Overview ¶
Package encryptor contains code related to parsing DBMS-specific queries that carry raw data which should be encrypted, the encryption logic itself, and the loading of the schema description and encryption settings.
Index ¶
- Constants
- Variables
- func DeletePlaceholderSettingsFromClientSession(session base.ClientSession)
- func DeleteQueryDataItemsFromClientSession(session base.ClientSession)
- func EmptyCheckFunction(setting config.ColumnEncryptionSetting) bool
- func EncryptionSettingFromContext(ctx context.Context) (config.ColumnEncryptionSetting, bool)
- func FilterTableExpressions(statement sqlparser.Statement) (sqlparser.TableExprs, error)
- func GetColumnSetting(column *sqlparser.ColName, tableName string, ...) config.ColumnEncryptionSetting
- func GetWhereStatements(stmt sqlparser.Statement) ([]*sqlparser.Where, error)
- func NewContextWithEncryptionSetting(ctx context.Context, setting config.ColumnEncryptionSetting) context.Context
- func ParsePlaceholderIndex(placeholder *sqlparser.SQLVal) (int, error)
- func ParseSearchQueryPlaceholdersSettings(statement sqlparser.Statement, schemaStore config.TableSchemaStore) map[int]config.ColumnEncryptionSetting
- func PgEncodeToHexString(data []byte) []byte
- func PlaceholderSettingsFromClientSession(session base.ClientSession) map[int]config.ColumnEncryptionSetting
- func SaveQueryDataItemsToClientSession(session base.ClientSession, items []*QueryDataItem)
- func StandaloneAcraBlockEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool
- func StandaloneAcraStructEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool
- func UpdateExpressionValue(ctx context.Context, expr sqlparser.Expr, coder DBDataCoder, ...) error
- func UpdateUnaryExpressionValue(ctx context.Context, expr *sqlparser.UnaryExpr, coder DBDataCoder, ...) error
- type AcrawriterDataEncryptor
- type AliasToTableMap
- type AliasedTableName
- type ChainDataEncryptor
- type CheckFunction
- type ColumnInfo
- type ConfigStorage
- type DBDataCoder
- type DataEncryptor
- type DataEncryptorContext
- type MysqlDBDataCoder
- type PostgresqlDBDataCoder
- type QueryDataEncryptor
- func (encryptor *QueryDataEncryptor) GetQueryEncryptionSettings() []*QueryDataItem
- func (encryptor *QueryDataEncryptor) ID() string
- func (encryptor *QueryDataEncryptor) OnBind(ctx context.Context, statement sqlparser.Statement, values []base.BoundValue) ([]base.BoundValue, bool, error)
- func (encryptor *QueryDataEncryptor) OnColumn(ctx context.Context, data []byte) (context.Context, []byte, error)
- func (encryptor *QueryDataEncryptor) OnQuery(ctx context.Context, query base.OnQueryObject) (base.OnQueryObject, bool, error)
- type QueryDataItem
- type SearchableExprItem
- type SearchableQueryFilter
- type SearchableQueryFilterMode
Constants ¶
const ( QueryFilterModeSearchableEncryption = iota QueryFilterModeConsistentTokenization )
QueryFilterModeSearchableEncryption and QueryFilterModeConsistentTokenization are the supported modes for filtering comparisons over searchable and tokenized values.
const InvalidPlaceholderIndex = -1
InvalidPlaceholderIndex is the value that represents an invalid index for SQL placeholders.
Variables ¶
var ErrInconsistentPlaceholder = errors.New("inconsistent placeholder usage")
ErrInconsistentPlaceholder is returned when a placeholder refers to multiple different columns.
var ErrInvalidPlaceholder = errors.New("invalid placeholder value")
ErrInvalidPlaceholder is returned when Acra cannot parse SQL placeholder expression.
var ErrUnsupportedQueryType = errors.New("unsupported Query type")
ErrUnsupportedQueryType is returned when the query type is not supported.
var ErrUpdateLeaveDataUnchanged = errors.New("updateFunc didn't change data")
ErrUpdateLeaveDataUnchanged indicates that updateFunc did not change the data in UpdateExpressionValue.
