Skip to content

Commit

Permalink
Revert "refactor: typesafe encrypted DB columns (#2400)"
Browse files Browse the repository at this point in the history
This reverts commit f75a5f0.
  • Loading branch information
gak committed Aug 19, 2024
1 parent f75a5f0 commit ac0b904
Show file tree
Hide file tree
Showing 18 changed files with 84 additions and 193 deletions.
6 changes: 1 addition & 5 deletions .go-arch-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -100,8 +100,4 @@ deps:
- common
- internal
- sql
- leases
encoding:
mayDependOn:
- common
- internal
- leases
7 changes: 3 additions & 4 deletions backend/controller/cronjobs/sql/models.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 4 additions & 5 deletions backend/controller/dal/async_calls.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ func (d *DAL) AcquireAsyncCall(ctx context.Context) (call *AsyncCall, err error)
return nil, fmt.Errorf("failed to parse origin key %q: %w", row.Origin, err)
}

decryptedRequest, err := d.decrypt(&row.Request)
decryptedRequest, err := d.decrypt(encryption.AsyncSubKey, row.Request)
if err != nil {
return nil, fmt.Errorf("failed to decrypt async call request: %w", err)
}
Expand Down Expand Up @@ -158,12 +158,11 @@ func (d *DAL) CompleteAsyncCall(ctx context.Context,
didScheduleAnotherCall = false
switch result := result.(type) {
case either.Left[[]byte, string]: // Successful response.
var encryptedResult encryption.EncryptedAsyncColumn
err := d.encrypt(result.Get(), &encryptedResult)
encryptedResult, err := d.encrypt(encryption.AsyncSubKey, result.Get())
if err != nil {
return false, fmt.Errorf("failed to encrypt async call result: %w", err)
}
_, err = tx.db.SucceedAsyncCall(ctx, optional.Some(encryptedResult), call.ID)
_, err = tx.db.SucceedAsyncCall(ctx, encryptedResult, call.ID)
if err != nil {
return false, dalerrs.TranslatePGError(err) //nolint:wrapcheck
}
Expand Down Expand Up @@ -228,7 +227,7 @@ func (d *DAL) LoadAsyncCall(ctx context.Context, id int64) (*AsyncCall, error) {
if err != nil {
return nil, fmt.Errorf("failed to parse origin key %q: %w", row.Origin, err)
}
request, err := d.decrypt(&row.Request)
request, err := d.decrypt(encryption.AsyncSubKey, row.Request)
if err != nil {
return nil, fmt.Errorf("failed to decrypt async call request: %w", err)
}
Expand Down
18 changes: 7 additions & 11 deletions backend/controller/dal/dal.go
Original file line number Diff line number Diff line change
Expand Up @@ -709,11 +709,10 @@ func (d *DAL) SetDeploymentReplicas(ctx context.Context, key model.DeploymentKey
return dalerrs.TranslatePGError(err)
}
}
var payload encryption.EncryptedTimelineColumn
err = d.encryptJSON(map[string]interface{}{
payload, err := d.encryptJSON(encryption.TimelineSubKey, map[string]interface{}{
"prev_min_replicas": deployment.MinReplicas,
"min_replicas": minReplicas,
}, &payload)
})
if err != nil {
return fmt.Errorf("failed to encrypt payload for InsertDeploymentUpdatedEvent: %w", err)
}
Expand Down Expand Up @@ -783,11 +782,10 @@ func (d *DAL) ReplaceDeployment(ctx context.Context, newDeploymentKey model.Depl
}
}

