Merge branch 'master' into upgrade_azserect_client

api_test.go

@@ -6,6 +6,7 @@ package kes
 
 import (
 	"bytes"
+	"crypto/hmac"
 	"errors"
 	"net/http"
 	"runtime"
@@ -15,7 +16,7 @@ import (
 	"time"
 
 	"aead.dev/mem"
-	"github.com/minio/kes-go"
+	"github.com/minio/kms-go/kes"
 )
 
 func TestImportKey(t *testing.T) {
@@ -54,6 +55,7 @@ func TestAPI(t *testing.T) {
 	t.Run("v1/key/import", testImportKey)
 	t.Run("v1/key/describe", testDescribeKey)
 	t.Run("v1/key/generate", testGenerateKey)
+	t.Run("v1/key/hmac", testHMAC)
 	t.Run("v1/key/encrypt", testEncryptDecryptKey) // also tests decryption
 	t.Run("v1/key/list", testListKeys)
 	t.Run("v1/identity/describe", testDescribeIdentity)
@@ -335,6 +337,53 @@ func testGenerateKey(t *testing.T) {
 	}
 }
 
+func testHMAC(t *testing.T) {
+	t.Parallel()
+
+	ctx := testContext(t)
+	srv, url := startServer(ctx, nil)
+	defer srv.Close()
+
+	message1 := []byte("Hello World")
+	message2 := []byte("Hello World!")
+
+	client := defaultClient(url)
+	for i, test := range validNameTests {
+		err := client.CreateKey(ctx, test.Name)
+		if err == nil && test.ShouldFail {
+			t.Errorf("Test %d: setup: creating key '%s' should have failed", i, test.Name)
+		}
+		if err != nil && !test.ShouldFail {
+			t.Errorf("Test %d: setup: failed to create key '%s': %v", i, test.Name, err)
+		}
+
+		if test.ShouldFail {
+			continue
+		}
+
+		sum1, err := client.HMAC(ctx, test.Name, message1)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+		sum2, err := client.HMAC(ctx, test.Name, message2)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+		if hmac.Equal(sum1, sum2) {
+			t.Errorf("Test %d: HMACs of different messages are equal: got '%x' and '%x'", i, sum1, sum2)
+		}
+
+		verifySum, err := client.HMAC(ctx, test.Name, message1)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+
+		if !hmac.Equal(sum1, verifySum) {
+			t.Errorf("Test %d: HMACs of equal messages are not equal: got '%x' and '%x'", i, sum1, verifySum)
+		}
+	}
+}
+
 func testEncryptDecryptKey(t *testing.T) {
 	t.Parallel()
 

audit.go

@@ -11,8 +11,8 @@ import (
 	"net/netip"
 	"time"
 
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/api"
+	"github.com/minio/kms-go/kes"
 )
 
 // AuditRecord describes an audit event logged by a KES server.

auth.go

@@ -13,8 +13,8 @@ import (
 	"net/http"
 	"sync/atomic"
 
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/api"
+	"github.com/minio/kms-go/kes"
 )
 
 // verifyIdentity authenticates client requests by verifying that

cmd/kes/identity.go

@@ -24,9 +24,9 @@ import (
 	"time"
 
 	tui "github.com/charmbracelet/lipgloss"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
 	"github.com/minio/kes/internal/https"
+	"github.com/minio/kms-go/kes"
 	flag "github.com/spf13/pflag"
 	"golang.org/x/term"
 )
@@ -39,7 +39,6 @@ Commands:
     of                       Compute a KES identity from a certificate.
     info                     Get information about a KES identity.
     ls                       List KES identities.
-    rm                       Remove a KES identity.
 
 Options:
     -h, --help               Print command line options.
@@ -54,7 +53,6 @@ func identityCmd(args []string) {
 		"of":   ofIdentityCmd,
 		"info": infoIdentityCmd,
 		"ls":   lsIdentityCmd,
-		"rm":   rmIdentityCmd,
 	}
 
 	if len(args) < 2 {
@@ -480,7 +478,6 @@ Options:
                              is detected - colors are automatically disabled if
                              the output goes to a pipe.
                              Possible values: *auto*, never, always.
-    -e, --enclave <name>     Operate within the specified enclave.
 
     -h, --help               Print command line options.
 
@@ -497,12 +494,10 @@ func lsIdentityCmd(args []string) {
 		jsonFlag           bool
 		colorFlag          colorOption
 		insecureSkipVerify bool
-		enclaveName        string
 	)
 	cmd.BoolVar(&jsonFlag, "json", false, "Print identities in JSON format")
 	cmd.Var(&colorFlag, "color", "Specify when to use colored output")
 	cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
-	cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
 	if err := cmd.Parse(args[1:]); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
 			os.Exit(2)
@@ -522,7 +517,7 @@ func lsIdentityCmd(args []string) {
 	ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
 	defer cancelCtx()
 
