feat: add possibility to disable data encryption. mongo connection. (#…

…1267) Signed-off-by: Stas D <[email protected]>
trustbloc · Apr 18, 2023 · 8ebbe19 · 8ebbe19
1 parent 3167b89
commit 8ebbe19
Show file tree

Hide file tree

Showing 9 changed files with 104 additions and 14 deletions.
diff --git a/cmd/vc-rest/startcmd/params.go b/cmd/vc-rest/startcmd/params.go
@@ -201,6 +201,11 @@ const (
  "For AES - Default: 256" +
  commonEnvVarUsageText + dataEncryptionKeyLengthEnvKey
 
+ dataEncryptionDisabledFlagName = "data-encryption-disabled"
+ dataEncryptionDisabledEnvKey = "VC_REST_DATA_ENCRYPTION_DISABLED" //nolint: gosec
+ dataEncryptionDisabledFlagUsage = "Data Encryption disable\\enable flag. Options: true\\false. Default: false. " +
+ commonEnvVarUsageText + dataEncryptionDisabledEnvKey
+
  requestTokensFlagName = "request-tokens"
  requestTokensEnvKey = "VC_REST_REQUEST_TOKENS" //nolint: gosec
  requestTokensFlagUsage = "Tokens used for http request " +
@@ -380,6 +385,7 @@ type startupParameters struct {
  dataEncryptionKeyLength int
  dataEncryptionCompressorAlgo string
  enableProfiler bool
+ dataEncryptionDisabled bool
 }
 
 type prometheusMetricsProviderParams struct {
@@ -532,6 +538,12 @@ func getStartupParameters(cmd *cobra.Command) (*startupParameters, error) {
  }
  }
 
+ dataEncryptionDisabled, _ := strconv.ParseBool(cmdutils.GetUserSetOptionalVarFromString(
+ cmd,
+ dataEncryptionDisabledFlagName,
+ dataEncryptionDisabledEnvKey,
+ ))
+
  requestTokens := getRequestTokens(cmd)
 
  loggingLevel := cmdutils.GetUserSetOptionalVarFromString(cmd, common.LogLevelFlagName, common.LogLevelEnvKey)
@@ -705,6 +717,7 @@ func getStartupParameters(cmd *cobra.Command) (*startupParameters, error) {
  dataEncryptionKeyLength: dataEncryptionKeyLength,
  enableProfiler: enableProfiler,
  dataEncryptionCompressorAlgo: dataEncryptionCompressionAlgo,
+ dataEncryptionDisabled: dataEncryptionDisabled,
  }, nil
 }
 
@@ -983,6 +996,7 @@ func createFlags(startCmd *cobra.Command) {
  startCmd.Flags().StringP(dataEncryptionKeyIDFlagName, "", "", dataEncryptionKeyIDFlagUsage)
  startCmd.Flags().StringP(dataEncryptionCompressionAlgorithmFlagName, "", "", dataEncryptionCompressionAlgorithmFlagUsage)
  startCmd.Flags().StringP(dataEncryptionKeyLengthFlagName, "", "", dataEncryptionKeyLengthFlagUsage)
+ startCmd.Flags().StringP(dataEncryptionDisabledFlagName, "", "", dataEncryptionDisabledFlagUsage)
  startCmd.Flags().StringSliceP(requestTokensFlagName, "", []string{}, requestTokensFlagUsage)
  startCmd.Flags().StringP(common.LogLevelFlagName, common.LogLevelFlagShorthand, "", common.LogLevelPrefixFlagUsage)
  startCmd.Flags().StringSliceP(contextProviderFlagName, "", []string{}, contextProviderFlagUsage)

diff --git a/cmd/vc-rest/startcmd/start.go b/cmd/vc-rest/startcmd/start.go
@@ -347,7 +347,6 @@ func buildEchoHandler(
  options startOpts,
 ) (*echo.Echo, error) {
  e := createEcho()
- e.Use(echomw.Gzip())
 
  e.HTTPErrorHandler = resterr.HTTPErrorHandler(conf.Tracer)
 
