pkg setup for kms

Author: Jan Sternagel

internal/pkg/config/config.go

@@ -36,6 +36,7 @@ const (
 	RedisCustomEndpointKey             = "redis_custom_endpoint"
 	ResourceManagerEndpointKey         = "resource_manager_custom_endpoint"
 	SecretsManagerCustomEndpointKey    = "secrets_manager_custom_endpoint"
+	KMSCustomEndpointKey               = "kms_custom_endpoint"
 	ServiceAccountCustomEndpointKey    = "service_account_custom_endpoint"
 	ServiceEnablementCustomEndpointKey = "service_enablement_custom_endpoint"
 	ServerBackupCustomEndpointKey      = "serverbackup_custom_endpoint"
@@ -95,6 +96,7 @@ var ConfigKeys = []string{
 	RedisCustomEndpointKey,
 	ResourceManagerEndpointKey,
 	SecretsManagerCustomEndpointKey,
+	KMSCustomEndpointKey,
 	ServiceAccountCustomEndpointKey,
 	ServiceEnablementCustomEndpointKey,
 	ServerBackupCustomEndpointKey,
@@ -180,6 +182,7 @@ func setConfigDefaults() {
 	viper.SetDefault(PostgresFlexCustomEndpointKey, "")
 	viper.SetDefault(ResourceManagerEndpointKey, "")
 	viper.SetDefault(SecretsManagerCustomEndpointKey, "")
+	viper.SetDefault(KMSCustomEndpointKey, "")
 	viper.SetDefault(ServiceAccountCustomEndpointKey, "")
 	viper.SetDefault(ServiceEnablementCustomEndpointKey, "")
 	viper.SetDefault(ServerBackupCustomEndpointKey, "")

internal/pkg/services/kms/client/client.go

@@ -0,0 +1,45 @@
+package client
+
+import (
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/config"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/errors"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
+
+	"github.com/spf13/viper"
+	sdkConfig "github.com/stackitcloud/stackit-sdk-go/core/config"
+	"github.com/stackitcloud/stackit-sdk-go/services/kms"
+)
+
+func ConfigureClient(p *print.Printer, cliVersion string) (*kms.APIClient, error) {
+	authCfgOption, err := auth.AuthenticationConfig(p, auth.AuthorizeUser)
+	if err != nil {
+		p.Debug(print.ErrorLevel, "configure authentication: %v", err)
+		return nil, &errors.AuthError{}
+	}
+	cfgOptions := []sdkConfig.ConfigurationOption{
+		utils.UserAgentConfigOption(cliVersion),
+		authCfgOption,
+	}
+
+	customEndpoint := viper.GetString(config.KMSCustomEndpointKey)
+
+	if customEndpoint != "" {
+		cfgOptions = append(cfgOptions, sdkConfig.WithEndpoint(customEndpoint))
+	}
+
+	if p.IsVerbosityDebug() {
+		cfgOptions = append(cfgOptions,
+			sdkConfig.WithMiddleware(print.RequestResponseCapturer(p, nil)),
+		)
+	}
+
+	apiClient, err := kms.NewAPIClient(cfgOptions...)
+	if err != nil {
+		p.Debug(print.ErrorLevel, "create new API client: %v", err)
+		return nil, &errors.AuthError{}
+	}
+
+	return apiClient, nil
+}

