feat(encryption): key manager

apache · Dec 25, 2023 · 02af965 · 02af965
1 parent 52404e7
commit 02af965
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 19 deletions.
diff --git a/src/replica/kms_key_provider.cpp b/src/replica/kms_key_provider.cpp
@@ -23,8 +23,9 @@
 namespace dsn {
 namespace security {
 
-dsn::error_s KMSKeyProvider::DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info,
-                                                  std::string *decrypted_key)
+dsn::error_s
+KMSKeyProvider::DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info,
+                                     std::string *decrypted_key)
 {
     return client_.DecryptEncryptionKey(kms_info, decrypted_key);
 }

diff --git a/src/replica/kms_key_provider.h b/src/replica/kms_key_provider.h
@@ -27,7 +27,7 @@
 namespace dsn {
 namespace replication {
 class replica_kms_info;
-}  // namespace replication
+} // namespace replication
 
 namespace security {
 // This class is to generating EEK IV KV from KMS (a.k.a Key Manager Service) and get DEK from KMS.

diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
@@ -334,18 +334,19 @@ DSN_DEFINE_group_validator(encrypt_data_not_support_close, [](std::string &messa
     std::vector<std::string> dirs;
     std::string data_dirs;
     // In some unit test FLAGS_data_dirs may not set.
-    if(!dsn::utils::is_empty(FLAGS_data_dirs)){
+    if (!dsn::utils::is_empty(FLAGS_data_dirs)) {
         data_dirs = FLAGS_data_dirs;
     } else {
         return true;
     }
     utils::split_args(data_dirs.c_str(), dirs, ',');
     std::string kms_path = utils::filesystem::path_combine(dirs[0], ".kms_info");
     if (!FLAGS_encrypt_data_at_rest && utils::filesystem::path_exists(kms_path)) {
-        message = fmt::format("[pegasus.server] encrypt_data_at_rest = ({}), but kms_info file path = ({}) is exist."
-                              "Pegasus dont support close encrypt after enable encrypt.",
-                              FLAGS_encrypt_data_at_rest,
-                              kms_path);
+        message = fmt::format(
+            "[pegasus.server] encrypt_data_at_rest = ({}), but kms_info file path = ({}) is exist."
+            "Pegasus dont support close encrypt after enable encrypt.",
+            FLAGS_encrypt_data_at_rest,
+            kms_path);
         return false;
     }
     return true;
@@ -458,13 +459,11 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f
         // After first launch, the encryption key should not empty and get from kms-info file. The
         // process get DEK from KMS.
         if (kms_info.eek.empty()) {
-            auto err =
-                key_provider->GenerateEncryptionKey(&kms_info);
+            auto err = key_provider->GenerateEncryptionKey(&kms_info);
             CHECK(err, "get encryption key failed, err = {}", err);
         }
-        CHECK(
-            key_provider->DecryptEncryptionKey(kms_info, &server_key),
-            "get decryption key failed");
+        CHECK(key_provider->DecryptEncryptionKey(kms_info, &server_key),
+              "get decryption key failed");
         FLAGS_server_key = server_key.c_str();
     }
 

diff --git a/src/replica/test/replica_http_service_test.cpp b/src/replica/test/replica_http_service_test.cpp
@@ -36,9 +36,9 @@ using std::map;
 using std::string;
 
 namespace dsn {
-namespace security{
+namespace security {
 DSN_DECLARE_bool(enable_acl);
-} //namespace security
+} // namespace security
 namespace replication {
 DSN_DECLARE_bool(duplication_enabled);
 DSN_DECLARE_bool(fd_disabled);
@@ -52,7 +52,8 @@ class replica_http_service_test : public replica_test_base
         // Disable unnecessary works before starting stub.
         FLAGS_fd_disabled = true;
         FLAGS_duplication_enabled = false;
-        // Set FLAGS_enable_acl true to make group validator encrypt_data_at_rest_pre_check succeed when encrypt_data_at_rest is true. 
+        // Set FLAGS_enable_acl true to make group validator encrypt_data_at_rest_pre_check succeed
+        // when encrypt_data_at_rest is true.
         dsn::security::FLAGS_enable_acl = true;
         stub->initialize_start();
 

diff --git a/src/runtime/security/kms_client.h b/src/runtime/security/kms_client.h
@@ -27,7 +27,7 @@
 namespace dsn {
 namespace replication {
 class replica_kms_info;
-}  // namespace replication
+} // namespace replication
 
 namespace security {
 // A class to generate encryption_key from KMS for writing file which implemented based on http
@@ -47,8 +47,7 @@ class KMSClient
                                       std::string *decrypted_key);
 
     // Generated the EEK, IV, KV from KMS.
-    dsn::error_s
-    GenerateEncryptionKey(dsn::replication::replica_kms_info *kms_info);
+    dsn::error_s GenerateEncryptionKey(dsn::replication::replica_kms_info *kms_info);
 
 private:
     dsn::error_s GenerateEncryptionKeyFromKMS(const std::string &key_name,