Functions ¶
func DeletePlaceholderSettingsFromClientSession ¶
func DeletePlaceholderSettingsFromClientSession(session base.ClientSession)
DeletePlaceholderSettingsFromClientSession deletes the placeholder settings stored in the ClientSession.
func DeleteQueryDataItemsFromClientSession ¶
func DeleteQueryDataItemsFromClientSession(session base.ClientSession)
DeleteQueryDataItemsFromClientSession deletes the QueryDataItems stored in the ClientSession.
func EmptyCheckFunction ¶
func EmptyCheckFunction(setting config.ColumnEncryptionSetting) bool
EmptyCheckFunction always returns false.
func EncryptionSettingFromContext ¶
func EncryptionSettingFromContext(ctx context.Context) (config.ColumnEncryptionSetting, bool)
EncryptionSettingFromContext extracts the column encryption setting from the context, or returns nil if the context does not contain one.
func FilterTableExpressions ¶
func FilterTableExpressions(statement sqlparser.Statement) (sqlparser.TableExprs, error)
FilterTableExpressions checks whether the sqlparser.Statement contains TableExprs and returns them.
func GetColumnSetting ¶
func GetColumnSetting(column *sqlparser.ColName, tableName string, schemaStore config.TableSchemaStore) config.ColumnEncryptionSetting
GetColumnSetting gets the ColumnEncryptionSetting from schemaStore based on tableName and column.
func GetWhereStatements ¶
GetWhereStatements parses all Where expressions of the statement.
func NewContextWithEncryptionSetting ¶
func NewContextWithEncryptionSetting(ctx context.Context, setting config.ColumnEncryptionSetting) context.Context
NewContextWithEncryptionSetting makes a new context carrying the given column encryption setting.
func ParsePlaceholderIndex ¶
ParsePlaceholderIndex parses the placeholder index if the SQLVal is a PgPlaceholder/ValArg; otherwise it returns an error and InvalidPlaceholderIndex.
func ParseSearchQueryPlaceholdersSettings ¶
func ParseSearchQueryPlaceholdersSettings(statement sqlparser.Statement, schemaStore config.TableSchemaStore) map[int]config.ColumnEncryptionSetting
ParseSearchQueryPlaceholdersSettings parses the encryption settings of a statement with placeholders, keyed by placeholder index.
func PgEncodeToHexString ¶
PgEncodeToHexString encodes data to hex with a \x prefix.
func PlaceholderSettingsFromClientSession ¶
func PlaceholderSettingsFromClientSession(session base.ClientSession) map[int]config.ColumnEncryptionSetting
PlaceholderSettingsFromClientSession returns the placeholder-related ColumnEncryptionSettings stored in the client session, or creates a new map and saves it in the session.
func SaveQueryDataItemsToClientSession ¶
func SaveQueryDataItemsToClientSession(session base.ClientSession, items []*QueryDataItem)
SaveQueryDataItemsToClientSession saves a slice of QueryDataItem into the ClientSession.
func StandaloneAcraBlockEncryptorFilterFunction ¶
func StandaloneAcraBlockEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool
StandaloneAcraBlockEncryptorFilterFunction returns true if the operation should be applied, which is only when the setting is configured for encryption without any other operations such as tokenization or masking.
func StandaloneAcraStructEncryptorFilterFunction ¶
func StandaloneAcraStructEncryptorFilterFunction(setting config.ColumnEncryptionSetting) bool
StandaloneAcraStructEncryptorFilterFunction returns true if the operation should be applied, which is only when the setting is configured for encryption without any other operations such as tokenization or masking.
func UpdateExpressionValue ¶
func UpdateExpressionValue(ctx context.Context, expr sqlparser.Expr, coder DBDataCoder, setting config.ColumnEncryptionSetting, updateFunc func(context.Context, []byte) ([]byte, error)) error
UpdateExpressionValue decodes the value from the DB-specific string form to binary, calls updateFunc, encodes the result back into the DB string form, and replaces the value in the expression with the new one.
func UpdateUnaryExpressionValue ¶
func UpdateUnaryExpressionValue(ctx context.Context, expr *sqlparser.UnaryExpr, coder DBDataCoder, setting config.ColumnEncryptionSetting, updateFunc func(context.Context, []byte) ([]byte, error)) error
UpdateUnaryExpressionValue updates a supported unary expression. Currently only `_binary` charset introducers, which are parsed as unary expressions, are supported.
