private static SessionFactory CreateDefaultSessionFactory( string productId, string serviceId, KeyManagementService keyManagementService, IMetastore <JObject> metastore) { return(SessionFactory.NewBuilder(productId, serviceId) .WithMetastore(metastore) .WithNeverExpiredCryptoPolicy() .WithKeyManagementService(keyManagementService) .Build()); }
public SessionFactory( string productId, string serviceId, IMetastore <JObject> metastore, SecureCryptoKeyDictionaryFactory <DateTimeOffset> secureCryptoKeyDictionaryFactory, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.productId = productId; this.serviceId = serviceId; this.metastore = metastore; this.secureCryptoKeyDictionaryFactory = secureCryptoKeyDictionaryFactory; systemKeyCache = secureCryptoKeyDictionaryFactory.CreateSecureCryptoKeyDictionary(); this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; }
/// <summary> /// Initializes a new instance of the <see cref="EnvelopeEncryptionJsonImpl"/> class using the provided /// parameters. This is an implementation of <see cref="IEnvelopeEncryption{TD}"/> which uses /// <see cref="JObject"/> as the Data Row Record format. /// </summary> /// /// <param name="partition">A <see cref="GoDaddy.Asherah.AppEncryption.Partition"/> object.</param> /// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate /// keys.</param> /// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for /// caching system keys.</param> /// <param name="intermediateKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation /// for caching intermediate keys.</param> /// <param name="aeadEnvelopeCrypto">An implementation of /// <see cref="GoDaddy.Asherah.Crypto.Envelope.AeadEnvelopeCrypto"/>, used to encrypt/decrypt keys and /// envelopes.</param> /// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates /// the various behaviors of Asherah.</param> /// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/> /// implementation that generates the top level master key and encrypts the system keys using the master key. /// </param> public EnvelopeEncryptionJsonImpl( Partition partition, IMetastore <JObject> metastore, SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache, AeadEnvelopeCrypto aeadEnvelopeCrypto, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.partition = partition; this.metastore = metastore; this.systemKeyCache = systemKeyCache; this.intermediateKeyCache = intermediateKeyCache; crypto = aeadEnvelopeCrypto; this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; }
/// <summary> /// Initializes a new instance of the <see cref="SessionFactory"/> class. /// </summary> /// /// <param name="productId">A unique identifier for a product.</param> /// <param name="serviceId">A unique identifier for a service.</param> /// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate /// keys.</param> /// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for /// caching system keys.</param> /// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates /// the various behaviors of Asherah.</param> /// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/> /// implementation that generates the top level master key and encrypts the system keys using the master key. /// </param> public SessionFactory( string productId, string serviceId, IMetastore <JObject> metastore, SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.productId = productId; this.serviceId = serviceId; this.metastore = metastore; this.systemKeyCache = systemKeyCache; this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; semaphoreLocks = new ConcurrentDictionary <string, object>(); SessionCache = new MemoryCache(new MemoryCacheOptions()); }
public AppJsonEncryptionImplTest() { partition = new Partition("PARTITION", "SYSTEM", "PRODUCT"); Dictionary <string, JObject> memoryPersistence = new Dictionary <string, JObject>(); dataPersistence = new AdhocPersistence <JObject>( key => memoryPersistence.TryGetValue(key, out JObject result) ? result : Option <JObject> .None, (key, jsonObject) => memoryPersistence.Add(key, jsonObject)); metastore = new InMemoryMetastoreImpl <JObject>(); keyManagementService = new DummyKeyManagementService(); AeadEnvelopeCrypto aeadEnvelopeCrypto = new BouncyAes256GcmCrypto(); // Generate a dummy systemKey document CryptoKey systemKey = aeadEnvelopeCrypto.GenerateKey(); byte[] encryptedSystemKey = keyManagementService.EncryptKey(systemKey); EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(DateTimeOffset.UtcNow, null, encryptedSystemKey); // Write out the dummy systemKey record memoryPersistence.TryAdd(partition.SystemKeyId, systemKeyRecord.ToJson()); }
public ICryptoPolicyStep WithMetastore(IMetastore <JObject> metastore) { this.metastore = metastore; return(this); }
public ICryptoPolicyStep WithInMemoryMetastore() { metastore = new InMemoryMetastoreImpl <JObject>(); return(this); }
