feat(policy): Allow the deletion of a key. (#2575)

c-r33d · web-flow · commit 82b96f023662 · 2025-07-29T16:12:52.000Z
### Proposed Changes

1.) Add the ability to delete a key under the unsafe service.
2.) Update changelog and release-please information

&gt;[!IMPORTANT]
&gt;When deleting a key the key id and the kas uri within the request body
are
&gt;case-sensitive. Meaning they must match **exactly** what you have in
the database.

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions
diff --git a/.github/release-please/release-please-manifest.json b/.github/release-please/release-please-manifest.json
@@ -3,7 +3,7 @@
   "lib/ocrypto": "0.3.0",
   "lib/flattening": "0.1.3",
   "lib/identifier": "0.0.2",
-  "protocol/go": "0.6.0",
-  "sdk": "0.6.0",
+  "protocol/go": "0.6.2",
+  "sdk": "0.6.1",
   "service": "0.7.0"
-}
+}
diff --git a/protocol/go/CHANGELOG.md b/protocol/go/CHANGELOG.md
@@ -1,14 +1,24 @@
 # Changelog
 
-## [0.6.0](https://github.com/opentdf/platform/compare/protocol/go/v0.5.0...protocol/go/v0.6.0) (2025-07-09)
+## [0.6.2](https://github.com/opentdf/platform/compare/protocol/go/v0.6.1...protocol/go/v0.6.2) (2025-07-22)
+
+### Features
+
+* **policy:** Add validation to delete keys [backport to release/protocol/go/v0.6] ([#2577](https://github.com/opentdf/platform/issues/2577)) ([f1f5819](https://github.com/opentdf/platform/commit/f1f5819f95eda5b98cf002a43bd47a4e5b2c62d0))
+
+## [0.6.1](https://github.com/opentdf/platform/compare/protocol/go/v0.6.0...protocol/go/v0.6.1) (2025-07-22)
 
+### Features
+
+* **policy:** Change return type for delete key proto. [backport to release/protocol/go/v0.6] ([#2568](https://github.com/opentdf/platform/issues/2568)) ([bb38eca](https://github.com/opentdf/platform/commit/bb38ecaf75feee91484b1a2f8e835e2fc57633d7))
+
+## [0.6.0](https://github.com/opentdf/platform/compare/protocol/go/v0.5.0...protocol/go/v0.6.0) (2025-07-09)
 
 ### Features
 
 * **authz:** sensible request limit upper bounds ([#2526](https://github.com/opentdf/platform/issues/2526)) ([b3093cc](https://github.com/opentdf/platform/commit/b3093cce2ffd1f1cdaec884967dc96a40caa2903))
 * **policy:** Add list key mappings rpc. ([#2533](https://github.com/opentdf/platform/issues/2533)) ([fbc2724](https://github.com/opentdf/platform/commit/fbc2724a066b5e4121838a958cb926a1ab5bdcde))
 
-
 ### Bug Fixes
 
 * **core:** Allow 521 curve to be used ([#2485](https://github.com/opentdf/platform/issues/2485)) ([aaf43dc](https://github.com/opentdf/platform/commit/aaf43dc368b4cabbc9affa0a6075abd335aa57e3))
diff --git a/sdk/CHANGELOG.md b/sdk/CHANGELOG.md
diff --git a/service/go.mod b/service/go.mod
@@ -33,7 +33,7 @@ require (
 	github.com/opentdf/platform/lib/flattening v0.1.3
 	github.com/opentdf/platform/lib/identifier v0.0.2
 	github.com/opentdf/platform/lib/ocrypto v0.3.0
-	github.com/opentdf/platform/protocol/go v0.5.0
+	github.com/opentdf/platform/protocol/go v0.6.2
 	github.com/opentdf/platform/sdk v0.5.0
 	github.com/pressly/goose/v3 v3.24.3
 	github.com/spf13/cobra v1.9.1
diff --git a/service/go.sum b/service/go.sum
@@ -251,8 +251,8 @@ github.com/opentdf/platform/lib/identifier v0.0.2 h1:h3zR+IZ/4/X5UOYUp/aTA0OcX1Q
 github.com/opentdf/platform/lib/identifier v0.0.2/go.mod h1:/tHnLlSVOq3qmbIYSvKrtuZchQfagenv4wG5twl4oRs=
 github.com/opentdf/platform/lib/ocrypto v0.3.0 h1:/nHlIj6kqZ9XT9M45vAbzoMV8USeCj7GRuhFR6JH+RA=
 github.com/opentdf/platform/lib/ocrypto v0.3.0/go.mod h1:VuVHTye/smLiRZ5Ls4sZ14R+PtN9Egwj8D1Hv5X9iP0=
-github.com/opentdf/platform/protocol/go v0.5.0 h1:C/jUpg+DfG5gdznT909UXzKktQPLCe2hgaXBmmwk/Z0=
-github.com/opentdf/platform/protocol/go v0.5.0/go.mod h1:FwoNd0HJaxGCZf74de/yFpVP4HEjkUMoF6Br79W0TBk=
+github.com/opentdf/platform/protocol/go v0.6.2 h1:seLTEP4xBRF2BG1vbuWzQqNo58g3wtkzCV+Z4ExRXnM=
+github.com/opentdf/platform/protocol/go v0.6.2/go.mod h1:FwoNd0HJaxGCZf74de/yFpVP4HEjkUMoF6Br79W0TBk=
 github.com/opentdf/platform/sdk v0.5.0 h1:K4a8kWUtt5EJktFC55egicsp9537SI1+bmJPMIsYrKg=
 github.com/opentdf/platform/sdk v0.5.0/go.mod h1:Qxwq9zjUVkBZs3xZUOPls5gdX4d0y2nsoZvJ93hyWAU=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
diff --git a/service/integration/attribute_values_test.go b/service/integration/attribute_values_test.go
@@ -870,11 +870,15 @@ func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_Returns_Erro
 
