cleanup: refactor functions to accept a context parameter
Signed-off-by: Praveen M <m.praveen@ibm.com>
@ -183,7 +183,7 @@ func (kms *awsMetadataKMS) getService() (*awsKMS.KMS, error) {
|
||||
}
|
||||
|
||||
// EncryptDEK uses the Amazon KMS and the configured CMK to encrypt the DEK.
|
||||
func (kms *awsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
||||
func (kms *awsMetadataKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
|
||||
svc, err := kms.getService()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not get KMS service: %w", err)
|
||||
@ -205,7 +205,7 @@ func (kms *awsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error)
|
||||
}
|
||||
|
||||
// DecryptDEK uses the Amazon KMS and the configured CMK to decrypt the DEK.
|
||||
func (kms *awsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
|
||||
func (kms *awsMetadataKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
|
||||
svc, err := kms.getService()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not get KMS service: %w", err)
|
||||
@ -227,6 +227,6 @@ func (kms *awsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, er
|
||||
return string(result.Plaintext), nil
|
||||
}
|
||||
|
||||
func (kms *awsMetadataKMS) GetSecret(volumeID string) (string, error) {
|
||||
func (kms *awsMetadataKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
|
||||
return "", ErrGetSecretUnsupported
|
||||
}
|
||||
|
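Review bot: The new `ctx` parameter on awsMetadataKMS.EncryptDEK/DecryptDEK never reaches the AWS SDK in the lines shown — `svc, err := kms.getService()` is unchanged and the actual Encrypt/Decrypt call lies outside these hunks. With aws-sdk-go v1 (`*awsKMS.KMS` is what getService returns) the context-aware variants are `svc.EncryptWithContext(ctx, …)` and `svc.DecryptWithContext(ctx, …)`; without them a CSI request deadline or cancellation does not abort the KMS round trip, so a hung KMS endpoint keeps the gRPC worker occupied. If the remaining bodies still call `svc.Encrypt`/`svc.Decrypt`, switching them is the one-line follow-up this refactor sets up. Both function bodies continue past the end of the hunks, so I cannot confirm the call form from what is visible.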
@ -193,7 +193,7 @@ func (as *awsSTSMetadataKMS) getServiceWithSTS() (*awsKMS.KMS, error) {
|
||||
}
|
||||
|
||||
// EncryptDEK uses the Amazon KMS and the configured CMK to encrypt the DEK.
|
||||
func (as *awsSTSMetadataKMS) EncryptDEK(_, plainDEK string) (string, error) {
|
||||
func (as *awsSTSMetadataKMS) EncryptDEK(ctx context.Context, _, plainDEK string) (string, error) {
|
||||
svc, err := as.getServiceWithSTS()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get KMS service: %w", err)
|
||||
@ -213,7 +213,7 @@ func (as *awsSTSMetadataKMS) EncryptDEK(_, plainDEK string) (string, error) {
|
||||
}
|
||||
|
||||
// DecryptDEK uses the Amazon KMS and the configured CMK to decrypt the DEK.
|
||||
func (as *awsSTSMetadataKMS) DecryptDEK(_, encryptedDEK string) (string, error) {
|
||||
func (as *awsSTSMetadataKMS) DecryptDEK(ctx context.Context, _, encryptedDEK string) (string, error) {
|
||||
svc, err := as.getServiceWithSTS()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get KMS service: %w", err)
|
||||
|
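Review bot: Same gap as in the metadata backend: `ctx` is added to the signatures but `as.getServiceWithSTS()` still takes no context, and that helper is where (judging by its name) the STS web-identity assume-role exchange and the KMS client are created. That credential exchange is a network call that now runs outside the caller's deadline; consider `getServiceWithSTS(ctx)` forwarding to `AssumeRoleWithWebIdentityWithContext`, and `svc.EncryptWithContext`/`svc.DecryptWithContext` for the KMS calls that follow. The helper's body and the rest of both methods are outside this diff, so this is inferred rather than confirmed.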
@ -204,14 +204,14 @@ func (kms *keyProtectKMS) getService() error {
|
||||
}
|
||||
|
||||
// EncryptDEK uses the KeyProtect KMS and the configured CRK to encrypt the DEK.
|
||||
func (kms *keyProtectKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
||||
func (kms *keyProtectKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
|
||||
if err := kms.getService(); err != nil {
|
||||
return "", fmt.Errorf("could not get KMS service: %w", err)
|
||||
}
|
||||
|
||||
dekByteSlice := []byte(plainDEK)
|
||||
aadVolID := []string{volumeID}
|
||||
result, err := kms.client.Wrap(context.TODO(), kms.customerRootKey, dekByteSlice, &aadVolID)
|
||||
result, err := kms.client.Wrap(ctx, kms.customerRootKey, dekByteSlice, &aadVolID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to wrap the DEK: %w", err)
|
||||
}
|
||||
@ -223,7 +223,7 @@ func (kms *keyProtectKMS) EncryptDEK(volumeID, plainDEK string) (string, error)
|
||||
}
|
||||
|
||||
// DecryptDEK uses the Key protect KMS and the configured CRK to decrypt the DEK.
|
||||
func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
|
||||
func (kms *keyProtectKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
|
||||
if err := kms.getService(); err != nil {
|
||||
return "", fmt.Errorf("could not get KMS service: %w", err)
|
||||
}
|
||||
@ -235,7 +235,7 @@ func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err
|
||||
}
|
||||
|
||||
aadVolID := []string{volumeID}
|
||||
result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, &aadVolID)
|
||||
result, err := kms.client.Unwrap(ctx, kms.customerRootKey, ciphertextBlob, &aadVolID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to unwrap the DEK: %w", err)
|
||||
}
|
||||
@ -243,6 +243,6 @@ func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err
|
||||
return string(result), nil
|
||||
}
|
||||
|
||||
func (kms *keyProtectKMS) GetSecret(volumeID string) (string, error) {
|
||||
func (kms *keyProtectKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
|
||||
return "", ErrGetSecretUnsupported
|
||||
}
|
||||
|
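Review bot: The doc comments on keyProtectKMS.EncryptDEK/DecryptDEK omit the security property the code relies on: `volumeID` is passed as the AAD (`aadVolID := []string{volumeID}`) to Wrap and Unwrap, so a wrapped DEK is bound to its volume and Unwrap fails for any other ID. I'd extend the DecryptDEK comment with `// volumeID is used as additional authenticated data; unwrapping with a different volumeID fails.` and a matching sentence on EncryptDEK. Replacing the `context.TODO()` placeholders with the caller's `ctx` on the Wrap/Unwrap calls is the right outcome of this refactor; note that `kms.getService()` still takes no context, so whatever it does to obtain the client (its body is outside the hunk) remains outside the caller's deadline.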
@ -180,7 +180,7 @@ func initKMIPKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
||||
}
|
||||
|
||||
// EncryptDEK uses the KMIP encrypt operation to encrypt the DEK.
|
||||
func (kms *kmipKMS) EncryptDEK(_, plainDEK string) (string, error) {
|
||||
func (kms *kmipKMS) EncryptDEK(ctx context.Context, _, plainDEK string) (string, error) {
|
||||
conn, err := kms.connect()
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -236,7 +236,7 @@ func (kms *kmipKMS) EncryptDEK(_, plainDEK string) (string, error) {
|
||||
}
|
||||
|
||||
// DecryptDEK uses the KMIP decrypt operation to decrypt the DEK.
|
||||
func (kms *kmipKMS) DecryptDEK(_, encryptedDEK string) (string, error) {
|
||||
func (kms *kmipKMS) DecryptDEK(ctx context.Context, _, encryptedDEK string) (string, error) {
|
||||
conn, err := kms.connect()
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -500,7 +500,7 @@ func (kms *kmipKMS) verifyResponse(
|
||||
return &batchItem, nil
|
||||
}
|
||||
|
||||
func (kms *kmipKMS) GetSecret(volumeID string) (string, error) {
|
||||
func (kms *kmipKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
|
||||
return "", ErrGetSecretUnsupported
|
||||
}
|
||||
|
||||
|
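Review bot: In kmipKMS.EncryptDEK/DecryptDEK the new `ctx` is unused in the visible lines: `kms.connect()` takes no context, so the TLS dial to the KMIP server and the request that follows cannot be cancelled by the caller. If `connect` uses `tls.Dial`, switching to `(&tls.Dialer{Config: …}).DialContext(ctx, …)` and applying `conn.SetDeadline` from `ctx.Deadline()` would make the parameter effective. Separately, both functions return the connect error bare (`return "", err`) while every other backend in this commit wraps it; `return "", fmt.Errorf("failed to connect to KMIP server: %w", err)` keeps the chain intact and the style consistent. Both function bodies and `connect` itself continue past the hunks.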
@ -331,18 +331,18 @@ type EncryptionKMS interface {
|
||||
// EncryptDEK provides a way for a KMS to encrypt a DEK. In case the
|
||||
// encryption is done transparently inside the KMS service, the
|
||||
// function can return an unencrypted value.
|
||||
EncryptDEK(volumeID, plainDEK string) (string, error)
|
||||
EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error)
|
||||
|
||||
// DecryptDEK provides a way for a KMS to decrypt a DEK. In case the
|
||||
// encryption is done transparently inside the KMS service, the
|
||||
// function does not need to do anything except return the encyptedDEK
|
||||
// as it was received.
|
||||
DecryptDEK(volumeID, encyptedDEK string) (string, error)
|
||||
DecryptDEK(ctx context.Context, volumeID, encyptedDEK string) (string, error)
|
||||
|
||||
// GetSecret allows external key management systems to
|
||||
// retrieve keys used in EncryptDEK / DecryptDEK to use them
|
||||
// directly. Example: fscrypt uses this to unlock raw protectors
|
||||
GetSecret(volumeID string) (string, error)
|
||||
GetSecret(ctx context.Context, volumeID string) (string, error)
|
||||
}
|
||||
|
||||
// DEKStoreType describes what DEKStore needs to be configured when using a
|
||||
@ -364,11 +364,11 @@ const (
|
||||
// the KMS can not store passphrases for volumes.
|
||||
type DEKStore interface {
|
||||
// StoreDEK saves the DEK in the configured store.
|
||||
StoreDEK(volumeID string, dek string) error
|
||||
StoreDEK(ctx context.Context, volumeID string, dek string) error
|
||||
// FetchDEK reads the DEK from the configured store and returns it.
|
||||
FetchDEK(volumeID string) (string, error)
|
||||
FetchDEK(ctx context.Context, volumeID string) (string, error)
|
||||
// RemoveDEK deletes the DEK from the configured store.
|
||||
RemoveDEK(volumeID string) error
|
||||
RemoveDEK(ctx context.Context, volumeID string) error
|
||||
}
|
||||
|
||||
// integratedDEK is a DEKStore that can not be configured. Either the KMS does
|
||||
@ -380,15 +380,15 @@ func (i integratedDEK) RequiresDEKStore() DEKStoreType {
|
||||
return DEKStoreIntegrated
|
||||
}
|
||||
|
||||
func (i integratedDEK) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
||||
func (i integratedDEK) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
|
||||
return plainDEK, nil
|
||||
}
|
||||
|
||||
func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error) {
|
||||
func (i integratedDEK) DecryptDEK(ctx context.Context, volumeID, encyptedDEK string) (string, error) {
|
||||
return encyptedDEK, nil
|
||||
}
|
||||
|
||||
func (i integratedDEK) GetSecret(volumeID string) (string, error) {
|
||||
func (i integratedDEK) GetSecret(ctx context.Context, volumeID string) (string, error) {
|
||||
return "", ErrGetSecretIntegrated
|
||||
}
|
||||
|
||||
|
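Review bot: The EncryptionKMS and DEKStore interface comments were not updated for the new leading `ctx` parameter, so implementers do not learn what it carries or whether they may ignore it. Proposed additions: above EncryptDEK/DecryptDEK/GetSecret, `// ctx carries the deadline and cancellation of the CSI request; implementations that call a remote KMS must pass it to the client.`, and on DEKStore, `// ctx is passed to every store call and must not be retained beyond it.`. The `encyptedDEK` typo in DecryptDEK's parameter name and comment is touched by this hunk anyway and could become `encryptedDEK` in the same pass. integratedDEK's methods ignoring ctx is fine since they do no I/O, but a one-word `_ context.Context` or a comment would make that intent explicit.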
@ -78,19 +78,19 @@ func (kms secretsKMS) Destroy() {
|
||||
}
|
||||
|
||||
// FetchDEK returns passphrase from Kubernetes secrets.
|
||||
func (kms secretsKMS) FetchDEK(key string) (string, error) {
|
||||
func (kms secretsKMS) FetchDEK(ctx context.Context, key string) (string, error) {
|
||||
return kms.passphrase, nil
|
||||
}
|
||||
|
||||
// StoreDEK does nothing, as there is no passphrase per key (volume), so
|
||||
// no need to store is anywhere.
|
||||
func (kms secretsKMS) StoreDEK(key, value string) error {
|
||||
func (kms secretsKMS) StoreDEK(ctx context.Context, key, value string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// RemoveDEK is doing nothing as no new passphrases are saved with
|
||||
// secretsKMS.
|
||||
func (kms secretsKMS) RemoveDEK(key string) error {
|
||||
func (kms secretsKMS) RemoveDEK(ctx context.Context, key string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -206,9 +206,9 @@ type encryptedMetedataDEK struct {
|
||||
// the secretsKMS and the volumeID.
|
||||
// The resulting encryptedDEK contains a JSON with the encrypted DEK and the
|
||||
// nonce that was used for encrypting.
|
||||
func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
||||
func (kms secretsMetadataKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
|
||||
// use the passphrase from the secretKMS
|
||||
passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
|
||||
passphrase, err := kms.secretsKMS.FetchDEK(ctx, volumeID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
||||
}
|
||||
@ -236,9 +236,9 @@ func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, err
|
||||
|
||||
// DecryptDEK takes the JSON formatted `encryptedMetadataDEK` contents, and it
|
||||
// fetches secretKMS passphrase to decrypt the DEK.
|
||||
func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
|
||||
func (kms secretsMetadataKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
|
||||
// use the passphrase from the secretKMS
|
||||
passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
|
||||
passphrase, err := kms.secretsKMS.FetchDEK(ctx, volumeID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
||||
}
|
||||
@ -263,9 +263,9 @@ func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string,
|
||||
return string(dek), nil
|
||||
}
|
||||
|
||||
func (kms secretsMetadataKMS) GetSecret(volumeID string) (string, error) {
|
||||
func (kms secretsMetadataKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
|
||||
// use the passphrase from the secretKMS
|
||||
return kms.secretsKMS.FetchDEK(volumeID)
|
||||
return kms.secretsKMS.FetchDEK(ctx, volumeID)
|
||||
}
|
||||
|
||||
// generateCipher returns a AEAD cipher based on a passphrase and salt
|
||||
|
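Review bot: secretsKMS.FetchDEK/StoreDEK/RemoveDEK now take `ctx` but do nothing with it, which is correct for an in-memory passphrase, yet nothing says so; a reader checking whether cancellation is honored has to trace into the body. I'd add `// ctx is unused: the passphrase is held in memory and no I/O happens here.` to FetchDEK, and fix the StoreDEK comment typo `no need to store is anywhere` → `no need to store it anywhere`. The secretsMetadataKMS hunks correctly forward `ctx` to `kms.secretsKMS.FetchDEK`, so the plumbing matches the interface change.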
@ -17,6 +17,7 @@ limitations under the License.
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -103,19 +104,21 @@ func TestWorkflowSecretsMetadataKMS(t *testing.T) {
|
||||
// plainDEK is the (LUKS) passphrase for the volume
|
||||
plainDEK := "usually created with generateNewEncryptionPassphrase()"
|
||||
|
||||
encryptedDEK, err := kms.EncryptDEK(volumeID, plainDEK)
|
||||
ctx := context.TODO()
|
||||
|
||||
encryptedDEK, err := kms.EncryptDEK(ctx, volumeID, plainDEK)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEqual(t, "", encryptedDEK)
|
||||
assert.NotEqual(t, plainDEK, encryptedDEK)
|
||||
|
||||
// with an incorrect volumeID, decrypting should fail
|
||||
decryptedDEK, err := kms.DecryptDEK("incorrect-volumeID", encryptedDEK)
|
||||
decryptedDEK, err := kms.DecryptDEK(ctx, "incorrect-volumeID", encryptedDEK)
|
||||
assert.Error(t, err)
|
||||
assert.Equal(t, "", decryptedDEK)
|
||||
assert.NotEqual(t, plainDEK, decryptedDEK)
|
||||
|
||||
// with the right volumeID, decrypting should return the plainDEK
|
||||
decryptedDEK, err = kms.DecryptDEK(volumeID, encryptedDEK)
|
||||
decryptedDEK, err = kms.DecryptDEK(ctx, volumeID, encryptedDEK)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEqual(t, "", decryptedDEK)
|
||||
assert.Equal(t, plainDEK, decryptedDEK)
|
||||
|
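Review bot: The test builds its context with `ctx := context.TODO()`, which by convention marks a spot where the correct context is still to be determined; in a test `ctx := context.Background()` is the conventional choice (or `t.Context()` once the module targets Go 1.24, which also cancels at test end). Style point only — the assertions are unchanged and still cover the volumeID/AAD mismatch path. Since secretsMetadataKMS does no I/O there is nothing for a cancelled-ctx negative case to exercise here, but the backends that do forward ctx (Key Protect) have no such test yet.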
@ -17,6 +17,7 @@ limitations under the License.
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
@ -395,7 +396,7 @@ func initVaultKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
||||
|
||||
// FetchDEK returns passphrase from Vault. The passphrase is stored in a
|
||||
// data.data.passphrase structure.
|
||||
func (kms *vaultKMS) FetchDEK(key string) (string, error) {
|
||||
func (kms *vaultKMS) FetchDEK(ctx context.Context, key string) (string, error) {
|
||||
// Since the second return variable loss.Version is not used, there it is ignored.
|
||||
s, _, err := kms.secrets.GetSecret(filepath.Join(kms.vaultPassphrasePath, key), kms.keyContext)
|
||||
if err != nil {
|
||||
@ -415,7 +416,7 @@ func (kms *vaultKMS) FetchDEK(key string) (string, error) {
|
||||
}
|
||||
|
||||
// StoreDEK saves new passphrase in Vault.
|
||||
func (kms *vaultKMS) StoreDEK(key, value string) error {
|
||||
func (kms *vaultKMS) StoreDEK(ctx context.Context, key, value string) error {
|
||||
data := map[string]interface{}{
|
||||
"data": map[string]string{
|
||||
"passphrase": value,
|
||||
@ -433,7 +434,7 @@ func (kms *vaultKMS) StoreDEK(key, value string) error {
|
||||
}
|
||||
|
||||
// RemoveDEK deletes passphrase from Vault.
|
||||
func (kms *vaultKMS) RemoveDEK(key string) error {
|
||||
func (kms *vaultKMS) RemoveDEK(ctx context.Context, key string) error {
|
||||
pathKey := filepath.Join(kms.vaultPassphrasePath, key)
|
||||
err := kms.secrets.DeleteSecret(pathKey, kms.getDeleteKeyContext())
|
||||
if err != nil {
|
||||
|
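Review bot: vaultKMS.FetchDEK/StoreDEK/RemoveDEK now take `ctx` but the Vault round-trips — `kms.secrets.GetSecret(…)` and `kms.secrets.DeleteSecret(…)` — still receive no context, so a caller's deadline does not cancel a slow or unreachable Vault. If the `secrets` client offers no context-aware API (its methods here take only a path and a key-context map), the fallback is a client-level HTTP timeout configured where `kms.secrets` is created, plus a comment on each method such as `// ctx is not yet propagated: the secrets client has no context-aware API.` so the unused parameter is not mistaken for cancellation support. The PutSecret call in StoreDEK sits outside the hunk.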
@ -459,7 +459,7 @@ func (vtc *vaultTenantConnection) getK8sClient() (*kubernetes.Clientset, error)
|
||||
|
||||
// FetchDEK returns passphrase from Vault. The passphrase is stored in a
|
||||
// data.data.passphrase structure.
|
||||
func (vtc *vaultTenantConnection) FetchDEK(key string) (string, error) {
|
||||
func (vtc *vaultTenantConnection) FetchDEK(ctx context.Context, key string) (string, error) {
|
||||
// Since the second return variable loss.Version is not used, there it is ignored.
|
||||
s, _, err := vtc.secrets.GetSecret(key, vtc.keyContext)
|
||||
if err != nil {
|
||||
@ -479,7 +479,7 @@ func (vtc *vaultTenantConnection) FetchDEK(key string) (string, error) {
|
||||
}
|
||||
|
||||
// StoreDEK saves new passphrase in Vault.
|
||||
func (vtc *vaultTenantConnection) StoreDEK(key, value string) error {
|
||||
func (vtc *vaultTenantConnection) StoreDEK(ctx context.Context, key, value string) error {
|
||||
data := map[string]interface{}{
|
||||
"data": map[string]string{
|
||||
"passphrase": value,
|
||||
@ -496,7 +496,7 @@ func (vtc *vaultTenantConnection) StoreDEK(key, value string) error {
|
||||
}
|
||||
|
||||
// RemoveDEK deletes passphrase from Vault.
|
||||
func (vtc *vaultTenantConnection) RemoveDEK(key string) error {
|
||||
func (vtc *vaultTenantConnection) RemoveDEK(ctx context.Context, key string) error {
|
||||
err := vtc.secrets.DeleteSecret(key, vtc.getDeleteKeyContext())
|
||||
if err != nil {
|
||||
return fmt.Errorf("delete passphrase at %s request to vault failed: %w", key, err)
|
||||
|
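Review bot: As in vault.go, `vtc.secrets.GetSecret` and `vtc.secrets.DeleteSecret` are still called without the new `ctx`, so the per-tenant Vault requests run outside the caller's deadline; either thread a context-capable client call or document on each method that ctx is accepted for interface compatibility only, e.g. `// ctx is accepted for the DEKStore interface; the secrets client does not take a context.`. RemoveDEK's body and the PutSecret call in StoreDEK continue beyond the hunks, so I cannot see whether any other call could take the context.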