func GetURIAndCerts()

in client/vpc/vpc.go [63:95]


// GetURIAndCerts resolves the external EKM endpoint for an EXTERNAL_VPC
// crypto key. It looks up the key's EkmConnection, takes the server
// certificates of that connection's first service resolver as the
// certificate pool for the endpoint, and builds the key URI from the
// resolver hostname plus the primary CryptoKeyVersion's EkmConnectionKeyPath.
//
// An error is returned when the key names no EkmConnection backend, the
// EkmConnection lookup fails, the connection has no service resolvers, the
// server certificates cannot be turned into a pool, the key has no primary
// version, or the primary version carries no ExternalProtectionLevelOptions.
//
// Only the first service resolver is consulted; any further resolvers on
// the EkmConnection are ignored.
func GetURIAndCerts(ctx context.Context, client CloudEKMClient, cryptoKey *rpb.CryptoKey) (string, *x509.CertPool, error) {
	backend := cryptoKey.GetCryptoKeyBackend()
	if backend == "" {
		return "", nil, errors.New("No EKM Connection name specified")
	}

	req := &ekmpb.GetEkmConnectionRequest{Name: backend}
	conn, err := client.GetEkmConnection(ctx, req)
	if err != nil {
		return "", nil, fmt.Errorf("error retrieving KMS EkmConnection: %w", err)
	}

	resolvers := conn.GetServiceResolvers()
	if len(resolvers) == 0 {
		return "", nil, fmt.Errorf("No service resolvers found for EkmConnection %v", backend)
	}
	resolver := resolvers[0]

	// The resolver's server certificates are what the caller will trust for
	// the EKM endpoint, so a parse failure here is fatal.
	pool, err := toCertPool(resolver.GetServerCertificates())
	if err != nil {
		return "", nil, err
	}

	primary := cryptoKey.GetPrimary()
	if primary == nil {
		return "", nil, errors.New("No CryptoKeyVersion found")
	}
	if primary.ExternalProtectionLevelOptions == nil {
		return "", nil, errors.New("CryptoKeyVersion does not have external protection level options despite being EXTERNAL_VPC protection level")
	}

	// For EXTERNAL_VPC the URI is the EkmConnection hostname combined with the
	// key path carried in ExternalProtectionLevelOptions.
	keyPath := primary.GetExternalProtectionLevelOptions().GetEkmConnectionKeyPath()
	return externalURI(resolver.GetHostname(), keyPath), pool, nil
}