Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend acra-keys destroy with specific rotated key #641

Merged
merged 4 commits into from Mar 1, 2023
Merged

Extend acra-keys destroy with specific rotated key #641

merged 4 commits into from Mar 1, 2023

Conversation

Zhaars
Copy link
Contributor

@Zhaars Zhaars commented Feb 21, 2023

Extended acra-keys destroy with destroying the specific rotated keys.

  • Introduce a new flag --index representing the key to destroy.
  • Introduce new interface for destruction of rotated key StorageRotatedKeyDestruction

Checklist

@Zhaars
zhars/extend_destroy_with_specific_rotated_key
d75ad14 
Extended acra-keys destroy with destroying specific rotated key
@Zhaars Zhaars requested a review from Lagovas February 21, 2023 21:29
Lagovas
Lagovas reviewed Feb 21, 2023
View reviewed changes
keystore/filesystem/server_keystore.go
return ErrInvalidIndex
}

rotatedKey := rotatedKeyFiles[index-1]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we sure that ReadDir returns files in the expected order? can it be changed in other filesystems?
or will be better to sort on keystore by name (that contains timestamp) side to be sure that it works similar in all environments?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to ReadDir it returns a list of directory entries sorted by filename. So we need to check the implementation of Storage interface to match that requirement

keystore/v2/keystore/hmac.go Outdated
return err
}
// Index represent virtual index of key
// 1 is always index of current key of the keystore
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment confuse a bit because we decrement by one below... IMHO, we should describe here, that keyrings have internal index starting from 0 and we get index here that represents virtual index starting from 1.

p.s. does it work correctly with destroyed keys? What key will be destroyed, if we have current + destroyed + rotated + rotated and we call acra-keys destroy --index 2? will it destroy first rotated or destroy second time already destroyed? can we test that case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added!

@Zhaars Zhaars requested a review from Lagovas February 22, 2023 16:08
Lagovas
Lagovas reviewed Feb 22, 2023
View reviewed changes
keystore/v2/keystore/keyStore.go Outdated
return ErrInvalidIndex
}
// 1 is always index of current key of the keystore, so we need to subtract 1 from search index
// as slice element enumeration starts from 0 subtract 1 again
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets add more explanation of why we decrease 2:

keyring internally stores keys from older to newer and the newest key has index len(keys) -1. So we decrease once to start from the len(keys)-1 position. Incoming parameter index represents the virtual index starting from 1 where 1 is the newest key. But slices work with 0-indexation, so we decrease one more time.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

@Zhaars
zhars/extend_destroy_with_specific_rotated_key
85eb86e 
Extended comment above tricky part
Lagovas
Lagovas approved these changes Feb 22, 2023
View reviewed changes
Copy link
Collaborator

@Lagovas Lagovas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great job

Lagovas
Lagovas requested changes Feb 22, 2023
View reviewed changes
Copy link
Collaborator

@Lagovas Lagovas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I forgot about integration tests... can you add integration tests to be sure that whole flow works from executing binary?

@Zhaars Zhaars mentioned this pull request Feb 23, 2023
Merged
@Zhaars Zhaars merged commit c42db60 into master Mar 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Lagovas Lagovas Lagovas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Zhaars @Lagovas