Do not allow PKI-KMS workers to have names updated via API (hashicorp#3143)

Do not allow PKI-KMS workers to have names updated via API

This would cause their public IDs to change, which we do not want.

Descriptions are also disallowed, since those come from the config file.

This also adds logic to allow upgrading from old KMS method to new, with
a test.

Co-authored-by: Irena Rindos <[email protected]>

Author: jefferai

CHANGELOG.md

@@ -11,7 +11,11 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   only recommended if compatibility with pre-0.13 workers using the KMS auth
   method is required. Requiring opting in removes some potentially confusing
   behavior for deciding when to use the old versus new mechanism. To opt in, add
-  `use_deprecated_kms_auth_method = true` to the `worker` config block.
+  `use_deprecated_kms_auth_method = true` to the `worker` config block. Note
+  that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the
+  transition to the new method will happen automatically. To go back to the old
+  method after that will require the worker to be deleted and re-added with the
+  `use_deprecated_kms_auth_method` config field specified.
 * When grants are added to roles additional validity checking is now performed.
   This extra validity checking is designed to reject grants that are not
   [documented grant

Makefile

@@ -36,7 +36,7 @@ golangci-lint:
 	$(eval GOLINT_INSTALLED := $(shell which golangci-lint))
 
 	if [ "$(GOLINT_INSTALLED)" = "" ]; then \
-		sh scripts/install-golangci-lint.sh -b $(GO_PATH)/bin v1.51.2; \
+		sh scripts/install-golangci-lint.sh -b $(GO_PATH)/bin v1.52.2; \
 	fi;
 
 .PHONY: cleangen

internal/daemon/controller/handlers/workers/worker_service.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	stderrors "errors"
 	"fmt"
 	"strings"
 
@@ -334,8 +335,25 @@ func (s Service) UpdateWorker(ctx context.Context, req *pbs.UpdateWorkerRequest)
 	if authResults.Error != nil {
 		return nil, authResults.Error
 	}
+
 	w, err := s.updateInRepo(ctx, authResults.Scope.GetId(), req.GetId(), req.GetUpdateMask().GetPaths(), req.GetItem())
-	if err != nil {
+	switch {
+	case err == nil:
+	case stderrors.Is(err, server.ErrCannotUpdateKmsWorkerViaApi):
+		// Treat this like a "bad field" error on name even though we couldn't
+		// return it in validation without having to make an additional call and
+		// a lot of additional logic
+		return nil, handlers.ValidateUpdateRequest(req, req.GetItem(), func() map[string]string {
+			badFields := make(map[string]string)
+			if req.GetItem().GetName().GetValue() != "" {
+				badFields[globals.NameField] = "KMS-registered workers cannot have their name updated via the API."
+			}
+			if req.GetItem().GetDescription().GetValue() != "" {
+				badFields[globals.DescriptionField] = "KMS-registered workers cannot have their description updated via the API."
+			}
+			return badFields
+		}, globals.WorkerPrefix)
+	default:
 		return nil, err
 	}