@@ -213,6 +213,9 @@ replace_secret(OldProps, NewProps) ->
213213 {error , not_found | bad_encrypt_id () |
214214 bad_usage_change ()}.
215215replace_secret_internal (OldProps , NewProps ) ->
216+ % % Make sure we have most recent information about which secrets are in use
217+ % % This is needed for verification of 'usage' modification
218+ maybe_reset_deks_counters (),
216219 Props = copy_static_props (OldProps , NewProps ),
217220 Res =
218221 chronicle_compat :txn (
@@ -1261,14 +1264,22 @@ validate_dek_related_usage_change(NewProps, PrevProps, Snapshot) ->
12611264 % % 1. [{bucket_encryption, "a"}] -> [{bucket_encryption, "b"}].
12621265 % % 2. [{bucket_encryption, "a"}] -> [config_encryption].
12631266 #{id := Id } = PrevProps ,
1267+ % % Check existing deks. If this secret still encrypts any deks, we should
1268+ % % not allow corresponding usage removal
1269+ KindsOfExistingDeks = get_dek_kinds_used_by_secret_id (Id , Snapshot ),
12641270 DekKindRequirements =
12651271 fun (Kind ) ->
12661272 #{required_usage := Requirement } = cb_deks :dek_config (Kind ),
1267- {succ , RV } = call_dek_callback (encryption_method_callback , Kind ,
1268- [Snapshot ]),
1269- case {ok , {secret , Id }} == RV of
1273+ case lists :member (Kind , KindsOfExistingDeks ) of
12701274 true -> {true , Requirement };
1271- false -> false
1275+ false ->
1276+ {succ , RV } = call_dek_callback (encryption_method_callback ,
1277+ Kind ,
1278+ [Snapshot ]),
1279+ case {ok , {secret , Id }} == RV of
1280+ true -> {true , Requirement };
1281+ false -> false
1282+ end
12721283 end
12731284 end ,
12741285 InUseList = lists :filtermap (DekKindRequirements ,
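Review bot: The counter refresh added at new line 219 of replace_secret_internal runs before `chronicle_compat:txn`, while the new `get_dek_kinds_used_by_secret_id(Id, Snapshot)` check at new line 1269 reads a snapshot (presumably the one taken inside that transaction), so the usage-removal guard is only as fresh as that one earlier call. The result of `maybe_reset_deks_counters()` is discarded; if it can fail or time out (its definition is not visible here), validation would proceed on stale counters and could allow removing a usage whose DEKs are still encrypted by this secret. I would either match on its success value so the replace fails closed, or state the limitation in the comment, e.g. `%% Best-effort: refreshed outside the txn, so DEKs created after this call are not seen by the usage check`. It also looks like any other caller of validate_dek_related_usage_change would need the same refresh, which is worth confirming. Both function bodies extend beyond the hunks shown.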