feat(core): New Key Index and Manager Plugin SPI #2095
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Standard Benchmark Skipped or FailedBulk Benchmark Results
Error Summary
|
dmihalcik-virtru
force-pushed
the
DSPX-494-key-provider-framework
branch
from
3564c73 to
d6e1613
Compare
Standard Benchmark Skipped or FailedBulk Benchmark Results
Error Summary
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
Error Summary
|
dmihalcik-virtru
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR introduces new key and security provider functionality that integrates a new SecurityProvider interface while maintaining backward compatibility with the legacy CryptoProvider. Key changes include switching decryption and key export functions to use the new SecurityProvider adapter, updating tracing calls to p.Start(ctx, …), and modifying various methods to handle salted key operations.
Reviewed Changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| service/kas/kas.go | Added SecurityProvider initialization alongside legacy CryptoProvider. |
| service/kas/access/rewrap.go | Migrated decryption and policy binding verification to use SecurityProvider. |
| service/kas/access/publicKey.go | Updated key lookup and export to use the new SecurityProvider. |
| service/kas/access/provider.go | Introduced SecurityProvider field and accessor methods for backward compatibility. |
| service/internal/security/* | Added new functions for salted decryption and key derivation. |
| sdk/* and lib/ocrypto/* | Updated tests and encryption/decryption calls to use the new salted APIs. |
Comments suppressed due to low confidence (2)
service/kas/access/provider.go:25
- [nitpick] Consider renaming the deprecated GetCryptoProvider() method to GetLegacyCryptoProvider() so that the distinction between the new SecurityProvider and legacy CryptoProvider is clearer.
SecurityProvider security.KeyManager
service/kas/access/rewrap.go:516
- [nitpick] Ensure that converting the key identifier using security.KeyIdentifier is consistently applied across the codebase and that GetKid() reliably returns a valid identifier string.
kid := security.KeyIdentifier(kao.GetKeyAccessObject().GetKid())
Standard Benchmark Skipped or FailedBulk Benchmark Results
Error Summary
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
Error Summary
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
dmihalcik-virtru
force-pushed
the
DSPX-494-key-provider-framework
branch
from
00bc170 to
b5735fe
Compare
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
c-r33d
reviewed
Apr 25, 2025
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Introduces SecurityProvider and KeyLookup interfaces
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
i'm still used to reentrant locks
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
c-r33d
reviewed
May 2, 2025
c-r33d
reviewed
May 2, 2025
c-r33d
previously approved these changes
May 2, 2025
There was a problem hiding this comment.
Pull Request Overview
This PR introduces novel key and security provider capabilities by adding new interfaces (Encapsulator, ProtectedKey, KeyManager, etc.) and updating service logic to support trust‐based key management. Key changes include:
- Implementing new trust package interfaces and updating key management abstractions.
- Refactoring server startup and KAS provider logic to conditionally use the trust key index/manager over the legacy crypto provider.
- Updating tests and provider adapter layers to align with the new key management semantics.
Reviewed Changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| service/trust/key_manager.go | Introduced new trust interfaces for key encryption and decryption. |
| service/trust/key_index.go | Added types and methods for key identification and export. |
| service/trust/delegating_key_service.go | Implemented delegation logic for key managers with caching. |
| service/pkg/server/start.go | Updated server startup to enforce exclusive use of trust provider. |
| service/kas/* | Refactored key decryption and public key export to use trust APIs. |
| service/internal/security/* | Updated crypto provider adapters to wrap legacy implementations. |
Files not reviewed (1)
- service/go.mod: Language not supported
Comments suppressed due to low confidence (1)
service/trust/delegating_key_service.go:67
- [nitpick] The method name '_defKM' uses an unconventional underscore prefix. Consider renaming it to 'getDefaultKeyManager' for improved clarity.
func (d *DelegatingKeyService) _defKM() (KeyManager, error) {
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
dmihalcik-virtru
changed the title
strantalis
approved these changes
May 5, 2025
jakedoublev
pushed a commit
that referenced
this pull request
May 6, 2025
