From 9eca35359f28af847f48b4445dd8c79d93ff9cf2 Mon Sep 17 00:00:00 2001
From: "opentdf-automation[bot]" <149537512+opentdf-automation[bot]@users.noreply.github.com>
Date: Thu, 30 Oct 2025 20:17:21 +0000
Subject: [PATCH] fix(core): Let default basic keymanager work again (#2858)

### Proposed Changes
The recent change to us the ProviderConfig accidentally makes that field required for all keys already loaded from the policy db. Since most (all) existing keys won't have this set, and any keys imported via the command line tool's import don't have it set, we should keep the old behavior
### Checklist
- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation
### Testing Instructions
(cherry picked from commit fb0b99dc6b4fd0cc5c243de474a683672df77b78)
---
 service/trust/delegating_key_service.go | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/service/trust/delegating_key_service.go b/service/trust/delegating_key_service.go
index bc6ea4ccb0..7eada4cd81 100644
--- a/service/trust/delegating_key_service.go
+++ b/service/trust/delegating_key_service.go
@@ -119,9 +119,6 @@ func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier,
 }

 pcfg := keyDetails.ProviderConfig()
- if pcfg == nil {
- return nil, fmt.Errorf("decrypt: key details for key ID '%s' returned nil ProviderConfig", keyID)
- }
 manager, err := d.getKeyManager(ctx, pcfg)
 if err != nil {
 return nil, fmt.Errorf("decrypt: unable to get key manager [%s#%s]: %w", pcfg.GetManager(), pcfg.GetName(), err)
@@ -137,9 +134,6 @@ func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifie
 }

 pcfg := keyDetails.ProviderConfig()
- if pcfg == nil {
- return nil, fmt.Errorf("derive: key details for key ID '%s' returned nil ProviderConfig", keyID)
- }
 manager, err := d.getKeyManager(ctx, pcfg)
 if err != nil {
 return nil, fmt.Errorf("derive: unable to get key manager [%s#%s]: %w", pcfg.GetManager(), pcfg.GetName(), err)
@@ -212,9 +206,11 @@ func (d *DelegatingKeyService) _defKM(ctx context.Context) (KeyManager, error) {
 }

 func (d *DelegatingKeyService) getKeyManager(ctx context.Context, cfg *policy.KeyProviderConfig) (KeyManager, error) {
- d.mutex.Lock()
+ if cfg == nil {
+ return d._defKM(ctx)
+ }

- // Check For Manager First
+ d.mutex.Lock()
 designation := keyManagerDesignation{
 Manager: cfg.GetManager(),
 Name: cfg.GetName(),
@@ -223,11 +219,7 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, cfg *policy.Ke
 d.mutex.Unlock()
 return manager.KeyManager, nil
 }
-
- // Check Factory
 factory, factoryExists := d.managerFactories[designation.Manager]
- // Read defaultMode under lock for comparison.
- currentDefaultMode := d.defaultMode
 allManagers := slices.Collect(maps.Keys(d.managerFactories))
 d.mutex.Unlock()

@@ -258,7 +250,6 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, cfg *policy.Ke
 d.l.Debug("key manager factory not found for name, attempting to use/load default",
 slog.Any("key_managers", allManagers),
 slog.Any("requested_name", designation),
- slog.Any("configured_default_mode", currentDefaultMode),
 )
 return d._defKM(ctx) // _defKM handles erroring if the default manager itself cannot be loaded.
 }
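Review bot: The new `if cfg == nil` branch at the top of getKeyManager hands back the default manager with no log record, whereas the factory-not-found fallback later in the same function emits a `d.l.Debug` line before calling `_defKM`. For a key service it helps to be able to tell from logs which keys were served by the default manager because their record carried no ProviderConfig, so I would add `d.l.Debug("key has no provider config, using default key manager")` before the return, plus a doc comment on getKeyManager stating that a nil cfg selects the default. The callers in the Decrypt and DeriveKey hunks still format `pcfg.GetManager()` and `pcfg.GetName()` in their error path; with a nil pcfg that presumably prints `[#]` (assuming the generated getters are nil-safe), so including keyID in those messages would keep them useful. The PR checklist shows no unit test, and a test that passes a nil ProviderConfig through Decrypt would pin this behaviour. getKeyManager's body continues outside this hunk.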