remove package kms and keserv

This commit removes the two packages `kms` and `keserv`. Both packages are no longer needed since better implementations are available via the `kv` and `edge` package. This cleans up a some code and removes two layers of indirection. Signed-off-by: Andreas Auernhammer <[email protected]>
minio · May 8, 2023 · f37fe50 · f37fe50
1 parent 1e46c48
commit f37fe50
Show file tree

Hide file tree

Showing 37 changed files with 586 additions and 3,379 deletions.
diff --git a/cmd/kes/migrate.go b/cmd/kes/migrate.go
@@ -16,8 +16,8 @@ import (
 
 	"github.com/fatih/color"
 	"github.com/minio/kes-go"
+	"github.com/minio/kes/edge"
 	"github.com/minio/kes/internal/cli"
-	"github.com/minio/kes/keserv"
 	flag "github.com/spf13/pflag"
 	"golang.org/x/term"
 )
@@ -86,21 +86,32 @@ func migrateCmd(args []string) {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Kill, os.Interrupt)
 	defer cancel()
 
-	sourceConfig, err := keserv.ReadServerConfig(fromPath)
+	file, err := os.Open(fromPath)
 	if err != nil {
 		cli.Fatalf("failed to read '--from' config file: %v", err)
 	}
+	sourceConfig, err := edge.ReadServerConfigYAML(file)
+	if err != nil {
+		cli.Fatalf("failed to read '--from' config file: %v", err)
+	}
+	file.Close()
 
-	targetConfig, err := keserv.ReadServerConfig(toPath)
+	file, err = os.Open(toPath)
 	if err != nil {
 		cli.Fatalf("failed to read '--to' config file: %v", err)
 	}
 
-	src, err := sourceConfig.KMS.Connect(ctx)
+	targetConfig, err := edge.ReadServerConfigYAML(file)
+	if err != nil {
+		cli.Fatalf("failed to read '--to' config file: %v", err)
+	}
+	file.Close()
+
+	src, err := sourceConfig.KeyStore.Connect(ctx)
 	if err != nil {
 		cli.Fatal(err)
 	}
-	dst, err := targetConfig.KMS.Connect(ctx)
+	dst, err := targetConfig.KeyStore.Connect(ctx)
 	if err != nil {
 		cli.Fatal(err)
 	}
@@ -133,11 +144,15 @@ func migrateCmd(args []string) {
 	}()
 
 	// Finally, we start the actual migration.
-	for iterator.Next() {
-		name := iterator.Name()
+	for {
+		name, ok := iterator.Next()
+		if !ok {
+			break
+		}
 		if ok, _ := filepath.Match(pattern, name); !ok {
 			continue
 		}
+		fmt.Println(name)
 
 		key, err := src.Get(ctx, name)
 		if err != nil {

diff --git a/edge/server-config.go b/edge/server-config.go
@@ -18,7 +18,6 @@ import (
 	"github.com/minio/kes/internal/keystore/gemalto"
 	kesstore "github.com/minio/kes/internal/keystore/kes"
 	"github.com/minio/kes/internal/keystore/vault"
-	"github.com/minio/kes/kms"
 	"github.com/minio/kes/kv"
 )
 
@@ -242,7 +241,7 @@ type FSKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs in a path on the filesystem.
 func (s *FSKeyStore) Connect(context.Context) (kv.Store[string, []byte], error) {
-	return wrap(fs.NewConn(s.Path))
+	return fs.NewStore(s.Path)
 }
 
 // KESKeyStore is a structure containing the configuration
@@ -278,13 +277,13 @@ type KESKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs on a KES server.
 func (s *KESKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte], error) {
-	return wrap(kesstore.Connect(ctx, &kesstore.Config{
+	return kesstore.Connect(ctx, &kesstore.Config{
 		Endpoints:   s.Endpoints,
 		Enclave:     s.Enclave,
 		Certificate: s.CertificateFile,
 		PrivateKey:  s.PrivateKeyFile,
 		CAPath:      s.CAPath,
-	}))
+	})
 }
 
