authorEric Avdey <eiri@eiri.ca>2020-03-19 21:37:15 -0300
committerEric Avdey <eiri@eiri.ca>2020-04-07 02:35:56 -0300
commitf6c21be95e00fc2bbac25e4adf01cba1a5fddac2 (patch)
tree201d33a0c2c36910a258c4be6b20e1482ee55947
parentfecdee1deaf928b3d85b9c0287a39530446315a9 (diff)
Add on/off config switch for encryption
-rw-r--r--rel/overlay/etc/default.ini5
-rw-r--r--src/fabric/src/fabric2_encryption.erl5
-rw-r--r--src/fabric/src/fabric2_fdb.erl42
3 files changed, 37 insertions, 15 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index d2a2c7257..a9b4dbbd4 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -703,4 +703,7 @@ compaction = false
[couch_rate.views]
limiter = couch_rate_limiter
-opts = #{budget => 100, target => 2500, window => 60000, sensitivity => 1000} \ No newline at end of file
+opts = #{budget => 100, target => 2500, window => 60000, sensitivity => 1000}
+
+[encryption]
+enabled = false
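Review bot: The new `[encryption]` section has no comment, so an operator cannot tell what flipping `enabled` does to databases that already exist. Judging by the other hunks in this commit, the flag is read in `get_wrapped_kek/1` and the result is stored in the database's `wrapped_kek` config entry by `create/2`. It therefore presumably affects only databases created afterwards, which should be confirmed and written down. Suggested comment above the key: `; Applies to databases created while this is true; existing databases keep the mode they were created with.`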
diff --git a/src/fabric/src/fabric2_encryption.erl b/src/fabric/src/fabric2_encryption.erl
index cb9958b5e..a4e40bd4b 100644
--- a/src/fabric/src/fabric2_encryption.erl
+++ b/src/fabric/src/fabric2_encryption.erl
@@ -52,7 +52,10 @@ start_link() ->
get_wrapped_kek(DbName) when is_binary(DbName) ->
- gen_server:call(?MODULE, {get_wrapped_kek, DbName}).
+ case config:get_boolean("encryption", "enabled", false) of
+ true -> gen_server:call(?MODULE, {get_wrapped_kek, DbName});
+ false -> {ok, false}
+ end.
encode(WrappedKEK, DbName, DocId, UpdateCounter, DocBody)
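Review bot: `get_wrapped_kek/1` now has a second success shape, `{ok, false}`, that nothing in the hunk documents. The `false` serves as a "no key" marker that the `create`, `doc_to_fdb` and `fdb_to_doc` hunks in fabric2_fdb.erl all depend on. A short comment, plus an updated `-spec` if the module has one outside this hunk, would make the contract explicit, for example `%% Returns {ok, WrappedKEK}, or {ok, false} when [encryption] enabled is off; callers persist the value as-is.` A tagged atom such as `not_encrypted` would read more clearly than a bare boolean, though that is a wider change than this commit.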
diff --git a/src/fabric/src/fabric2_fdb.erl b/src/fabric/src/fabric2_fdb.erl
index 17c98b791..3ecf4769b 100644
--- a/src/fabric/src/fabric2_fdb.erl
+++ b/src/fabric/src/fabric2_fdb.erl
@@ -202,7 +202,7 @@ create(#{} = Db0, Options) ->
{?DB_CONFIG, <<"uuid">>, UUID},
{?DB_CONFIG, <<"revs_limit">>, ?uint2bin(1000)},
{?DB_CONFIG, <<"security_doc">>, <<"{}">>},
- {?DB_CONFIG, <<"wrapped_kek">>, WrappedKEK},
+ {?DB_CONFIG, <<"wrapped_kek">>, erlfdb_tuple:pack({WrappedKEK})},
{?DB_STATS, <<"doc_count">>, ?uint2bin(0)},
{?DB_STATS, <<"doc_del_count">>, ?uint2bin(0)},
{?DB_STATS, <<"doc_design_count">>, ?uint2bin(0)},
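Review bot: Wrapping the stored value in `erlfdb_tuple:pack({WrappedKEK})` changes the on-disk encoding of `wrapped_kek`, and the `load_config` hunk below now calls `erlfdb_tuple:unpack(V)` unconditionally. A database whose config was written by the parent commit holds the raw wrapped key bytes, which would most likely fail to unpack or fail the `{WrappedKEK} =` match, leaving an encrypted database unopenable. If such databases can exist, `load_config` needs a fallback for the legacy value or a migration step. If they cannot, as in pre-release code, a sentence in the commit message saying so would help. The body of `create/2` extends beyond this hunk.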
@@ -271,7 +271,7 @@ open(#{} = Db0, Options) ->
uuid => <<>>,
revs_limit => 1000,
security_doc => {[]},
- wrapped_kek => <<>>,
+ wrapped_kek => false,
user_ctx => UserCtx,
@@ -473,7 +473,9 @@ load_config(#{} = Db) ->
<<"uuid">> -> DbAcc#{uuid := V};
<<"revs_limit">> -> DbAcc#{revs_limit := ?bin2uint(V)};
<<"security_doc">> -> DbAcc#{security_doc := ?JSON_DECODE(V)};
- <<"wrapped_kek">> -> DbAcc#{wrapped_kek := V}
+ <<"wrapped_kek">> ->
+ {WrappedKEK} = erlfdb_tuple:unpack(V),
+ DbAcc#{wrapped_kek := WrappedKEK}
end
end, Db, erlfdb:wait(Future)).
@@ -1375,13 +1377,20 @@ doc_to_fdb(Db, #doc{} = Doc) ->
DiskAtts = lists:map(fun couch_att:to_disk_term/1, Atts),
- UpdateCounter = get_stat(Db, <<"update_count">>),
- BinBody = term_to_binary(Body, [{compressed, 0}, {minor_version, 1}]),
- {ok, Encoded} = fabric2_encryption:encode(
- WrappedKEK, DbName, Id, UpdateCounter, BinBody),
+ ValueTerm = case WrappedKEK of
+ false ->
+ {Body, DiskAtts, Deleted};
+ _ ->
+ UpdateCounter = get_stat(Db, <<"update_count">>),
+ BinBody = term_to_binary(Body,
+ [{compressed, 0}, {minor_version, 1}]),
+ {ok, Encoded} = fabric2_encryption:encode(
+ WrappedKEK, DbName, Id, UpdateCounter, BinBody),
+ {UpdateCounter, Encoded, DiskAtts, Deleted}
+ end,
+
+ Value = term_to_binary(ValueTerm, [{minor_version, 1}]),
- Value = term_to_binary({UpdateCounter, Encoded, DiskAtts, Deleted},
- [{minor_version, 1}]),
Chunks = chunkify_binary(Value),
{Rows, _} = lists:mapfoldl(fun(Chunk, ChunkId) ->
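Review bot: The `_ ->` clause of `case WrappedKEK of` treats every value other than `false` as a key, so a malformed `wrapped_kek` such as a stray atom is handed to `fabric2_encryption:encode/5` instead of being rejected here. Tightening the clause to `_ when is_binary(WrappedKEK) ->` would make an unexpected value fail with a `case_clause` at the point where the plaintext-or-encrypted decision is taken. The same catch-all appears in the `fdb_to_doc` hunk. `doc_to_fdb/2` begins before this hunk, so how `WrappedKEK` is bound is not visible.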
@@ -1402,11 +1411,18 @@ fdb_to_doc(Db, DocId, Pos, Path, BinRows) when is_list(BinRows) ->
} = Db,
Bin = iolist_to_binary(BinRows),
- {UpdateCounter, Encoded, DiskAtts, Deleted} = binary_to_term(Bin, [safe]),
+ ValueTerm = binary_to_term(Bin, [safe]),
- {ok, BinBody} = fabric2_encryption:decode(
- WrappedKEK, DbName, DocId, UpdateCounter, Encoded),
- Body = binary_to_term(BinBody, [safe]),
+ {Body, DiskAtts, Deleted} = case WrappedKEK of
+ false ->
+ ValueTerm;
+ _ ->
+ {UpdateCounter, Encoded, DiskAtts0, Deleted0} = ValueTerm,
+ {ok, BinBody} = fabric2_encryption:decode(
+ WrappedKEK, DbName, DocId, UpdateCounter, Encoded),
+ Body0 = binary_to_term(BinBody, [safe]),
+ {Body0, DiskAtts0, Deleted0}
+ end,
Atts = lists:map(fun(Att) ->
couch_att:from_disk_term(Db, DocId, Att)
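Review bot: The stored term carries no marker of whether it is encrypted. The branch is chosen from the handle's `wrapped_kek` alone, and the 3-tuple and 4-tuple shapes are told apart only by the `{Body, DiskAtts, Deleted} =` and `{UpdateCounter, Encoded, DiskAtts0, Deleted0} =` matches. If the handle and the stored data ever disagree, the failure is a bare `badmatch` whose reason includes the whole stored term, which in the 3-tuple case is the plaintext body and may end up in crash logs. Checking the tuple size before the match and raising a named error that carries only `DocId`, for example `erlang:error({encryption_mismatch, DocId})`, would give a diagnosable failure without exposing document content. `fdb_to_doc/5` continues past the end of this hunk.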