/// <inheritdoc/>
public override async Task <ItemResponse <DataEncryptionKeyProperties> > RewrapDataEncryptionKeyAsync(
string id,
EncryptionKeyWrapMetadata newWrapMetadata,
ItemRequestOptions requestOptions = null,
CancellationToken cancellationToken = default)
{
if (newWrapMetadata == null)
{
throw new ArgumentNullException(nameof(newWrapMetadata));
}
CosmosDiagnosticsContext diagnosticsContext = CosmosDiagnosticsContext.Create(requestOptions);
DataEncryptionKeyProperties dekProperties = await this.FetchDataEncryptionKeyPropertiesAsync(
id,
diagnosticsContext,
cancellationToken);
byte[] rawkey = null;
if (string.Equals(dekProperties.EncryptionAlgorithm, CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized))
{
InMemoryRawDek inMemoryRawDek = await this.FetchUnwrappedAsync(
dekProperties,
diagnosticsContext,
cancellationToken);
rawkey = inMemoryRawDek.DataEncryptionKey.RawKey;
}
else if (string.Equals(dekProperties.EncryptionAlgorithm, CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized))
{
EncryptionKeyUnwrapResult encryptionKeyUnwrapResult = await this.DekProvider.MdeKeyWrapProvider.UnwrapKeyAsync(
dekProperties.WrappedDataEncryptionKey,
dekProperties.EncryptionKeyWrapMetadata,
cancellationToken);
rawkey = encryptionKeyUnwrapResult.DataEncryptionKey;
}
(byte[] wrappedDek, EncryptionKeyWrapMetadata updatedMetadata, InMemoryRawDek updatedRawDek) = await this.WrapAsync(
id,
rawkey,
dekProperties.EncryptionAlgorithm,
newWrapMetadata,
diagnosticsContext,
cancellationToken);
if (requestOptions == null)
{
requestOptions = new ItemRequestOptions();
}
requestOptions.IfMatchEtag = dekProperties.ETag;
DataEncryptionKeyProperties newDekProperties = new DataEncryptionKeyProperties(dekProperties)
{
WrappedDataEncryptionKey = wrappedDek,
EncryptionKeyWrapMetadata = updatedMetadata,
};
ItemResponse <DataEncryptionKeyProperties> response;
try
{
response = await this.DekProvider.Container.ReplaceItemAsync(
newDekProperties,
newDekProperties.Id,
new PartitionKey(newDekProperties.Id),
requestOptions,
cancellationToken);
Debug.Assert(response.Resource != null);
}
catch (CosmosException ex)
{
if (!ex.StatusCode.Equals(HttpStatusCode.PreconditionFailed))
{
throw;
}
// Handle if exception is due to etag mismatch. The scenario is as follows - say there are 2 clients A and B that both have the DEK properties cached.
// From A, rewrap worked and the DEK is updated. Now from B, rewrap was attempted later based on the cached properties which will fail due to etag mismatch.
// To address this, we do an explicit read, which reads the key from storage and updates the cached properties; and then attempt rewrap again.
