Adding RotatedKey resource and service#57576
Merged
Conversation
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
from
664199b to
0e89496
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
63d66c5 to
508e290
Compare
Joerger
reviewed
Aug 6, 2025
| @@ -105,18 +157,42 @@ func newRecordingEncryptionParser() *recordingEncryptionParser { | |||
| } | |||
|
|
|||
| func (p *recordingEncryptionParser) parse(event backend.Event) (types.Resource, error) { | |||
Contributor
There was a problem hiding this comment.
I'm not sure how to feel about using the same parser for the separate kinds, especially since we decided not to go with rotated_keys as a subkind. What do you think about just adding a separate parser for rotated keys?
Contributor
Author
There was a problem hiding this comment.
Yeah I'm not too sure about it either to be honest. I only combined them because they share a service, but that doesn't mean they have to share a parser as well. I can split these up 👍
Contributor
There was a problem hiding this comment.
I think you might have also combined them because they share a key prefix - rotated key events will actually be caught by the recordingEncryptionParser. Maybe you just need to filter out rotated keys in parse? It looks like that's what the userParser does since a lot of resources have the /web/users prefix.
But if there isn't any real reason to re-use the recording_encryption prefix (e.g. a delete on /web/users/<user> deletes all owned resources with /web/users/<user>/ prefix), I would just change the rotated key prefix to recording_encryption_rotated or something instead.
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
from
0e89496 to
f1414fa
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
508e290 to
54a4224
Compare
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
from
f1414fa to
e28461b
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
54a4224 to
4d2c853
Compare
rosstimothy
reviewed
Aug 7, 2025
| v1.KeyState state = 2; | ||
| } | ||
|
|
||
| // The empty body of a GetRotationState response. |
Contributor
There was a problem hiding this comment.
The comment says empty, but the message has one field. Let's rework the comments on these messages that reference an empty message.
Contributor
There was a problem hiding this comment.
It looks like this comment was update but all other empty messages still reference being empty. Let's change them all to be something meaningful-ish without referencing being empty so that if someone adds a field later without updating the comment there isn't a weird disconnect.
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
2 times, most recently
from
adc5214 to
53cf180
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
d36f4ea to
aab1fbd
Compare
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
2 times, most recently
from
6954ed8 to
9756e5d
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
3 times, most recently
from
6b4df30 to
f9dc21c
Compare
eriktate
force-pushed
the
eriktate/add-tags-to-encryption-keys
branch
from
82748f6 to
b9fbaad
Compare
Base automatically changed from
eriktate/add-tags-to-encryption-keys
to
master
August 13, 2025 15:35
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
f9dc21c to
3efc234
Compare
eriktate
added
the
no-changelog
Joerger
approved these changes
Aug 13, 2025
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
9dc4864 to
9f2fc98
Compare
eriktate
force-pushed
the
eriktate/rotated-keys-resource
branch
from
9f2fc98 to
b609982
Compare
rosstimothy
approved these changes
Aug 14, 2025
eriktate
added a commit
that referenced
this pull request
Aug 15, 2025
eriktate
added a commit
that referenced
this pull request
Aug 27, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 3, 2025
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Sep 3, 2025
* adding support for encryption/decryption keys to keystore manager (#54428, #55652) * adds new protos for resources related to encrypted session recordings and updates the existing SessionRecordingConfig protos to include a Status (#54780) * adding local service implementation for recording encryption resources (#54816) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD (#55078) * Adding session recording plugin for `age` (#55120) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD * adding age plugin wrapping default X25519 Identity/Recipient implementation with hooks to more efficiently lookup private keys given their respective public key * Adding recording encryption and playback for `sync` modes (#54901) * adding cache for RecordingEncryption (#55857) * adding recording_encryption service protos (#55121) * adding async recording encryption with gRPC multipart uploader (#55859) * adding file configuration for encrypted session recording (#56200) * Switching recording encryption to unwrap keys using direct keystore RSA decryption (#56776) * adding manual key management config (#56920) * updating protos for recording encryption (#57055) * Add missing handling for recording encryption configs and keys (#57279) * updating protos for recording encryption * changing labels for encryption keys to prevent automatic cleanup, adjusting pkcs11 host UUID check to allow for key sharing of encryption keys, preventing cloud tenants from enabling manual key management, preventing use of recording encryption in FIPS mode * adding new protos for rotated keys and the local service for interacting (#57576) with them * Switching encryption keys from PEM to ASN.1 DER encoding (#58137) * using pregenerated RSA4096 key for keystore tests because generation is too slow (#58138) * extending precomputed RSA keys to support 4096-bit keys (#58251) * adding rotation process to Manager and exposing with new RPCs and (#57577) * adding rotation sub commands for recording encryption keys and fixing (#57780) broken session_recording_config when using fileconf * using more reliable method of validating key bit length
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds some new proto definitions and RPCs in support of rotating session recording encryption keys.
UpdateRotatedKeywas omitted from the API because the concept of updating a rotated key doesn't really make sense. The storedFingerprint(which is also the lookup key) is generated by the public key which itself is generated by the private key, so any sort of update would create an invalid resource.