Пример #1
0
        private void TestBuilderPathWithSpecifiedInterfaces()
        {
            SessionFactory.IMetastoreStep metastoreStep =
                SessionFactory.NewBuilder(TestProductId, TestServiceId);
            Assert.NotNull(metastoreStep);

            IMetastore <JObject> metastore = new InMemoryMetastoreImpl <JObject>();

            SessionFactory.ICryptoPolicyStep cryptoPolicyStep =
                metastoreStep.WithMetastore(metastore);
            Assert.NotNull(cryptoPolicyStep);

            CryptoPolicy cryptoPolicy = new NeverExpiredCryptoPolicy();

            SessionFactory.IKeyManagementServiceStep keyManagementServiceStep =
                cryptoPolicyStep.WithCryptoPolicy(cryptoPolicy);
            Assert.NotNull(keyManagementServiceStep);

            KeyManagementService keyManagementService = new StaticKeyManagementServiceImpl(TestStaticMasterKey);

            SessionFactory.IBuildStep buildStep =
                keyManagementServiceStep.WithKeyManagementService(keyManagementService);
            Assert.NotNull(buildStep);

            SessionFactory sessionFactory = buildStep.Build();

            Assert.NotNull(sessionFactory);
        }
Пример #2
0
        public void IDecryptTheEncrypted_Data()
        {
            KeyManagementService keyManagementService = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey);

            AdoMetastoreImpl metastore = AdoMetastoreImpl
                                         .NewBuilder(MySqlClientFactory.Instance, AdoConnectionString)
                                         .Build();

            CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy
                                        .NewBuilder()
                                        .WithKeyExpirationDays(KeyExpiryDays)
                                        .WithRevokeCheckMinutes(RevokeCheckMinutes)
                                        .Build();

            // Create a session factory for the test
            using (SessionFactory sessionFactory = SessionFactory
                                                   .NewBuilder(DefaultProductId, DefaultServiceId)
                                                   .WithMetastore(metastore)
                                                   .WithCryptoPolicy(cryptoPolicy)
                                                   .WithKeyManagementService(keyManagementService)
                                                   .Build())
            {
                // Now create an actual session for a partition (which in our case is a dummy id). This session is used
                // for a transaction and is disposed automatically after use due to the IDisposable implementation.
                using (Session <byte[], byte[]> sessionBytes = sessionFactory.GetSessionBytes(DefaultPartitionId))
                {
                    decryptedPayload = Encoding.UTF8.GetString(sessionBytes.Decrypt(encryptedPayload));
                }
            }
        }
Пример #3
0
        private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
        {
            AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition(
                cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
                cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
                DefaultProductId);

            // TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS
            KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey);

            CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();

            // TODO Pass Metastore type to enable spy generation once we plug in external metastore types
            Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder);

            CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);

            // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
            CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
                                        .WithKeyExpirationDays(KeyExpiryDays)
                                        .WithRevokeCheckMinutes(int.MaxValue)
                                        .WithCanCacheIntermediateKeys(false)
                                        .WithCanCacheSystemKeys(false)
                                        .Build();

            SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
            SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache       = cacheMock.SystemKeyCache;

            EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
                appEncryptionPartition,
                metastorePersistence.Object,
                systemKeyCache,
                new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
                new BouncyAes256GcmCrypto(),
                cryptoPolicy,
                kms);

            IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);

            // Need to manually set a no-op metrics instance
            IMetrics metrics = new MetricsBuilder()
                               .Configuration.Configure(options => options.Enabled = false)
                               .Build();

            MetricsUtil.SetMetricsInstance(metrics);

            return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition });
        }
Пример #4
0
        private static async void App(Options options)
        {
            IMetastore <JObject> metastore            = null;
            KeyManagementService keyManagementService = null;

            if (options.Metastore == Metastore.ADO)
            {
                if (options.AdoConnectionString != null)
                {
                    logger.LogInformation("using ADO-based metastore...");
                    metastore = AdoMetastoreImpl
                                .NewBuilder(MySqlClientFactory.Instance, options.AdoConnectionString)
                                .Build();
                }
                else
                {
                    logger.LogError("ADO connection string is a mandatory parameter with Metastore Type: ADO");
                    Console.WriteLine(HelpText.AutoBuild(cmdOptions, null, null));
                    return;
                }
            }
            else if (options.Metastore == Metastore.DYNAMODB)
            {
                logger.LogInformation("using DynamoDB-based metastore...");
                AWSConfigs.AWSRegion = "us-west-2";
                metastore            = DynamoDbMetastoreImpl.NewBuilder().Build();
            }
            else
            {
                logger.LogInformation("using in-memory metastore...");
                metastore = new InMemoryMetastoreImpl <JObject>();
            }