@@ -565,12 +564,18 @@ func buildEchoHandler(
 
  var oidc4ciService oidc4ci.ServiceInterface
 
+ var dataKeyEncryptor dataprotect.Crypto
+ dataKeyEncryptor = defaultVCSKeyManager.Crypto()
+ if conf.StartupParameters.dataEncryptionDisabled {
+ dataKeyEncryptor = dataprotect.NewNilCrypto()
+ }
  claimsDataProtector := dataprotect.NewDataProtector(
- defaultVCSKeyManager.Crypto(),
+ dataKeyEncryptor,
  conf.StartupParameters.dataEncryptionKeyID,
  dataprotect.NewAES(conf.StartupParameters.dataEncryptionKeyLength),
  dataprotect.NewCompressor(conf.StartupParameters.dataEncryptionCompressorAlgo),
  )
+
  oidc4ciService, err = oidc4ci.NewService(&oidc4ci.Config{
  TransactionStore: oidc4ciStore,
  ClaimDataStore: oidc4ciClaimDataStore,

diff --git a/cmd/vc-rest/startcmd/start_test.go b/cmd/vc-rest/startcmd/start_test.go
@@ -282,6 +282,7 @@ func TestStartCmdValidArgs(t *testing.T) {
  "--" + otelExporterTypeFlagName, "STDOUT",
  "--" + dataEncryptionKeyIDFlagName, "12345",
  "--" + dataEncryptionKeyLengthFlagName, "256",
+ "--" + dataEncryptionDisabledFlagName, "true",
  }
 
  startCmd.SetArgs(args)

diff --git a/pkg/dataprotect/aes_test.go b/pkg/dataprotect/aes_test.go
@@ -39,5 +39,5 @@ func TestTooLongKey(t *testing.T) {
  ciphertext, key, err := aes.Encrypt([]byte("This is a secret message"))
  assert.Empty(t, ciphertext)
  assert.Empty(t, key)
- assert.ErrorContains(t, err, "crypto/aes: invalid key size 64")
+ assert.ErrorContains(t, err, "invalid key size 64")
 }
diff --git a/pkg/dataprotect/dataprotect.go b/pkg/dataprotect/dataprotect.go
@@ -12,7 +12,7 @@ import (
 
 //go:generate mockgen -source dataprotect.go -destination dataprotect_mocks_test.go -package dataprotect_test
 
-type crypto interface {
+type Crypto interface {
  Decrypt(cipher, aad, nonce []byte, kh interface{}) ([]byte, error)
  Encrypt(msg, aad []byte, kh interface{}) ([]byte, []byte, error)
 }
@@ -28,14 +28,14 @@ type DataCompressor interface {
 }
 
 type DataProtector struct {
- keyProtector crypto
+ keyProtector Crypto
  cryptoKeyID string
  dataProtector dataEncryptor
  dataCompressor DataCompressor
 }
 
 func NewDataProtector(
- crypto crypto,
+ crypto Crypto,
  cryptoKeyID string,
  dataEncryptor dataEncryptor,
  dataCompressor DataCompressor,

diff --git a/pkg/dataprotect/dataprotect_test.go b/pkg/dataprotect/dataprotect_test.go
@@ -23,7 +23,7 @@ const (
 
 func TestNewDataProtectorEncrypt(t *testing.T) {
  t.Run("success", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  encrypt := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 
@@ -52,7 +52,7 @@ func TestNewDataProtectorEncrypt(t *testing.T) {
  })
 
  t.Run("data encrypt err", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  encrypt := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 
@@ -67,7 +67,7 @@ func TestNewDataProtectorEncrypt(t *testing.T) {
  })
 
  t.Run("encrypt err", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  encrypt := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
  compress.EXPECT().Compress(gomock.Any()).Return(nil, nil)
@@ -84,7 +84,7 @@ func TestNewDataProtectorEncrypt(t *testing.T) {
  })
 
  t.Run("compress err", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  encrypt := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
  compress.EXPECT().Compress(gomock.Any()).Return(nil, errors.New("can not compress"))
@@ -99,7 +99,7 @@ func TestNewDataProtectorEncrypt(t *testing.T) {
 
 func TestDecrypt(t *testing.T) {
  t.Run("success", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  dataProtector := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 
@@ -131,7 +131,7 @@ func TestDecrypt(t *testing.T) {
  })
 
