func getKekCryptoKey()

in client/client.go [196:224]


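// getKekCryptoKey fetches the Cloud KMS CryptoKey that kekInfo refers to and
// confirms it is in a usable state before returning it.
//
// kekInfo must carry a KEK URI (KekInfo_KekUri) that starts with the
// package-level gcpKeyPrefix; the remainder of the URI is used verbatim as the
// KMS resource name in the GetCryptoKey request. The key is accepted only when
// its primary CryptoKeyVersion is ENABLED and reports a concrete protection
// level (anything other than PROTECTION_LEVEL_UNSPECIFIED).
//
// The error from the KMS call is wrapped with %w so callers can inspect the
// underlying failure (for example a gRPC status) with errors.Is/errors.As.
func getKekCryptoKey(ctx context.Context, kmsClient cloudkms.Client, kekInfo *configpb.KekInfo) (*rpb.CryptoKey, error) {
	// Only KekInfo values that describe a KEK URI can be resolved to a KMS key.
	if _, ok := kekInfo.GetKekType().(*configpb.KekInfo_KekUri); !ok {
		return nil, fmt.Errorf("cannot retrieve KEK Metadata for a non-KEK")
	}

	uri := kekInfo.GetKekUri()
	// Refuse anything that is not explicitly a GCP KMS key URI.
	if !strings.HasPrefix(uri, gcpKeyPrefix) {
		return nil, fmt.Errorf("%v does not have the expected URI prefix, want %v", uri, gcpKeyPrefix)
	}

	// The KMS resource name is the URI with the scheme prefix stripped.
	name := strings.TrimPrefix(uri, gcpKeyPrefix)
	cryptoKey, err := kmsClient.GetCryptoKey(ctx, &spb.GetCryptoKeyRequest{Name: name})
	if err != nil {
		// %w (not %v) keeps the KMS error in the chain for errors.Is/errors.As.
		return nil, fmt.Errorf("error retrieving key metadata: %w", err)
	}

	// GetPrimary/GetState are nil-safe generated getters: a key with no primary
	// version reports STATE_UNSPECIFIED here and is rejected.
	cryptoKeyVer := cryptoKey.GetPrimary()
	if cryptoKeyVer.GetState() != rpb.CryptoKeyVersion_ENABLED {
		return nil, fmt.Errorf("CryptoKeyVersion for %v is not enabled", uri)
	}

	// Use the getter rather than the raw field so this check stays nil-safe and
	// consistent with the state check above.
	if cryptoKeyVer.GetProtectionLevel() == rpb.ProtectionLevel_PROTECTION_LEVEL_UNSPECIFIED {
		return nil, fmt.Errorf("unspecified protection level %v", cryptoKeyVer.GetProtectionLevel())
	}

	return cryptoKey, nil
}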