fix(core): Load in-process key manager, too

dmihalcik-virtru · dmihalcik-virtru · commit 06beb6f187e2 · 2025-09-16T13:01:37.000-04:00
- when key management is enabled and the in-process key manager has some configured keys, load it
- these keys will still be accessible with the provider `opentdf.io/in-process` for the key ids present in the config file
diff --git a/service/kas/kas.go b/service/kas/kas.go
@@ -61,7 +61,8 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					}
 				}
 
-				if kasCfg.Preview.KeyManagement {
+				useKeyManagement := kasCfg.Preview.KeyManagement
+				if useKeyManagement {
 					srp.Logger.Info("preview feature: key management is enabled")
 
 					kasURL, err := determineKASURL(srp, kasCfg)
@@ -89,7 +90,8 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					// Explicitly set the default manager for session key generation.
 					// This should be configurable, e.g., defaulting to BasicManager or an HSM if available.
 					p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager
-				} else {
+				}
+				if !useKeyManagement || len(kasCfg.Keyring) > 0 || kasCfg.ECCertID != "" || kasCfg.RSACertID != "" {
 					// Set up both the legacy CryptoProvider and the new SecurityProvider
 					kasCfg.UpgradeMapToKeyring(srp.OTDF.CryptoProvider)
 					p.CryptoProvider = srp.OTDF.CryptoProvider
