
*: move encryptionkm to pkg (#5772)
ref #5766

Signed-off-by: Ryan Leung <rleungx@gmail.com>
rleungx authored Dec 13, 2022
1 parent 7ab1c9c commit aa3ab28
Showing 8 changed files with 583 additions and 606 deletions.
513 changes: 513 additions & 0 deletions pkg/encryption/key_manager.go

Large diffs are not rendered by default.

Expand Up @@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

package encryptionkm
package encryption

import (
"context"
Expand All @@ -29,7 +29,6 @@ import (
"github.com/pingcap/kvproto/pkg/encryptionpb"
"github.com/stretchr/testify/require"
"github.com/tikv/pd/pkg/election"
"github.com/tikv/pd/pkg/encryption"
"github.com/tikv/pd/pkg/utils/etcdutil"
"github.com/tikv/pd/pkg/utils/tempurl"
"github.com/tikv/pd/pkg/utils/typeutil"
Expand Down Expand Up @@ -116,11 +115,11 @@ func TestNewKeyManagerBasic(t *testing.T) {
// Initialize.
client := newTestEtcd(t, re)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err := config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Check config.
re.Equal(encryptionpb.EncryptionMethod_PLAINTEXT, m.method)
Expand All @@ -141,20 +140,20 @@ func TestNewKeyManagerWithCustomConfig(t *testing.T) {
// Custom config
rotatePeriod, err := time.ParseDuration("100h")
re.NoError(err)
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
DataKeyRotationPeriod: typeutil.NewDuration(rotatePeriod),
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
}
err = config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Check config.
re.Equal(encryptionpb.EncryptionMethod_AES128_CTR, m.method)
Expand All @@ -178,11 +177,11 @@ func TestNewKeyManagerLoadKeys(t *testing.T) {
keyFile := newTestKeyFile(t, re)
leadership := newTestLeader(re, client)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err := config.Adjust()
re.NoError(err)
// Store initial keys in etcd.
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -197,7 +196,7 @@ func TestNewKeyManagerLoadKeys(t *testing.T) {
err = saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Check config.
re.Equal(encryptionpb.EncryptionMethod_PLAINTEXT, m.method)
Expand All @@ -217,11 +216,11 @@ func TestGetCurrentKey(t *testing.T) {
// Initialize.
client := newTestEtcd(t, re)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err := config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Test encryption disabled.
currentKeyID, currentKey, err := m.GetCurrentKey()
Expand Down Expand Up @@ -262,7 +261,7 @@ func TestGetKey(t *testing.T) {
keyFile := newTestKeyFile(t, re)
leadership := newTestLeader(re, client)
// Store initial keys in etcd.
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -283,11 +282,11 @@ func TestGetKey(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err = config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Get existing key.
key, err := m.GetKey(uint64(123))
Expand Down Expand Up @@ -317,7 +316,7 @@ func TestLoadKeyEmpty(t *testing.T) {
keyFile := newTestKeyFile(t, re)
leadership := newTestLeader(re, client)
// Store initial keys in etcd.
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -332,11 +331,11 @@ func TestLoadKeyEmpty(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err = config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
// Simulate keys get deleted.
_, err = client.Delete(context.Background(), EncryptionKeysPath)
Expand All @@ -361,7 +360,7 @@ func TestWatcher(t *testing.T) {
reloadEvent <- e
}
// Use default config.
config := &encryption.Config{}
config := &Config{}
err := config.Adjust()
re.NoError(err)
// Create the key manager.
Expand All @@ -373,7 +372,7 @@ func TestWatcher(t *testing.T) {
_, err = m.GetKey(456)
re.Error(err)
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand Down Expand Up @@ -427,11 +426,11 @@ func TestSetLeadershipWithEncryptionOff(t *testing.T) {
// Initialize.
client := newTestEtcd(t, re)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err := config.Adjust()
re.NoError(err)
// Create the key manager.
m, err := NewKeyManager(client, config)
m, err := NewManager(client, config)
re.NoError(err)
re.Nil(m.keys.Load())
// Set leadership
Expand Down Expand Up @@ -462,11 +461,11 @@ func TestSetLeadershipWithEncryptionEnabling(t *testing.T) {
reloadEvent <- e
}
// Config with encryption on.
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -538,11 +537,11 @@ func TestSetLeadershipWithEncryptionMethodChanged(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Config with different encrption method.
