Ensure different key ids use different client instances (#196)

rayokota · web-flow · commit d1e7c67cf2ac · 2024-12-04T10:36:57.000-08:00
diff --git a/schemaregistry/rules/encryption/awskms/aws-client.ts b/schemaregistry/rules/encryption/awskms/aws-client.ts
@@ -10,12 +10,14 @@ import {AwsCredentialIdentity, AwsCredentialIdentityProvider} from "@smithy/type
 export class AwsKmsClient implements KmsClient {
 
   private kmsClient: KMSClient
+  private keyUri: string
   private keyId: string
 
   constructor(keyUri: string, creds?: AwsCredentialIdentity | AwsCredentialIdentityProvider) {
     if (!keyUri.startsWith(AwsKmsDriver.PREFIX)) {
       throw new Error(`key uri must start with ${AwsKmsDriver.PREFIX}`)
     }
+    this.keyUri = keyUri
     this.keyId = keyUri.substring(AwsKmsDriver.PREFIX.length)
     const tokens = this.keyId.split(':')
     if (tokens.length < 4) {
@@ -29,7 +31,7 @@ export class AwsKmsClient implements KmsClient {
   }
 
   supported(keyUri: string): boolean {
-    return keyUri.startsWith(AwsKmsDriver.PREFIX)
+    return this.keyUri === keyUri
   }
 
   async encrypt(plaintext: Buffer): Promise<Buffer> {
diff --git a/schemaregistry/rules/encryption/azurekms/azure-client.ts b/schemaregistry/rules/encryption/azurekms/azure-client.ts
@@ -7,18 +7,20 @@ export class AzureKmsClient implements KmsClient {
   private static ALGORITHM: EncryptionAlgorithm = 'RSA-OAEP-256'
 
   private kmsClient: CryptographyClient
+  private keyUri: string
   private keyId: string
 
   constructor(keyUri: string, creds: TokenCredential) {
     if (!keyUri.startsWith(AzureKmsDriver.PREFIX)) {
       throw new Error(`key uri must start with ${AzureKmsDriver.PREFIX}`)
     }
+    this.keyUri = keyUri
     this.keyId = keyUri.substring(AzureKmsDriver.PREFIX.length)
     this.kmsClient = new CryptographyClient(this.keyId, creds)
   }
 
   supported(keyUri: string): boolean {
-    return keyUri.startsWith(AzureKmsDriver.PREFIX)
+    return this.keyUri === keyUri
   }
 
   async encrypt(plaintext: Buffer): Promise<Buffer> {
diff --git a/schemaregistry/rules/encryption/gcpkms/gcp-client.ts b/schemaregistry/rules/encryption/gcpkms/gcp-client.ts
@@ -5,20 +5,22 @@ import {KeyManagementServiceClient} from "@google-cloud/kms";
 export class GcpKmsClient implements KmsClient {
 
   private kmsClient: KeyManagementServiceClient
+  private keyUri: string
   private keyId: string
 
   constructor(keyUri: string, creds?: GcpCredentials) {
     if (!keyUri.startsWith(GcpKmsDriver.PREFIX)) {
       throw new Error(`key uri must start with ${GcpKmsDriver.PREFIX}`)
     }
+    this.keyUri = keyUri
     this.keyId = keyUri.substring(GcpKmsDriver.PREFIX.length)
     this.kmsClient = creds != null
       ? new KeyManagementServiceClient({credentials: creds})
       : new KeyManagementServiceClient()
   }
 
   supported(keyUri: string): boolean {
-    return keyUri.startsWith(GcpKmsDriver.PREFIX)
+    return this.keyUri === keyUri
   }
 
   async encrypt(plaintext: Buffer): Promise<Buffer> {
diff --git a/schemaregistry/rules/encryption/hcvault/hcvault-client.ts b/schemaregistry/rules/encryption/hcvault/hcvault-client.ts
@@ -5,13 +5,15 @@ import NodeVault from "node-vault";
 export class HcVaultClient implements KmsClient {
 
   private kmsClient: NodeVault.client
+  private keyUri: string
   private keyId: string
   private keyName: string
 
   constructor(keyUri: string, namespace?: string, token?: string) {
     if (!keyUri.startsWith(HcVaultDriver.PREFIX)) {
       throw new Error(`key uri must start with ${HcVaultDriver.PREFIX}`)
     }
+    this.keyUri = keyUri
     this.keyId = keyUri.substring(HcVaultDriver.PREFIX.length)
     let url = new URL(this.keyId)
     let parts = url.pathname.split('/')
@@ -28,7 +30,7 @@ export class HcVaultClient implements KmsClient {
   }
 
   supported(keyUri: string): boolean {
-    return keyUri.startsWith(HcVaultDriver.PREFIX)
+    return this.keyUri === keyUri
   }
 
   async encrypt(plaintext: Buffer): Promise<Buffer> {

Original file line number	Diff line number	Diff line change
`@@ -10,12 +10,14 @@ import {AwsCredentialIdentity, AwsCredentialIdentityProvider} from "@smithy/type`
`10`	`10`	`export class AwsKmsClient implements KmsClient {`
`11`	`11`
`12`	`12`	`private kmsClient: KMSClient`
	`13`	`+ private keyUri: string`
`13`	`14`	`private keyId: string`
`14`	`15`
`15`	`16`	`constructor(keyUri: string, creds?: AwsCredentialIdentity \| AwsCredentialIdentityProvider) {`
`16`	`17`	`if (!keyUri.startsWith(AwsKmsDriver.PREFIX)) {`
`17`	`18`	throw new Error(`key uri must start with ${AwsKmsDriver.PREFIX}`)
`18`	`19`	`}`
	`20`	`+ this.keyUri = keyUri`
`19`	`21`	`this.keyId = keyUri.substring(AwsKmsDriver.PREFIX.length)`
`20`	`22`	`const tokens = this.keyId.split(':')`
`21`	`23`	`if (tokens.length < 4) {`
`@@ -29,7 +31,7 @@ export class AwsKmsClient implements KmsClient {`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`supported(keyUri: string): boolean {`
`32`		`- return keyUri.startsWith(AwsKmsDriver.PREFIX)`
	`34`	`+ return this.keyUri === keyUri`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`async encrypt(plaintext: Buffer): Promise<Buffer> {`
Original file line number	Diff line number	Diff line change
`@@ -7,18 +7,20 @@ export class AzureKmsClient implements KmsClient {`
`7`	`7`	`private static ALGORITHM: EncryptionAlgorithm = 'RSA-OAEP-256'`
`8`	`8`
`9`	`9`	`private kmsClient: CryptographyClient`
	`10`	`+ private keyUri: string`
`10`	`11`	`private keyId: string`
`11`	`12`
`12`	`13`	`constructor(keyUri: string, creds: TokenCredential) {`
`13`	`14`	`if (!keyUri.startsWith(AzureKmsDriver.PREFIX)) {`
`14`	`15`	throw new Error(`key uri must start with ${AzureKmsDriver.PREFIX}`)
`15`	`16`	`}`
	`17`	`+ this.keyUri = keyUri`
`16`	`18`	`this.keyId = keyUri.substring(AzureKmsDriver.PREFIX.length)`
`17`	`19`	`this.kmsClient = new CryptographyClient(this.keyId, creds)`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`supported(keyUri: string): boolean {`
`21`		`- return keyUri.startsWith(AzureKmsDriver.PREFIX)`
	`23`	`+ return this.keyUri === keyUri`
`22`	`24`	`}`
`23`	`25`
`24`	`26`	`async encrypt(plaintext: Buffer): Promise<Buffer> {`