var payload encryption.EncryptedTimelineColumn
err = d.encryptJSON(map[string]any{
payload, err := d.encryptJSON(encryption.TimelineSubKey, map[string]any{
"min_replicas": int32(minReplicas),
"replaced": replacedDeploymentKey,
}, &payload)
})
if err != nil {
return fmt.Errorf("replace deployment failed to encrypt payload: %w", err)
}
Expand Down Expand Up @@ -1059,8 +1057,7 @@ func (d *DAL) InsertLogEvent(ctx context.Context, log *LogEvent) error {
"error": log.Error,
"stack": log.Stack,
}
var encryptedPayload encryption.EncryptedTimelineColumn
err := d.encryptJSON(payload, &encryptedPayload)
encryptedPayload, err := d.encryptJSON(encryption.TimelineSubKey, payload)
if err != nil {
return fmt.Errorf("failed to encrypt log payload: %w", err)
}
Expand Down Expand Up @@ -1140,14 +1137,13 @@ func (d *DAL) InsertCallEvent(ctx context.Context, call *CallEvent) error {
if pr, ok := call.ParentRequestKey.Get(); ok {
parentRequestKey = optional.Some(pr.String())
}
var payload encryption.EncryptedTimelineColumn
err := d.encryptJSON(map[string]any{
payload, err := d.encryptJSON(encryption.TimelineSubKey, map[string]any{
"duration_ms": call.Duration.Milliseconds(),
"request": call.Request,
"response": call.Response,
"error": call.Error,
"stack": call.Stack,
}, &payload)
})
if err != nil {
return fmt.Errorf("failed to encrypt call payload: %w", err)
}
Expand Down
28 changes: 14 additions & 14 deletions backend/controller/dal/encryption.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,45 +10,45 @@ import (
"github.com/TBD54566975/ftl/internal/log"
)

func (d *DAL) encrypt(cleartext []byte, dest encryption.Encrypted) error {
func (d *DAL) encrypt(subKey encryption.SubKey, cleartext []byte) ([]byte, error) {
if d.encryptor == nil {
return fmt.Errorf("encryptor not set")
return nil, fmt.Errorf("encryptor not set")
}

err := d.encryptor.Encrypt(cleartext, dest)
v, err := d.encryptor.Encrypt(subKey, cleartext)
if err != nil {
return fmt.Errorf("failed to encrypt binary with subkey %s: %w", dest.SubKey(), err)
return nil, fmt.Errorf("failed to encrypt binary with subkey %s: %w", subKey, err)
}

return nil
return v, nil
}

func (d *DAL) decrypt(encrypted encryption.Encrypted) ([]byte, error) {
func (d *DAL) decrypt(subKey encryption.SubKey, encrypted []byte) ([]byte, error) {
if d.encryptor == nil {
return nil, fmt.Errorf("encryptor not set")
}

v, err := d.encryptor.Decrypt(encrypted)
v, err := d.encryptor.Decrypt(subKey, encrypted)
if err != nil {
return nil, fmt.Errorf("failed to decrypt binary with subkey %s: %w", encrypted.SubKey(), err)
return nil, fmt.Errorf("failed to decrypt binary with subkey %s: %w", subKey, err)
}

return v, nil
}

func (d *DAL) encryptJSON(v any, dest encryption.Encrypted) error {
func (d *DAL) encryptJSON(subKey encryption.SubKey, v any) ([]byte, error) {
serialized, err := json.Marshal(v)
if err != nil {
return fmt.Errorf("failed to marshal JSON: %w", err)
return nil, fmt.Errorf("failed to marshal JSON: %w", err)
}

return d.encrypt(serialized, dest)
return d.encrypt(subKey, serialized)
}

func (d *DAL) decryptJSON(encrypted encryption.Encrypted, v any) error { //nolint:unparam
decrypted, err := d.decrypt(encrypted)
func (d *DAL) decryptJSON(subKey encryption.SubKey, encrypted []byte, v any) error { //nolint:unparam
decrypted, err := d.decrypt(subKey, encrypted)
if err != nil {
return fmt.Errorf("failed to decrypt json with subkey %s: %w", encrypted.SubKey(), err)
return fmt.Errorf("failed to decrypt json with subkey %s: %w", subKey, err)
}

if err = json.Unmarshal(decrypted, v); err != nil {
Expand Down
9 changes: 5 additions & 4 deletions backend/controller/dal/events.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/TBD54566975/ftl/backend/controller/sql"
dalerrs "github.com/TBD54566975/ftl/backend/dal"
"github.com/TBD54566975/ftl/backend/schema"
"github.com/TBD54566975/ftl/internal/encryption"
"github.com/TBD54566975/ftl/internal/log"
"github.com/TBD54566975/ftl/internal/model"
)
Expand Down Expand Up @@ -348,7 +349,7 @@ func (d *DAL) transformRowsToTimelineEvents(deploymentKeys map[int64]model.Deplo
switch row.Type {
case sql.EventTypeLog:
var jsonPayload eventLogJSON
if err := d.decryptJSON(&row.Payload, &jsonPayload); err != nil {
if err := d.decryptJSON(encryption.TimelineSubKey, row.Payload, &jsonPayload); err != nil {
return nil, fmt.Errorf("failed to decrypt log event: %w", err)
}

