MB-61292: Permanently remove retired keys after 3 months

Change-Id: I117175202e6d88f90a1d0fbd71bcb85284aafb79
Reviewed-on: https://review.couchbase.org/c/ns_server/+/221116
Reviewed-by: Navdeep S Boparai <[email protected]>
Tested-by: Timofey Barmin <[email protected]>
Well-Formed: Build Bot <[email protected]>

Author: timofey-barmin

apps/ns_server/src/cb_cluster_secrets.erl

@@ -92,7 +92,8 @@
                            rotate_keks => undefined,
                            dek_cleanup => undefined,
                            rotate_deks => undefined,
-                           dek_info_update => undefined}
+                           dek_info_update => undefined,
+                           remove_retired_keys => undefined}
                          :: #{atom() := reference() | undefined},
                 deks = undefined :: #{cb_deks:dek_kind() := deks_info()} |
                                     undefined,
@@ -707,7 +708,8 @@ init([Type]) ->
                           run_jobs(_),
                           restart_dek_cleanup_timer(_),
                           restart_rotation_timer(_),
-                          restart_dek_info_update_timer(true, _)])}.
+                          restart_dek_info_update_timer(true, _),
+                          restart_remove_retired_timer(_)])}.
 
 handle_call({call, {M, F, A} = MFA}, _From,
             #state{proc_type = ?MASTER_PROC} = State) ->
@@ -861,6 +863,13 @@ handle_info({timer, dek_info_update} = Msg,
     {_Res, NewState} = calculate_dek_info(State),
     {noreply, restart_dek_info_update_timer(false, NewState)};
 
+handle_info({timer, remove_retired_keys} = Msg,
+            #state{proc_type = ?NODE_PROC} = State) ->
+    ?log_debug("Remove retired keys timer"),
+    misc:flush(Msg),
+    encryption_service:cleanup_retired_keys(),
+    {noreply, restart_remove_retired_timer(State)};
+
 handle_info(Info, State) ->
     ?log_warning("Unhandled info: ~p", [Info]),
     {noreply, State}.
@@ -1607,6 +1616,7 @@ maybe_read_deks(#state{proc_type = ?NODE_PROC, deks = undefined} = State) ->
                       NewAcc
                   end, NewState2, Kinds),
     ok = garbage_collect_keks(),
+    encryption_service:cleanup_retired_keys(),
 
     %% We should rotate here (when process is starting) because we can
     %% hypothetically crash after calling set_active() but before calling
@@ -2445,6 +2455,29 @@ dek_rotation_time(Kind, #{is_enabled := true, active_id := ActiveId,
             {error, E}
     end.
 
+-spec calculate_next_remove_retired_time(calendar:datetime()) ->
+          non_neg_integer().
+calculate_next_remove_retired_time({{Year, Month, _Day},
+                                    {_Hour, _Min, _Sec}} = Now) ->
+    %% We want to remove retired keys at 12:00:00 of the first day of next month
+    %% Calculate first day of next month
+    {NextYear, NextMonth} =
+        case Month of
+            12 -> {Year + 1, 1};
+            _ -> {Year, Month + 1}
+        end,
+    NextTime = {{NextYear, NextMonth, 1}, {12, 0, 0}},
+    CurrentSecs = calendar:datetime_to_gregorian_seconds(Now),
+    NextSecs = calendar:datetime_to_gregorian_seconds(NextTime),
+    (NextSecs - CurrentSecs) * 1000.
+
+-spec restart_remove_retired_timer(#state{}) -> #state{}.
+restart_remove_retired_timer(#state{proc_type = ?MASTER_PROC} = State) ->
+    State;
+restart_remove_retired_timer(#state{proc_type = ?NODE_PROC} = State) ->
+    Time = calculate_next_remove_retired_time(calendar:universal_time()),
+    restart_timer(remove_retired_keys, Time, State).
+
 validate_for_config_encryption(#{type := T,
                                  data := #{encrypt_by := nodeSecretManager}},
                                Snapshot) when T == ?GENERATED_KEY_TYPE;
@@ -3305,4 +3338,39 @@ update_next_rotation_time_test() ->
     ?assertEqual(Future(3 * D - 1), Calc(Past(12 * D + 1), 3, true)),
     ?assertEqual(Future(1),         Calc(Past(12 * D - 1), 3, true)).
 
