kms: add context.Context to KMS API calls (#15327)

This commit adds a `context.Context` to the
KMS `{Stat, CreateKey, GenerateKey}` API
calls.

The context will be used to terminate external calls
as soon as the client request gets canceled.

A follow-up PR will add a `context.Context` to
the remaining `DecryptKey` API call.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
Andreas Auernhammer
2022-07-19 03:54:27 +02:00
committed by GitHub
parent 957e3ed729
commit 242d06274a
18 changed files with 64 additions and 65 deletions


@@ -23,7 +23,6 @@ import (
"crypto/x509"
"errors"
"strings"
"time"
"github.com/minio/kes"
)
@@ -100,9 +99,7 @@ var _ KMS = (*kesClient)(nil) // compiler check
// Stat returns the current KES status containing a
// list of KES endpoints and the default key ID.
func (c *kesClient) Stat() (Status, error) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
func (c *kesClient) Stat(ctx context.Context) (Status, error) {
if _, err := c.client.Version(ctx); err != nil {
return Status{}, err
}
@@ -124,8 +121,8 @@ func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) {
//
// If the a key with the same keyID already exists then
// CreateKey returns kes.ErrKeyExists.
func (c *kesClient) CreateKey(keyID string) error {
return c.client.CreateKey(context.Background(), keyID)
func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
return c.client.CreateKey(ctx, keyID)
}
// GenerateKey generates a new data encryption key using
@@ -136,15 +133,15 @@ func (c *kesClient) CreateKey(keyID string) error {
// The context is associated and tied to the generated DEK.
// The same context must be provided when the generated
// key should be decrypted.
func (c *kesClient) GenerateKey(keyID string, ctx Context) (DEK, error) {
func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Context) (DEK, error) {
if keyID == "" {
keyID = c.defaultKeyID
}
ctxBytes, err := ctx.MarshalText()
ctxBytes, err := cryptoCtx.MarshalText()
if err != nil {
return DEK{}, err
}
dek, err := c.client.GenerateKey(context.Background(), keyID, ctxBytes)
dek, err := c.client.GenerateKey(ctx, keyID, ctxBytes)
if err != nil {
return DEK{}, err
}
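Review bot: Stat drops the 10-second bound that the removed `context.WithTimeout` placed on the `c.client.Version` call, and nothing in the new body replaces it, so a caller that hands in a context without a deadline (for example `context.Background()`, which the test file in this commit already passes to GenerateKey) can now block on the KES endpoint indefinitely. If not every caller is guaranteed to carry a deadline, keep a fallback timeout that applies only when `ctx.Deadline()` reports none, as below; that also means the import the first hunk removes (presumably `time`) has to stay. The GenerateKey doc comment above the last hunk ("The context is associated and tied to the generated DEK") now reads ambiguously next to the new `ctx context.Context` parameter and should name `cryptoCtx` explicitly. Stat's and GenerateKey's bodies continue past the hunk.
```go
func (c *kesClient) Stat(ctx context.Context) (Status, error) {
	// Bound the KES round trip when the caller supplied no deadline,
	// preserving the 10s limit the previous implementation enforced.
	if _, ok := ctx.Deadline(); !ok {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, 10*time.Second)
		defer cancel()
	}
	if _, err := c.client.Version(ctx); err != nil {
		return Status{}, err
	}
	// … unchanged: rest of Stat …
```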


@@ -30,13 +30,13 @@ import (
// different KMS implementations.
type KMS interface {
// Stat returns the current KMS status.
Stat() (Status, error)
Stat(cxt context.Context) (Status, error)
// Metrics returns a KMS metric snapshot.
Metrics(ctx context.Context) (kes.Metric, error)
// CreateKey creates a new key at the KMS with the given key ID.
CreateKey(keyID string) error
CreateKey(ctx context.Context, keyID string) error
// GenerateKey generates a new data encryption key using the
// key referenced by the key ID.
@@ -50,7 +50,7 @@ type KMS interface {
// should be decrypted. Therefore, it is the callers
// responsibility to remember the corresponding context for
// a particular DEK. The context may be nil.
GenerateKey(keyID string, context Context) (DEK, error)
GenerateKey(ctx context.Context, keyID string, context Context) (DEK, error)
// DecryptKey decrypts the ciphertext with the key referenced
// by the key ID. The context must match the context value
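Review bot: The new Stat signature in the interface names its parameter `cxt` rather than `ctx`, and GenerateKey keeps the name `context` for the crypto Context beside the new `ctx context.Context`, so `context` reads as both the package and the parameter on one line; the secretKey implementation in the next file (`GenerateKey(_ context.Context, keyID string, context Context)`) carries the same shadowing into a function body, which is presumably why its first parameter had to be blank. Suggest `Stat(ctx context.Context) (Status, error)` and `GenerateKey(ctx context.Context, keyID string, cryptoCtx Context) (DEK, error)`, matching the kesClient implementation in this commit. The doc comment above GenerateKey ("The context may be nil") should then say which of the two it means, e.g. `// The cryptoCtx may be nil; ctx only governs cancellation of the KMS call.`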


@@ -83,7 +83,7 @@ const ( // algorithms used to derive and encrypt DEKs
algorithmChaCha20Poly1305 = "ChaCha20Poly1305"
)
func (kms secretKey) Stat() (Status, error) {
func (kms secretKey) Stat(context.Context) (Status, error) {
return Status{
Name: "SecretKey",
DefaultKey: kms.keyID,
@@ -94,11 +94,11 @@ func (secretKey) Metrics(ctx context.Context) (kes.Metric, error) {
return kes.Metric{}, errors.New("kms: metrics are not supported")
}
func (secretKey) CreateKey(string) error {
func (secretKey) CreateKey(context.Context, string) error {
return errors.New("kms: creating keys is not supported")
}
func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) {
func (kms secretKey) GenerateKey(_ context.Context, keyID string, context Context) (DEK, error) {
if keyID == "" {
keyID = kms.keyID
}


@@ -19,6 +19,7 @@ package kms
import (
"bytes"
"context"
"encoding/base64"
"testing"
)
@@ -29,7 +30,7 @@ func TestSingleKeyRoundtrip(t *testing.T) {
t.Fatalf("Failed to initialize KMS: %v", err)
}
key, err := KMS.GenerateKey("my-key", Context{})
key, err := KMS.GenerateKey(context.Background(), "my-key", Context{})
if err != nil {
t.Fatalf("Failed to generate key: %v", err)
}