internal async Task <EncryptionSettings> GetEncryptionSettingForPropertyAsync(
string propertyName,
EncryptionProcessor encryptionProcessor,
CancellationToken cancellationToken)
{
CachedEncryptionSettings cachedEncryptionSettings = await this.EncryptionSettingCacheByPropertyName.GetAsync(
propertyName,
obsoleteValue : null,
async() => await this.FetchCachedEncryptionSettingsAsync(propertyName, encryptionProcessor, cancellationToken),
cancellationToken);
if (cachedEncryptionSettings == null)
{
return(null);
}
// we just cache the algo for the property for a duration of 1 hour and when it expires we try to fetch the cached Encrypted key
// from the Cosmos Client and try to create a Protected Data Encryption Key which tries to unwrap the key.
// 1) Try to check if the KEK has been revoked may be post rotation. If the request fails this could mean the KEK was revoked,
// the user might have rewraped the Key and that is when we try to force fetch it from the Backend.
// So we only read back from the backend only when an operation like wrap/unwrap with the Master Key fails.
if (cachedEncryptionSettings.EncryptionSettingsExpiryUtc <= DateTime.UtcNow)
{
cachedEncryptionSettings = await this.EncryptionSettingCacheByPropertyName.GetAsync(
propertyName,
obsoleteValue : null,
async() => await this.FetchCachedEncryptionSettingsAsync(propertyName, encryptionProcessor, cancellationToken),
cancellationToken,
forceRefresh : true);
}
return(cachedEncryptionSettings.EncryptionSettings);
}
internal void SetEncryptionSettingForProperty(string propertyName, EncryptionSettings encryptionSettings, DateTime expiryUtc)
{
CachedEncryptionSettings cachedEncryptionSettings = new CachedEncryptionSettings(encryptionSettings, expiryUtc);
this.EncryptionSettingCacheByPropertyName.Set(propertyName, cachedEncryptionSettings);
}
