shotover / shotover-proxy

L7 data-layer proxy
https://docs.shotover.io
Apache License 2.0

Protect Transform - Support Key Encryption Key lookups per row / query #1033

Open benbromhead opened 1 year ago

benbromhead commented 1 year ago

Users need some way of using different key encryption keys based on some properties of the row that is to be protected. We need to further research what's the best way to do this.

E.g.

benbromhead commented 1 year ago

Example for templating:

INSERT INTO some_table (customer_id, name, private_data) VALUES ('foo', 'John', 'kjsdhksdjhkjsdfhkjsdfh');

- protect:
    - key_lookup_fields: [customer_id]
    - template: "{customer_id}-prodkey"

foo-prodkey is then the key encryption key we ask AWS KMS (or equiv) for
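
A sketch of the template expansion proposed in the comment above, as an added example that is not shotover's code or part of the original issue. The function name `render_kek_id`, the error type, and the `[A-Za-z0-9_]` restriction on row values are assumptions of this example; the row is constructed to match the INSERT above.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum KekIdError {
    UndeclaredField(String),
    MissingValue(String),
    UnsafeValue(String),
    UnclosedPlaceholder,
}

/// Render a KEK identifier from `template`, substituting only fields listed in
/// `lookup_fields` (hypothetical mirror of `key_lookup_fields`) with row values.
pub fn render_kek_id(
    template: &str,
    lookup_fields: &[&str],
    row: &HashMap<&str, &str>,
) -> Result<String, KekIdError> {
    let mut out = String::new();
    let mut rest = template;
    while let Some(open) = rest.find('{') {
        out.push_str(&rest[..open]);
        let after = &rest[open + 1..];
        let close = after.find('}').ok_or(KekIdError::UnclosedPlaceholder)?;
        let field = &after[..close];
        // Fail closed: a placeholder must be declared as a lookup field.
        if !lookup_fields.contains(&field) {
            return Err(KekIdError::UndeclaredField(field.to_string()));
        }
        let value = *row
            .get(field)
            .ok_or_else(|| KekIdError::MissingValue(field.to_string()))?;
        // Row values come from the client query: accept only [A-Za-z0-9_] so a
        // value cannot carry separators or path-like text into the key id.
        if value.is_empty() || !value.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(KekIdError::UnsafeValue(field.to_string()));
        }
        out.push_str(value);
        rest = &after[close + 1..];
    }
    out.push_str(rest);
    Ok(out)
}

fn main() {
    // Constructed row matching the INSERT in the comment above.
    let row = HashMap::from([("customer_id", "foo"), ("name", "John")]);
    println!("{:?}", render_kek_id("{customer_id}-prodkey", &["customer_id"], &row));
}
```

The rendered string is what would be passed to the key manager as the key encryption key identifier; any error means the row is not protected with a guessed or default key.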

conorbros commented 9 months ago

---
sources:
  - Cassandra:
      name: "cassandra"
      listen_addr: "127.0.0.1:9042"
      chain:
        - Protect:
            key_manager:
              Local:
                keys:
                  customer_id-kek: Ht8M1nDO/7fay+cft71M2Xy7j30EnLAsA84hSUMCm1k=
                  customer_id2-kek: Ht8M1nDO/7fay+cft71M2Xy7j30EnLAsA84hSUMCm1k=
                  otherkey-kek: Ht8M1nDO/7fay+cft71M2Xy7j30EnLAsA84hSUMCm1k=
                  otherkey2-kek: Ht8M1nDO/7fay+cft71M2Xy7j30EnLAsA84hSUMCm1k=
            keyspace_table_columns:
              test_protect_keyspace:
                test_table:
                  col1: "customer_id"
                  col2: "otherkey"
                test_table2:
                  col1: "customer_id2"
                  col2: "otherkey2"
        - CassandraSinkSingle:
            remote_address: "127.0.0.1:9043"
            connect_timeout_ms: 3000