fixing cache for recording encryption

Author: eriktate

lib/auth/init.go

@@ -91,6 +91,7 @@ type RecordingEncryptionManager interface {
 	services.RecordingEncryption
 	recordingencryption.Resolver
 	recordingencryption.DecryptionKeyFinder
+	SetCache(recordingencryption.Cache)
 }
 
 // InitConfig is auth server init config

lib/auth/recordingencryption/manager.go

@@ -44,40 +44,53 @@ type EncryptionKeyStore interface {
 	GetDecrypter(ctx context.Context, keyPair *types.EncryptionKeyPair) (crypto.Decrypter, error)
 }
 
+type Cache interface {
+	GetRecordingEncryption(context.Context) (*recordingencryptionv1.RecordingEncryption, error)
+}
+
 // ManagerConfig captures all of the dependencies required to instantiate a Manager.
 type ManagerConfig struct {
+	Cache    Cache
 	Backend  services.RecordingEncryption
 	KeyStore EncryptionKeyStore
 	Logger   *slog.Logger
 }
 
 // NewManager returns a new Manager using the given ManagerConfig.
 func NewManager(cfg ManagerConfig) (*Manager, error) {
-	if cfg.Logger == nil {
-		cfg.Logger = slog.Default()
-	}
-
-	if cfg.Backend == nil {
+	switch {
+	case cfg.Backend == nil:
 		return nil, trace.BadParameter("backend is required")
+	case cfg.KeyStore == nil:
+		return nil, trace.BadParameter("key store is required")
+	case cfg.Cache == nil:
+		return nil, trace.BadParameter("cache is required")
 	}
 
-	if cfg.KeyStore == nil {
-		return nil, trace.BadParameter("key store is required")
+	if cfg.Logger == nil {
+		cfg.Logger = slog.Default()
 	}
 
 	return &Manager{
 		RecordingEncryption: cfg.Backend,
+		cache:               cfg.Cache,
 		keyStore:            cfg.KeyStore,
 		logger:              cfg.Logger,
 	}, nil
 }
 
+// SetCache allows for overwriting the configured cache used by Manager.
+func (m *Manager) SetCache(cache Cache) {
+	m.cache = cache
+}
+
 // A Manager wraps a services.RecordingEncryption and EncryptionKeyStore in order to provide more complex operations
 // than the CRUD methods exposed by services.RecordingEncryption. It primarily handles resolving RecordingEncryption
 // state and searching for accessible decryption keys.
 type Manager struct {
 	services.RecordingEncryption
 
+	cache    Cache
 	logger   *slog.Logger
 	keyStore EncryptionKeyStore
 	uploader events.MultipartUploader
@@ -281,7 +294,7 @@ func (m *Manager) searchActiveKeys(ctx context.Context, activeKeys []*recordinge
 // FindDecryptionKey returns the first accessible decryption key that matches one of the given public keys.
 func (m *Manager) FindDecryptionKey(publicKeys ...[]byte) (*types.EncryptionKeyPair, error) {
 	ctx := context.Background()
-	encryption, err := m.GetRecordingEncryption(ctx)
+	encryption, err := m.cache.GetRecordingEncryption(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/cache/cache.go

@@ -205,7 +205,7 @@ func ForAuth(cfg Config) Config {
 		{Kind: types.KindGitServer},
 		{Kind: types.KindWorkloadIdentity},
 		{Kind: types.KindHealthCheckConfig},
-		// {Kind: types.KindRecordingEncryption},
+		{Kind: types.KindRecordingEncryption},
 	}
 	cfg.QueueSize = defaults.AuthQueueSize
 	// We don't want to enable partial health for auth cache because auth uses an event stream

lib/cache/collections.go

@@ -723,14 +723,14 @@ func setupCollections(c Config) (*collections, error) {
 
 			out.secReportsStates = collect
 			out.byKind[resourceKind] = out.secReportsStates
-		// case types.KindRecordingEncryption:
-		// 	collect, err := newRecordingEncryptionCollection(c.RecordingEncryption, watch)
-		// 	if err != nil {
-		// 		return nil, trace.Wrap(err)
-		// 	}
-
-		// 	out.recordingEncryption = collect
-		// 	out.byKind[resourceKind] = out.recordingEncryption
+		case types.KindRecordingEncryption:
+			collect, err := newRecordingEncryptionCollection(c.RecordingEncryption, watch)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			out.recordingEncryption = collect
+			out.byKind[resourceKind] = out.recordingEncryption
 		default:
 			if _, ok := out.byKind[resourceKind]; !ok {
 				return nil, trace.BadParameter("resource %q is not supported", watch.Kind)

lib/service/service.go

@@ -2109,6 +2109,7 @@ func (process *TeleportProcess) initAuthService() error {
 
 	recordingEncryptionManager, err := recordingencryption.NewManager(recordingencryption.ManagerConfig{
 		Backend:  localRecordingEncryption,
+		Cache:    localRecordingEncryption,
 		KeyStore: keyStore,
 		Logger:   logger,
 	})
@@ -2298,6 +2299,7 @@ func (process *TeleportProcess) initAuthService() error {
 				return trace.Wrap(err)
 			}
 			as.Cache = cache
+			as.RecordingEncryptionManager.SetCache(cache)
 
 			return nil
 		})
@@ -2658,7 +2660,7 @@ func (process *TeleportProcess) initAuthService() error {
 	})
 
 	recordingEncryptionWatchCfg := recordingencryption.WatchConfig{
-		Events:        authServer.Events,
+		Events:        authServer,
 		Resolver:      authServer,
 		ClusterConfig: authServer,
 		LockConfig: &backend.RunWhileLockedConfig{
@@ -2784,6 +2786,7 @@ func (process *TeleportProcess) newAccessCacheForServices(cfg accesspoint.Config
 	cfg.PluginStaticCredentials = services.PluginStaticCredentials
 	cfg.GitServers = services.GitServers
 	cfg.HealthCheckConfig = services.HealthCheckConfig
+	cfg.RecordingEncryption = services.RecordingEncryptionManager
 
 	return accesspoint.NewCache(cfg)
 }