            if (options.Kms == Kms.AWS)
            {
                if (options.PreferredRegion != null && options.RegionToArnTuples != null)
                {
                    Dictionary <string, string> regionToArnDictionary = new Dictionary <string, string>();
                    foreach (string regionArnPair in options.RegionToArnTuples)
                    {
                        string[] regionArnArray = regionArnPair.Split("=");
                        regionToArnDictionary.Add(regionArnArray[0], regionArnArray[1]);
                    }

                    logger.LogInformation("using AWS KMS...");
                    keyManagementService = AwsKeyManagementServiceImpl
                                           .NewBuilder(regionToArnDictionary, options.PreferredRegion).Build();
                }
                else
                {
                    logger.LogError("Preferred region and <region>=<arn> tuples are mandatory with  KMS Type: AWS");
                    Console.WriteLine(HelpText.AutoBuild(cmdOptions, null, null));
                    return;
                }
            }
            else
            {
                logger.LogInformation("using static KMS...");
                keyManagementService = new StaticKeyManagementServiceImpl("mysupersecretstaticmasterkey!!!!");
            }

            CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy
                                        .NewBuilder()
                                        .WithKeyExpirationDays(KeyExpirationDays)
                                        .WithRevokeCheckMinutes(CacheCheckMinutes)
                                        .Build();

            // Setup metrics reporters and always include console.
            IMetricsBuilder metricsBuilder = new MetricsBuilder()
                                             .Report.ToConsole(consoleOptions => consoleOptions.FlushInterval = TimeSpan.FromSeconds(60));

            // CloudWatch metrics generation
            if (options.EnableCloudWatch)
            {
                // Fill in when we open source our App.Metrics cloudwatch reporter separately
            }

            IMetrics metrics = metricsBuilder.Build();

            // Create a session factory for this app. Normally this would be done upon app startup and the
            // same factory would be used anytime a new session is needed for a partition (e.g., shopper).
            // We've split it out into multiple using blocks to underscore this point.
            using (SessionFactory sessionFactory = SessionFactory
                                                   .NewBuilder("productId", "reference_app")
                                                   .WithMetastore(metastore)
                                                   .WithCryptoPolicy(cryptoPolicy)
                                                   .WithKeyManagementService(keyManagementService)
                                                   .WithMetrics(metrics)
                                                   .Build())
            {
                // Now create an actual session for a partition (which in our case is a pretend shopper id). This session is used
                // for a transaction and is disposed automatically after use due to the IDisposable implementation.
                using (Session <byte[], byte[]> sessionBytes =
                           sessionFactory.GetSessionBytes("shopper123"))
                {
                    const string originalPayloadString = "mysupersecretpayload";
                    foreach (int i in Enumerable.Range(0, options.Iterations))
                    {
                        string dataRowString;

                        // If we get a DRR as a command line argument, we want to directly decrypt it
                        if (options.Drr != null)
                        {
                            dataRowString = options.Drr;
                        }
                        else
                        {
                            // Encrypt the payload
                            byte[] dataRowRecordBytes =
                                sessionBytes.Encrypt(Encoding.UTF8.GetBytes(originalPayloadString));

                            // Consider this us "persisting" the DRR
                            dataRowString = Convert.ToBase64String(dataRowRecordBytes);
                        }

                        logger.LogInformation("dataRowRecord as string = {dataRow}", dataRowString);

                        byte[] newDataRowRecordBytes = Convert.FromBase64String(dataRowString);

                        // Decrypt the payload
                        string decryptedPayloadString =
                            Encoding.UTF8.GetString(sessionBytes.Decrypt(newDataRowRecordBytes));

                        logger.LogInformation("decryptedPayloadString = {payload}", decryptedPayloadString);
                        logger.LogInformation("matches = {result}", originalPayloadString.Equals(decryptedPayloadString));
                    }
                }
            }

            // Force final publish of metrics
            await Task.WhenAll(((IMetricsRoot)metrics).ReportRunner.RunAllAsync());
        }