api: change ManagerKmip.IsValidKey to use QueryCryptoKeyStatus

BREAKING: IsValidKey now requires a key providerID param.
vmware · Oct 29, 2024 · 5c54c3f · 5c54c3f
1 parent ca05e10
commit 5c54c3f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/crypto/manager_kmip.go b/crypto/manager_kmip.go
@@ -353,17 +353,33 @@ func (m ManagerKmip) ListKeys(
 	return res.Returnval, nil
 }
 
+const keyStateNotActiveOrEnabled = string(types.CryptoManagerKmipCryptoKeyStatusKeyUnavailableReasonKeyStateNotActiveOrEnabled)
+
+// IsValidKey returns true if QueryCryptoKeyStatus results indicate the key is available or unavailable reason is `KeyStateNotActiveOrEnabled`.
+// This method is only valid for standard providers and will always return false for native providers.
 func (m ManagerKmip) IsValidKey(
 	ctx context.Context,
+	providerID,
 	keyID string) (bool, error) {
 
-	keys, err := m.ListKeys(ctx, nil)
+	id := []types.CryptoKeyId{{
+		KeyId: keyID,
+		ProviderId: &types.KeyProviderId{
+			Id: providerID,
+		}},
+	}
+
+	res, err := m.QueryCryptoKeyStatus(ctx, id, CheckKeyAvailable)
 	if err != nil {
 		return false, err
 	}
 
-	for i := range keys {
-		if keys[i].KeyId == keyID {
+	for _, status := range res {
+		if status.KeyAvailable != nil && *status.KeyAvailable {
+			return true, nil
+		}
+
+		if status.Reason == keyStateNotActiveOrEnabled {
 			return true, nil
 		}
 	}

diff --git a/crypto/manager_kmip_test.go b/crypto/manager_kmip_test.go
@@ -987,7 +987,7 @@ func TestCryptoManagerKmip(t *testing.T) {
 			assert.NoError(t, err)
 			assert.NotEmpty(t, keyID)
 
-			ok, err := m.IsValidKey(ctx, keyID)
+			ok, err := m.IsValidKey(ctx, providerID, keyID)
 			assert.NoError(t, err)
 			assert.True(t, ok)
 		})