-	enclave := newEnclave(enclaveName, insecureSkipVerify)
+	enclave := newClient(insecureSkipVerify)
 	iter := &kes.ListIter[kes.Identity]{
 		NextFunc: enclave.ListIdentities,
 	}
@@ -556,50 +551,3 @@ func lsIdentityCmd(args []string) {
 	}
 	fmt.Print(buf)
 }
-
-const rmIdentityCmdUsage = `Usage:
-    kes identity rm <identity>...
-
-Options:
-    -k, --insecure           Skip TLS certificate validation.
-    -e, --enclave <name>     Operate within the specified enclave.
-
-    -h, --help               Print command line options.
-
-Examples:
-    $ kes identity rm 736bf58626441e3e134a2daf2e6a8441b40e1abc0eac510878168c8aac9f2b0b
-`
-
-func rmIdentityCmd(args []string) {
-	cmd := flag.NewFlagSet(args[0], flag.ContinueOnError)
-	cmd.Usage = func() { fmt.Fprint(os.Stderr, rmIdentityCmdUsage) }
-
-	var (
-		insecureSkipVerify bool
-		enclaveName        string
-	)
-	cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
-	cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
-	if err := cmd.Parse(args[1:]); err != nil {
-		if errors.Is(err, flag.ErrHelp) {
-			os.Exit(2)
-		}
-		cli.Fatalf("%v. See 'kes identity rm --help'", err)
-	}
-	if cmd.NArg() == 0 {
-		cli.Fatal("no identity specified. See 'kes identity rm --help'")
-	}
-
-	client := newClient(insecureSkipVerify)
-	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
-	defer cancel()
-
-	for _, identity := range cmd.Args() {
-		if err := client.DeleteIdentity(ctx, kes.Identity(identity)); err != nil {
-			if errors.Is(err, context.Canceled) {
-				os.Exit(1)
-			}
-			cli.Fatalf("failed to remove identity %q: %v", identity, err)
-		}
-	}
-}

cmd/kes/key.go

@@ -17,8 +17,8 @@ import (
 	"strings"
 
 	tui "github.com/charmbracelet/lipgloss"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
+	"github.com/minio/kms-go/kes"
 	flag "github.com/spf13/pflag"
 )
 
@@ -132,7 +132,6 @@ const importKeyCmdUsage = `Usage:
 
 Options:
     -k, --insecure           Skip TLS certificate validation.
-    -e, --enclave <name>     Operate within the specified enclave.
 
     -h, --help               Print command line options.
 
@@ -144,12 +143,8 @@ func importKeyCmd(args []string) {
 	cmd := flag.NewFlagSet(args[0], flag.ContinueOnError)
 	cmd.Usage = func() { fmt.Fprint(os.Stderr, importKeyCmdUsage) }
 
-	var (
-		insecureSkipVerify bool
-		enclaveName        string
-	)
+	var insecureSkipVerify bool
 	cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
-	cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
 	if err := cmd.Parse(args[1:]); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
 			os.Exit(2)
@@ -174,7 +169,7 @@ func importKeyCmd(args []string) {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
 	defer cancel()
 
-	enclave := newEnclave(enclaveName, insecureSkipVerify)
+	enclave := newClient(insecureSkipVerify)
 	if err = enclave.ImportKey(ctx, name, &kes.ImportKeyRequest{Key: key}); err != nil {
 		if errors.Is(err, context.Canceled) {
 			os.Exit(1)
@@ -313,7 +308,7 @@ func lsKeyCmd(args []string) {
 	ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
 	defer cancelCtx()
 
-	enclave := newEnclave(enclaveName, insecureSkipVerify)
+	enclave := newClient(insecureSkipVerify)
 	iter := &kes.ListIter[string]{
 		NextFunc: enclave.ListKeys,
 	}

cmd/kes/log.go

@@ -15,8 +15,8 @@ import (
 	"time"
 
 	tui "github.com/charmbracelet/lipgloss"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
+	"github.com/minio/kms-go/kes"
 
 	flag "github.com/spf13/pflag"
 )

cmd/kes/main.go

@@ -17,10 +17,10 @@ import (
 	"time"
 
 	tui "github.com/charmbracelet/lipgloss"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
 	"github.com/minio/kes/internal/https"
 	"github.com/minio/kes/internal/sys"
+	"github.com/minio/kms-go/kes"
 	flag "github.com/spf13/pflag"
 	"golang.org/x/term"
 )
@@ -227,14 +227,6 @@ func newClient(insecureSkipVerify bool) *kes.Client {
 	})
 }
 
-func newEnclave(name string, insecureSkipVerify bool) *kes.Enclave {
-	client := newClient(insecureSkipVerify)
-	if name == "" {
-		name = os.Getenv("KES_ENCLAVE")
-	}
-	return client.Enclave(name)
-}
-
 func isTerm(f *os.File) bool { return term.IsTerminal(int(f.Fd())) }
 
 func decodePrivateKey(pemBlock []byte) (*pem.Block, error) {

cmd/kes/metric.go

@@ -17,8 +17,8 @@ import (
 
 	"aead.dev/mem"
 	tui "github.com/charmbracelet/lipgloss"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
+	"github.com/minio/kms-go/kes"
 	flag "github.com/spf13/pflag"
 )
 

cmd/kes/migrate.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/fatih/color"
-	"github.com/minio/kes-go"
 	"github.com/minio/kes/internal/cli"
 	"github.com/minio/kes/kesconf"
+	"github.com/minio/kms-go/kes"
 	flag "github.com/spf13/pflag"
 	"golang.org/x/term"
 )