From 242d06274a4fa0a79c6dd468d1084b5680062e75 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Tue, 19 Jul 2022 03:54:27 +0200 Subject: [PATCH] kms: add `context.Context` to KMS API calls (#15327) This commit adds a `context.Context` to the the KMS `{Stat, CreateKey, GenerateKey}` API calls. The context will be used to terminate external calls as soon as the client requests gets canceled. A follow-up PR will add a `context.Context` to the remaining `DecryptKey` API call. Signed-off-by: Andreas Auernhammer --- cmd/admin-bucket-handlers.go | 2 +- cmd/admin-handlers.go | 12 +++++----- cmd/bucket-encryption-handlers.go | 2 +- cmd/bucket-handlers.go | 2 +- cmd/bucket-metadata-sys.go | 2 +- cmd/bucket-metadata.go | 6 ++--- cmd/common-main.go | 2 +- cmd/config-encrypted.go | 4 ++-- cmd/disk-cache-backend.go | 14 +++++------ cmd/encryption-v1.go | 40 +++++++++++++++---------------- cmd/format-disk-cache.go | 2 +- cmd/object-handlers.go | 4 ++-- cmd/tier.go | 2 +- internal/config/crypto.go | 5 ++-- internal/kms/kes.go | 15 +++++------- internal/kms/kms.go | 6 ++--- internal/kms/single-key.go | 6 ++--- internal/kms/single-key_test.go | 3 ++- 18 files changed, 64 insertions(+), 65 deletions(-) diff --git a/cmd/admin-bucket-handlers.go b/cmd/admin-bucket-handlers.go index c739ad5ba..7c5043a99 100644 --- a/cmd/admin-bucket-handlers.go +++ b/cmd/admin-bucket-handlers.go @@ -953,7 +953,7 @@ func (a adminAPIHandlers) ImportBucketMetadataHandler(w http.ResponseWriter, r * kmsKey := encConfig.KeyID() if kmsKey != "" { kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation - _, err := GlobalKMS.GenerateKey(kmsKey, kmsContext) + _, err := GlobalKMS.GenerateKey(ctx, kmsKey, kmsContext) if err != nil { if errors.Is(err, kes.ErrKeyNotFound) { writeErrorResponse(ctx, w, importError(ctx, errKMSKeyNotFound, file.Name, bucket), r.URL) diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go index 1e628dfde..5df38e8f6 100644 --- a/cmd/admin-handlers.go +++ b/cmd/admin-handlers.go @@ -1615,7 +1615,7 @@ func (a adminAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Req return } - if err := GlobalKMS.CreateKey(r.Form.Get("key-id")); err != nil { + if err := GlobalKMS.CreateKey(ctx, r.Form.Get("key-id")); err != nil { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } @@ -1637,7 +1637,7 @@ func (a adminAPIHandlers) KMSStatusHandler(w http.ResponseWriter, r *http.Reques return } - stat, err := GlobalKMS.Stat() + stat, err := GlobalKMS.Stat(ctx) if err != nil { writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL) return @@ -1676,7 +1676,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req return } - stat, err := GlobalKMS.Stat() + stat, err := GlobalKMS.Stat(ctx) if err != nil { writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL) return @@ -1692,7 +1692,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req kmsContext := kms.Context{"MinIO admin API": "KMSKeyStatusHandler"} // Context for a test key operation // 1. Generate a new key using the KMS. - key, err := GlobalKMS.GenerateKey(keyID, kmsContext) + key, err := GlobalKMS.GenerateKey(ctx, keyID, kmsContext) if err != nil { response.EncryptionErr = err.Error() resp, err := json.Marshal(response) @@ -2542,7 +2542,7 @@ func fetchKMSStatus() madmin.KMS { return kmsStat } - stat, err := GlobalKMS.Stat() + stat, err := GlobalKMS.Stat(context.Background()) if err != nil { kmsStat.Status = string(madmin.ItemOffline) return kmsStat @@ -2555,7 +2555,7 @@ func fetchKMSStatus() madmin.KMS { kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation // 1. Generate a new key using the KMS. - key, err := GlobalKMS.GenerateKey("", kmsContext) + key, err := GlobalKMS.GenerateKey(context.Background(), "", kmsContext) if err != nil { kmsStat.Encrypt = fmt.Sprintf("Encryption failed: %v", err) } else { diff --git a/cmd/bucket-encryption-handlers.go b/cmd/bucket-encryption-handlers.go index 3686bcfc8..62c388bf6 100644 --- a/cmd/bucket-encryption-handlers.go +++ b/cmd/bucket-encryption-handlers.go @@ -90,7 +90,7 @@ func (api objectAPIHandlers) PutBucketEncryptionHandler(w http.ResponseWriter, r kmsKey := encConfig.KeyID() if kmsKey != "" { kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation - _, err := GlobalKMS.GenerateKey(kmsKey, kmsContext) + _, err := GlobalKMS.GenerateKey(ctx, kmsKey, kmsContext) if err != nil { if errors.Is(err, kes.ErrKeyNotFound) { writeErrorResponse(ctx, w, toAPIError(ctx, errKMSKeyNotFound), r.URL) diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go index 9dac30d37..8ea58cde0 100644 --- a/cmd/bucket-handlers.go +++ b/cmd/bucket-handlers.go @@ -1067,7 +1067,7 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h return } } - reader, objectEncryptionKey, err = newEncryptReader(hashReader, kind, keyID, key, bucket, object, metadata, kmsCtx) + reader, objectEncryptionKey, err = newEncryptReader(ctx, hashReader, kind, keyID, key, bucket, object, metadata, kmsCtx) if err != nil { writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) return diff --git a/cmd/bucket-metadata-sys.go b/cmd/bucket-metadata-sys.go index 73aa45b76..9b6253b2e 100644 --- a/cmd/bucket-metadata-sys.go +++ b/cmd/bucket-metadata-sys.go @@ -136,7 +136,7 @@ func (sys *BucketMetadataSys) Update(ctx context.Context, bucket string, configF meta.ReplicationConfigXML = configData meta.ReplicationConfigUpdatedAt = updatedAt case bucketTargetsFile: - meta.BucketTargetsConfigJSON, meta.BucketTargetsConfigMetaJSON, err = encryptBucketMetadata(meta.Name, configData, kms.Context{ + meta.BucketTargetsConfigJSON, meta.BucketTargetsConfigMetaJSON, err = encryptBucketMetadata(ctx, meta.Name, configData, kms.Context{ bucket: meta.Name, bucketTargetsFile: bucketTargetsFile, }) diff --git a/cmd/bucket-metadata.go b/cmd/bucket-metadata.go index 2e97027b5..cb2da0a70 100644 --- a/cmd/bucket-metadata.go +++ b/cmd/bucket-metadata.go @@ -438,7 +438,7 @@ func (b *BucketMetadata) migrateTargetConfig(ctx context.Context, objectAPI Obje return nil } - encBytes, metaBytes, err := encryptBucketMetadata(b.Name, b.BucketTargetsConfigJSON, kms.Context{b.Name: b.Name, bucketTargetsFile: bucketTargetsFile}) + encBytes, metaBytes, err := encryptBucketMetadata(ctx, b.Name, b.BucketTargetsConfigJSON, kms.Context{b.Name: b.Name, bucketTargetsFile: bucketTargetsFile}) if err != nil { return err } @@ -449,14 +449,14 @@ func (b *BucketMetadata) migrateTargetConfig(ctx context.Context, objectAPI Obje } // encrypt bucket metadata if kms is configured. -func encryptBucketMetadata(bucket string, input []byte, kmsContext kms.Context) (output, metabytes []byte, err error) { +func encryptBucketMetadata(ctx context.Context, bucket string, input []byte, kmsContext kms.Context) (output, metabytes []byte, err error) { if GlobalKMS == nil { output = input return } metadata := make(map[string]string) - key, err := GlobalKMS.GenerateKey("", kmsContext) + key, err := GlobalKMS.GenerateKey(ctx, "", kmsContext) if err != nil { return } diff --git a/cmd/common-main.go