Expand All @@ -370,7 +371,7 @@ func (d *DAL) transformRowsToTimelineEvents(deploymentKeys map[int64]model.Deplo

case sql.EventTypeCall:
var jsonPayload eventCallJSON
if err := d.decryptJSON(&row.Payload, &jsonPayload); err != nil {
if err := d.decryptJSON(encryption.TimelineSubKey, row.Payload, &jsonPayload); err != nil {
return nil, fmt.Errorf("failed to decrypt call event: %w", err)
}
var sourceVerb optional.Option[schema.Ref]
Expand All @@ -395,7 +396,7 @@ func (d *DAL) transformRowsToTimelineEvents(deploymentKeys map[int64]model.Deplo

case sql.EventTypeDeploymentCreated:
var jsonPayload eventDeploymentCreatedJSON
if err := d.decryptJSON(&row.Payload, &jsonPayload); err != nil {
if err := d.decryptJSON(encryption.TimelineSubKey, row.Payload, &jsonPayload); err != nil {
return nil, fmt.Errorf("failed to decrypt call event: %w", err)
}
out = append(out, &DeploymentCreatedEvent{
Expand All @@ -410,7 +411,7 @@ func (d *DAL) transformRowsToTimelineEvents(deploymentKeys map[int64]model.Deplo

case sql.EventTypeDeploymentUpdated:
var jsonPayload eventDeploymentUpdatedJSON
if err := d.decryptJSON(&row.Payload, &jsonPayload); err != nil {
if err := d.decryptJSON(encryption.TimelineSubKey, row.Payload, &jsonPayload); err != nil {
return nil, fmt.Errorf("failed to decrypt call event: %w", err)
}
out = append(out, &DeploymentUpdatedEvent{
Expand Down
9 changes: 4 additions & 5 deletions backend/controller/dal/fsm.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,11 @@ import (
//
// Note: no validation of the FSM is performed.
func (d *DAL) StartFSMTransition(ctx context.Context, fsm schema.RefKey, instanceKey string, destinationState schema.RefKey, request []byte, encrypted bool, retryParams schema.RetryParams) (err error) {
var encryptedRequest encryption.EncryptedAsyncColumn
var encryptedRequest []byte
if encrypted {
encryptedRequest = encryption.EncryptedAsyncColumn(request)
encryptedRequest = request
} else {
err = d.encrypt(request, &encryptedRequest)
encryptedRequest, err = d.encrypt(encryption.AsyncSubKey, request)
if err != nil {
return fmt.Errorf("failed to encrypt FSM request: %w", err)
}
Expand Down Expand Up @@ -146,8 +146,7 @@ func (d *DAL) PopNextFSMEvent(ctx context.Context, fsm schema.RefKey, instanceKe
}

func (d *DAL) SetNextFSMEvent(ctx context.Context, fsm schema.RefKey, instanceKey string, nextState schema.RefKey, request json.RawMessage, requestType schema.Type) error {
var encryptedRequest encryption.EncryptedAsyncColumn
err := d.encryptJSON(request, &encryptedRequest)
encryptedRequest, err := d.encryptJSON(encryption.AsyncSubKey, request)
if err != nil {
return fmt.Errorf("failed to encrypt FSM request: %w", err)
}
Expand Down
3 changes: 1 addition & 2 deletions backend/controller/dal/pubsub.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,7 @@ import (
)

func (d *DAL) PublishEventForTopic(ctx context.Context, module, topic, caller string, payload []byte) error {
var encryptedPayload encryption.EncryptedAsyncColumn
err := d.encrypt(payload, &encryptedPayload)
encryptedPayload, err := d.encrypt(encryption.AsyncSubKey, payload)
if err != nil {
return fmt.Errorf("failed to encrypt payload: %w", err)
}
Expand Down
7 changes: 3 additions & 4 deletions backend/controller/sql/models.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 1 addition & 2 deletions backend/controller/sql/querier.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

17 changes: 8 additions & 9 deletions backend/controller/sql/queries.sql.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit ac0b904

Please sign in to comment.