encryptor

package
v0.0.0-...-982e07a
Published: Dec 19, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package encryptor contains the code that parses DBMS-specific queries for raw data that should be encrypted, the encryption logic itself, and the loading of schema descriptions and encryption settings.

Index

Constants

const (
	QueryFilterModeSearchableEncryption = iota
	QueryFilterModeConsistentTokenization
)

QueryFilterModeSearchableEncryption and QueryFilterModeConsistentTokenization are the supported modes for filtering comparisons on searchable and tokenized values.

const InvalidPlaceholderIndex = -1

InvalidPlaceholderIndex is the value that represents an invalid index for SQL placeholders.

Variables

var ErrInconsistentPlaceholder = errors.New("inconsistent placeholder usage")

ErrInconsistentPlaceholder is returned when a placeholder refers to multiple different columns.

var ErrInvalidPlaceholder = errors.New("invalid placeholder value")

ErrInvalidPlaceholder is returned when Acra cannot parse an SQL placeholder expression.

var ErrUnsupportedQueryType = errors.New("unsupported Query type")

ErrUnsupportedQueryType is returned for an unsupported Query type.

var ErrUpdateLeaveDataUnchanged = errors.New("updateFunc didn't change data")

ErrUpdateLeaveDataUnchanged is returned by UpdateExpressionValue when updateFunc left the data unchanged.

Functions

func DeletePlaceholderSettingsFromClientSession

func DeletePlaceholderSettingsFromClientSession(session base.ClientSession)

DeletePlaceholderSettingsFromClientSession deletes the placeholder encryption settings stored in the ClientSession.

func DeleteQueryDataItemsFromClientSession

func DeleteQueryDataItemsFromClientSession(session base.ClientSession)

DeleteQueryDataItemsFromClientSession deletes the stored QueryDataItems from the ClientSession.

func EmptyCheckFunction

func EmptyCheckFunction(setting config.ColumnEncryptionSetting) bool

EmptyCheckFunction always returns false, i.e. it never asks for the operation to be skipped.

func EncryptionSettingFromContext

func EncryptionSettingFromContext(ctx context.Context) (config.ColumnEncryptionSetting, bool)

EncryptionSettingFromContext extracts the column encryption setting from a context; the bool is false (and the setting nil) if the context does not contain one.

func FilterTableExpressions

func FilterTableExpressions(statement sqlparser.Statement) (sqlparser.TableExprs, error)

FilterTableExpressions returns the TableExprs of a sqlparser.Statement, or an error if the statement has none.

func GetColumnSetting

func GetColumnSetting(column *sqlparser.ColName, tableName string, schemaStore config.TableSchemaStore) config.ColumnEncryptionSetting

GetColumnSetting looks up the ColumnEncryptionSetting for column in schemaStore, based on tableName and the column name.

func GetWhereStatements

func GetWhereStatements(stmt sqlparser.Statement) ([]*sqlparser.Where, error)

GetWhereStatements collects all Where expressions of the statement.

func NewContextWithEncryptionSetting

func NewContextWithEncryptionSetting(ctx context.Context, setting config.ColumnEncryptionSetting) context.Context

NewContextWithEncryptionSetting makes a new context containing column encryption settings.

func ParsePlaceholderIndex

func ParsePlaceholderIndex(placeholder *sqlparser.SQLVal) (int, error)

ParsePlaceholderIndex parses the placeholder index if SQLVal is a PgPlaceholder or ValArg; otherwise it returns InvalidPlaceholderIndex and an error.

func ParseSearchQueryPlaceholdersSettings

func ParseSearchQueryPlaceholdersSettings(statement sqlparser.Statement, schemaStore config.TableSchemaStore) map[int]config.ColumnEncryptionSetting

ParseSearchQueryPlaceholdersSettings parses the encryption settings of a statement that uses placeholders, keyed by placeholder index.
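An added example of the placeholder bookkeeping that ErrInvalidPlaceholder and ErrInconsistentPlaceholder guard, written for this page rather than taken from the package. ParsePlaceholderIndex here works on the placeholder text (PostgreSQL `$N`; the `:vN` spelling for a MySQL `?` is an assumption about how the parser names bind variables) instead of a sqlparser.SQLVal, Binding is a constructed stand-in for the column/placeholder comparisons the package pulls out of a WHERE clause, and ColumnSetting stands in for config.ColumnEncryptionSetting. The consistency check is the security-relevant part: a placeholder bound to two different columns would have its value encrypted under one column's setting and compared against the other.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// InvalidPlaceholderIndex and the two errors mirror the package's sentinels.
const InvalidPlaceholderIndex = -1

var (
	ErrInvalidPlaceholder      = errors.New("invalid placeholder value")
	ErrInconsistentPlaceholder = errors.New("inconsistent placeholder usage")
)

// ParsePlaceholderIndex returns the 1-based index of a PostgreSQL "$N" placeholder
// or of a ":vN" bind variable (assumed to be the parser's name for a MySQL "?").
func ParsePlaceholderIndex(placeholder string) (int, error) {
	var digits string
	switch {
	case strings.HasPrefix(placeholder, "$"):
		digits = placeholder[1:]
	case strings.HasPrefix(placeholder, ":v"):
		digits = placeholder[2:]
	default:
		return InvalidPlaceholderIndex, ErrInvalidPlaceholder
	}
	n := 0
	for _, r := range digits { // digits only: no sign, no spaces, no overflow surprises
		if r < '0' || r > '9' || n > 1<<20 {
			return InvalidPlaceholderIndex, ErrInvalidPlaceholder
		}
		n = n*10 + int(r-'0')
	}
	if n < 1 { // "$" alone and "$0" are both invalid: placeholders start at 1
		return InvalidPlaceholderIndex, ErrInvalidPlaceholder
	}
	return n, nil
}

// Binding is one "column <op> placeholder" comparison from a WHERE clause
// (constructed input; the package extracts these from the parsed statement).
type Binding struct{ Column, Placeholder string }

// ColumnSetting is a hypothetical stand-in for config.ColumnEncryptionSetting.
type ColumnSetting struct{ Column string }

// PlaceholderSettings maps placeholder index -> setting. The same placeholder may
// appear several times, but only against one column; two different columns are
// rejected with ErrInconsistentPlaceholder.
func PlaceholderSettings(bindings []Binding) (map[int]ColumnSetting, error) {
	out := make(map[int]ColumnSetting, len(bindings))
	for _, b := range bindings {
		idx, err := ParsePlaceholderIndex(b.Placeholder)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", b.Placeholder, err)
		}
		if prev, seen := out[idx]; seen && prev.Column != b.Column {
			return nil, fmt.Errorf("%s bound to %s and %s: %w", b.Placeholder, prev.Column, b.Column, ErrInconsistentPlaceholder)
		}
		out[idx] = ColumnSetting{Column: b.Column}
	}
	return out, nil
}

func main() {
	// SELECT ... WHERE email = $1 OR (username = $2 AND email = $1)
	ok := []Binding{{"email", "$1"}, {"username", "$2"}, {"email", "$1"}}
	fmt.Println(PlaceholderSettings(ok))
	// SELECT ... WHERE email = $1 OR username = $1
	bad := []Binding{{"email", "$1"}, {"username", "$1"}}
	_, err := PlaceholderSettings(bad)
	fmt.Println(err)
}
```

Reusing `$1` against the same column is accepted, which matches how a query like `WHERE email = $1 OR (... AND email = $1)` binds one value; only a second, different column behind the same index is refused.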

func PgEncodeToHexString

func PgEncodeToHexString(data []byte) []byte

PgEncodeToHexString encodes data as hex with a \x prefix (PostgreSQL's bytea hex format).

func PlaceholderSettingsFromClientSession

func PlaceholderSettingsFromClientSession(session base.ClientSession) map[int]config.ColumnEncryptionSetting

PlaceholderSettingsFromClientSession returns the placeholder-related ColumnEncryptionSettings stored in the client session, creating and saving a new map if none exists yet.

func SaveQueryDataItemsToClientSession

func SaveQueryDataItemsToClientSession(session base.ClientSession, items []*QueryDataItem)

SaveQueryDataItemsToClientSession saves a slice of QueryDataItem into the ClientSession.

func StandaloneAcraBlockEncryptorFilterFunction

func StandaloneAcraBlockEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool

StandaloneAcraBlockEncryptorFilterFunction returns true if the operation should be applied, which is only when the setting is configured for encryption without any other operation such as tokenization or masking.

func StandaloneAcraStructEncryptorFilterFunction

func StandaloneAcraStructEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool

StandaloneAcraStructEncryptorFilterFunction returns true if the operation should be applied, which is only when the setting is configured for encryption without any other operation such as tokenization or masking.

func UpdateExpressionValue

func UpdateExpressionValue(ctx context.Context, expr sqlparser.Expr, coder DBDataCoder, setting config.ColumnEncryptionSetting, updateFunc func(context.Context, []byte) ([]byte, error)) error

UpdateExpressionValue decodes the value from its DB-specific string form to binary, calls updateFunc, encodes the result back to the DB string form and replaces the value in the expression with it.

func UpdateUnaryExpressionValue

func UpdateUnaryExpressionValue(ctx context.Context, expr *sqlparser.UnaryExpr, coder DBDataCoder, setting config.ColumnEncryptionSetting, updateFunc func(context.Context, []byte) ([]byte, error)) error

UpdateUnaryExpressionValue updates a supported unary expression. Currently only `_binary` charset prefixes, which are parsed as unary expressions, are supported.

Types

type AcrawriterDataEncryptor

type AcrawriterDataEncryptor struct {
	// contains filtered or unexported fields
}

AcrawriterDataEncryptor implements DataEncryptor and encrypts data into AcraStructs.

func NewAcrawriterDataEncryptor

func NewAcrawriterDataEncryptor(keystore keystore.PublicKeyStore) (*AcrawriterDataEncryptor, error)

NewAcrawriterDataEncryptor returns a new AcrawriterDataEncryptor initialized with the keystore.

func NewStandaloneDataEncryptor

func NewStandaloneDataEncryptor(keystore keystore.PublicKeyStore) (*AcrawriterDataEncryptor, error)

NewStandaloneDataEncryptor returns a new DataEncryptor that uses AcraStructs to encrypt data as a separate OnColumn processor and checks that the passed setting is configured only for transparent AcraStruct encryption.

func (*AcrawriterDataEncryptor) EncryptWithClientID

func (encryptor *AcrawriterDataEncryptor) EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)

EncryptWithClientID encrypts data with an explicit client ID.

type AliasToTableMap

type AliasToTableMap map[string]string

AliasToTableMap maps a table alias (key) to the table name (value).

func NewAliasToTableMapFromTables

func NewAliasToTableMapFromTables(tables []*AliasedTableName) AliasToTableMap

NewAliasToTableMapFromTables creates an AliasToTableMap from a slice of aliased tables.

type AliasedTableName

type AliasedTableName struct {
	TableName sqlparser.TableName
	As        sqlparser.TableIdent
}

AliasedTableName stores a TableName together with its As alias.

func GetTablesWithAliases

func GetTablesWithAliases(tables sqlparser.TableExprs) []*AliasedTableName

GetTablesWithAliases collects all tables from the given TableExprs, which may be subqueries, tables, joins, etc. It collects only table names and ignores the aliases of subqueries.

type ChainDataEncryptor

type ChainDataEncryptor struct {
	// contains filtered or unexported fields
}

ChainDataEncryptor implements DataEncryptor and passes the data through every encryptor on each call. Every encryptor must return the data untouched if it does nothing with it.

func NewChainDataEncryptor

func NewChainDataEncryptor(encryptors ...DataEncryptor) *ChainDataEncryptor

NewChainDataEncryptor returns a new ChainDataEncryptor.

func (*ChainDataEncryptor) EncryptWithClientID

func (chainEncryptor *ChainDataEncryptor) EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)

EncryptWithClientID encrypts data with an explicit client ID by passing it through each encryptor in turn.

type CheckFunction

type CheckFunction func(setting config.ColumnEncryptionSetting) bool

CheckFunction returns true if the operation should be skipped.
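The chain contract above (each encryptor returns the data untouched when it has nothing to do, and a CheckFunction decides when to skip) in runnable form, added here as an illustration and not the package's own code. ColumnSetting is a hypothetical two-flag stand-in for config.ColumnEncryptionSetting; hmacTokenizer is a simplified consistent tokenizer (HMAC-SHA256 over client ID and value) and masker a trivial masking step, neither of them Acra's algorithms; the key is a constructed demo value rather than a keystore key.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// ColumnSetting is a hypothetical stand-in for config.ColumnEncryptionSetting,
// reduced to the two flags this example needs.
type ColumnSetting struct {
	Tokenize bool
	Mask     bool
}

// CheckFunction returns true if the operation should be skipped (the package's contract).
type CheckFunction func(setting ColumnSetting) bool

// DataEncryptor has the shape of the package's interface, with the stand-in setting type.
type DataEncryptor interface {
	EncryptWithClientID(clientID, data []byte, setting ColumnSetting) ([]byte, error)
}

// filtered pairs an encryptor with its CheckFunction: when the check says skip,
// the data is returned untouched, which is what lets encryptors be chained.
type filtered struct {
	skip  CheckFunction
	inner DataEncryptor
}

func (f filtered) EncryptWithClientID(clientID, data []byte, s ColumnSetting) ([]byte, error) {
	if f.skip(s) {
		return data, nil
	}
	return f.inner.EncryptWithClientID(clientID, data, s)
}

// hmacTokenizer is a simplified consistent tokenizer: the same (clientID, value)
// always maps to the same token, and different clients get unrelated tokens.
// It is a stand-in for Acra's tokenization, not its algorithm.
type hmacTokenizer struct{ key []byte }

func (t hmacTokenizer) EncryptWithClientID(clientID, data []byte, _ ColumnSetting) ([]byte, error) {
	mac := hmac.New(sha256.New, t.key)
	mac.Write(clientID)
	mac.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
	mac.Write(data)
	sum := mac.Sum(nil)
	return []byte(base64.RawURLEncoding.EncodeToString(sum[:16])), nil
}

// masker keeps the last four bytes and replaces the rest with '*'.
type masker struct{}

func (masker) EncryptWithClientID(_, data []byte, _ ColumnSetting) ([]byte, error) {
	keep := 4
	if len(data) < keep {
		keep = len(data)
	}
	out := bytes.Repeat([]byte{'*'}, len(data)-keep)
	return append(out, data[len(data)-keep:]...), nil
}

// ChainDataEncryptor passes the data through every encryptor in order.
type ChainDataEncryptor struct{ encryptors []DataEncryptor }

func NewChainDataEncryptor(encryptors ...DataEncryptor) *ChainDataEncryptor {
	return &ChainDataEncryptor{encryptors: encryptors}
}

func (c *ChainDataEncryptor) EncryptWithClientID(clientID, data []byte, s ColumnSetting) ([]byte, error) {
	var err error
	for _, e := range c.encryptors {
		if data, err = e.EncryptWithClientID(clientID, data, s); err != nil {
			return nil, err
		}
	}
	return data, nil
}

// NewDemoChain wires a tokenizer and a masker, each gated by its own CheckFunction.
func NewDemoChain(tokenKey []byte) *ChainDataEncryptor {
	return NewChainDataEncryptor(
		filtered{skip: func(s ColumnSetting) bool { return !s.Tokenize }, inner: hmacTokenizer{key: tokenKey}},
		filtered{skip: func(s ColumnSetting) bool { return !s.Mask }, inner: masker{}},
	)
}

func main() {
	chain := NewDemoChain([]byte("constructed-demo-key")) // demo key, not from a keystore
	for _, s := range []ColumnSetting{{Tokenize: true}, {Mask: true}, {}} {
		out, _ := chain.EncryptWithClientID([]byte("client_a"), []byte("johnwick@mail.com"), s)
		fmt.Printf("%+v -> %s\n", s, out)
	}
}
```

With a setting that enables neither flag the chain is the identity, which is the property that makes it safe to register every encryptor once and let the per-column settings select the one that acts.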

type ColumnInfo

type ColumnInfo struct {
	Name  string
	Table string
	Alias string
}

ColumnInfo describes a column: its name, table and alias.

func FindColumnInfo

func FindColumnInfo(fromExpr sqlparser.TableExprs, colName *sqlparser.ColName, schemaStore config.TableSchemaStore) (ColumnInfo, error)

FindColumnInfo resolves a ColumnInfo from the TableExprs, the ColName and the TableSchemaStore.

func MapColumnsToAliases

func MapColumnsToAliases(selectQuery *sqlparser.Select, tableSchemaStore config.TableSchemaStore) ([]*ColumnInfo, error)

MapColumnsToAliases builds the slice of ColumnInfo for a sqlparser.Select using the config.TableSchemaStore.

type ConfigStorage

type ConfigStorage interface {
	filesystem.Storage
	GetEncryptorConfigPath() string
}

ConfigStorage describes the main Storage interface for loading the encryptor config from different sources.

type DBDataCoder

type DBDataCoder interface {
	Decode(sqlparser.Expr, config.ColumnEncryptionSetting) ([]byte, error)
	Encode(sqlparser.Expr, []byte, config.ColumnEncryptionSetting) ([]byte, error)
}

DBDataCoder encodes and decodes binary data to and from the correct literal string form for a specific DB.

type DataEncryptor

type DataEncryptor interface {
	// EncryptWithClientID encrypt with explicit client id
	EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)
}

DataEncryptor replaces raw data in queries with encrypted data.

type DataEncryptorContext

type DataEncryptorContext struct {
	Keystore keystore.DataEncryptorKeyStore
	Context  context.Context
}

DataEncryptorContext stores the data a DataEncryptor needs.

type MysqlDBDataCoder

type MysqlDBDataCoder struct{}

MysqlDBDataCoder implements DBDataCoder for MySQL.

func (*MysqlDBDataCoder) Decode

func (*MysqlDBDataCoder) Decode(expr sqlparser.Expr, setting config.ColumnEncryptionSetting) ([]byte, error)

Decode decodes a literal from its string form to a byte slice.

func (*MysqlDBDataCoder) Encode

func (*MysqlDBDataCoder) Encode(expr sqlparser.Expr, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)

Encode encodes binary data to the correct literal form for this expression.

type PostgresqlDBDataCoder

type PostgresqlDBDataCoder struct{}

PostgresqlDBDataCoder is responsible for decoding and encoding SQL literals before and after the QueryEncryptor handlers run.

Acra captures SQL queries such as `INSERT INTO users (age, username, email, photo) VALUES (123, 'john_wick', 'johnwick@mail.com', '\xaabbcc');` and works on the SQL values `123`, `'john_wick'`, `'johnwick@mail.com'` and `'\xaabbcc'`. In the first stage Acra uses the Decode method to decode the values from SQL literals into binary, or leaves them as they are. For example, hex-encoded values are decoded into binary: `'\xaabbcc'` becomes []byte{170, 187, 204} and is passed to the QueryEncryptor's `EncryptWithClientID` callbacks. Afterwards the result is encoded with the Encode method from binary form back into an SQL literal, which replaces the value in the query.
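A worked version of that decode, encrypt, encode cycle for the `'\xaabbcc'` literal, as an added example rather than Acra's own code. PgDecodeHexLiteral and PgEncodeToHexString here are stand-ins that handle only PostgreSQL's `\x` hex form, and sealWithDemoKey is AES-256-GCM under a constructed key standing in for the EncryptWithClientID callback (Acra produces AcraStructs or AcraBlocks from keystore keys). It also carries over the rule behind ErrUpdateLeaveDataUnchanged: an updateFunc that hands back the plaintext unchanged is treated as an error, since the value would otherwise reach the database in the clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrNotHexLiteral is returned for a literal that is not in PostgreSQL's \x hex form.
var ErrNotHexLiteral = errors.New("not a \\x hex bytea literal")

// ErrUpdateLeaveDataUnchanged mirrors the package's sentinel: updateFunc returned its input.
var ErrUpdateLeaveDataUnchanged = errors.New("updateFunc didn't change data")

// PgDecodeHexLiteral decodes the body of a bytea hex literal (the text between the
// quotes, e.g. `\xaabbcc`) into raw bytes: `\xaabbcc` -> []byte{170, 187, 204}.
func PgDecodeHexLiteral(literal []byte) ([]byte, error) {
	if !bytes.HasPrefix(literal, []byte(`\x`)) {
		return nil, ErrNotHexLiteral
	}
	out := make([]byte, hex.DecodedLen(len(literal)-2))
	n, err := hex.Decode(out, literal[2:])
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrNotHexLiteral, err)
	}
	return out[:n], nil
}

// PgEncodeToHexString does the reverse: `\x` followed by lowercase hex.
func PgEncodeToHexString(data []byte) []byte {
	out := make([]byte, 2+hex.EncodedLen(len(data)))
	copy(out, `\x`)
	hex.Encode(out[2:], data)
	return out
}

// UpdateHexLiteral is the decode -> updateFunc -> encode cycle for one hex literal.
// An updateFunc that returns the data unchanged is an error, as in the package.
func UpdateHexLiteral(literal []byte, updateFunc func([]byte) ([]byte, error)) ([]byte, error) {
	raw, err := PgDecodeHexLiteral(literal)
	if err != nil {
		return nil, err
	}
	updated, err := updateFunc(raw)
	if err != nil {
		return nil, err
	}
	if bytes.Equal(raw, updated) {
		return nil, ErrUpdateLeaveDataUnchanged
	}
	return PgEncodeToHexString(updated), nil
}

// demoKey is a constructed key for this example only; Acra takes keys from a keystore.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

func demoGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithDemoKey stands in for the encryptor callback: AES-256-GCM with the
// nonce prepended to the ciphertext. It is not AcraStruct or AcraBlock.
func sealWithDemoKey(plain []byte) ([]byte, error) {
	gcm, err := demoGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// openWithDemoKey reverses sealWithDemoKey so the round trip can be checked.
func openWithDemoKey(sealed []byte) ([]byte, error) {
	gcm, err := demoGCM()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	literal := []byte(`\xaabbcc`) // the photo literal from the INSERT above, without quotes
	raw, _ := PgDecodeHexLiteral(literal)
	fmt.Println(raw) // [170 187 204]
	encrypted, err := UpdateHexLiteral(literal, sealWithDemoKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("rewritten literal: '%s'\n", encrypted)
}
```

The rewritten literal is again a valid `\x...` bytea literal, so it can be spliced back into the INSERT in place of `'\xaabbcc'` without changing the query's shape.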

func (*PostgresqlDBDataCoder) Decode

func (*PostgresqlDBDataCoder) Decode(expr sqlparser.Expr, setting config.ColumnEncryptionSetting) ([]byte, error)

Decode decodes hex and escaped literals to raw binary values for encryption/decryption. String values are left as is because they need no decoding. Historically, Int values were supported only for tokenization and were operated on as string SQL literals.

func (*PostgresqlDBDataCoder) Encode

func (*PostgresqlDBDataCoder) Encode(expr sqlparser.Expr, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)

Encode encodes binary data to the correct literal form for this expression.

type QueryDataEncryptor

type QueryDataEncryptor struct {
	// contains filtered or unexported fields
}

QueryDataEncryptor parses a query and encrypts raw data according to the TableSchemaStore.

func NewMysqlQueryEncryptor

func NewMysqlQueryEncryptor(schema config.TableSchemaStore, parser *sqlparser.Parser, dataEncryptor DataEncryptor) (*QueryDataEncryptor, error)

NewMysqlQueryEncryptor creates a QueryDataEncryptor with MysqlDBDataCoder.

func NewPostgresqlQueryEncryptor

func NewPostgresqlQueryEncryptor(schema config.TableSchemaStore, parser *sqlparser.Parser, dataEncryptor DataEncryptor) (*QueryDataEncryptor, error)

NewPostgresqlQueryEncryptor creates a QueryDataEncryptor with PostgresqlDBDataCoder.

func (*QueryDataEncryptor) GetQueryEncryptionSettings

func (encryptor *QueryDataEncryptor) GetQueryEncryptionSettings() []*QueryDataItem

GetQueryEncryptionSettings returns the encryption settings collected in the OnQuery callback.

func (*QueryDataEncryptor) ID

func (encryptor *QueryDataEncryptor) ID() string

ID returns name of this QueryObserver.

func (*QueryDataEncryptor) OnBind

func (encryptor *QueryDataEncryptor) OnBind(ctx context.Context, statement sqlparser.Statement, values []base.BoundValue) ([]base.BoundValue, bool, error)

OnBind process bound values for prepared statement based on TableSchemaStore.

func (*QueryDataEncryptor) OnColumn

func (encryptor *QueryDataEncryptor) OnColumn(ctx context.Context, data []byte) (context.Context, []byte, error)

OnColumn returns a new context carrying the encryption setting if information about the column exists; otherwise the passed context and the column data are returned unchanged.

func (*QueryDataEncryptor) OnQuery

func (encryptor *QueryDataEncryptor) OnQuery(ctx context.Context, query base.OnQueryObject) (base.OnQueryObject, bool, error)

OnQuery encrypts raw data in the query according to the TableSchemaStore.

type QueryDataItem

type QueryDataItem struct {
	// contains filtered or unexported fields
}

QueryDataItem stores information about a table column and its encryption setting.

func NewQueryDataItem

func NewQueryDataItem(setting config.ColumnEncryptionSetting, tableName, columnName, columnAlias string) *QueryDataItem

NewQueryDataItem creates a new QueryDataItem.

func ParseQuerySettings

func ParseQuerySettings(ctx context.Context, statement *sqlparser.Select, schemaStore config.TableSchemaStore) ([]*QueryDataItem, error)

ParseQuerySettings parses the list of settings for a select query based on schemaStore.

func QueryDataItemsFromClientSession

func QueryDataItemsFromClientSession(session base.ClientSession) []*QueryDataItem

QueryDataItemsFromClientSession returns the QueryDataItems from the ClientSession if any were saved, otherwise nil.

func (*QueryDataItem) ColumnAlias

func (q *QueryDataItem) ColumnAlias() string

ColumnAlias returns the column alias if the item was matched through an alias.

func (*QueryDataItem) ColumnName

func (q *QueryDataItem) ColumnName() string

ColumnName returns the column name if the item was matched to a column.

func (*QueryDataItem) Setting

func (q *QueryDataItem) Setting() config.ColumnEncryptionSetting

Setting returns the associated ColumnEncryptionSetting, or nil if none was found.

func (*QueryDataItem) TableName

func (q *QueryDataItem) TableName() string

TableName returns the table name associated with the item, or an empty string if the item is not related to any table or the table was not recognized.

type SearchableExprItem

type SearchableExprItem struct {
	Expr    *sqlparser.ComparisonExpr
	Setting config.ColumnEncryptionSetting
}

SearchableExprItem represents a filtered value found by SearchableQueryFilter.

type SearchableQueryFilter

type SearchableQueryFilter struct {
	// contains filtered or unexported fields
}

SearchableQueryFilter filters searchable expressions according to its SearchableQueryFilterMode.

func NewSearchableQueryFilter

func NewSearchableQueryFilter(schemaStore config.TableSchemaStore, mode SearchableQueryFilterMode) *SearchableQueryFilter

NewSearchableQueryFilter creates a new SearchableQueryFilter from schemaStore and the SearchableQueryFilterMode.

func (*SearchableQueryFilter) ChangeSearchableOperator

func (filter *SearchableQueryFilter) ChangeSearchableOperator(expr *sqlparser.ComparisonExpr)

ChangeSearchableOperator changes the operator of the ComparisonExpr to EqualStr or NotEqualStr depending on expr.Operator.

func (*SearchableQueryFilter) FilterSearchableComparisons

func (filter *SearchableQueryFilter) FilterSearchableComparisons(statement sqlparser.Statement) []SearchableExprItem

FilterSearchableComparisons filters the searchable comparisons out of the statement.

type SearchableQueryFilterMode

type SearchableQueryFilterMode int

SearchableQueryFilterMode represents the operating mode of SearchableQueryFilter.
