chore: refactor API in package cipher for easier dependency injection (…

…#4103)
ory · Sep 16, 2024 · 9aefc0a · 9aefc0a
1 parent 198e79b
commit 9aefc0a
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 43 deletions.
diff --git a/cipher/aes.go b/cipher/aes.go
@@ -12,19 +12,13 @@ import (
 	"github.com/ory/herodot"
 
 	"github.com/pkg/errors"
-
-	"github.com/ory/kratos/driver/config"
 )
 
 type AES struct {
-	c AESConfiguration
-}
-
-type AESConfiguration interface {
-	config.Provider
+	c SecretsProvider
 }
 
-func NewCryptAES(c AESConfiguration) *AES {
+func NewCryptAES(c SecretsProvider) *AES {
 	return &AES{c: c}
 }
 
@@ -36,11 +30,11 @@ func (a *AES) Encrypt(ctx context.Context, message []byte) (string, error) {
 		return "", nil
 	}
 
-	if len(a.c.Config().SecretsCipher(ctx)) == 0 {
+	if len(a.c.SecretsCipher(ctx)) == 0 {
 		return "", errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to encrypt message because no cipher secrets were configured."))
 	}
 
-	ciphertext, err := cryptopasta.Encrypt(message, &a.c.Config().SecretsCipher(ctx)[0])
+	ciphertext, err := cryptopasta.Encrypt(message, &a.c.SecretsCipher(ctx)[0])
 	return hex.EncodeToString(ciphertext), errors.WithStack(err)
 }
 
@@ -52,7 +46,7 @@ func (a *AES) Decrypt(ctx context.Context, ciphertext string) ([]byte, error) {
 		return nil, nil
 	}
 
-	secrets := a.c.Config().SecretsCipher(ctx)
+	secrets := a.c.SecretsCipher(ctx)
 	if len(secrets) == 0 {
 		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to decipher the encrypted message because no AES secrets were configured."))
 	}

diff --git a/cipher/chacha20.go b/cipher/chacha20.go
@@ -14,18 +14,13 @@ import (
 	"golang.org/x/crypto/chacha20poly1305"
 
 	"github.com/ory/herodot"
-	"github.com/ory/kratos/driver/config"
 )
 
-type ChaCha20Configuration interface {
-	config.Provider
-}
-
 type XChaCha20Poly1305 struct {
-	c ChaCha20Configuration
+	c SecretsProvider
 }
 
-func NewCryptChaCha20(c ChaCha20Configuration) *XChaCha20Poly1305 {
+func NewCryptChaCha20(c SecretsProvider) *XChaCha20Poly1305 {
 	return &XChaCha20Poly1305{c: c}
 }
 
@@ -35,11 +30,11 @@ func (c *XChaCha20Poly1305) Encrypt(ctx context.Context, message []byte) (string
 		return "", nil
 	}
 
-	if len(c.c.Config().SecretsCipher(ctx)) == 0 {
+	if len(c.c.SecretsCipher(ctx)) == 0 {
 		return "", errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to encrypt message because no cipher secrets were configured."))
 	}
 
-	aead, err := chacha20poly1305.NewX(c.c.Config().SecretsCipher(ctx)[0][:])
+	aead, err := chacha20poly1305.NewX(c.c.SecretsCipher(ctx)[0][:])
 	if err != nil {
 		return "", herodot.ErrInternalServerError.WithWrap(err).WithReason("Unable to generate key")
 	}
@@ -65,7 +60,7 @@ func (c *XChaCha20Poly1305) Decrypt(ctx context.Context, ciphertext string) ([]b
 		return nil, nil
 	}
 
-	secrets := c.c.Config().SecretsCipher(ctx)
+	secrets := c.c.SecretsCipher(ctx)
 	if len(secrets) == 0 {
 		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to decipher the encrypted message because no cipher secrets were configured."))
 	}

diff --git a/cipher/cipher.go b/cipher/cipher.go
@@ -23,3 +23,7 @@ type Cipher interface {
 type Provider interface {
 	Cipher(ctx context.Context) Cipher
 }
+
+type SecretsProvider interface {
+	SecretsCipher(ctx context.Context) [][32]byte
+}
diff --git a/cipher/cipher_test.go b/cipher/cipher_test.go
@@ -29,8 +29,8 @@ func TestCipher(t *testing.T) {
 	_, reg := internal.NewFastRegistryWithMocks(t, configx.WithValue(config.ViperKeySecretsDefault, goodSecret))
 
 	ciphers := []cipher.Cipher{
-		cipher.NewCryptAES(reg),
-		cipher.NewCryptChaCha20(reg),
+		cipher.NewCryptAES(reg.Config()),
+		cipher.NewCryptChaCha20(reg.Config()),
 	}
 
 	for _, c := range ciphers {
@@ -78,7 +78,7 @@ func TestCipher(t *testing.T) {
 		})
 	}
 
