Update KMS method signatures to standardize on KeyringException

It came up during the review of [] that it doesn't make a lot of sense
for encrypt() and decrypt() to not throw the same kinds of Exceptions,
especially not for the same kind of problem, just because one happens to use a
Retrier in its internal implementation and the other doesn't.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=201054057

java/google/registry/keyring/kms/KmsConnection.java

@@ -14,7 +14,7 @@
 
 package google.registry.keyring.kms;
 
-import java.io.IOException;
+import google.registry.keyring.api.KeyringException;
 
 /** An abstraction to simplify Cloud KMS operations. */
 interface KmsConnection {
@@ -34,9 +34,15 @@ interface KmsConnection {
    * {@code MAX_SECRET_SIZE_BYTES}.
    *
    * <p>If no applicable CryptoKey or CryptoKeyVersion exist, they will be created.
+   *
+   * @throws KeyringException on encryption failure.
    */
-  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException;
+  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext);
 
-  /** Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}. */
-  byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException;
+  /**
+   * Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}.
+   *
+   * @throws KeyringException on decryption failure.
+   */
+  byte[] decrypt(String cryptoKeyName, String encodedCiphertext);
 }

java/google/registry/keyring/kms/KmsConnectionImpl.java

@@ -57,11 +57,20 @@ class KmsConnectionImpl implements KmsConnection {
   }
 
   @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) {
     checkArgument(
         value.length <= MAX_SECRET_SIZE_BYTES,
         "Value to encrypt was larger than %s bytes",
         MAX_SECRET_SIZE_BYTES);
+    try {
+      return attemptEncrypt(cryptoKeyName, value);
+    } catch (IOException e) {
+      throw new KeyringException(
+          String.format("CloudKMS encrypt operation failed for secret %s", cryptoKeyName), e);
+    }
+  }
+
+  private EncryptResponse attemptEncrypt(String cryptoKeyName, byte[] value) throws IOException {
     String fullKeyRingName = getKeyRingName(projectId, kmsKeyRingName);
     try {
       kms.projects().locations().keyRings().get(fullKeyRingName).execute();

java/google/registry/keyring/kms/KmsKeyring.java

@@ -192,7 +192,7 @@ public class KmsKeyring implements Keyring {
 
     try {
       return kmsConnection.decrypt(secret.getName(), encryptedData);
-    } catch (IOException e) {
+    } catch (Exception e) {
       throw new KeyringException(
           String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
     }

javatests/google/registry/keyring/kms/FakeKmsConnection.java

@@ -15,7 +15,6 @@
 package google.registry.keyring.kms;
 
 import com.google.common.io.BaseEncoding;
-import java.io.IOException;
 import org.bouncycastle.util.Arrays;
 
 class FakeKmsConnection implements KmsConnection {
@@ -29,7 +28,7 @@ class FakeKmsConnection implements KmsConnection {
    * and the name of the cryptoKeyVersion is {@code cryptoKeyName + "/foo"}.
    */
   @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) {
     return EncryptResponse.create(
         BaseEncoding.base64().encode(Arrays.reverse(plaintext)), cryptoKeyName + "/foo");
   }
@@ -40,7 +39,7 @@ class FakeKmsConnection implements KmsConnection {
    * <p>The plaintext is the encodedCiphertext base64-decoded and then reversed.
    */
   @Override
-  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException {
+  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) {
     return Arrays.reverse(BaseEncoding.base64().decode(encodedCiphertext));
   }
 }