  t.Run("fail decrypt key", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  dataProtector := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 
@@ -156,7 +156,7 @@ func TestDecrypt(t *testing.T) {
  })
 
  t.Run("fail decrypt key", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  dataProtector := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 
@@ -184,7 +184,7 @@ func TestDecrypt(t *testing.T) {
  })
 
  t.Run("fail decompress", func(t *testing.T) {
- keyProtector := NewMockcrypto(gomock.NewController(t))
+ keyProtector := NewMockCrypto(gomock.NewController(t))
  dataProtector := NewMockdataEncryptor(gomock.NewController(t))
  compress := NewMockDataCompressor(gomock.NewController(t))
 

diff --git a/pkg/dataprotect/nilcrypto.go b/pkg/dataprotect/nilcrypto.go
@@ -0,0 +1,22 @@
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package dataprotect
+
+type NilCrypto struct {
+}
+
+func NewNilCrypto() *NilCrypto {
+ return &NilCrypto{}
+}
+
+func (n *NilCrypto) Encrypt(msg, _ []byte, _ interface{}) ([]byte, []byte, error) {
+ return msg, nil, nil
+}
+
+func (n *NilCrypto) Decrypt(_, aad, _ []byte, _ interface{}) ([]byte, error) {
+ return aad, nil
+}
diff --git a/pkg/dataprotect/nilcrypto_test.go b/pkg/dataprotect/nilcrypto_test.go
@@ -0,0 +1,44 @@
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package dataprotect_test
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/trustbloc/vcs/pkg/dataprotect"
+)
+
+func TestNilCryptoEncryptDecrypt(t *testing.T) {
+ nilCrypto := dataprotect.NewNilCrypto()
+ testData := []byte("This is a sample text to demonstrate the NilCrypto encryption and decryption process.")
+
+ encryptedData, _, err := nilCrypto.Encrypt(testData, nil, nil)
+ assert.NoError(t, err, "Failed to encrypt data")
+ assert.Equal(t, testData, encryptedData, "Encrypted data should be the same as original data")
+
+ decryptedData, err := nilCrypto.Decrypt(nil, encryptedData, nil, nil)
+ assert.NoError(t, err, "Failed to decrypt data")
+ assert.Equal(t, testData, decryptedData, "Decrypted data should be the same as original data")
+}
+
+func TestNilCryptoEncryptError(t *testing.T) {
+ nilCrypto := dataprotect.NewNilCrypto()
+ testData := make([]byte, 0)
+
+ _, _, err := nilCrypto.Encrypt(testData, nil, nil)
+ assert.NoError(t, err, "Encrypt should not return an error when encrypting empty data")
+}
+
+func TestNilCryptoDecryptError(t *testing.T) {
+ nilCrypto := dataprotect.NewNilCrypto()
+ testData := make([]byte, 0)
+
+ _, err := nilCrypto.Decrypt(nil, testData, nil, nil)
+ assert.NoError(t, err, "Decrypt should not return an error when decrypting empty data")
+}
diff --git a/pkg/storage/mongodb/client.go b/pkg/storage/mongodb/client.go
@@ -13,6 +13,8 @@ import (
 
  "go.mongodb.org/mongo-driver/mongo"
  mongooptions "go.mongodb.org/mongo-driver/mongo/options"
+ "go.mongodb.org/mongo-driver/mongo/readpref"
+ "go.mongodb.org/mongo-driver/mongo/writeconcern"
  "go.opentelemetry.io/contrib/instrumentation/go.mongodb.org/mongo-driver/mongo/otelmongo"
  "go.opentelemetry.io/otel/trace"
 )
@@ -38,6 +40,8 @@ func New(connString string, databaseName string, opts ...ClientOpt) (*Client, er
 
  mongoOpts := mongooptions.Client()
  mongoOpts.ApplyURI(connString)
+ mongoOpts.SetWriteConcern(writeconcern.New(writeconcern.WMajority(), writeconcern.WTimeout(op.timeout)))
+ mongoOpts.ReadPreference = readpref.Nearest()
 
  if op.traceProvider != nil {
  mongoOpts.Monitor = otelmongo.NewMonitor(otelmongo.WithTracerProvider(op.traceProvider))