diff --git a/service/internal/security/in_process_provider.go b/service/internal/security/in_process_provider.go index 520c5085de..8b343c0e99 100644 --- a/service/internal/security/in_process_provider.go +++ b/service/internal/security/in_process_provider.go @@ -97,8 +97,10 @@ func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error) } func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig { - // Provider config is not supported for this adapter. - return nil + return &policy.KeyProviderConfig{ + Manager: inProcessSystemName, + Name: "static", + } } // NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider using a CryptoProvider diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index 53e9686240..b51a610312 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -182,7 +182,9 @@ func TestPublicKeyWithSecurityProvider(t *testing.T) { // Create Provider with the mock security provider delegator := trust.NewDelegatingKeyService(mockProvider, logger.CreateTestLogger(), nil) - delegator.RegisterKeyManager(mockProvider.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { return mockProvider, nil }) + delegator.RegisterKeyManagerCtx(mockProvider.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { + return mockProvider, nil + }) kas := Provider{ KeyDelegator: delegator, KASConfig: KASConfig{ @@ -351,7 +353,7 @@ func TestStandardCertificateHandlerEmpty(t *testing.T) { inProcess := security.NewSecurityProviderAdapter(c, nil, nil) delegator := trust.NewDelegatingKeyService(inProcess, logger.CreateTestLogger(), nil) - delegator.RegisterKeyManager(inProcess.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { + delegator.RegisterKeyManagerCtx(inProcess.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { return inProcess, nil }) diff --git a/service/kas/kas.go b/service/kas/kas.go index 95ffdc3876..71eede23bb 100644 --- a/service/kas/kas.go +++ b/service/kas/kas.go @@ -61,7 +61,7 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler] } } - var kmgrNames []string + var kmgrs []string if kasCfg.Preview.KeyManagement { srp.Logger.Info("preview feature: key management is enabled") @@ -75,23 +75,26 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler] // Configure new delegation service p.KeyDelegator = trust.NewDelegatingKeyService(NewPlatformKeyIndexer(srp.SDK, kasURL.String(), srp.Logger), srp.Logger, cacheClient) - for _, manager := range srp.KeyManagerFactories { - p.KeyDelegator.RegisterKeyManager(manager.Name, manager.Factory) - kmgrNames = append(kmgrNames, manager.Name) + if len(srp.KeyManagerFactories) > 0 { + srp.Logger.Error("kas service ignores legacy KeyManagerFactories; using KeyManagerCtxFactories instead") + } + for _, manager := range srp.KeyManagerCtxFactories { + p.KeyDelegator.RegisterKeyManagerCtx(manager.Name, manager.Factory) + kmgrs = append(kmgrs, manager.Name) } // Register Basic Key Manager - p.KeyDelegator.RegisterKeyManager(security.BasicManagerName, func(opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { + p.KeyDelegator.RegisterKeyManagerCtx(security.BasicManagerName, func(_ context.Context, opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { bm, err := security.NewBasicManager(opts.Logger, opts.Cache, kasCfg.RootKey) if err != nil { return nil, err } return bm, nil }) - kmgrNames = append(kmgrNames, security.BasicManagerName) + kmgrs = append(kmgrs, security.BasicManagerName) // Explicitly set the default manager for session key generation. // This should be configurable, e.g., defaulting to BasicManager or an HSM if available. - p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager + p.KeyDelegator.SetDefaultMode(security.BasicManagerName, "", nil) // Example: default to BasicManager } else { // Set up both the legacy CryptoProvider and the new SecurityProvider kasCfg.UpgradeMapToKeyring(srp.OTDF.CryptoProvider) @@ -100,14 +103,14 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler] inProcessService := initSecurityProviderAdapter(p.CryptoProvider, kasCfg, srp.Logger) p.KeyDelegator = trust.NewDelegatingKeyService(inProcessService, srp.Logger, nil) - p.KeyDelegator.RegisterKeyManager(inProcessService.Name(), func(*trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { + p.KeyDelegator.RegisterKeyManagerCtx(inProcessService.