feat(encryption): add kms key management

apache · Dec 19, 2023 · 4b255ca · 4b255ca
1 parent c83437a
commit 4b255ca
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 30 deletions.
diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
@@ -224,7 +224,7 @@ DSN_DECLARE_string(server_encrypted_key);
 
 namespace dsn {
 
-namespace security{
+namespace security {
 DSN_DECLARE_bool(enable_acl);
 }
 namespace replication {
@@ -284,8 +284,10 @@ DSN_TAG_VARIABLE(config_sync_interval_ms, FT_MUTABLE);
 DSN_DEFINE_validator(config_sync_interval_ms, [](uint32_t value) -> bool { return value > 0; });
 DSN_DEFINE_group_validator(encrypt_data_at_rest, [](std::string &message) -> bool {
     if (!dsn::security::FLAGS_enable_acl || !FLAGS_encrypt_data_at_rest) {
-        message = fmt::format("FLAGS_enable_acl = ({}) FLAGS_encrypt_data_at_rest = ({}),should be true at the same time", 
-            dsn::security::FLAGS_enable_acl, FLAGS_encrypt_data_at_rest);
+        message = fmt::format("FLAGS_enable_acl = ({}) FLAGS_encrypt_data_at_rest = ({}),should be "
+                              "true at the same time",
+                              dsn::security::FLAGS_enable_acl,
+                              FLAGS_encrypt_data_at_rest);
         return false;
     }
     return true;
@@ -474,12 +476,15 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f
     // get and store Encrypted Encryption Key(eek),Initialization Vector(iv),Key Version from kms
     if (key_provider && !utils::is_empty(FLAGS_hadoop_kms_url)) {
         get_kms_key(_options.data_dirs[0], &encryption_key, &iv, &key_version);
-        // The encryption key should empty when process upon the first launch. And the process will get eek,iv,kv from kms 
-        // After first launch, the encryption key should not empty and get from kms-info file. The process get Decrypted Encryption Key(dek) from kms
+        // The encryption key should empty when process upon the first launch. And the process will
+        // get eek,iv,kv from kms
+        // After first launch, the encryption key should not empty and get from kms-info file. The
+        // process get Decrypted Encryption Key(dek) from kms
         if (encryption_key.empty()) {
             auto err = key_provider->GenerateEncryptionKey(&encryption_key, &iv, &key_version);
             CHECK(key_provider->GenerateEncryptionKey(&encryption_key, &iv, &key_version),
-                  "get encryption key failed, err = {}", err);
+                  "get encryption key failed, err = {}",
+                  err);
         }
         CHECK(key_provider->DecryptEncryptionKey(encryption_key, iv, key_version, &server_key),
               "get decryption key failed");

diff --git a/src/replica/replication_app_base.cpp b/src/replica/replication_app_base.cpp
@@ -100,7 +100,8 @@ error_code replica_init_info::store(const std::string &dir)
 
 error_code replica_init_info::load_json(const std::string &fname)
 {
-    return replication::load_json_generic<replica_init_info, dsn::utils::FileDataType::kSensitive>(fname, *this);
+    return replication::load_json_generic<replica_init_info, dsn::utils::FileDataType::kSensitive>(
+        fname, *this);
 }
 
 error_code replica_init_info::store_json(const std::string &fname)

diff --git a/src/replica/replication_app_base.h b/src/replica/replication_app_base.h
@@ -89,15 +89,14 @@ template <typename T, dsn::utils::FileDataType FileType>
 error_code load_json_generic(const std::string &fname, T &object)
 {
     std::string data;
-    auto s = rocksdb::ReadFileToString(
-        dsn::utils::PegasusEnv(FileType), fname, &data);
+    auto s = rocksdb::ReadFileToString(dsn::utils::PegasusEnv(FileType), fname, &data);
     LOG_AND_RETURN_NOT_TRUE(ERROR, s.ok(), ERR_FILE_OPERATION_FAILED, "read file {} failed", fname);
-    LOG_AND_RETURN_NOT_TRUE(ERROR,
-                            json::json_forwarder<T>::decode(
-                                blob::create_from_bytes(std::move(data)), object),
-                            ERR_FILE_OPERATION_FAILED,
-                            "decode json from file {} failed",
-                            fname);
+    LOG_AND_RETURN_NOT_TRUE(
+        ERROR,
+        json::json_forwarder<T>::decode(blob::create_from_bytes(std::move(data)), object),
+        ERR_FILE_OPERATION_FAILED,
+        "decode json from file {} failed",
+        fname);
     return ERR_OK;
 }
 } // namespace