 // VaultKeyStore is a structure containing the configuration
@@ -417,7 +416,7 @@ func (s *VaultKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte],
 			JWT:    s.Kubernetes.JWT,
 		}
 	}
-	return wrap(vault.Connect(ctx, c))
+	return vault.Connect(ctx, c)
 }
 
 // FortanixKeyStore is a structure containing the
@@ -446,12 +445,12 @@ type FortanixKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs on a Fortanix SDKMS server.
 func (s *FortanixKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte], error) {
-	return wrap(fortanix.Connect(ctx, &fortanix.Config{
+	return fortanix.Connect(ctx, &fortanix.Config{
 		Endpoint: s.Endpoint,
 		GroupID:  s.GroupID,
 		APIKey:   fortanix.APIKey(s.APIKey),
 		CAPath:   s.CAPath,
-	}))
+	})
 }
 
 // KeySecureKeyStore is a structure containing the
@@ -483,14 +482,14 @@ type KeySecureKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs on a Gemalto KeySecure instance.
 func (s *KeySecureKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte], error) {
-	return wrap(gemalto.Connect(ctx, &gemalto.Config{
+	return gemalto.Connect(ctx, &gemalto.Config{
 		Endpoint: s.Endpoint,
 		CAPath:   s.CAPath,
 		Login: gemalto.Credentials{
 			Token:  s.Token,
 			Domain: s.Domain,
 		},
-	}))
+	})
 }
 
 // GCPSecretManagerKeyStore is a structure containing the
@@ -534,7 +533,7 @@ type GCPSecretManagerKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs on GCP SecretManager.
 func (s *GCPSecretManagerKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte], error) {
-	return wrap(gcp.Connect(ctx, &gcp.Config{
+	return gcp.Connect(ctx, &gcp.Config{
 		Endpoint:  s.Endpoint,
 		ProjectID: s.ProjectID,
 		Scopes:    s.Scopes,
@@ -544,7 +543,7 @@ func (s *GCPSecretManagerKeyStore) Connect(ctx context.Context) (kv.Store[string
 			KeyID:    s.KeyID,
 			Key:      s.Key,
 		},
-	}))
+	})
 }
 
 // AWSSecretsManagerKeyStore is a structure containing the
@@ -580,7 +579,7 @@ type AWSSecretsManagerKeyStore struct {
 
 // Connect returns a kv.Store that stores key-value pairs on AWS SecretsManager.
 func (s *AWSSecretsManagerKeyStore) Connect(ctx context.Context) (kv.Store[string, []byte], error) {
-	return wrap(aws.Connect(ctx, &aws.Config{
+	return aws.Connect(ctx, &aws.Config{
 		Addr:     s.Endpoint,
 		Region:   s.Region,
 		KMSKeyID: s.KMSKey,
@@ -589,7 +588,7 @@ func (s *AWSSecretsManagerKeyStore) Connect(ctx context.Context) (kv.Store[strin
 			SecretKey:    s.SecretKey,
 			SessionToken: s.SessionToken,
 		},
-	}))
+	})
 }
 