+calculate_next_remove_retired_time_test() ->
+    TimeDiff = fun (A, B) ->
+                    (calendar:datetime_to_gregorian_seconds(A) -
+                     calendar:datetime_to_gregorian_seconds(B)) * 1000
+               end,
+    %% Test mid-month case
+    MidMonth = {{2023, 6, 15}, {14, 30, 45}},
+    ExpectedMidMonth = TimeDiff({{2023, 7, 1}, {12, 0, 0}}, MidMonth),
+    ?assertEqual(ExpectedMidMonth,
+                 calculate_next_remove_retired_time(MidMonth)),
+
+    %% Test end of month case
+    EndMonth = {{2023, 6, 30}, {23, 59, 59}},
+    ExpectedEndMonth = TimeDiff({{2023, 7, 1}, {12, 0, 0}}, EndMonth),
+    ?assertEqual(ExpectedEndMonth,
+                 calculate_next_remove_retired_time(EndMonth)),
+
+    %% Test start of month case
+    StartMonth = {{2023, 6, 1}, {0, 0, 0}},
+    ExpectedStartMonth = TimeDiff({{2023, 7, 1}, {12, 0, 0}}, StartMonth),
+    ?assertEqual(ExpectedStartMonth,
+                 calculate_next_remove_retired_time(StartMonth)),
+
+    %% Test December case (year rollover)
+    December = {{2023, 12, 15}, {12, 0, 0}},
+    ExpectedDecember = TimeDiff({{2024, 1, 1}, {12, 0, 0}}, December),
+    ?assertEqual(ExpectedDecember,
+                 calculate_next_remove_retired_time(December)),
+
+    %% Test exactly at noon on first of month
+    AtNoon = {{2023, 6, 1}, {12, 0, 0}},
+    ExpectedAtNoon = TimeDiff({{2023, 7, 1}, {12, 0, 0}}, AtNoon),
+    ?assertEqual(ExpectedAtNoon,
+                 calculate_next_remove_retired_time(AtNoon)).
+
 -endif.

apps/ns_server/src/encryption_service.erl

@@ -39,6 +39,7 @@
          decode_key_info/1,
          garbage_collect_keks/1,
          garbage_collect_keys/2,
+         cleanup_retired_keys/0,
          maybe_rotate_integrity_tokens/1,
          remove_old_integrity_tokens/1,
          get_key_ids_in_use/0]).
@@ -55,6 +56,8 @@
 
 -define(RUNNER, {cb_gosecrets_runner, ns_server:get_babysitter_node()}).
 -define(RESTART_WAIT_TIMEOUT, 120000).
+-define(RETIRED_KEYS_RETENTION_MONTHS,
+        ?get_param(retired_keys_retention_months, 3)).
 
 start_link() ->
     gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
@@ -562,8 +565,144 @@ select_files_to_retire(Dir, _KeyIdsInUse, {error, Reason}) ->
                [Dir, Reason]),
     [].
 
+cleanup_retired_keys() ->
+    cleanup_retired_keys(calendar:universal_time(),
+                         ?RETIRED_KEYS_RETENTION_MONTHS).
+
+cleanup_retired_keys({{CurrentYear, CurrentMonth, _}, _}, RetentionMonths) ->
+    ?log_debug("Cleanup retired keys"),
+    RetiredDir = retired_keys_dir(),
+    maybe
+        {ok, Dirs} ?= file:list_dir(RetiredDir),
+        CurrentMonths = CurrentYear * 12 + CurrentMonth,
+        lists:foreach(
+          fun (DirName) ->
+              FullPath = filename:join(RetiredDir, DirName),
+              maybe
+                  {dir, true} ?= {dir, filelib:is_dir(FullPath)},
+                  {ok, {Year, Month}} ?= parse_retired_dir_name(DirName),
+                  DirMonths = Year * 12 + Month,
+                  {old, true} ?=
+                      {old, CurrentMonths - DirMonths > RetentionMonths},
+                  AllFiles = file:list_dir(FullPath),
+                  ?log_info("Permanently removing retired keys directory ~s as "
+                            "it is older than ~b months. Keys to be "
+                            "removed: ~.0p",
+                            [FullPath, RetentionMonths, AllFiles]),
+                  ok ?= misc:rm_rf(FullPath)
+              else
+                  {dir, false} ->
+                      ?log_warning("Invalid retired keys directory name "
+                                   "(not a directory): ~s, will be "
+                                   "ignored", [FullPath]);
+                  error ->
+                      ?log_warning("Invalid retired keys directory name: ~s, "
+                                   "will be ignored", [DirName]);
+                  {old, false} ->
+                      ok;
+                  {error, Reason} ->
+                      ?log_error("Failed to remove retired keys directory ~s: "
+                                 "~p", [FullPath, Reason])
+              end
+          end, Dirs),
+        ok
+    else
+        {error, enoent} ->
+            ok;
+        {error, Reason} ->
+            ?log_error("Failed to list retired keys directory ~s: ~p",
+                       [RetiredDir, Reason]),
+            ok
+    end.
+
+parse_retired_dir_name(DirName) ->
+    try
+        [YearStr, MonthStr] = string:tokens(DirName, "-"),
+        Year = list_to_integer(YearStr),
+        Month = list_to_integer(MonthStr),
+        case calendar:valid_date(Year, Month, 1) of
+            true -> {ok, {Year, Month}};
+            false -> error
+        end
+    catch
+        _:_ -> error
+    end.
+
 -ifdef(TEST).
 