### Proposed Changes * Adds service/trust package, which includes an abstraction or core key lookup (`KeyIndex`) and runtime cryptographic operations (`KeyManager`). * Adds functional options for starting a platform service with custom providers of these services. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 22, 2025
🤖 I have created a release *beep* *boop* --- ## [0.5.3](service/v0.5.2...service/v0.5.3) (2025-05-22) ### Features * **authz:** authz v2 versioning implementation ([#2173](#2173)) ([557fc21](557fc21)) * **authz:** authz v2, ers v2 protos and gencode for ABAC with actions & registered resource ([#2124](#2124)) ([ea7992a](ea7992a)) * **authz:** export entity id prefix constant from entity instead of authorization service v1 ([#2261](#2261)) ([94079a9](94079a9)) * **authz:** subject mapping plugin support for ABAC with actions ([#2223](#2223)) ([d08b939](d08b939)) * bulk keycloak provisioning ([#2205](#2205)) ([59e4485](59e4485)) * **core:** add otel to opentdf services ([#1858](#1858)) ([53a7aa0](53a7aa0)) * **core:** Adds EC withSalt options ([#2126](#2126)) ([67b6fb8](67b6fb8)) * **core:** enhance db configuration options ([#2285](#2285)) ([ed9ff59](ed9ff59)) * **core:** New Key Index and Manager Plugin SPI ([#2095](#2095)) ([eb446fc](eb446fc)) * **core:** support onConfigUpdate hook when registering services ([#1992](#1992)) ([366d4dc](366d4dc)) * **core:** v2 ERS with proto updates ([#2210](#2210)) ([a161ef8](a161ef8)) * **policy:** actions crud service endpoints and proto validation ([#2037](#2037)) ([e933fa9](e933fa9)) * **policy:** actions service RPCs should actually hit storage layer CRUD ([#2063](#2063)) ([da4faf5](da4faf5)) * **policy:** add enhanced standard/custom actions protos ([#2020](#2020)) ([bbac53f](bbac53f)) * **policy:** Add platform key indexer. ([#2189](#2189)) ([861ef8d](861ef8d)) * **policy:** consume lib/identifier parse function ([#2181](#2181)) ([1cef22b](1cef22b)) * **policy:** DSPX-1018 NDR retrieval by FQN support ([#2131](#2131)) ([0001041](0001041)) * **policy:** DSPX-1057 registered resource action attribute values (DB + Service implementation) ([#2191](#2191)) ([6bf1b2e](6bf1b2e)) * **policy:** DSPX-1057 registered resource action attribute values (protos only) ([#2217](#2217)) ([6375596](6375596)) * **policy:** DSPX-893 NDR define crud protos ([#2056](#2056)) ([55a5c27](55a5c27)) * **policy:** DSPX-898 NDR database schema ([#2055](#2055)) ([2a10a6a](2a10a6a)) * **policy:** DSPX-901 NDR database crud ([#2071](#2071)) ([20e0a5f](20e0a5f)) * **policy:** DSPX-902 NDR service crud implementation (2/2) ([#2066](#2066)) ([030ad33](030ad33)) * **policy:** DSPX-902 NDR service crud protos only (1/2) ([#2092](#2092)) ([24b6cb5](24b6cb5)) * **policy:** Finish resource mapping groups ([#2224](#2224)) ([5ff754e](5ff754e)) * **policy:** GetMatchedSubjectMappings should provide value FQN ([#2151](#2151)) ([ad80044](ad80044)) * **policy:** key management crud ([#2110](#2110)) ([4c3d53d](4c3d53d)) * **policy:** Key management proto ([#2115](#2115)) ([561f853](561f853)) * **policy:** Modify get request to search for keys by kasid with keyid. ([#2147](#2147)) ([780d2e4](780d2e4)) * **policy:** Restrict KAS deletion when tied to Key ([#2144](#2144)) ([4c4ab13](4c4ab13)) * **policy:** Return KAS Key structure ([#2172](#2172)) ([7f97b99](7f97b99)) * **policy:** rotate keys rpc ([#2180](#2180)) ([0d00743](0d00743)) * **policy:** stored enhanced actions database migration, CRUD queries, SM updates ([#2040](#2040)) ([e6b7c79](e6b7c79)) * **sdk:** Add a KAS allowlist ([#2085](#2085)) ([d7cfdf3](d7cfdf3)) * **sdk:** add nanotdf plaintext policy ([#2182](#2182)) ([e5c56db](e5c56db)) * **sdk:** Use ConnectRPC in the go client ([#2200](#2200)) ([fc34ee6](fc34ee6)) ### Bug Fixes * **core:** access pdp cleanup before actions in ABAC decisioning ([#2123](#2123)) ([9b38a3c](9b38a3c)) * **core:** Autobump service ([#2080](#2080)) ([006c724](006c724)) * **core:** Autobump service ([#2104](#2104)) ([1f72cc7](1f72cc7)) * **core:** Autobump service ([#2108](#2108)) ([be5b7d7](be5b7d7)) * **core:** bump to go 1.24 and bump service proto module dependencies ([#2064](#2064)) ([94891a0](94891a0)) * **core:** Fix DPoP with grpc-gateway ([#2044](#2044)) ([4483ef2](4483ef2)) * **core:** fix service go.mod ([#2141](#2141)) ([3b98f6d](3b98f6d)) * **core:** Improves errors when under heavy load ([#2132](#2132)) ([4490a14](4490a14)) * **core:** Let legacy KAOs use new trust plugins ([#2218](#2218)) ([5aa6916](5aa6916)) * **core:** migrate from mitchellh/mapstructure to go-viper/mapstructure ([#2087](#2087)) ([0a3a82e](0a3a82e)) * **core:** update viper to 1.20.1 ([#2088](#2088)) ([09099e9](09099e9)) * **core:** Updates vulnerable dep go/x/net ([#2072](#2072)) ([11c02cd](11c02cd)) * **deps:** bump github.com/creasty/defaults from 1.7.0 to 1.8.0 in /service ([#2242](#2242)) ([86a9b46](86a9b46)) * **deps:** bump github.com/jackc/pgx/v5 from 5.5.5 to 5.7.5 in /service ([#2249](#2249)) ([d8f3b67](d8f3b67)) * **deps:** bump the internal group across 1 directory with 2 updates ([#2296](#2296)) ([7f92c70](7f92c70)) * **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE GO-2025-3563 ([#2061](#2061)) ([9c16843](9c16843)) * handle empty private and public key ctx structs ([#2272](#2272)) ([f3fc647](f3fc647)) * **policy:** remove predefined rules in actions protos ([#2069](#2069)) ([060f059](060f059)) * **policy:** return kas uri on keys for definition, namespace and values ([#2186](#2186)) ([6c55fb8](6c55fb8)) * update key_mode to provide more context ([#2226](#2226)) ([44d0805](44d0805)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
KeyIndex) and runtime cryptographic operations (KeyManager).Checklist
Testing Instructions