cossacklabs / acra

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
https://www.cossacklabs.com/acra/
Apache License 2.0

Added MasterKeyLoader abstraction #559

Closed Zhaars closed 2 years ago

Zhaars commented 2 years ago

One of the key concepts with AcraMasterKeyLoaders (AMK) mentioned by @Lagovas is to have enough flexibility with AcraEE.

Possible scenarios could be when we want to extend some functionality related to AMKL in AcraEE (adding a new KMS, or having some custom cases). So this PR contains some draft ideas for some kind of abstraction that helps us have a generic approach to creating MKL.

The key thing is to have a MasterKeyLoaderFactory interface that can create any MasterKeyLoader.

type MasterKeyLoaderFactory interface {
    CreateMasterKeyLoader() (MasterKeyLoader, error)
}

MasterKeyLoaderCreator represents the current implementation of MasterKeyLoaderFactory, which depends on the provided loadStrategy. So if we need some custom behavior in AcraEE, we need to reimplement the EE version of MasterKeyLoaderCreator, and the remaining code should stay as is.

P.S. Feel free to suggest any better naming or ideas.


Lagovas commented 2 years ago

There is an open question: how can we replace the existing implementation with a new one? For example, in acra-ee we will create a new implementation in the file acra/keystore/keyloader/ee_loader.go:

type EEMasterKeyLoaderCreator struct {
    loadStrategy string
    envName      string
}

func NewEEMasterKeyLoaderFactory(loadStrategy string) MasterKeyLoaderFactory {
    return EEMasterKeyLoaderCreator{
        loadStrategy: loadStrategy,
        envName:      keystore.AcraMasterKeyVarName,
    }
}

How will it replace the default implementation in acra-server.go?

Zhaars commented 2 years ago

> There is an open question: how can we replace the existing implementation with a new one? For example, in acra-ee we will create a new implementation in the file acra/keystore/keyloader/ee_loader.go:
>
> type EEMasterKeyLoaderCreator struct {
>   loadStrategy string
>   envName      string
> }
>
> func NewEEMasterKeyLoaderFactory(loadStrategy string) MasterKeyLoaderFactory {
>   return EEMasterKeyLoaderCreator{
>       loadStrategy: loadStrategy,
>       envName:      keystore.AcraMasterKeyVarName,
>   }
> }
>
> How will it replace the default implementation in acra-server.go?

@Lagovas Can we do a similar trick as we did with aws_enable via build flags? I mean switch on the standard implementation by default, but when we want to use another EE version, switch off the standard one and switch on the EE version.
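
The factory abstraction discussed in this thread, as an added Go example that is not code from the PR or from Acra: the caller depends only on MasterKeyLoaderFactory, the creator fails closed on an unknown strategy, and the loader rejects missing or malformed key material. The LoadMasterKey method, the "env" strategy name, the 32-byte key size, the LoadKey helper and the EXAMPLE_MASTER_KEY variable are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
)

// MasterKeyLoader is an assumed one-method shape; the PR text shows only the factory.
type MasterKeyLoader interface{ LoadMasterKey() ([]byte, error) }

// MasterKeyLoaderFactory is the interface quoted in the PR description.
type MasterKeyLoaderFactory interface {
	CreateMasterKeyLoader() (MasterKeyLoader, error)
}

// envLoader reads a base64-encoded master key from an environment variable.
type envLoader struct{ envName string }

func (l envLoader) LoadMasterKey() ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(os.Getenv(l.envName))
	if err != nil || len(key) != 32 { // assumed key size; an unset variable also fails here
		return nil, fmt.Errorf("%s must hold a base64-encoded 32-byte key", l.envName)
	}
	return key, nil
}

// MasterKeyLoaderCreator selects a loader by strategy and fails closed on unknown ones.
type MasterKeyLoaderCreator struct{ loadStrategy, envName string }

func (c MasterKeyLoaderCreator) CreateMasterKeyLoader() (MasterKeyLoader, error) {
	if c.loadStrategy == "env" { // hypothetical strategy name
		return envLoader{c.envName}, nil
	}
	return nil, fmt.Errorf("unsupported load strategy %q", c.loadStrategy)
}

// LoadKey is the caller side: it sees only the factory interface, so any factory fits.
func LoadKey(f MasterKeyLoaderFactory) ([]byte, error) {
	loader, err := f.CreateMasterKeyLoader()
	if err != nil {
		return nil, err
	}
	return loader.LoadMasterKey()
}

func main() {
	os.Setenv("EXAMPLE_MASTER_KEY", base64.StdEncoding.EncodeToString(make([]byte, 32))) // constructed key
	key, err := LoadKey(MasterKeyLoaderCreator{"env", "EXAMPLE_MASTER_KEY"})
	fmt.Println(len(key), err)
}
```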