diff options
author | Eric Avdey <eiri@eiri.ca> | 2020-03-19 21:37:15 -0300 |
---|---|---|
committer | Eric Avdey <eiri@eiri.ca> | 2020-04-07 02:35:56 -0300 |
commit | f6c21be95e00fc2bbac25e4adf01cba1a5fddac2 (patch) | |
tree | 201d33a0c2c36910a258c4be6b20e1482ee55947 | |
parent | fecdee1deaf928b3d85b9c0287a39530446315a9 (diff) | |
download | couchdb-f6c21be95e00fc2bbac25e4adf01cba1a5fddac2.tar.gz |
Add on/off config switch for encryption
-rw-r--r-- | rel/overlay/etc/default.ini | 5 | ||||
-rw-r--r-- | src/fabric/src/fabric2_encryption.erl | 5 | ||||
-rw-r--r-- | src/fabric/src/fabric2_fdb.erl | 42 |
3 files changed, 37 insertions, 15 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini index d2a2c7257..a9b4dbbd4 100644 --- a/rel/overlay/etc/default.ini +++ b/rel/overlay/etc/default.ini @@ -703,4 +703,7 @@ compaction = false [couch_rate.views] limiter = couch_rate_limiter -opts = #{budget => 100, target => 2500, window => 60000, sensitivity => 1000}
\ No newline at end of file +opts = #{budget => 100, target => 2500, window => 60000, sensitivity => 1000} + +[encryption] +enabled = false diff --git a/src/fabric/src/fabric2_encryption.erl b/src/fabric/src/fabric2_encryption.erl index cb9958b5e..a4e40bd4b 100644 --- a/src/fabric/src/fabric2_encryption.erl +++ b/src/fabric/src/fabric2_encryption.erl @@ -52,7 +52,10 @@ start_link() -> get_wrapped_kek(DbName) when is_binary(DbName) -> - gen_server:call(?MODULE, {get_wrapped_kek, DbName}). + case config:get_boolean("encryption", "enabled", false) of + true -> gen_server:call(?MODULE, {get_wrapped_kek, DbName}); + false -> {ok, false} + end. encode(WrappedKEK, DbName, DocId, UpdateCounter, DocBody) diff --git a/src/fabric/src/fabric2_fdb.erl b/src/fabric/src/fabric2_fdb.erl index 17c98b791..3ecf4769b 100644 --- a/src/fabric/src/fabric2_fdb.erl +++ b/src/fabric/src/fabric2_fdb.erl @@ -202,7 +202,7 @@ create(#{} = Db0, Options) -> {?DB_CONFIG, <<"uuid">>, UUID}, {?DB_CONFIG, <<"revs_limit">>, ?uint2bin(1000)}, {?DB_CONFIG, <<"security_doc">>, <<"{}">>}, - {?DB_CONFIG, <<"wrapped_kek">>, WrappedKEK}, + {?DB_CONFIG, <<"wrapped_kek">>, erlfdb_tuple:pack({WrappedKEK})}, {?DB_STATS, <<"doc_count">>, ?uint2bin(0)}, {?DB_STATS, <<"doc_del_count">>, ?uint2bin(0)}, {?DB_STATS, <<"doc_design_count">>, ?uint2bin(0)}, @@ -271,7 +271,7 @@ open(#{} = Db0, Options) -> uuid => <<>>, revs_limit => 1000, security_doc => {[]}, - wrapped_kek => <<>>, + wrapped_kek => false, user_ctx => UserCtx, @@ -473,7 +473,9 @@ load_config(#{} = Db) -> <<"uuid">> -> DbAcc#{uuid := V}; <<"revs_limit">> -> DbAcc#{revs_limit := ?bin2uint(V)}; <<"security_doc">> -> DbAcc#{security_doc := ?JSON_DECODE(V)}; - <<"wrapped_kek">> -> DbAcc#{wrapped_kek := V} + <<"wrapped_kek">> -> + {WrappedKEK} = erlfdb_tuple:unpack(V), + DbAcc#{wrapped_kek := WrappedKEK} end end, Db, erlfdb:wait(Future)). @@ -1375,13 +1377,20 @@ doc_to_fdb(Db, #doc{} = Doc) -> DiskAtts = lists:map(fun couch_att:to_disk_term/1, Atts), - UpdateCounter = get_stat(Db, <<"update_count">>), - BinBody = term_to_binary(Body, [{compressed, 0}, {minor_version, 1}]), - {ok, Encoded} = fabric2_encryption:encode( - WrappedKEK, DbName, Id, UpdateCounter, BinBody), + ValueTerm = case WrappedKEK of + false -> + {Body, DiskAtts, Deleted}; + _ -> + UpdateCounter = get_stat(Db, <<"update_count">>), + BinBody = term_to_binary(Body, + [{compressed, 0}, {minor_version, 1}]), + {ok, Encoded} = fabric2_encryption:encode( + WrappedKEK, DbName, Id, UpdateCounter, BinBody), + {UpdateCounter, Encoded, DiskAtts, Deleted} + end, + + Value = term_to_binary(ValueTerm, [{minor_version, 1}]), - Value = term_to_binary({UpdateCounter, Encoded, DiskAtts, Deleted}, - [{minor_version, 1}]), Chunks = chunkify_binary(Value), {Rows, _} = lists:mapfoldl(fun(Chunk, ChunkId) -> @@ -1402,11 +1411,18 @@ fdb_to_doc(Db, DocId, Pos, Path, BinRows) when is_list(BinRows) -> } = Db, Bin = iolist_to_binary(BinRows), - {UpdateCounter, Encoded, DiskAtts, Deleted} = binary_to_term(Bin, [safe]), + ValueTerm = binary_to_term(Bin, [safe]), - {ok, BinBody} = fabric2_encryption:decode( - WrappedKEK, DbName, DocId, UpdateCounter, Encoded), - Body = binary_to_term(BinBody, [safe]), + {Body, DiskAtts, Deleted} = case WrappedKEK of + false -> + ValueTerm; + _ -> + {UpdateCounter, Encoded, DiskAtts0, Deleted0} = ValueTerm, + {ok, BinBody} = fabric2_encryption:decode( + WrappedKEK, DbName, DocId, UpdateCounter, Encoded), + Body0 = binary_to_term(BinBody, [safe]), + {Body0, DiskAtts0, Deleted0} + end, Atts = lists:map(fun(Att) -> couch_att:from_disk_term(Db, DocId, Att) |