TestSetAndGetRotationInstancePolicy
--- PASS: TestSetAndGetRotationInstancePolicy (0.00s)
=== RUN TestSetAndGetAllowedNetworkPolicy
--- PASS: TestSetAndGetAllowedNetworkPolicy (0.00s)
=== RUN TestSetAndGetAllowedIPInstancePolicy
--- PASS: TestSetAndGetAllowedIPInstancePolicy (0.00s)
=== RUN TestSetAndGetKeyCreateImportAccessInstancePolicy
--- PASS: TestSetAndGetKeyCreateImportAccessInstancePolicy (0.00s)
=== RUN TestSetMetricsPolicy
--- PASS: TestSetMetricsPolicy (0.00s)
=== RUN TestSetAllowedIPPolicyError
--- PASS: TestSetAllowedIPPolicyError (0.00s)
=== RUN TestGetPrivateEndpointPortNumber
--- PASS: TestGetPrivateEndpointPortNumber (0.00s)
=== RUN TestSetInstanceDualAuthPolicyError
--- PASS: TestSetInstanceDualAuthPolicyError (0.00s)
=== RUN TestSetRotationInstancePolicyError
--- PASS: TestSetRotationInstancePolicyError (0.00s)
=== RUN TestSetKeyPolicies
--- PASS: TestSetKeyPolicies (0.00s)
=== RUN TestEnabeOrDisableRotationPolicy
--- PASS: TestEnabeOrDisableRotationPolicy (0.00s)
=== RUN TestGetKeyPolicies
--- PASS: TestGetKeyPolicies (0.00s)
=== RUN TestDisableKey
--- PASS: TestDisableKey (0.00s)
=== RUN TestEnableKey
--- PASS: TestEnableKey (0.00s)
=== RUN TestInitiate_DualAuthDelete
--- PASS: TestInitiate_DualAuthDelete (0.00s)
=== RUN TestCancel_DualAuthDelete
--- PASS: TestCancel_DualAuthDelete (0.00s)
=== RUN TestCreateKeyRing
--- PASS: TestCreateKeyRing (0.00s)
=== RUN TestDeleteKeyRing
--- PASS: TestDeleteKeyRing (0.00s)
=== RUN TestGetKeyRings
--- PASS: TestGetKeyRings (0.00s)
=== RUN TestSetKeyRing
--- PASS: TestSetKeyRing (0.00s)
=== RUN TestGetKeyVerifyKeyRingDetail
--- PASS: TestGetKeyVerifyKeyRingDetail (0.00s)
=== RUN TestCreateKeyWithAliases
--- PASS: TestCreateKeyWithAliases (0.00s)
=== RUN TestCreateImportedKeyWithAliases
--- PASS: TestCreateImportedKeyWithAliases (0.00s)
=== RUN TestCreateKeyAlias
--- PASS: TestCreateKeyAlias (0.00s)
=== RUN TestDeleteKeyAlias
--- PASS: TestDeleteKeyAlias (0.00s)
=== RUN TestPurgeKey
--- PASS: TestPurgeKey (0.00s)
=== RUN TestGetPurgeKey
--- PASS: TestGetPurgeKey (0.00s)
=== RUN TestWrapWithAlias
    kp_test.go:3816: wrap value
--- PASS: TestWrapWithAlias (0.00s)
=== RUN TestUnWrapWithAlias
--- PASS: TestUnWrapWithAlias (0.00s)
=== RUN TestGetKeyWithAlias
--- PASS: TestGetKeyWithAlias (0.00s)
=== RUN TestGetKeyMetadataWithAlias
--- PASS: TestGetKeyMetadataWithAlias (0.00s)
=== RUN TestListKeyVersions
--- PASS: TestListKeyVersions (0.00s)
=== RUN TestListKeys
--- PASS: TestListKeys (0.00s)
=== RUN TestRotate2WithoutPayload
--- PASS: TestRotate2WithoutPayload (0.00s)
=== RUN TestRotate2WithPayload
--- PASS: TestRotate2WithPayload (0.00s)
=== RUN TestRotate2SecurelyImport
--- PASS: TestRotate2SecurelyImport (0.00s)
=== RUN TestRotate2GeneratedKeyWithPayload
--- PASS: TestRotate2GeneratedKeyWithPayload (0.00s)
=== RUN TestRotate2ImportedKeyWithoutPayload
--- PASS: TestRotate2ImportedKeyWithoutPayload (0.00s)
=== RUN TestSyncAssociatedResources
--- PASS: TestSyncAssociatedResources (0.00s)
=== RUN TestSyncAssociatedResourcesError
--- PASS: TestSyncAssociatedResourcesError (0.00s)
=== RUN TestListKeySort
--- PASS: TestListKeySort (0.00s)
=== RUN TestListKeySearch
--- PASS: TestListKeySearch (0.00s)
PASS
ok github.com/IBM/keyprotect-go-client 45.189s
? github.com/IBM/keyprotect-go-client/cmd/kp-token [no test files]
=== RUN TestToken_EmptyAPIKey_ReturnsError
--- PASS: TestToken_EmptyAPIKey_ReturnsError (0.00s)
=== RUN TestToken_ValidToken_ReturnsCachedCopy
--- PASS: TestToken_ValidToken_ReturnsCachedCopy (0.00s)
=== RUN TestToken_InvalidToken_ReturnsNewToken
--- PASS: TestToken_InvalidToken_ReturnsNewToken (0.00s)
=== RUN TestValid_NotExpired_ReturnsTrue
--- PASS: TestValid_NotExpired_ReturnsTrue (0.00s)
=== RUN TestValid_Expired_ReturnsFalse
--- PASS: TestValid_Expired_ReturnsFalse (0.00s)
=== RUN TestValid_EmptyAccessToken_ReturnsFalse
--- PASS: TestValid_EmptyAccessToken_ReturnsFalse (0.00s)
=== RUN TestValid_NilToken_ReturnsFalse
--- PASS: TestValid_NilToken_ReturnsFalse (0.00s)
=== RUN TestError_NilContextOrResp_NoNilDeref
--- PASS: TestError_NilContextOrResp_NoNilDeref (0.00s)
PASS
ok github.com/IBM/keyprotect-go-client/iam (cached)
```

Attached screenshot for the newly added test case:

Screenshot 2022-09-08 at 3 32 32 PM

Attached screenshot for the newly added integration test case:

Screenshot 2022-09-09 at 1 01 04 PM
EktaBharti1998 commented 2 years ago

Attached evidence for successful creation of key rotation policy for the following function calls:

SetRotationPolicy with only rotationInterval as 3

```
policy, err := client.SetRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", 3)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create Rotation Key Policy ------
Rotation enabled value is: true
Rotation interval value is: 3
```

SetRotationPolicy with rotationInterval as 5 and enabled as false

```
policy, err := client.SetRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", 5, false)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create Rotation Key Policy ------
Rotation enabled value is: false
Rotation interval value is: 5
```

SetRotationPolicy with rotationInterval as 3 and enabled as true

```
policy, err := client.SetRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", 3, true)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create Rotation Key Policy ------
Rotation enabled value is: true
Rotation interval value is: 3
```

DisableRotationPolicy

```
policy, err := client.DisableRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Disable Rotation Policies ------
Rotation enabled value is: false
Rotation interval value is: 3
```

EnableRotationPolicy

```
policy, err := client.EnableRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Enable Rotation Policies ------
Rotation enabled value is: true
Rotation interval value is: 3
```

SetPolicies with dualAuthEnable as true and rotationInterval(only) as 3

```
policies, err := client.SetPolicies(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", true, 3, true, true)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create All Key Policies ------
Rotation enabled value is: true
Rotation interval value is: 3
DualAuthDelete Enabled value: true
```

SetPolicies with dualAuthEnable as true and rotationInterval as 5 and rotationEnable as false

```
policies, err := client.SetPolicies(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", true, 5, true, true, false)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create All Key Policies ------
Rotation enabled value is: false
Rotation interval value is: 5
DualAuthDelete Enabled value: true
```

SetPolicies with dualAuthEnable as true and rotationInterval as 3 and rotationEnable as true

```
policies, err := client.SetPolicies(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", true, 5, true, true, true)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create All Key Policies ------
Rotation enabled value is: true
Rotation interval value is: 5
DualAuthDelete Enabled value: true
```

Attached evidence for expected failures during creation of key rotation policy for the following function calls:

SetRotationPolicy with enabled as true but 0 interval_month

```
policy, err := client.SetRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", 0, true)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create Rotation Key Policy ------
kp.Error: correlation_id='21d4edd4-2310-43bf-b00c-1af5af9bbaf0', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `interval_month` must be: an integer between 1 and 12 (inclusive): Rotation interval must be 1 to 12 months - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

SetRotationPolicy with enabled as false but 0 interval_month

```
policy, err := client.SetRotationPolicy(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", 0, false)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create Rotation Key Policy ------
kp.Error: correlation_id='c5d3ab03-01cf-4235-b17c-8109bb6881b3', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `interval_month` must be: an integer between 1 and 12 (inclusive): Rotation interval must be 1 to 12 months - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

SetPolicies with rotation enabled as true but 0 interval_month

```
policies, err := client.SetPolicies(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", true, 0, true, true, true)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create All Key Policies ------
kp.Error: correlation_id='2e35b7af-2d1a-4f15-96f0-a209f915c275', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `interval_month` must be: an integer between 1 and 12 (inclusive): Rotation interval must be 1 to 12 months - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

SetPolicies with rotation enabled as false but 0 interval_month

```
policies, err := client.SetPolicies(ctx, "5482bd5a-d118-4e86-aa07-d58cab9b2ff6", true, 0, true, true, false)

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Create All Key Policies ------
kp.Error: correlation_id='bc09fb26-cfd9-459e-ae3c-f82b376398cb', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `interval_month` must be: an integer between 1 and 12 (inclusive): Rotation interval must be 1 to 12 months - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

EnableRotationPolicy on a key with no rotation policy

```
policy, err := client.GetPolicies(ctx, "b7267bfb-7679-453f-9c97-20f351be2108")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Get all Policies ------
POLICY: []

policy, err := client.EnableRotationPolicy(ctx, "b7267bfb-7679-453f-9c97-20f351be2108")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Enable Rotation Policies ------
kp.Error: correlation_id='325dbbdb-4182-481b-8149-343ff2d831b8', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (MISSING_FIELD_ERR)', reasons='[MISSING_FIELD_ERR: The field `interval_month` is required - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

DisableRotationPolicy on a key with no rotation policy

```
policy, err := client.GetPolicies(ctx, "b7267bfb-7679-453f-9c97-20f351be2108")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Get all Policies ------
POLICY: []

policy, err := client.DisableRotationPolicy(ctx, "b7267bfb-7679-453f-9c97-20f351be2108")

ektabharti@Ektas-MacBook-Pro sdk-test % ./sdk-test
------ Disable Rotation Policies ------
kp.Error: correlation_id='c2e7a0a8-1d12-4225-b446-20a830786773', msg='Bad Request: Key policy could not be created: Please see `reasons` for more details (MISSING_FIELD_ERR)', reasons='[MISSING_FIELD_ERR: The field `interval_month` is required - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
```

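
The behaviour evidenced in the comment above, written as a local pre-flight check: an omitted `enabled` argument defaults to true, `interval_month` is range-checked even for a disabled policy, and enable/disable fails on a key that has no rotation policy. This is an added example, not code from the PR or the SDK; `RotationPolicy`, `NewRotationPolicy`, `Toggle` and the two error values are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// RotationPolicy is a hypothetical local model of a key rotation policy;
// it is not the SDK's own type.
type RotationPolicy struct {
	Enabled       bool
	IntervalMonth int
}

var (
	ErrInterval = errors.New("interval_month must be an integer between 1 and 12 (inclusive)")
	ErrNoPolicy = errors.New("key has no rotation policy: interval_month is required")
)

// NewRotationPolicy mirrors the call shapes in the evidence: enabled is an
// optional trailing argument and defaults to true when omitted. The interval
// is range-checked even when enabled is false, matching the API responses.
func NewRotationPolicy(intervalMonth int, enabled ...bool) (RotationPolicy, error) {
	if intervalMonth < 1 || intervalMonth > 12 {
		return RotationPolicy{}, fmt.Errorf("%w: got %d", ErrInterval, intervalMonth)
	}
	p := RotationPolicy{Enabled: true, IntervalMonth: intervalMonth}
	if len(enabled) > 0 {
		p.Enabled = enabled[0]
	}
	return p, nil
}

// Toggle models enable/disable: it keeps the existing interval and fails
// when the key has no rotation policy yet (existing == nil).
func Toggle(existing *RotationPolicy, enable bool) (RotationPolicy, error) {
	if existing == nil {
		return RotationPolicy{}, ErrNoPolicy
	}
	return RotationPolicy{Enabled: enable, IntervalMonth: existing.IntervalMonth}, nil
}

func main() {
	// Constructed inputs that follow the cases shown in the comment above.
	p, _ := NewRotationPolicy(5, false)
	fmt.Printf("enabled=%v interval=%d\n", p.Enabled, p.IntervalMonth)
	_, err := NewRotationPolicy(0, false)
	fmt.Println("error:", err)
	_, err = Toggle(nil, true)
	fmt.Println("error:", err)
}
```
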
EktaBharti1998 commented 2 years ago

Looks neat. Thanks for adding detailed test case evidence. Can you add an integration test case? Here is the scenario that I am thinking of:

  1. create a key
  2. do get key - no policy blocks
  3. create a rot. policy with enabled as false
  4. do get key - policy block disabled rotation policy
  5. enable the rot. policy
  6. do get key - policy block with enabled policy

We cannot do get key, as we haven't added the rotation policy block in the REST API yet.