Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(engine): json encryption key rollover #6247

Merged
merged 2 commits into from
Aug 3, 2022
Merged

fix(engine): json encryption key rollover #6247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
14dc0b0
fix(engine): json encryption key rollover
fsamin Aug 3, 2022
f9062ba
fix(engine): json encryption key rollover
fsamin Aug 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions engine/gorpmapper/dao.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,10 @@ func (m *Mapper) UpdateColumns(db gorp.SqlExecutor, i interface{}, columnFilter
hasPlaceHolder = true
break
}
if field.Kind() == reflect.Struct && field.IsZero() {
hasPlaceHolder = true
break
}
}

// If the data has encrypted data
Expand All @@ -99,8 +103,9 @@ func (m *Mapper) UpdateColumns(db gorp.SqlExecutor, i interface{}, columnFilter
for _, f := range mapping.EncryptedFields {
// Reset the field to the decrypted value if the value is set to the placeholder
field := val.FieldByName(f.Name)
if field.Interface() == sdk.PasswordPlaceholder {
oldVal := valTuple.FieldByName(f.Name)
oldVal := valTuple.FieldByName(f.Name)

if field.Interface() == sdk.PasswordPlaceholder || field.Kind() == reflect.Struct && field.IsZero() {
field.Set(oldVal)
}
}
Expand Down
44 changes: 44 additions & 0 deletions engine/gorpmapper/encryption_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,15 @@ func TestEncryption(t *testing.T) {
Data: "data",
SensitiveData: "sensitive-data",
AnotherSensitiveData: "another-sensitive-data",
SensitiveJsonData: gorpmapper.SensitiveJsonData{
Data: "some-data",
},
}

require.NoError(t, m.InsertAndSign(context.TODO(), db, &d))
assert.Equal(t, sdk.PasswordPlaceholder, d.SensitiveData)
assert.Equal(t, sdk.PasswordPlaceholder, d.AnotherSensitiveData)
assert.Zero(t, d.SensitiveJsonData)

// UpdateAndSign should not save place holders
require.NoError(t, m.UpdateAndSign(context.TODO(), db, &d))
Expand Down Expand Up @@ -82,6 +86,7 @@ func TestEncryption(t *testing.T) {
require.Equal(t, d.Data, d2.Data)
require.Equal(t, "sensitive--data", d2.SensitiveData)
require.Equal(t, "another-sensitive-data", d2.AnotherSensitiveData)
assert.Equal(t, "some-data", d2.SensitiveJsonData.Data)
}

func TestEncryption_Multiple(t *testing.T) {
Expand All @@ -94,13 +99,15 @@ func TestEncryption_Multiple(t *testing.T) {
Data: "data-1",
SensitiveData: "sensitive-data-1",
AnotherSensitiveData: "another-sensitive-data-1",
SensitiveJsonData: gorpmapper.SensitiveJsonData{Data: "json-sentitive-data-1"},
}
require.NoError(t, m.InsertAndSign(context.TODO(), db, &d1))

var d2 = gorpmapper.TestEncryptedData{
Data: "data-2",
SensitiveData: "sensitive-data-2",
AnotherSensitiveData: "another-sensitive-data-2",
SensitiveJsonData: gorpmapper.SensitiveJsonData{Data: "json-sentitive-data-2"},
}
require.NoError(t, m.InsertAndSign(context.TODO(), db, &d2))

Expand All @@ -114,11 +121,13 @@ func TestEncryption_Multiple(t *testing.T) {
require.Equal(t, "data-1", dslice[0].Data)
require.Equal(t, sdk.PasswordPlaceholder, dslice[0].SensitiveData)
require.Equal(t, sdk.PasswordPlaceholder, dslice[0].AnotherSensitiveData)
require.Zero(t, dslice[0].SensitiveJsonData)

require.Equal(t, d2.ID, dslice[1].ID)
require.Equal(t, "data-2", dslice[1].Data)
require.Equal(t, sdk.PasswordPlaceholder, dslice[1].SensitiveData)
require.Equal(t, sdk.PasswordPlaceholder, dslice[1].AnotherSensitiveData)
require.Zero(t, dslice[1].SensitiveJsonData)

// Test that GetAll replaces encrypted values with clearValue if WithDecryption options is used
query = gorpmapper.NewQuery("SELECT * FROM test_encrypted_data WHERE id IN ($1, $2) ORDER BY id").Args(d1.ID, d2.ID)
Expand All @@ -138,9 +147,44 @@ func TestEncryption_Multiple(t *testing.T) {
require.Equal(t, "data-1", dslice[0].Data)
require.Equal(t, "sensitive-data-1", dslice[0].SensitiveData)
require.Equal(t, "another-sensitive-data-1", dslice[0].AnotherSensitiveData)
require.Equal(t, "json-sentitive-data-1", dslice[0].SensitiveJsonData.Data)

require.Equal(t, d2.ID, dslice[1].ID)
require.Equal(t, "data-2", dslice[1].Data)
require.Equal(t, "sensitive-data-2", dslice[1].SensitiveData)
require.Equal(t, "another-sensitive-data-2", dslice[1].AnotherSensitiveData)
require.Equal(t, "json-sentitive-data-2", dslice[1].SensitiveJsonData.Data)
}

func TestRollEncryptedTupleByPrimaryKey(t *testing.T) {
m := gorpmapper.New()
m.Register(m.NewTableMapping(gorpmapper.TestEncryptedData{}, "test_encrypted_data", true, "id"))

db, _ := test.SetupPGWithMapper(t, m, sdk.TypeAPI)

var d1 = gorpmapper.TestEncryptedData{
Data: "data-1",
SensitiveData: "sensitive-data-1",
AnotherSensitiveData: "another-sensitive-data-1",
SensitiveJsonData: gorpmapper.SensitiveJsonData{Data: "json-sentitive-data-1"},
}
require.NoError(t, m.InsertAndSign(context.TODO(), db, &d1))
require.NoError(t, m.UpdateAndSign(context.TODO(), db, &d1))

require.NoError(t, m.RollEncryptedTupleByPrimaryKey(context.Background(), db, "gorpmapper.TestEncryptedData", d1.ID))

var query = gorpmapper.NewQuery("select * from test_encrypted_data where id = $1").Args(d1.ID)
var d2 gorpmapper.TestEncryptedData
_, err := m.Get(context.TODO(), db, query, &d2, gorpmapping.GetOptions.WithDecryption)
require.NoError(t, err)

isValid, err := m.CheckSignature(d2, d2.Signature)
require.NoError(t, err)
require.True(t, isValid)

require.Equal(t, d1.ID, d2.ID)
require.Equal(t, d1.Data, d2.Data)
require.Equal(t, "sensitive-data-1", d2.SensitiveData)
require.Equal(t, "another-sensitive-data-1", d2.AnotherSensitiveData)
assert.Equal(t, "json-sentitive-data-1", d2.SensitiveJsonData.Data)
}
13 changes: 9 additions & 4 deletions engine/gorpmapper/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,15 @@ func (fs CanonicalForms) Latest() (*CanonicalForm, CanonicalForms) {

type TestEncryptedData struct {
SignedEntity
ID int64 `db:"id"`
Data string `db:"data"`
SensitiveData string `db:"sensitive_data" gorpmapping:"encrypted,Data"`
AnotherSensitiveData string `db:"another_sensitive_data" gorpmapping:"encrypted,ID,Data"`
ID int64 `db:"id"`
Data string `db:"data"`
SensitiveData string `db:"sensitive_data" gorpmapping:"encrypted,Data"`
AnotherSensitiveData string `db:"another_sensitive_data" gorpmapping:"encrypted,ID,Data"`
SensitiveJsonData SensitiveJsonData `db:"sensitive_json_data" gorpmapping:"encrypted,ID"`
}

type SensitiveJsonData struct {
Data string
}

func (e TestEncryptedData) Canonical() CanonicalForms {
Expand Down
5 changes: 5 additions & 0 deletions engine/sql/api/247_database_encryption_test.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-- +migrate Up
ALTER TABLE test_encrypted_data ADD COLUMN sensitive_json_data BYTEA;

-- +migrate Down
ALTER TABLE test_encrypted_data DROP COLUMN sensitive_json_data;
5 changes: 5 additions & 0 deletions engine/sql/cdn/017_database_encryption_test.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-- +migrate Up
ALTER TABLE test_encrypted_data ADD COLUMN sensitive_json_data BYTEA;

-- +migrate Down
ALTER TABLE test_encrypted_data DROP COLUMN sensitive_json_data;