Types ¶
type AcrawriterDataEncryptor ¶
type AcrawriterDataEncryptor struct {
// contains filtered or unexported fields
}
AcrawriterDataEncryptor implements DataEncryptor and encrypts data with AcraStructs.
func NewAcrawriterDataEncryptor ¶
func NewAcrawriterDataEncryptor(keystore keystore.PublicKeyStore) (*AcrawriterDataEncryptor, error)
NewAcrawriterDataEncryptor returns a new AcrawriterDataEncryptor initialized with the keystore.
func NewStandaloneDataEncryptor ¶
func NewStandaloneDataEncryptor(keystore keystore.PublicKeyStore) (*AcrawriterDataEncryptor, error)
NewStandaloneDataEncryptor returns a new DataEncryptor that uses AcraStructs to encrypt data as a separate OnColumn processor, and checks that the passed setting is configured only for transparent AcraStruct encryption.
func (*AcrawriterDataEncryptor) EncryptWithClientID ¶
func (encryptor *AcrawriterDataEncryptor) EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)
EncryptWithClientID encrypts data with an explicit client ID.
type AliasToTableMap ¶
AliasToTableMap stores a table alias as the key and the table name as the value.
func NewAliasToTableMapFromTables ¶
func NewAliasToTableMapFromTables(tables []*AliasedTableName) AliasToTableMap
NewAliasToTableMapFromTables creates an AliasToTableMap from a slice of aliased tables.
type AliasedTableName ¶
type AliasedTableName struct { TableName sqlparser.TableName As sqlparser.TableIdent }
AliasedTableName stores a TableName together with its related As value.
func GetTablesWithAliases ¶
func GetTablesWithAliases(tables sqlparser.TableExprs) []*AliasedTableName
GetTablesWithAliases collects all tables from all update TableExprs, which may be subqueries, tables, joins, etc. It collects only table names and ignores aliases for subqueries.
type ChainDataEncryptor ¶
type ChainDataEncryptor struct {
// contains filtered or unexported fields
}
ChainDataEncryptor implements DataEncryptor and passes data to all encryptors on each call. Every encryptor should return the data untouched if it does nothing with it.
func NewChainDataEncryptor ¶
func NewChainDataEncryptor(encryptors ...DataEncryptor) *ChainDataEncryptor
NewChainDataEncryptor returns a new ChainDataEncryptor.
func (*ChainDataEncryptor) EncryptWithClientID ¶
func (chainEncryptor *ChainDataEncryptor) EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)
EncryptWithClientID encrypts data with an explicit client ID.
type CheckFunction ¶
type CheckFunction func(setting config.ColumnEncryptionSetting) bool
CheckFunction returns true if the operation should be skipped.
type ColumnInfo ¶
ColumnInfo is an info object that represents column data.
func FindColumnInfo ¶
func FindColumnInfo(fromExpr sqlparser.TableExprs, colName *sqlparser.ColName, schemaStore config.TableSchemaStore) (ColumnInfo, error)
FindColumnInfo gets the ColumnInfo from the TableExprs, ColName and TableSchemaStore.
func MapColumnsToAliases ¶
func MapColumnsToAliases(selectQuery *sqlparser.Select, tableSchemaStore config.TableSchemaStore) ([]*ColumnInfo, error)
MapColumnsToAliases parses a slice of ColumnInfo from a sqlparser.Select and a config.TableSchemaStore.
type ConfigStorage ¶
type ConfigStorage interface { filesystem.Storage GetEncryptorConfigPath() string }
ConfigStorage describes the main Storage interface for loading the encryptor config from different sources.