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { return inProcessService, nil }) // Set default for non-key-management mode - p.KeyDelegator.SetDefaultMode(inProcessService.Name()) - kmgrNames = append(kmgrNames, inProcessService.Name()) + p.KeyDelegator.SetDefaultMode(inProcessService.Name(), "", nil) + kmgrs = append(kmgrs, inProcessService.Name()) } - srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrNames)) + srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrs)) p.SDK = srp.SDK p.Logger = srp.Logger diff --git a/service/policy/db/actions.sql.go b/service/policy/db/actions.sql.go index 38dc9171d1..22ab6b526e 100644 --- a/service/policy/db/actions.sql.go +++ b/service/policy/db/actions.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: actions.sql package db diff --git a/service/policy/db/attribute_fqn.sql.go b/service/policy/db/attribute_fqn.sql.go index e66c59a770..ad4ed6b043 100644 --- a/service/policy/db/attribute_fqn.sql.go +++ b/service/policy/db/attribute_fqn.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: attribute_fqn.sql package db diff --git a/service/policy/db/attribute_values.sql.go b/service/policy/db/attribute_values.sql.go index a717774581..65f84c44ee 100644 --- a/service/policy/db/attribute_values.sql.go +++ b/service/policy/db/attribute_values.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: attribute_values.sql package db diff --git a/service/policy/db/attributes.sql.go b/service/policy/db/attributes.sql.go index 33edec005d..6b315d6693 100644 --- a/service/policy/db/attributes.sql.go +++ b/service/policy/db/attributes.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: attributes.sql package db diff --git a/service/policy/db/copyfrom.go b/service/policy/db/copyfrom.go index 999216a76b..2f450ac823 100644 --- a/service/policy/db/copyfrom.go +++ b/service/policy/db/copyfrom.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: copyfrom.go package db diff --git a/service/policy/db/db.go b/service/policy/db/db.go index d3d2e33af1..95f1a604c9 100644 --- a/service/policy/db/db.go +++ b/service/policy/db/db.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 package db diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index a7c94c22bd..1f35df3b27 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -480,6 +480,7 @@ func (c PolicyDBClient) GetKey(ctx context.Context, identifier any) (*policy.Kas if key.ProviderConfigID.Valid { providerConfig = &policy.KeyProviderConfig{} providerConfig.Id = UUIDToString(key.ProviderConfigID) + providerConfig.Manager = key.PcManager.String providerConfig.Name = key.ProviderName.String providerConfig.ConfigJson = key.PcConfig providerConfig.Metadata = &common.Metadata{} diff --git a/service/policy/db/key_access_server_registry.sql.go b/service/policy/db/key_access_server_registry.sql.go index acca6e60be..a721107292 100644 --- a/service/policy/db/key_access_server_registry.sql.go +++ b/service/policy/db/key_access_server_registry.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: key_access_server_registry.sql package db @@ -179,6 +179,7 @@ SELECT 'updated_at', kask.updated_at ) ) AS metadata, + pc.manager AS pc_manager, pc.provider_name, pc.config AS pc_config, JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', pc.metadata -> 'labels', 'created_at', pc.created_at, 'updated_at', pc.updated_at)) AS pc_metadata, @@ -215,6 +216,7 @@ type getKeyRow struct { KeyAccessServerID string `json:"key_access_server_id"` KasUri string `json:"kas_uri"` Metadata []byte `json:"metadata"` + PcManager pgtype.Text `json:"pc_manager"` ProviderName pgtype.Text `json:"provider_name"` PcConfig []byte `json:"pc_config"` PcMetadata []byte `json:"pc_metadata"` @@ -241,6 +243,7 @@ type getKeyRow struct { // 'updated_at', kask.updated_at // ) // ) AS metadata, +// pc.manager AS pc_manager, // pc.provider_name, // pc.config AS pc_config, // JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', pc.metadata -> 'labels', 'created_at', pc.created_at, 'updated_at', pc.updated_at)) AS pc_metadata, @@ -276,6 +279,7 @@ func (q *Queries) getKey(ctx context.Context, arg getKeyParams) (getKeyRow, erro &i.KeyAccessServerID, &i.KasUri, &i.Metadata, + &i.PcManager, &i.ProviderName, &i.PcConfig, &i.PcMetadata, diff --git a/service/policy/db/key_management.sql.go b/service/policy/db/key_management.sql.go index 2e7ed0de4b..6e265e292f 100644 --- a/service/policy/db/key_management.sql.go +++ b/service/policy/db/key_management.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: key_management.sql package db diff --git a/service/policy/db/models.go b/service/policy/db/models.go index 9d9f20e4c8..e0409af9e3 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 package db diff --git a/service/policy/db/namespaces.sql.go b/service/policy/db/namespaces.sql.go index 86d34ad3b2..b988a20140 100644 --- a/service/policy/db/namespaces.sql.go +++ b/service/policy/db/namespaces.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: namespaces.sql package db diff --git a/service/policy/db/obligations.sql.go b/service/policy/db/obligations.sql.go index 6d5b4deffb..3d7fbecfc7 100644 --- a/service/policy/db/obligations.sql.go +++ b/service/policy/db/obligations.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: obligations.sql package db diff --git a/service/policy/db/queries/key_access_server_registry.sql b/service/policy/db/queries/key_access_server_registry.sql index 50892767f3..78b9e47b9f 100644 --- a/service/policy/db/queries/key_access_server_registry.sql +++ b/service/policy/db/queries/key_access_server_registry.sql @@ -188,6 +188,7 @@ SELECT 'updated_at', kask.updated_at ) ) AS metadata, + pc.manager AS pc_manager, pc.provider_name, pc.config AS pc_config, JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', pc.metadata -> 'labels', 'created_at', pc.created_at, 'updated_at', pc.updated_at)) AS pc_metadata, diff --git a/service/policy/db/registered_resources.sql.go b/service/policy/db/registered_resources.sql.go index cc6ede2b31..1aeba4aa96 100644 --- a/service/policy/db/registered_resources.sql.go +++ b/service/policy/db/registered_resources.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: registered_resources.sql package db diff --git a/service/policy/db/resource_mapping.sql.go b/service/policy/db/resource_mapping.sql.go index 41f483aae6..10cfdf84cb 100644 --- a/service/policy/db/resource_mapping.sql.go +++ b/service/policy/db/resource_mapping.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: resource_mapping.sql package db diff --git a/service/policy/db/subject_mappings.sql.go b/service/policy/db/subject_mappings.sql.go index 6915454a30..18a1a66e57 100644 --- a/service/policy/db/subject_mappings.sql.go +++ b/service/policy/db/subject_mappings.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.29.0 +// sqlc v1.30.0 // source: subject_mappings.sql package db diff --git a/service/policy/keymanagement/key_management.go b/service/policy/keymanagement/key_management.go index 7a9ca5ff2c..440da3b885 100644 --- a/service/policy/keymanagement/key_management.go +++ b/service/policy/keymanagement/key_management.go @@ -69,8 +69,11 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer // Register key managers in well-known configuration ksvc.keyManagerFactories = make([]registeredManagers, 0, len(srp.KeyManagerFactories)) + if len(srp.KeyManagerFactories) > 0 { + srp.Logger.Error("keymanagement: ignoring legacy KeyManagerFactories; using KeyManagerCtxFactories instead") + } managersMap := make(map[string]any) - for i, factory := range srp.KeyManagerFactories { + for i, factory := range srp.KeyManagerCtxFactories { rm := registeredManagers{ Name: factory.Name, Description: "Key manager: " + factory.Name, diff --git a/service/trust/delegating_key_service.go b/service/trust/delegating_key_service.go index 781c2d3ca9..bc6ea4ccb0 100644 --- a/service/trust/delegating_key_service.go +++ b/service/trust/delegating_key_service.go @@ -11,6 +11,7 @@ import ( "sync" "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/service/logger" "github.com/opentdf/platform/service/pkg/cache" ) @@ -18,6 +19,21 @@ import ( type KeyManagerFactoryOptions struct { Logger *logger.Logger Cache *cache.Cache + Config *policy.KeyProviderConfig +} + +type keyManagerDesignation struct { + Manager, Name string +} + +func (kmd keyManagerDesignation) String() string { + return fmt.Sprintf("%s#%s", kmd.Manager, kmd.Name) +} + +type loadedManager struct { + keyManagerDesignation + *policy.KeyProviderConfig + KeyManager } // KeyManagerFactory defines the signature for functions that can create KeyManager instances. @@ -32,13 +48,14 @@ type DelegatingKeyService struct { // Lookup key manager by mode for a given key identifier index KeyIndex - // Lazily create key managers based on their mode + // Lazily create key managers based on their manager managerFactories map[string]KeyManagerFactoryCtx // Cache of key managers to avoid creating them multiple times - managers map[string]KeyManager + managers map[keyManagerDesignation]loadedManager - defaultMode string + defaultMode keyManagerDesignation + defaultModeCfg []byte defaultKeyManager KeyManager @@ -54,30 +71,23 @@ func NewDelegatingKeyService(index KeyIndex, l *logger.Logger, c *cache.Cache) * return &DelegatingKeyService{ index: index, managerFactories: make(map[string]KeyManagerFactoryCtx), - managers: make(map[string]KeyManager), + managers: make(map[keyManagerDesignation]loadedManager), l: l, c: c, } } -func (d *DelegatingKeyService) RegisterKeyManager(name string, factory KeyManagerFactory) { - d.mutex.Lock() - defer d.mutex.Unlock() - d.managerFactories[name] = func(_ context.Context, opts *KeyManagerFactoryOptions) (KeyManager, error) { - return factory(opts) - } -} - func (d *DelegatingKeyService) RegisterKeyManagerCtx(name string, factory KeyManagerFactoryCtx) { d.mutex.Lock() defer d.mutex.Unlock() d.managerFactories[name] = factory } -func (d *DelegatingKeyService) SetDefaultMode(name string) { +func (d *DelegatingKeyService) SetDefaultMode(manager, name string, cfg []byte) { d.mutex.Lock() defer d.mutex.Unlock() - d.defaultMode = name + d.defaultMode = keyManagerDesignation{Manager: manager, Name: name} + d.defaultModeCfg = slices.Clone(cfg) } // Implementing KeyIndex methods @@ -105,12 +115,16 @@ func (d *DelegatingKeyService) Name() string { func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error) { keyDetails, err := d.index.FindKeyByID(ctx, keyID) if err != nil { - return nil, fmt.Errorf("unable to find key by ID '%s' within index %s: %w", keyID, d.index, err) + return nil, fmt.Errorf("decrypt: unable to find key by ID '%s' within index %s: %w", keyID, d.index, err) } - manager, err := d.getKeyManager(ctx, keyDetails.System()) + pcfg := keyDetails.ProviderConfig() + if pcfg == nil { + return nil, fmt.Errorf("decrypt: key details for key ID '%s' returned nil ProviderConfig", keyID) + } + manager, err := d.getKeyManager(ctx, pcfg) if err != nil { - return nil, fmt.Errorf("unable to get key manager for system '%s': %w", keyDetails.System(), err) + return nil, fmt.Errorf("decrypt: unable to get key manager [%s#%s]: %w", pcfg.GetManager(), pcfg.GetName(), err) } return manager.Decrypt(ctx, keyDetails, ciphertext, ephemeralPublicKey) @@ -119,12 +133,16 @@ func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifier, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error) { keyDetails, err := d.index.FindKeyByID(ctx, keyID) if err != nil { - return nil, fmt.Errorf("unable to find key by ID '%s' in index %s: %w", keyID, d.index, err) + return nil, fmt.Errorf("derive: unable to find key by ID '%s' in index %s: %w", keyID, d.index, err) } - manager, err := d.getKeyManager(ctx, keyDetails.System()) + pcfg := keyDetails.ProviderConfig() + if pcfg == nil { + return nil, fmt.Errorf("derive: key details for key ID '%s' returned nil ProviderConfig", keyID) + } + manager, err := d.getKeyManager(ctx, pcfg) if err != nil { - return nil, fmt.Errorf("unable to get key manager for system '%s': %w", keyDetails.System(), err) + return nil, fmt.Errorf("derive: unable to get key manager [%s#%s]: %w", pcfg.GetManager(), pcfg.GetName(), err) } return manager.DeriveKey(ctx, keyDetails, ephemeralPublicKeyBytes, curve) @@ -159,9 +177,10 @@ func (d *DelegatingKeyService) _defKM(ctx context.Context) (KeyManager, error) { // Default manager not cached, need to initialize it. // Get the defaultMode name while still holding the lock. defaultModeName := d.defaultMode + defaultModeCfg := d.defaultModeCfg d.mutex.Unlock() // Unlock before calling getKeyManager to avoid re-entrant lock on the same goroutine. - if defaultModeName == "" { + if defaultModeName.Manager == "" { return nil, errors.New("no default key manager mode configured") } @@ -169,7 +188,12 @@ func (d *DelegatingKeyService) _defKM(ctx context.Context) (KeyManager, error) { // This call to getKeyManager will handle its own locking and, // due to the check `if name == currentDefaultMode` in getKeyManager, // will error out if `defaultModeName` itself is not found, preventing recursion. - manager, err := d.getKeyManager(ctx, defaultModeName) + cfg := policy.KeyProviderConfig{ + Manager: defaultModeName.Manager, + Name: defaultModeName.Name, + ConfigJson: defaultModeCfg, + } + manager, err := d.getKeyManager(ctx, &cfg) if err != nil { return nil, fmt.Errorf("failed to get default key manager for mode '%s': %w", defaultModeName, err) } @@ -187,36 +211,44 @@ func (d *DelegatingKeyService) _defKM(ctx context.Context) (KeyManager, error) { return managerToReturn, nil } -func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) (KeyManager, error) { +func (d *DelegatingKeyService) getKeyManager(ctx context.Context, cfg *policy.KeyProviderConfig) (KeyManager, error) { d.mutex.Lock() // Check For Manager First - if manager, exists := d.managers[name]; exists { + designation := keyManagerDesignation{ + Manager: cfg.GetManager(), + Name: cfg.GetName(), + } + if manager, exists := d.managers[designation]; exists { d.mutex.Unlock() - return manager, nil + return manager.KeyManager, nil } // Check Factory - factory, factoryExists := d.managerFactories[name] + factory, factoryExists := d.managerFactories[designation.Manager] // Read defaultMode under lock for comparison. currentDefaultMode := d.defaultMode - allNames := slices.Collect(maps.Keys(d.managerFactories)) + allManagers := slices.Collect(maps.Keys(d.managerFactories)) d.mutex.Unlock() if factoryExists { - options := &KeyManagerFactoryOptions{Logger: d.l.With("key-manager", name), Cache: d.c} + options := &KeyManagerFactoryOptions{ + Logger: d.l.With("key-manager", designation.String()), + Cache: d.c, + Config: cfg, + } managerFromFactory, err := factory(ctx, options) if err != nil { - return nil, fmt.Errorf("factory for key manager '%s' failed: %w", name, err) + return nil, fmt.Errorf("factory for key manager '%s' failed: %w", designation, err) } // If err is nil (checked above) but managerFromFactory is still nil, // the factory implementation is problematic. if managerFromFactory == nil { - return nil, fmt.Errorf("factory for key manager '%s' returned nil manager without an error", name) + return nil, fmt.Errorf("factory for key manager '%s' returned nil manager without an error", designation) } d.mutex.Lock() - d.managers[name] = managerFromFactory // Cache the newly created manager + d.managers[designation] = loadedManager{designation, cfg, managerFromFactory} d.mutex.Unlock() return managerFromFactory, nil } @@ -224,9 +256,9 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) ( // If 'name' was the defaultMode, _defKM will error if its factory is also missing. // If 'name' was not the defaultMode, we fall back to the default manager. d.l.Debug("key manager factory not found for name, attempting to use/load default", - slog.Any("key_managers", allNames), - slog.String("requested_name", name), - slog.String("configured_default_mode", currentDefaultMode), + slog.Any("key_managers", allManagers), + slog.Any("requested_name", designation), + slog.Any("configured_default_mode", currentDefaultMode), ) return d._defKM(ctx) // _defKM handles erroring if the default manager itself cannot be loaded. } diff --git a/service/trust/delegating_key_service_test.go b/service/trust/delegating_key_service_test.go index 1828c95fb7..7e6c8b1d71 100644 --- a/service/trust/delegating_key_service_test.go +++ b/service/trust/delegating_key_service_test.go @@ -259,6 +259,7 @@ func (suite *DelegatingKeyServiceTestSuite) TestListKeysWith_Legacy() { func (suite *DelegatingKeyServiceTestSuite) TestDecrypt() { mockKeyDetails := &MockKeyDetails{} + mockKeyDetails.On("ProviderConfig").Return(&policy.KeyProviderConfig{Manager: "mockManager", Name: "mock-01"}) mockKeyDetails.On("System").Return("mockManager") suite.mockIndex.On("FindKeyByID", mock.Anything, KeyIdentifier("key1")).Return(mockKeyDetails, nil) @@ -266,7 +267,7 @@ func (suite *DelegatingKeyServiceTestSuite) TestDecrypt() { mockProtectedKey.On("DecryptAESGCM", mock.Anything, mock.Anything, mock.Anything).Return([]byte("decrypted"), nil) suite.mockManagerA.On("Decrypt", mock.Anything, mockKeyDetails, []byte("ciphertext"), []byte("ephemeralKey")).Return(mockProtectedKey, nil) - suite.service.RegisterKeyManager("mockManager", func(_ *KeyManagerFactoryOptions) (KeyManager, error) { + suite.service.RegisterKeyManagerCtx("mockManager", func(_ context.Context, _ *KeyManagerFactoryOptions) (KeyManager, error) { return suite.mockManagerA, nil }) @@ -277,6 +278,7 @@ func (suite *DelegatingKeyServiceTestSuite) TestDecrypt() { func (suite *DelegatingKeyServiceTestSuite) TestDeriveKey() { mockKeyDetails := &MockKeyDetails{} + mockKeyDetails.On("ProviderConfig").Return(&policy.KeyProviderConfig{Manager: "mockManager", Name: "mock-01"}) mockKeyDetails.On("System").Return("mockManager") suite.mockIndex.On("FindKeyByID", mock.Anything, KeyIdentifier("key1")).Return(mockKeyDetails, nil) @@ -284,7 +286,7 @@ func (suite *DelegatingKeyServiceTestSuite) TestDeriveKey() { mockProtectedKey.On("Export", mock.Anything).Return([]byte("exported"), nil) suite.mockManagerA.On("DeriveKey", mock.Anything, mockKeyDetails, []byte("ephemeralKey"), elliptic.P256()).Return(mockProtectedKey, nil) - suite.service.RegisterKeyManager("mockManager", func(_ *KeyManagerFactoryOptions) (KeyManager, error) { + suite.service.RegisterKeyManagerCtx("mockManager", func(_ context.Context, _ *KeyManagerFactoryOptions) (KeyManager, error) { return suite.mockManagerA, nil }) @@ -294,10 +296,10 @@ func (suite *DelegatingKeyServiceTestSuite) TestDeriveKey() { } func (suite *DelegatingKeyServiceTestSuite) TestGenerateECSessionKey() { - suite.service.RegisterKeyManager("default", func(_ *KeyManagerFactoryOptions) (KeyManager, error) { + suite.service.RegisterKeyManagerCtx("default", func(_ context.Context, _ *KeyManagerFactoryOptions) (KeyManager, error) { return suite.mockManagerA, nil }) - suite.service.defaultMode = "default" + suite.service.defaultMode = keyManagerDesignation{Manager: "default"} suite.mockManagerA.On("GenerateECSessionKey", mock.Anything, "ephemeralPublicKey").Return(&MockEncapsulator{}, nil) encapsulator, err := suite.service.GenerateECSessionKey(context.Background(), "ephemeralPublicKey")