internal/pkg/services/kms/utils/utils.go

@@ -0,0 +1,47 @@
+package utils
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/stackitcloud/stackit-sdk-go/services/kms"
+)
+
+type KMSClient interface {
+	GetKeyExecute(ctx context.Context, projectId string, regionId string, keyRingId string, keyId string) (*kms.Key, error)
+	GetKeyRingExecute(ctx context.Context, projectId string, regionId string, keyRingId string) (*kms.KeyRing, error)
+	GetWrappingKeyExecute(ctx context.Context, projectId string, regionId string, keyRingId string, wrappingKeyId string) (*kms.WrappingKey, error)
+}
+
+func GetKeyName(ctx context.Context, apiClient KMSClient, projectId, region, keyRingId, keyId string) (string, error) {
+	resp, err := apiClient.GetKeyExecute(ctx, projectId, region, keyRingId, keyId)
+	if err != nil {
+		return "", fmt.Errorf("get KMS Key: %w", err)
+	}
+	return *resp.DisplayName, nil
+}
+
+func GetKeyDeletionDate(ctx context.Context, apiClient KMSClient, projectId, region, keyRingId, keyId string) (time.Time, error) {
+	resp, err := apiClient.GetKeyExecute(ctx, projectId, region, keyRingId, keyId)
+	if err != nil {
+		return time.Now(), fmt.Errorf("get KMS Key: %w", err)
+	}
+	return *resp.DeletionDate, nil
+}
+
+func GetKeyRingName(ctx context.Context, apiClient KMSClient, projectId, id, region string) (string, error) {
+	resp, err := apiClient.GetKeyRingExecute(ctx, projectId, region, id)
+	if err != nil {
+		return "", fmt.Errorf("get KMS Key Ring: %w", err)
+	}
+	return *resp.DisplayName, nil
+}
+
+func GetWrappingKeyName(ctx context.Context, apiClient KMSClient, projectId, region, keyRingId, wrappingKeyId string) (string, error) {
+	resp, err := apiClient.GetWrappingKeyExecute(ctx, projectId, region, keyRingId, wrappingKeyId)
+	if err != nil {
+		return "", fmt.Errorf("get KMS Wrapping Key: %w", err)
+	}
+	return *resp.DisplayName, nil
+}

