acelyc111 commented on code in PR #1706:
URL:
https://github.com/apache/incubator-pegasus/pull/1706#discussion_r1446940918
##########
src/replica/storage/simple_kv/test/run.sh:
##########
@@ -113,12 +113,12 @@ fi
if [ ! -z "${cases}" ]; then
OLD_TEST_OPTS=${TEST_OPTS}
Review Comment:
TEST_OPTS is passed from the run.sh in root path, it may contains options
which are separated by `,`, it's needed to deal with it.
##########
src/replica/replica_stub.cpp:
##########
@@ -389,9 +439,47 @@ void replica_stub::initialize(const replication_options
&opts, bool clear /* = f
}
}
+ std::string server_key;
+ dsn::replication::replica_kms_info kms_info;
+ std::string kms_path = utils::filesystem::path_combine(
+ _options.data_dirs[0], dsn::replication::replica_kms_info::kKmsInfo);
+#ifndef MOCK_TEST
+ if (FLAGS_encrypt_data_at_rest && utils::is_empty(FLAGS_hadoop_kms_url)) {
+ CHECK(FLAGS_hadoop_kms_url, "hadoop_kms_url should not empty");
+ }
+#endif
+ if (FLAGS_encrypt_data_at_rest && !utils::is_empty(FLAGS_hadoop_kms_url)) {
+ key_provider.reset(new dsn::security::KMSKeyProvider(
+ ::absl::StrSplit(FLAGS_hadoop_kms_url, ",", ::absl::SkipEmpty()),
FLAGS_cluster_name));
+ auto error_code = dsn::utils::load_rjobj_from_file(
+ kms_path, dsn::utils::FileDataType::kNonSensitive, &kms_info);
+ if (error_code != dsn::ERR_OK) {
+ LOG_WARNING("It's normal to encounter a temporary inability to
open the kms-info file "
+ "during the first process launch. error_code = {}",
+ error_code);
+ }
+ // Upon the first launch, the encryption key should be empty. The
process will then retrieve
+ // EEK, IV, and KV from KMS.
+ // After the first launch, the encryption key, obtained from the
kms-info file, should not
+ // be empty. The process will then acquire the DEK from KMS.
+ if (!utils::filesystem::path_exists(kms_path)) {
+ auto err = key_provider->GenerateEncryptionKey(&kms_info);
+ CHECK(err, "get encryption key failed, err = {}", err);
Review Comment:
Use CHECK_OK to simplify the code here and other places.
##########
src/replica/replica_stub.cpp:
##########
@@ -389,9 +439,47 @@ void replica_stub::initialize(const replication_options
&opts, bool clear /* = f
}
}
+ std::string server_key;
+ dsn::replication::replica_kms_info kms_info;
+ std::string kms_path = utils::filesystem::path_combine(
+ _options.data_dirs[0], dsn::replication::replica_kms_info::kKmsInfo);
+#ifndef MOCK_TEST
Review Comment:
How abour moving it to `DSN_DEFINE_group_validator`?
##########
src/replica/replication_app_base.h:
##########
@@ -85,6 +85,26 @@ class replica_app_info
error_code store(const std::string &fname);
};
+// This class stores and loads EEK, IV, and KV from KMS as a JSON file.
+// To get the decrypted key, should POST EEK, IV, and KV to KMS.
+class replica_kms_info
Review Comment:
How about defining it as a struct, then the "public" words can be omitted.
##########
src/replica/replication_app_base.h:
##########
@@ -85,6 +85,26 @@ class replica_app_info
error_code store(const std::string &fname);
};
+// This class stores and loads EEK, IV, and KV from KMS as a JSON file.
+// To get the decrypted key, should POST EEK, IV, and KV to KMS.
+class replica_kms_info
Review Comment:
```suggestion
class kms_info
```
Because this is not a "replica" level info, it's a server wide info.
