Merge pull request #324 from microsoft/user/jirenugo/aks-ee

Adding structures for key service
microsoft · Dec 20, 2024 · d74c5b4 · d74c5b4
2 parents 1a32f82 + eba854f
commit d74c5b4
Show file tree

Hide file tree

Showing 9 changed files with 1,038 additions and 231 deletions.
diff --git a/go.mod b/go.mod
@@ -18,10 +18,10 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241219184827-bd154493cd20 // indirect
 	google.golang.org/protobuf v1.36.0 // indirect
 )
 

diff --git a/go.sum b/go.sum
@@ -35,8 +35,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -64,8 +64,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 h1:Z7FRVJPSMaHQxD0uXU8WdgFh8PseLM8Q8NzhnpMrBhQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241219184827-bd154493cd20 h1:aiR3J9AR6kgxKXDbsWpnjcNbN8dsYMAw6IJVl40rzX8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241219184827-bd154493cd20/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=

diff --git a/rpc/common/moc_common_common.pb.go b/rpc/common/moc_common_common.pb.go
diff --git a/rpc/common/moc_common_common.proto b/rpc/common/moc_common_common.proto
@@ -255,6 +255,7 @@ enum ProviderAccessOperation {
 	Key_UnwrapKey					= 505; 
 	Key_Sign 						= 506; 
 	Key_Verify 						= 507; 
+	Key_Rotate                      = 508;
 
 	VirtualMachine_Create 				= 600; 
 	VirtualMachine_Update 				= 601; 

diff --git a/rpc/common/moc_common_security.pb.go b/rpc/common/moc_common_security.pb.go
diff --git a/rpc/common/moc_common_security.proto b/rpc/common/moc_common_security.proto
@@ -87,3 +87,14 @@ message Scope {
 	ProviderType providerType = 3;
 	string resource = 4;
 }
+
+message PrivateKeyWrappingInfo {
+	string WrappingKeyName = 1;
+	bytes WrappingKeyPublic = 2 [(sensitive) = true];
+	KeyWrappingAlgorithm WrappingAlgorithm = 3;
+}
+
+message SignVerifyParams {
+	JSONWebKeySignatureAlgorithm  algorithm  = 1;
+	string signature = 2  [(sensitive) = true];
+}
diff --git a/rpc/gen_proto.sh b/rpc/gen_proto.sh
@@ -57,6 +57,7 @@ Module="security"
 echo "Generating $Agent/$Module protoc"
 protoc -I $Agent/$Module/identity -I ./common $Agent/$Module/identity/moc_nodeagent_identity.proto --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/keyvault/secret -I ./common $Agent/$Module/keyvault/secret/moc_nodeagent_secret.proto  --go_out=plugins=grpc:../bld/gen/
+protoc -I $Agent/$Module/keyvault/key -I ./common $Agent/$Module/keyvault/key/moc_nodeagent_key.proto  --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/keyvault -I ./common -I $Agent/$Module/keyvault/secret $Agent/$Module/keyvault/moc_nodeagent_keyvault.proto  --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/authentication -I ./common -I $Agent/$Module/identity $Agent/$Module/authentication/moc_nodeagent_authentication.proto --go_out=plugins=grpc:../bld/gen/
 protoc -I $Agent/$Module/certificate -I ./common -I $Agent/$Module/certificate $Agent/$Module/certificate/moc_nodeagent_certificate.proto --go_out=plugins=grpc:../bld/gen/

diff --git a/rpc/nodeagent/security/keyvault/key/moc_nodeagent_key.proto b/rpc/nodeagent/security/keyvault/key/moc_nodeagent_key.proto
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache v2.0 license.
+
+syntax = "proto3";
+option go_package = "github.com/microsoft/moc/rpc/nodeagent/security";
+package moc.nodeagent.security;
+
+import "google/protobuf/wrappers.proto";
+import "moc_common_common.proto";
+import "moc_common_security.proto";
+import "google/protobuf/timestamp.proto";
+
+
+message KeyRequest {
+	repeated Key Keys = 1;
+	Operation OperationType = 2;
+}
+
+message KeyResponse {
+	repeated Key Keys = 1;
+	google.protobuf.BoolValue Result = 2;
+	string  Error = 3;
+}
+
+message KeyOperationRequest {
+	Key key = 1;
+	string Data = 2 [(sensitive) = true];
+	Algorithm algorithm = 3;
+	SignVerifyParams  SignVerifyParams = 4;
+	ProviderAccessOperation OperationType = 5;
+}
+
+message KeyOperationResponse {
+	string Data = 1 [(sensitive) = true];
+	google.protobuf.BoolValue Result = 2;
+	string  Error = 3;
+	Key key = 4;
+}
+
+message Key {
+	string name = 1;
+	string id = 2;
+	string locationName = 3;
+	// Public Key Value
+	bytes publicKey = 4 [(sensitive) = true];
+	JsonWebKeyType type = 5;
+	string vaultName = 6;
+	Status status = 7;
+	KeySize size = 8;
+	JsonWebKeyCurveName curve = 9;
+	repeated KeyOperation keyOps = 10;
+	Tags tags = 11;
+	Entity entity = 12;
+
+	int64 keyRotationFrequencyInSeconds = 13;
+	uint32 keyVersion = 14;
+	google.protobuf.Timestamp creationTime = 15;
+
+	// Private Key Value and wrapping information
+	bytes privateKey = 16 [(sensitive) = true];
+	PrivateKeyWrappingInfo privateKeyWrappingInfo = 17;
+}
+
+service KeyAgent {
+	rpc Invoke(KeyRequest) returns (KeyResponse) {}
+	rpc Operate(KeyOperationRequest) returns (KeyOperationResponse) {}
+}