await this.ReadDataEncryptionKeyAsync(
newDekProperties.Id,
requestOptions,
cancellationToken);
return(await this.RewrapDataEncryptionKeyAsync(
id,
newWrapMetadata,
requestOptions,
cancellationToken));
}
this.DekProvider.DekCache.SetDekProperties(id, response.Resource);
if (string.Equals(dekProperties.EncryptionAlgorithm, CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized))
{
this.DekProvider.DekCache.SetRawDek(id, updatedRawDek);
}
return(response);
}
public override async Task <ItemResponse <DataEncryptionKeyProperties> > CreateDataEncryptionKeyAsync(
string id,
string encryptionAlgorithm,
EncryptionKeyWrapMetadata encryptionKeyWrapMetadata,
ItemRequestOptions requestOptions = null,
CancellationToken cancellationToken = default)
{
if (string.IsNullOrEmpty(id))
{
throw new ArgumentNullException(nameof(id));
}
if (!CosmosEncryptionAlgorithm.VerifyIfSupportedAlgorithm(encryptionAlgorithm))
{
throw new ArgumentException(string.Format("Unsupported Encryption Algorithm {0}", encryptionAlgorithm), nameof(encryptionAlgorithm));
}
if (encryptionKeyWrapMetadata == null)
{
throw new ArgumentNullException(nameof(encryptionKeyWrapMetadata));
}
CosmosDiagnosticsContext diagnosticsContext = CosmosDiagnosticsContext.Create(requestOptions);
byte[] wrappedDek = null;
EncryptionKeyWrapMetadata updatedMetadata = null;
InMemoryRawDek inMemoryRawDek = null;
if (string.Equals(encryptionAlgorithm, CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized))
{
(wrappedDek, updatedMetadata, inMemoryRawDek) = await this.GenerateAndWrapRawDekForLegacyEncAlgoAsync(
id,
encryptionAlgorithm,
encryptionKeyWrapMetadata,
diagnosticsContext,
cancellationToken);
}
else if (string.Equals(encryptionAlgorithm, CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized))
{
(wrappedDek, updatedMetadata) = this.GenerateAndWrapPdekForMdeEncAlgo(encryptionKeyWrapMetadata);
}
DataEncryptionKeyProperties dekProperties = new DataEncryptionKeyProperties(
id,
encryptionAlgorithm,
wrappedDek,
updatedMetadata,
DateTime.UtcNow);
ItemResponse <DataEncryptionKeyProperties> dekResponse = await this.DekProvider.Container.CreateItemAsync(
dekProperties,
new PartitionKey(dekProperties.Id),
cancellationToken : cancellationToken);
this.DekProvider.DekCache.SetDekProperties(id, dekResponse.Resource);
if (string.Equals(encryptionAlgorithm, CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized))
{
this.DekProvider.DekCache.SetRawDek(id, inMemoryRawDek);
}
return(dekResponse);
}
public override async Task <ItemResponse <T> > CreateItemAsync <T>(
T item,
PartitionKey?partitionKey = null,
ItemRequestOptions requestOptions = null,
CancellationToken cancellationToken = default)
{
if (item == null)
{
throw new ArgumentNullException(nameof(item));
}
if (!(requestOptions is EncryptionItemRequestOptions encryptionItemRequestOptions) ||
encryptionItemRequestOptions.EncryptionOptions == null)
{
return(await this.container.CreateItemAsync <T>(
item,
partitionKey,
requestOptions,
cancellationToken));
}
if (partitionKey == null)
{
throw new NotSupportedException($"{nameof(partitionKey)} cannot be null for operations using {nameof(EncryptionContainer)}.");
}
CosmosDiagnosticsContext diagnosticsContext = CosmosDiagnosticsContext.Create(requestOptions);
using (diagnosticsContext.CreateScope("CreateItem"))
{
ResponseMessage responseMessage;
if (item is EncryptableItem encryptableItem)
{
using (Stream streamPayload = encryptableItem.ToStream(this.CosmosSerializer))
{
responseMessage = await this.CreateItemHelperAsync(
streamPayload,
partitionKey.Value,
requestOptions,
decryptResponse : false,
diagnosticsContext,
cancellationToken);
}
encryptableItem.SetDecryptableItem(
EncryptionProcessor.BaseSerializer.FromStream <JObject>(responseMessage.Content),
this.Encryptor,
this.CosmosSerializer);
return(new EncryptionItemResponse <T>(
responseMessage,
item));
}
else
{
using (Stream itemStream = this.CosmosSerializer.ToStream <T>(item))
{
responseMessage = await this.CreateItemHelperAsync(
itemStream,
partitionKey.Value,
requestOptions,
decryptResponse : true,
diagnosticsContext,
cancellationToken);
}
return(this.ResponseFactory.CreateItemResponse <T>(responseMessage));
}
}
}