b/cmd/common-main.go index 71ae5b2cd..f6a6d71b7 100644 --- a/cmd/common-main.go +++ b/cmd/common-main.go @@ -868,7 +868,7 @@ func handleKMSConfig() { // This implicitly checks that we can communicate to KES. We don't treat // a policy error as failure condition since MinIO may not have the permission // to create keys - just to generate/decrypt data encryption keys. - if err = KMS.CreateKey(defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) { + if err = KMS.CreateKey(context.Background(), defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) { logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment") } GlobalKMS = KMS diff --git a/cmd/config-encrypted.go b/cmd/config-encrypted.go index ec8ee0fd3..a248c06aa 100644 --- a/cmd/config-encrypted.go +++ b/cmd/config-encrypted.go @@ -70,7 +70,7 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client) } if encrypted && GlobalKMS != nil { - stat, err := GlobalKMS.Stat() + stat, err := GlobalKMS.Stat(ctx) if err != nil { return err } @@ -139,7 +139,7 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error { return nil } if encrypted && GlobalKMS != nil { - stat, err := GlobalKMS.Stat() + stat, err := GlobalKMS.Stat(context.Background()) if err != nil { return err } diff --git a/cmd/disk-cache-backend.go b/cmd/disk-cache-backend.go index 73ad09d46..80f500ae2 100644 --- a/cmd/disk-cache-backend.go +++ b/cmd/disk-cache-backend.go @@ -797,8 +797,8 @@ func (c *diskCache) bitrotWriteToCache(cachePath, fileName string, reader io.Rea return bytesWritten, base64.StdEncoding.EncodeToString(md5sumCurr), nil } -func newCacheEncryptReader(content io.Reader, bucket, object string, metadata map[string]string) (r io.Reader, err error) { - objectEncryptionKey, err := newCacheEncryptMetadata(bucket, object, metadata) +func newCacheEncryptReader(ctx context.Context, content io.Reader, bucket, object string, metadata map[string]string) (r io.Reader, err error) { + objectEncryptionKey, err := newCacheEncryptMetadata(ctx, bucket, object, metadata) if err != nil { return nil, err } @@ -810,12 +810,12 @@ func newCacheEncryptReader(content io.Reader, bucket, object string, metadata ma return reader, nil } -func newCacheEncryptMetadata(bucket, object string, metadata map[string]string) ([]byte, error) { +func newCacheEncryptMetadata(ctx context.Context, bucket, object string, metadata map[string]string) ([]byte, error) { var sealedKey crypto.SealedKey if globalCacheKMS == nil { return nil, errKMSNotConfigured } - key, err := globalCacheKMS.GenerateKey("", kms.Context{bucket: pathJoin(bucket, object)}) + key, err := globalCacheKMS.GenerateKey(ctx, "", kms.Context{bucket: pathJoin(bucket, object)}) if err != nil { return nil, err } @@ -891,7 +891,7 @@ func (c *diskCache) put(ctx context.Context, bucket, object string, data io.Read reader := data actualSize := uint64(size) if globalCacheKMS != nil { - reader, err = newCacheEncryptReader(data, bucket, object, metadata) + reader, err = newCacheEncryptReader(ctx, data, bucket, object, metadata) if err != nil { removeAll(cachePath) return oi, err @@ -948,7 +948,7 @@ func (c *diskCache) putRange(ctx context.Context, bucket, object string, data io // objSize is the actual size of object (with encryption overhead if any) objSize := uint64(size) if globalCacheKMS != nil { - reader, err = newCacheEncryptReader(data, bucket, object, metadata) + reader, err = newCacheEncryptReader(ctx, data, bucket, object, metadata) if err != nil { return err } @@ -1301,7 +1301,7 @@ func (c *diskCache) NewMultipartUpload(ctx context.Context, bucket, object, uID m.Stat.ModTime = UTCNow() if globalCacheKMS != nil { m.Meta[ReservedMetadataPrefix+"Encrypted-Multipart"] = "" - if _, err := newCacheEncryptMetadata(bucket, object, m.Meta); err != nil { + if _, err := newCacheEncryptMetadata(ctx, bucket, object, m.Meta); err != nil { return uploadID, err } } diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index f5ecc7e98..925ed1bcc 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -255,7 +255,7 @@ func ParseSSECustomerHeader(header http.Header) (key []byte, err error) { } // This function rotates old to new key. -func rotateKey(oldKey []byte, newKeyID string, newKey []byte, bucket, object string, metadata map[string]string, ctx kms.Context) error { +func rotateKey(ctx context.Context, oldKey []byte, newKeyID string, newKey []byte, bucket, object string, metadata map[string]string, cryptoCtx kms.Context) error { kind, _ := crypto.IsEncrypted(metadata) switch kind { case crypto.S3: @@ -275,7 +275,7 @@ func rotateKey(oldKey []byte, newKeyID string, newKey []byte, bucket, object str return err } - newKey, err := GlobalKMS.GenerateKey("", kms.Context{bucket: path.Join(bucket, object)}) + newKey, err := GlobalKMS.GenerateKey(ctx, "", kms.Context{bucket: path.Join(bucket, object)}) if err != nil { return err } @@ -291,8 +291,8 @@ func rotateKey(oldKey []byte, newKeyID string, newKey []byte, bucket, object str return err } - if len(ctx) == 0 { - _, _, _, ctx, err = crypto.S3KMS.ParseMetadata(metadata) + if len(cryptoCtx) == 0 { + _, _, _, cryptoCtx, err = crypto.S3KMS.ParseMetadata(metadata) if err != nil { return err } @@ -305,19 +305,19 @@ func rotateKey(oldKey []byte, newKeyID string, newKey []byte, bucket, object str // of the client provided context and add the bucket // key, if not present. kmsCtx := kms.Context{} - for k, v := range ctx { + for k, v := range cryptoCtx { kmsCtx[k] = v } if _, ok := kmsCtx[bucket]; !ok { kmsCtx[bucket] = path.Join(bucket, object) } - newKey, err := GlobalKMS.GenerateKey(newKeyID, kmsCtx) + newKey, err := GlobalKMS.GenerateKey(ctx, newKeyID, kmsCtx) if err != nil { return err } sealedKey := objectKey.Seal(newKey.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3KMS.String(), bucket, object) - crypto.S3KMS.CreateMetadata(metadata, newKey.KeyID, newKey.Ciphertext, sealedKey, ctx) + crypto.S3KMS.CreateMetadata(metadata, newKey.KeyID, newKey.Ciphertext, sealedKey, cryptoCtx) return nil case crypto.SSEC: sealedKey, err := crypto.SSEC.ParseMetadata(metadata) @@ -344,14 +344,14 @@ func rotateKey(oldKey []byte, newKeyID string, newKey []byte, bucket, object str } } -func newEncryptMetadata(kind crypto.Type, keyID string, key []byte, bucket, object string, metadata map[string]string, ctx kms.Context) (crypto.ObjectKey, error) { +func newEncryptMetadata(ctx context.Context, kind crypto.Type, keyID string, key []byte, bucket, object string, metadata map[string]string, cryptoCtx kms.Context) (crypto.ObjectKey, error) { var sealedKey crypto.SealedKey switch kind { case crypto.S3: if GlobalKMS == nil { return crypto.ObjectKey{}, errKMSNotConfigured } - key, err := GlobalKMS.GenerateKey("", kms.Context{bucket: path.Join(bucket, object)}) + key, err := GlobalKMS.GenerateKey(ctx, "", kms.Context{bucket: path.Join(bucket, object)}) if err != nil { return crypto.ObjectKey{}, err } @@ -372,13 +372,13 @@ func newEncryptMetadata(kind crypto.Type, keyID string, key []byte, bucket, obje // of the client provided context and add the bucket // key, if not present. kmsCtx := kms.Context{} - for k, v := range ctx { + for k, v := range cryptoCtx { kmsCtx[k] = v } if _, ok := kmsCtx[bucket]; !ok { kmsCtx[bucket] = path.Join(bucket, object) } - key, err := GlobalKMS.GenerateKey(keyID, kmsCtx) + key, err := GlobalKMS.GenerateKey(ctx, keyID, kmsCtx) if err != nil { if errors.Is(err, kes.ErrKeyNotFound) { return crypto.ObjectKey{}, errKMSKeyNotFound @@ -388,7 +388,7 @@ func newEncryptMetadata(kind crypto.Type, keyID string, key []byte, bucket, obje objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader) sealedKey = objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3KMS.String(), bucket, object) - crypto.S3KMS.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey, ctx) + crypto.S3KMS.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey, cryptoCtx) return objectKey, nil case crypto.SSEC: objectKey := crypto.GenerateKey(key, rand.Reader) @@ -400,8 +400,8 @@ func newEncryptMetadata(kind crypto.Type, keyID string, key []byte, bucket, obje } } -func newEncryptReader(content io.Reader, kind crypto.Type, keyID string, key []byte, bucket, object string, metadata map[string]string, ctx kms.Context) (io.Reader, crypto.ObjectKey, error) { - objectEncryptionKey, err := newEncryptMetadata(kind, keyID, key, bucket, object, metadata, ctx) +func newEncryptReader(ctx context.Context, content io.Reader, kind crypto.Type, keyID string, key []byte, bucket, object string, metadata map[string]string, cryptoCtx kms.Context) (io.Reader, crypto.ObjectKey, error) { + objectEncryptionKey, err := newEncryptMetadata(ctx, kind, keyID, key, bucket, object, metadata, cryptoCtx) if err != nil { return nil, crypto.ObjectKey{}, err } @@ -418,9 +418,9 @@ func newEncryptReader(content io.Reader, kind crypto.Type, keyID string, key []b // SSE-S3 func setEncryptionMetadata(r *http.Request, bucket, object string, metadata map[string]string) (err error) { var ( - key []byte - keyID string - ctx kms.Context + key []byte + keyID string + kmsCtx kms.Context ) kind, _ := crypto.IsRequested(r.Header) switch kind { @@ -430,12 +430,12 @@ func setEncryptionMetadata(r *http.Request, bucket, object string, metadata map[ return err } case crypto.S3KMS: - keyID, ctx, err = crypto.S3KMS.ParseHTTP(r.Header) + keyID, kmsCtx, err = crypto.S3KMS.ParseHTTP(r.Header) if err != nil { return err } } - _, err = newEncryptMetadata(kind, keyID, key, bucket, object, metadata, ctx) + _, err = newEncryptMetadata(r.Context(), kind, keyID, key, bucket, object, metadata, kmsCtx) return } @@ -468,7 +468,7 @@ func EncryptRequest(content io.Reader, r *http.Request, bucket, object string, m return nil, crypto.ObjectKey{}, err } } - return newEncryptReader(content, kind, keyID, key, bucket, object, metadata, ctx) + return newEncryptReader(r.Context(), content, kind, keyID, key, bucket, object, metadata, ctx) } func decryptObjectInfo(key []byte, bucket, object string, metadata map[string]string) ([]byte, error) { diff --git a/cmd/format-disk-cache.go b/cmd/format-disk-cache.go index 878c79be3..04ed8c8f5 100644 --- a/cmd/format-disk-cache.go +++ b/cmd/format-disk-cache.go @@ -359,7 +359,7 @@ func migrateCacheData(ctx context.Context, c *diskCache, bucket, object, oldfile actualSize := uint64(st.Size()) if globalCacheKMS != nil { - reader, err = newCacheEncryptReader(readCloser, bucket, object, metadata) + reader, err = newCacheEncryptReader(ctx, readCloser, bucket, object, metadata) if