feat(core): Actually use KeyManager ProviderConfig (#2837)

### Proposed Changes

- Looking up a key now loads the `manager` field in the key provider
- This is required, as the manager should be the factory key, not the
name
- This allows us to load the same manager multiple times with different
configs.

HOWEVER the config is only looked at on the first load; we should update
this so it evicts and reloads the provider if the config changes. This
hopefully will come in a follow-up.

Similarly, we don't have much in the way of integration tests for these,
since we don't include a key manager that takes a config. I'll look into
starting the Vault sample plugin back up and running.

While I'm here, since our downstream deps no longer create them, I've
removed support for the `KeyManagerFactory` that does *not* take a
context object.

### Checklist

- [x] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: dmihalcik-virtru

service/internal/security/in_process_provider.go

@@ -97,8 +97,10 @@ func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)
 }
 
 func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig {
-	// Provider config is not supported for this adapter.
-	return nil
+	return &policy.KeyProviderConfig{
+		Manager: inProcessSystemName,
+		Name:    "static",
+	}
 }
 
 // NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider using a CryptoProvider

service/kas/access/publicKey_test.go

@@ -182,7 +182,9 @@ func TestPublicKeyWithSecurityProvider(t *testing.T) {
 
 	// Create Provider with the mock security provider
 	delegator := trust.NewDelegatingKeyService(mockProvider, logger.CreateTestLogger(), nil)
-	delegator.RegisterKeyManager(mockProvider.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { return mockProvider, nil })
+	delegator.RegisterKeyManagerCtx(mockProvider.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+		return mockProvider, nil
+	})
 	kas := Provider{
 		KeyDelegator: delegator,
 		KASConfig: KASConfig{
@@ -351,7 +353,7 @@ func TestStandardCertificateHandlerEmpty(t *testing.T) {
 	inProcess := security.NewSecurityProviderAdapter(c, nil, nil)
 
 	delegator := trust.NewDelegatingKeyService(inProcess, logger.CreateTestLogger(), nil)
-	delegator.RegisterKeyManager(inProcess.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+	delegator.RegisterKeyManagerCtx(inProcess.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 		return inProcess, nil
 	})
 

service/kas/kas.go

@@ -61,7 +61,7 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					}
 				}
 
-				var kmgrNames []string
+				var kmgrs []string
 
 				if kasCfg.Preview.KeyManagement {
 					srp.Logger.Info("preview feature: key management is enabled")
@@ -75,23 +75,26 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 
 					// Configure new delegation service
 					p.KeyDelegator = trust.NewDelegatingKeyService(NewPlatformKeyIndexer(srp.SDK, kasURL.String(), srp.Logger), srp.Logger, cacheClient)
-					for _, manager := range srp.KeyManagerFactories {
-						p.KeyDelegator.RegisterKeyManager(manager.Name, manager.Factory)
-						kmgrNames = append(kmgrNames, manager.Name)
+					if len(srp.KeyManagerFactories) > 0 {
+						srp.Logger.Error("kas service ignores legacy KeyManagerFactories; using KeyManagerCtxFactories instead")
+					}
+					for _, manager := range srp.KeyManagerCtxFactories {
+						p.KeyDelegator.RegisterKeyManagerCtx(manager.Name, manager.Factory)
+						kmgrs = append(kmgrs, manager.Name)
 					}
 
 					// Register Basic Key Manager
-					p.KeyDelegator.RegisterKeyManager(security.BasicManagerName, func(opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+					p.KeyDelegator.RegisterKeyManagerCtx(security.BasicManagerName, func(_ context.Context, opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 						bm, err := security.NewBasicManager(opts.Logger, opts.Cache, kasCfg.RootKey)
 						if err != nil {
 							return nil, err
 						}
 						return bm, nil
 					})
-					kmgrNames = append(kmgrNames, security.BasicManagerName)
+					kmgrs = append(kmgrs, security.BasicManagerName)
 					// Explicitly set the default manager for session key generation.
 					// This should be configurable, e.g., defaulting to BasicManager or an HSM if available.
-					p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager
+					p.KeyDelegator.SetDefaultMode(security.BasicManagerName, "", nil) // Example: default to BasicManager
 				} else {
 					// Set up both the legacy CryptoProvider and the new SecurityProvider
 					kasCfg.UpgradeMapToKeyring(srp.OTDF.CryptoProvider)
@@ -100,14 +103,14 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					inProcessService := initSecurityProviderAdapter(p.CryptoProvider, kasCfg, srp.Logger)
 
 					p.KeyDelegator = trust.NewDelegatingKeyService(inProcessService, srp.Logger, nil)
-					p.KeyDelegator.RegisterKeyManager(inProcessService.Name(), func(*trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+					p.KeyDelegator.RegisterKeyManagerCtx(inProcessService.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 						return inProcessService, nil
 					})
 					// Set default for non-key-management mode
-					p.KeyDelegator.SetDefaultMode(inProcessService.Name())
-					kmgrNames = append(kmgrNames, inProcessService.Name())
+					p.KeyDelegator.SetDefaultMode(inProcessService.Name(), "", nil)
+					kmgrs = append(kmgrs, inProcessService.Name())
 				}
-				srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrNames))
+				srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrs))
 
 				p.SDK = srp.SDK
 				p.Logger = srp.Logger

service/policy/db/actions.sql.go

@@ -480,6 +480,7 @@ func (c PolicyDBClient) GetKey(ctx context.Context, identifier any) (*policy.Kas
 	if key.ProviderConfigID.Valid {
 		providerConfig = &policy.KeyProviderConfig{}
 		providerConfig.Id = UUIDToString(key.ProviderConfigID)
+		providerConfig.Manager = key.PcManager.String
 		providerConfig.Name = key.ProviderName.String
 		providerConfig.ConfigJson = key.PcConfig
 		providerConfig.Metadata = &common.Metadata{}