Extend acra-keys destroy with specific rotated key #641
Conversation
Extended acra-keys destroy with destroying specific rotated key
return ErrInvalidIndex
}

rotatedKey := rotatedKeyFiles[index-1]
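Review bot: `rotatedKeyFiles[index-1]` is only safe when index lies in [1, len(rotatedKeyFiles)], and only the `return ErrInvalidIndex` branch of the check is visible above it; make sure that check rejects both index < 1 (which would read rotatedKeyFiles[-1] or earlier) and index > len(rotatedKeyFiles), and sort rotatedKeyFiles by name before indexing so that `--index` selects the same key on every filesystem instead of depending on the order entries were enumerated.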
Are we sure that ReadDir returns files in the expected order? Can it be changed on other filesystems?
Or would it be better to sort by name (which contains a timestamp) on the keystore side, to be sure that it works the same in all environments?
According to ReadDir, it returns a list of directory entries sorted by filename. So we need to check that the implementation of the Storage interface matches that requirement.
keystore/v2/keystore/hmac.go
return err
}
// Index represent virtual index of key
// 1 is always index of current key of the keystore
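Review bot: the doc comment on Index says that 1 is the current key but gives neither the valid range nor the behaviour for an index that points at a key which was already destroyed; state the range (1 up to the number of keys in the keyring), that the keyring itself is 0-indexed with this value being a separate 1-based virtual index, and whether an index that lands on a destroyed key is rejected with an error or treated as a no-op.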
This comment is a bit confusing because we decrement by one below... IMHO, we should describe here that keyrings have an internal index starting from 0, and that the index we get here represents a virtual index starting from 1.
P.S. Does it work correctly with destroyed keys? Which key will be destroyed if we have current + destroyed + rotated + rotated and we call acra-keys destroy --index 2? Will it destroy the first rotated key, or destroy the already-destroyed key a second time? Can we test that case?
Added!
Fixed after review
keystore/v2/keystore/keyStore.go
return ErrInvalidIndex
}
// 1 is always index of current key of the keystore, so we need to subtract 1 from search index
// as slice element enumeration starts from 0 subtract 1 again
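Review bot: the comment explains the position as two separate subtractions (one because virtual index 1 is the current key, one because slice enumeration starts from 0) but does not say what is being subtracted from; since the newest key sits at the last slice position, the two subtractions collapse to len(keys)-index, which is easier to read and to check than two decrements in a row. Whichever form is kept, the ErrInvalidIndex branch above must reject both index < 1 and index > len(keys), because the computed position is past the end for the former and negative for the latter.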
Let's add more explanation of why we decrease twice: the keyring internally stores keys from older to newer, and the newest key has index len(keys)-1. So we decrease once to start from the len(keys)-1 position. The incoming parameter index represents the virtual index starting from 1, where 1 is the newest key. But slices work with 0-indexation, so we decrease one more time.
Added
Extended comment above tricky part
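As an added example, not code from this PR or from Acra itself, the following Go program models the two points discussed in the review above: sorting key entries by name before indexing, so the result does not depend on the order a filesystem enumerates files, and mapping the 1-based virtual index (1 = newest, i.e. current, key) onto a slice stored oldest to newest. The keyEntry/keyState types, the file names, the error values and the decision to refuse an index that lands on an already-destroyed key are assumptions made for the example; the sample keyring is constructed to match the reviewer's "current + destroyed + rotated + rotated" scenario.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Hypothetical keyring model for this example (not Acra's own types):
// entries are kept oldest to newest, so the newest key is keys[len(keys)-1].
type keyState int

const (
	stateCurrent keyState = iota
	stateRotated
	stateDestroyed
)

func (s keyState) String() string {
	return [...]string{"current", "rotated", "destroyed"}[s]
}

// keyEntry stands in for one key file; Name is assumed to begin with a
// timestamp, which is what makes sorting by name give chronological order.
type keyEntry struct {
	Name  string
	State keyState
}

var (
	ErrInvalidIndex     = errors.New("keystore: invalid key index")
	ErrAlreadyDestroyed = errors.New("keystore: key is already destroyed")
)

// sortedByName returns a copy ordered by file name, so the virtual index
// never depends on the order a particular filesystem enumerates entries.
func sortedByName(entries []keyEntry) []keyEntry {
	out := append([]keyEntry(nil), entries...)
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// slicePosition maps the 1-based virtual index (1 = newest key) onto the
// 0-based position in a slice stored oldest to newest. The newest key is at
// n-1, so index 1 -> n-1, index 2 -> n-2, ...: n-1-(index-1) = n-index.
// Both bounds are checked, because n-index is negative for index > n and
// equals n (one past the end) for index == 0.
func slicePosition(index, n int) (int, error) {
	if index < 1 || index > n {
		return 0, ErrInvalidIndex
	}
	return n - index, nil
}

// destroyByIndex marks the key selected by the virtual index as destroyed.
// An index that lands on an already-destroyed key is reported as an error
// (an assumption of this example) instead of silently "destroying" it again,
// so the operator learns the index hit a tombstone rather than a live key.
func destroyByIndex(keys []keyEntry, index int) ([]keyEntry, error) {
	keys = sortedByName(keys)
	pos, err := slicePosition(index, len(keys))
	if err != nil {
		return keys, err
	}
	if keys[pos].State == stateDestroyed {
		return keys, ErrAlreadyDestroyed
	}
	keys[pos].State = stateDestroyed
	return keys, nil
}

// sampleKeyring is a constructed keyring mirroring the reviewer's scenario,
// oldest to newest: rotated, rotated, destroyed, current. Seen through the
// virtual index: 1 = current, 2 = destroyed, 3 and 4 = the rotated keys.
func sampleKeyring() []keyEntry {
	return []keyEntry{
		{Name: "2023-01-01T00-00-00.key", State: stateRotated},
		{Name: "2023-02-01T00-00-00.key", State: stateRotated},
		{Name: "2023-03-01T00-00-00.key", State: stateDestroyed},
		{Name: "2023-04-01T00-00-00.key", State: stateCurrent},
	}
}

func main() {
	for _, index := range []int{0, 2, 3, 5} {
		keys, err := destroyByIndex(sampleKeyring(), index)
		if err != nil {
			fmt.Printf("--index %d: %v\n", index, err)
			continue
		}
		for pos, k := range keys {
			fmt.Printf("--index %d: keys[%d] %s %s\n", index, pos, k.Name, k.State)
		}
	}
}
```

With this model, `--index 2` on the sample keyring hits the destroyed key and is refused, `--index 3` destroys the newer of the two rotated keys, and reversing the input order changes nothing because the entries are sorted by name before the index is applied.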
great job
I forgot about integration tests... Can you add integration tests to be sure that the whole flow works when executing the binary?
Extended acra-keys destroy with destroying the specific rotated keys.
--index representing the key to destroy.
StorageRotatedKeyDestruction
Checklist
with new changes