 func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_NotActiveKey_Fail() {
 	var kasID string
-	keyIDs := make([]string, 0)
+	keys := make([]*policy.KasKey, 0)
 	defer func() {
-		for _, keyID := range keyIDs {
-			// delete the kas key
-			_, err := s.db.PolicyClient.DeleteKey(s.ctx, keyID)
+		for _, key := range keys {
+			r := &unsafe.UnsafeDeleteKasKeyRequest{
+				Id:     key.GetKey().GetId(),
+				Kid:    key.GetKey().GetKeyId(),
+				KasUri: key.GetKasUri(),
+			}
+			_, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, key, r)
 			s.Require().NoError(err)
 		}
 
@@ -913,7 +917,7 @@ func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_NotActiveKey
 	toBeRotatedKey, err := s.db.PolicyClient.CreateKey(s.ctx, kasKey)
 	s.Require().NoError(err)
 	s.NotNil(toBeRotatedKey)
-	keyIDs = append(keyIDs, toBeRotatedKey.GetKasKey().GetKey().GetId())
+	keys = append(keys, toBeRotatedKey.GetKasKey())
 
 	// rotate the key
 	newKey := &kasregistry.RotateKeyRequest_NewKey{
@@ -927,7 +931,7 @@ func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_NotActiveKey
 	rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, toBeRotatedKey.GetKasKey(), newKey)
 	s.Require().NoError(err)
 	s.NotNil(rotatedInKey)
-	keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId())
+	keys = append(keys, rotatedInKey.GetKasKey())
 
 	// Get an attribute value
 	attrValue := s.f.GetAttributeValueKey("example.com/attr/attr1/value/value1")
diff --git a/service/integration/attributes_test.go b/service/integration/attributes_test.go
@@ -1222,11 +1222,15 @@ func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_Returns_Error_When_
 
 func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_NotActiveKey_Fail() {
 	var kasID string
-	keyIDs := make([]string, 0)
+	keys := make([]*policy.KasKey, 0)
 	defer func() {
-		for _, keyID := range keyIDs {
-			// delete the kas key
-			_, err := s.db.PolicyClient.DeleteKey(s.ctx, keyID)
+		for _, key := range keys {
+			r := &unsafe.UnsafeDeleteKasKeyRequest{
+				Id:     key.GetKey().GetId(),
+				Kid:    key.GetKey().GetKeyId(),
+				KasUri: key.GetKasUri(),
+			}
+			_, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, key, r)
 			s.Require().NoError(err)
 		}
 
@@ -1265,7 +1269,7 @@ func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_NotActiveKey_Fail()
 	toBeRotatedKey, err := s.db.PolicyClient.CreateKey(s.ctx, kasKey)
 	s.Require().NoError(err)
 	s.NotNil(toBeRotatedKey)
-	keyIDs = append(keyIDs, toBeRotatedKey.GetKasKey().GetKey().GetId())
+	keys = append(keys, toBeRotatedKey.GetKasKey())
 