err != nil { return err } diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go index 01b4d6af8..bd12cead6 100644 --- a/cmd/object-handlers.go +++ b/cmd/object-handlers.go @@ -1249,7 +1249,7 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re } } - if err = rotateKey(oldKey, newKeyID, newKey, srcBucket, srcObject, encMetadata, kmsCtx); err != nil { + if err = rotateKey(ctx, oldKey, newKeyID, newKey, srcBucket, srcObject, encMetadata, kmsCtx); err != nil { writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) return } @@ -1287,7 +1287,7 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re if isTargetEncrypted { var encReader io.Reader kind, _ := crypto.IsRequested(r.Header) - encReader, objEncKey, err = newEncryptReader(srcInfo.Reader, kind, newKeyID, newKey, dstBucket, dstObject, encMetadata, kmsCtx) + encReader, objEncKey, err = newEncryptReader(ctx, srcInfo.Reader, kind, newKeyID, newKey, dstBucket, dstObject, encMetadata, kmsCtx) if err != nil { writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) return diff --git a/cmd/tier.go b/cmd/tier.go index 475be15a0..8ead2de46 100644 --- a/cmd/tier.go +++ b/cmd/tier.go @@ -287,7 +287,7 @@ func (config *TierConfigMgr) configReader() (*PutObjReader, *ObjectOptions, erro // Encrypt json encoded tier configurations metadata := make(map[string]string) - encBr, oek, err := newEncryptReader(hr, crypto.S3, "", nil, minioMetaBucket, tierConfigPath, metadata, kms.Context{}) + encBr, oek, err := newEncryptReader(context.Background(), hr, crypto.S3, "", nil, minioMetaBucket, tierConfigPath, metadata, kms.Context{}) if err != nil { return nil, nil, err } diff --git a/internal/config/crypto.go b/internal/config/crypto.go index cdf423fd7..c1029e153 100644 --- a/internal/config/crypto.go +++ b/internal/config/crypto.go @@ -19,6 +19,7 @@ package config import ( "bytes" + "context" "crypto/rand" "encoding/binary" "errors" @@ -61,13 +62,13 @@ func DecryptBytes(KMS kms.KMS, ciphertext []byte, context kms.Context) ([]byte, // // The same context must be provided when decrypting the // ciphertext. -func Encrypt(KMS kms.KMS, plaintext io.Reader, context kms.Context) (io.Reader, error) { +func Encrypt(KMS kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) { algorithm := sio.AES_256_GCM if !fips.Enabled && !sioutil.NativeAES() { algorithm = sio.ChaCha20Poly1305 } - key, err := KMS.GenerateKey("", context) + key, err := KMS.GenerateKey(context.Background(), "", ctx) if err != nil { return nil, err } diff --git a/internal/kms/kes.go b/internal/kms/kes.go index a7e3a9740..fa2d8cdc2 100644 --- a/internal/kms/kes.go +++ b/internal/kms/kes.go @@ -23,7 +23,6 @@ import ( "crypto/x509" "errors" "strings" - "time" "github.com/minio/kes" ) @@ -100,9 +99,7 @@ var _ KMS = (*kesClient)(nil) // compiler check // Stat returns the current KES status containing a // list of KES endpoints and the default key ID. -func (c *kesClient) Stat() (Status, error) { - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - defer cancel() +func (c *kesClient) Stat(ctx context.Context) (Status, error) { if _, err := c.client.Version(ctx); err != nil { return Status{}, err } @@ -124,8 +121,8 @@ func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) { // // If the a key with the same keyID already exists then // CreateKey returns kes.ErrKeyExists. -func (c *kesClient) CreateKey(keyID string) error { - return c.client.CreateKey(context.Background(), keyID) +func (c *kesClient) CreateKey(ctx context.Context, keyID