From 8f91c672d4c0a8138ae9dd1059166856b3e9b9d7 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Thu, 3 Dec 2020 09:25:52 +0100
Subject: [PATCH] util: add EncryptionKMS.Destroy()

Add a new method to the EncryptionKMS interface so that resources can be freed when EncryptionKMS instances get freed.

With the move to using the libopenstorage API, a temporary file needs to store the optional CA certificate. The Destroy() method of the vaultConnection type now removes this file.

The rbdVolume uses the EncryptionKMS type now, so call the new Destroy() method from withing rbdVolume.Destroy().

Signed-off-by: Niels de Vos
---
 internal/rbd/rbd_util.go | 3 +++
 internal/util/crypto.go | 6 ++++++
 internal/util/vault.go | 13 ++++++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 142e9a3c8..9e6004cf2 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -169,6 +169,9 @@ func (rv *rbdVolume) Destroy() {
 	if rv.conn != nil {
 		rv.conn.Destroy()
 	}
+	if rv.KMS != nil {
+		rv.KMS.Destroy()
+	}
 }
 
 // String returns the image-spec (pool/{namespace/}image) format of the image.
diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 04057ac74..269ad3fbd 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -51,6 +51,7 @@ const (
 // EncryptionKMS provides external Key Management System for encryption
 // passphrases storage.
 type EncryptionKMS interface {
+	Destroy()
 	GetPassphrase(key string) (string, error)
 	SavePassphrase(key, value string) error
 	DeletePassphrase(key string) error
@@ -75,6 +76,11 @@ func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
 	return SecretsKMS{passphrase: passphraseValue}, nil
 }
 
+// Destroy frees all used resources.
+func (kms SecretsKMS) Destroy() {
+	// nothing to do
+}
+
 // GetPassphrase returns passphrase from Kubernetes secrets.
 func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
 	return kms.passphrase, nil
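Review bot: rv.KMS still points at the destroyed KMS after `rv.KMS.Destroy()`, so a second Destroy() on the volume, or any later use of rv.KMS, operates on released resources; rv.conn has the same shape, but that predates this change. Clearing the field after the call keeps rbdVolume.Destroy idempotent: `rv.KMS.Destroy()` followed by `rv.KMS = nil`. Whether Destroy can be reached more than once for the same rbdVolume is not visible in this hunk.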
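Review bot: The new `Destroy()` method on the EncryptionKMS interface has no doc comment, so implementers cannot tell whether it must tolerate being called more than once or whether the instance may still be used afterwards; the SecretsKMS implementation in the following hunk only says it frees resources. Suggested comment above the method: `// Destroy releases any resources held by the KMS instance (temporary files, connections); the instance must not be used after this call.` If repeated calls are meant to be harmless, state that as well, since rbdVolume.Destroy() now calls it on every volume teardown.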
diff --git a/internal/util/vault.go b/internal/util/vault.go
index a9b91e9fe..d585510f7 100644
--- a/internal/util/vault.go
+++ b/internal/util/vault.go
@@ -167,7 +167,6 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
 		if err != nil {
 			return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
 		}
-		// TODO: delete f.Name() when vaultConnection is destroyed
 	}
 
 	// update the existing config only if no config is available yet
@@ -201,6 +200,18 @@ func (vc *vaultConnection) connectVault() error {
 	return nil
 }
 
+// Destroy frees allocated resources. For a vaultConnection that means removing
+// the created temporary files.
+func (vc *vaultConnection) Destroy() {
+	if vc.vaultConfig != nil {
+		tmpFile, ok := vc.vaultConfig[api.EnvVaultCACert]
+		if ok {
+			// ignore error on failure to remove tmpfile (gosec complains)
+			_ = os.Remove(tmpFile.(string))
+		}
+	}
+}
+
 // InitVaultKMS returns an interface to HashiCorp Vault KMS.
 func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) {
 	kms := &VaultKMS{}
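Review bot: Destroy() removes whatever path is stored under `api.EnvVaultCACert` in vc.vaultConfig, not specifically the temporary file that initConnection created; if that key can also be populated from caller-supplied configuration (the "update the existing config only if no config is available yet" comment in the first hunk suggests the map is merged from more than one source), Destroy would delete a file the plugin did not create. The unchecked `tmpFile.(string)` assertion additionally panics if the stored value is not a string. Recording the temporary file name in a dedicated field at the point where initConnection creates the file (outside this hunk, next to the `f` creation shown in the first hunk, e.g. `vc.tmpCACert = f.Name()`) and removing only that path avoids both problems; the field name below is a proposal, not an existing identifier.
```go
// Destroy frees allocated resources. For a vaultConnection that means removing
// the temporary CA-certificate file that initConnection created, if any.
func (vc *vaultConnection) Destroy() {
	// tmpCACert (proposed field) is set by initConnection only when it wrote
	// the certificate to a temporary file; a path taken from configuration is
	// never removed here.
	if vc.tmpCACert == "" {
		return
	}
	// ignore error on failure to remove tmpfile (gosec complains)
	_ = os.Remove(vc.tmpCACert)
	vc.tmpCACert = ""
}
```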