private static async void App(Options options) { IMetastore <JObject> metastore = null; KeyManagementService keyManagementService = null; if (options.Metastore == Metastore.ADO) { if (options.AdoConnectionString != null) { logger.LogInformation("using ADO-based metastore..."); metastore = AdoMetastoreImpl .NewBuilder(MySqlClientFactory.Instance, options.AdoConnectionString) .Build(); } else { logger.LogError("ADO connection string is a mandatory parameter with Metastore Type: ADO"); Console.WriteLine(HelpText.AutoBuild(cmdOptions, null, null)); return; } } else if (options.Metastore == Metastore.DYNAMODB) { logger.LogInformation("using DynamoDB-based metastore..."); AWSConfigs.AWSRegion = "us-west-2"; metastore = DynamoDbMetastoreImpl.NewBuilder().Build(); } else { logger.LogInformation("using in-memory metastore..."); metastore = new InMemoryMetastoreImpl <JObject>(); } if (options.Kms == Kms.AWS) { if (options.PreferredRegion != null && options.RegionToArnTuples != null) { Dictionary <string, string> regionToArnDictionary = new Dictionary <string, string>(); foreach (string regionArnPair in options.RegionToArnTuples) { string[] regionArnArray = regionArnPair.Split("="); regionToArnDictionary.Add(regionArnArray[0], regionArnArray[1]); } logger.LogInformation("using AWS KMS..."); keyManagementService = AwsKeyManagementServiceImpl .NewBuilder(regionToArnDictionary, options.PreferredRegion).Build(); } else { logger.LogError("Preferred region and <region>=<arn> tuples are mandatory with KMS Type: AWS"); Console.WriteLine(HelpText.AutoBuild(cmdOptions, null, null)); return; } } else { logger.LogInformation("using static KMS..."); keyManagementService = new StaticKeyManagementServiceImpl("mysupersecretstaticmasterkey!!!!"); } CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy .NewBuilder() .WithKeyExpirationDays(KeyExpirationDays) .WithRevokeCheckMinutes(CacheCheckMinutes) .Build(); // Setup metrics reporters and always include console. IMetricsBuilder metricsBuilder = new MetricsBuilder() .Report.ToConsole(consoleOptions => consoleOptions.FlushInterval = TimeSpan.FromSeconds(60)); // CloudWatch metrics generation if (options.EnableCloudWatch) { // Fill in when we open source our App.Metrics cloudwatch reporter separately } IMetrics metrics = metricsBuilder.Build(); // Create a session factory for this app. Normally this would be done upon app startup and the // same factory would be used anytime a new session is needed for a partition (e.g., shopper). // We've split it out into multiple using blocks to underscore this point. using (SessionFactory sessionFactory = SessionFactory .NewBuilder("productId", "reference_app") .WithMetastore(metastore) .WithCryptoPolicy(cryptoPolicy) .WithKeyManagementService(keyManagementService) .WithMetrics(metrics) .Build()) { // Now create an actual session for a partition (which in our case is a pretend shopper id). This session is used // for a transaction and is disposed automatically after use due to the IDisposable implementation. using (Session <byte[], byte[]> sessionBytes = sessionFactory.GetSessionBytes("shopper123")) { const string originalPayloadString = "mysupersecretpayload"; foreach (int i in Enumerable.Range(0, options.Iterations)) { string dataRowString; // If we get a DRR as a command line argument, we want to directly decrypt it if (options.Drr != null) { dataRowString = options.Drr; } else { // Encrypt the payload byte[] dataRowRecordBytes = sessionBytes.Encrypt(Encoding.UTF8.GetBytes(originalPayloadString)); // Consider this us "persisting" the DRR dataRowString = Convert.ToBase64String(dataRowRecordBytes); } logger.LogInformation("dataRowRecord as string = {dataRow}", dataRowString); byte[] newDataRowRecordBytes = Convert.FromBase64String(dataRowString); // Decrypt the payload string decryptedPayloadString = Encoding.UTF8.GetString(sessionBytes.Decrypt(newDataRowRecordBytes)); logger.LogInformation("decryptedPayloadString = {payload}", decryptedPayloadString); logger.LogInformation("matches = {result}", originalPayloadString.Equals(decryptedPayloadString)); } } } // Force final publish of metrics await Task.WhenAll(((IMetricsRoot)metrics).ReportRunner.RunAllAsync()); }
internal static Mock <IMetastore <JObject> > CreateMetastoreMock( Partition partition, KeyManagementService kms, KeyState metaIK, KeyState metaSK, CryptoKeyHolder cryptoKeyHolder, IMetastore <JObject> metastore) { CryptoKey systemKey = cryptoKeyHolder.SystemKey; Mock <IMetastore <JObject> > metastoreSpy = new Mock <IMetastore <JObject> >(); metastoreSpy .Setup(x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>())) .Returns <string, DateTimeOffset>(metastore.Load); metastoreSpy .Setup(x => x.LoadLatest(It.IsAny <string>())) .Returns <string>(metastore.LoadLatest); metastoreSpy .Setup(x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>())) .Returns <string, DateTimeOffset, JObject>(metastore.Store); if (metaSK != KeyState.Empty) { if (metaSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord( systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked()); metastore.Store( partition.SystemKeyId, systemKeyRecord.Created, systemKeyRecord.ToJson()); } if (metaIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (metaIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord( intermediateKey.GetCreated(), new KeyMeta(partition.SystemKeyId, systemKey.GetCreated()), Crypto.EncryptKey(intermediateKey, systemKey), intermediateKey.IsRevoked()); metastore.Store( partition.IntermediateKeyId, intermediateKeyRecord.Created, intermediateKeyRecord.ToJson()); } return(metastoreSpy); }
public static SessionFactory CreateDefaultSessionFactory( KeyManagementService keyManagementService, IMetastore <JObject> metastore) { return(CreateDefaultSessionFactory(DefaultProductId, DefaultServiceId, keyManagementService, metastore)); }