From f4776b52338bd4160e59e6a099fe9f1a8e732cc2 Mon Sep 17 00:00:00 2001
From: yujingwei
Date: Fri, 1 Dec 2023 17:09:01 +0800
Subject: [PATCH] feat(encryption): add kms key management

---
 src/replica/default_key_provider.h | 73 +++++++++++++++++++
 src/replica/test/defaul_key_provider_test.cpp | 46 ++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 src/replica/default_key_provider.h
 create mode 100644 src/replica/test/defaul_key_provider_test.cpp

diff --git a/src/replica/default_key_provider.h b/src/replica/default_key_provider.h
new file mode 100644
index 00000000000..f20a5ba1e0f
--- /dev/null
+++ b/src/replica/default_key_provider.h
@@ -0,0 +1,73 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include
+#include
+
+#include "absl/strings/escaping.h"
+#include "replica/key_provider.h"
+#include "utils/error_code.h"
+#include "utils/fmt_logging.h"
+
+namespace dsn {
+namespace security {
+
+class DefaultKeyProvider : public KeyProvider {
+public:
+ ~DefaultKeyProvider() override {}
+ dsn::error_s DecryptEncryptionKey(const std::string& encryption_key,
+ const std::string& /*iv*/,
+ const std::string& /*key_version*/,
+ std::string* decrypted_key) override {
+ *decrypted_key = ::absl::HexStringToBytes(encryption_key);
+
+#ifdef __linux__
+ memfrob(decrypted_key->data(), decrypted_key->length());
+#else
+ // On Linux, memfrob() bitwise XORs the data with the magic number that is
+ // the answer to the ultimate question of life, the universe, and
+ // everything. On Mac, we do this manually.
+ const uint8_t kMagic = 42;
+ for (auto i = 0; i < decrypted_key->length(); ++i) {
+ decrypted_key->data()[i] ^= kMagic;
+ }
+#endif
+ *decrypted_key = ::absl::BytesToHexString(*decrypted_key);
+ return dsn::error_s::ok();
+ }
+
+ dsn::error_s GenerateEncryptionKey(std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version) override {
+ unsigned char key_bytes[32];
+ unsigned char iv_bytes[32];
+ int num_bytes = 16;
+ std::string dek;
+ RAND_bytes(key_bytes, num_bytes);
+ dek = ::absl::BytesToHexString(reinterpret_cast(key_bytes));
+ RAND_bytes(iv_bytes, num_bytes);
+ *iv = ::absl::BytesToHexString(reinterpret_cast(iv_bytes));
+ DecryptEncryptionKey(dek, *iv, *key_version, encryption_key);
+ *key_version = "encryptionkey@0";
+ return dsn::error_s::ok();
+ }
+
+};
+} // namespace security
+} // namespace dsn
diff --git a/src/replica/test/defaul_key_provider_test.cpp b/src/replica/test/defaul_key_provider_test.cpp
new file mode 100644
index 00000000000..dd460f63884
--- /dev/null
+++ b/src/replica/test/defaul_key_provider_test.cpp
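Review bot: In `GenerateEncryptionKey`, `key_bytes` and `iv_bytes` are raw 32-byte arrays that are never NUL-terminated, yet a bare `reinterpret_cast(key_bytes)` (its template argument is not visible in this rendering) is handed to `absl::BytesToHexString`, so the string_view length comes from strlen: a random 0x00 among the 16 generated bytes silently shortens the DEK or IV, and with no zero byte the scan runs into the uninitialized upper half of the array and past its end. Give the length explicitly, `dek = ::absl::BytesToHexString(absl::string_view(reinterpret_cast<const char *>(key_bytes), num_bytes));`, and the same for `*iv`. Both `RAND_bytes` calls also discard their return value; OpenSSL signals failure with a value other than 1, and a key built from an unfilled buffer must never be handed out, so check each call and return a non-ok `dsn::error_s` rather than `ok()` when it fails. The `DecryptEncryptionKey(dek, *iv, *key_version, encryption_key)` call reads `*key_version` one line before it is assigned and drops the returned status; harmless today because both are ignored, but worth reordering so the out-parameter is set first. Separately, `DecryptEncryptionKey` only XORs every byte with 42 (`memfrob` on Linux, the manual loop elsewhere), which is reversible obfuscation rather than encryption — anyone who reads the stored `encryption_key` recovers the DEK — so the class should carry a header comment such as `// Fallback provider used when no KMS is configured: "decryption" is a fixed-byte XOR and gives no confidentiality; do not rely on it to protect production keys.`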
@@ -0,0 +1,46 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include
+
+#include "gtest/gtest.h"
+#include "replica/default_key_provider.h"
+#include "test_util/test_util.h"
+
+using std::string;
+
+namespace dsn {
+namespace security {
+
+class DefaultKeyProviderTest : public testing::Test
+{
+ protected:
+ DefaultKeyProvider key_provider;
+};
+
+TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt) {
+ string encryption_key;
+ string iv;
+ string version;
+ string decrypted_key;
+ ASSERT_TRUE(key_provider.GenerateEncryptionKey(&encryption_key, &iv, &version));
+ ASSERT_TRUE(key_provider.DecryptEncryptionKey(encryption_key, iv, version, &decrypted_key));
+ ASSERT_NE(encryption_key, decrypted_key);
+}
+
+} // namespace security
+} // namespace dsn
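Review bot: `ASSERT_NE(encryption_key, decrypted_key)` in `TestEncryptAndDecrypt` only proves the two strings differ; it never checks that the decrypted value is a full 16-byte DEK or that the transform round-trips, so a truncated or garbage key would still pass. Because the provider's XOR-with-42 transform is its own inverse, the test can feed `decrypted_key` back through `DecryptEncryptionKey` and require the original `encryption_key`, and it should pin the hex lengths of `decrypted_key` and `iv` to 32 (16 random bytes, hex-encoded) plus the `version` string the provider sets, as in the excerpt below. The file name `defaul_key_provider_test.cpp` drops the 't' of `default`; renaming it to match `default_key_provider.h` now avoids a permanent mismatch with the header and with any build glob keyed on the header's name. The stripped `#include` on its own line cannot be assessed from this rendering.
```cpp
TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt) {
    // … unchanged: declarations and the GenerateEncryptionKey / DecryptEncryptionKey calls …
    ASSERT_NE(encryption_key, decrypted_key);
    // 16 random bytes, hex-encoded; catches a key silently shortened by the provider.
    ASSERT_EQ(32U, decrypted_key.size());
    ASSERT_EQ(32U, iv.size());
    ASSERT_EQ("encryptionkey@0", version);
    // The XOR transform is an involution: decrypting again restores the stored form.
    string round_trip;
    ASSERT_TRUE(key_provider.DecryptEncryptionKey(decrypted_key, iv, version, &round_trip));
    ASSERT_EQ(encryption_key, round_trip);
}
```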