internal/pkg/services/kms/utils/utils_test.go

@@ -0,0 +1,257 @@
+package utils
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stackitcloud/stackit-sdk-go/services/kms"
+)
+
+var (
+	testProjectId     = uuid.NewString()
+	testRegion        = "eu01"
+	testKeyRingId     = uuid.NewString()
+	testKeyId         = uuid.NewString()
+	testWrappingKeyId = uuid.NewString()
+)
+
+const (
+	testKeyName         = "my-test-key"
+	testKeyRingName     = "my-key-ring"
+	testWrappingKeyName = "my-wrapping-key"
+)
+
+type kmsClientMocked struct {
+	getKeyFails         bool
+	getKeyResp          *kms.Key
+	getKeyRingFails     bool
+	getKeyRingResp      *kms.KeyRing
+	getWrappingKeyFails bool
+	getWrappingKeyResp  *kms.WrappingKey
+}
+
+// Implement the KMSClient interface methods for the mock.
+func (m *kmsClientMocked) GetKeyExecute(_ context.Context, _, _, _, _ string) (*kms.Key, error) {
+	if m.getKeyFails {
+		return nil, fmt.Errorf("could not get key")
+	}
+	return m.getKeyResp, nil
+}
+
+func (m *kmsClientMocked) GetKeyRingExecute(_ context.Context, _, _, _ string) (*kms.KeyRing, error) {
+	if m.getKeyRingFails {
+		return nil, fmt.Errorf("could not get key ring")
+	}
+	return m.getKeyRingResp, nil
+}
+
+func (m *kmsClientMocked) GetWrappingKeyExecute(_ context.Context, _, _, _, _ string) (*kms.WrappingKey, error) {
+	if m.getWrappingKeyFails {
+		return nil, fmt.Errorf("could not get wrapping key")
+	}
+	return m.getWrappingKeyResp, nil
+}
+
+func TestGetKeyName(t *testing.T) {
+	keyName := testKeyName
+
+	tests := []struct {
+		description    string
+		getKeyFails    bool
+		getKeyResp     *kms.Key
+		isValid        bool
+		expectedOutput string
+	}{
+		{
+			description: "base",
+			getKeyResp: &kms.Key{
+				DisplayName: &keyName,
+			},
+			isValid:        true,
+			expectedOutput: testKeyName,
+		},
+		{
+			description: "get key fails",
+			getKeyFails: true,
+			isValid:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			client := &kmsClientMocked{
+				getKeyFails: tt.getKeyFails,
+				getKeyResp:  tt.getKeyResp,
+			}
+
+			output, err := GetKeyName(context.Background(), client, testProjectId, testRegion, testKeyRingId, testKeyId)
+
+			if tt.isValid && err != nil {
+				t.Errorf("failed on valid input: %v", err)
+			}
+			if !tt.isValid && err == nil {
+				t.Errorf("did not fail on invalid input")
+			}
+			if !tt.isValid {
+				return
+			}
+			if output != tt.expectedOutput {
+				t.Errorf("expected output to be %q, got %q", tt.expectedOutput, output)
+			}
+		})
+	}
+}
+
+// TestGetKeyDeletionDate tests the GetKeyDeletionDate function.
+func TestGetKeyDeletionDate(t *testing.T) {
+	mockTime := time.Date(2025, 8, 20, 0, 0, 0, 0, time.UTC)
+
+	tests := []struct {
+		description    string
+		getKeyFails    bool
+		getKeyResp     *kms.Key
+		isValid        bool
+		expectedOutput time.Time
+	}{
+		{
+			description: "base",
+			getKeyResp: &kms.Key{
+				DeletionDate: &mockTime,
+			},
+			isValid:        true,
+			expectedOutput: mockTime,
+		},
+		{
+			description: "get key fails",
+			getKeyFails: true,
+			isValid:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			client := &kmsClientMocked{
+				getKeyFails: tt.getKeyFails,
+				getKeyResp:  tt.getKeyResp,
+			}
+
+			output, err := GetKeyDeletionDate(context.Background(), client, testProjectId, testRegion, testKeyRingId, testKeyId)
+
+			if tt.isValid && err != nil {
+				t.Errorf("failed on valid input: %v", err)
+			}
+			if !tt.isValid && err == nil {
+				t.Errorf("did not fail on invalid input")
+			}
+			if !tt.isValid {
+				return
+			}
+			if !output.Equal(tt.expectedOutput) {
+				t.Errorf("expected output to be %v, got %v", tt.expectedOutput, output)
+			}
+		})
+	}
+}
+
+// TestGetKeyRingName tests the GetKeyRingName function.
+func TestGetKeyRingName(t *testing.T) {
+	keyRingName := testKeyRingName
+
+	tests := []struct {
+		description     string
+		getKeyRingFails bool
+		getKeyRingResp  *kms.KeyRing
+		isValid         bool
+		expectedOutput  string
+	}{
+		{
+			description: "base",
+			getKeyRingResp: &kms.KeyRing{
+				DisplayName: &keyRingName,
+			},
+			isValid:        true,
+			expectedOutput: testKeyRingName,
+		},
+		{
+			description:     "get key ring fails",
+			getKeyRingFails: true,
+			isValid:         false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			client := &kmsClientMocked{
+				getKeyRingFails: tt.getKeyRingFails,
+				getKeyRingResp:  tt.getKeyRingResp,
+			}
+
+			output, err := GetKeyRingName(context.Background(), client, testProjectId, testKeyRingId, testRegion)
+
+			if tt.isValid && err != nil {
+				t.Errorf("failed on valid input: %v", err)
+			}
+			if !tt.isValid && err == nil {
+				t.Errorf("did not fail on invalid input")
+			}
+			if !tt.isValid {
+				return
+			}
+			if output != tt.expectedOutput {
+				t.Errorf("expected output to be %q, got %q", tt.expectedOutput, output)
+			}
+		})
+	}
+}
+
+func TestGetWrappingKeyName(t *testing.T) {
+	wrappingKeyName := testWrappingKeyName
+	tests := []struct {
+		description         string
+		getWrappingKeyFails bool
+		getWrappingKeyResp  *kms.WrappingKey
+		isValid             bool
+		expectedOutput      string
+	}{
+		{
+			description: "base",
+			getWrappingKeyResp: &kms.WrappingKey{
+				DisplayName: &wrappingKeyName,
+			},
+			isValid:        true,
+			expectedOutput: testWrappingKeyName,
+		},
+		{
+			description:         "get wrapping key fails",
+			getWrappingKeyFails: true,
+			isValid:             false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			client := &kmsClientMocked{
+				getWrappingKeyFails: tt.getWrappingKeyFails,
+				getWrappingKeyResp:  tt.getWrappingKeyResp,
+			}
+
+			output, err := GetWrappingKeyName(context.Background(), client, testProjectId, testRegion, testKeyRingId, testWrappingKeyId)
+
+			if tt.isValid && err != nil {
+				t.Errorf("failed on valid input: %v", err)
+			}
+			if !tt.isValid && err == nil {
+				t.Errorf("did not fail on invalid input")
+			}
+			if !tt.isValid {
+				return
+			}
+			if output != tt.expectedOutput {
+				t.Errorf("expected output to be %q, got %q", tt.expectedOutput, output)
+			}
+		})
+	}
+}