manager

Published: Feb 4, 2026 License: Apache-2.0 Imports: 68 Imported by: 0


Constants

// CertificateIssuerPluginName is the catalog name of the plugin that issues
// certificates. DefaultKeyBitSize is the default key size in bits (presumably
// the size used by CertificateManager.GeneratePrivateKey, which returns an
// *rsa.PrivateKey — confirm).
//
// NOTE(review): 3076 is not a conventional RSA modulus size (2048, 3072 and
// 4096 are the usual choices); confirm it is intentional and not a typo for
// 3072, since every default private key is generated with it.
const (
	CertificateIssuerPluginName = "CERT_ISSUER"
	DefaultKeyBitSize           = 3076
)
// BYOK import actions and the crypto-access metadata key.
const (
	// BYOKActionImportKeyMaterial imports (wrapped) key material into the provider.
	BYOKActionImportKeyMaterial BYOKAction = "IMPORT_KEY_MATERIAL"
	// BYOKActionGetImportParams fetches the parameters needed to wrap key material.
	BYOKActionGetImportParams   BYOKAction = "GET_IMPORT_PARAMETERS"
	// IsEditableCryptoAccess is the key of the "editable" flag in crypto region
	// access data; judging by ErrEditableCryptoRegionField its value is
	// expected to be a boolean.
	IsEditableCryptoAccess      string     = "isEditable"
)
// DefaultHYOKCertCommonName is the subject CN used for the default HYOK
// certificate. DefaultProviderConfigCacheExpiration is how long a cached
// provider configuration stays valid (presumably what ProviderConfig.Expiration
// is set from — confirm).
const (
	DefaultHYOKCertCommonName            = "default.hyok.cmk"
	DefaultProviderConfigCacheExpiration = 24 * time.Hour
)
// DefaultCertName is the name under which the default HYOK certificate is
// stored (distinct from its subject CN, DefaultHYOKCertCommonName).
const (
	DefaultCertName = "hyok-default"
)
// GRPCErrorCodeHYOKAuthFailed is the gRPC error code carried by
// ErrGRPCHYOKAuthFailed when authentication with a keystore provider fails.
const (
	GRPCErrorCodeHYOKAuthFailed errs.GRPCErrorCode = "HYOK_AUTH_FAILED"
)
// WorkflowSystemArtifactPropertyKey is the property key under which a
// workflow's system artifact stores its name (usage not shown here — confirm).
const (
	WorkflowSystemArtifactPropertyKey = "NAME"
)

Variables

// Sentinel errors of the certificate manager. All are created with errors.New,
// so callers should match them with errors.Is rather than comparing messages.
var (
	// ErrInvalidP7CertNoParse: the issuer's response could not be parsed as PKCS#7.
	ErrInvalidP7CertNoParse  = errors.New("returned invalid p7 cert: could not parse pkcs7")
	// ErrInvalidCertEmptyChain: the decoded certificate chain contained no certificates.
	ErrInvalidCertEmptyChain = errors.New("empty certificate chain")

	// ErrCertificateManager is the generic certificate manager failure.
	ErrCertificateManager   = errors.New("certificate manager error")
	// ErrCertificatePublicKey: no stored certificate matches the given public key.
	ErrCertificatePublicKey = errors.New("could not find a certificate with given public key")
	// ErrCannotRotateOldCerts: old tenant default certificates are not rotatable.
	ErrCannotRotateOldCerts = errors.New("cannot rotate old tenant default certificates")

	// ErrDefaultTenantCertificateAlreadyExists: a tenant may hold only one default certificate.
	ErrDefaultTenantCertificateAlreadyExists = errors.New(
		"default tenant certificate already exists; only one is allowed per tenant",
	)
	// ErrDefaultTenantError is the generic default tenant certificate failure.
	ErrDefaultTenantError = errors.New("default tenant cert error")
)
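// Sentinel errors shared by the key, key configuration, key version, tenant,
// group, label, system, workflow and onboarding managers. They are plain
// errors.New values: match them with errors.Is, never by message text.
//
// Fix: ErrQueryLabelList previously carried the message of ErrQuerySystemList
// ("failed to query system list"), which misreported label-list failures as
// system-list failures in logs and API responses.
var (
	ErrIncompatibleQueryField = errors.New("incompatible query field")

	// Crypto certificate, plugin and provider-key errors.
	ErrLoadCryptoCerts         = errors.New("failed to load crypto certs")
	ErrUnmarshalCryptoCerts    = errors.New("failed to unmarshal crypto certs")
	ErrSetCryptoCerts          = errors.New("failed to set crypto certs")
	ErrPluginNotFound          = errors.New("plugin not found")
	ErrConfigNotFound          = errors.New("config not found")
	ErrKeyCreationFailed       = errors.New("failed to create key in provider")
	ErrKeyRegistration         = errors.New("failed to register key from provider")
	ErrUnsupportedKeyAlgorithm = errors.New("unsupported key algorithm")
	ErrInvalidKeyState         = errors.New("invalid key state")
	ErrHYOKKeyActionNotAllowed = errors.New("HYOK key action not allowed")
	ErrNameCannotBeEmpty       = errors.New("name field cannot be empty")
	ErrEventSendingFailed      = errors.New("failed to send event")
	ErrHYOKProviderKeyNotFound = errors.New("HYOK provider key not found")
	ErrConvertAccessData       = errors.New("failed to convert access data")

	// Tag errors.
	ErrGetTags      = errors.New("failed getting tags")
	ErrDeletingTags = errors.New("failed to delete tags")

	// Key configuration and provider lifecycle errors.
	ErrCreateKeyConfiguration       = errors.New("failed to create key configuration")
	ErrConnectedSystemToKeyConfig   = errors.New("system is connected to keyconfig")
	ErrInvalidKeyAdminGroup         = errors.New("invalid keyconfig admin group")
	ErrDeleteKeyConfiguration       = errors.New("failed to delete key configuration")
	ErrQueryKeyConfigurationList    = errors.New("failed to query key configuration list")
	ErrGettingKeyConfigByID         = errors.New("failed to get key configuration by ID")
	ErrKeyConfigurationNotFound     = errors.New("KeyConfiguration not found")
	ErrKeyConfigurationIDNotFound   = errors.New("KeyConfigurationID not found")
	ErrFailedToInitProvider         = errors.New("failed to init provider")
	ErrFailedToEnableProviderKey    = errors.New("failed to enable provider key")
	ErrFailedToDisableProviderKey   = errors.New("failed to disable provider key")
	ErrFailedToDeleteProvider       = errors.New("failed to delete provider")
	ErrGetProviderKey               = errors.New("failed to get provider key")
	ErrGetImportParamsFromProvider  = errors.New("failed to get import parameters from provider")
	ErrImportKeyMaterialsToProvider = errors.New("failed to import key materials to provider")
	ErrKeyIsNotEnabled              = errors.New("key is not enabled")
	ErrPrimaryKeyUnmark             = errors.New("primary key cannot be unmarked primary")

	// Key persistence, crypto region, HYOK sync and system-action errors.
	ErrGetKeyDB                         = errors.New("failed to get key from database")
	ErrGettingKeyByID                   = errors.New("failed to get key by ID")
	ErrListKeysDB                       = errors.New("failed to list keys from database")
	ErrManagementDetailsUpdate          = errors.New("management credentials cannot be updated")
	ErrCryptoDetailsUpdate              = errors.New("crypto credentials cannot be updated")
	ErrCryptoRegionNotExists            = errors.New("crypto region does not exist")
	ErrNonEditableCryptoRegionUpdate    = errors.New("crypto region cant be updated as it's not editable")
	ErrBadCryptoRegionData              = errors.New("crypto region data invalid")
	ErrEditableCryptoRegionField        = errors.New("editable crypto region field has to be boolean")
	ErrUpdateKeyDB                      = errors.New("failed to update key in database")
	ErrCreateKeyDB                      = errors.New("failed to create key in database")
	ErrDeleteKeyDB                      = errors.New("failed to delete key from database")
	ErrSetImportParamsDB                = errors.New("failed to set import parameters in database")
	ErrDeleteImportParamsDB             = errors.New("failed to delete import parameters from database")
	ErrUpdateKeyConfiguration           = errors.New("failed to update key configuration")
	ErrUpdateKeyConfigurationDB         = errors.New("failed to update key configuration in database")
	ErrGetConfiguration                 = errors.New("failed to get configuration")
	ErrUpdatePrimary                    = errors.New("failed to update key primary state")
	ErrGetHYOKKeyInfoDB                 = errors.New("failed to get HYOK key info from database")
	ErrInvalidKeyTypeForHYOKSync        = errors.New("invalid key type for hyok sync")
	ErrListHYOKKeysDB                   = errors.New("failed to list hyok keys")
	ErrDeleteKey                        = errors.New("failed to delete key")
	ErrUpdatingTotalKeys                = errors.New("failed to update total keys")
	ErrUpdatingTotalSystems             = errors.New("failed to update total systems")
	ErrUnsupportedSystemAction          = errors.New("system action not supported")
	ErrKeyNotAssignedToKeyConfiguration = errors.New("key not assigned to key configuration")
	ErrUpdateKeyVersionDisabled         = errors.New("cannot update key version when key is disabled")
	ErrUpdateSystemNoRegClient          = errors.New("system cannot be updated since no registry client")
	ErrLinkSystemProcessingOrFailed     = errors.New("System cannot be linked in PROCESSING/FAILED state")
	ErrUnlinkSystemProcessingOrFailed   = errors.New("System cannot be unlinked in PROCESSING/FAILED state")
	ErrRetryNonFailedSystem             = errors.New("System can action only be retried on failed state")

	// BYOK import errors. ErrEmptyKeyMaterial, ErrInvalidBase64KeyMaterial and
	// ErrMissingOrExpiredImportParams are the input-validation failures of the
	// import path; the wrapped key material itself is never echoed in a message.
	ErrRotateBYOKKey                       = errors.New("byok key must not be rotated")
	ErrUnsupportedBYOKProvider             = errors.New("unsupported BYOK provider")
	ErrBuildImportParams                   = errors.New("error building import parameters")
	ErrMarshalProviderParams               = errors.New("error marshaling provider parameters")
	ErrExtractCommonImportFields           = errors.New("error extracting common import fields")
	ErrInvalidKeyTypeForImportParams       = errors.New("invalid key type for import parameters")
	ErrInvalidKeyStateForImportParams      = errors.New("invalid key state for import parameters")
	ErrInvalidKeyTypeForImportKeyMaterial  = errors.New("invalid key type for import key materials")
	ErrInvalidKeyStateForImportKeyMaterial = errors.New("invalid key state for import key materials")
	ErrInvalidBYOKAction                   = errors.New("invalid BYOK action")
	ErrEmptyKeyMaterial                    = errors.New("key material cannot be empty")
	ErrInvalidBase64KeyMaterial            = errors.New("key material must be base64 encoded")
	ErrMissingOrExpiredImportParams        = errors.New("import parameters missing or expired")

	// Key version errors.
	ErrGetKeyVersionDB         = errors.New("failed to get key version from database")
	ErrGetPrimaryKeyVersionDB  = errors.New("failed to get primary key version from database")
	ErrListKeyVersionsDB       = errors.New("failed to list key versions from database")
	ErrUpdateKeyVersionDB      = errors.New("failed to update key version in database")
	ErrCreateKeyVersionDB      = errors.New("failed to create key version in database")
	ErrInvalidKeyVersionNumber = errors.New("invalid key version number")

	// Tenant errors. ErrTenantNotAllowed is the authorization failure.
	ErrListTenants      = errors.New("failed to list tenants from database")
	ErrGetTenantInfo    = errors.New("failed to get tenant info")
	ErrTenantNotAllowed = errors.New("user has no permission to access tenant")

	// Group errors.
	ErrListGroups            = errors.New("failed to list groups from database")
	ErrGetGroups             = errors.New("failed to get group from database")
	ErrCreateGroups          = errors.New("failed to create group from database")
	ErrUpdateGroups          = errors.New("failed to update group from database")
	ErrDeleteGroups          = errors.New("failed to delete group from database")
	ErrInvalidGroupUpdate    = errors.New("group cannot be updated")
	ErrInvalidGroupDelete    = errors.New("group cannot be deleted")
	ErrMultipleRolesInGroups = errors.New("users with multiple roles are not allowed")
	ErrZeroRolesInGroups     = errors.New("users without any roles are not allowed")

	// IAM lookup errors.
	ErrCheckIAMExistenceOfGroups = errors.New("failed to check IAM existence of groups")
	ErrCheckTenantHasIAMGroups   = errors.New("failed to check tenant has IAM groups")

	// Customer-held key rotation request-body errors.
	ErrNoBodyForCustomerHeldDB = errors.New(
		"body must be provided for customer held key rotation",
	)
	ErrBodyForNoCustomerHeldDB = errors.New(
		"body must be provided only for customer held key rotation",
	)

	// Label errors.
	ErrQueryLabelList    = errors.New("failed to query label list")
	ErrFetchLabel        = errors.New("failed to fetch label")
	ErrUpdateLabelDB     = errors.New("failed to update label")
	ErrInsertLabel       = errors.New("failed to insert label")
	ErrDeleteLabelDB     = errors.New("failed to delete label")
	ErrGetKeyIDDB        = errors.New("KeyID is required")
	ErrEmptyInputLabelDB = errors.New("invalid input empty label name")

	// System errors.
	ErrQuerySystemList         = errors.New("failed to query system list")
	ErrGettingSystem           = errors.New("failed to get system")
	ErrCreatingSystem          = errors.New("failed to create system")
	ErrGettingSystemByID       = errors.New("failed to get system by ID")
	ErrGettingSystemLinkByID   = errors.New("failed to get system link by ID")
	ErrAddSystemNoPrimaryKey   = errors.New("system cannot be added without an enabled primary key")
	ErrUpdateSystem            = errors.New("failed to update system")
	ErrSystemNotLinked         = errors.New("system is not linked to a key configuration")
	ErrFailedToReencryptSystem = errors.New("system reencrypt failed on new key")

	// Workflow errors.
	ErrGetWorkflowDB        = errors.New("failed to get workflow")
	ErrOngoingWorkflowExist = errors.New("ongoing workflow for artifact already exists")
	ErrCreateWorkflowDB     = errors.New("failed to create workflow")
	ErrCheckWorkflow        = errors.New("failed to check workflow")
	ErrCheckOngoingWorkflow = errors.New("failed to check ongoing workflow for artifact")
	ErrValidateActor        = errors.New("failed to validate actor for workflow transition")
	ErrAddApproversDB       = errors.New("failed to add approvers to workflow")
	ErrAddApproverGroupsDB  = errors.New("failed to add approver groups to workflow")
	ErrApplyTransition      = errors.New("failed to apply transition to workflow")
	ErrInDBTransaction      = errors.New(
		"error when executing sequence of operations in a transaction",
	)
	ErrWorkflowCannotTransitionDB = errors.New("workflow cannot transition to specified state")
	ErrUpdateApproverDecision     = errors.New("failed to update approver decision")
	ErrGetKeyConfigFromArtifact   = errors.New("failed to get key configuration from artifact")
	ErrAutoAssignApprover         = errors.New("failed to auto assign approver")
	ErrCreateApproverAssignTask   = errors.New("failed to create auto approver assignment task")

	ErrLoadIdentityManagementPlugin = errors.New("failed to load identity management plugin")

	// Tenant identity errors.
	ErrTenantNotExist = errors.New("tenantID does not exist")
	ErrEmptyTenantID  = errors.New("tenantID cannot be empty")

	// Keystore pool and onboarding errors.
	ErrPoolIsDrained               = errors.New("pool is drained")
	ErrCouldNotSaveConfiguration   = errors.New("could not save configuration")
	ErrCouldNotRemoveConfiguration = errors.New("could not remove configuration")
	ErrOnboardingInProgress        = errors.New("another onboarding is already in progress")
	ErrCreatingGroups              = errors.New("creating user groups for existing tenant")
	ErrInvalidGroupType            = errors.New("invalid group type")

	// Tenant schema errors.
	ErrSchemaNameLength = errors.New("schema name length must be between 3 and 63 characters")
	ErrCreatingTenant   = errors.New("creating tenant failed")
	ErrValidatingTenant = errors.New("tenant validation failed")
	ErrInvalidSchema    = errors.New("invalid schema name pattern")

	ErrGroupRole = errors.New("unsupported role for group creation")
)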
// Certificate and key configuration access errors. ErrKeyConfigurationNotAllowed
// is the authorization failure for key configurations; match with errors.Is.
var (
	ErrGetDefaultCerts                  = errors.New("failed to get default certificates")
	ErrDecodingCert                     = errors.New("failed to decode certificate")
	ErrCheckKeyConfigManagedByIAMGroups = errors.New("failed to check key configurations managed by IAM groups")
	ErrKeyConfigurationNotAllowed       = errors.New("user has no permission to access key configuration")
)
// Keystore and keystore-pool errors reported by ProviderConfigManager and
// the certificate lookups it depends on; match with errors.Is.
var (
	ErrCreateKeystore                = errors.New("failed to create keystore")
	ErrInvalidKeystore               = errors.New("invalid keystore")
	ErrCreateProtobufStruct          = errors.New("failed to create protobuf struct")
	ErrGetTenantFromCtx              = errors.New("failed to get tenant from context")
	ErrGetDefaultTenantCertificate   = errors.New("failed to get default tenant HYOK certificate")
	ErrGetDefaultKeystoreCertificate = errors.New("failed to get default keystore certificate")
	ErrAddConfigToPool               = errors.New("failed to add keystore configuration to pool")
	ErrCountKeystorePool             = errors.New("failed to get keystore pool size")
)
// System information plugin errors (presumably raised by SystemInformation —
// confirm); match with errors.Is.
var (
	ErrSisPlugin         = errors.New("system information plugin error")
	ErrGettingSystemList = errors.New("error getting system list")
	ErrUpdatingSystem    = errors.New("error updating system")
	ErrNoPluginInCatalog = errors.New("no plugin in catalog")
	ErrNoSystem          = errors.New("no system found")
)
// Tag manager errors; match with errors.Is.
var (
	ErrGetKeyConfig = errors.New("error getting keyconfig")
	ErrCreateTag    = errors.New("error setting tags")
)
// Tenant configuration errors; match with errors.Is.
//
// ErrRetentionLessThanMinimum embeds the unexported minimumRetentionPeriodDays
// into its message at package init. The message always says "day)" in the
// singular; if the minimum is ever more than one day the wording will be off
// — consider formatting the unit from the value.
var (
	ErrMarshalConfig            = errors.New("error marshalling tenant config")
	ErrUnmarshalConfig          = errors.New("error unmarshalling tenant config")
	ErrGetDefaultKeystore       = errors.New("failed to get default keystore")
	ErrSetDefaultKeystore       = errors.New("failed to set default keystore")
	ErrGetKeystoreFromPool      = errors.New("failed to get keystore config from pool")
	ErrGetWorkflowConfig        = errors.New("failed to get workflow config")
	ErrSetWorkflowConfig        = errors.New("failed to set workflow config")
	ErrRetentionLessThanMinimum = errors.New("retention is less than the minimum allowed (" +
		strconv.Itoa(minimumRetentionPeriodDays) + " day)")
)
// Workflow authorization errors: ErrWorkflowNotAllowed and
// ErrWorkflowCreationNotAllowed are permission failures; match with errors.Is.
var (
	ErrWorkflowApproverDecision   = errors.New("workflow approver decision")
	ErrWorkflowNotAllowed         = errors.New("user has no permission to access workflow")
	ErrWorkflowCreationNotAllowed = errors.New("user has no permission to create workflow")
)
// ErrGRPCHYOKAuthFailed is the structured gRPC error returned when
// authentication with the keystore provider fails. It carries
// GRPCErrorCodeHYOKAuthFailed so clients can match on the code rather than
// on BaseMessage. Note that it is a struct value, not a pointer: check with
// errors.As against errs.GRPCError and compare Code.
var ErrGRPCHYOKAuthFailed = errs.GRPCError{
	Code:        GRPCErrorCodeHYOKAuthFailed,
	BaseMessage: "failed to authenticate with the keystore provider",
}

Functions

func BuildImportParams

func BuildImportParams(
	key *model.Key,
	importParamsResp *keystoreopv1.GetImportParametersResponse,
) (*model.ImportParams, error)

BuildImportParams creates import parameters for the specified provider.

func DecodeCertificateChain

func DecodeCertificateChain(certificationChain []byte) ([]*x509.Certificate, []byte, error)

func IsUnavailableKeyState

func IsUnavailableKeyState(state string) bool

Types

type BYOKAction

// BYOKAction names an action performed on a BYOK key during the import
// process; the valid values are the BYOKAction* constants.
type BYOKAction string

BYOKAction constants represent the actions that can be performed on a BYOK key during the import process.

type CertificateManager

// CertificateManager issues, stores, rotates and looks up certificates for a
// tenant and its keystores. Construct it with NewCertificateManager; the
// zero value is not usable.
type CertificateManager struct {
	// contains filtered or unexported fields
}

func NewCertificateManager

func NewCertificateManager(
	ctx context.Context,
	repo repo.Repo,
	catalog *plugincatalog.Catalog,
	cfg *config.Certificates,
) *CertificateManager

func (*CertificateManager) GeneratePrivateKey

func (m *CertificateManager) GeneratePrivateKey() (*rsa.PrivateKey, error)

func (*CertificateManager) GetAllCertificates

func (m *CertificateManager) GetAllCertificates(
	ctx context.Context,
	certificateID *uuid.UUID,
) ([]*model.Certificate, int, error)

func (*CertificateManager) GetCertificate

func (m *CertificateManager) GetCertificate(
	ctx context.Context,
	certificateID *uuid.UUID,
) (*model.Certificate, error)

func (*CertificateManager) GetCertificatesForRotation

func (m *CertificateManager) GetCertificatesForRotation(ctx context.Context,
) ([]*model.Certificate, int, error)

func (*CertificateManager) GetDefaultKeystoreCertificate

func (m *CertificateManager) GetDefaultKeystoreCertificate(ctx context.Context) (*model.Certificate, bool, error)

func (*CertificateManager) GetDefaultTenantCertificate

func (m *CertificateManager) GetDefaultTenantCertificate(ctx context.Context) (*model.Certificate, bool, error)

func (*CertificateManager) IsTenantDefaultCertExist

func (m *CertificateManager) IsTenantDefaultCertExist(ctx context.Context) (bool, error)

func (*CertificateManager) RequestNewCertificate

func (m *CertificateManager) RequestNewCertificate(
	ctx context.Context,
	privateKey *rsa.PrivateKey,
	args model.RequestCertArgs,
) (*model.Certificate, *rsa.PrivateKey, error)

func (*CertificateManager) RotateCertificate

func (m *CertificateManager) RotateCertificate(ctx context.Context,
	args model.RequestCertArgs,
) (*model.Certificate, *rsa.PrivateKey, error)

func (*CertificateManager) UpdateCertificate

func (m *CertificateManager) UpdateCertificate(ctx context.Context, certificateID *uuid.UUID,
	autoRotate bool,
) (*model.Certificate, error)

type ClientCertificate

// ClientCertificate is the client-certificate view returned by
// KeyConfigManager.GetClientCertificates, grouped by model.CertificatePurpose.
type ClientCertificate struct {
	Name    string // certificate name
	RootCA  string // issuing root CA; whether this is a PEM blob or a name is not shown here — confirm
	Subject string // certificate subject
}

ClientCertificate represents the client certificates.

type CommonImportFields

// CommonImportFields holds the BYOK import parameters that every provider
// returns, as opposed to the provider-specific ProviderImportFields.
type CommonImportFields struct {
	PublicKeyPEM      string // provider's wrapping public key; the name indicates PEM encoding — confirm
	WrappingAlgorithm string // algorithm the key material must be wrapped with
	HashFunction      string // hash function that accompanies WrappingAlgorithm
}

CommonImportFields contains fields that are common across all providers.

type GroupIAMExistence

// GroupIAMExistence is one result of GroupManager.CheckIAMExistenceOfGroups:
// whether the group identified by IAMIdentifier exists in the identity
// management system.
type GroupIAMExistence struct {
	IAMIdentifier string // identifier as built by GroupManager.BuildIAMIdentifier
	Exists        bool   // true when the IAM plugin reports the group present
}

type GroupManager

// GroupManager manages tenant user groups and their IAM counterparts.
// Construct it with NewGroupManager; the zero value is not usable.
type GroupManager struct {
	// contains filtered or unexported fields
}

func NewGroupManager

func NewGroupManager(
	repository repo.Repo,
	catalog *plugincatalog.Catalog,
	userManager User,
) *GroupManager

func (*GroupManager) BuildIAMIdentifier

func (m *GroupManager) BuildIAMIdentifier(groupType, tenantID string) (string, error)

BuildIAMIdentifier creates an IAM identifier for a group based on its type and tenant ID.

func (*GroupManager) CheckIAMExistenceOfGroups

func (m *GroupManager) CheckIAMExistenceOfGroups(
	ctx context.Context,
	iamIdentifiers []string,
) ([]GroupIAMExistence, error)

func (*GroupManager) CreateDefaultGroups

func (m *GroupManager) CreateDefaultGroups(ctx context.Context) error

CreateDefaultGroups creates the default admin and auditor groups for a tenant.

func (*GroupManager) CreateGroup

func (m *GroupManager) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)

func (*GroupManager) DeleteGroupByID

func (m *GroupManager) DeleteGroupByID(ctx context.Context, id uuid.UUID) error

func (*GroupManager) GetGroupByID

func (m *GroupManager) GetGroupByID(ctx context.Context, id uuid.UUID) (*model.Group, error)

func (*GroupManager) GetGroups

func (m *GroupManager) GetGroups(ctx context.Context, skip int, top int) ([]*model.Group, int, error)

func (*GroupManager) GetIdentityManagementPlugin

func (m *GroupManager) GetIdentityManagementPlugin() (idmv1.IdentityManagementServiceClient, error)

func (*GroupManager) UpdateGroup

func (m *GroupManager) UpdateGroup(
	ctx context.Context,
	id uuid.UUID,
	patchGroup cmkapi.GroupPatch,
) (*model.Group, error)

type HYOKKeystore

// HYOKKeystore is the HYOK keystore setting: the listed providers and
// whether HYOK is allowed at all.
//
// NOTE(review): only Provider carries a json tag, so Allow is (un)marshalled
// under the key "Allow" (encoding/json accepts "allow" on input
// case-insensitively, but emits "Allow"). Adding a tag would change the
// serialized form; confirm what stored configurations actually contain
// before making the tagging consistent.
type HYOKKeystore struct {
	Provider []string `json:"provider"`
	Allow    bool
}

type KeyConfigFilter

// KeyConfigFilter selects and pages the key configurations returned by
// KeyConfigManager.GetKeyConfigurations.
type KeyConfigFilter struct {
	Expand bool // whether to expand nested data in the result (what is expanded is not shown here — confirm)
	Skip   int  // paging offset, as with the skip/top pairs used elsewhere in this package
	Top    int  // paging limit
}

type KeyConfigManager

// KeyConfigManager implements KeyConfigurationAPI on top of the repository,
// certificate manager, user and tag managers and the auditor it is built
// with. Construct it with NewKeyConfigManager; the zero value is not usable.
type KeyConfigManager struct {
	// contains filtered or unexported fields
}

func NewKeyConfigManager

func NewKeyConfigManager(
	repository repo.Repo,
	certManager *CertificateManager,
	user User,
	tagManager Tags,
	cmkAuditor *auditor.Auditor,
	cfg *config.Config,
) *KeyConfigManager

func (*KeyConfigManager) DeleteKeyConfigurationByID

func (m *KeyConfigManager) DeleteKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
) error

func (*KeyConfigManager) GetClientCertificates

func (m *KeyConfigManager) GetClientCertificates(ctx context.Context) (
	map[model.CertificatePurpose][]*ClientCertificate, error,
)

GetClientCertificates retrieves the client certificates

func (*KeyConfigManager) GetKeyConfigurationByID

func (m *KeyConfigManager) GetKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
) (*model.KeyConfiguration, error)

func (*KeyConfigManager) GetKeyConfigurations

func (m *KeyConfigManager) GetKeyConfigurations(
	ctx context.Context,
	filter KeyConfigFilter,
) ([]*model.KeyConfiguration, int, error)

func (*KeyConfigManager) PostKeyConfigurations

func (m *KeyConfigManager) PostKeyConfigurations(
	ctx context.Context,
	keyConfiguration *model.KeyConfiguration,
) (*model.KeyConfiguration, error)

func (*KeyConfigManager) UpdateKeyConfigurationByID

func (m *KeyConfigManager) UpdateKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
	patchKeyConfig cmkapi.KeyConfigurationPatch,
) (*model.KeyConfiguration, error)

type KeyConfigurationAPI

// KeyConfigurationAPI is the consumer-facing interface for key configuration
// operations; *KeyConfigManager satisfies it and Manager.KeyConfig holds it.
type KeyConfigurationAPI interface {
	// GetKeyConfigurations returns a page of key configurations selected by filter,
	// plus an int that is presumably the total count — confirm.
	GetKeyConfigurations(ctx context.Context, filter KeyConfigFilter) ([]*model.KeyConfiguration, int, error)
	// PostKeyConfigurations creates a key configuration and returns the stored one.
	PostKeyConfigurations(ctx context.Context, key *model.KeyConfiguration) (*model.KeyConfiguration, error)
	// DeleteKeyConfigurationByID deletes the key configuration with the given ID.
	DeleteKeyConfigurationByID(ctx context.Context, keyConfigID uuid.UUID) error
	// GetKeyConfigurationByID fetches one key configuration by ID.
	GetKeyConfigurationByID(ctx context.Context, keyConfigID uuid.UUID) (*model.KeyConfiguration, error)
	// UpdateKeyConfigurationByID applies a patch to an existing key configuration.
	UpdateKeyConfigurationByID(
		ctx context.Context,
		keyConfigID uuid.UUID,
		patchKeyConfig cmkapi.KeyConfigurationPatch,
	) (*model.KeyConfiguration, error)
	// GetClientCertificates returns the client certificates grouped by purpose.
	GetClientCertificates(ctx context.Context) (map[model.CertificatePurpose][]*ClientCertificate, error)
}

type KeyManager

// KeyManager creates, reads, updates, deletes and imports keys, delegating
// provider (keystore) access to the embedded ProviderConfigManager.
// Construct it with NewKeyManager; the zero value is not usable.
// Note the method name Detatch (sic) — renaming it is an API change.
type KeyManager struct {
	ProviderConfigManager
	// contains filtered or unexported fields
}

func NewKeyManager

func NewKeyManager(
	repo repo.Repo,
	catalog *plugincatalog.Catalog,
	tenantConfigs *TenantConfigManager,
	keyConfigManager *KeyConfigManager,
	user User,
	certManager *CertificateManager,
	reconciler *eventprocessor.CryptoReconciler,
	cmkAuditor *auditor.Auditor,
) *KeyManager

func (*KeyManager) Create

func (km *KeyManager) Create(
	ctx context.Context,
	key *model.Key,
) (*model.Key, error)

func (*KeyManager) Delete

func (km *KeyManager) Delete(ctx context.Context, keyID uuid.UUID) error

func (*KeyManager) Detatch

func (km *KeyManager) Detatch(ctx context.Context, key *model.Key) error

func (*KeyManager) Get

func (km *KeyManager) Get(ctx context.Context, keyID uuid.UUID) (*model.Key, error)

func (*KeyManager) GetImportParams

func (km *KeyManager) GetImportParams(ctx context.Context, keyID uuid.UUID) (*model.ImportParams, error)

func (*KeyManager) GetKeys

func (km *KeyManager) GetKeys(
	ctx context.Context,
	keyConfigID *uuid.UUID,
	skip int,
	top int,
) ([]*model.Key, int, error)

func (*KeyManager) ImportKeyMaterial

func (km *KeyManager) ImportKeyMaterial(
	ctx context.Context,
	keyID uuid.UUID,
	wrappedKeyMaterial string,
) (*model.Key, error)

func (*KeyManager) SyncHYOKKeys

func (km *KeyManager) SyncHYOKKeys(ctx context.Context) error

func (*KeyManager) UpdateKey

func (km *KeyManager) UpdateKey(ctx context.Context, keyID uuid.UUID, keyPatch cmkapi.KeyPatch) (*model.Key, error)

func (*KeyManager) UpdateVersion

func (km *KeyManager) UpdateVersion(ctx context.Context, keyID uuid.UUID, version int) error

type KeyVersion

// KeyVersion is the consumer-facing interface for key version operations.
//
// NOTE(review): as rendered here *KeyVersionManager does not satisfy this
// interface — its GetKeyVersions returns []*model.KeyVersion (pointers) while
// this one returns []model.KeyVersion, and it has no UpdateKeyVersion or
// GetKeyVersionByNumber method. Manager.KeyVersions is typed
// *KeyVersionManager, not KeyVersion. Confirm which type implements this
// interface, or align the two signatures.
type KeyVersion interface {
	// GetKeyVersions returns a page of versions of the key plus an int (presumably the total — confirm).
	GetKeyVersions(ctx context.Context, keyID uuid.UUID, skip int, top int) ([]model.KeyVersion, int, error)
	// CreateKeyVersion creates a new version; nativeID optionally names an existing provider-side version.
	CreateKeyVersion(ctx context.Context, keyID uuid.UUID, nativeID *string) (*model.KeyVersion, error)
	// GetKeyVersionByNumber fetches one version; version is a string here, not an int as in KeyManager.UpdateVersion.
	GetKeyVersionByNumber(ctx context.Context, keyID uuid.UUID, version string) (*model.KeyVersion, error)
	// UpdateKeyVersion enables or disables a version; a nil enabled leaves the state unchanged — confirm.
	UpdateKeyVersion(
		ctx context.Context,
		keyID uuid.UUID,
		version string,
		enabled *bool,
	) error
}

type KeyVersionManager

// KeyVersionManager creates and reads key versions both in the repository and
// in the client provider, using the embedded ProviderConfigManager for the
// latter. Construct it with NewKeyVersionManager; the zero value is not usable.
type KeyVersionManager struct {
	ProviderConfigManager
	// contains filtered or unexported fields
}

func NewKeyVersionManager

func NewKeyVersionManager(
	repo repo.Repo,
	catalog *plugincatalog.Catalog,
	tenantConfigs *TenantConfigManager,
	certManager *CertificateManager,
	cmkAuditor *auditor.Auditor,
) *KeyVersionManager

func (*KeyVersionManager) AddKeyVersion

func (kvm *KeyVersionManager) AddKeyVersion(ctx context.Context,
	key model.Key,
	_ *string,
) (*model.KeyVersion, error)

AddKeyVersion creates a new key version in repository and client provider.

func (*KeyVersionManager) CreateKeyVersion

func (kvm *KeyVersionManager) CreateKeyVersion(
	ctx context.Context,
	keyID uuid.UUID,
	nativeID *string,
) (*model.KeyVersion, error)

func (*KeyVersionManager) GetByKeyIDAndByNumber

func (kvm *KeyVersionManager) GetByKeyIDAndByNumber(
	ctx context.Context,
	keyID uuid.UUID,
	keyVersionNumber string,
) (*model.KeyVersion, error)

func (*KeyVersionManager) GetKeyVersions

func (kvm *KeyVersionManager) GetKeyVersions(
	ctx context.Context,
	keyID uuid.UUID,
	skip int,
	top int,
) ([]*model.KeyVersion, int, error)

type Label

// Label is the consumer-facing interface for key labels; *LabelManager
// satisfies it and Manager.Labels holds it.
type Label interface {
	// GetKeyLabels returns a page of the labels attached to keyID plus an int (presumably the total — confirm).
	GetKeyLabels(
		ctx context.Context,
		keyID uuid.UUID,
		skip int,
		top int,
	) ([]*model.KeyLabel, int, error)
	// CreateOrUpdateLabel upserts the given labels on keyID.
	CreateOrUpdateLabel(
		ctx context.Context,
		keyID uuid.UUID,
		labels []*model.KeyLabel,
	) error
	// DeleteLabel removes the label named labelName from keyID; the bool
	// presumably reports whether anything was deleted — confirm.
	DeleteLabel(
		ctx context.Context,
		keyID uuid.UUID,
		labelName string,
	) (bool, error)
}

type LabelManager

// LabelManager implements Label against the repository it is built with.
// Construct it with NewLabelManager; the zero value is not usable.
type LabelManager struct {
	// contains filtered or unexported fields
}

func NewLabelManager

func NewLabelManager(
	repository repo.Repo,
) *LabelManager

func (*LabelManager) CreateOrUpdateLabel

func (m *LabelManager) CreateOrUpdateLabel(
	ctx context.Context,
	keyID uuid.UUID,
	labels []*model.KeyLabel,
) error

func (*LabelManager) DeleteLabel

func (m *LabelManager) DeleteLabel(
	ctx context.Context,
	keyID uuid.UUID,
	labelName string,
) (bool, error)

func (*LabelManager) GetKeyLabels

func (m *LabelManager) GetKeyLabels(
	ctx context.Context,
	keyID uuid.UUID,
	skip int,
	top int,
) ([]*model.KeyLabel, int, error)

type Manager

// Manager aggregates every sub-manager of the package and is built by New.
// Some collaborators are held as interfaces (System, KeyConfig, Tags, Labels,
// Workflow, User, Tenant) and others as concrete pointers; only the interface
// fields can be swapped for test doubles without touching the concrete types.
type Manager struct {
	Keys          *KeyManager
	KeyVersions   *KeyVersionManager
	TenantConfigs *TenantConfigManager
	System        System
	KeyConfig     KeyConfigurationAPI
	Tags          Tags
	Labels        Label
	Workflow      Workflow
	Certificates  *CertificateManager
	Group         *GroupManager
	User          User

	Tenant Tenant

	// Shared infrastructure handed to the sub-managers at construction.
	Catalog    *plugincatalog.Catalog
	Reconciler *eventprocessor.CryptoReconciler
	Auditor    *auditor.Auditor
}

func New

func New(
	ctx context.Context,
	repo repo.Repo,
	config *config.Config,
	clientsFactory clients.Factory,
	catalog *plugincatalog.Catalog,
	reconciler *eventprocessor.CryptoReconciler,
	asyncClient async.Client,
	migrator db.Migrator,
) *Manager

type OffboardingResult

// OffboardingResult represents the result of a tenant offboarding attempt.
type OffboardingResult struct {
	// Status indicates the outcome of the offboarding process; a zero Status
	// means no outcome was recorded, since the Offboarding* constants start at 1.
	Status OffboardingStatus
}

OffboardingResult represents the result of a tenant offboarding attempt.

type OffboardingStatus

// OffboardingStatus represents the status of the tenant offboarding process;
// its valid values are the Offboarding* constants, and the zero value is unset.
type OffboardingStatus int

OffboardingStatus represents the status of the tenant offboarding process.

// Offboarding outcomes. The sequence starts at iota + 1 so that the zero
// value of OffboardingStatus is never a valid status and can be told apart
// from a real result.
const (
	OffboardingProcessing OffboardingStatus = iota + 1
	OffboardingFailed
	OffboardingSuccess
)

type Pool

// Pool stores available keystore configurations (model.Keystore) in the
// repository; Add pushes one, Pop takes one out and Count reports the size.
// Construct it with NewPool; the zero value is not usable.
type Pool struct {
	// contains filtered or unexported fields
}

Pool stores available configurations.

func NewPool

func NewPool(repo repo.Repo) *Pool

NewPool creates a new instance of Pool.

func (*Pool) Add

func (c *Pool) Add(ctx context.Context, cfg *model.Keystore) (*model.Keystore, error)

Add `KeystoreConfiguration` to the pool.

func (*Pool) Count

func (c *Pool) Count(ctx context.Context) (int, error)

func (*Pool) Pop

func (c *Pool) Pop(ctx context.Context) (*model.Keystore, error)

Pop `KeystoreConfiguration` from the pool and return it.

type ProviderCachedKey

// ProviderCachedKey is the composite key under which a provider configuration
// is cached; String presumably renders it as the cache map key — confirm.
type ProviderCachedKey struct {
	KeyStore string // keystore identifier
	Provider string // provider (plugin) name
	Tenant   string // tenant identifier
}

func (ProviderCachedKey) String

func (k ProviderCachedKey) String() string

type ProviderConfig

// ProviderConfig is an initialised keystore provider: its instance config
// plus the key-operation client built for it. Instances are cached and
// expire; see IsExpired.
type ProviderConfig struct {
	Config     *kscommonv1.KeystoreInstanceConfig
	Client     keystoreopv1.KeystoreInstanceKeyOperationClient
	Expiration time.Time // Optional expiration time for the provider config; zero means never expires — confirm against IsExpired
}

func (ProviderConfig) IsExpired

func (c ProviderConfig) IsExpired() bool

type ProviderConfigManager

// ProviderConfigManager creates keystores, fills the keystore pool and
// initialises (and caches) provider configurations for keys. It is embedded
// by KeyManager and KeyVersionManager, which is how it is constructed; there
// is no exported constructor on this page.
type ProviderConfigManager struct {
	// contains filtered or unexported fields
}

func (*ProviderConfigManager) AddKeystoreToPool

func (pmc *ProviderConfigManager) AddKeystoreToPool(
	ctx context.Context,
	provider string,
	config map[string]any,
) error

func (*ProviderConfigManager) CreateKeystore

func (pmc *ProviderConfigManager) CreateKeystore(ctx context.Context) (string, map[string]any, error)

func (*ProviderConfigManager) FillKeystorePool

func (pmc *ProviderConfigManager) FillKeystorePool(ctx context.Context, size int) error

func (*ProviderConfigManager) GetDefaultKeystoreFromCatalog

func (pmc *ProviderConfigManager) GetDefaultKeystoreFromCatalog() (string, error)

func (*ProviderConfigManager) GetOrInitProvider

func (pmc *ProviderConfigManager) GetOrInitProvider(ctx context.Context, key *model.Key) (*ProviderConfig, error)

type ProviderImportFields

// ProviderImportFields contains provider-specific parameters and an optional
// expiration for a BYOK import; the provider-independent part lives in
// CommonImportFields.
type ProviderImportFields struct {
	ProviderParams map[string]any // opaque, provider-defined parameters
	Expires        *time.Time     // nil when the provider sets no expiry
}

ProviderImportFields contains provider-specific parameters and an optional expiration.

type System

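// System is the consumer-facing interface for connected-system operations;
// *SystemManager satisfies it and Manager.System holds it.
type System interface {
	// GetAllSystems returns a page of systems selected by params plus an int
	// (presumably the total count — confirm).
	GetAllSystems(ctx context.Context, params repo.QueryMapper) ([]*model.System, int, error)
	// GetSystemByID fetches one system. The parameter is named systemID to
	// match SystemManager.GetSystemByID; it was previously named keyConfigID,
	// which misdescribed what is passed.
	GetSystemByID(ctx context.Context, systemID uuid.UUID) (*model.System, error)
	// RefreshSystemsData refreshes system data. Only a bool is returned, so a
	// failure cannot be distinguished from "nothing to refresh" by callers.
	RefreshSystemsData(ctx context.Context) bool
	// LinkSystemAction links a system according to patchSystem.
	LinkSystemAction(ctx context.Context, systemID uuid.UUID, patchSystem cmkapi.SystemPatch) (*model.System, error)
	// UnlinkSystemAction unlinks a system from its key configuration.
	UnlinkSystemAction(ctx context.Context, systemID uuid.UUID) error
	// GetRecoveryActions reports the recovery action available for a system
	// (parameter name fixed from "sytemID").
	GetRecoveryActions(ctx context.Context, systemID uuid.UUID) (cmkapi.SystemRecoveryAction, error)
	// SendRecoveryActions triggers the given recovery action on a system.
	SendRecoveryActions(
		ctx context.Context,
		systemID uuid.UUID,
		action cmkapi.SystemRecoveryActionBodyAction,
	) error
}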

type SystemFilter

// SystemFilter selects and pages systems. Its GetQuery, GetString and GetUUID
// methods suggest it is the repo.QueryMapper handed to System.GetAllSystems
// — confirm.
type SystemFilter struct {
	KeyConfigID uuid.UUID // restrict to systems of this key configuration
	Region      string    // restrict to this region
	Type        string    // restrict to this system type
	Skip        int       // paging offset
	Top         int       // paging limit
}

func (SystemFilter) GetQuery

func (s SystemFilter) GetQuery(_ context.Context) *repo.Query

func (SystemFilter) GetString

func (s SystemFilter) GetString(field repo.QueryField) (string, error)

func (SystemFilter) GetUUID

func (s SystemFilter) GetUUID(field repo.QueryField) (uuid.UUID, error)

type SystemInformation

// SystemInformation refreshes system records from the system information
// plugin in the catalog (see UpdateSystems and UpdateSystemByExternalID).
// Construct it with NewSystemInformationManager; the zero value is not usable.
type SystemInformation struct {
	// contains filtered or unexported fields
}

func NewSystemInformationManager

func NewSystemInformationManager(repo repo.Repo,
	catalog *plugincatalog.Catalog, systemCfg *config.System,
) (*SystemInformation, error)

func (*SystemInformation) UpdateSystemByExternalID

func (si *SystemInformation) UpdateSystemByExternalID(ctx context.Context, externalID string) error

func (*SystemInformation) UpdateSystems

func (si *SystemInformation) UpdateSystems(ctx context.Context) error

type SystemManager

// SystemManager implements the System interface. It is built by NewSystemManager,
// which also receives a User (the authorization contract) alongside the
// repository, clients factory, crypto reconciler, plugin catalog and config.
type SystemManager struct {
	// KeyConfigManager is the key-configuration manager this manager delegates to;
	// it is exported and therefore settable by callers after construction.
	KeyConfigManager *KeyConfigManager
	// ContextModelsCfg is the system configuration section in effect.
	ContextModelsCfg config.System
	// contains filtered or unexported fields
}

func NewSystemManager

func NewSystemManager(
	ctx context.Context,
	repository repo.Repo,
	clientsFactory clients.Factory,
	reconciler *eventprocessor.CryptoReconciler,
	ctlg *plugincatalog.Catalog,
	cfg *config.Config,
	keyConfigManager *KeyConfigManager,
	user User,
) *SystemManager

func (*SystemManager) GetAllSystems

func (m *SystemManager) GetAllSystems(
	ctx context.Context,
	params repo.QueryMapper,
) ([]*model.System, int, error)

func (*SystemManager) GetRecoveryActions

func (m *SystemManager) GetRecoveryActions(
	ctx context.Context,
	systemID uuid.UUID,
) (cmkapi.SystemRecoveryAction, error)

func (*SystemManager) GetSystemByID

func (m *SystemManager) GetSystemByID(ctx context.Context, systemID uuid.UUID) (*model.System, error)

func (*SystemManager) LinkSystemAction

func (m *SystemManager) LinkSystemAction(
	ctx context.Context,
	systemID uuid.UUID,
	patchSystem cmkapi.SystemPatch,
) (*model.System, error)

func (*SystemManager) RefreshSystemsData

func (m *SystemManager) RefreshSystemsData(ctx context.Context) bool

func (*SystemManager) SendRecoveryActions

func (m *SystemManager) SendRecoveryActions(
	ctx context.Context,
	systemID uuid.UUID,
	action cmkapi.SystemRecoveryActionBodyAction,
) error

func (*SystemManager) UnlinkSystemAction

func (m *SystemManager) UnlinkSystemAction(ctx context.Context, systemID uuid.UUID) error

type TagManager

// TagManager stores and retrieves string tags keyed by item ID; it satisfies the
// Tags interface (SetTags, GetTags, DeleteTags) and is built by NewTagManager
// from a repo.Repo.
type TagManager struct {
	// contains filtered or unexported fields
}

func NewTagManager

func NewTagManager(r repo.Repo) *TagManager

func (*TagManager) DeleteTags

func (m *TagManager) DeleteTags(ctx context.Context, itemID uuid.UUID) error

func (*TagManager) GetTags

func (m *TagManager) GetTags(ctx context.Context, itemID uuid.UUID) ([]string, error)

func (*TagManager) SetTags

func (m *TagManager) SetTags(ctx context.Context, itemID uuid.UUID, values []string) error

type Tags

// Tags is the consumer-side contract for item tagging; *TagManager provides all
// three methods.
type Tags interface {
	// SetTags replaces the tags of itemID with values.
	// NOTE(review): whether SetTags merges or overwrites is not visible here.
	SetTags(ctx context.Context, itemID uuid.UUID, values []string) error
	// GetTags returns the tags currently stored for itemID.
	GetTags(ctx context.Context, itemID uuid.UUID) ([]string, error)
	// DeleteTags removes all tags of itemID.
	DeleteTags(ctx context.Context, itemID uuid.UUID) error
}

type Tenant

// Tenant is the consumer-side contract for tenant lifecycle operations;
// *TenantManager provides every method listed here.
// GetTenant, OffboardTenant and DeleteTenant take only ctx, so the affected
// tenant is whichever one the context resolves to — callers must make sure ctx
// carries the intended tenant before invoking the destructive operations.
type Tenant interface {
	GetTenant(ctx context.Context) (*model.Tenant, error) // Get tenant from context
	// ListTenantInfo lists tenants, optionally filtered by issuerURL (nil = no
	// filter, presumably — verify), paged by skip/top, and returns the page, an
	// int (presumably the total count) and an error.
	ListTenantInfo(ctx context.Context, issuerURL *string, skip int, top int) ([]*model.Tenant, int, error)
	// CreateTenant persists a new tenant.
	CreateTenant(ctx context.Context, tenant *model.Tenant) error
	// OffboardTenant triggers the offboarding events for the context tenant and
	// reports progress via OffboardingResult (see TenantManager.OffboardTenant).
	OffboardTenant(ctx context.Context) (OffboardingResult, error)
	// DeleteTenant deletes the context tenant.
	DeleteTenant(ctx context.Context) error
}

type TenantConfigManager

// TenantConfigManager reads and writes per-tenant configuration: the default
// keystore config (GetDefaultKeystoreConfig, which takes one from the pool when
// none exists), the tenant keystores (GetTenantsKeystores) and the workflow
// config (GetWorkflowConfig, SetWorkflowConfig). Built by NewTenantConfigManager
// from a repo.Repo and a plugin catalog.
type TenantConfigManager struct {
	// contains filtered or unexported fields
}

func NewTenantConfigManager

func NewTenantConfigManager(
	repo repo.Repo,
	catalog *plugincatalog.Catalog,
) *TenantConfigManager

func (*TenantConfigManager) GetDefaultKeystoreConfig

func (m *TenantConfigManager) GetDefaultKeystoreConfig(ctx context.Context) (*model.KeystoreConfig, error)

GetDefaultKeystoreConfig retrieves the default keystore config. If the config doesn't exist, it gets a config from the pool and sets it as the default.

func (*TenantConfigManager) GetTenantsKeystores

func (m *TenantConfigManager) GetTenantsKeystores() (TenantKeystores, error)

func (*TenantConfigManager) GetWorkflowConfig

func (m *TenantConfigManager) GetWorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)

func (*TenantConfigManager) SetWorkflowConfig

func (m *TenantConfigManager) SetWorkflowConfig(
	ctx context.Context,
	workflowConfig *model.WorkflowConfig,
) (*model.WorkflowConfig, error)

SetWorkflowConfig stores the workflow config, or creates a default one if workflowConfig is nil.

type TenantKeystores

// TenantKeystores is the value returned by TenantConfigManager.GetTenantsKeystores:
// the tenant's default keystore configuration and its HYOK keystore.
type TenantKeystores struct {
	// Default is the tenant's default keystore configuration.
	Default model.KeystoreConfig
	// HYOK is the tenant's hold-your-own-key keystore.
	HYOK HYOKKeystore
}

type TenantManager

// TenantManager implements the Tenant interface. NewTenantManager wires it with
// a repo.Repo, a System, a *KeyManager, a User, an *auditor.Auditor and a
// db.Migrator. Beyond the interface it also exposes GetTenantByID, which looks a
// tenant up by an explicit ID rather than from ctx.
// NOTE(review): whether GetTenantByID is gated by the User authorization
// contract is not visible here — confirm before exposing it to callers that
// operate on behalf of a single tenant.
type TenantManager struct {
	// contains filtered or unexported fields
}

func NewTenantManager

func NewTenantManager(
	repo repo.Repo,
	sysManager System,
	keyManager *KeyManager,
	user User,
	cmkAuditor *auditor.Auditor,
	migrator db.Migrator,
) *TenantManager

func (*TenantManager) CreateTenant

func (m *TenantManager) CreateTenant(ctx context.Context, tenant *model.Tenant) error

func (*TenantManager) DeleteTenant

func (m *TenantManager) DeleteTenant(ctx context.Context) error

func (*TenantManager) GetTenant

func (m *TenantManager) GetTenant(ctx context.Context) (*model.Tenant, error)

func (*TenantManager) GetTenantByID

func (m *TenantManager) GetTenantByID(ctx context.Context, tenantID string) (*model.Tenant, error)

func (*TenantManager) ListTenantInfo

func (m *TenantManager) ListTenantInfo(
	ctx context.Context,
	issuerURL *string,
	skip int,
	top int,
) ([]*model.Tenant, int, error)

func (*TenantManager) OffboardTenant

func (m *TenantManager) OffboardTenant(ctx context.Context) (OffboardingResult, error)

OffboardTenant triggers the events that offboard a tenant. It returns OffboardingProcessing if any step is still in progress (retry later); OffboardingFailed if any step has failed permanently; OffboardingSuccess if all steps completed successfully; or an error if the offboarding process encounters an unexpected error, in which case it should be retried later.

type User

// User is the authorization contract consulted by the managers in this package
// (NewSystemManager, NewTenantManager and NewWorkflowManager each take one);
// NewUserManager returns the default implementation. All access decisions are
// made through these methods, so a manager that skips the relevant check
// effectively bypasses authorization — keep calls to this interface on every
// path that reads or mutates tenant-scoped resources.
type User interface {
	// HasTenantAccess reports whether the caller may access the context tenant.
	HasTenantAccess(ctx context.Context) (bool, error)
	// HasSystemAccess reports whether the caller may perform action on system.
	HasSystemAccess(ctx context.Context, action authz.Action, system *model.System) (bool, error)
	// HasKeyAccess reports whether the caller may perform action on a key; note
	// the identifier passed is the key configuration ID, not a key ID.
	HasKeyAccess(ctx context.Context, action authz.Action, keyConfig uuid.UUID) (bool, error)
	// HasKeyConfigAccess is the same decision for an already-loaded key
	// configuration. NOTE(review): the two checks take different inputs (ID vs
	// struct); confirm they resolve to the same policy.
	HasKeyConfigAccess(
		ctx context.Context,
		action authz.Action,
		keyConfig *model.KeyConfiguration,
	) (bool, error)
	// GetRoleFromIAM resolves the caller's role from the given IAM identifiers.
	GetRoleFromIAM(ctx context.Context, iamIdentifiers []string) (constants.Role, error)
	// GetUserInfo returns the caller's identity attributes (see UserInfo).
	GetUserInfo(ctx context.Context) (UserInfo, error)
	// NeedsGroupFiltering reports whether results for action on resource must be
	// narrowed to the caller's groups — presumably used by list operations.
	NeedsGroupFiltering(
		ctx context.Context,
		action authz.Action,
		resource authz.ResourceTypeName,
	) (bool, error)
}

func NewUserManager

func NewUserManager(r repo.Repo, cmkAuditor *auditor.Auditor) User

type UserInfo

// UserInfo is the caller identity returned by User.GetUserInfo.
type UserInfo struct {
	Email      string
	FamilyName string
	GivenName  string
	// Identifier is the caller's unique identifier; its source (token subject,
	// IAM ID, ...) is not visible here.
	Identifier string
	// Role is the caller's role as a plain string. NOTE(review): GetRoleFromIAM
	// returns constants.Role — confirm the two use the same value set.
	Role string
}

type Workflow

// Workflow is the consumer-side contract for approval workflows;
// *WorkflowManager provides every method listed here (and additionally
// AutoAssignApprovers, which is not part of the interface).
type Workflow interface {
	// CheckWorkflow reports whether a workflow exists for the given model and
	// whether workflows are enabled (see WorkflowStatus).
	CheckWorkflow(ctx context.Context, workflow *model.Workflow) (WorkflowStatus, error)
	// GetWorkflows lists workflows selected by params, with an int (presumably
	// the total count) for pagination.
	GetWorkflows(ctx context.Context, params repo.QueryMapper) ([]*model.Workflow, int, error)
	// CreateWorkflow persists a new workflow and returns the stored form.
	CreateWorkflow(ctx context.Context, workflow *model.Workflow) (*model.Workflow, error)
	// GetWorkflowByID looks up one workflow.
	GetWorkflowByID(ctx context.Context, workflowID uuid.UUID) (*model.Workflow, error)
	// ListWorkflowApprovers pages through the approvers of workflow id, filtered
	// by whether they have already decided.
	ListWorkflowApprovers(
		ctx context.Context,
		id uuid.UUID,
		decisionMade bool,
		skip int,
		top int,
	) ([]*model.WorkflowApprover, int, error)
	// GetWorkflowAvailableTransitions returns the transitions currently allowed
	// for workflow; TransitionWorkflow is expected to accept only these.
	GetWorkflowAvailableTransitions(ctx context.Context, workflow *model.Workflow) ([]wf.Transition, error)
	// GetWorkflowApprovalSummary summarizes the approval state of workflow.
	GetWorkflowApprovalSummary(ctx context.Context, workflow *model.Workflow) (*wf.ApprovalSummary, error)
	// TransitionWorkflow applies transition to the workflow identified by
	// workflowID. NOTE(review): whether the transition is validated against
	// GetWorkflowAvailableTransitions and the caller's approver role is not
	// visible here — confirm in the implementation.
	TransitionWorkflow(
		ctx context.Context,
		workflowID uuid.UUID,
		transition wf.Transition,
	) (*model.Workflow, error)
	// WorkflowConfig returns the tenant's workflow configuration.
	WorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)
	// IsWorkflowRequired reports whether operations must go through a workflow.
	IsWorkflowRequired(ctx context.Context) (bool, error)
	// CleanupTerminalWorkflows removes workflows that reached a terminal state.
	CleanupTerminalWorkflows(ctx context.Context) error
}

type WorkflowFilter

// WorkflowFilter holds the selection criteria and paging window for a workflow
// query. NewWorkflowFilterFromOData builds it from a client-supplied OData query,
// so its string fields may carry untrusted input; it exposes GetQuery, GetString
// and GetUUID, presumably to serve as the repo.QueryMapper for GetWorkflows.
// NOTE(review): validation of State/ArtifactType/ActionType against known values
// and bounding of Skip/Top are not visible here — confirm they happen in
// NewWorkflowFilterFromOData or GetQuery.
type WorkflowFilter struct {
	State                  string
	ArtifactType           string
	ArtifactID             uuid.UUID
	ArtifactName           string
	ParametersResourceName string
	ActionType             string
	// Skip and Top define the pagination window (offset and page size).
	Skip int
	Top  int
}

func NewWorkflowFilterFromOData

func NewWorkflowFilterFromOData(queryMapper odata.QueryOdataMapper) (*WorkflowFilter, error)

func (WorkflowFilter) GetQuery

func (w WorkflowFilter) GetQuery(_ context.Context) *repo.Query

func (WorkflowFilter) GetString

func (w WorkflowFilter) GetString(field repo.QueryField) (string, error)

func (WorkflowFilter) GetUUID

func (w WorkflowFilter) GetUUID(field repo.QueryField) (uuid.UUID, error)

type WorkflowManager

// WorkflowManager implements the Workflow interface. NewWorkflowManager wires it
// with the repository, key / key-configuration / system / group managers, a User
// (authorization), an async.Client, a *TenantConfigManager and the config.
// It additionally exposes AutoAssignApprovers, which is not part of Workflow.
type WorkflowManager struct {
	// contains filtered or unexported fields
}

func NewWorkflowManager

func NewWorkflowManager(
	repository repo.Repo,
	keyManager *KeyManager,
	keyConfigurationManager *KeyConfigManager,
	systemManager *SystemManager,
	groupManager *GroupManager,
	userManager User,
	asyncClient async.Client,
	tenantConfigManager *TenantConfigManager,
	cfg *config.Config,
) *WorkflowManager

func (*WorkflowManager) AutoAssignApprovers

func (w *WorkflowManager) AutoAssignApprovers(
	ctx context.Context,
	workflowID uuid.UUID,
) (*model.Workflow, error)

func (*WorkflowManager) CheckWorkflow

func (w *WorkflowManager) CheckWorkflow(ctx context.Context,
	workflow *model.Workflow,
) (WorkflowStatus, error)

func (*WorkflowManager) CleanupTerminalWorkflows

func (w *WorkflowManager) CleanupTerminalWorkflows(ctx context.Context) error

func (*WorkflowManager) CreateWorkflow

func (w *WorkflowManager) CreateWorkflow(
	ctx context.Context,
	workflow *model.Workflow,
) (*model.Workflow, error)

func (*WorkflowManager) GetWorkflowApprovalSummary

func (w *WorkflowManager) GetWorkflowApprovalSummary(
	ctx context.Context,
	workflow *model.Workflow,
) (*wf.ApprovalSummary, error)

func (*WorkflowManager) GetWorkflowAvailableTransitions

func (w *WorkflowManager) GetWorkflowAvailableTransitions(
	ctx context.Context,
	workflow *model.Workflow,
) ([]wf.Transition, error)

func (*WorkflowManager) GetWorkflowByID

func (w *WorkflowManager) GetWorkflowByID(ctx context.Context, workflowID uuid.UUID) (*model.Workflow, error)

func (*WorkflowManager) GetWorkflows

func (w *WorkflowManager) GetWorkflows(
	ctx context.Context,
	params repo.QueryMapper,
) ([]*model.Workflow, int, error)

func (*WorkflowManager) IsWorkflowRequired

func (w *WorkflowManager) IsWorkflowRequired(ctx context.Context) (bool, error)

func (*WorkflowManager) ListWorkflowApprovers

func (w *WorkflowManager) ListWorkflowApprovers(
	ctx context.Context,
	id uuid.UUID,
	decisionMade bool,
	skip int,
	top int,
) ([]*model.WorkflowApprover, int, error)

ListWorkflowApprovers retrieves a paginated list of approvers for a given workflow ID. Returns a slice of WorkflowApprover, the total count, and an error if any occurs.

func (*WorkflowManager) TransitionWorkflow

func (w *WorkflowManager) TransitionWorkflow(
	ctx context.Context,
	workflowID uuid.UUID,
	transition wf.Transition,
) (*model.Workflow, error)

func (*WorkflowManager) WorkflowConfig

func (w *WorkflowManager) WorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)

type WorkflowStatus

// WorkflowStatus is the result of Workflow.CheckWorkflow.
type WorkflowStatus struct {
	// Enabled reports whether workflow handling is enabled for the tenant —
	// presumably derived from the workflow config; verify.
	Enabled bool
	// Exists reports whether a workflow already exists for the checked model.
	Exists bool
}
