feat(encryption): add kms key management

apache · Dec 13, 2023 · 4a23bdf · 4a23bdf
1 parent 2c16de5
commit 4a23bdf
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 10 deletions.
diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
@@ -590,18 +590,17 @@ void replica_stub::initialize(bool clear /* = false*/)
     _access_controller = std::make_unique<dsn::security::access_controller>();
 }
 
-dsn::error_s store_kms_key(std::string data_dir,
+dsn::error_s store_kms_key(const std::string &data_dir,
                            std::string encryption_key,
                            std::string iv,
                            std::string key_version)
 {
     replica_kms_info kms_info(encryption_key, iv, key_version);
     auto err = kms_info.store(data_dir);
-    if (dsn::ERR_OK == err) {
-        return dsn::error_s::ok();
-    } else {
-        return dsn::error_s::make(err, "Can't open replica_encrypted_key file to write");
+    if (!err.is_ok()) {
+        return dsn::error_s::make(err, "Can't open kms-info file to write");
     }
+    return dsn::error_s::ok();
 }
 
 void get_kms_key(std::string data_dir,
@@ -614,9 +613,7 @@ void get_kms_key(std::string data_dir,
     *encryption_key = kms_info.encryption_key;
     *iv = kms_info.iv;
     *key_version = kms_info.key_version;
-    if (dsn::ERR_OK != err) {
-        CHECK(err, "Can't open replica_encrypted_key file to read");
-    }
+    CHECK_OK(err, "Can't open replica_encrypted_key file to read");
 }
 
 void replica_stub::initialize(const replication_options &opts, bool clear /* = false*/)
@@ -650,9 +647,12 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f
     std::string iv;
     std::string key_version;
     std::string server_key;
-    // get and store eek from kms
+    // get and store Encrypted Encryption Key(eek),Initialization Vector(iv),Key Version from kms
     if (key_provider && !utils::is_empty(FLAGS_hadoop_kms_url)) {
+        CHECK(_options.data_dirs[0], "data_dirs is empty");
         get_kms_key(_options.data_dirs[0], &encryption_key, &iv, &key_version);
+        // The encryption key should empty when process upon the first launch. And the process will get eek,iv,kv from kms 
+        // After first launch, the encryption key should not empty. And the process get Decrypted Encryption Key(dek) from kms
         if (encryption_key.empty()) {
             CHECK(key_provider->GenerateEncryptionKey(&encryption_key, &iv, &key_version),
                   "get encryption key failed");

diff --git a/src/replica/replication_app_base.cpp b/src/replica/replication_app_base.cpp
@@ -61,7 +61,7 @@ namespace dsn {
 namespace replication {
 
 const std::string replica_init_info::kInitInfo = ".init-info";
-const std::string replica_kms_info::kFileName = ".kms-info";
+const std::string replica_kms_info::kKmsInfo = ".kms-info";
 
 error_code replica_init_info::load(const std::string &dir)
 {

diff --git a/src/runtime/security/kms_client.h b/src/runtime/security/kms_client.h
@@ -26,6 +26,46 @@
 
 namespace dsn {
 namespace security {
+// A library for http client that provides convenient APIs to access http services, implemented
+// based on http client (https://curl.se/libcurl/c/).
+//
+// A class to implement 
+// This class is not thread-safe. Thus maintain one instance for each thread.
+//
+// Example of useing Kms client:
+// --------------------------------------------------------
+// Create an instance of http_client:
+// GenerateEncryptionKey
+//
+// It's necessary to initialize the new instance before coming into use:
+// DecryptEncryptionKey
+//
+// Specify the target url that you would request for:
+// err = client.set_url(method);
+//
+// If you would use GET method, call `with_get_method`:
+// err = client.with_get_method();
+//
+// If you would use POST method, call `with_post_method` with post data:
+// err = client.with_post_method(post_data);
+//
+// Submit the request to remote http service:
+// err = client.exec_method();
+//
+// If response data should be processed, use callback function:
+// auto callback = [...](const void *data, size_t length) {
+//     ......
+//     return true;
+// };
+// err = client.exec_method(callback);
+//
+// Or just provide a string pointer:
+// std::string response;
+// err = client.exec_method(&response);
+//
+// Get the http status code after requesting:
+// long http_status;
+// err = client.get_http_status(http_status);
 class KMSClient
 {
 public: