util: move existing KMS implementations to the DEKStore interface

Use DEKStore API for Fetching and Storing passphrases. Drop the fallback for the old KMS interface that is now provided as DEKStore. The original implementation has been re-used for the DEKStore interface. This also moves GetCryptoPassphrase/StoreNewCryptoPassphrase functions to methods of VolumeEncryption. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 02:33:34 +00:00 · 2021-02-15 10:24:47 +01:00
parent b60dd286c6
commit 9ac7f56400
7 changed files with 50 additions and 31 deletions
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@ -106,13 +106,20 @@ func (ve *VolumeEncryption) Destroy() {
 	ve.KMS.Destroy()
 }

+// RemoveDEK deletes the DEK for a particular volumeID from the DEKStore linked
+// with this VolumeEncryption instance.
+func (ve *VolumeEncryption) RemoveDEK(volumeID string) error {
+	if ve.dekStore == nil {
+		return ErrDEKStoreNotFound
+	}
+
+	return ve.dekStore.RemoveDEK(volumeID)
+}
+
 // EncryptionKMS provides external Key Management System for encryption
 // passphrases storage.
 type EncryptionKMS interface {
 	Destroy()
-	GetPassphrase(key string) (string, error)
-	SavePassphrase(key, value string) error
-	DeletePassphrase(key string) error
 	GetID() string

 	// requiresDEKStore returns the DEKStoreType that is needed to be
@ -148,6 +155,13 @@ type DEKStore interface {
 	RemoveDEK(volumeID string) error
 }

+// integratedDEK is a DEKStore that can not be configured. Either the KMS does
+// not use a DEK, or the DEK is stored in the KMS without additional
+// configuration options.
+type integratedDEK struct{}
+
+func (i integratedDEK) requiresDEKStore() DEKStoreType { return DEKStoreIntegrated }
+
 // GetKMS returns an instance of Key Management System.
 //
 // - tenant is the owner of the Volume, used to fetch the Vault Token from the
@ -209,12 +223,13 @@ func GetKMS(tenant, kmsID string, secrets map[string]string) (EncryptionKMS, err
 }

 // StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
-func StoreNewCryptoPassphrase(volumeID string, kms EncryptionKMS) error {
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
 	passphrase, err := generateNewEncryptionPassphrase()
 	if err != nil {
 		return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
 	}
-	err = kms.SavePassphrase(volumeID, passphrase)
+
+	err = ve.dekStore.StoreDEK(volumeID, passphrase)
 	if err != nil {
 		return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err)
 	}
@ -222,8 +237,8 @@ func StoreNewCryptoPassphrase(volumeID string, kms EncryptionKMS) error {
 }

 // GetCryptoPassphrase Retrieves passphrase to encrypt volume.
-func GetCryptoPassphrase(volumeID string, kms EncryptionKMS) (string, error) {
-	passphrase, err := kms.GetPassphrase(volumeID)
+func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
+	passphrase, err := ve.dekStore.FetchDEK(volumeID)
 	if err != nil {
 		return "", err
 	}