Remove kekID from cryptmapper

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-03-24 15:21:19 +01:00 · 2022-03-24 15:21:19 +01:00 · 5660f813f0
commit 5660f813f0
parent 7626765d87
7 changed files with 11 additions and 14 deletions
--- a/mount/cryptmapper/cryptmapper.go
+++ b/mount/cryptmapper/cryptmapper.go
@ -31,23 +31,20 @@ var packageLock = sync.Mutex{}
 type CryptMapper struct {
 	mapper DeviceMapper
 	kms    KeyCreator
-	kekID  string
 }

 // New initializes a new CryptMapper with the given kms client and key-encryption-key ID.
 // kms is used to fetch data encryption keys for the dm-crypt volumes.
-// kekID is the ID of the key used to encrypt the data encryption keys.
-func New(kms KeyCreator, kekID string, mapper DeviceMapper) *CryptMapper {
+func New(kms KeyCreator, mapper DeviceMapper) *CryptMapper {
 	return &CryptMapper{
 		mapper: mapper,
 		kms:    kms,
-		kekID:  kekID,
 	}
 }

 // KeyCreator is an interface to create data encryption keys.
 type KeyCreator interface {
-	GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error)
+	GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
 }

 // DeviceMapper is an interface for device mapper methods.
@ -175,7 +172,7 @@ func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID stri
 	if integrity {
 		keySize = keySizeIntegrity
 	}
-	dek, err := c.kms.GetDEK(ctx, c.kekID, volumeID, keySize)
+	dek, err := c.kms.GetDEK(ctx, volumeID, keySize)
 	if err != nil {
 		return "", err
 	}
--- a/mount/cryptmapper/cryptmapper_test.go
+++ b/mount/cryptmapper/cryptmapper_test.go
@ -94,7 +94,7 @@ func TestCloseCryptDevice(t *testing.T) {
 		})
 	}

-	mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{})
+	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
 	err := mapper.CloseCryptDevice("volume01-unit-test")
 	assert.NoError(t, err)
 }
@ -227,7 +227,7 @@ func TestOpenCryptDevice(t *testing.T) {
 		})
 	}

-	mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{})
+	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
 	_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
 	assert.NoError(t, err)
 }
--- a/mount/kms/constellation.go
+++ b/mount/kms/constellation.go
@ -24,7 +24,7 @@ func NewConstellationKMS(coordinatorEndpoint string) *ConstellationKMS {
 }

 // GetDEK connects to the Constellation Coordinators VPN API to request a data encryption key derived from the Constellation's master secret.
-func (k *ConstellationKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) {
+func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
 	conn, err := grpc.DialContext(ctx, k.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		return nil, err
--- a/mount/kms/constellation_test.go
+++ b/mount/kms/constellation_test.go
@ -46,7 +46,7 @@ func TestConstellationKMS(t *testing.T) {
 				endpoint: listener.Addr().String(),
 				vpn:      tc.vpn,
 			}
-			res, err := kms.GetDEK(context.Background(), "master-key", "data-key", 64)
+			res, err := kms.GetDEK(context.Background(), "data-key", 64)

 			if tc.errExpected {
 				assert.Error(err)
--- a/mount/kms/static.go
+++ b/mount/kms/static.go
@ -15,7 +15,7 @@ func NewStaticKMS() *staticKMS {
 }

 // GetDEK returns the key of staticKMS.
-func (k *staticKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) {
+func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
 	key := make([]byte, dekSize)
 	for i := range key {
 		key[i] = 0x41
--- a/mount/test/manual/main.go
+++ b/mount/test/manual/main.go
@ -23,7 +23,7 @@ func main() {
 	defer klog.Flush()
 	flag.Parse()

-	mapper := cryptmapper.New(kms.NewStaticKMS(), "", &cryptmapper.CryptDevice{})
+	mapper := cryptmapper.New(kms.NewStaticKMS(), &cryptmapper.CryptDevice{})

 	if *close {
 		err := mapper.CloseCryptDevice(*volumeID)
--- a/mount/test/mount_integration_test.go
+++ b/mount/test/mount_integration_test.go
@ -49,7 +49,7 @@ func TestOpenAndClose(t *testing.T) {
 	defer teardown()

 	kms := kms.NewStaticKMS()
-	mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{})
+	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})

 	newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
 	require.NoError(err)
@ -76,7 +76,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
 	defer teardown()

 	kms := kms.NewStaticKMS()
-	mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{})
+	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})

 	newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
 	require.NoError(err)