Adding encryption_at_rest endpoints under the standard rest package

ashwin2002 · ashwin2002 · commit 59e164f7fc71 · 2026-05-15T04:53:01.000Z
Change-Id: Ie16d8811a0d2466201c7a46e98b415543d9db4a4 Reviewed-on: https://review.couchbase.org/c/TAF/+/245053 Tested-by: Build Bot <build@couchbase.com> Reviewed-by: <pulkit.matta@couchbase.com> Tested-by: Ashwin <ashwin.govindarajulu@couchbase.com>
diff --git a/AGENTS.md b/AGENTS.md
@@ -262,6 +262,11 @@ agents/
 ### Available agents & skills
 See [agents/AGENTS.md](agents/AGENTS.md) for the full list of agents and skills.
 
+### AGENTS.md-first rule
+Before opening any `.py` file in a directory, read that directory's `AGENTS.md` if one exists.
+AGENTS.md files pre-compile file-to-class mappings, method inventories, inheritance chains, and known stubs — reading them first avoids redundant file reads.
+If the subdirectory also has an AGENTS.md (e.g. `buckets/AGENTS.md`), read that too before its `.py` files.
+
 ---
 
 ## Supporting Documentation
diff --git a/couchbase_utils/cb_server_rest_util/security/AGENTS.md b/couchbase_utils/cb_server_rest_util/security/AGENTS.md
@@ -45,9 +45,19 @@ No REST methods implemented yet — placeholder class.
 | Method | Verb | Path |
 |---|---|---|
 | `list_encryption_at_rest_keys` | GET | `/settings/encryptionKeys/` |
+| `get_encryption_at_rest_key` | GET | `/settings/encryptionKeys/{KEY_ID}` |
 | `create_encryption_at_rest_key` | POST | `/settings/encryptionKeys` |
-| `update_encryption_at_rest_key` | PUT | `/settings/encryptionKeys/{keyId}` |
-| `test_encryption_at_rest_key` | POST | `/settings/encryptionKeys/{keyId}/test` |
+| `update_encryption_at_rest_key` | PUT | `/settings/encryptionKeys/{KEY_ID}` |
+| `delete_encryption_at_rest_key` | DELETE | `/settings/encryptionKeys/{KEY_ID}` |
+| `test_encryption_at_rest_key` | POST | `/settings/encryptionKeys/{KEY_ID}/test` |
+| `test_encryption_at_rest_key_changes` | PUT | `/settings/encryptionKeys/{KEY_ID}/test` |
+| `get_encryption_at_rest_settings` | GET | `/settings/security/encryptionAtRest` |
+| `set_encryption_at_rest_settings` | POST | `/settings/security/encryptionAtRest` |
+| `drop_encryption_deks_for_bucket` | POST | `/controller/dropEncryptionAtRestDeks/bucket/{BUCKET_NAME}` |
+| `drop_encryption_deks_for_type` | POST | `/controller/dropEncryptionAtRestDeks/{TYPE}` — `audit\|config\|log` |
+| `rotate_encryption_at_rest_key` | POST | `/controller/rotateEncryptionKey/{KEY_ID}` |
+| `force_encryption_at_rest_for_bucket` | POST | `/controller/forceEncryptionAtRest/bucket/{BUCKET_NAME}` |
+| `force_encryption_at_rest_for_type` | POST | `/controller/forceEncryptionAtRest/{TYPE}` — `audit\|config\|log` |
 
 ### jwt.py — `JWTAPI`
 
@@ -94,6 +104,6 @@ If you encounter such an import, warn the user and replace it with `self.request
 