 	// rotate the key
 	newKey := &kasregistry.RotateKeyRequest_NewKey{
@@ -1279,7 +1283,7 @@ func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_NotActiveKey_Fail()
 	rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, toBeRotatedKey.GetKasKey(), newKey)
 	s.Require().NoError(err)
 	s.NotNil(rotatedInKey)
-	keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId())
+	keys = append(keys, rotatedInKey.GetKasKey())
 
 	resp, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{
 		AttributeId: s.f.GetAttributeKey("example.com/attr/attr1").ID,
diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/policy/kasregistry"
 	"github.com/opentdf/platform/protocol/go/policy/keymanagement"
 	"github.com/opentdf/platform/protocol/go/policy/namespaces"
+	"github.com/opentdf/platform/protocol/go/policy/unsafe"
 	"github.com/opentdf/platform/service/internal/fixtures"
 	"github.com/opentdf/platform/service/pkg/db"
 	"github.com/stretchr/testify/suite"
@@ -150,7 +151,11 @@ func (s *KasRegistryKeySuite) Test_CreateKasKey_Success() {
 	s.Equal(validKeyID1, resp.GetKasKey().GetKey().GetPrivateKeyCtx().GetKeyId())
 	s.Nil(resp.GetKasKey().GetKey().GetProviderConfig())
 
-	_, err = s.db.PolicyClient.DeleteKey(s.ctx, resp.GetKasKey().GetKey().GetId())
+	_, err = s.db.PolicyClient.UnsafeDeleteKey(s.ctx, resp.GetKasKey(), &unsafe.UnsafeDeleteKasKeyRequest{
+		Id:     resp.GetKasKey().GetKey().GetId(),
+		KasUri: resp.GetKasKey().GetKasUri(),
+		Kid:    resp.GetKasKey().GetKey().GetKeyId(),
+	})
 	s.Require().NoError(err)
 }
 
@@ -1505,6 +1510,89 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_Multiple_Mixed_Mappings() {
 	s.Equal(int32(0), mappedResponse.GetPagination().GetNextOffset())
 }
 
+func (s *KasRegistryKeySuite) Test_UnsafeDeleteKey_InvalidId_Fail() {
+	resp, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, &policy.KasKey{}, &unsafe.UnsafeDeleteKasKeyRequest{
+		Id: "invalid-uuid",
+	})
+	s.Require().Error(err)
+	s.Nil(resp)
+	s.Require().ErrorContains(err, db.ErrUUIDInvalid.Error())
+}
+
+func (s *KasRegistryKeySuite) Test_DeleteKey_WrongKasUriOrKid_Fail() {
+	// Create a key
+	req := kasregistry.CreateKeyRequest{
+		KasId:        s.kasKeys[0].KeyAccessServerID,
+		KeyId:        uuid.NewString(),
+		KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256,
+		KeyMode:      policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+		PublicKeyCtx: &policy.PublicKeyCtx{Pem: keyCtx},
+		PrivateKeyCtx: &policy.PrivateKeyCtx{
+			WrappedKey: keyCtx,
+			KeyId:      validKeyID1,
+		},
+	}
+	resp, err := s.db.PolicyClient.CreateKey(s.ctx, &req)
+	s.Require().NoError(err)
+	s.NotNil(resp)
+
+	defer func() {
+		r := unsafe.UnsafeDeleteKasKeyRequest{
+			Id:     resp.GetKasKey().GetKey().GetId(),
+			KasUri: resp.GetKasKey().GetKasUri(),
+			Kid:    resp.GetKasKey().GetKey().GetKeyId(),
+		}
+		_, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, resp.GetKasKey(), &r)
+		s.Require().NoError(err)
+	}()
+
+	// Attempt to delete with incorrect Kid
+	deleteResp, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, resp.GetKasKey(), &unsafe.UnsafeDeleteKasKeyRequest{Id: resp.GetKasKey().GetKey().GetId(), KasUri: resp.GetKasKey().GetKasUri(), Kid: "wrong-KID"})
+	s.Require().Error(err)
+	s.Nil(deleteResp)
+	s.Require().ErrorIs(err, db.ErrKIDMismatch)
+
+	deleteResp, err = s.db.PolicyClient.UnsafeDeleteKey(s.ctx, resp.GetKasKey(), &unsafe.UnsafeDeleteKasKeyRequest{Id: resp.GetKasKey().GetKey().GetId(), KasUri: "wrong-kas-uri", Kid: resp.GetKasKey().GetKey().GetKeyId()})
+	s.Require().Error(err)
+	s.Nil(deleteResp)
+	s.Require().ErrorIs(err, db.ErrKasURIMismatch)
+}
+
+func (s *KasRegistryKeySuite) Test_DeleteKey_Success() {
+	// Create KAS server
+	req := kasregistry.CreateKeyRequest{
+		KasId:        s.kasKeys[0].KeyAccessServerID,
+		KeyId:        uuid.NewString(),
+		KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256,
+		KeyMode:      policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+		PublicKeyCtx: &policy.PublicKeyCtx{Pem: keyCtx},
+		PrivateKeyCtx: &policy.PrivateKeyCtx{
+			WrappedKey: keyCtx,
+			KeyId:      validKeyID1,
+		},
+	}
+	resp, err := s.db.PolicyClient.CreateKey(s.ctx, &req)
+	s.Require().NoError(err)
+	s.NotNil(resp)
+
+	deleteResp, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, resp.GetKasKey(), &unsafe.UnsafeDeleteKasKeyRequest{
+		Id:     resp.GetKasKey().GetKey().GetId(),
+		Kid:    resp.GetKasKey().GetKey().GetKeyId(),
+		KasUri: resp.GetKasKey().GetKasUri(),
+	})
+	s.Require().NoError(err)
+	s.NotNil(deleteResp)
+	s.Equal(resp.GetKasKey().GetKey().GetId(), deleteResp.GetId())
+
+	// Verify it's deleted
+	getResp, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{
+		Id: resp.GetKasKey().GetKey().GetId(),
+	})
+	s.Require().Error(err)
+	s.Nil(getResp)
+	s.Require().ErrorContains(err, db.ErrNotFound.Error())
+}
+
 func (s *KasRegistryKeySuite) validateKeyMapping(mapping *kasregistry.KeyMapping, expectedKey *policy.KasKey, expectedNamespace []*policy.Namespace, expectedAttrDef []*policy.Attribute, expectedValue []*policy.Value) {
 	s.Equal(expectedKey.GetKey().GetKeyId(), mapping.GetKid())
 	s.Equal(expectedKey.GetKasUri(), mapping.GetKasUri())
@@ -1745,7 +1833,17 @@ func (s *KasRegistryKeySuite) cleanupKeys(keyIDs []string, keyAccessServerIDs []
 	s.Require().NoError(err)
 
