feat(encryption): add kms key management

apache · Dec 1, 2023 · 20b4cb0 · 20b4cb0
1 parent f4776b5
commit 20b4cb0
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 45 deletions.
diff --git a/src/replica/default_key_provider.h b/src/replica/default_key_provider.h
@@ -28,46 +28,48 @@
 namespace dsn {
 namespace security {
 
-class DefaultKeyProvider : public KeyProvider {
+class DefaultKeyProvider : public KeyProvider
+{
 public:
-  ~DefaultKeyProvider() override {}
-  dsn::error_s DecryptEncryptionKey(const std::string& encryption_key,
-                              const std::string& /*iv*/,
-                              const std::string& /*key_version*/,
-                              std::string* decrypted_key) override {
-    *decrypted_key = ::absl::HexStringToBytes(encryption_key);
+    ~DefaultKeyProvider() override {}
+    dsn::error_s DecryptEncryptionKey(const std::string &encryption_key,
+                                      const std::string & /*iv*/,
+                                      const std::string & /*key_version*/,
+                                      std::string *decrypted_key) override
+    {
+        *decrypted_key = ::absl::HexStringToBytes(encryption_key);
 
 #ifdef __linux__
-    memfrob(decrypted_key->data(), decrypted_key->length());
+        memfrob(decrypted_key->data(), decrypted_key->length());
 #else
-    // On Linux, memfrob() bitwise XORs the data with the magic number that is
-    // the answer to the ultimate question of life, the universe, and
-    // everything. On Mac, we do this manually.
-    const uint8_t kMagic = 42;
-    for (auto i = 0; i < decrypted_key->length(); ++i) {
-      decrypted_key->data()[i] ^= kMagic;
-    }
+        // On Linux, memfrob() bitwise XORs the data with the magic number that is
+        // the answer to the ultimate question of life, the universe, and
+        // everything. On Mac, we do this manually.
+        const uint8_t kMagic = 42;
+        for (auto i = 0; i < decrypted_key->length(); ++i) {
+            decrypted_key->data()[i] ^= kMagic;
+        }
 #endif
-    *decrypted_key = ::absl::BytesToHexString(*decrypted_key);
-    return dsn::error_s::ok();
-  }
-
-  dsn::error_s GenerateEncryptionKey(std::string* encryption_key,
-                               std::string* iv,
-                               std::string* key_version) override {
-    unsigned char key_bytes[32];
-    unsigned char iv_bytes[32];
-    int num_bytes = 16;
-    std::string dek;
-    RAND_bytes(key_bytes, num_bytes);
-    dek = ::absl::BytesToHexString(reinterpret_cast<const char*>(key_bytes));
-    RAND_bytes(iv_bytes, num_bytes);
-    *iv = ::absl::BytesToHexString(reinterpret_cast<const char*>(iv_bytes));
-    DecryptEncryptionKey(dek, *iv, *key_version, encryption_key);
-    *key_version = "encryptionkey@0";
-    return dsn::error_s::ok();
-  }
+        *decrypted_key = ::absl::BytesToHexString(*decrypted_key);
+        return dsn::error_s::ok();
+    }
 
+    dsn::error_s GenerateEncryptionKey(std::string *encryption_key,
+                                       std::string *iv,
+                                       std::string *key_version) override
+    {
+        unsigned char key_bytes[32];
+        unsigned char iv_bytes[32];
+        int num_bytes = 16;
+        std::string dek;
+        RAND_bytes(key_bytes, num_bytes);
+        dek = ::absl::BytesToHexString(reinterpret_cast<const char *>(key_bytes));
+        RAND_bytes(iv_bytes, num_bytes);
+        *iv = ::absl::BytesToHexString(reinterpret_cast<const char *>(iv_bytes));
+        DecryptEncryptionKey(dek, *iv, *key_version, encryption_key);
+        *key_version = "encryptionkey@0";
+        return dsn::error_s::ok();
+    }
 };
 } // namespace security
 } // namespace dsn
diff --git a/src/replica/replica_stub.h b/src/replica/replica_stub.h
@@ -77,7 +77,7 @@ class nfs_node;
 
 namespace security {
 class KeyProvider;
-}  // namespace security
+} // namespace security
 
 namespace service {
 class copy_request;

diff --git a/src/replica/test/defaul_key_provider_test.cpp b/src/replica/test/defaul_key_provider_test.cpp
@@ -28,18 +28,19 @@ namespace security {
 
 class DefaultKeyProviderTest : public testing::Test
 {
- protected:
-  DefaultKeyProvider key_provider;
+protected:
+    DefaultKeyProvider key_provider;
 };
 
-TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt) {
-  string encryption_key;
-  string iv;
-  string version;
-  string decrypted_key;
-  ASSERT_TRUE(key_provider.GenerateEncryptionKey(&encryption_key, &iv, &version));
-  ASSERT_TRUE(key_provider.DecryptEncryptionKey(encryption_key, iv, version, &decrypted_key));
-  ASSERT_NE(encryption_key, decrypted_key);
+TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt)
+{
+    string encryption_key;
+    string iv;
+    string version;
+    string decrypted_key;
+    ASSERT_TRUE(key_provider.GenerateEncryptionKey(&encryption_key, &iv, &version));
+    ASSERT_TRUE(key_provider.DecryptEncryptionKey(encryption_key, iv, version, &decrypted_key));
+    ASSERT_NE(encryption_key, decrypted_key);
 }
 
 } // namespace security