string) error { + return c.client.CreateKey(ctx, keyID) } // GenerateKey generates a new data encryption key using @@ -136,15 +133,15 @@ func (c *kesClient) CreateKey(keyID string) error { // The context is associated and tied to the generated DEK. // The same context must be provided when the generated // key should be decrypted. -func (c *kesClient) GenerateKey(keyID string, ctx Context) (DEK, error) { +func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Context) (DEK, error) { if keyID == "" { keyID = c.defaultKeyID } - ctxBytes, err := ctx.MarshalText() + ctxBytes, err := cryptoCtx.MarshalText() if err != nil { return DEK{}, err } - dek, err := c.client.GenerateKey(context.Background(), keyID, ctxBytes) + dek, err := c.client.GenerateKey(ctx, keyID, ctxBytes) if err != nil { return DEK{}, err } diff --git a/internal/kms/kms.go b/internal/kms/kms.go index e59827194..954432c9f 100644 --- a/internal/kms/kms.go +++ b/internal/kms/kms.go @@ -30,13 +30,13 @@ import ( // different KMS implementations. type KMS interface { // Stat returns the current KMS status. - Stat() (Status, error) + Stat(cxt context.Context) (Status, error) // Metrics returns a KMS metric snapshot. Metrics(ctx context.Context) (kes.Metric, error) // CreateKey creates a new key at the KMS with the given key ID. - CreateKey(keyID string) error + CreateKey(ctx context.Context, keyID string) error // GenerateKey generates a new data encryption key using the // key referenced by the key ID. @@ -50,7 +50,7 @@ type KMS interface { // should be decrypted. Therefore, it is the callers // responsibility to remember the corresponding context for // a particular DEK. The context may be nil. - GenerateKey(keyID string, context Context) (DEK, error) + GenerateKey(ctx context.Context, keyID string, context Context) (DEK, error) // DecryptKey decrypts the ciphertext with the key referenced // by the key ID. The context must match the context value diff --git a/internal/kms/single-key.go b/internal/kms/single-key.go index b94ed29ef..687e37a77 100644 --- a/internal/kms/single-key.go +++ b/internal/kms/single-key.go @@ -83,7 +83,7 @@ const ( // algorithms used to derive and encrypt DEKs algorithmChaCha20Poly1305 = "ChaCha20Poly1305" ) -func (kms secretKey) Stat() (Status, error) { +func (kms secretKey) Stat(context.Context) (Status, error) { return Status{ Name: "SecretKey", DefaultKey: kms.keyID, @@ -94,11 +94,11 @@ func (secretKey) Metrics(ctx context.Context) (kes.Metric, error) { return kes.Metric{}, errors.New("kms: metrics are not supported") } -func (secretKey) CreateKey(string) error { +func (secretKey) CreateKey(context.Context, string) error { return errors.New("kms: creating keys is not supported") } -func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) { +func (kms secretKey) GenerateKey(_ context.Context, keyID string, context Context) (DEK, error) { if keyID == "" { keyID = kms.keyID } diff --git a/internal/kms/single-key_test.go b/internal/kms/single-key_test.go index 714a5cf72..166f56cd8 100644 --- a/internal/kms/single-key_test.go +++ b/internal/kms/single-key_test.go @@ -19,6 +19,7 @@ package kms import ( "bytes" + "context" "encoding/base64" "testing" ) @@ -29,7 +30,7 @@ func TestSingleKeyRoundtrip(t *testing.T) { t.Fatalf("Failed to initialize KMS: %v", err) } - key, err := KMS.GenerateKey("my-key", Context{}) + key, err := KMS.GenerateKey(context.Background(), "my-key", Context{}) if err != nil { t.Fatalf("Failed to generate key: %v", err) }