From 9354e78289fde933f485c663df960b0bc6e24df5 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Fri, 24 Mar 2023 16:23:40 -0400
Subject: [PATCH] no-op: split transformer interface
Signed-off-by: Monis Khan
---
 .../value/encrypt/envelope/kmsv2/cache.go | 18 +++++-------------
 .../value/encrypt/envelope/kmsv2/envelope.go | 2 +-
 .../apiserver/pkg/storage/value/transformer.go | 14 +++++++++++---
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/cache.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/cache.go
index fa4be57ab14..c677f54b5ba 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/cache.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/cache.go
@@ -18,7 +18,6 @@ limitations under the License.
 package kmsv2
 import (
- "context"
 "crypto/sha256"
 "hash"
 "sync"
@@ -30,17 +29,10 @@ import (
 "k8s.io/utils/clock"
 )
-// prevent decryptTransformer from drifting from value.Transformer
-var _ decryptTransformer = value.Transformer(nil)
-
-// decryptTransformer is the decryption subset of value.Transformer.
-// this exists purely to statically enforce that transformers placed in the cache are not used for encryption.
+// simpleCache stores the decryption subset of value.Transformer (value.Read).
+// this statically enforces that transformers placed in the cache are not used for encryption.
 // this is relevant in the context of nonce collision since transformers that are created
 // from encrypted DEKs retrieved from etcd cannot maintain their nonce counter state.
-type decryptTransformer interface {
- TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) (out []byte, stale bool, err error)
-}
-
 type simpleCache struct {
 cache *utilcache.Expiring
 ttl time.Duration
@@ -64,16 +56,16 @@ func newSimpleCache(clock clock.Clock, ttl time.Duration) *simpleCache {
 }
 // given a key, return the transformer, or nil if it does not exist in the cache
-func (c *simpleCache) get(key []byte) decryptTransformer {
+func (c *simpleCache) get(key []byte) value.Read {
 record, ok := c.cache.Get(c.keyFunc(key))
 if !ok {
 return nil
 }
- return record.(decryptTransformer)
+ return record.(value.Read)
 }
 // set caches the record for the key
-func (c *simpleCache) set(key []byte, transformer decryptTransformer) {
+func (c *simpleCache) set(key []byte, transformer value.Read) {
 if len(key) == 0 {
 panic("key must not be empty")
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
index e372e62de7c..f7dd4e984ca 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
@@ -227,7 +227,7 @@ func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byt
 }
 // addTransformerForDecryption inserts a new transformer to the Envelope cache of DEKs for future reads.
-func (t *envelopeTransformer) addTransformerForDecryption(cacheKey []byte, key []byte) (decryptTransformer, error) {
+func (t *envelopeTransformer) addTransformerForDecryption(cacheKey []byte, key []byte) (value.Read, error) {
 block, err := aes.NewCipher(key)
 if err != nil {
 return nil, err
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go b/staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go
index cb48ed50c71..7b5307df208 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go
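Review bot: Narrowing get and set to value.Read (the `record.(value.Read)` assertion and the `transformer value.Read` parameter) is a compile-time boundary only: the concrete transformer placed in the cache still has a TransformToStorage method, so a `record.(value.Write)` or `record.(value.Transformer)` assertion anywhere in the package would silently reenable encryption with a DEK whose nonce counter state was lost, which is exactly what the simpleCache comment warns about. That invariant lives only in a comment on the struct today; I would restate it where the value escapes, above the return in get: `// never type-assert the result back to value.Write or value.Transformer; see the simpleCache comment on nonce reuse.` The body of set continues outside the hunk.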
@@ -40,17 +40,25 @@ type Context interface {
 AuthenticatedData() []byte
 }
-// Transformer allows a value to be transformed before being read from or written to the underlying store. The methods
-// must be able to undo the transformation caused by the other.
-type Transformer interface {
+type Read interface {
 // TransformFromStorage may transform the provided data from its underlying storage representation or return an error.
 // Stale is true if the object on disk is stale and a write to etcd should be issued, even if the contents of the object
 // have not changed.
 TransformFromStorage(ctx context.Context, data []byte, dataCtx Context) (out []byte, stale bool, err error)
+}
+
+type Write interface {
 // TransformToStorage may transform the provided data into the appropriate form in storage or return an error.
 TransformToStorage(ctx context.Context, data []byte, dataCtx Context) (out []byte, err error)
 }
+// Transformer allows a value to be transformed before being read from or written to the underlying store. The methods
+// must be able to undo the transformation caused by the other.
+type Transformer interface {
+ Read
+ Write
+}
+
 // ResourceTransformers returns a transformer for the provided resource.
 type ResourceTransformers interface {
 TransformerForResource(resource schema.GroupResource) Transformer
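Review bot: The new exported interfaces `Read` and `Write` carry no doc comments while `Transformer` keeps its, and golint/staticcheck flag exported types without a leading comment; here the comment is also where the contract belongs. Suggest `// Read is the decryption half of Transformer: it transforms data coming out of the store.` above `type Read interface {` and `// Write is the encryption half of Transformer: it transforms data going into the store.` above `type Write interface {`, so that a reader understands a value typed as Read cannot be used to write, which is what the kmsv2 cache relies on. Since Transformer is now the embedding of Read and Write its method set is unchanged, so existing implementations and callers continue to satisfy and accept it, consistent with the no-op title. The bare names Read and Write also read like io primitives; something like ReadTransformer/WriteTransformer would be less ambiguous, though that is a matter of taste.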