##########
src/security/kms_client.cpp:
##########
@@ -0,0 +1,182 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include <initializer_list>
+#include <map>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+#include "absl/strings/escaping.h"
+#include "fmt/core.h"
+#include "http/http_client.h"
+#include "http/http_method.h"
+#include "http/http_status_code.h"
+#include "nlohmann/json.hpp"
+#include "nlohmann/json_fwd.hpp"
+#include "security/kms_client.h"
+#include "replica/replication_app_base.h"
+#include "utils/error_code.h"
+#include "utils/fmt_logging.h"
+
+namespace dsn {
+namespace security {
+
+dsn::error_s KMSClient::DecryptEncryptionKey(const
dsn::replication::replica_kms_info &kms_info,
+ std::string *decrypted_key)
+{
+ nlohmann::json payload;
+ payload["name"] = cluster_key_name_;
+ std::string iv_plain = ::absl::HexStringToBytes(kms_info.iv);
+ std::string iv_b64;
+ ::absl::WebSafeBase64Escape(iv_plain, &iv_b64);
+ payload["iv"] = iv_b64;
+ std::string eek_plain = ::absl::HexStringToBytes(kms_info.eek);
+ std::string eek_b64;
+ ::absl::WebSafeBase64Escape(eek_plain, &eek_b64);
+ payload["material"] = eek_b64;
+
+ http_client client;
+ RETURN_NOT_OK(client.init());
+ RETURN_NOT_OK(client.set_auth(http_auth_type::SPNEGO));
+
+ std::vector<std::string> urls;
+ urls.reserve(kms_urls_.size());
+ for (const auto &url : kms_urls_) {
+
urls.emplace_back(fmt::format("{}/v1/keyversion/{}/_eek?eek_op=decrypt", url,
kms_info.kv));
+ }
+ client.clear_header_fields();
+ client.set_content_type("application/json");
+ client.set_accept("*/*");
+
+ RETURN_NOT_OK(client.with_post_method(payload.dump()));
+
+ nlohmann::json j;
+ for (const auto &url : urls) {
+ RETURN_NOT_OK(client.set_url(url));
+ std::string resp;
+ auto err = client.exec_method(&resp);
+ if (err.code() == ERR_NETWORK_FAILURE || err.code() == ERR_TIMEOUT) {
+ continue;
+ } else {
+ RETURN_NOT_OK(err);
+ }
Review Comment:
```suggestion
RETURN_NOT_OK(err);
```
##########
src/security/kms_client.cpp:
##########
@@ -0,0 +1,182 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include <initializer_list>
+#include <map>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+#include "absl/strings/escaping.h"
+#include "fmt/core.h"
+#include "http/http_client.h"
+#include "http/http_method.h"
+#include "http/http_status_code.h"
+#include "nlohmann/json.hpp"
+#include "nlohmann/json_fwd.hpp"
+#include "security/kms_client.h"
+#include "replica/replication_app_base.h"
+#include "utils/error_code.h"
+#include "utils/fmt_logging.h"
+
+namespace dsn {
+namespace security {
+
+dsn::error_s KMSClient::DecryptEncryptionKey(const
dsn::replication::replica_kms_info &kms_info,
+ std::string *decrypted_key)
+{
+ nlohmann::json payload;
+ payload["name"] = cluster_key_name_;
+ std::string iv_plain = ::absl::HexStringToBytes(kms_info.iv);
+ std::string iv_b64;
+ ::absl::WebSafeBase64Escape(iv_plain, &iv_b64);
+ payload["iv"] = iv_b64;
+ std::string eek_plain = ::absl::HexStringToBytes(kms_info.eek);
+ std::string eek_b64;
+ ::absl::WebSafeBase64Escape(eek_plain, &eek_b64);
+ payload["material"] = eek_b64;
+
+ http_client client;
+ RETURN_NOT_OK(client.init());
+ RETURN_NOT_OK(client.set_auth(http_auth_type::SPNEGO));
+
+ std::vector<std::string> urls;
+ urls.reserve(kms_urls_.size());
+ for (const auto &url : kms_urls_) {
+
urls.emplace_back(fmt::format("{}/v1/keyversion/{}/_eek?eek_op=decrypt", url,
kms_info.kv));
+ }
+ client.clear_header_fields();
+ client.set_content_type("application/json");
+ client.set_accept("*/*");
+
+ RETURN_NOT_OK(client.with_post_method(payload.dump()));
+
+ nlohmann::json j;
+ for (const auto &url : urls) {
+ RETURN_NOT_OK(client.set_url(url));
+ std::string resp;
+ auto err = client.exec_method(&resp);
+ if (err.code() == ERR_NETWORK_FAILURE || err.code() == ERR_TIMEOUT) {
+ continue;
+ } else {
+ RETURN_NOT_OK(err);
+ }
+ http_status_code http_status;
+ client.get_http_status(http_status);
+ if (http_status == http_status_code::kOk) {
+ try {
+ j = nlohmann::json::parse(resp);
+ } catch (nlohmann::json::exception &exp) {
+ LOG_ERROR("encode kms_info to json failed: {}, data = [{}]",
exp.what(), resp);
+ }
+ break;
+ }
+ LOG_WARNING(
+ "The http status is ({}), and url is ({})",
get_http_status_message(http_status), url);
+ }
+
+ std::string dek_b64;
+ if (j.contains("material")) {
Review Comment:
How about defining a new macro like `RETURN_ERR_S_NOT_TRUE` to simplify the
code here and some other places.
