From e30589bc171716fd58fe027b077e6d228624185d Mon Sep 17 00:00:00 2001 From: Juerg Wullschleger Date: Tue, 1 Oct 2024 02:18:41 -0700 Subject: [PATCH] Refactor hcvault.AEADOption. Instead of letting AEADOption change the vaultAEAD object itself, we define a new aeadParams object and let AEADOption change that. This will let us use AEADOption also with other AEAD implementations in the future. PiperOrigin-RevId: 680924120 Change-Id: I5c8bbdb6bfce869d52becd7e29e3acf0dd3bfd9f --- integration/hcvault/hcvault_aead.go | 31 +++++++++++++++++++---------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/integration/hcvault/hcvault_aead.go b/integration/hcvault/hcvault_aead.go index 3a95169..94a7346 100644 --- a/integration/hcvault/hcvault_aead.go +++ b/integration/hcvault/hcvault_aead.go @@ -41,12 +41,16 @@ const ( legacyAssociatedDataName = "context" ) +type aeadParams struct { + associatedDataName string +} + // AEADOption is an interface for defining options that are passed to [NewAEAD]. -type AEADOption interface{ set(*vaultAEAD) error } +type AEADOption interface{ set(*aeadParams) error } -type option func(*vaultAEAD) error +type option func(*aeadParams) error -func (o option) set(a *vaultAEAD) error { return o(a) } +func (o option) set(a *aeadParams) error { return o(a) } // WithLegacyContextParamater lets the remote AEAD populate the "context" parameter // in encrypt and decrypt requests instead of the "associated_data". @@ -61,14 +65,16 @@ func (o option) set(a *vaultAEAD) error { return o(a) } // parameter is required to be non-empty. // // Therefore: +// // - for keys with "derived=false", you should only use empty associated data. +// // - for keys with "derived=true", you should only use non-empty associated data. // // With Tink's "KMS envelope AEAD", always use a key with "derived=false". // // For reference, see https://developer.hashicorp.com/vault/api-docs/secret/transit. func WithLegacyContextParamater() AEADOption { - return option(func(a *vaultAEAD) error { + return option(func(a *aeadParams) error { a.associatedDataName = legacyAssociatedDataName return nil }) @@ -76,6 +82,15 @@ func WithLegacyContextParamater() AEADOption { // NewAEAD returns a new remote AEAD primitive for a HashiCorp Vault service. func NewAEAD(keyPath string, client *api.Logical, opts ...AEADOption) (tink.AEAD, error) { + params := &aeadParams{ + associatedDataName: defaultAssociatedDataName, + } + // Process options, if any. + for _, opt := range opts { + if err := opt.set(params); err != nil { + return nil, fmt.Errorf("failed setting option: %v", err) + } + } encKeyPath, decKeyPath, err := getEndpointPaths(keyPath) if err != nil { return nil, err @@ -84,13 +99,7 @@ func NewAEAD(keyPath string, client *api.Logical, opts ...AEADOption) (tink.AEAD encKeyPath: encKeyPath, decKeyPath: decKeyPath, client: client, - associatedDataName: defaultAssociatedDataName, - } - // Process options, if any. - for _, opt := range opts { - if err := opt.set(a); err != nil { - return nil, fmt.Errorf("failed setting option: %v", err) - } + associatedDataName: params.associatedDataName, } return a, nil }