type DBDataCoder ¶
type DBDataCoder interface { Decode(sqlparser.Expr, config.ColumnEncryptionSetting) ([]byte, error) Encode(sqlparser.Expr, []byte, config.ColumnEncryptionSetting) ([]byte, error) }
DBDataCoder encodes/decodes binary data to and from the correct string form for a specific DB.
type DataEncryptor ¶
type DataEncryptor interface { // EncryptWithClientID encrypt with explicit client id EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error) }
DataEncryptor replaces raw data in queries with encrypted data.
type DataEncryptorContext ¶
type DataEncryptorContext struct { Keystore keystore.DataEncryptorKeyStore Context context.Context }
DataEncryptorContext stores data for a DataEncryptor.
type MysqlDBDataCoder ¶
type MysqlDBDataCoder struct{}
MysqlDBDataCoder implements DBDataCoder for MySQL.
func (*MysqlDBDataCoder) Decode ¶
func (*MysqlDBDataCoder) Decode(expr sqlparser.Expr, _ config.ColumnEncryptionSetting) ([]byte, error)
Decode decodes literals from string form to a byte slice.
func (*MysqlDBDataCoder) Encode ¶
func (*MysqlDBDataCoder) Encode(expr sqlparser.Expr, data []byte, _ config.ColumnEncryptionSetting) ([]byte, error)
Encode encodes binary data into the correct literal for this expression.
type PostgresqlDBDataCoder ¶
type PostgresqlDBDataCoder struct{}
PostgresqlDBDataCoder is responsible for decoding/encoding SQL literals before/after the QueryEncryptor handlers.
Acra captures SQL queries like `INSERT INTO users (age, username, email, photo) VALUES (123, 'john_wick', 'johnwick@mail.com', '\xaabbcc');` and manipulates the SQL values `123`, `'john_wick'`, `'johnwick@mail.com'`, `'\xaabbcc'`. In the first stage Acra uses the Decode method to decode the values from SQL literals into binary, or leaves them as is. For example, hex-encoded values are decoded into binary: `'\xaabbcc'` is decoded into []byte{170,187,204} and passed to QueryEncryptor's `EncryptWithClientID` callback. After that the result should be encoded with the Encode method from binary form back into SQL to replace the values in the query.
func (*PostgresqlDBDataCoder) Decode ¶
func (*PostgresqlDBDataCoder) Decode(expr sqlparser.Expr, setting config.ColumnEncryptionSetting) ([]byte, error)
Decode decodes hex/escaped literals to raw binary values for encryption/decryption. String values are left as is because they do not need any decoding. Historically, Int values had support only for tokenization and were operated on as string SQL literals.
func (*PostgresqlDBDataCoder) Encode ¶
func (*PostgresqlDBDataCoder) Encode(expr sqlparser.Expr, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)
Encode encodes binary data into the correct literal for this expression.
type QueryDataEncryptor ¶
type QueryDataEncryptor struct {
// contains filtered or unexported fields
}
QueryDataEncryptor parses queries and encrypts raw data according to the TableSchemaStore.
func NewMysqlQueryEncryptor ¶
func NewMysqlQueryEncryptor(schema config.TableSchemaStore, parser *sqlparser.Parser, dataEncryptor DataEncryptor) (*QueryDataEncryptor, error)
NewMysqlQueryEncryptor creates a QueryDataEncryptor with a MysqlDBDataCoder.
func NewPostgresqlQueryEncryptor ¶
func NewPostgresqlQueryEncryptor(schema config.TableSchemaStore, parser *sqlparser.Parser, dataEncryptor DataEncryptor) (*QueryDataEncryptor, error)
NewPostgresqlQueryEncryptor creates a QueryDataEncryptor with a PostgresqlDBDataCoder.
func (*QueryDataEncryptor) GetQueryEncryptionSettings ¶
func (encryptor *QueryDataEncryptor) GetQueryEncryptionSettings() []*QueryDataItem
GetQueryEncryptionSettings returns the encryptor settings collected in the OnQuery callback.
