internal async Task <(byte[], EncryptionKeyWrapMetadata, InMemoryRawDek)> WrapAsync(
byte[] key,
CosmosEncryptionAlgorithm encryptionAlgorithmId,
EncryptionKeyWrapMetadata metadata,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
EncryptionKeyWrapProvider encryptionKeyWrapProvider = this.ClientContext.ClientOptions.EncryptionKeyWrapProvider;
if (encryptionKeyWrapProvider == null)
{
throw new ArgumentException(ClientResources.EncryptionKeyWrapProviderNotConfigured);
}
EncryptionKeyWrapResult keyWrapResponse;
using (diagnosticsContext.CreateScope("WrapDataEncryptionKey"))
{
keyWrapResponse = await encryptionKeyWrapProvider.WrapKeyAsync(key, metadata, cancellationToken);
}
// Verify
DataEncryptionKeyProperties tempDekProperties = new DataEncryptionKeyProperties(this.Id, encryptionAlgorithmId, keyWrapResponse.WrappedDataEncryptionKey, keyWrapResponse.EncryptionKeyWrapMetadata);
InMemoryRawDek roundTripResponse = await this.UnwrapAsync(tempDekProperties, diagnosticsContext, cancellationToken);
if (!roundTripResponse.RawDek.SequenceEqual(key))
{
throw CosmosExceptionFactory.CreateBadRequestException(ClientResources.KeyWrappingDidNotRoundtrip,
diagnosticsContext: diagnosticsContext);
}
return(keyWrapResponse.WrappedDataEncryptionKey, keyWrapResponse.EncryptionKeyWrapMetadata, roundTripResponse);
}
internal async Task <(DataEncryptionKeyProperties, InMemoryRawDek)> FetchUnwrappedAsync(
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
DataEncryptionKeyProperties dekProperties = null;
try
{
dekProperties = await this.ClientContext.DekCache.GetOrAddByNameLinkUriAsync(
this.LinkUri,
this.Database.Id,
this.ReadResourceAsync,
diagnosticsContext,
cancellationToken);
}
catch (CosmosException ex) when(ex.StatusCode == HttpStatusCode.NotFound)
{
throw CosmosExceptionFactory.CreateNotFoundException(
ClientResources.DataEncryptionKeyNotFound,
diagnosticsContext: diagnosticsContext,
innerException: ex);
}
InMemoryRawDek inMemoryRawDek = await this.ClientContext.DekCache.GetOrAddRawDekAsync(
dekProperties,
this.UnwrapAsync,
diagnosticsContext,
cancellationToken);
return(dekProperties, inMemoryRawDek);
}
internal async Task <(DataEncryptionKeyProperties, InMemoryRawDek)> FetchUnwrappedByRidAsync(
string rid,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
string dekRidSelfLink = PathsHelper.GeneratePath(ResourceType.ClientEncryptionKey, rid, isFeed: false);
// Server self links end with / but client generate links don't - match them.
if (!dekRidSelfLink.EndsWith("/"))
{
dekRidSelfLink += "/";
}
DataEncryptionKeyProperties dekProperties = null;
try
{
dekProperties = await this.ClientContext.DekCache.GetOrAddByRidSelfLinkAsync(
dekRidSelfLink,
this.Database.Id,
this.ReadResourceByRidSelfLinkAsync,
this.LinkUri,
diagnosticsContext,
cancellationToken);
}
catch (CosmosException ex) when(ex.StatusCode == HttpStatusCode.NotFound)
{
throw CosmosExceptionFactory.CreateNotFoundException(
ClientResources.DataEncryptionKeyNotFound,
diagnosticsContext: diagnosticsContext,
innerException: ex);
}
InMemoryRawDek inMemoryRawDek = await this.ClientContext.DekCache.GetOrAddRawDekAsync(
dekProperties,
this.UnwrapAsync,
diagnosticsContext,
cancellationToken);
return(dekProperties, inMemoryRawDek);
}
public async Task <InMemoryRawDek> GetOrAddRawDekAsync(
DataEncryptionKeyProperties dekProperties,
Func <DataEncryptionKeyProperties, CosmosDiagnosticsContext, CancellationToken, Task <InMemoryRawDek> > unwrapper,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
InMemoryRawDek inMemoryRawDek = await this.RawDekByRidSelfLinkCache.GetAsync(
dekProperties.SelfLink,
null,
() => unwrapper(dekProperties, diagnosticsContext, cancellationToken),
cancellationToken);
if (inMemoryRawDek.RawDekExpiry <= DateTime.UtcNow)
{
inMemoryRawDek = await this.RawDekByRidSelfLinkCache.GetAsync(
dekProperties.SelfLink,
null,
() => unwrapper(dekProperties, diagnosticsContext, cancellationToken),
cancellationToken,
forceRefresh : true);
}
return(inMemoryRawDek);
}
public void SetRawDek(string dekRidSelfLink, InMemoryRawDek inMemoryRawDek)
{
this.RawDekByRidSelfLinkCache.Set(dekRidSelfLink, inMemoryRawDek);
}
