MINOR refactor of DEK creation (#275)

rayokota · web-flow · commit 9cb18baf2b24 · 2025-03-18T09:02:58.000-07:00
* MINOR refactor of DEK creation

* Minor fix
diff --git a/schemaregistry/rules/encryption/encrypt-executor.ts b/schemaregistry/rules/encryption/encrypt-executor.ts
@@ -388,21 +388,14 @@ export class FieldEncryptionExecutorTransform implements FieldTransform {
         encryptedDek = await kmsClient.encrypt(rawDek)
       }
       const newVersion = isExpired ? dek!.version! + 1 : null
-      const newDekId: DekId = {
-        kekName: this.kekName,
-        subject: ctx.subject,
-        version: newVersion,
-        algorithm: this.cryptor.dekFormat,
-        deleted: isRead,
-      }
-      // encryptedDek may be passed as null if kek is shared
-      dek = await this.storeDekToRegistry(newDekId, encryptedDek)
-      if (dek == null) {
-        // handle conflicts (409)
-        dek = await this.retrieveDekFromRegistry(dekId)
-      }
-      if (dek == null) {
-        throw new RuleError(`no dek found for ${this.kekName} during produce`)
+      try {
+        dek = await this.createDek(dekId, newVersion, encryptedDek)
+      } catch (err) {
+        if (dek == null) {
+          throw err;
+        }
+        console.warn("failed to create dek for %s, subject %s, version %d, using existing dek",
+          this.kekName, ctx.subject, newVersion)
       }
     }
 
@@ -419,6 +412,27 @@ export class FieldEncryptionExecutorTransform implements FieldTransform {
     return dek
   }
 
+  async createDek(dekId: DekId, newVersion: number | null, encryptedDek: Buffer | null): Promise<Dek> {
+    const newDekId: DekId = {
+      kekName: dekId.kekName,
+      subject: dekId.subject,
+      version: newVersion,
+      algorithm: dekId.algorithm,
+      deleted: dekId.deleted,
+    }
+    // encryptedDek may be passed as null if kek is shared
+    let dek = await this.storeDekToRegistry(newDekId, encryptedDek)
+    if (dek == null) {
+      // handle conflicts (409)
+      dek = await this.retrieveDekFromRegistry(dekId)
+    }
+    if (dek == null) {
+      throw new RuleError(`no dek found for ${dekId.kekName} during produce`)
+    }
+
+    return dek
+  }
+
   async retrieveDekFromRegistry(key: DekId): Promise<Dek | null> {
     try {
         let dek: Dek