func (*QueryDataEncryptor) ID ¶
func (encryptor *QueryDataEncryptor) ID() string
ID returns name of this QueryObserver.
func (*QueryDataEncryptor) OnBind ¶
func (encryptor *QueryDataEncryptor) OnBind(ctx context.Context, statement sqlparser.Statement, values []base.BoundValue) ([]base.BoundValue, bool, error)
OnBind processes the bound values of a prepared statement based on the TableSchemaStore.
func (*QueryDataEncryptor) OnColumn ¶
func (encryptor *QueryDataEncryptor) OnColumn(ctx context.Context, data []byte) (context.Context, []byte, error)
OnColumn returns a new context carrying the encryption setting if the info exists; otherwise the column data and the passed context are returned unchanged.
func (*QueryDataEncryptor) OnQuery ¶
func (encryptor *QueryDataEncryptor) OnQuery(ctx context.Context, query base.OnQueryObject) (base.OnQueryObject, bool, error)
OnQuery encrypts raw data in the query according to the TableSchemaStore.
type QueryDataItem ¶
type QueryDataItem struct {
// contains filtered or unexported fields
}
QueryDataItem stores information about a table column and its encryption setting.
func NewQueryDataItem ¶
func NewQueryDataItem(setting config.ColumnEncryptionSetting, tableName, columnName, columnAlias string) *QueryDataItem
NewQueryDataItem creates a new QueryDataItem.
func ParseQuerySettings ¶
func ParseQuerySettings(ctx context.Context, statement *sqlparser.Select, schemaStore config.TableSchemaStore) ([]*QueryDataItem, error)
ParseQuerySettings parses the list of select query settings based on the schemaStore.
func QueryDataItemsFromClientSession ¶
func QueryDataItemsFromClientSession(session base.ClientSession) []*QueryDataItem
QueryDataItemsFromClientSession returns the QueryDataItems from the ClientSession if they were saved, otherwise nil.
func (*QueryDataItem) ColumnAlias ¶
func (q *QueryDataItem) ColumnAlias() string
ColumnAlias returns the column alias if the item was matched as an alias to any data item.
func (*QueryDataItem) ColumnName ¶
func (q *QueryDataItem) ColumnName() string
ColumnName returns the column name if it was matched to any.
func (*QueryDataItem) Setting ¶
func (q *QueryDataItem) Setting() config.ColumnEncryptionSetting
Setting returns the associated ColumnEncryptionSetting, or nil if not found.
func (*QueryDataItem) TableName ¶
func (q *QueryDataItem) TableName() string
TableName returns the table name associated with the item, or an empty string if it is not related to any table or was not recognized.
type SearchableExprItem ¶
type SearchableExprItem struct { Expr *sqlparser.ComparisonExpr Setting config.ColumnEncryptionSetting }
SearchableExprItem represents a filtered value found by SearchableQueryFilter.
type SearchableQueryFilter ¶
type SearchableQueryFilter struct {
// contains filtered or unexported fields
}
SearchableQueryFilter filters searchable expressions based on the SearchableQueryFilterMode.
func NewSearchableQueryFilter ¶
func NewSearchableQueryFilter(schemaStore config.TableSchemaStore, mode SearchableQueryFilterMode) *SearchableQueryFilter
NewSearchableQueryFilter creates a new SearchableQueryFilter from a schemaStore and a SearchableQueryFilterMode.
func (*SearchableQueryFilter) ChangeSearchableOperator ¶
func (filter *SearchableQueryFilter) ChangeSearchableOperator(expr *sqlparser.ComparisonExpr)
ChangeSearchableOperator changes the operator of the ComparisonExpr to EqualStr or NotEqualStr depending on expr.Operator.
func (*SearchableQueryFilter) FilterSearchableComparisons ¶
func (filter *SearchableQueryFilter) FilterSearchableComparisons(statement sqlparser.Statement) []SearchableExprItem
FilterSearchableComparisons filters searchable comparisons from the statement.
type SearchableQueryFilterMode ¶
type SearchableQueryFilterMode int
SearchableQueryFilterMode represents the working mode of a SearchableQueryFilter.