fix(core): Move key management under policy. (#597)

1.) Move key management commands under policy.
2.) Refactor key management tests.
3.) Remove unneeded json checks

(cherry picked from commit d657e96)

Author: opentdf-automation[bot]

cmd/key-management.go

@@ -5,7 +5,7 @@ import (
 )
 
 // KeyCmd is the command for managing keys
-var keyMngmtCmd = man.Docs.GetCommand("key-management")
+var keyMngmtCmd = man.Docs.GetCommand("policy/key-management")
 
 func init() {
 	keyMngmtCmd.PersistentFlags().BoolVar(
@@ -14,5 +14,5 @@ func init() {
 		keyMngmtCmd.GetDocFlag("json").DefaultAsBool(),
 		keyMngmtCmd.GetDocFlag("json").Description,
 	)
-	RootCmd.AddCommand(&keyMngmtCmd.Command)
+	policyCmd.AddCommand(&keyMngmtCmd.Command)
 }

cmd/keymanagement-provider.go

@@ -1,19 +1,14 @@
 package cmd
 
 import (
-	"encoding/json"
+	"fmt"
 
 	"github.com/evertras/bubble-table/table"
 	"github.com/opentdf/otdfctl/pkg/cli"
 	"github.com/opentdf/otdfctl/pkg/man"
 	"github.com/spf13/cobra"
 )
 
-func isJSON(str string) bool {
-	var js json.RawMessage
-	return json.Unmarshal([]byte(str), &js) == nil
-}
-
 func createProviderConfig(cmd *cobra.Command, args []string) {
 	c := cli.New(cmd, args)
 	h := NewHandler(c)
@@ -23,10 +18,6 @@ func createProviderConfig(cmd *cobra.Command, args []string) {
 	config := c.Flags.GetRequiredString("config")
 	metadataLabels = c.Flags.GetStringSlice("label", metadataLabels, cli.FlagsStringSliceOptions{Min: 0})
 
-	if !isJSON(config) {
-		cli.ExitWithError("Invalid JSON format for config ", nil)
-	}
-
 	// Do not need to get provider config after, since this endpoint returns the created config.
 	pc, err := h.CreateProviderConfig(c.Context(), name, []byte(config), getMetadataMutable(metadataLabels))
 	if err != nil {
@@ -90,21 +81,11 @@ func updateProviderConfig(cmd *cobra.Command, args []string) {
 		cli.ExitWithError("At least one field (name, config, or metadata labels) must be updated", nil)
 	}
 
-	if config != "" && !isJSON(config) {
-		cli.ExitWithError("Cannot update provider config with invalid json", nil)
-	}
-
-	_, err := h.UpdateProviderConfig(c.Context(), id, name, []byte(config), getMetadataMutable(metadataLabels), getMetadataUpdateBehavior())
+	pc, err := h.UpdateProviderConfig(c.Context(), id, name, []byte(config), getMetadataMutable(metadataLabels), getMetadataUpdateBehavior())
 	if err != nil {
 		cli.ExitWithError("Failed to update provider config", err)
 	}
 
-	// Get updated provider config.
-	pc, err := h.GetProviderConfig(c.Context(), id, "")
-	if err != nil {
-		cli.ExitWithError("Failed to get provider config", err)
-	}
-
 	rows := [][]string{
 		{"ID", pc.GetId()},
 		{"Name", pc.GetName()},
@@ -166,8 +147,17 @@ func deleteProviderConfig(cmd *cobra.Command, args []string) {
 	defer h.Close()
 
 	id := c.Flags.GetRequiredID("id")
+	force := c.Flags.GetOptionalBool("force")
 
-	err := h.DeleteProviderConfig(c.Context(), id)
+	// Get provider config.
+	pc, err := h.GetProviderConfig(c.Context(), id, "")
+	if err != nil {
+		cli.ExitWithError("Failed to get provider config", err)
+	}
+
+	cli.ConfirmAction(cli.ActionDelete, fmt.Sprintf("key provider config with id: %s", id), fmt.Sprintf("Provider Name: %s", pc.GetName()), force)
+
+	err = h.DeleteProviderConfig(c.Context(), id)
 	if err != nil {
 		cli.ExitWithError("Failed to delete provider config", err)
 	}
@@ -183,7 +173,7 @@ func deleteProviderConfig(cmd *cobra.Command, args []string) {
 
 func init() {
 	// Create Provider Config
-	createDoc := man.Docs.GetCommand("key-management/provider/create",
+	createDoc := man.Docs.GetCommand("policy/key-management/provider/create",
 		man.WithRun(createProviderConfig),
 	)
 	createDoc.Flags().StringP(
@@ -201,7 +191,7 @@ func init() {
 	injectLabelFlags(&createDoc.Command, false)
 
 	// Get Provider Config
-	getDoc := man.Docs.GetCommand("key-management/provider/get",
+	getDoc := man.Docs.GetCommand("policy/key-management/provider/get",
 		man.WithRun(getProviderConfig),
 	)
 	getDoc.Flags().StringP(
@@ -220,7 +210,7 @@ func init() {
 	getDoc.MarkFlagsMutuallyExclusive("id", "name")
 
 	// Update Provider Config
-	updateDoc := man.Docs.GetCommand("key-management/provider/update",
+	updateDoc := man.Docs.GetCommand("policy/key-management/provider/update",
 		man.WithRun(updateProviderConfig),
 	)
 	updateDoc.Flags().StringP(
@@ -244,13 +234,13 @@ func init() {
 	injectLabelFlags(&updateDoc.Command, true)
 