-	c := cipher.NewNoop(reg)
+	c := cipher.NewNoop()
 	t.Run(fmt.Sprintf("cipher=%T", c), func(t *testing.T) {
 		t.Parallel()
 		testAllWork(ctx, t, c)

diff --git a/cipher/noop.go b/cipher/noop.go
@@ -6,30 +6,21 @@ package cipher
 import (
 	"context"
 	"encoding/hex"
-
-	"github.com/ory/kratos/driver/config"
 )
 
 // Noop is default cipher implementation witch does not do encryption
+type Noop struct{}
 
-type NoopConfiguration interface {
-	config.Provider
-}
-
-type Noop struct {
-	c NoopConfiguration
-}
-
-func NewNoop(c NoopConfiguration) *Noop {
-	return &Noop{c: c}
+func NewNoop() *Noop {
+	return &Noop{}
 }
 
 // Encrypt encode message to hex
-func (c *Noop) Encrypt(_ context.Context, message []byte) (string, error) {
+func (*Noop) Encrypt(_ context.Context, message []byte) (string, error) {
 	return hex.EncodeToString(message), nil
 }
 
 // Decrypt decode the hex message
-func (c *Noop) Decrypt(_ context.Context, ciphertext string) ([]byte, error) {
+func (*Noop) Decrypt(_ context.Context, ciphertext string) ([]byte, error) {
 	return hex.DecodeString(ciphertext)
 }
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -859,6 +859,10 @@ func (p *Config) SecretsSession(ctx context.Context) [][]byte {
 
 func (p *Config) SecretsCipher(ctx context.Context) [][32]byte {
 	secrets := p.GetProvider(ctx).Strings(ViperKeySecretsCipher)
+	return ToCipherSecrets(secrets)
+}
+
+func ToCipherSecrets(secrets []string) [][32]byte {
 	var cleanSecrets []string
 	for k := range secrets {
 		if len(secrets[k]) == 32 {
@@ -1615,7 +1619,6 @@ func (p *Config) DefaultConsistencyLevel(ctx context.Context) crdbx.ConsistencyL
 }
 
 func (p *Config) PasswordMigrationHook(ctx context.Context) *PasswordMigrationHook {
-
 	hook := &PasswordMigrationHook{
 		Enabled: p.GetProvider(ctx).BoolF(ViperKeyPasswordMigrationHook+".enabled", false),
 	}

diff --git a/driver/registry_default.go b/driver/registry_default.go
@@ -479,11 +479,11 @@ func (m *RegistryDefault) Cipher(ctx context.Context) cipher.Cipher {
 	if m.crypter == nil {
 		switch m.c.CipherAlgorithm(ctx) {
 		case "xchacha20-poly1305":
-			m.crypter = cipher.NewCryptChaCha20(m)
+			m.crypter = cipher.NewCryptChaCha20(m.Config())
 		case "aes":
-			m.crypter = cipher.NewCryptAES(m)
+			m.crypter = cipher.NewCryptAES(m.Config())
 		default:
-			m.crypter = cipher.NewNoop(m)
+			m.crypter = cipher.NewNoop()
 			m.l.Logger.Warning("No encryption configuration found. The default algorithm (noop) will be used, resulting in sensitive data being stored in plaintext")
 		}
 	}

diff --git a/identity/identity_test.go b/identity/identity_test.go
@@ -314,7 +314,7 @@ func TestVerifiableAddresses(t *testing.T) {
 type cipherProvider struct{}
 
 func (c *cipherProvider) Cipher(ctx context.Context) cipher.Cipher {
-	return cipher.NewNoop(nil)
+	return cipher.NewNoop()
 }
 
 func TestWithDeclassifiedCredentials(t *testing.T) {