+cleanup_retired_keys_test() ->
+    %% Create temp directory for test
+    RetiredDir = retired_keys_dir(),
+    ok = filelib:ensure_dir(RetiredDir ++ "/"),
+
+    %% Helper to create test directories and files
+    CreateTestDir =
+        fun (YearMonth) ->
+            Dir = filename:join(RetiredDir, YearMonth),
+            ok = filelib:ensure_dir(Dir ++ "/"),
+            ok = file:write_file(filename:join(Dir, "test.key.1"), <<"test">>)
+        end,
+
+    try
+        %% Create test directories for different months
+        lists:foreach(CreateTestDir, [
+            "2023-10",  %% Should be removed (>3 months old)
+            "2023-11",  %% Should be removed (>3 months old) 
+            "2023-12",  %% Should stay (3 months old)
+            "2024-01",  %% Should stay (2 months old)
+            "2025-02"   %% Should stay (in future)
+        ]),
+
+        %% Also create some invalid directory names that should be ignored
+        lists:foreach(CreateTestDir, [
+            "not-a-date",
+            "2023-13",
+            "2023-0",
+            "2023"
+        ]),
+        %% Create a file in retiredKeysDir, should be ignored
+        ok = file:write_file(filename:join(RetiredDir, "test.key.1"),
+                             <<"test">>),
+
+        %% Run cleanup with reference date of 2024-03-01 and 3 month retention
+        ok = cleanup_retired_keys({{2024, 3, 1}, {0,0,0}}, 3),
+
+        %% Verify correct directories were removed/kept
+        ?assertNot(filelib:is_dir(filename:join(RetiredDir, "2023-10"))),
+        ?assertNot(filelib:is_dir(filename:join(RetiredDir, "2023-11"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2023-12"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2024-01"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2025-02"))),
+
+        %% Invalid directories and files should still exist since they were
+        %% ignored
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "not-a-date"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2023-13"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2023-0"))),
+        ?assert(filelib:is_dir(filename:join(RetiredDir, "2023"))),
+        ?assert(filelib:is_file(filename:join(RetiredDir, "test.key.1")))
+
+    after
+        %% Cleanup test directory
+        ok = misc:rm_rf(RetiredDir)
+    end.
+
+parse_retired_dir_name_test() ->
+    ?assertEqual({ok, {2023, 12}}, parse_retired_dir_name("2023-12")),
+    ?assertEqual({ok, {2024, 1}}, parse_retired_dir_name("2024-1")),
+    ?assertEqual({ok, {2024, 1}}, parse_retired_dir_name("2024-01")),
+    ?assertEqual(error, parse_retired_dir_name("2024-13")),
+    ?assertEqual(error, parse_retired_dir_name("2024-0")),
+    ?assertEqual(error, parse_retired_dir_name("2024")),
+    ?assertEqual(error, parse_retired_dir_name("2024-")),
+    ?assertEqual(error, parse_retired_dir_name("2024-")),
+    ?assertEqual(error, parse_retired_dir_name("-12")),
+    ?assertEqual(error, parse_retired_dir_name("abc-12")),
+    ?assertEqual(error, parse_retired_dir_name("2024-abc")),
+    ?assertEqual(error, parse_retired_dir_name("")),
+    ?assertEqual(error, parse_retired_dir_name("2024-12-25")).
+
+
 -define(A, "a0000000-0000-0000-0000-000000000000").
 -define(B, "b0000000-0000-0000-0000-000000000000").
 -define(C, "c0000000-0000-0000-0000-000000000000").
@@ -630,15 +769,15 @@ key_path(Kind) ->
 bucket_dek_id(Bucket, DekId) ->
     iolist_to_binary(filename:join([Bucket, "deks", DekId])).
 
+retired_keys_dir() ->
+    filename:join(path_config:component_path(data), "retired_keys").
+
 retire_key(Kind, Filename) ->
     Dir = key_path(Kind),
     FromPath = filename:join(Dir, Filename),
     {{Y, M, _}, _} = calendar:universal_time(),
     MonthDir = lists:flatten(io_lib:format("~b-~b", [Y, M])),
-    ToPath = filename:join([path_config:component_path(data),
-                            "retired_keys",
-                            MonthDir,
-                            Filename]),
+    ToPath = filename:join([retired_keys_dir(), MonthDir, Filename]),
     case filelib:ensure_dir(ToPath) of
         ok ->
             case misc:atomic_rename(FromPath, ToPath) of