From b60dd286c69acd6b41ba56801ec8f0c6d0308b34 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Mon, 1 Mar 2021 16:35:35 +0100
Subject: [PATCH] util: use the KMS as DEKStore if it supports it

Signed-off-by: Niels de Vos
---
 internal/util/crypto.go | 30 ++++++++++++++++++++++++++++--
 internal/util/secretskms.go | 2 ++
 internal/util/vault.go | 1 +
 internal/util/vault_tokens.go | 1 +
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 9c29c15f7..1f15a3cea 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -66,13 +66,39 @@ var (
 type VolumeEncryption struct {
 KMS EncryptionKMS
+
+ // dekStore that will be used, this can be the EncryptionKMS or a
+ // different object implementing the DEKStore interface.
+ dekStore DEKStore
 }
-// NewVolumeEncryption creates a new instance of VolumeEncryption.
+// NewVolumeEncryption creates a new instance of VolumeEncryption and
+// configures the DEKStore. If the KMS does not provide a DEKStore interface,
+// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
+// Callers that receive a ErrDEKStoreNeeded error, should use
+// VolumeEncryption.SetDEKStore() to configure an alternative storage for the
+// DEKs.
 func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
 ve := &VolumeEncryption{KMS: kms}
- return ve, nil
+ if kms.requiresDEKStore() == DEKStoreIntegrated {
+ dekStore, ok := kms.(DEKStore)
+ if !ok {
+ return nil, fmt.Errorf("KMS %T does not implement the "+ "DEKStore interface", kms)
+ }
+
+ ve.dekStore = dekStore
+ return ve, nil
+ }
+
+ return ve, ErrDEKStoreNeeded
+}
+
+// SetDEKStore sets the DEKStore for this VolumeEncryption instance. It will be
+// used when StoreNewCryptoPassphrase() or RemoveDEK() is called.
+func (ve *VolumeEncryption) SetDEKStore(dekStore DEKStore) {
+ ve.dekStore = dekStore
 }
 // Destroy frees any resources that the VolumeEncryption instance allocated.
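Review bot: NewVolumeEncryption now returns a fully constructed `*VolumeEncryption` together with the non-nil `ErrDEKStoreNeeded`, which breaks the convention that the value is meaningless when the error is non-nil: a caller written before this change, or one using the usual `if err != nil { return nil, err }`, discards the instance, while a caller that does not test with `errors.Is(err, ErrDEKStoreNeeded)` proceeds with a nil `dekStore` and the DEK-handling methods named in the SetDEKStore comment will dereference it. If the sentinel stays, the doc comment should say explicitly that the returned pointer is valid in that case and that the check must be `errors.Is`, and the methods that use `ve.dekStore` (outside this hunk) should return an error rather than panic when it is still nil, so that a missing DEK store is reported instead of crashing the node plugin mid-operation. `kms.requiresDEKStore()` is also called before anything checks that `kms` is non-nil, so a nil interface panics here; a guard such as `if kms == nil { return nil, fmt.Errorf("no KMS configured for volume encryption") }` at the top of the function is cheap. Destroy and the other methods of VolumeEncryption lie outside the hunk.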
diff --git a/internal/util/secretskms.go b/internal/util/secretskms.go
index e6dc810ea..45320ecd4 100644
--- a/internal/util/secretskms.go
+++ b/internal/util/secretskms.go
@@ -30,6 +30,8 @@ const (
 // SecretsKMS is default KMS implementation that means no KMS is in use.
 type SecretsKMS struct {
+ integratedDEK
+
 passphrase string
 }
diff --git a/internal/util/vault.go b/internal/util/vault.go
index 465073946..91889aaa7 100644
--- a/internal/util/vault.go
+++ b/internal/util/vault.go
@@ -79,6 +79,7 @@ type vaultConnection struct {
 type VaultKMS struct {
 vaultConnection
+ integratedDEK
 // vaultPassphrasePath (VPP) used to be added before the "key" of the
 // secret (like /v1/secret/data//key)
diff --git a/internal/util/vault_tokens.go b/internal/util/vault_tokens.go
index 120ae4b0f..ca04a57ee 100644
--- a/internal/util/vault_tokens.go
+++ b/internal/util/vault_tokens.go
@@ -161,6 +161,7 @@ Example JSON structure in the KMS config is,
 */
 type VaultTokensKMS struct {
 vaultConnection
+ integratedDEK
 // Tenant is the name of the owner of the volume
 Tenant string
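Review bot: Embedding `integratedDEK` in SecretsKMS here, and in VaultKMS and VaultTokensKMS in the two hunks that follow, presumably makes `requiresDEKStore()` report `DEKStoreIntegrated` (the embedded type is defined outside this patch), which means NewVolumeEncryption will type-assert each of these types to DEKStore at runtime and fail with the "does not implement the DEKStore interface" error if any of them lacks a method. That contract is only exercised when a volume is actually encrypted, so it is safer to pin it at build time with an interface-satisfaction check next to each type, e.g. `var _ DEKStore = (*SecretsKMS)(nil)` (or `SecretsKMS{}` if the methods use value receivers). A short comment on the new embedded field, e.g. `// integratedDEK marks that this KMS stores the DEKs itself, so no separate DEKStore is required`, would tell a reader why it is there without opening the other file. The VaultKMS and VaultTokensKMS struct declarations continue past the end of their hunks.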