manager


Constants

// Plugin lookup name for the certificate issuer and the default RSA modulus
// size used when this package generates a private key for a certificate
// request (see CertificateManager.RequestNewCertificate / RotateCertificate).
const (
	CertificateIssuerPluginName = "CERT_ISSUER"
	// NOTE(review): 3076 is not a standard RSA modulus length (NIST SP 800-57
	// sizes are 2048/3072/4096) and some HSM/KMS back ends reject non-standard
	// sizes. Confirm whether 3072 was intended before relying on this default.
	DefaultKeyBitSize           = 3076
)
// BYOK import-flow actions, plus the map key under which a crypto region's
// editability flag is stored.
const (
	BYOKActionImportKeyMaterial BYOKAction = "IMPORT_KEY_MATERIAL"
	BYOKActionGetImportParams   BYOKAction = "GET_IMPORT_PARAMETERS"
	// IsEditableCryptoAccess names the boolean field in a crypto-region access
	// map; presumably it gates updates (ErrNonEditableCryptoRegionUpdate) and
	// must be a bool (ErrEditableCryptoRegionField) — confirm in the key manager.
	IsEditableCryptoAccess      string     = "isEditable"
)
// Defaults for the tenant HYOK certificate subject and for how long an
// initialised provider configuration (ProviderConfig) stays cached.
const (
	DefaultHYOKCertCommonName            = "default.hyok.cmk"
	// NOTE(review): a cached ProviderConfig holds a live keystore client; with
	// a 24h default, credential rotation or revocation at the provider is not
	// observed until the entry expires unless something evicts it earlier.
	DefaultProviderConfigCacheExpiration = 24 * time.Hour
)
// DefaultCertName is the name given to the default HYOK certificate.
const (
	DefaultCertName = "hyok-default"
)
// GRPCErrorCodeHYOKAuthFailed is the machine-readable code carried by
// ErrGRPCHYOKAuthFailed when authentication with a keystore provider fails.
const (
	GRPCErrorCodeHYOKAuthFailed errs.GRPCErrorCode = "HYOK_AUTH_FAILED"
)
// WorkflowSystemArtifactPropertyKey is the property key under which a
// system artifact's name is stored on a workflow.
const (
	WorkflowSystemArtifactPropertyKey = "NAME"
)

Variables

// Certificate-manager sentinel errors. ErrCertificateManager and
// ErrDefaultTenantError are broad categories; the rest name one specific
// failure. Match them with errors.Is rather than on message text.
var (
	// Presumably returned when the certificate issuer's PKCS#7 response cannot
	// be parsed or contains no certificates.
	ErrInvalidP7CertNoParse  = errors.New("returned invalid p7 cert: could not parse pkcs7")
	ErrInvalidCertEmptyChain = errors.New("empty certificate chain")

	ErrCertificateManager   = errors.New("certificate manager error")
	ErrCertificatePublicKey = errors.New("could not find a certificate with given public key")
	ErrCannotRotateOldCerts = errors.New("cannot rotate old tenant default certificates")

	// Exactly one default (HYOK) certificate is permitted per tenant.
	ErrDefaultTenantCertificateAlreadyExists = errors.New(
		"default tenant certificate already exists; only one is allowed per tenant",
	)
	ErrDefaultTenantError = errors.New("default tenant cert error")
)
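// Sentinel errors shared by the key, key-configuration, tenant, group, label,
// system, workflow and onboarding managers. Managers wrap these with context,
// so callers must match them with errors.Is, never by comparing message text.
//
// Errors whose message says "not allowed" / "no permission" are authorization
// failures and should be mapped to a 403-class response without adding detail
// about the resource the caller was denied.
var (
	ErrIncompatibleQueryField = errors.New("incompatible query field")

	// Plugin, provider and generic key-lifecycle errors.
	ErrLoadCryptoCerts         = errors.New("failed to load crypto certs")
	ErrUnmarshalCryptoCerts    = errors.New("failed to unmarshal crypto certs")
	ErrSetCryptoCerts          = errors.New("failed to set crypto certs")
	ErrPluginNotFound          = errors.New("plugin not found")
	ErrConfigNotFound          = errors.New("config not found")
	ErrKeyCreationFailed       = errors.New("failed to create key in provider")
	ErrKeyRegistration         = errors.New("failed to register key from provider")
	ErrUnsupportedKeyAlgorithm = errors.New("unsupported key algorithm")
	ErrInvalidKeyState         = errors.New("invalid key state")
	ErrHYOKKeyActionNotAllowed = errors.New("HYOK key action not allowed")
	ErrNameCannotBeEmpty       = errors.New("name field cannot be empty")
	ErrEventSendingFailed      = errors.New("failed to send event")
	ErrHYOKProviderKeyNotFound = errors.New("HYOK provider key not found")
	ErrConvertAccessData       = errors.New("failed to convert access data")

	// Tag errors.
	ErrGetTags      = errors.New("failed getting tags")
	ErrDeletingTags = errors.New("failed to delete tags")

	// Key-configuration and provider-key errors.
	ErrCreateKeyConfiguration       = errors.New("failed to create key configuration")
	ErrConnectedSystemToKeyConfig   = errors.New("system is connected to keyconfig")
	ErrInvalidKeyAdminGroup         = errors.New("invalid keyconfig admin group")
	ErrDeleteKeyConfiguration       = errors.New("failed to delete key configuration")
	ErrQueryKeyConfigurationList    = errors.New("failed to query key configuration list")
	ErrGettingKeyConfigByID         = errors.New("failed to get key configuration by ID")
	ErrKeyConfigurationNotFound     = errors.New("KeyConfiguration not found")
	ErrKeyConfigurationIDNotFound   = errors.New("KeyConfigurationID not found")
	ErrFailedToInitProvider         = errors.New("failed to init provider")
	ErrFailedToEnableProviderKey    = errors.New("failed to enable provider key")
	ErrFailedToDisableProviderKey   = errors.New("failed to disable provider key")
	ErrFailedToDeleteProvider       = errors.New("failed to delete provider")
	ErrGetProviderKey               = errors.New("failed to get provider key")
	ErrGetImportParamsFromProvider  = errors.New("failed to get import parameters from provider")
	ErrImportKeyMaterialsToProvider = errors.New("failed to import key materials to provider")
	ErrKeyIsNotEnabled              = errors.New("key is not enabled")
	ErrPrimaryKeyUnmark             = errors.New("primary key cannot be unmarked primary")

	// Key persistence, crypto-region and system-link state errors.
	ErrGetKeyDB                         = errors.New("failed to get key from database")
	ErrGettingKeyByID                   = errors.New("failed to get key by ID")
	ErrListKeysDB                       = errors.New("failed to list keys from database")
	ErrManagementDetailsUpdate          = errors.New("management credentials cannot be updated")
	ErrCryptoDetailsUpdate              = errors.New("crypto credentials cannot be updated")
	ErrCryptoRegionNotExists            = errors.New("crypto region does not exist")
	ErrNonEditableCryptoRegionUpdate    = errors.New("crypto region cant be updated as it's not editable")
	ErrBadCryptoRegionData              = errors.New("crypto region data invalid")
	ErrEditableCryptoRegionField        = errors.New("editable crypto region field has to be boolean")
	ErrUpdateKeyDB                      = errors.New("failed to update key in database")
	ErrCreateKeyDB                      = errors.New("failed to create key in database")
	ErrDeleteKeyDB                      = errors.New("failed to delete key from database")
	ErrSetImportParamsDB                = errors.New("failed to set import parameters in database")
	ErrDeleteImportParamsDB             = errors.New("failed to delete import parameters from database")
	ErrUpdateKeyConfiguration           = errors.New("failed to update key configuration")
	ErrUpdateKeyConfigurationDB         = errors.New("failed to update key configuration in database")
	ErrGetConfiguration                 = errors.New("failed to get configuration")
	ErrUpdatePrimary                    = errors.New("failed to update key primary state")
	ErrGetHYOKKeyInfoDB                 = errors.New("failed to get HYOK key info from database")
	ErrInvalidKeyTypeForHYOKSync        = errors.New("invalid key type for hyok sync")
	ErrListHYOKKeysDB                   = errors.New("failed to list hyok keys")
	ErrDeleteKey                        = errors.New("failed to delete key")
	ErrUpdatingTotalKeys                = errors.New("failed to update total keys")
	ErrUpdatingTotalSystems             = errors.New("failed to update total systems")
	ErrUnsupportedSystemAction          = errors.New("system action not supported")
	ErrKeyNotAssignedToKeyConfiguration = errors.New("key not assigned to key configuration")
	ErrUpdateKeyVersionDisabled         = errors.New("cannot update key version when key is disabled")
	ErrUpdateSystemNoRegClient          = errors.New("system cannot be updated since no registry client")
	ErrLinkSystemProcessingOrFailed     = errors.New("system cannot be linked in PROCESSING/FAILED state")
	ErrUnlinkSystemProcessing           = errors.New("system cannot be unlinked in PROCESSING state")
	// Message reworded: the original ("system can action only be retried on
	// failed state") was garbled.
	ErrRetryNonFailedSystem             = errors.New("system action can only be retried in failed state")

	// BYOK (bring-your-own-key) import errors. Import parameters carry an
	// expiry; ErrMissingOrExpiredImportParams is the check that a stale
	// wrapping key is not accepted.
	ErrRotateBYOKKey                       = errors.New("byok key must not be rotated")
	ErrUnsupportedBYOKProvider             = errors.New("unsupported BYOK provider")
	ErrBuildImportParams                   = errors.New("error building import parameters")
	ErrMarshalProviderParams               = errors.New("error marshaling provider parameters")
	ErrExtractCommonImportFields           = errors.New("error extracting common import fields")
	ErrInvalidKeyTypeForImportParams       = errors.New("invalid key type for import parameters")
	ErrInvalidKeyStateForImportParams      = errors.New("invalid key state for import parameters")
	ErrInvalidKeyTypeForImportKeyMaterial  = errors.New("invalid key type for import key materials")
	ErrInvalidKeyStateForImportKeyMaterial = errors.New("invalid key state for import key materials")
	ErrInvalidBYOKAction                   = errors.New("invalid BYOK action")
	ErrEmptyKeyMaterial                    = errors.New("key material cannot be empty")
	ErrInvalidBase64KeyMaterial            = errors.New("key material must be base64 encoded")
	ErrMissingOrExpiredImportParams        = errors.New("import parameters missing or expired")

	// Key-version errors.
	ErrGetKeyVersionDB         = errors.New("failed to get key version from database")
	ErrGetPrimaryKeyVersionDB  = errors.New("failed to get primary key version from database")
	ErrListKeyVersionsDB       = errors.New("failed to list key versions from database")
	ErrUpdateKeyVersionDB      = errors.New("failed to update key version in database")
	ErrCreateKeyVersionDB      = errors.New("failed to create key version in database")
	ErrInvalidKeyVersionNumber = errors.New("invalid key version number")

	// Tenant lookup and tenant-level authorization errors.
	ErrListTenants      = errors.New("failed to list tenants from database")
	ErrGetTenantInfo    = errors.New("failed to get tenant info")
	ErrTenantNotAllowed = errors.New("user has no permission to access tenant")

	// Group errors. Each user in a group must hold exactly one role.
	ErrListGroups            = errors.New("failed to list groups from database")
	ErrGetGroups             = errors.New("failed to get group from database")
	ErrCreateGroups          = errors.New("failed to create group from database")
	ErrUpdateGroups          = errors.New("failed to update group from database")
	ErrDeleteGroups          = errors.New("failed to delete group from database")
	ErrInvalidGroupUpdate    = errors.New("group cannot be updated")
	ErrInvalidGroupDelete    = errors.New("group cannot be deleted")
	ErrMultipleRolesInGroups = errors.New("users with multiple roles are not allowed")
	ErrZeroRolesInGroups     = errors.New("users without any roles are not allowed")

	// IAM reconciliation errors.
	ErrCheckIAMExistenceOfGroups = errors.New("failed to check IAM existence of groups")
	ErrCheckTenantHasIAMGroups   = errors.New("failed to check tenant has IAM groups")

	// Request-body validation for customer-held key rotation: a body is
	// required for customer-held keys and rejected for everything else.
	ErrNoBodyForCustomerHeldDB = errors.New(
		"body must be provided for customer held key rotation",
	)
	ErrBodyForNoCustomerHeldDB = errors.New(
		"body must be provided only for customer held key rotation",
	)

	// Label errors.
	// Message fixed: the original said "failed to query system list", a
	// copy-paste from ErrQuerySystemList that misreported label failures.
	ErrQueryLabelList    = errors.New("failed to query label list")
	ErrFetchLabel        = errors.New("failed to fetch label")
	ErrUpdateLabelDB     = errors.New("failed to update label")
	ErrInsertLabel       = errors.New("failed to insert label")
	ErrDeleteLabelDB     = errors.New("failed to delete label")
	ErrGetKeyIDDB        = errors.New("KeyID is required")
	ErrEmptyInputLabelDB = errors.New("invalid input empty label name")

	// System (consumer of a key configuration) errors.
	ErrQuerySystemList           = errors.New("failed to query system list")
	ErrGettingSystem             = errors.New("failed to get system")
	ErrCreatingSystem            = errors.New("failed to create system")
	ErrGettingSystemByID         = errors.New("failed to get system by ID")
	ErrGettingSystemLinkByID     = errors.New("failed to get system link by ID")
	// Message grammar fixed ("cannot be connect" -> "cannot be connected").
	ErrConnectSystemNoPrimaryKey = errors.New("system cannot be connected without an enabled primary key")
	ErrUpdateSystem              = errors.New("failed to update system")
	ErrSystemNotLinked           = errors.New("system is not linked to a key configuration")
	ErrFailedToReencryptSystem   = errors.New("system reencrypt failed on new key")

	// Approval-workflow errors.
	ErrGetWorkflowDB        = errors.New("failed to get workflow")
	ErrOngoingWorkflowExist = errors.New("ongoing workflow for artifact already exists")
	ErrCreateWorkflowDB     = errors.New("failed to create workflow")
	ErrCheckWorkflow        = errors.New("failed to check workflow")
	ErrCheckOngoingWorkflow = errors.New("failed to check ongoing workflow for artifact")
	ErrValidateActor        = errors.New("failed to validate actor for workflow transition")
	ErrAddApproversDB       = errors.New("failed to add approvers to workflow")
	ErrAddApproverGroupsDB  = errors.New("failed to add approver groups to workflow")
	ErrApplyTransition      = errors.New("failed to apply transition to workflow")
	ErrInDBTransaction      = errors.New(
		"error when executing sequence of operations in a transaction",
	)
	ErrWorkflowCannotTransitionDB = errors.New("workflow cannot transition to specified state")
	ErrUpdateApproverDecision     = errors.New("failed to update approver decision")
	ErrGetKeyConfigFromArtifact   = errors.New("failed to get key configuration from artifact")
	ErrAutoAssignApprover         = errors.New("failed to auto assign approver")
	ErrCreateApproverAssignTask   = errors.New("failed to create auto approver assignment task")

	ErrLoadIdentityManagementPlugin = errors.New("failed to load identity management plugin")

	// Tenant identity errors.
	ErrTenantNotExist = errors.New("tenantID does not exist")
	ErrEmptyTenantID  = errors.New("tenantID cannot be empty")

	// Keystore pool and tenant onboarding errors.
	ErrPoolIsDrained               = errors.New("pool is drained")
	ErrCouldNotSaveConfiguration   = errors.New("could not save configuration")
	ErrCouldNotRemoveConfiguration = errors.New("could not remove configuration")
	ErrOnboardingInProgress        = errors.New("another onboarding is already in progress")
	ErrCreatingGroups              = errors.New("creating user groups for existing tenant")
	ErrInvalidGroupType            = errors.New("invalid group type")

	// Tenant schema validation (the schema name ends up in SQL, so the length
	// and pattern checks that yield these errors are the injection guard).
	ErrSchemaNameLength = errors.New("schema name length must be between 3 and 63 characters")
	ErrCreatingTenant   = errors.New("creating tenant failed")
	ErrValidatingTenant = errors.New("tenant validation failed")
	ErrInvalidSchema    = errors.New("invalid schema name pattern")

	ErrGroupRole = errors.New("unsupported role for group creation")
)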
// Key-configuration certificate and authorization errors.
var (
	ErrGetDefaultCerts                  = errors.New("failed to get default certificates")
	ErrDecodingCert                     = errors.New("failed to decode certificate")
	ErrCheckKeyConfigManagedByIAMGroups = errors.New("failed to check key configurations managed by IAM groups")
	// ErrKeyConfigurationNotAllowed is an authorization failure (the caller's
	// IAM groups do not manage the key configuration). Surface it as a denial
	// without echoing details of the configuration back to the caller.
	ErrKeyConfigurationNotAllowed       = errors.New("user has no permission to access key configuration")
)
// Keystore provisioning and keystore-pool errors (see ProviderConfigManager
// and Pool).
var (
	ErrCreateKeystore                = errors.New("failed to create keystore")
	ErrInvalidKeystore               = errors.New("invalid keystore")
	ErrCreateProtobufStruct          = errors.New("failed to create protobuf struct")
	// Returned when the tenant cannot be resolved from the request context;
	// operations must fail closed on this rather than fall back to a default.
	ErrGetTenantFromCtx              = errors.New("failed to get tenant from context")
	ErrGetDefaultTenantCertificate   = errors.New("failed to get default tenant HYOK certificate")
	ErrGetDefaultKeystoreCertificate = errors.New("failed to get default keystore certificate")
	ErrAddConfigToPool               = errors.New("failed to add keystore configuration to pool")
	ErrCountKeystorePool             = errors.New("failed to get keystore pool size")
)
// Errors from the system-information refresh path (SystemInformation).
var (
	ErrGettingSystemList = errors.New("error getting system list")
	ErrUpdatingSystem    = errors.New("error updating system")
	ErrNoPluginInCatalog = errors.New("no plugin in catalog")
	ErrNoSystem          = errors.New("no system found")
)
// Tag-manager errors.
var (
	ErrGetKeyConfig = errors.New("error getting keyconfig")
	ErrCreateTag    = errors.New("error setting tags")
)
// Tenant-configuration errors.
var (
	ErrMarshalConfig            = errors.New("error marshalling tenant config")
	ErrUnmarshalConfig          = errors.New("error unmarshalling tenant config")
	ErrGetDefaultKeystore       = errors.New("failed to get default keystore")
	ErrSetDefaultKeystore       = errors.New("failed to set default keystore")
	ErrGetKeystoreFromPool      = errors.New("failed to get keystore config from pool")
	ErrGetWorkflowConfig        = errors.New("failed to get workflow config")
	ErrSetWorkflowConfig        = errors.New("failed to set workflow config")
	// minimumRetentionPeriodDays is unexported and declared elsewhere in the
	// package; the message is built once at init.
	ErrRetentionLessThanMinimum = errors.New("retention is less than the minimum allowed (" +
		strconv.Itoa(minimumRetentionPeriodDays) + " day)")
	// Turning the approval workflow on or off is a privileged operation; per
	// this message it is only permitted for ROLE_TEST tenants. The enforcement
	// itself lives in TenantConfigManager (not shown here) — confirm it is
	// applied on every path that writes the workflow config.
	ErrWorkflowEnableDisableNotAllowed = errors.New("workflow enable/disable is only allowed for ROLE_TEST tenants")
)
// Approval-workflow authorization errors. The two *NotAllowed values are
// access denials and should be reported without detail about the workflow.
var (
	ErrWorkflowApproverDecision   = errors.New("workflow approver decision")
	ErrWorkflowNotAllowed         = errors.New("user has no permission to access workflow")
	ErrWorkflowCreationNotAllowed = errors.New("user has no permission to create workflow")
)
// ErrGRPCHYOKAuthFailed is the gRPC-level error surfaced when the keystore
// provider rejects this service's credentials. The message is generic and
// should stay that way: provider-side detail belongs in logs, not in the
// client-facing error.
var ErrGRPCHYOKAuthFailed = errs.GRPCError{
	Code:        GRPCErrorCodeHYOKAuthFailed,
	BaseMessage: "failed to authenticate with the keystore provider",
}

Functions

func BuildImportParams

func BuildImportParams(
	key *model.Key,
	importParamsResp *keystoreopv1.GetImportParametersResponse,
) (*model.ImportParams, error)

BuildImportParams creates import parameters for the specified provider

func IsUnavailableKeyState

func IsUnavailableKeyState(state string) bool

Types

type BYOKAction

// BYOKAction identifies a step of the BYOK key-import flow; the valid values
// are the BYOKAction* constants, anything else yields ErrInvalidBYOKAction.
type BYOKAction string

BYOKAction constants represent the actions that can be performed on a BYOK key during the import process.

type CertificateManager

// CertificateManager requests, rotates and updates certificates, presumably
// through the CERT_ISSUER plugin it resolves from the plugin registry it is
// constructed with. RequestNewCertificate and RotateCertificate return the
// private key alongside the certificate, so callers own its protection.
type CertificateManager struct {
	// contains filtered or unexported fields
}

func NewCertificateManager

func NewCertificateManager(
	ctx context.Context,
	repo repo.Repo,
	svcRegistry *cmkpluginregistry.Registry,
	cfg *config.Certificates,
) *CertificateManager

func (*CertificateManager) GetCertificate

func (m *CertificateManager) GetCertificate(
	ctx context.Context,
	certificateID *uuid.UUID,
) (*model.Certificate, error)

func (*CertificateManager) RequestNewCertificate

func (m *CertificateManager) RequestNewCertificate(
	ctx context.Context,
	privateKey *rsa.PrivateKey,
	args model.RequestCertArgs,
) (*model.Certificate, *rsa.PrivateKey, error)

func (*CertificateManager) RotateCertificate

func (m *CertificateManager) RotateCertificate(ctx context.Context,
	args model.RequestCertArgs,
) (*model.Certificate, *rsa.PrivateKey, error)

func (*CertificateManager) RotateExpiredCertificates added in v0.3.0

func (m *CertificateManager) RotateExpiredCertificates(ctx context.Context) error

func (*CertificateManager) UpdateCertificate

func (m *CertificateManager) UpdateCertificate(ctx context.Context, certificateID *uuid.UUID,
	autoRotate bool,
) (*model.Certificate, error)

type ClientCertificate

// ClientCertificate describes one client certificate as exposed by
// KeyConfigManager.GetClientCertificates. RootCA and Subject are plain
// strings; their encoding (PEM vs. DN text) is not fixed here — check the
// producer before parsing them.
type ClientCertificate struct {
	Name    string
	RootCA  string
	Subject string
}

ClientCertificate represents the client certificates

type CommonImportFields

// CommonImportFields are the provider-independent BYOK import parameters:
// presumably the provider's wrapping public key and the wrapping algorithm /
// hash the client must use before calling KeyManager.ImportKeyMaterial.
//
// NOTE(review): nothing in this type binds PublicKeyPEM to the provider that
// issued it; confirm the caller validates it against the provider identity
// before wrapping key material with it.
type CommonImportFields struct {
	PublicKeyPEM      string
	WrappingAlgorithm string
	HashFunction      string
}

CommonImportFields contains fields that are common across all providers

type GroupIAMExistence

// GroupIAMExistence reports whether the group identified by IAMIdentifier
// exists in the identity provider (see GroupManager.CheckIAMExistenceOfGroups).
type GroupIAMExistence struct {
	IAMIdentifier string
	Exists        bool
}

type GroupManager

// GroupManager manages tenant user groups and their mapping to IAM groups via
// the identity-management plugin (GetIdentityManagementPlugin).
type GroupManager struct {
	// contains filtered or unexported fields
}

func NewGroupManager

func NewGroupManager(
	repository repo.Repo,
	svcRegistry *cmkpluginregistry.Registry,
	userManager User,
) *GroupManager

func (*GroupManager) BuildIAMIdentifier

func (m *GroupManager) BuildIAMIdentifier(groupType, tenantID string) (string, error)

BuildIAMIdentifier creates an IAM identifier for a group based on its type and tenant ID.

func (*GroupManager) CheckIAMExistenceOfGroups

func (m *GroupManager) CheckIAMExistenceOfGroups(
	ctx context.Context,
	iamIdentifiers []string,
) ([]GroupIAMExistence, error)

func (*GroupManager) CreateDefaultGroups

func (m *GroupManager) CreateDefaultGroups(ctx context.Context) error

CreateDefaultGroups creates the default admin and auditor groups for a tenant.

func (*GroupManager) CreateGroup

func (m *GroupManager) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)

func (*GroupManager) DeleteGroupByID

func (m *GroupManager) DeleteGroupByID(ctx context.Context, id uuid.UUID) error

func (*GroupManager) GetGroupByID

func (m *GroupManager) GetGroupByID(ctx context.Context, id uuid.UUID) (*model.Group, error)

func (*GroupManager) GetGroups

func (m *GroupManager) GetGroups(ctx context.Context, pagination repo.Pagination) ([]*model.Group, int, error)

func (*GroupManager) GetIdentityManagementPlugin

func (m *GroupManager) GetIdentityManagementPlugin() (idmv1.IdentityManagementServiceClient, error)

func (*GroupManager) UpdateGroup

func (m *GroupManager) UpdateGroup(
	ctx context.Context,
	id uuid.UUID,
	patchGroup cmkapi.GroupPatch,
) (*model.Group, error)

type HYOKKeystore

// HYOKKeystore lists the HYOK providers a tenant may use and whether HYOK is
// allowed at all.
//
// NOTE(review): Provider has a json tag but Allow does not, so it serialises
// as "Allow". If this struct is persisted or exposed as JSON, the two fields
// use different naming conventions; changing the tag now would alter what is
// read from existing stored config, so confirm before fixing.
type HYOKKeystore struct {
	Provider []string `json:"provider"`
	Allow    bool
}

type KeyConfigFilter

// KeyConfigFilter selects key configurations for
// KeyConfigManager.GetKeyConfigurations. Expand presumably requests related
// data to be loaded with each configuration.
type KeyConfigFilter struct {
	Expand     bool
	Pagination repo.Pagination
}

type KeyConfigManager

// KeyConfigManager implements KeyConfigurationAPI: CRUD on key configurations
// plus access to the tenant's client certificates, with auditing via the
// auditor it is constructed with.
type KeyConfigManager struct {
	// contains filtered or unexported fields
}

func NewKeyConfigManager

func NewKeyConfigManager(
	repository repo.Repo,
	certManager *CertificateManager,
	user User,
	tagManager Tags,
	cmkAuditor *auditor.Auditor,
	cfg *config.Config,
) *KeyConfigManager

func (*KeyConfigManager) DeleteKeyConfigurationByID

func (m *KeyConfigManager) DeleteKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
) error

func (*KeyConfigManager) GetClientCertificates

func (m *KeyConfigManager) GetClientCertificates(ctx context.Context) (
	map[model.CertificatePurpose][]*ClientCertificate, error,
)

GetClientCertificates retrieves the client certificates

func (*KeyConfigManager) GetKeyConfigurationByID

func (m *KeyConfigManager) GetKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
) (*model.KeyConfiguration, error)

func (*KeyConfigManager) GetKeyConfigurations

func (m *KeyConfigManager) GetKeyConfigurations(
	ctx context.Context,
	filter KeyConfigFilter,
) ([]*model.KeyConfiguration, int, error)

func (*KeyConfigManager) PostKeyConfigurations

func (m *KeyConfigManager) PostKeyConfigurations(
	ctx context.Context,
	keyConfiguration *model.KeyConfiguration,
) (*model.KeyConfiguration, error)

func (*KeyConfigManager) UpdateKeyConfigurationByID

func (m *KeyConfigManager) UpdateKeyConfigurationByID(
	ctx context.Context,
	keyConfigID uuid.UUID,
	patchKeyConfig cmkapi.KeyConfigurationPatch,
) (*model.KeyConfiguration, error)

type KeyConfigurationAPI

// KeyConfigurationAPI is the key-configuration surface consumed by the other
// managers and by Manager.KeyConfig; KeyConfigManager is the implementation.
type KeyConfigurationAPI interface {
	GetKeyConfigurations(ctx context.Context, filter KeyConfigFilter) ([]*model.KeyConfiguration, int, error)
	PostKeyConfigurations(ctx context.Context, key *model.KeyConfiguration) (*model.KeyConfiguration, error)
	DeleteKeyConfigurationByID(ctx context.Context, keyConfigID uuid.UUID) error
	GetKeyConfigurationByID(ctx context.Context, keyConfigID uuid.UUID) (*model.KeyConfiguration, error)
	UpdateKeyConfigurationByID(
		ctx context.Context,
		keyConfigID uuid.UUID,
		patchKeyConfig cmkapi.KeyConfigurationPatch,
	) (*model.KeyConfiguration, error)
	// GetClientCertificates returns client certificates grouped by purpose.
	GetClientCertificates(ctx context.Context) (map[model.CertificatePurpose][]*ClientCertificate, error)
}

type KeyManager

// KeyManager owns the key lifecycle (create, import, update, delete, detach,
// HYOK sync). It embeds ProviderConfigManager, so provider/keystore-pool
// methods such as GetOrInitProvider are callable directly on it.
type KeyManager struct {
	ProviderConfigManager
	// contains filtered or unexported fields
}

func NewKeyManager

func NewKeyManager(
	repo repo.Repo,
	svcRegistry *cmkpluginregistry.Registry,
	tenantConfigs *TenantConfigManager,
	keyConfigManager *KeyConfigManager,
	user User,
	certManager *CertificateManager,
	eventFactory *eventprocessor.EventFactory,
	cmkAuditor *auditor.Auditor,
) *KeyManager

func (*KeyManager) Create

func (km *KeyManager) Create(
	ctx context.Context,
	key *model.Key,
) (*model.Key, error)

func (*KeyManager) Delete

func (km *KeyManager) Delete(ctx context.Context, keyID uuid.UUID) error

func (*KeyManager) Detach added in v0.3.0

func (km *KeyManager) Detach(ctx context.Context, key *model.Key) error

func (*KeyManager) Get

func (km *KeyManager) Get(ctx context.Context, keyID uuid.UUID) (*model.Key, error)

func (*KeyManager) GetImportParams

func (km *KeyManager) GetImportParams(ctx context.Context, keyID uuid.UUID) (*model.ImportParams, error)

func (*KeyManager) GetKeys

func (km *KeyManager) GetKeys(
	ctx context.Context,
	keyConfigID *uuid.UUID,
	pagination repo.Pagination,
) ([]*model.Key, int, error)

func (*KeyManager) ImportKeyMaterial

func (km *KeyManager) ImportKeyMaterial(
	ctx context.Context,
	keyID uuid.UUID,
	wrappedKeyMaterial string,
) (*model.Key, error)

func (*KeyManager) SyncHYOKKeys

func (km *KeyManager) SyncHYOKKeys(ctx context.Context) error

func (*KeyManager) UpdateKey

func (km *KeyManager) UpdateKey(ctx context.Context, keyID uuid.UUID, keyPatch cmkapi.KeyPatch) (*model.Key, error)

func (*KeyManager) UpdateVersion

func (km *KeyManager) UpdateVersion(ctx context.Context, keyID uuid.UUID, version int) error

type KeyVersion

// KeyVersion is the key-version surface used by callers of this package.
//
// NOTE(review): as shown on this page, KeyVersionManager.GetKeyVersions takes
// a repo.Pagination and returns []*model.KeyVersion, whereas this interface
// takes skip/top ints and returns []model.KeyVersion, and KeyVersionManager
// has no UpdateKeyVersion — so KeyVersionManager does not satisfy KeyVersion
// as listed. Confirm which type implements it.
type KeyVersion interface {
	GetKeyVersions(ctx context.Context, keyID uuid.UUID, skip int, top int) ([]model.KeyVersion, int, error)
	CreateKeyVersion(ctx context.Context, keyID uuid.UUID, nativeID *string) (*model.KeyVersion, error)
	GetKeyVersionByNumber(ctx context.Context, keyID uuid.UUID, version string) (*model.KeyVersion, error)
	// enabled is a pointer so that "not supplied" can be distinguished from false.
	UpdateKeyVersion(
		ctx context.Context,
		keyID uuid.UUID,
		version string,
		enabled *bool,
	) error
}

type KeyVersionManager

// KeyVersionManager creates and lists key versions in both the repository and
// the provider. Like KeyManager it embeds ProviderConfigManager for provider
// access.
type KeyVersionManager struct {
	ProviderConfigManager
	// contains filtered or unexported fields
}

func NewKeyVersionManager

func NewKeyVersionManager(
	repo repo.Repo,
	svcRegistry *cmkpluginregistry.Registry,
	tenantConfigs *TenantConfigManager,
	certManager *CertificateManager,
	cmkAuditor *auditor.Auditor,
) *KeyVersionManager

func (*KeyVersionManager) AddKeyVersion

func (kvm *KeyVersionManager) AddKeyVersion(ctx context.Context,
	key model.Key,
	_ *string,
) (*model.KeyVersion, error)

AddKeyVersion creates a new key version in repository and client provider.

func (*KeyVersionManager) CreateKeyVersion

func (kvm *KeyVersionManager) CreateKeyVersion(
	ctx context.Context,
	keyID uuid.UUID,
	nativeID *string,
) (*model.KeyVersion, error)

func (*KeyVersionManager) GetByKeyIDAndByNumber

func (kvm *KeyVersionManager) GetByKeyIDAndByNumber(
	ctx context.Context,
	keyID uuid.UUID,
	keyVersionNumber string,
) (*model.KeyVersion, error)

func (*KeyVersionManager) GetKeyVersions

func (kvm *KeyVersionManager) GetKeyVersions(
	ctx context.Context,
	keyID uuid.UUID,
	pagination repo.Pagination,
) ([]*model.KeyVersion, int, error)

type Label

// Label is the key-label surface (implemented by LabelManager).
type Label interface {
	GetKeyLabels(
		ctx context.Context,
		keyID uuid.UUID,
		pagination repo.Pagination,
	) ([]*model.KeyLabel, int, error)
	CreateOrUpdateLabel(
		ctx context.Context,
		keyID uuid.UUID,
		labels []*model.KeyLabel,
	) error
	// DeleteLabel reports via its bool whether a label was actually removed;
	// the exact meaning of false-with-nil-error is defined by the implementation.
	DeleteLabel(
		ctx context.Context,
		keyID uuid.UUID,
		labelName string,
	) (bool, error)
}

type LabelManager

// LabelManager implements Label on top of the repository.
type LabelManager struct {
	// contains filtered or unexported fields
}

func NewLabelManager

func NewLabelManager(
	repository repo.Repo,
) *LabelManager

func (*LabelManager) CreateOrUpdateLabel

func (m *LabelManager) CreateOrUpdateLabel(
	ctx context.Context,
	keyID uuid.UUID,
	labels []*model.KeyLabel,
) error

func (*LabelManager) DeleteLabel

func (m *LabelManager) DeleteLabel(
	ctx context.Context,
	keyID uuid.UUID,
	labelName string,
) (bool, error)

func (*LabelManager) GetKeyLabels

func (m *LabelManager) GetKeyLabels(
	ctx context.Context,
	keyID uuid.UUID,
	pagination repo.Pagination,
) ([]*model.KeyLabel, int, error)

type Manager

// Manager bundles every sub-manager of the package; New wires them together.
// Pointer fields hold the concrete implementations, interface fields
// (System, KeyConfig, Tags, Labels, Workflow, User, Tenant) presumably allow
// substitution in tests.
type Manager struct {
	Keys          *KeyManager
	KeyVersions   *KeyVersionManager
	TenantConfigs *TenantConfigManager
	System        System
	KeyConfig     KeyConfigurationAPI
	Tags          Tags
	Labels        Label
	Workflow      Workflow
	Certificates  *CertificateManager
	Group         *GroupManager
	User          User

	Tenant Tenant

	// Catalog is the plugin registry shared by the managers; EventFactory and
	// Auditor are the event and audit sinks they emit to.
	Catalog      *cmkpluginregistry.Registry
	EventFactory *eventprocessor.EventFactory
	Auditor      *auditor.Auditor
}

func New

func New(
	ctx context.Context,
	repo repo.Repo,
	config *config.Config,
	clientsFactory clients.Factory,
	svcRegistry *cmkpluginregistry.Registry,
	eventFactory *eventprocessor.EventFactory,
	asyncClient async.Client,
	migrator db.Migrator,
) *Manager

type OffboardingResult

// OffboardingResult is the outcome of one tenant offboarding attempt.
type OffboardingResult struct {
	// Status indicates the outcome of the offboarding process.
	Status OffboardingStatus
}

OffboardingResult represents the result of a tenant offboarding attempt.

type OffboardingStatus

// OffboardingStatus is the state of a tenant offboarding; see the
// Offboarding* constants. The zero value is deliberately not a valid status.
type OffboardingStatus int

OffboardingStatus represents the status of the tenant offboarding process.

// Offboarding states. Numbering starts at 1 so an unset OffboardingStatus (0)
// cannot be mistaken for any real state.
const (
	OffboardingProcessing OffboardingStatus = iota + 1
	OffboardingFailed
	OffboardingSuccess
)

type Pool

// Pool is a repository-backed pool of pre-provisioned keystore configurations.
// Pop removes an entry (ErrPoolIsDrained when none is left); Add returns one.
type Pool struct {
	// contains filtered or unexported fields
}

Pool stores available configurations.

func NewPool

func NewPool(repo repo.Repo) *Pool

NewPool creates a new instance of Pool.

func (*Pool) Add

func (c *Pool) Add(ctx context.Context, cfg *model.Keystore) (*model.Keystore, error)

Add `KeystoreConfiguration` to the pool.

func (*Pool) Count

func (c *Pool) Count(ctx context.Context) (int, error)

func (*Pool) Pop

func (c *Pool) Pop(ctx context.Context) (*model.Keystore, error)

Pop `KeystoreConfiguration` from the pool and return it.

type ProviderCachedKey

// ProviderCachedKey identifies a cached ProviderConfig. Tenant is part of the
// key, which is what keeps one tenant's initialised provider client from being
// handed to another; String() presumably renders it for map lookup.
type ProviderCachedKey struct {
	KeyStore string
	Provider string
	Tenant   string
}

func (ProviderCachedKey) String

func (k ProviderCachedKey) String() string

type ProviderConfig

// ProviderConfig is an initialised connection to one keystore provider
// instance, cached by ProviderConfigManager.GetOrInitProvider. Config
// presumably carries the provider credentials, so entries should not be kept
// past Expiration.
type ProviderConfig struct {
	Config     *kscommonv1.KeystoreInstanceConfig
	Client     keystoreopv1.KeystoreInstanceKeyOperationClient
	// NOTE(review): "optional" suggests a zero Expiration never expires;
	// confirm IsExpired treats the zero time that way and that such entries
	// are still evicted so revoked provider credentials are not reused.
	Expiration time.Time // Optional expiration time for the provider config
}

func (ProviderConfig) IsExpired

func (c ProviderConfig) IsExpired() bool

type ProviderConfigManager

// ProviderConfigManager resolves and caches keystore provider connections and
// maintains the keystore pool; it is embedded by KeyManager and
// KeyVersionManager.
type ProviderConfigManager struct {
	// contains filtered or unexported fields
}

func (*ProviderConfigManager) AddKeystoreToPool

func (pmc *ProviderConfigManager) AddKeystoreToPool(
	ctx context.Context,
	provider string,
	config map[string]any,
) error

func (*ProviderConfigManager) CreateKeystore

func (pmc *ProviderConfigManager) CreateKeystore(ctx context.Context) (string, map[string]any, error)

func (*ProviderConfigManager) FillKeystorePool

func (pmc *ProviderConfigManager) FillKeystorePool(ctx context.Context, size int) error

func (*ProviderConfigManager) GetDefaultKeystoreFromCatalog

func (pmc *ProviderConfigManager) GetDefaultKeystoreFromCatalog() (string, error)

func (*ProviderConfigManager) GetOrInitProvider

func (pmc *ProviderConfigManager) GetOrInitProvider(ctx context.Context, key *model.Key) (*ProviderConfig, error)

type ProviderImportFields

// ProviderImportFields holds the provider-specific half of the BYOK import
// parameters. Expires, when set, bounds how long the wrapping parameters may
// be used; ErrMissingOrExpiredImportParams is the corresponding rejection.
type ProviderImportFields struct {
	ProviderParams map[string]any
	Expires        *time.Time
}

ProviderImportFields contains provider-specific parameters and optional expiration

type System

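// System is the surface for systems (consumers linked to a key configuration);
// SystemManager is the implementation.
//
// Parameter names were corrected to match SystemManager: GetSystemByID takes a
// system ID (it was misleadingly named keyConfigID) and GetRecoveryActions's
// parameter was misspelled sytemID. Parameter names in an interface are not
// part of the method signature, so this changes no caller.
type System interface {
	GetAllSystems(ctx context.Context, params repo.QueryMapper) ([]*model.System, int, error)
	GetSystemByID(ctx context.Context, systemID uuid.UUID) (*model.System, error)
	RefreshSystemsData(ctx context.Context) bool
	LinkSystemAction(ctx context.Context, systemID uuid.UUID, patchSystem cmkapi.SystemPatch) (*model.System, error)
	// trigger is normally empty; see SystemManager.UnlinkSystemAction.
	UnlinkSystemAction(ctx context.Context, systemID uuid.UUID, trigger string) error
	GetRecoveryActions(ctx context.Context, systemID uuid.UUID) (cmkapi.SystemRecoveryAction, error)
	SendRecoveryActions(
		ctx context.Context,
		systemID uuid.UUID,
		action cmkapi.SystemRecoveryActionBodyAction,
	) error
}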

type SystemFilter

// SystemFilter narrows a system query by key configuration, region and type,
// with Skip/Top paging and an optional total Count. It implements
// repo.QueryMapper via GetQuery/GetString/GetUUID.
type SystemFilter struct {
	KeyConfigID uuid.UUID
	Region      string
	Type        string
	Skip        int
	Top         int
	Count       bool
}

func (SystemFilter) GetPagination added in v0.3.0

func (s SystemFilter) GetPagination() repo.Pagination

func (SystemFilter) GetQuery

func (s SystemFilter) GetQuery(_ context.Context) *repo.Query

func (SystemFilter) GetString

func (s SystemFilter) GetString(field repo.QueryField) (string, error)

func (SystemFilter) GetUUID

func (s SystemFilter) GetUUID(field repo.QueryField) (uuid.UUID, error)

type SystemInformation

// SystemInformation refreshes locally stored system data from the external
// registry (UpdateSystems / UpdateSystemByExternalID).
type SystemInformation struct {
	// contains filtered or unexported fields
}

func NewSystemInformationManager

func NewSystemInformationManager(repo repo.Repo,
	svcRegistry *cmkpluginregistry.Registry, systemCfg *config.System,
) (*SystemInformation, error)

func (*SystemInformation) UpdateSystemByExternalID

func (m *SystemInformation) UpdateSystemByExternalID(ctx context.Context, externalID string) error

func (*SystemInformation) UpdateSystems

func (m *SystemInformation) UpdateSystems(ctx context.Context) error

type SystemManager

// SystemManager implements System: it links and unlinks systems to key
// configurations and drives recovery actions.
type SystemManager struct {
	// KeyConfigManager is used to resolve and authorize the key configuration
	// a system is linked to.
	KeyConfigManager *KeyConfigManager
	ContextModelsCfg config.System
	// contains filtered or unexported fields
}

func NewSystemManager

func NewSystemManager(
	ctx context.Context,
	repository repo.Repo,
	clientsFactory clients.Factory,
	eventFactory *eventprocessor.EventFactory,
	svcRegistry *cmkpluginregistry.Registry,
	cfg *config.Config,
	keyConfigManager *KeyConfigManager,
	user User,
) *SystemManager

func (*SystemManager) GetAllSystems

func (m *SystemManager) GetAllSystems(
	ctx context.Context,
	params repo.QueryMapper,
) ([]*model.System, int, error)

func (*SystemManager) GetRecoveryActions

func (m *SystemManager) GetRecoveryActions(
	ctx context.Context,
	systemID uuid.UUID,
) (cmkapi.SystemRecoveryAction, error)

func (*SystemManager) GetSystemByID

func (m *SystemManager) GetSystemByID(ctx context.Context, systemID uuid.UUID) (*model.System, error)

func (*SystemManager) LinkSystemAction

func (m *SystemManager) LinkSystemAction(
	ctx context.Context,
	systemID uuid.UUID,
	patchSystem cmkapi.SystemPatch,
) (*model.System, error)

func (*SystemManager) RefreshSystemsData

func (m *SystemManager) RefreshSystemsData(ctx context.Context) bool

func (*SystemManager) SendRecoveryActions

func (m *SystemManager) SendRecoveryActions(
	ctx context.Context,
	systemID uuid.UUID,
	action cmkapi.SystemRecoveryActionBodyAction,
) error

func (*SystemManager) UnlinkSystemAction

func (m *SystemManager) UnlinkSystemAction(ctx context.Context, systemID uuid.UUID, trigger string) error

UnlinkSystemAction unlinks a system. The trigger argument records what initiated the unlink; it is empty by default and is only set during tenant decommissioning, so that the unmapping of the system is triggered once the decommission event finishes.

type TagManager

type TagManager struct {
	// contains filtered or unexported fields
}

func NewTagManager

func NewTagManager(r repo.Repo) *TagManager

func (*TagManager) DeleteTags

func (m *TagManager) DeleteTags(ctx context.Context, itemID uuid.UUID) error

func (*TagManager) GetTags

func (m *TagManager) GetTags(ctx context.Context, itemID uuid.UUID) ([]string, error)

func (*TagManager) SetTags

func (m *TagManager) SetTags(ctx context.Context, itemID uuid.UUID, values []string) error

type Tags

// Tags is the contract for the free-form string tags attached to an item
// identified by itemID. The item type is not encoded in the interface; the
// caller is responsible for passing an ID it is authorized to tag.
type Tags interface {
	// SetTags replaces the tags of itemID with values.
	SetTags(ctx context.Context, itemID uuid.UUID, values []string) error
	// GetTags returns the tags currently attached to itemID.
	GetTags(ctx context.Context, itemID uuid.UUID) ([]string, error)
	// DeleteTags removes all tags from itemID.
	DeleteTags(ctx context.Context, itemID uuid.UUID) error
}

type Tenant

// Tenant is the tenant lifecycle contract. Apart from ListTenantInfo and
// CreateTenant, every method acts on the tenant resolved from ctx rather than
// on an explicit tenant ID, so the ctx passed in must already be scoped to the
// intended tenant — OffboardTenant and DeleteTenant are destructive.
type Tenant interface {
	// GetTenant returns the tenant bound to ctx.
	GetTenant(ctx context.Context) (*model.Tenant, error) // Get tenant from context
	// ListTenantInfo lists tenants with the total count; issuerURL is an
	// optional filter (nil presumably means no filter — confirm).
	ListTenantInfo(ctx context.Context, issuerURL *string, pagination repo.Pagination) ([]*model.Tenant, int, error)
	// CreateTenant persists a new tenant.
	CreateTenant(ctx context.Context, tenant *model.Tenant) error
	// OffboardTenant drives the offboarding steps for the ctx tenant and reports
	// their aggregate state; see TenantManager.OffboardTenant for the result
	// semantics and when to retry.
	OffboardTenant(ctx context.Context) (OffboardingResult, error)
	// DeleteTenant removes the ctx tenant.
	DeleteTenant(ctx context.Context) error
}

type TenantConfigManager

type TenantConfigManager struct {
	// contains filtered or unexported fields
}

func NewTenantConfigManager

func NewTenantConfigManager(
	repo repo.Repo,
	svcRegistry *cmkpluginregistry.Registry,
	deploymentConfig *config.Config,
) *TenantConfigManager

func (*TenantConfigManager) GetDefaultKeystoreConfig

func (m *TenantConfigManager) GetDefaultKeystoreConfig(ctx context.Context) (*model.KeystoreConfig, error)

GetDefaultKeystoreConfig retrieves the tenant's default keystore config. If no config exists yet, it takes one from the pool, stores it as the tenant default and returns it — so, despite its name, this call can write to the repository on first use.

func (*TenantConfigManager) GetTenantsKeystores

func (m *TenantConfigManager) GetTenantsKeystores() (TenantKeystores, error)

func (*TenantConfigManager) GetWorkflowConfig

func (m *TenantConfigManager) GetWorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)

func (*TenantConfigManager) SetWorkflowConfig

func (m *TenantConfigManager) SetWorkflowConfig(
	ctx context.Context,
	workflowConfig *model.WorkflowConfig,
) (*model.WorkflowConfig, error)

SetWorkflowConfig stores the given workflow config; if workflowConfig is nil, it creates and stores the default config instead.

func (*TenantConfigManager) UpdateWorkflowConfig added in v0.3.0

func (m *TenantConfigManager) UpdateWorkflowConfig(
	ctx context.Context,
	update *cmkapi.TenantWorkflowConfiguration,
) (*model.WorkflowConfig, error)

UpdateWorkflowConfig retrieves the existing config, merges update into it, and saves the result. This configuration governs whether tenant operations must pass through an approval workflow (see Workflow.IsWorkflowRequired), so changing it is itself a privileged action; the authorization check is not visible at this level and should be verified at the call site.

type TenantKeystores

type TenantKeystores struct {
	Default model.KeystoreConfig
	HYOK    HYOKKeystore
}

type TenantManager

type TenantManager struct {
	// contains filtered or unexported fields
}

func NewTenantManager

func NewTenantManager(
	repo repo.Repo,
	sysManager System,
	keyManager *KeyManager,
	user User,
	cmkAuditor *auditor.Auditor,
	migrator db.Migrator,
) *TenantManager

func (*TenantManager) CreateTenant

func (m *TenantManager) CreateTenant(ctx context.Context, tenant *model.Tenant) error

func (*TenantManager) DeleteTenant

func (m *TenantManager) DeleteTenant(ctx context.Context) error

func (*TenantManager) GetTenant

func (m *TenantManager) GetTenant(ctx context.Context) (*model.Tenant, error)

func (*TenantManager) GetTenantByID

func (m *TenantManager) GetTenantByID(ctx context.Context, tenantID string) (*model.Tenant, error)

func (*TenantManager) ListTenantInfo

func (m *TenantManager) ListTenantInfo(
	ctx context.Context,
	issuerURL *string,
	pagination repo.Pagination,
) ([]*model.Tenant, int, error)

func (*TenantManager) OffboardTenant

func (m *TenantManager) OffboardTenant(ctx context.Context) (OffboardingResult, error)

OffboardTenant triggers the events that offboard the tenant bound to ctx and reports the aggregate state:
- OffboardingProcessing: at least one step is still in progress (retry later)
- OffboardingFailed: at least one step has failed permanently
- OffboardingSuccess: all steps completed successfully
- error: the offboarding process hit an unexpected error, in which case the call should be retried later

type User

// User is the identity and authorization facade used by the managers in this
// package. Every method derives the caller from ctx — none takes an explicit
// principal — so callers must pass the request-scoped context carrying the
// authenticated identity (NOTE(review): how that identity reaches ctx is not
// visible here; confirm against the authentication middleware).
//
// Callers should fail closed: treat (false, nil) as deny and a non-nil error
// as deny as well, never as "unknown, allow" — NOTE(review): verify call sites.
type User interface {
	// HasTenantAccess reports whether the caller may act within the tenant
	// bound to ctx.
	HasTenantAccess(ctx context.Context) (bool, error)
	// HasSystemAccess reports whether the caller may perform action on system.
	HasSystemAccess(ctx context.Context, action authz.Action, system *model.System) (bool, error)
	// HasKeyAccess reports whether the caller may perform action on the key
	// belonging to the key configuration identified by keyConfig (an ID here,
	// unlike HasKeyConfigAccess which takes the loaded configuration).
	HasKeyAccess(ctx context.Context, action authz.Action, keyConfig uuid.UUID) (bool, error)
	// HasKeyConfigAccess reports whether the caller may perform action on
	// keyConfig.
	HasKeyConfigAccess(
		ctx context.Context,
		action authz.Action,
		keyConfig *model.KeyConfiguration,
	) (bool, error)
	// GetRoleFromIAM resolves the caller's role from the supplied IAM
	// identifiers. NOTE(review): iamIdentifiers come from the caller, so the
	// implementation must validate them against the authenticated identity
	// rather than trusting them — confirm.
	GetRoleFromIAM(ctx context.Context, iamIdentifiers []string) (constants.Role, error)
	// GetUserInfo returns identity attributes of the caller in ctx.
	GetUserInfo(ctx context.Context) (UserInfo, error)
	// NeedsGroupFiltering reports whether results of action on resource must be
	// restricted to the caller's groups rather than returned unfiltered.
	NeedsGroupFiltering(
		ctx context.Context,
		action authz.Action,
		resource authz.ResourceTypeName,
	) (bool, error)
}

func NewUserManager

func NewUserManager(r repo.Repo, cmkAuditor *auditor.Auditor) User

type UserInfo

// UserInfo carries the identity attributes of the caller as returned by
// User.GetUserInfo. These values describe an already-authenticated identity;
// they are data to display and audit, not inputs for authorization decisions.
type UserInfo struct {
	Email      string
	FamilyName string
	GivenName  string
	// Identifier is the caller's unique identity identifier (format not
	// visible here — presumably the IAM identifier; confirm).
	Identifier string
	// Role is the resolved role as a plain string. NOTE(review): User.GetRoleFromIAM
	// returns constants.Role; the two should agree on the value set.
	Role       string
}

type Workflow

// Workflow is the approval-workflow contract: an operation that requires
// approval is represented by a model.Workflow, assigned approvers record
// decisions, and the workflow is moved through wf.Transition states.
type Workflow interface {
	// CheckWorkflow evaluates the workflow's state for the caller and reports it
	// as a WorkflowStatus (enabled/exists/valid/can-create plus error details).
	CheckWorkflow(ctx context.Context, workflow *model.Workflow) (WorkflowStatus, error)
	// GetWorkflows lists workflows matching params with the total count.
	GetWorkflows(ctx context.Context, params repo.QueryMapper) ([]*model.Workflow, int, error)
	// CreateWorkflow persists a new workflow and returns the stored record.
	CreateWorkflow(ctx context.Context, workflow *model.Workflow) (*model.Workflow, error)
	// GetWorkflowByID fetches a single workflow.
	GetWorkflowByID(ctx context.Context, workflowID uuid.UUID) (*model.Workflow, error)
	// ListWorkflowApprovers pages through the approvers of workflow id;
	// decisionMade presumably selects approvers who have (true) or have not
	// (false) decided yet — confirm.
	ListWorkflowApprovers(
		ctx context.Context,
		id uuid.UUID,
		decisionMade bool,
		pagination repo.Pagination,
	) ([]*model.WorkflowApprover, int, error)
	// GetWorkflowAvailableTransitions returns the transitions that may be
	// applied to workflow. NOTE(review): whether this is evaluated for the
	// caller in ctx or for any user is not visible here.
	GetWorkflowAvailableTransitions(ctx context.Context, workflow *model.Workflow) ([]wf.Transition, error)
	// GetWorkflowApprovalSummary summarises the approval progress of workflow.
	GetWorkflowApprovalSummary(ctx context.Context, workflow *model.Workflow) (*wf.ApprovalSummary, error)
	// TransitionWorkflow applies transition to workflowID and returns the
	// updated workflow. NOTE(review): the check that the caller is entitled to
	// this transition (e.g. an assigned approver rather than the requester) is
	// not expressed in this interface and must live in the implementation.
	TransitionWorkflow(
		ctx context.Context,
		workflowID uuid.UUID,
		transition wf.Transition,
	) (*model.Workflow, error)
	// WorkflowConfig returns the tenant's workflow configuration.
	WorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)
	// IsWorkflowRequired reports whether operations in the ctx tenant must go
	// through an approval workflow.
	IsWorkflowRequired(ctx context.Context) (bool, error)
	// CleanupTerminalWorkflows cleans up workflows that reached a terminal
	// state (whether they are deleted or archived is not visible here).
	CleanupTerminalWorkflows(ctx context.Context) error
}

type WorkflowFilter

type WorkflowFilter struct {
	State                  string
	ArtifactType           string
	ArtifactID             uuid.UUID
	ArtifactName           string
	ParametersResourceName string
	ActionType             string
	Skip                   int
	Top                    int
	Count                  bool
}

func NewWorkflowFilterFromOData

func NewWorkflowFilterFromOData(queryMapper odata.QueryOdataMapper) (*WorkflowFilter, error)

func (WorkflowFilter) GetPagination added in v0.3.0

func (w WorkflowFilter) GetPagination() repo.Pagination

func (WorkflowFilter) GetQuery

func (w WorkflowFilter) GetQuery(_ context.Context) *repo.Query

func (WorkflowFilter) GetString

func (w WorkflowFilter) GetString(field repo.QueryField) (string, error)

func (WorkflowFilter) GetUUID

func (w WorkflowFilter) GetUUID(field repo.QueryField) (uuid.UUID, error)

type WorkflowManager

type WorkflowManager struct {
	// contains filtered or unexported fields
}

func NewWorkflowManager

func NewWorkflowManager(
	repository repo.Repo,
	keyManager *KeyManager,
	keyConfigurationManager *KeyConfigManager,
	systemManager *SystemManager,
	groupManager *GroupManager,
	userManager User,
	asyncClient async.Client,
	tenantConfigManager *TenantConfigManager,
	cfg *config.Config,
) *WorkflowManager

func (*WorkflowManager) AutoAssignApprovers

func (w *WorkflowManager) AutoAssignApprovers(
	ctx context.Context,
	workflowID uuid.UUID,
) (*model.Workflow, error)

func (*WorkflowManager) CheckWorkflow

func (w *WorkflowManager) CheckWorkflow(
	ctx context.Context,
	workflow *model.Workflow,
) (WorkflowStatus, error)

func (*WorkflowManager) CleanupTerminalWorkflows

func (w *WorkflowManager) CleanupTerminalWorkflows(ctx context.Context) error

func (*WorkflowManager) CreateWorkflow

func (w *WorkflowManager) CreateWorkflow(
	ctx context.Context,
	workflow *model.Workflow,
) (*model.Workflow, error)

func (*WorkflowManager) GetWorkflowApprovalSummary

func (w *WorkflowManager) GetWorkflowApprovalSummary(
	ctx context.Context,
	workflow *model.Workflow,
) (*wf.ApprovalSummary, error)

func (*WorkflowManager) GetWorkflowAvailableTransitions

func (w *WorkflowManager) GetWorkflowAvailableTransitions(
	ctx context.Context,
	workflow *model.Workflow,
) ([]wf.Transition, error)

func (*WorkflowManager) GetWorkflowByID

func (w *WorkflowManager) GetWorkflowByID(ctx context.Context, workflowID uuid.UUID) (*model.Workflow, error)

func (*WorkflowManager) GetWorkflows

func (w *WorkflowManager) GetWorkflows(
	ctx context.Context,
	params repo.QueryMapper,
) ([]*model.Workflow, int, error)

func (*WorkflowManager) IsWorkflowRequired

func (w *WorkflowManager) IsWorkflowRequired(ctx context.Context) (bool, error)

func (*WorkflowManager) ListWorkflowApprovers

func (w *WorkflowManager) ListWorkflowApprovers(
	ctx context.Context,
	id uuid.UUID,
	decisionMade bool,
	pagination repo.Pagination,
) ([]*model.WorkflowApprover, int, error)

ListWorkflowApprovers retrieves a paginated list of approvers for a given workflow ID. Returns a slice of WorkflowApprover, the total count, and an error if any occurs.

func (*WorkflowManager) TransitionWorkflow

func (w *WorkflowManager) TransitionWorkflow(
	ctx context.Context,
	workflowID uuid.UUID,
	transition wf.Transition,
) (*model.Workflow, error)

func (*WorkflowManager) WorkflowConfig

func (w *WorkflowManager) WorkflowConfig(ctx context.Context) (*model.WorkflowConfig, error)

type WorkflowStatus

// WorkflowStatus is the result of Workflow.CheckWorkflow. Field meanings below
// are inferred from the field names — confirm against CheckWorkflow.
type WorkflowStatus struct {
	// Enabled: the approval-workflow feature is enabled for the tenant.
	Enabled    bool
	// Exists: a workflow already exists for the checked operation.
	Exists     bool
	// Valid: the existing workflow is in a usable state.
	Valid      bool
	// CanCreate: a new workflow may be created.
	CanCreate  bool
	// ErrDetails carries the reason when one of the flags is false; it is
	// informational and separate from the error returned by CheckWorkflow.
	ErrDetails error
}
