This is an automated email from the ASF dual-hosted git repository. rnewson pushed a commit to branch database_encryption in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit f56a693675ddb4ef8169b09d9ea79efbbb4a090b Author: Robert Newson <[email protected]> AuthorDate: Mon May 23 20:23:51 2022 +0100 compile time key manager --- src/aegis/rebar.config.script | 42 ++++++++++++++++++++++++++++++++ src/aegis/src/aegis_key_manager.erl | 11 +++------ src/aegis/src/aegis_key_manager_noop.erl | 25 +++++++++++++++++++ src/couch/src/couch_file.erl | 2 ++ 4 files changed, 72 insertions(+), 8 deletions(-)
diff --git a/src/aegis/rebar.config.script b/src/aegis/rebar.config.script
new file mode 100644
index 000000000..cb334032b
--- /dev/null
+++ b/src/aegis/rebar.config.script
@@ -0,0 +1,42 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+
+CoverProps = [
+ {cover_enabled, true},
+ {cover_print_enabled, true}
+],
+
+CouchConfig = case filelib:is_file(os:getenv("COUCHDB_CONFIG")) of
+ true ->
+ {ok, Result} = file:consult(os:getenv("COUCHDB_CONFIG")),
+ Result;
+ false ->
+ []
+end.
+
+AegisKeyManager = case lists:keyfind(aegis_key_manager, 1, CouchConfig) of
+ {aegis_key_manager, Module} when Module /= "" ->
+ list_to_atom(Module);
+ _ ->
+ aegis_key_manager_noop
+end,
+
+CurrentOpts = case lists:keyfind(erl_opts, 1, CONFIG) of
+ {erl_opts, Opts} -> Opts;
+ false -> []
+end,
+
+Config = CoverProps ++ CONFIG,
+
+AegisOpts = {d, 'AEGIS_KEY_MANAGER', AegisKeyManager},
+lists:keystore(erl_opts, 1, Config, {erl_opts, [AegisOpts | CurrentOpts]}).
\ No newline at end of file
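Review bot: The `_ ->` fallback in the `AegisKeyManager` case of rebar.config.script selects `aegis_key_manager_noop` silently, so a build run without `COUCHDB_CONFIG`, with a path that is not a file, or with a config that lacks the `aegis_key_manager` entry yields a release whose `wrap_key/1` returns `dont_encrypt`, and nothing records that choice. For an encryption feature that is a fail-open default; a build-time message in that branch would make it visible, e.g. `io:format(standard_error, "aegis: no key manager configured, compiling with aegis_key_manager_noop (no encryption)~n", [])` before the atom. Separately, `os:getenv/1` returns `false` when the variable is unset, and `filelib:is_file(false)` then appears to test for a file literally named `false` in the build directory; `os:getenv("COUCHDB_CONFIG", "")` avoids depending on that.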
diff --git a/src/aegis/src/aegis_key_manager.erl b/src/aegis/src/aegis_key_manager.erl
index 62793438a..353b3cd65 100644
--- a/src/aegis/src/aegis_key_manager.erl
+++ b/src/aegis/src/aegis_key_manager.erl
@@ -22,6 +22,7 @@
 
 -callback wrap_key(DataEncryptionKey :: dek()) ->
 {ok, WrappedKey :: wek()}
+ | dont_encrypt
 | {error, Reason :: term()}.
 
 -callback unwrap_key(WrappedKey :: wek()) ->
@@ -29,13 +30,7 @@
 | {error, Reason :: term()}.
 
 wrap_key(DataEncryptionKey) ->
- Module = key_manager_module(),
- Module:wrap_key(DataEncryptionKey).
+ ?AEGIS_KEY_MANAGER:wrap_key(DataEncryptionKey).
 
 unwrap_key(WrappedKey) ->
- Module = key_manager_module(),
- Module:unwrap_key(WrappedKey).
-
-key_manager_module() ->
- Module = config:get("aegis", "key_manager_module", "aegis_key_manager_config"),
- list_to_atom(Module).
+ ?AEGIS_KEY_MANAGER:unwrap_key(WrappedKey).
diff --git a/src/aegis/src/aegis_key_manager_noop.erl b/src/aegis/src/aegis_key_manager_noop.erl
new file mode 100644
index 000000000..757dfd183
--- /dev/null
+++ b/src/aegis/src/aegis_key_manager_noop.erl
@@ -0,0 +1,25 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(aegis_key_manager_noop).
+-behaviour(aegis_key_manager).
+
+-export([
+ wrap_key/1,
+ unwrap_key/1
+]).
+
+wrap_key(_DataEncryptionKey) ->
+ dont_encrypt.
+
+unwrap_key(_DataEncryptionKey) ->
+ {error, encryption_not_supported}.
diff --git a/src/couch/src/couch_file.erl b/src/couch/src/couch_file.erl
index 2e2ef4c7e..c015f805a 100644
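Review bot: The `wrap_key` callback in aegis_key_manager.erl (first hunk) now admits `dont_encrypt`, but the added line carries no comment telling implementers what that return means for the data on disk. Because the `init_crypto` change in couch_file.erl treats it as success and keeps the file handle unchanged, this is a security-relevant part of the contract rather than an error case. I would add above the callback `%% dont_encrypt: the key manager declines to wrap a key; the caller proceeds without encrypting this file.`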
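Review bot: With `key_manager_module/0` removed in the second hunk of aegis_key_manager.erl, the runtime setting `"aegis"` / `"key_manager_module"` is no longer read, yet nothing beside the new `wrap_key/1` and `unwrap_key/1` bodies says the module is now fixed by the `AEGIS_KEY_MANAGER` compile-time define. An operator who still sets that key would get whatever the build selected, which may be the no-op manager. A comment above the two wrappers would document it: `%% Key manager is chosen at compile time via the AEGIS_KEY_MANAGER define (see rebar.config.script); the "aegis"/"key_manager_module" setting is not consulted.` The wrappers also have no `-spec`; `-spec wrap_key(dek()) -> {ok, wek()} | dont_encrypt | {error, term()}.` would let Dialyzer check callers against the new return value.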
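Review bot: In aegis_key_manager_noop.erl, `unwrap_key(_DataEncryptionKey)` names its argument after the wrong key: per the `aegis_key_manager` callback it receives the wrapped key, so `unwrap_key(_WrappedKey) ->` reads correctly. The module also has no header comment saying what selecting it implies, namely that `wrap_key/1` always answers `dont_encrypt` and `unwrap_key/1` always fails with `{error, encryption_not_supported}`. One line such as `%% No-op key manager: never wraps a key (dont_encrypt) and cannot unwrap an existing one.` would make that explicit to anyone choosing it in a build config.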
--- a/src/couch/src/couch_file.erl
+++ b/src/couch/src/couch_file.erl
@@ -958,6 +958,8 @@ init_crypto(#file{eof = 0} = File0) ->
 {error, Reason} ->
 {error, Reason}
 end;
+ dont_encrypt ->
+ {ok, File0};
 {error, Reason} ->
 {error, Reason}
 end;
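Review bot: The new `dont_encrypt ->` clause returns `{ok, File0}` with no log entry, so a file that is created without encryption because of the key manager's answer leaves no trace at runtime. The clause sits in the `#file{eof = 0}` head of `init_crypto`, whose body starts and ends outside the hunk, so this applies to newly created files only. A comment such as `%% key manager opted out: keep File0 unchanged, no encryption is set up for this file` documents the intent, and a `couch_log:info/2` call in this branch would give operators something to alert on. It is also worth confirming that the clause for existing files, which is not visible here, fails on an encrypted file when `unwrap_key/1` returns an error rather than reading it as plaintext.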
