vcsim: add QueryCryptoKeyStatus

vmware · Oct 29, 2024 · ca05e10 · ca05e10
1 parent 66fc63a
commit ca05e10
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 0 deletions.
diff --git a/govc/test/kms.bats b/govc/test/kms.bats
@@ -80,3 +80,48 @@ load test_helper
   run govc kms.rm nkp
   assert_success
 }
+
+@test "kms.key" {
+  vcsim_env
+
+  run govc kms.add -N nkp
+  assert_success
+
+  host=$(govc env -x GOVC_URL_HOST)
+
+  run govc kms.add -n my-server -a "$host" skp
+  assert_success
+
+  export GOVC_SHOW_UNRELEASED=true
+
+  run govc kms.key.create nkp
+  assert_failure # Cannot generate keys with native key provider
+
+  run govc kms.key.create skp
+  assert_success
+  skey="$output"
+
+  run govc kms.key.info -p skp "$skey"
+  assert_success
+
+  run govc kms.key.info -json "$skey"
+  assert_success
+
+  run jq .status[].keyAvailable <<<"$output"
+  assert_success "false" # provider not specified
+
+  run govc kms.key.info -json -p skp "$skey"
+  assert_success
+
+  run jq .status[].keyAvailable <<<"$output"
+  assert_success "true"
+
+  run govc kms.key.info -p nkp "$skey"
+  assert_success
+
+  run govc kms.key.info -json -p nkp "$skey"
+  assert_success
+
+  run jq .status[].keyAvailable <<<"$output"
+  assert_success "false" # wrong provider for key
+}
diff --git a/simulator/crypto_manager_kmip.go b/simulator/crypto_manager_kmip.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/google/uuid"
 
+	"github.com/vmware/govmomi/crypto"
 	"github.com/vmware/govmomi/vim25/methods"
 	"github.com/vmware/govmomi/vim25/mo"
 	"github.com/vmware/govmomi/vim25/soap"
@@ -537,6 +538,60 @@ func (m *CryptoManagerKmip) ListKeys(
 	return &body
 }
 
+func (m *CryptoManagerKmip) QueryCryptoKeyStatus(
+	ctx *Context, req *types.QueryCryptoKeyStatus) soap.HasFault {
+
+	status := make([]types.CryptoManagerKmipCryptoKeyStatus, len(req.KeyIds))
+
+	servers := make(map[string]types.KmipClusterInfo, len(m.KmipServers))
+	for _, p := range m.KmipServers {
+		servers[p.KeyId] = p
+	}
+
+	for i, id := range req.KeyIds {
+		s := types.CryptoManagerKmipCryptoKeyStatus{KeyId: id}
+
+		if req.CheckKeyBitMap&crypto.CheckKeyAvailable != 0 {
+			s.KeyAvailable = types.NewBool(false)
+			s.Reason = string(types.CryptoManagerKmipCryptoKeyStatusKeyUnavailableReasonKeyStateMissingInKMS)
+
+			providerID := ""
+			if id.ProviderId != nil {
+				providerID = id.ProviderId.Id
+			}
+			cluster := servers[providerID]
+			if pid, ok := m.keyIDToProviderID[id.KeyId]; ok {
+				if cluster.ManagementType == string(types.KmipClusterInfoKmsManagementTypeNativeProvider) {
+					s.Reason = string(types.CryptoManagerKmipCryptoKeyStatusKeyUnavailableReasonKeyStateManagedByNKP)
+				} else if pid == providerID {
+					*s.KeyAvailable = true
+					s.Reason = ""
+				}
+			}
+		}
+
+		if req.CheckKeyBitMap&crypto.CheckKeyUsedByVms != 0 {
+			for _, obj := range ctx.Map.All("VirtualMachine") {
+				ctx.WithLock(obj, func() {
+					if key := obj.(*VirtualMachine).Config.KeyId; key != nil {
+						if *key == id {
+							status[i].EncryptedVMs = append(status[i].EncryptedVMs, obj.Reference())
+						}
+					}
+				})
+			}
+		}
+
+		status[i] = s
+	}
+
+	return &methods.QueryCryptoKeyStatusBody{
+		Res: &types.QueryCryptoKeyStatusResponse{
+			Returnval: status,
+		},
+	}
+}
+
 func getDefaultProvider(
 	ctx *Context,
 	vm *VirtualMachine,