Issue #3595619: validate each Master KEK via its wrap plugin in the status check

The "PDV: Master KEK" status check hardcoded the local-wrap test (strlen(getKeyValue()) === 32), so any Master KEK handled by a non-local wrap -- e.g. vault_transit (OpenBao/Vault Transit), whose Key value is the Transit key name, not 32 raw bytes -- was always reported "N of N tenant Master KEK(s) unusable", even when sealing/unsealing works. Confirmed on a live OpenBao Transit setup (the pdv_vault_transit Key value was 10 bytes).

Fix

  • Add MasterKeyWrapInterface::isUsable(string $masterKeyId): bool: optimistic default in MasterKeyWrapBase, overridden by Local (256-bit secret) and VaultTransit (reads the Transit key, proving the store is reachable and the key exists). Genuine "backend unreachable" detection is kept, but per wrap.
  • Centralize the key-type-to-wrap selection in MasterKeyWrapPluginManager::wrapperForKeyType(), reused by SubjectKeyManager (refactored) and the status check -- no duplication.
  • RequirementsHook resolves the wrap by the Master KEK's key type and delegates to isUsable().
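The shape of that fix, as an added PHP sketch that is not the module's own code: the interface, base class and wrapperForKeyType() names come from this issue, while TransitClient, the 'local'/'vault_transit' key-type ids and the sample key values are assumptions made for the illustration.

```php
<?php
// Added illustration, not the module's own code. Names taken from the issue:
// MasterKeyWrapInterface::isUsable(), MasterKeyWrapBase, wrapperForKeyType().
// TransitClient, the key-type ids and the sample values are assumed/constructed.
interface MasterKeyWrapInterface {
  public function isUsable(string $masterKeyId): bool;
}
abstract class MasterKeyWrapBase implements MasterKeyWrapInterface {
  public function __construct(protected array $keyValues) {}
  // Optimistic default: a wrap with no cheap liveness probe reports usable.
  public function isUsable(string $masterKeyId): bool { return TRUE; }
}

final class LocalWrap extends MasterKeyWrapBase {
  // Only the local wrap stores the raw secret, so only here is length a valid test.
  public function isUsable(string $masterKeyId): bool {
    return strlen($this->keyValues[$masterKeyId] ?? '') === 32; // 256-bit secret
  }
}
interface TransitClient { public function readKey(string $name): ?array; }
final class VaultTransitWrap extends MasterKeyWrapBase {
  public function __construct(array $keyValues, private TransitClient $client) { parent::__construct($keyValues); }
  // The Key value is the Transit key *name*; reading it proves the store is reachable and the key exists.
  public function isUsable(string $masterKeyId): bool {
    $name = $this->keyValues[$masterKeyId] ?? '';
    return $name !== '' && $this->client->readKey($name) !== NULL;
  }
}

final class MasterKeyWrapPluginManager {
  public function __construct(private array $wraps) {} // key type => wrap instance
  public function wrapperForKeyType(string $keyType): MasterKeyWrapInterface {
    return $this->wraps[$keyType] ?? throw new RuntimeException("No wrap for key type $keyType");
  }
}

// Status check: resolve the wrap per Master KEK and delegate, instead of one hardcoded strlen() test.
function unusableMasterKeks(array $masterKeks, MasterKeyWrapPluginManager $pm): array {
  $bad = [];
  foreach ($masterKeks as $id => $keyType) {
    if (!$pm->wrapperForKeyType($keyType)->isUsable($id)) { $bad[] = $id; }
  }
  return $bad;
}

// Constructed sample: a 32-byte local secret, a 10-byte Transit key name, an undersized local secret.
$values = ['local_ok' => str_repeat('k', 32), 'pdv_vault_transit' => 'pdv-master', 'local_short' => 'short'];
$client = new class implements TransitClient { public function readKey(string $n): ?array { return $n === 'pdv-master' ? ['name' => $n] : NULL; } };
$pm = new MasterKeyWrapPluginManager(['local' => new LocalWrap($values), 'vault_transit' => new VaultTransitWrap($values, $client)]);
print_r(unusableMasterKeks(['local_ok' => 'local', 'pdv_vault_transit' => 'vault_transit', 'local_short' => 'local'], $pm));
```

With the per-wrap check only the undersized local key is flagged; the Transit-wrapped key passes because its 10-byte value is a key name that the (assumed) client can read, not a raw secret to measure.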

Test coverage (the gap that let this through)

MasterKeyRequirementTest: a non-local (claimed-type) Master KEK is reported usable; the local 256-bit one is usable; an undersized local one is still flagged. The non-local test fails against the old hardcoded check (verified: it reported Error instead of OK).

phpcs (Drupal, DrupalPractice) + phpstan clean; the new test and the existing MasterKeyWrapDispatchTest pass.
