Skip to content

feat(core): Deprecate server.CryptoProvider for kas.keyring#1834

Closed
dmihalcik-virtru wants to merge 9 commits intomainfrom
feature/cryptwo
Closed

feat(core): Deprecate server.CryptoProvider for kas.keyring#1834
dmihalcik-virtru wants to merge 9 commits intomainfrom
feature/cryptwo

Conversation

@dmihalcik-virtru
Copy link
Member

@dmihalcik-virtru dmihalcik-virtru commented Jan 3, 2025
edited
Loading

Proposed Changes

  • Replace access.CryptoProvider with recrypt.Provider, with simplified interface for implementation of 3rd party crypto layers
  • refactors code to use it
  • supports for old config formats, adds more tests around them
  • TK (later): Expose this to service constructor somehow? How can I pass a live object to a packed-in service?

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@dmihalcik-virtru dmihalcik-virtru changed the title feat!(core): Replaces crypto provider with new interface feat(core)!: Replaces crypto provider with new interface Jan 3, 2025
jentfoo
jentfoo previously approved these changes Jan 6, 2025
View reviewed changes
@dmihalcik-virtru dmihalcik-virtru force-pushed the feature/cryptwo branch 3 times, most recently from 23f9d81 to 6f2bb64 Compare January 9, 2025 21:37
@dmihalcik-virtru dmihalcik-virtru changed the title feat(core)!: Replaces crypto provider with new interface feat(core)!: Deprecate server.CryptoProvider for kas.keyring Jan 10, 2025
@dmihalcik-virtru dmihalcik-virtru marked this pull request as ready for review January 10, 2025 17:06
@dmihalcik-virtru dmihalcik-virtru requested review from a team as code owners January 10, 2025 17:06
@dmihalcik-virtru dmihalcik-virtru changed the title feat(core)!: Deprecate server.CryptoProvider for kas.keyring feat(core): Deprecate server.CryptoProvider for kas.keyring Jan 10, 2025
@dmihalcik-virtru
chore(core): Refactor Crypto Providers
99d1990 
- New service crypto package, recrypto, which provides a shared interface for necessary TDF operations, both for ZTDF (Wrap) and Nano (Derive)
- This includes a shift to yet another configuration for the crypto layer. Notably, the keys can now be completely configured in the `services.kas.keyring`, without needing the `server.cryptoprovider` field
@dmihalcik-virtru
WIP support deprecated configuration
177c884
@dmihalcik-virtru
fixes
6809c53
@dmihalcik-virtru
fixes
a0af13f
@dmihalcik-virtru
updgrade fifiixedss
44e1ccb
@dmihalcik-virtru
example and test fixes
7a0da5a
@dmihalcik-virtru
Update configuration.md
42d9649
@dmihalcik-virtru
Update configuration.md
9276d24
@dmihalcik-virtru
rename to simplify
57a5d9b
pflynn-virtru
pflynn-virtru reviewed Jan 15, 2025
View reviewed changes
service/pkg/server/services.go
logger.Debug("updating kas key configuration", slog.String("namespace", ns), slog.Any("legacyConfig", cfg.Server.CryptoConfig2024))
// Upgrade the the kas configuration, if there is a legacy `CryptoProvider` configuration
// present in the otdf server config.
if cfg.Server.CryptoConfig2024 != nil {
Copy link
Member

@pflynn-virtru pflynn-virtru Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cfg.Server.CryptoConfig2024 is this the legacy config renamed. should the new config be named cfg.Server.CryptoConfig2025. I have also seen append _V1
is this versioned in the yaml?

Copy link
Member Author

@dmihalcik-virtru dmihalcik-virtru Jan 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no new config under Server; after this it is moved entirely to the services.kas field.

The type names are not exposed in the YAML config file, and the names of the fields can/will be overridden with tags (e.g. mapstructure:"config2025") as needed. The config struct types and their fields need to be exported (capitalized) for use with the mapstructure library, but we have as of yet not treated them as part of the API and subject to standard versioning considerations. However, we may want to do that before marking this whole library as 1.x.

I did a grep through our internal code and was unable to find references to the moved/removed/renamed types

pflynn-virtru
pflynn-virtru previously approved these changes Jan 15, 2025
View reviewed changes
@jakedoublev jakedoublev mentioned this pull request Jan 28, 2025
Open
@dmihalcik-virtru dmihalcik-virtru marked this pull request as draft February 12, 2025 17:27
@github-actions github-actions bot added the Stale label Jun 13, 2025
@policy-bot-opentdf policy-bot-opentdf bot dismissed pflynn-virtru’s stale review June 13, 2025 00:17

Invalidated by push of 57a5d9b

@dmihalcik-virtru
Copy link
Member Author

dmihalcik-virtru commented Sep 3, 2025

We are moving more and more to allowing integrators to customize the configuration, so I don't want to do something so normative and fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pflynn-virtru pflynn-virtru pflynn-virtru left review comments

@jentfoo jentfoo Awaiting requested review from jentfoo

Assignees

No one assigned

Labels

Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dmihalcik-virtru @jentfoo @pflynn-virtru