 	// List Provider Configs
-	listDoc := man.Docs.GetCommand("key-management/provider/list",
+	listDoc := man.Docs.GetCommand("policy/key-management/provider/list",
 		man.WithRun(listProviderConfig),
 	)
 	injectListPaginationFlags(listDoc)
 
 	// Add Delete Provider Config
-	deleteDoc := man.Docs.GetCommand("key-management/provider/delete",
+	deleteDoc := man.Docs.GetCommand("policy/key-management/provider/delete",
 		man.WithRun(deleteProviderConfig),
 	)
 	deleteDoc.Flags().StringP(
@@ -259,8 +249,14 @@ func init() {
 		deleteDoc.GetDocFlag("id").Default,
 		deleteDoc.GetDocFlag("id").Description,
 	)
+	deleteDoc.Flags().BoolP(
+		deleteDoc.GetDocFlag("force").Name,
+		deleteDoc.GetDocFlag("force").Shorthand,
+		false,
+		deleteDoc.GetDocFlag("force").Description,
+	)
 
-	doc := man.Docs.GetCommand("key-management/provider",
+	doc := man.Docs.GetCommand("policy/key-management/provider",
 		man.WithSubcommands(createDoc, getDoc, updateDoc, listDoc, deleteDoc))
 
 	keyMngmtCmd.AddCommand(&doc.Command)

cmd/policy-attributes.go

@@ -315,7 +315,7 @@ func policyAssignKeyToAttribute(cmd *cobra.Command, args []string) {
 	// Get the attribute to show meaningful information in case of error
 	attrKey, err := h.AssignKeyToAttribute(c.Context(), attribute, keyID)
 	if err != nil {
-		errMsg := fmt.Sprintf("Failed to assign key: (%s) to attribue: (%s)", keyID, attribute)
+		errMsg := fmt.Sprintf("Failed to assign key: (%s) to attribute: (%s)", keyID, attribute)
 		cli.ExitWithError(errMsg, err)
 	}
 

docs/man/key-management/provider/_index.md

@@ -12,4 +12,4 @@ command:
       default: 'false'
 ---
 
-Set of commands for managing provider configuration.
+Set of commands for managing key configuration, currently supports managing key provider configuration via the `provider` command.

docs/man/key-management/_index.md renamed to docs/man/policy/key-management/_index.md

@@ -0,0 +1,19 @@
+---
+title: Provider configuration for Key Management
+
+command:
+  name: provider
+  hidden: true
+  aliases:
+    - p
+---
+
+Commands used for managing a key providers configuration. You should register key providers when creating keys where the key is either:
+
+1. Wrapped by a key stored outside of your KAS server. For example. if you created a key that is of `mode``provider`
+2. The actual wrapped key is not stored within the platform database, but a reference to the key is. For example, if you created a key that is of `mode` `remote`.
+
+**You should not** create provider configurations for keys of mode:
+
+- `local`
+- `public_key`

docs/man/policy/key-management/provider/_index.md

@@ -6,6 +6,9 @@ command:
     - d
     - remove
   flags:
+    - name: force
+      shorthand: f
+      description: Force the deletion of a provider configuration without confirmation
     - name: id
       shorthand: i
       description: ID of the provider config to delete
@@ -23,3 +26,7 @@ otdfctl keymanagement provider delete --id <provider-config-id>
 ```shell
 otdfctl keymanagement provider delete --id '04ba179c-2f77-4e0d-90c5-fe4d1c9aa3f7'
 ```
+
+```shell
+otdfctl keymanagement provider delete --id '04ba179c-2f77-4e0d-90c5-fe4d1c9aa3f7' --force
+```

docs/man/key-management/provider/create.md renamed to docs/man/policy/key-management/provider/create.md

@@ -6,7 +6,7 @@ command:
     - l
   flags:
     - name: limit
-      shorthand: L
+      shorthand: l
       description: Maximum number of results to return
       required: true
     - name: offset

docs/man/key-management/provider/delete.md renamed to docs/man/policy/key-management/provider/delete.md

@@ -13,7 +13,7 @@ run_otdfctl_kas_registry_create() {
 }
 
 run_otdfctl_provider_create() {
-  run sh -c "./otdfctl keymanagement provider create $HOST $WITH_CREDS $*"
+  run sh -c "./otdfctl policy keymanagement provider create $HOST $WITH_CREDS $*"
 }
 
 setup_file() {
@@ -41,7 +41,7 @@ setup() {
 }
 
 teardown_file() {
-  ./otdfctl keymanagement provider "$HOST" "$WITH_CREDS" delete --id "$PC_ID"
+  ./otdfctl keymanagement provider "$HOST" "$WITH_CREDS" delete --id "$PC_ID" --force
   # Cannot cleanup KAS registry and keys, since keys cannot be deleted currently.
   unset HOST WITH_CREDS KAS_REGISTRY_ID KAS_NAME KAS_URI PEM_B64 WRAPPING_KEY PC_ID
 }

docs/man/key-management/provider/get.md renamed to docs/man/policy/key-management/provider/get.md

@@ -34,8 +34,6 @@ setup() {
 
 teardown_file() {
   ./otdfctl $HOST $WITH_CREDS policy attributes namespace unsafe delete --id "$NS_ID" --force
-  # Cant delete kas registry with keys attached
-  #./otdfctl $HOST $WITH_CREDS policy kas-registry delete --id "$KAS_REG_ID" --force
 
   # clear out all test env vars
   unset HOST WITH_CREDS NS_NAME NS_FQN NS_ID NS_ID_FLAG KAS_REG_ID KAS_KEY_ID KAS_URI PEM_B64 PEM KAS_KEY_SYSTEM_ID