##########
src/security/kms_client.cpp:
##########
@@ -0,0 +1,182 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include <initializer_list>
+#include <map>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+#include "absl/strings/escaping.h"
+#include "fmt/core.h"
+#include "http/http_client.h"
+#include "http/http_method.h"
+#include "http/http_status_code.h"
+#include "nlohmann/json.hpp"
+#include "nlohmann/json_fwd.hpp"
+#include "security/kms_client.h"
+#include "replica/replication_app_base.h"
+#include "utils/error_code.h"
+#include "utils/fmt_logging.h"
+
+namespace dsn {
+namespace security {
+
+dsn::error_s KMSClient::DecryptEncryptionKey(const
dsn::replication::replica_kms_info &kms_info,
+ std::string *decrypted_key)
+{
+ nlohmann::json payload;
+ payload["name"] = cluster_key_name_;
+ std::string iv_plain = ::absl::HexStringToBytes(kms_info.iv);
+ std::string iv_b64;
+ ::absl::WebSafeBase64Escape(iv_plain, &iv_b64);
+ payload["iv"] = iv_b64;
+ std::string eek_plain = ::absl::HexStringToBytes(kms_info.eek);
+ std::string eek_b64;
+ ::absl::WebSafeBase64Escape(eek_plain, &eek_b64);
+ payload["material"] = eek_b64;
+
+ http_client client;
+ RETURN_NOT_OK(client.init());
+ RETURN_NOT_OK(client.set_auth(http_auth_type::SPNEGO));
+
+ std::vector<std::string> urls;
+ urls.reserve(kms_urls_.size());
+ for (const auto &url : kms_urls_) {
+
urls.emplace_back(fmt::format("{}/v1/keyversion/{}/_eek?eek_op=decrypt", url,
kms_info.kv));
+ }
+ client.clear_header_fields();
+ client.set_content_type("application/json");
+ client.set_accept("*/*");
+
+ RETURN_NOT_OK(client.with_post_method(payload.dump()));
+
+ nlohmann::json j;
+ for (const auto &url : urls) {
+ RETURN_NOT_OK(client.set_url(url));
+ std::string resp;
+ auto err = client.exec_method(&resp);
+ if (err.code() == ERR_NETWORK_FAILURE || err.code() == ERR_TIMEOUT) {
+ continue;
+ } else {
+ RETURN_NOT_OK(err);
+ }
+ http_status_code http_status;
+ client.get_http_status(http_status);
+ if (http_status == http_status_code::kOk) {
+ try {
+ j = nlohmann::json::parse(resp);
+ } catch (nlohmann::json::exception &exp) {
+ LOG_ERROR("encode kms_info to json failed: {}, data = [{}]",
exp.what(), resp);
+ }
+ break;
+ }
+ LOG_WARNING(
+ "The http status is ({}), and url is ({})",
get_http_status_message(http_status), url);
+ }
+
+ std::string dek_b64;
+ if (j.contains("material")) {
+ dek_b64 = j.at("material");
+ } else {
+ return dsn::error_s::make(ERR_INVALID_DATA, "Null material received");
+ }
+ std::string dek_plain;
+ if (!::absl::WebSafeBase64Unescape(dek_b64, &dek_plain)) {
+ return dsn::error_s::make(ERR_INVALID_DATA, "Invalid IV received");
+ }
+ *decrypted_key = ::absl::BytesToHexString(dek_plain);
+ return dsn::error_s::ok();
+}
+
+dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string
&key_name,
+
dsn::replication::replica_kms_info *kms_info)
+{
+ http_client client;
+ RETURN_NOT_OK(client.init());
+ RETURN_NOT_OK(client.set_auth(http_auth_type::SPNEGO));
+
+ std::vector<std::string> urls;
+ urls.reserve(kms_urls_.size());
+ for (const auto &url : kms_urls_) {
+ urls.emplace_back(
+ fmt::format("{}/v1/key/{}/_eek?eek_op=generate&num_keys=1", url,
key_name));
+ }
+
+ nlohmann::json j = nlohmann::json::object();
+ for (const auto &url : urls) {
+ RETURN_NOT_OK(client.set_url(url));
+ RETURN_NOT_OK(client.with_get_method());
+ std::string resp;
+ auto err = client.exec_method(&resp);
+ if (err.code() == ERR_NETWORK_FAILURE || err.code() == ERR_TIMEOUT) {
+ continue;
+ } else {
+ RETURN_NOT_OK(err);
+ }
Review Comment:
```suggestion
RETURN_NOT_OK(err);
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