 	for _, id := range keyIDs {
-		_, err := s.db.PolicyClient.DeleteKey(s.ctx, id)
+		key, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{
+			Id: id,
+		})
+		s.Require().NoError(err)
+		s.NotNil(key)
+		r := unsafe.UnsafeDeleteKasKeyRequest{
+			Id:     key.GetKey().GetId(),
+			KasUri: key.GetKasUri(),
+			Kid:    key.GetKey().GetKeyId(),
+		}
+		_, err = s.db.PolicyClient.UnsafeDeleteKey(s.ctx, key, &r)
 		s.Require().NoError(err)
 	}
 	for _, id := range keyAccessServerIDs {
diff --git a/service/integration/kas_registry_test.go b/service/integration/kas_registry_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/common"
 	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/protocol/go/policy/kasregistry"
+	"github.com/opentdf/platform/protocol/go/policy/unsafe"
 
 	"github.com/opentdf/platform/service/internal/fixtures"
 	"github.com/opentdf/platform/service/pkg/db"
@@ -789,7 +790,11 @@ func (s *KasRegistrySuite) Test_DeleteKeyAccessServer_WithChildKeys_Fails() {
 	s.Nil(deleted)
 
 	// Remove key to clean up
-	_, err = s.db.PolicyClient.DeleteKey(s.ctx, createdKey.GetKasKey().GetKey().GetId())
+	_, err = s.db.PolicyClient.UnsafeDeleteKey(s.ctx, createdKey.GetKasKey(), &unsafe.UnsafeDeleteKasKeyRequest{
+		Id:     createdKey.GetKasKey().GetKey().GetId(),
+		Kid:    createdKey.GetKasKey().GetKey().GetKeyId(),
+		KasUri: createdKey.GetKasKey().GetKasUri(),
+	})
 	s.Require().NoError(err)
 