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes256-ctr",
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -593,7 +592,7 @@ func TestSetLeadershipWithCurrentKeyExposed(t *testing.T) {
reloadEvent <- e
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -608,11 +607,11 @@ func TestSetLeadershipWithCurrentKeyExposed(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Config with different encrption method.
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -664,7 +663,7 @@ func TestSetLeadershipWithCurrentKeyExpired(t *testing.T) {
reloadEvent <- e
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -681,12 +680,12 @@ func TestSetLeadershipWithCurrentKeyExpired(t *testing.T) {
// Config with 100s rotation period.
rotationPeriod, err := time.ParseDuration("100s")
re.NoError(err)
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
DataKeyRotationPeriod: typeutil.NewDuration(rotationPeriod),
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -740,7 +739,7 @@ func TestSetLeadershipWithMasterKeyChanged(t *testing.T) {
reloadEvent <- e
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -755,11 +754,11 @@ func TestSetLeadershipWithMasterKeyChanged(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Config with a different master key.
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile2,
},
},
Expand Down Expand Up @@ -804,7 +803,7 @@ func TestSetLeadershipMasterKeyWithCiphertextKey(t *testing.T) {
helper.newMasterKey = func(
meta *encryptionpb.MasterKey,
ciphertext []byte,
) (*encryption.MasterKey, error) {
) (*MasterKey, error) {
if newMasterKeyCalled < 2 {
// initial load and save. no ciphertextKey
re.Nil(ciphertext)
Expand All @@ -813,10 +812,10 @@ func TestSetLeadershipMasterKeyWithCiphertextKey(t *testing.T) {
re.Equal(ciphertext, outputCiphertextKey)
}
newMasterKeyCalled += 1
return encryption.NewCustomMasterKeyForTest(outputMasterKey, outputCiphertextKey), nil
return NewCustomMasterKeyForTest(outputMasterKey, outputCiphertextKey), nil
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -831,11 +830,11 @@ func TestSetLeadershipMasterKeyWithCiphertextKey(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Config with a different master key.
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -880,7 +879,7 @@ func TestSetLeadershipWithEncryptionDisabling(t *testing.T) {
reloadEvent <- e
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -895,7 +894,7 @@ func TestSetLeadershipWithEncryptionDisabling(t *testing.T) {
err := saveKeys(leadership, masterKeyMeta, keys, defaultKeyManagerHelper())
re.NoError(err)
// Use default config.
config := &encryption.Config{}
config := &Config{}
err = config.Adjust()
re.NoError(err)
// Create the key manager.
Expand Down Expand Up @@ -947,7 +946,7 @@ func TestKeyRotation(t *testing.T) {
tickerEvent <- e
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -964,12 +963,12 @@ func TestKeyRotation(t *testing.T) {
// Config with 100s rotation period.
rotationPeriod, err := time.ParseDuration("100s")
re.NoError(err)
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
DataKeyRotationPeriod: typeutil.NewDuration(rotationPeriod),
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -1053,7 +1052,7 @@ func TestKeyRotationConflict(t *testing.T) {
}
}
// Update keys in etcd
masterKeyMeta := newMasterKey(keyFile)
masterKeyMeta := newTestMasterKey(keyFile)
keys := &encryptionpb.KeyDictionary{
CurrentKeyId: 123,
Keys: map[uint64]*encryptionpb.DataKey{
Expand All @@ -1070,12 +1069,12 @@ func TestKeyRotationConflict(t *testing.T) {
// Config with 100s rotation period.
rotationPeriod, err := time.ParseDuration("100s")
re.NoError(err)
config := &encryption.Config{
config := &Config{
DataEncryptionMethod: "aes128-ctr",
DataKeyRotationPeriod: typeutil.NewDuration(rotationPeriod),
MasterKey: encryption.MasterKeyConfig{
MasterKey: MasterKeyConfig{
Type: "file",
MasterKeyFileConfig: encryption.MasterKeyFileConfig{
MasterKeyFileConfig: MasterKeyFileConfig{
FilePath: keyFile,
},
},
Expand Down Expand Up @@ -1113,7 +1112,7 @@ func TestKeyRotationConflict(t *testing.T) {
re.True(proto.Equal(storedKeys, keys))
}

func newMasterKey(keyFile string) *encryptionpb.MasterKey {
func newTestMasterKey(keyFile string) *encryptionpb.MasterKey {
return &encryptionpb.MasterKey{
Backend: &encryptionpb.MasterKey_File{
File: &encryptionpb.MasterKeyFile{
