Remove kekID from cryptmapper

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2022-03-24 15:21:19 +01:00 committed by Daniel Weiße
parent 7626765d87
commit 5660f813f0
7 changed files with 11 additions and 14 deletions


@ -31,23 +31,20 @@ var packageLock = sync.Mutex{}
type CryptMapper struct { type CryptMapper struct {
mapper DeviceMapper mapper DeviceMapper
kms KeyCreator kms KeyCreator
kekID string
} }
// New initializes a new CryptMapper with the given kms client and key-encryption-key ID. // New initializes a new CryptMapper with the given kms client and key-encryption-key ID.
// kms is used to fetch data encryption keys for the dm-crypt volumes. // kms is used to fetch data encryption keys for the dm-crypt volumes.
// kekID is the ID of the key used to encrypt the data encryption keys. func New(kms KeyCreator, mapper DeviceMapper) *CryptMapper {
func New(kms KeyCreator, kekID string, mapper DeviceMapper) *CryptMapper {
return &CryptMapper{ return &CryptMapper{
mapper: mapper, mapper: mapper,
kms: kms, kms: kms,
kekID: kekID,
} }
} }
// KeyCreator is an interface to create data encryption keys. // KeyCreator is an interface to create data encryption keys.
type KeyCreator interface { type KeyCreator interface {
GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
} }
// DeviceMapper is an interface for device mapper methods. // DeviceMapper is an interface for device mapper methods.
@ -175,7 +172,7 @@ func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID stri
if integrity { if integrity {
keySize = keySizeIntegrity keySize = keySizeIntegrity
} }
dek, err := c.kms.GetDEK(ctx, c.kekID, volumeID, keySize) dek, err := c.kms.GetDEK(ctx, volumeID, keySize)
if err != nil { if err != nil {
return "", err return "", err
} }
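Review bot: The doc comment on New on the new side of the first hunk still says the constructor takes a "key-encryption-key ID", but that parameter is exactly what this commit removes, so the comment now documents a signature that no longer exists. Replace it with `// New initializes a new CryptMapper with the given kms client and device mapper.` and keep the following line about kms fetching DEKs. The KeyCreator comment and the narrowed GetDEK signature are consistent with the change. OpenCryptDevice's body continues outside the second hunk, so I can't see whether the length of the returned dek is checked against keySize before it is handed to dm-crypt; if it isn't, a `if len(dek) != keySize { return "", fmt.Errorf(...) }` guard after the error check would be worth adding.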


@ -94,7 +94,7 @@ func TestCloseCryptDevice(t *testing.T) {
}) })
} }
mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{}) mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
err := mapper.CloseCryptDevice("volume01-unit-test") err := mapper.CloseCryptDevice("volume01-unit-test")
assert.NoError(t, err) assert.NoError(t, err)
} }
@ -227,7 +227,7 @@ func TestOpenCryptDevice(t *testing.T) {
}) })
} }
mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{}) mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false) _, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
assert.NoError(t, err) assert.NoError(t, err)
} }


@ -24,7 +24,7 @@ func NewConstellationKMS(coordinatorEndpoint string) *ConstellationKMS {
} }
// GetDEK connects to the Constellation Coordinators VPN API to request a data encryption key derived from the Constellation's master secret. // GetDEK connects to the Constellation Coordinators VPN API to request a data encryption key derived from the Constellation's master secret.
func (k *ConstellationKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) { func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
conn, err := grpc.DialContext(ctx, k.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials())) conn, err := grpc.DialContext(ctx, k.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil { if err != nil {
return nil, err return nil, err
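Review bot: The DEK is requested over a gRPC channel dialed with `insecure.NewCredentials()`, so the transport itself provides neither encryption nor peer authentication for a key that later unlocks a dm-crypt volume. The doc comment says this is the Coordinator's VPN API, and the test in this commit configures a `vpn` field, so the design presumably relies on the VPN for both properties; that assumption should be stated next to the dial rather than left implicit, e.g. `// Transport security (confidentiality and peer authentication) is provided by the VPN; k.endpoint must only be reachable through it.` If k.endpoint can ever be pointed at an address outside the VPN, the key would travel in the clear to an unauthenticated peer. GetDEK's body continues outside the hunk, so I can't see whether conn is closed after the call.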


@ -46,7 +46,7 @@ func TestConstellationKMS(t *testing.T) {
endpoint: listener.Addr().String(), endpoint: listener.Addr().String(),
vpn: tc.vpn, vpn: tc.vpn,
} }
res, err := kms.GetDEK(context.Background(), "master-key", "data-key", 64) res, err := kms.GetDEK(context.Background(), "data-key", 64)
if tc.errExpected { if tc.errExpected {
assert.Error(err) assert.Error(err)


@ -15,7 +15,7 @@ func NewStaticKMS() *staticKMS {
} }
// GetDEK returns the key of staticKMS. // GetDEK returns the key of staticKMS.
func (k *staticKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) { func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
key := make([]byte, dekSize) key := make([]byte, dekSize)
for i := range key { for i := range key {
key[i] = 0x41 key[i] = 0x41
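Review bot: GetDEK fills the key with the constant byte 0x41 and ignores dekID entirely, so every volume opened through staticKMS shares one fixed, trivially guessable key; the doc comment `// GetDEK returns the key of staticKMS.` does not convey that. Say it explicitly, e.g. `// GetDEK returns a fixed dekSize-byte key of 0x41 bytes regardless of dekID. It is a stand-in for tests and must never be used to protect real data.` The "tests only" part is my reading of the intent: main in this same commit also instantiates NewStaticKMS, and I can't tell from here whether that binary is a development tool. The function continues outside the hunk.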


@ -23,7 +23,7 @@ func main() {
defer klog.Flush() defer klog.Flush()
flag.Parse() flag.Parse()
mapper := cryptmapper.New(kms.NewStaticKMS(), "", &cryptmapper.CryptDevice{}) mapper := cryptmapper.New(kms.NewStaticKMS(), &cryptmapper.CryptDevice{})
if *close { if *close {
err := mapper.CloseCryptDevice(*volumeID) err := mapper.CloseCryptDevice(*volumeID)
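Review bot: main wires a real `cryptmapper.CryptDevice{}` to `kms.NewStaticKMS()`, whose GetDEK (in this same commit) returns a constant all-0x41 key, so any volume this binary opens is encrypted under a key anyone can reproduce. If this is a development or CI utility, a comment on that line saying so would stop it being mistaken for a production path, e.g. `// NOTE: staticKMS yields a fixed key; this tool is for local testing only.`; if it is shipped, the KMS should be selected by configuration instead of hard-wired here. main's body continues outside the hunk.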


@ -49,7 +49,7 @@ func TestOpenAndClose(t *testing.T) {
defer teardown() defer teardown()
kms := kms.NewStaticKMS() kms := kms.NewStaticKMS()
mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{}) mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false) newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
require.NoError(err) require.NoError(err)
@ -76,7 +76,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
defer teardown() defer teardown()
kms := kms.NewStaticKMS() kms := kms.NewStaticKMS()
mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{}) mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true) newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
require.NoError(err) require.NoError(err)