 	// Delete the KAS
diff --git a/service/integration/keymanagement_test.go b/service/integration/keymanagement_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/protocol/go/policy/kasregistry"
 	"github.com/opentdf/platform/protocol/go/policy/keymanagement"
+	"github.com/opentdf/platform/protocol/go/policy/unsafe"
 	"github.com/opentdf/platform/service/internal/fixtures"
 	"github.com/opentdf/platform/service/pkg/db"
 	"github.com/stretchr/testify/suite"
@@ -389,10 +390,14 @@ func (s *KeyManagementSuite) Test_DeleteProviderConfig_InUse_Fails() {
 	// Create a provider config
 	pcIDs := make([]string, 0)
 	var kasID string
-	var keyID string
+	var kasKey *policy.KasKey
 	defer func() {
-		if keyID != "" {
-			_, err := s.db.PolicyClient.DeleteKey(s.ctx, keyID)
+		if kasKey != nil {
+			_, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, kasKey, &unsafe.UnsafeDeleteKasKeyRequest{
+				Id:     kasKey.GetKey().GetId(),
+				Kid:    kasKey.GetKey().GetKeyId(),
+				KasUri: kasKey.GetKasUri(),
+			})
 			s.Require().NoError(err)
 		}
 		if kasID != "" {
@@ -441,7 +446,7 @@ func (s *KeyManagementSuite) Test_DeleteProviderConfig_InUse_Fails() {
 	})
 	s.Require().NoError(err)
 	s.NotNil(key)
-	keyID = key.GetKasKey().GetKey().GetId()
+	kasKey = key.GetKasKey()
 
 	_, err = s.db.PolicyClient.DeleteProviderConfig(s.ctx, pc.GetId())
 	s.Require().Error(err)
diff --git a/service/integration/namespaces_test.go b/service/integration/namespaces_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/policy/attributes"
 	"github.com/opentdf/platform/protocol/go/policy/kasregistry"
 	"github.com/opentdf/platform/protocol/go/policy/namespaces"
+	"github.com/opentdf/platform/protocol/go/policy/unsafe"
 	"github.com/opentdf/platform/service/internal/fixtures"
 	"github.com/opentdf/platform/service/pkg/db"
 	"github.com/stretchr/testify/suite"
@@ -927,11 +928,15 @@ func (s *NamespacesSuite) Test_AssociatePublicKeyToNamespace_Returns_Error_When_
 func (s *NamespacesSuite) Test_AssignPublicKeyToNamespace_NotActiveKey_Fail() {
 	var kasID string
 	var namespaceID string
-	keyIDs := make([]string, 0)
+	keys := make([]*policy.KasKey, 0)
 	defer func() {
-		for _, keyID := range keyIDs {
-			// delete the kas key
-			_, err := s.db.PolicyClient.DeleteKey(s.ctx, keyID)
+		for _, key := range keys {
+			r := &unsafe.UnsafeDeleteKasKeyRequest{
+				Id:     key.GetKey().GetId(),
+				Kid:    key.GetKey().GetKeyId(),
+				KasUri: key.GetKasUri(),
+			}
+			_, err := s.db.PolicyClient.UnsafeDeleteKey(s.ctx, key, r)
 			s.Require().NoError(err)
 		}
 
@@ -975,7 +980,7 @@ func (s *NamespacesSuite) Test_AssignPublicKeyToNamespace_NotActiveKey_Fail() {
 	s.Require().NoError(err)
 	s.NotNil(toBeRotatedKey)
 	originalKeyID := toBeRotatedKey.GetKasKey().GetKey().GetId()
-	keyIDs = append(keyIDs, originalKeyID)
+	keys = append(keys, toBeRotatedKey.GetKasKey())
 
 	// rotate the key
 	rotateNewKeyReq := &kasregistry.RotateKeyRequest_NewKey{
@@ -989,7 +994,7 @@ func (s *NamespacesSuite) Test_AssignPublicKeyToNamespace_NotActiveKey_Fail() {
 	rotatedInKey, err := s.db.PolicyClient.RotateKey(s.ctx, toBeRotatedKey.GetKasKey(), rotateNewKeyReq)
 	s.Require().NoError(err)
 	s.NotNil(rotatedInKey)
-	keyIDs = append(keyIDs, rotatedInKey.GetKasKey().GetKey().GetId())
+	keys = append(keys, rotatedInKey.GetKasKey())
 
 	createdNamespace, err := s.db.PolicyClient.CreateNamespace(s.ctx, &namespaces.CreateNamespaceRequest{Name: "test-kas-ns.com"})
 	s.Require().NoError(err)
diff --git a/service/pkg/db/errors.go b/service/pkg/db/errors.go
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go
diff --git a/service/policy/unsafe/unsafe.go b/service/policy/unsafe/unsafe.go
