From 233ed578e3531d2cdd345679962298f938c0f882 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Wed, 8 Oct 2025 09:53:52 -0400
Subject: [PATCH 1/4] chore(core): Log names of registered trust.mgrs

This assists with debugging misspelled or forgotten mgrs
---
 service/kas/kas.go                      | 7 ++++++-
 service/trust/delegating_key_service.go | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/service/kas/kas.go b/service/kas/kas.go
index 8989d6bbce..95ffdc3876 100644
--- a/service/kas/kas.go
+++ b/service/kas/kas.go
@@ -61,6 +61,8 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 		}
 	}
+	var kmgrNames []string
+
 	if kasCfg.Preview.KeyManagement {
 		srp.Logger.Info("preview feature: key management is enabled")
@@ -75,10 +77,10 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 		p.KeyDelegator = trust.NewDelegatingKeyService(NewPlatformKeyIndexer(srp.SDK, kasURL.String(), srp.Logger), srp.Logger, cacheClient)
 		for _, manager := range srp.KeyManagerFactories {
 			p.KeyDelegator.RegisterKeyManager(manager.Name, manager.Factory)
+			kmgrNames = append(kmgrNames, manager.Name)
 		}
 		// Register Basic Key Manager
-
 		p.KeyDelegator.RegisterKeyManager(security.BasicManagerName, func(opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 			bm, err := security.NewBasicManager(opts.Logger, opts.Cache, kasCfg.RootKey)
 			if err != nil {
@@ -86,6 +88,7 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 			}
 			return bm, nil
 		})
+		kmgrNames = append(kmgrNames, security.BasicManagerName)
 		// Explicitly set the default manager for session key generation.
 		// This should be configurable, e.g., defaulting to BasicManager or an HSM if available.
 		p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager
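Review bot: `kmgrNames` is bookkeeping maintained by hand next to every `RegisterKeyManager` call (the loop over `srp.KeyManagerFactories` and the `security.BasicManagerName` registration in this hunk), so it records what was passed in, not what the delegator ended up holding; if two factories share a name, the log would list it twice while `RegisterKeyManager` presumably keeps one (its duplicate handling is not visible here). The `delegating_key_service.go` hunk in this same patch already derives the live list with `slices.Collect(maps.Keys(d.managerFactories))`; exposing that as a method on `DelegatingKeyService` and logging its result after registration is complete would let the log reflect the real registry and drop the parallel slice. The enclosing `NewRegistration` body starts and ends outside these hunks.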
@@ -102,7 +105,9 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 		})
 		// Set default for non-key-management mode
 		p.KeyDelegator.SetDefaultMode(inProcessService.Name())
+		kmgrNames = append(kmgrNames, inProcessService.Name())
 	}
+	srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrNames))
 	p.SDK = srp.SDK
 	p.Logger = srp.Logger
diff --git a/service/trust/delegating_key_service.go b/service/trust/delegating_key_service.go
index dadee744ea..781c2d3ca9 100644
--- a/service/trust/delegating_key_service.go
+++ b/service/trust/delegating_key_service.go
@@ -6,6 +6,8 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"maps"
+	"slices"
 	"sync"
 	"github.com/opentdf/platform/lib/ocrypto"
@@ -198,6 +200,7 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) (
 	factory, factoryExists := d.managerFactories[name]
 	// Read defaultMode under lock for comparison.
 	currentDefaultMode := d.defaultMode
+	allNames := slices.Collect(maps.Keys(d.managerFactories))
 	d.mutex.Unlock()
 	if factoryExists {
@@ -221,6 +224,7 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) (
 	// If 'name' was the defaultMode, _defKM will error if its factory is also missing.
 	// If 'name' was not the defaultMode, we fall back to the default manager.
 	d.l.Debug("key manager factory not found for name, attempting to use/load default",
+		slog.Any("key_managers", allNames),
 		slog.String("requested_name", name),
 		slog.String("configured_default_mode", currentDefaultMode),
 	)
From 983b2bcc4ba2d506f65262a12ca050a8fd3bc1ee Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Wed, 15 Oct 2025 12:07:58 -0400
Subject: [PATCH 2/4] Update key_management.go

---
 service/policy/keymanagement/key_management.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/service/policy/keymanagement/key_management.go b/service/policy/keymanagement/key_management.go
index d9b6afd915..11cfc220dd 100644
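Review bot: `allNames` in the `@@ -198` hunk is collected from map keys, so its order changes from one `getKeyManager` call to the next and the "key_managers" field in the debug line below will not be stable across log entries, which makes grepping or diffing two failures harder than it needs to be. Since the file already relies on the Go 1.23 iterator helpers, `allNames := slices.Sorted(maps.Keys(d.managerFactories))` gives a deterministic list at no extra cost. Note that this list is built under the mutex on every lookup even though it is only read on the not-found path; that is cheap for a handful of managers but worth a one-line comment saying so. `getKeyManager` starts and ends outside these hunks.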
--- a/service/policy/keymanagement/key_management.go
+++ b/service/policy/keymanagement/key_management.go
@@ -112,6 +112,7 @@ func (ksvc Service) CreateProviderConfig(ctx context.Context, req *connect.Reque
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("manager field is required"))
 	}
 	if !ksvc.isManagerRegistered(manager) {
+		ksvc.logger.InfoContext(ctx, "unregistered manager type", slog.String("manager", manager), slog.Any("registered_managers", ksvc.listManagerNames()))
 		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("manager type '%s' is not registered", manager))
 	}
@@ -278,3 +279,11 @@ func (ksvc *Service) isManagerRegistered(managerName string) bool {
 	}
 	return false
 }
+
+func (ksvc Service) listManagerNames() []string {
+	names := make([]string, 0, len(ksvc.keyManagerFactories))
+	for _, factory := range ksvc.keyManagerFactories {
+		names = append(names, factory.Name)
+	}
+	return names
+}
From 134b2e241309251910d6e76821ca84b404d4cdb8 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Wed, 15 Oct 2025 12:54:00 -0400
Subject: [PATCH 3/4] don't restrict provider manager names

---
 service/policy/keymanagement/key_management.go | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/service/policy/keymanagement/key_management.go b/service/policy/keymanagement/key_management.go
index 11cfc220dd..39c43bb24a 100644
--- a/service/policy/keymanagement/key_management.go
+++ b/service/policy/keymanagement/key_management.go
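Review bot: The new `listManagerNames` helper in the `@@ -278` hunk takes a value receiver while its sibling `isManagerRegistered`, visible in that hunk's header, takes a pointer receiver; the file evidently mixes both already (`CreateProviderConfig` is on a value), but a pair of helpers that read the same `keyManagerFactories` field should at least agree with each other, so `func (ksvc *Service) listManagerNames() []string {` would match its neighbour. The helper also lacks a doc comment; something like `// listManagerNames returns the Name of every registered key manager factory, in registration order, for diagnostics.` says what callers can rely on. Both points are style only; the helper's behaviour is fine.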
@@ -112,8 +112,7 @@ func (ksvc Service) CreateProviderConfig(ctx context.Context, req *connect.Reque
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("manager field is required"))
 	}
 	if !ksvc.isManagerRegistered(manager) {
-		ksvc.logger.InfoContext(ctx, "unregistered manager type", slog.String("manager", manager), slog.Any("registered_managers", ksvc.listManagerNames()))
-		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("manager type '%s' is not registered", manager))
+		ksvc.logger.WarnContext(ctx, "create provider: manager type is not registered", slog.String("manager", manager), slog.Any("registered_managers", ksvc.listManagerNames()))
 	}
 	auditParams := audit.PolicyEventParams{
@@ -187,10 +186,8 @@ func (ksvc Service) UpdateProviderConfig(ctx context.Context, req *connect.Reque
 	// Validate manager type if provided
 	manager := req.Msg.GetManager()
-	if manager != "" {
-		if !ksvc.isManagerRegistered(manager) {
-			return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("manager type '%s' is not registered", manager))
-		}
+	if manager != "" && !ksvc.isManagerRegistered(manager) {
+		ksvc.logger.WarnContext(ctx, "update provider: manager type is not registered", slog.String("manager", manager))
 	}
 	auditParams := audit.PolicyEventParams{
From f17cfcb87591999cfdc57139f5cad639b0ed4eea Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Wed, 15 Oct 2025 13:06:46 -0400
Subject: [PATCH 4/4] Update key_management.go

---
 service/policy/keymanagement/key_management.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/service/policy/keymanagement/key_management.go b/service/policy/keymanagement/key_management.go
index 39c43bb24a..7a9ca5ff2c 100644
--- a/service/policy/keymanagement/key_management.go
+++ b/service/policy/keymanagement/key_management.go
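Review bot: Dropping the `CodeInvalidArgument` return in the `@@ -112` hunk means a provider config whose `manager` matches nothing this process registered is now persisted, and the only trace is a Warn log line that nobody calling the API sees. The `delegating_key_service.go` hunk in PATCH 1 states that a name with no factory falls back to the default manager, so if the stored manager name is what KAS later passes to `getKeyManager` (inferred, not visible here) a typo such as `hms` would quietly route that provider's keys through `BasicManagerName` rather than the intended backend, with no error at create time or at use time. If unrestricted names are intended because managers may be registered by a different process, the commit message should say so and this branch deserves a comment making the trade-off explicit, e.g. `// Unknown manager names are accepted on purpose: factories may be registered elsewhere. KAS falls back to its default manager for names it cannot resolve.`; otherwise the hard failure should stay. `CreateProviderConfig` continues outside the hunk.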
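Review bot: The update path in the `@@ -187` hunk now warns without the `registered_managers` attribute that the create path two hunks up includes, so the one log line an operator has when an update names a wrong manager does not tell them what the valid names were, which is the whole purpose this series gives for the logging. Match the create branch: `ksvc.logger.WarnContext(ctx, "update provider: manager type is not registered", slog.String("manager", manager), slog.Any("registered_managers", ksvc.listManagerNames()))`. The collapsed `if manager != "" && ...` condition is otherwise equivalent to the nested form it replaces. `UpdateProviderConfig` starts and ends outside the hunk.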
@@ -112,7 +112,9 @@ func (ksvc Service) CreateProviderConfig(ctx context.Context, req *connect.Reque
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("manager field is required"))
 	}
 	if !ksvc.isManagerRegistered(manager) {
-		ksvc.logger.WarnContext(ctx, "create provider: manager type is not registered", slog.String("manager", manager), slog.Any("registered_managers", ksvc.listManagerNames()))
+		ksvc.logger.WarnContext(ctx, "create provider: manager type is not registered",
+			slog.String("manager", manager),
+			slog.Any("registered_managers", ksvc.listManagerNames()))
 	}
 	auditParams := audit.PolicyEventParams{