feat(encrption):add kms key manager

apache · Jan 12, 2024 · 5706cce · 5706cce
1 parent 6e28f52
commit 5706cce
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 29 deletions.
diff --git a/src/replica/replication_app_base.h b/src/replica/replication_app_base.h
@@ -96,8 +96,8 @@ struct kms_info
     static const std::string kKmsInfo; // json file name
 
     kms_info(const std::string &e_key = "",
-                     const std::string &i = "",
-                     const std::string &k_version = "")
+             const std::string &i = "",
+             const std::string &k_version = "")
         : eek(e_key), iv(i), kv(k_version)
     {
     }

diff --git a/src/security/kms_client.cpp b/src/security/kms_client.cpp
@@ -36,13 +36,6 @@
 namespace dsn {
 namespace security {
 
-#define RETURN_ERRS_NOT_TRUE(exp, code, ...)                                                       \
-    do {                                                                                           \
-        if (dsn_unlikely(!exp)) {                                                                  \
-            return dsn::error_s::make(code, fmt::format(__VA_ARGS__));                             \
-        }                                                                                          \
-    } while (false);
-
 dsn::error_s KMSClient::DecryptEncryptionKey(const dsn::replication::kms_info &kms_info,
                                              std::string *decrypted_key)
 {
@@ -96,12 +89,15 @@ dsn::error_s KMSClient::DecryptEncryptionKey(const dsn::replication::kms_info &k
     }
 
     std::string dek_b64;
-    RETURN_ERRS_NOT_TRUE(j.contains("material"), ERR_INVALID_DATA, "Null material received");
-    dek_b64 = j.at("material");
-
+    if (j.contains("material")) {
+        dek_b64 = j.at("material");
+    } else {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Null material received");
+    }
     std::string dek_plain;
-    RETURN_ERRS_NOT_TRUE(::absl::WebSafeBase64Unescape(dek_b64, &dek_plain), ERR_INVALID_DATA, "Invalid IV received");
-
+    if (!::absl::WebSafeBase64Unescape(dek_b64, &dek_plain)) {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Invalid IV received");
+    }
     *decrypted_key = ::absl::BytesToHexString(dek_plain);
     return dsn::error_s::ok();
 }
@@ -144,23 +140,33 @@ dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name
             "The http status is ({}), and url is ({})", get_http_status_message(http_status), url);
     }
 
-    RETURN_ERRS_NOT_TRUE(!j["versionName"].is_null(), ERR_INVALID_DATA, "Null versionName received");
-    j["versionName"].get_to(kms_info->kv);
-
+    if (!j["versionName"].is_null()) {
+        j["versionName"].get_to(kms_info->kv);
+    } else {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Null versionName received");
+    }
     std::string iv_b64;
-    RETURN_ERRS_NOT_TRUE(!j["iv"].is_null(), ERR_INVALID_DATA, "Null IV received");
-    j["iv"].get_to(iv_b64);
-
+    if (!j["iv"].is_null()) {
+        j["iv"].get_to(iv_b64);
+    } else {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Null IV received");
+    }
     std::string iv_plain;
-    RETURN_ERRS_NOT_TRUE(::absl::WebSafeBase64Unescape(iv_b64, &iv_plain), ERR_INVALID_DATA, "Invalid IV received");
+    if (!::absl::WebSafeBase64Unescape(iv_b64, &iv_plain)) {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Invalid IV received");
+    }
     kms_info->iv = ::absl::BytesToHexString(iv_plain);
-
     std::string key_b64;
-    RETURN_ERRS_NOT_TRUE(!j["encryptedKeyVersion"].is_null() && !j["encryptedKeyVersion"]["material"].is_null(), ERR_INVALID_DATA, "Null encryptedKeyVersion or material received");
-    j["encryptedKeyVersion"]["material"].get_to(key_b64);
-
+    if (!j["encryptedKeyVersion"].is_null() && !j["encryptedKeyVersion"]["material"].is_null()) {
+        j["encryptedKeyVersion"]["material"].get_to(key_b64);
+    } else {
+        return dsn::error_s::make(ERR_INVALID_DATA,
+                                  "Null encryptedKeyVersion or material received");
+    }
     std::string key_plain;
-    RETURN_ERRS_NOT_TRUE(::absl::WebSafeBase64Unescape(key_b64, &key_plain), ERR_INVALID_DATA, "Invalid encryption key received");
+    if (!::absl::WebSafeBase64Unescape(key_b64, &key_plain)) {
+        return dsn::error_s::make(ERR_INVALID_DATA, "Invalid encryption key received");
+    }
     kms_info->eek = ::absl::BytesToHexString(key_plain);
     return dsn::error_s::ok();
 }
@@ -170,7 +176,5 @@ dsn::error_s KMSClient::GenerateEncryptionKey(dsn::replication::kms_info *kms_in
     return GenerateEncryptionKeyFromKMS(cluster_key_name_, kms_info);
 }
 
-#undef RETURN_ERRS_NOT_TRUE
-
 } // namespace security
-} // namespace dsn
+} // namespace dsn