Remove kekID from cryptmapper
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
7626765d87
commit
5660f813f0
@ -31,23 +31,20 @@ var packageLock = sync.Mutex{}
|
||||
type CryptMapper struct {
|
||||
mapper DeviceMapper
|
||||
kms KeyCreator
|
||||
kekID string
|
||||
}
|
||||
|
||||
// New initializes a new CryptMapper with the given kms client and key-encryption-key ID.
|
||||
// kms is used to fetch data encryption keys for the dm-crypt volumes.
|
||||
// kekID is the ID of the key used to encrypt the data encryption keys.
|
||||
func New(kms KeyCreator, kekID string, mapper DeviceMapper) *CryptMapper {
|
||||
func New(kms KeyCreator, mapper DeviceMapper) *CryptMapper {
|
||||
return &CryptMapper{
|
||||
mapper: mapper,
|
||||
kms: kms,
|
||||
kekID: kekID,
|
||||
}
|
||||
}
|
||||
|
||||
// KeyCreator is an interface to create data encryption keys.
|
||||
type KeyCreator interface {
|
||||
GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error)
|
||||
GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
|
||||
}
|
||||
|
||||
// DeviceMapper is an interface for device mapper methods.
|
||||
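Review bot: The doc comment on New still describes a key-encryption-key ID that the new signature `func New(kms KeyCreator, mapper DeviceMapper) *CryptMapper` no longer takes; the `// kekID is the ID of the key ...` line was dropped, but the first sentence was not updated. Replace it with `// New initializes a new CryptMapper with the given kms client and device mapper.` so the comment matches the signature. Since callers of KeyCreator can no longer scope a request by KEK, its comment could also state that dekID alone selects the key, e.g. `// KeyCreator is an interface to create data encryption keys; which key is returned for a dekID is up to the implementation.`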
@ -175,7 +172,7 @@ func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID stri
|
||||
if integrity {
|
||||
keySize = keySizeIntegrity
|
||||
}
|
||||
dek, err := c.kms.GetDEK(ctx, c.kekID, volumeID, keySize)
|
||||
dek, err := c.kms.GetDEK(ctx, volumeID, keySize)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
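Review bot: With the KEK ID gone, the DEK request on the new line `dek, err := c.kms.GetDEK(ctx, volumeID, keySize)` is scoped by volumeID alone, so for a KMS that derives keys, two volumes sharing an ID would presumably receive the same key; OpenCryptDevice's doc comment should state that volumeID must be unique and stable per cluster, since that uniqueness is now the only thing separating volume keys. The error on the following `return "", err` is also returned without context; if fmt is in scope, `return "", fmt.Errorf("getting DEK for volume %q: %w", volumeID, err)` tells the caller which step failed. OpenCryptDevice starts and ends outside the hunk.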
@ -94,7 +94,7 @@ func TestCloseCryptDevice(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{})
|
||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
||||
err := mapper.CloseCryptDevice("volume01-unit-test")
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
@ -227,7 +227,7 @@ func TestOpenCryptDevice(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
mapper := New(kms.NewStaticKMS(), "", &stubCryptDevice{})
|
||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
||||
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
@ -24,7 +24,7 @@ func NewConstellationKMS(coordinatorEndpoint string) *ConstellationKMS {
|
||||
}
|
||||
|
||||
// GetDEK connects to the Constellation Coordinators VPN API to request a data encryption key derived from the Constellation's master secret.
|
||||
func (k *ConstellationKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) {
|
||||
func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||
conn, err := grpc.DialContext(ctx, k.endpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
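Review bot: The doc comment above the new `func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int)` signature does not say what identifies the key now that the KEK ID is gone, and it does not mention that the request is sent over a gRPC connection dialed with `insecure.NewCredentials()`, i.e. no TLS and no peer authentication. Presumably confidentiality and peer identity come from the VPN the comment refers to, but that should be written down so the endpoint is never exposed outside it; e.g. extend the comment with `// The gRPC connection is unauthenticated and unencrypted and relies on the VPN for both; dekID (with the master secret) determines the returned key.` The function body continues outside the hunk.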
@ -46,7 +46,7 @@ func TestConstellationKMS(t *testing.T) {
|
||||
endpoint: listener.Addr().String(),
|
||||
vpn: tc.vpn,
|
||||
}
|
||||
res, err := kms.GetDEK(context.Background(), "master-key", "data-key", 64)
|
||||
res, err := kms.GetDEK(context.Background(), "data-key", 64)
|
||||
|
||||
if tc.errExpected {
|
||||
assert.Error(err)
|
||||
|
@ -15,7 +15,7 @@ func NewStaticKMS() *staticKMS {
|
||||
}
|
||||
|
||||
// GetDEK returns the key of staticKMS.
|
||||
func (k *staticKMS) GetDEK(ctx context.Context, kekID, dekID string, dekSize int) ([]byte, error) {
|
||||
func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||
key := make([]byte, dekSize)
|
||||
for i := range key {
|
||||
key[i] = 0x41
|
||||
|
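Review bot: The comment `// GetDEK returns the key of staticKMS.` on the new signature does not say that the key is constant: the loop fills every byte with `0x41` regardless of dekID, and ctx and dekID are unused. A reader of the doc alone could take this for a real key source; make it explicit with `// GetDEK returns a fixed, non-secret key of dekSize bytes (every byte 0x41). ctx and dekID are ignored, so every caller gets the same key.` The function body continues outside the hunk.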
@ -23,7 +23,7 @@ func main() {
|
||||
defer klog.Flush()
|
||||
flag.Parse()
|
||||
|
||||
mapper := cryptmapper.New(kms.NewStaticKMS(), "", &cryptmapper.CryptDevice{})
|
||||
mapper := cryptmapper.New(kms.NewStaticKMS(), &cryptmapper.CryptDevice{})
|
||||
|
||||
if *close {
|
||||
err := mapper.CloseCryptDevice(*volumeID)
|
||||
|
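Review bot: The new `mapper := cryptmapper.New(kms.NewStaticKMS(), &cryptmapper.CryptDevice{})` line pairs the static KMS with the real CryptDevice, so any volume this binary opens is encrypted under the fixed all-0x41 key that staticKMS.GetDEK returns (hunk at -15). Whether this main is a development utility or a shipped component is not visible here; if it is more than a test tool the KMS should come from configuration rather than being hard-wired, and otherwise a one-line comment such as `// staticKMS: fixed test key; volumes opened here are not confidential` keeps the next reader from mistaking it for a real key source. main continues outside the hunk.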
@ -49,7 +49,7 @@ func TestOpenAndClose(t *testing.T) {
|
||||
defer teardown()
|
||||
|
||||
kms := kms.NewStaticKMS()
|
||||
mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{})
|
||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
||||
|
||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
|
||||
require.NoError(err)
|
||||
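Review bot: The local `kms := kms.NewStaticKMS()` shadows the imported package `kms`, so the new line `mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})` passes a variable whose name reads as a package, and the package itself is unreachable for the rest of the function; the hunk at -76 for TestOpenAndCloseIntegrity has the same pattern. Renaming the variable avoids both, e.g. `staticKMS := kms.NewStaticKMS()` and `mapper := cryptmapper.New(staticKMS, &cryptmapper.CryptDevice{})`. Both test functions start and end outside their hunks.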
@ -76,7 +76,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
|
||||
defer teardown()
|
||||
|
||||
kms := kms.NewStaticKMS()
|
||||
mapper := cryptmapper.New(kms, "", &cryptmapper.CryptDevice{})
|
||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
||||
|
||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
|
||||
require.NoError(err)
|
||||
|