Update KMS method signatures to standardize on KeyringException

It came up during the review of [] that it doesn't make a lot of sense for encrypt() and decrypt() to not throw the same kinds of Exceptions, especially not for the same kind of problem, just because one happens to use a Retrier in its internal implementation and the other doesn't. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=201054057
2025-05-14 08:27:14 +02:00 · 2018-06-18 14:01:37 -07:00 · 2018-06-18 14:01:37 -07:00 · a7256f5edd
commit a7256f5edd
parent f971583dc0
4 changed files with 24 additions and 10 deletions
--- a/java/google/registry/keyring/kms/KmsConnection.java
+++ b/java/google/registry/keyring/kms/KmsConnection.java
@ -14,7 +14,7 @@

 package google.registry.keyring.kms;

-import java.io.IOException;
+import google.registry.keyring.api.KeyringException;

 /** An abstraction to simplify Cloud KMS operations. */
 interface KmsConnection {
@ -34,9 +34,15 @@ interface KmsConnection {
   * {@code MAX_SECRET_SIZE_BYTES}.
   *
   * <p>If no applicable CryptoKey or CryptoKeyVersion exist, they will be created.
+   *
+   * @throws KeyringException on encryption failure.
   */
-  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException;
+  EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext);

-  /** Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}. */
-  byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException;
+  /**
+   * Decrypts a Cloud KMS encrypted and encoded value with CryptoKey {@code cryptoKeyName}.
+   *
+   * @throws KeyringException on decryption failure.
+   */
+  byte[] decrypt(String cryptoKeyName, String encodedCiphertext);
 }
--- a/java/google/registry/keyring/kms/KmsConnectionImpl.java
+++ b/java/google/registry/keyring/kms/KmsConnectionImpl.java
@ -57,11 +57,20 @@ class KmsConnectionImpl implements KmsConnection {
  }

  @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] value) {
    checkArgument(
        value.length <= MAX_SECRET_SIZE_BYTES,
        "Value to encrypt was larger than %s bytes",
        MAX_SECRET_SIZE_BYTES);
+    try {
+      return attemptEncrypt(cryptoKeyName, value);
+    } catch (IOException e) {
+      throw new KeyringException(
+          String.format("CloudKMS encrypt operation failed for secret %s", cryptoKeyName), e);
+    }
+  }
+
+  private EncryptResponse attemptEncrypt(String cryptoKeyName, byte[] value) throws IOException {
    String fullKeyRingName = getKeyRingName(projectId, kmsKeyRingName);
    try {
      kms.projects().locations().keyRings().get(fullKeyRingName).execute();
@ -143,7 +152,7 @@ class KmsConnectionImpl implements KmsConnection {
    }
  }

-  private byte[] attemptDecrypt(String cryptoKeyName, String encodedCiphertext) throws IOException{
+  private byte[] attemptDecrypt(String cryptoKeyName, String encodedCiphertext) throws IOException {
    return kms.projects()
        .locations()
        .keyRings()
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@ -192,7 +192,7 @@ public class KmsKeyring implements Keyring {

    try {
      return kmsConnection.decrypt(secret.getName(), encryptedData);
-    } catch (IOException e) {
+    } catch (Exception e) {
      throw new KeyringException(
          String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
    }
--- a/javatests/google/registry/keyring/kms/FakeKmsConnection.java
+++ b/javatests/google/registry/keyring/kms/FakeKmsConnection.java
@ -15,7 +15,6 @@
 package google.registry.keyring.kms;

 import com.google.common.io.BaseEncoding;
-import java.io.IOException;
 import org.bouncycastle.util.Arrays;

 class FakeKmsConnection implements KmsConnection {
@ -29,7 +28,7 @@ class FakeKmsConnection implements KmsConnection {
   * and the name of the cryptoKeyVersion is {@code cryptoKeyName + "/foo"}.
   */
  @Override
-  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) throws IOException {
+  public EncryptResponse encrypt(String cryptoKeyName, byte[] plaintext) {
    return EncryptResponse.create(
        BaseEncoding.base64().encode(Arrays.reverse(plaintext)), cryptoKeyName + "/foo");
  }
@ -40,7 +39,7 @@ class FakeKmsConnection implements KmsConnection {
   * <p>The plaintext is the encodedCiphertext base64-decoded and then reversed.
   */
  @Override
-  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) throws IOException {
+  public byte[] decrypt(String cryptoKeyName, String encodedCiphertext) {
    return Arrays.reverse(BaseEncoding.base64().decode(encodedCiphertext));
  }
 }