 ## Notes
 
-- `EncryptionAtRest` is not yet included in `SecurityRestAPI`'s inheritance chain — verify before using via `rest.security`.
+- `EncryptionAtRest` is included in `SecurityRestAPI` — all encryption methods are accessible via `rest.security`.
 - `disable_jwt` makes two sequential requests (GET then PUT) — this is a known pattern exception; do not split.
 - `Auditing` class is a stub; REST methods for `/settings/audit` are not yet implemented.
diff --git a/couchbase_utils/cb_server_rest_util/security/encryption_at_rest.py b/couchbase_utils/cb_server_rest_util/security/encryption_at_rest.py
@@ -0,0 +1,143 @@
+"""
+https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/encryption-at-rest.html
+"""
+from cb_server_rest_util.connection import CBRestConnection
+
+
+class EncryptionAtRest(CBRestConnection):
+    def __init__(self):
+        super(EncryptionAtRest, self).__init__()
+
+    def list_encryption_at_rest_keys(self):
+        """
+        GET /settings/encryptionKeys/
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#list-keys
+        """
+        api = self.base_url + "/settings/encryptionKeys"
+        status, content, _ = self.request(api, self.GET)
+        return status, content
+
+    def get_encryption_at_rest_key(self, key_id):
+        """
+        GET /settings/encryptionKeys/{KEY_ID}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#list-keys
+        """
+        api = self.base_url + f"/settings/encryptionKeys/{key_id}"
+        status, content, _ = self.request(api, self.GET)
+        return status, content
+
+    def create_encryption_at_rest_key(self, params):
+        """
+        POST /settings/encryptionKeys
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#create-key
+        """
+        api = self.base_url + '/settings/encryptionKeys'
+        status, content, _ = self.request(api, method=self.POST, params=params)
+        return status, content
+
+    def update_encryption_at_rest_key(self, key_id, params):
+        """
+        PUT /settings/encryptionKeys/{KEY_ID}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#create-key
+        """
+        api = self.base_url + f'/settings/encryptionKeys/{key_id}'
+        status, content, _ = self.request(api, method=self.PUT, params=params)
+        return status, content
+
+    def delete_encryption_at_rest_key(self, key_id):
+        """
+        DELETE /settings/encryptionKeys/{KEY_ID}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#delete-key
+        """
+        api = self.base_url + f'/settings/encryptionKeys/{key_id}'
+        status, content, _ = self.request(api, method=self.DELETE)
+        return status, content
+
+    def test_encryption_at_rest_key(self, key_id):
+        """
+        POST /settings/encryptionKeys/{KEY_ID}/test
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#test-key
+        """
+        api = self.base_url + f'/settings/encryptionKeys/{key_id}/test'
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
+
+    def test_encryption_at_rest_key_changes(self, key_id, params):
+        """
+        PUT /settings/encryptionKeys/{KEY_ID}/test
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-encryption-keys.html#test-key-changes
+        :param params: updated key config (name, type, data, usage)
+        """
+        api = self.base_url + f'/settings/encryptionKeys/{key_id}/test'
+        status, content, _ = self.request(api, method=self.PUT, params=params)
+        return status, content
+
+    def get_encryption_at_rest_settings(self):
+        """
+        GET /settings/security/encryptionAtRest
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-system-encryption-at-rest.html#get-settings
+        Returns audit, config, and log encryption-at-rest settings.
+        """
+        api = self.base_url + "/settings/security/encryptionAtRest"
+        status, content, _ = self.request(api, self.GET)
+        return status, content
+
+    def set_encryption_at_rest_settings(self, params):
+        """
+        POST /settings/security/encryptionAtRest
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/manage-system-encryption-at-rest.html#change-settings
+        :param params: dict with keys like audit.encryptionMethod, config.encryptionKeyId, etc.
+        """
+        api = self.base_url + "/settings/security/encryptionAtRest"
+        status, content, _ = self.request(api, method=self.POST, params=params)
+        return status, content
+
+    def drop_encryption_deks_for_bucket(self, bucket_name):
+        """
+        POST /controller/dropEncryptionAtRestDeks/bucket/{BUCKET_NAME}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/drop-encryption-deks.html#drop-bucket
+        Rotates DEKs for a bucket and re-encrypts its data.
+        """
+        api = self.base_url + f"/controller/dropEncryptionAtRestDeks/bucket/{bucket_name}"
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
+
+    def drop_encryption_deks_for_type(self, data_type):
+        """
+        POST /controller/dropEncryptionAtRestDeks/{TYPE}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/drop-encryption-deks.html#drop-type
+        :param data_type: "audit" | "config" | "log"
+        """
+        api = self.base_url + f"/controller/dropEncryptionAtRestDeks/{data_type}"
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
+
+    def rotate_encryption_at_rest_key(self, key_id):
+        """
+        POST /controller/rotateEncryptionKey/{KEY_ID}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/rotate-encryption-at-rest-key.html#rotate-key
+        Creates a new key version and re-encrypts all DEKs encrypted with the previous version.
+        """
+        api = self.base_url + f"/controller/rotateEncryptionKey/{key_id}"
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
+
+    def force_encryption_at_rest_for_bucket(self, bucket_name):
+        """
+        POST /controller/forceEncryptionAtRest/bucket/{BUCKET_NAME}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/force-encryption-at-rest.html#bucket
+        Forces encryption of unencrypted data in a bucket.
+        """
+        api = self.base_url + f"/controller/forceEncryptionAtRest/bucket/{bucket_name}"
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
+
+    def force_encryption_at_rest_for_type(self, data_type):
+        """
+        POST /controller/forceEncryptionAtRest/{TYPE}
+        https://docs.couchbase.com/server/current/rest-api/security/encryption-at-rest/force-encryption-at-rest.html#type
+        :param data_type: "audit" | "config" | "log"
+        """
+        api = self.base_url + f"/controller/forceEncryptionAtRest/{data_type}"
+        status, content, _ = self.request(api, method=self.POST)
+        return status, content
diff --git a/couchbase_utils/cb_server_rest_util/security/security_api.py b/couchbase_utils/cb_server_rest_util/security/security_api.py
@@ -1,12 +1,13 @@
 from cb_server_rest_util.security.auditing import Auditing
 from cb_server_rest_util.security.certificate_management import CertificateMangementAPI
+from cb_server_rest_util.security.encryption_at_rest import EncryptionAtRest
 from cb_server_rest_util.security.rbac_authorization import RbacAuthorization
 from cb_server_rest_util.security.restrict_node_addition import \
     NodeInitAddition
 
 
-class SecurityRestAPI(Auditing, CertificateMangementAPI, NodeInitAddition,
-                      RbacAuthorization):
+class SecurityRestAPI(Auditing, CertificateMangementAPI, EncryptionAtRest,
+                      NodeInitAddition, RbacAuthorization):
     def __init__(self, server):
         super(SecurityRestAPI, self).__init__()
 
