authorEric Avdey <eiri@eiri.ca>2020-04-02 14:57:54 -0300
committerEric Avdey <eiri@eiri.ca>2020-04-07 02:37:13 -0300
commit9d121e370e72ffb5f50061d13b8d3f5b851e56d5 (patch)
treef57f38588e5ba57c4cd4c9ea1ba687ff159c3e49
parent2cc8d4ff8b04d4c4f1c295afc96afbc986377f64 (diff)
downloadcouchdb-9d121e370e72ffb5f50061d13b8d3f5b851e56d5.tar.gz
Change interface for plugin's unwrap_kek
If getting a KEK requires a database name, then, depending on the encryption provider, the name could also be necessary for unwrapping it, so pass it to the unwrap function just in case.
-rw-r--r--src/fabric/src/fabric2_encryption.erl8
-rw-r--r--src/fabric/src/fabric2_encryption_plugin.erl10
-rw-r--r--src/fabric/src/fabric2_encryption_provider.erl8
3 files changed, 13 insertions, 13 deletions
diff --git a/src/fabric/src/fabric2_encryption.erl b/src/fabric/src/fabric2_encryption.erl
index b3bd0fd59..ab11cc48f 100644
--- a/src/fabric/src/fabric2_encryption.erl
+++ b/src/fabric/src/fabric2_encryption.erl
@@ -142,7 +142,7 @@ handle_call({encrypt, WrappedKEK, DbName, DocId, DocRev, Value}, From, St) ->
waiters := Waiters
} = St,
- {ok, KEK} = unwrap_kek(Cache, WrappedKEK),
+ {ok, KEK} = unwrap_kek(Cache, DbName, WrappedKEK),
{_Pid, Ref} = erlang:spawn_monitor(?MODULE,
do_encrypt, [KEK, DbName, DocId, DocRev, Value]),
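Review bot: An unwrap failure is not handled on this path: `{ok, KEK} = unwrap_kek(Cache, DbName, WrappedKEK)` is an assertive match, and unwrap_kek/3 (third hunk of this file) in turn matches only `{ok, KEK, WrappedKEK}` from the plugin, whose spec also allows `{error, Error}`. A wrapped key the provider rejects therefore raises badmatch inside handle_call instead of returning an error to the one caller, which presumably takes down the encryption server and its other waiters. Consider letting unwrap_kek/3 pass `{error, _} = Error` through and answering with `{reply, Error, St}` here; the decrypt clause in the next hunk has the same match. Both clause bodies start and end outside their hunks.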
@@ -157,7 +157,7 @@ handle_call({decrypt, WrappedKEK, DbName, DocId, DocRev, Value}, From, St) ->
waiters := Waiters
} = St,
- {ok, KEK} = unwrap_kek(Cache, WrappedKEK),
+ {ok, KEK} = unwrap_kek(Cache, DbName, WrappedKEK),
{_Pid, Ref} = erlang:spawn_monitor(?MODULE,
do_decrypt, [KEK, DbName, DocId, DocRev, Value]),
@@ -258,13 +258,13 @@ get_dek(KEK, DocId, DocRev) when bit_size(KEK) == 256 ->
{ok, DEK}.
-unwrap_kek(Cache, WrappedKEK) ->
+unwrap_kek(Cache, DbName, WrappedKEK) ->
case ets:lookup(Cache, WrappedKEK) of
[#entry{id = WrappedKEK, kek = KEK}] ->
{ok, KEK};
[] ->
{ok, KEK, WrappedKEK} = fabric2_encryption_plugin:unwrap_kek(
- WrappedKEK),
+ DbName, WrappedKEK),
Entry = #entry{id = WrappedKEK, kek = KEK},
true = ets:insert(Cache, Entry),
{ok, KEK}
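Review bot: The cache is still keyed on the wrapped key alone (`ets:lookup(Cache, WrappedKEK)`), although the unwrap result may now depend on DbName. On a cache hit the plugin is never consulted with the database name, so any per-database check or key selection a provider performs in unwrap_kek/2 would be skipped for a wrapped key that was first unwrapped under another database. If providers are expected to rely on DbName, key the entry on both values, e.g. `ets:lookup(Cache, {DbName, WrappedKEK})` with `#entry{id = {DbName, WrappedKEK}, kek = KEK}`; otherwise add a comment stating that the KEK must be a function of WrappedKEK only. Other users of `#entry.id` are not visible in this hunk and would need the same change, and the function's closing `end.` lies outside the hunk.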
diff --git a/src/fabric/src/fabric2_encryption_plugin.erl b/src/fabric/src/fabric2_encryption_plugin.erl
index 807a807f8..ec9dcb968 100644
--- a/src/fabric/src/fabric2_encryption_plugin.erl
+++ b/src/fabric/src/fabric2_encryption_plugin.erl
@@ -15,7 +15,7 @@
-export([
get_aad/1,
get_wrapped_kek/1,
- unwrap_kek/1
+ unwrap_kek/2
]).
@@ -35,11 +35,11 @@ get_wrapped_kek(DbName) ->
maybe_handle(get_kek, [DbName], Default).
--spec unwrap_kek(WrappedKEK :: binary()) ->
+-spec unwrap_kek(DbName :: binary(), WrappedKEK :: binary()) ->
{ok, KEK :: binary(), WrappedKEK :: binary()} | {error, Error :: term()}.
-unwrap_kek(WrappedKEK) ->
- Default = fun fabric2_encryption_provider:unwrap_kek/1,
- maybe_handle(unwrap_kek, [WrappedKEK], Default).
+unwrap_kek(DbName, WrappedKEK) ->
+ Default = fun fabric2_encryption_provider:unwrap_kek/2,
+ maybe_handle(unwrap_kek, [DbName, WrappedKEK], Default).
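Review bot: Changing the plugin callback from unwrap_kek/1 to unwrap_kek/2 breaks out-of-tree plugins, and nothing here documents the new contract. maybe_handle/3 is not visible in this hunk; if it falls back to Default when the plugin does not export the requested arity, a plugin that still implements only unwrap_kek/1 would silently be replaced by the built-in provider for unwrapping. Add a doc comment above the spec, for example `%% DbName is the database the wrapped KEK belongs to; providers that do not scope keys per database may ignore it.`, and confirm that a configured plugin lacking unwrap_kek/2 fails loudly rather than falling through.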
diff --git a/src/fabric/src/fabric2_encryption_provider.erl b/src/fabric/src/fabric2_encryption_provider.erl
index 6f7adc197..a695f8664 100644
--- a/src/fabric/src/fabric2_encryption_provider.erl
+++ b/src/fabric/src/fabric2_encryption_provider.erl
@@ -15,7 +15,7 @@
-export([
get_aad/1,
get_kek/1,
- unwrap_kek/1
+ unwrap_kek/2
]).
@@ -42,7 +42,7 @@ get_kek(_DbName) ->
end.
-unwrap_kek(WrappedKEK) ->
+unwrap_kek(_DbName, WrappedKEK) ->
case get_mek() of
{ok, MEK} ->
case couch_keywrap:key_unwrap(MEK, WrappedKEK) of
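Review bot: `_DbName` is ignored in the default provider without explanation. A short comment above the clause would help, e.g. `%% DbName is unused: this provider unwraps every KEK with the MEK from get_mek/0, so a wrapped KEK is not bound to a database.` That also makes it explicit that, with this provider, a wrapped KEK presented under a different database name appears to unwrap just the same. The function body continues outside the hunk.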
@@ -132,7 +132,7 @@ get_unwrap_kek_test_() ->
{"should unwrap valid wrapped kek",
fun test_unwrap_kek/0},
{"should return error on invalid wrapped key",
- ?_assertMatch({error, _}, unwrap_kek(<<0:320>>))}
+ ?_assertMatch({error, _}, unwrap_kek(<<"db">>, <<0:320>>))}
]
end
}.
@@ -156,7 +156,7 @@ test_get_kek() ->
test_unwrap_kek() ->
WrappedKEK = <<16#0c714838ba4b937fdde5a2ca8a318ead3c2c49ddfc77eef90e1a954f18962848f601d18f7cf32bb9:320>>,
- Resp = unwrap_kek(WrappedKEK),
+ Resp = unwrap_kek(<<"db">>, WrappedKEK),
?assertMatch({ok, _, _}, Resp),
{ok, KEK, WrappedKEK2} = Resp,
?assertEqual(256, bit_size(KEK)),