diff --git a/src/runtime/security/kms_client.cpp b/src/runtime/security/kms_client.cpp
@@ -36,9 +36,9 @@ namespace dsn {
 namespace security {
 
 dsn::error_s KMSClient::DecryptEncryptionKey(const std::string &encryption_key,
-                                                    const std::string &iv,
-                                                    const std::string &key_version,
-                                                    std::string *decrypted_key)
+                                             const std::string &iv,
+                                             const std::string &key_version,
+                                             std::string *decrypted_key)
 {
     nlohmann::json post;
     post["name"] = cluster_key_name_;
@@ -92,7 +92,7 @@ dsn::error_s KMSClient::DecryptEncryptionKey(const std::string &encryption_key,
         client.get_http_status(http_status);
         if (http_status == 200) {
             j = nlohmann::json::parse(resp);
-        } else{
+        } else {
             LOG_WARNING("The http status is ({}), and url is ({})", http_status, url);
         }
     }
@@ -112,9 +112,9 @@ dsn::error_s KMSClient::DecryptEncryptionKey(const std::string &encryption_key,
 }
 
 dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name,
-                                                            std::string *encryption_key,
-                                                            std::string *iv,
-                                                            std::string *key_version)
+                                                     std::string *encryption_key,
+                                                     std::string *iv,
+                                                     std::string *key_version)
 {
     http_client client;
     auto err = client.init();
@@ -157,7 +157,7 @@ dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name
             nlohmann::json jsonObject = j.at(0);
             std::string res = jsonObject.dump();
             j = nlohmann::json::parse(res);
-        } else{
+        } else {
             LOG_WARNING("The http status is ({}), and url is ({})", http_status, url);
         }
     }
@@ -194,8 +194,8 @@ dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name
 }
 
 dsn::error_s KMSClient::GenerateEncryptionKey(std::string *encryption_key,
-                                                     std::string *iv,
-                                                     std::string *key_version)
+                                              std::string *iv,
+                                              std::string *key_version)
 {
     return GenerateEncryptionKeyFromKMS(cluster_key_name_, encryption_key, iv, key_version);
 }

diff --git a/src/runtime/security/kms_client.h b/src/runtime/security/kms_client.h
@@ -26,12 +26,14 @@
 
 namespace dsn {
 namespace security {
-// A class to generate encryption_key from kms for writing file which implemented based on http clinet
+// A class to generate encryption_key from kms for writing file which implemented based on http
+// client
 // This class is not thread-safe. Thus maintain one instance for each thread.
 //
 // Example of using Kms client:
 // --------------------------------------------------------
-// Generate and get the Encrypted Encryption Key(eek),Initialization Vector(iv),Key Version from kms:
+// Generate and get the Encrypted Encryption Key(eek),Initialization Vector(iv),Key Version from
+// kms:
 // std::string encryption_key;
 // std::string iv;
 // std::string key_version;

diff --git a/src/runtime/security/replica_kms_info.cpp b/src/runtime/security/replica_kms_info.cpp
@@ -70,7 +70,8 @@ error_code replica_kms_info::store(const std::string &dir)
 
 error_code replica_kms_info::load_json(const std::string &fname)
 {
-    return replication::load_json_generic<replica_kms_info, dsn::utils::FileDataType::kNonSensitive>(fname, *this);
+    return replication::load_json_generic<replica_kms_info,
+                                          dsn::utils::FileDataType::kNonSensitive>(fname, *this);
 }
 
 error_code replica_kms_info::store_json(const std::string &fname)

diff --git a/src/utils/env.cpp b/src/utils/env.cpp
@@ -62,8 +62,9 @@ rocksdb::Env *NewEncryptedEnv()
 {
     // Create an encryption provider.
     std::shared_ptr<rocksdb::EncryptionProvider> provider;
-    auto provider_id = fmt::format(
-        "id=AES;hex_instance_key={};method={}", FLAGS_server_encrypted_key, FLAGS_encryption_method);
+    auto provider_id = fmt::format("id=AES;hex_instance_key={};method={}",
+                                   FLAGS_server_encrypted_key,
+                                   FLAGS_encryption_method);
     auto s = rocksdb::EncryptionProvider::CreateFromString(
         rocksdb::ConfigOptions(), provider_id, &provider);
     CHECK(s.ok(), "Failed to create encryption provider: {}", s.ToString());