Revert "Transit UX improvements: show key policy, configs on write (h…

…ashicorp#20652)" This reverts commit d52d307.
Nordix · Mar 8, 2024 · 3942219 · 3942219
1 parent 6f67d28
commit 3942219
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 58 deletions.
diff --git a/builtin/logical/transit/backend_test.go b/builtin/logical/transit/backend_test.go
@@ -1072,7 +1072,9 @@ func testConvergentEncryptionCommon(t *testing.T, ver int, keyType keysutil.KeyT
 	if err != nil {
 		t.Fatal(err)
 	}
-	require.NotNil(t, resp, "expected populated request")
+	if resp != nil {
+		t.Fatal("expected nil response")
+	}
 
 	p, err := keysutil.LoadPolicy(context.Background(), storage, path.Join("policy", "testkey"))
 	if err != nil {
@@ -1565,7 +1567,9 @@ func TestBadInput(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	require.NotNil(t, resp, "expected populated request")
+	if resp != nil {
+		t.Fatal("expected nil response")
+	}
 
 	req.Path = "decrypt/test"
 	req.Data = map[string]interface{}{
@@ -1654,7 +1658,9 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 				if err != nil {
 					t.Fatal(err)
 				}
-				require.NotNil(t, resp, "expected populated request")
+				if resp != nil {
+					t.Fatal("expected nil response")
+				}
 
 				// Write a key with an auto rotate value one day in the future
 				req = &logical.Request{
@@ -1669,7 +1675,9 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 				if err != nil {
 					t.Fatal(err)
 				}
-				require.NotNil(t, resp, "expected populated request")
+				if resp != nil {
+					t.Fatal("expected nil response")
+				}
 
 				// Run the rotation check and ensure none of the keys have rotated
 				b.checkAutoRotateAfter = time.Now()

diff --git a/builtin/logical/transit/path_cache_config.go b/builtin/logical/transit/path_cache_config.go
@@ -84,11 +84,7 @@ func (b *backend) pathCacheConfigWrite(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"size": cacheSize,
-		},
-	}, nil
+	return nil, nil
 }
 
 type configCache struct {

diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
@@ -254,14 +254,12 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 		p.Unlock()
 	}
 
-	resp, err := b.formatKeyPolicy(p, nil)
-	if err != nil {
-		return nil, err
-	}
+	resp := &logical.Response{}
 	if !upserted {
 		resp.AddWarning(fmt.Sprintf("key %s already existed", name))
 	}
-	return resp, nil
+
+	return nil, nil
 }
 
 // Built-in helper type for returning asymmetric keys
@@ -289,19 +287,6 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
 	}
 	defer p.Unlock()
 
-	contextRaw := d.Get("context").(string)
-	var context []byte
-	if len(contextRaw) != 0 {
-		context, err = base64.StdEncoding.DecodeString(contextRaw)
-		if err != nil {
-			return logical.ErrorResponse("failed to base64-decode context"), logical.ErrInvalidRequest
-		}
-	}
-
-	return b.formatKeyPolicy(p, context)
-}
-
-func (b *backend) formatKeyPolicy(p *keysutil.Policy, context []byte) (*logical.Response, error) {
 	// Return the response
 	resp := &logical.Response{
 		Data: map[string]interface{}{
@@ -358,6 +343,15 @@ func (b *backend) formatKeyPolicy(p *keysutil.Policy, context []byte) (*logical.
 		}
 	}
 
+	contextRaw := d.Get("context").(string)
+	var context []byte
+	if len(contextRaw) != 0 {
+		context, err = base64.StdEncoding.DecodeString(contextRaw)
+		if err != nil {
+			return logical.ErrorResponse("failed to base64-decode context"), logical.ErrInvalidRequest
+		}
+	}
+
 	switch p.Type {
 	case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305:
 		retKeys := map[string]int64{}

diff --git a/builtin/logical/transit/path_keys_config.go b/builtin/logical/transit/path_keys_config.go
@@ -97,8 +97,6 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 	}
 	defer p.Unlock()
 
-	var warning string
-
 	originalMinDecryptionVersion := p.MinDecryptionVersion
 	originalMinEncryptionVersion := p.MinEncryptionVersion
 	originalDeletionAllowed := p.DeletionAllowed
@@ -115,6 +113,8 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 		}
 	}()
 
+	resp = &logical.Response{}
+
 	persistNeeded := false
 
 	minDecryptionVersionRaw, ok := d.GetOk("min_decryption_version")
@@ -127,7 +127,7 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 
 		if minDecryptionVersion == 0 {
 			minDecryptionVersion = 1
-			warning = "since Vault 0.3, transit key numbering starts at 1; forcing minimum to 1"
+			resp.AddWarning("since Vault 0.3, transit key numbering starts at 1; forcing minimum to 1")
 		}
 
 		if minDecryptionVersion != p.MinDecryptionVersion {
@@ -225,14 +225,7 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 	}
 
 	if !persistNeeded {
-		resp, err := b.formatKeyPolicy(p, nil)
-		if err != nil {
-			return nil, err
-		}
-		if warning != "" {
-			resp.AddWarning(warning)
-		}
-		return resp, nil
+		return nil, nil
 	}
 
 	switch {
@@ -242,18 +235,11 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 		return logical.ErrorResponse("min decryption version should not be less then min available version"), nil
 	}
 
-	if err := p.Persist(ctx, req.Storage); err != nil {
-		return nil, err
+	if len(resp.Warnings) == 0 {
+		return nil, p.Persist(ctx, req.Storage)
 	}
 
-	resp, err = b.formatKeyPolicy(p, nil)
-	if err != nil {
-		return nil, err
-	}
-	if warning != "" {
-		resp.AddWarning(warning)
-	}
-	return resp, nil
+	return resp, p.Persist(ctx, req.Storage)
 }
 
 const pathKeysConfigHelpSyn = `Configure a named encryption key`

diff --git a/builtin/logical/transit/path_rotate.go b/builtin/logical/transit/path_rotate.go
@@ -64,7 +64,6 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 	if !b.System().CachingDisabled() {
 		p.Lock(true)
 	}
-	defer p.Unlock()
 
 	if p.Type == keysutil.KeyType_MANAGED_KEY {
 		var keyId string
@@ -79,11 +78,8 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 		err = p.Rotate(ctx, req.Storage, b.GetRandomReader())
 	}
 
-	if err != nil {
-		return nil, err
-	}
-
-	return b.formatKeyPolicy(p, nil)
+	p.Unlock()
+	return nil, err
 }
 
 const pathRotateHelpSyn = `Rotate named encryption key`

diff --git a/builtin/logical/transit/path_trim.go b/builtin/logical/transit/path_trim.go
@@ -100,7 +100,7 @@ func (b *backend) pathTrimUpdate() framework.OperationFunc {
 			return nil, err
 		}
 
-		return b.formatKeyPolicy(p, nil)
+		return nil, nil
 	}
 }
 

diff --git a/changelog/20652.txt b/changelog/20652.txt
-Original file line number
+Diff line change
@@ Expand Up @@
     			return nil, err
     		}
-    		return b.formatKeyPolicy(p, nil)
+    		return nil, nil
     	}
     }
@@ Expand Down @@