 // AzureKeyVaultKeyStore is a structure containing the
@@ -628,80 +627,13 @@ func (s *AzureKeyVaultKeyStore) Connect(ctx context.Context) (kv.Store[string, [
 			ClientID: s.ClientID,
 			Secret:   s.ClientSecret,
 		}
-		return wrap(azure.ConnectWithCredentials(ctx, s.Endpoint, creds))
+		return azure.ConnectWithCredentials(ctx, s.Endpoint, creds)
 	case s.ManagedIdentityClientID != "":
 		creds := azure.ManagedIdentity{
 			ClientID: s.ManagedIdentityClientID,
 		}
-		return wrap(azure.ConnectWithIdentity(ctx, s.Endpoint, creds))
+		return azure.ConnectWithIdentity(ctx, s.Endpoint, creds)
 	default:
 		return nil, errors.New("edge: failed to connect to Azure KeyVault: no authentication method specified")
 	}
 }
-
-func wrap(conn kms.Conn, err error) (kv.Store[string, []byte], error) {
-	if err != nil {
-		return nil, err
-	}
-	return &store{conn: conn}, nil
-}
-
-type store struct {
-	conn kms.Conn
-}
-
-var _ kv.Store[string, []byte] = (*store)(nil) // compiler check
-
-func (s *store) Status(ctx context.Context) (kv.State, error) {
-	state, err := s.conn.Status(ctx)
-	if err == nil {
-		return kv.State(state), nil
-	}
-
-	if uErr, ok := kms.IsUnreachable(err); ok {
-		return kv.State{}, &kv.Unreachable{Err: uErr.Err}
-	}
-	if uErr, ok := kms.IsUnavailable(err); ok {
-		return kv.State{}, &kv.Unreachable{Err: uErr.Err}
-	}
-	return kv.State{}, err
-}
-
-func (s *store) Create(ctx context.Context, name string, value []byte) error {
-	return s.conn.Create(ctx, name, value)
-}
-
-func (s *store) Set(ctx context.Context, name string, value []byte) error {
-	return s.conn.Create(ctx, name, value)
-}
-
-func (s *store) Get(ctx context.Context, name string) ([]byte, error) {
-	return s.conn.Get(ctx, name)
-}
-
-func (s *store) Delete(ctx context.Context, name string) error {
-	return s.conn.Delete(ctx, name)
-}
-
-func (s *store) List(ctx context.Context) (kv.Iter[string], error) {
-	i, err := s.conn.List(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &iter{iter: i}, nil
-}
-
-type iter struct {
-	iter kms.Iter
-}
-
-var _ kv.Iter[string] = (*iter)(nil) // compiler check
-
-func (i *iter) Next() (string, bool) {
-	if next := i.iter.Next(); next {
-		return i.iter.Name(), next
-	}
-	return "", false
-}
-
-func (i *iter) Close() error { return i.iter.Close() }
diff --git a/internal/api/key.go b/internal/api/key.go
@@ -992,11 +992,11 @@ func listKey(config *RouterConfig) API {
 
 				var hasWritten bool
 				encoder := json.NewEncoder(w)
-				for iterator.Next() {
-					if ok, _ := path.Match(pattern, iterator.Name()); !ok || iterator.Name() == "" {
+				for name, next := iterator.Next(); next; name, next = iterator.Next() {
+					if ok, _ := path.Match(pattern, name); !ok || name == "" {
 						continue
 					}
-					key, err := enclave.GetKey(r.Context(), iterator.Name())
+					key, err := enclave.GetKey(r.Context(), name)
 					if err != nil {
 						return hasWritten, err
 					}
@@ -1007,7 +1007,7 @@ func listKey(config *RouterConfig) API {
 					}
 
 					err = encoder.Encode(Response{
-						Name:      iterator.Name(),
+						Name:      name,
 						ID:        key.ID(),
 						Algorithm: key.Algorithm(),
 						CreatedAt: key.CreatedAt(),

diff --git a/internal/api/status.go b/internal/api/status.go
@@ -13,7 +13,7 @@ import (
 	"github.com/minio/kes/internal/audit"
 	"github.com/minio/kes/internal/auth"
 	"github.com/minio/kes/internal/sys"
-	"github.com/minio/kes/kms"
+	"github.com/minio/kes/kv"
 )
 
 func status(config *RouterConfig) API {
@@ -193,7 +193,7 @@ func edgeStatus(config *EdgeRouterConfig) API {
 		state, err := config.Keys.Status(r.Context())
 		if err != nil {
 			response.KeyStoreUnavailable = true
-			_, response.KeyStoreUnreachable = kms.IsUnreachable(err)
+			_, response.KeyStoreUnreachable = kv.IsUnreachable(err)
 		} else {
 			latency := state.Latency.Round(time.Millisecond)
 			if latency == 0 { // Make sure we actually send a latency even if the key store respond time is < 1ms.