diff options
author | Eric Avdey <eiri@eiri.ca> | 2020-04-02 14:57:54 -0300 |
---|---|---|
committer | Eric Avdey <eiri@eiri.ca> | 2020-04-07 02:37:13 -0300 |
commit | 9d121e370e72ffb5f50061d13b8d3f5b851e56d5 (patch) | |
tree | f57f38588e5ba57c4cd4c9ea1ba687ff159c3e49 | |
parent | 2cc8d4ff8b04d4c4f1c295afc96afbc986377f64 (diff) | |
download | couchdb-9d121e370e72ffb5f50061d13b8d3f5b851e56d5.tar.gz |
Change interface for plugin's unwrap_kek
If getting KEK requires a database name, then depending on an encryption
provider it could be also necessary for unwrapping it too, so pass it to
unwrap function just in case.
-rw-r--r-- | src/fabric/src/fabric2_encryption.erl | 8 | ||||
-rw-r--r-- | src/fabric/src/fabric2_encryption_plugin.erl | 10 | ||||
-rw-r--r-- | src/fabric/src/fabric2_encryption_provider.erl | 8 |
3 files changed, 13 insertions, 13 deletions
diff --git a/src/fabric/src/fabric2_encryption.erl b/src/fabric/src/fabric2_encryption.erl index b3bd0fd59..ab11cc48f 100644 --- a/src/fabric/src/fabric2_encryption.erl +++ b/src/fabric/src/fabric2_encryption.erl @@ -142,7 +142,7 @@ handle_call({encrypt, WrappedKEK, DbName, DocId, DocRev, Value}, From, St) -> waiters := Waiters } = St, - {ok, KEK} = unwrap_kek(Cache, WrappedKEK), + {ok, KEK} = unwrap_kek(Cache, DbName, WrappedKEK), {_Pid, Ref} = erlang:spawn_monitor(?MODULE, do_encrypt, [KEK, DbName, DocId, DocRev, Value]), @@ -157,7 +157,7 @@ handle_call({decrypt, WrappedKEK, DbName, DocId, DocRev, Value}, From, St) -> waiters := Waiters } = St, - {ok, KEK} = unwrap_kek(Cache, WrappedKEK), + {ok, KEK} = unwrap_kek(Cache, DbName, WrappedKEK), {_Pid, Ref} = erlang:spawn_monitor(?MODULE, do_decrypt, [KEK, DbName, DocId, DocRev, Value]), @@ -258,13 +258,13 @@ get_dek(KEK, DocId, DocRev) when bit_size(KEK) == 256 -> {ok, DEK}. -unwrap_kek(Cache, WrappedKEK) -> +unwrap_kek(Cache, DbName, WrappedKEK) -> case ets:lookup(Cache, WrappedKEK) of [#entry{id = WrappedKEK, kek = KEK}] -> {ok, KEK}; [] -> {ok, KEK, WrappedKEK} = fabric2_encryption_plugin:unwrap_kek( - WrappedKEK), + DbName, WrappedKEK), Entry = #entry{id = WrappedKEK, kek = KEK}, true = ets:insert(Cache, Entry), {ok, KEK} diff --git a/src/fabric/src/fabric2_encryption_plugin.erl b/src/fabric/src/fabric2_encryption_plugin.erl index 807a807f8..ec9dcb968 100644 --- a/src/fabric/src/fabric2_encryption_plugin.erl +++ b/src/fabric/src/fabric2_encryption_plugin.erl @@ -15,7 +15,7 @@ -export([ get_aad/1, get_wrapped_kek/1, - unwrap_kek/1 + unwrap_kek/2 ]). @@ -35,11 +35,11 @@ get_wrapped_kek(DbName) -> maybe_handle(get_kek, [DbName], Default). --spec unwrap_kek(WrappedKEK :: binary()) -> +-spec unwrap_kek(DbName :: binary(), WrappedKEK :: binary()) -> {ok, KEK :: binary(), WrappedKEK :: binary()} | {error, Error :: term()}. -unwrap_kek(WrappedKEK) -> - Default = fun fabric2_encryption_provider:unwrap_kek/1, - maybe_handle(unwrap_kek, [WrappedKEK], Default). +unwrap_kek(DbName, WrappedKEK) -> + Default = fun fabric2_encryption_provider:unwrap_kek/2, + maybe_handle(unwrap_kek, [DbName, WrappedKEK], Default). diff --git a/src/fabric/src/fabric2_encryption_provider.erl b/src/fabric/src/fabric2_encryption_provider.erl index 6f7adc197..a695f8664 100644 --- a/src/fabric/src/fabric2_encryption_provider.erl +++ b/src/fabric/src/fabric2_encryption_provider.erl @@ -15,7 +15,7 @@ -export([ get_aad/1, get_kek/1, - unwrap_kek/1 + unwrap_kek/2 ]). @@ -42,7 +42,7 @@ get_kek(_DbName) -> end. -unwrap_kek(WrappedKEK) -> +unwrap_kek(_DbName, WrappedKEK) -> case get_mek() of {ok, MEK} -> case couch_keywrap:key_unwrap(MEK, WrappedKEK) of @@ -132,7 +132,7 @@ get_unwrap_kek_test_() -> {"should unwrap valid wrapped kek", fun test_unwrap_kek/0}, {"should return error on invalid wrapped key", - ?_assertMatch({error, _}, unwrap_kek(<<0:320>>))} + ?_assertMatch({error, _}, unwrap_kek(<<"db">>, <<0:320>>))} ] end }. @@ -156,7 +156,7 @@ test_get_kek() -> test_unwrap_kek() -> WrappedKEK = <<16#0c714838ba4b937fdde5a2ca8a318ead3c2c49ddfc77eef90e1a954f18962848f601d18f7cf32bb9:320>>, - Resp = unwrap_kek(WrappedKEK), + Resp = unwrap_kek(<<"db">>, WrappedKEK), ?assertMatch({ok, _, _}, Resp), {ok, KEK, WrappedKEK2} = Resp, ?assertEqual(256, bit_size(KEK)), |