Skip to content

Commit

Permalink
feat: add env variable for enable key manager service (#5442)
Browse files Browse the repository at this point in the history 
Co-authored-by: dracarys18 <[email protected]>
  • Loading branch information
@ArjunKarthik @dracarys18
ArjunKarthik and dracarys18 committed Jul 29, 2024
1 parent 2d235a6 commit 344661b
Show file tree
Hide file tree
Showing 7 changed files with 65 additions and 83 deletions.
1 change: 1 addition & 0 deletions crates/common_utils/src/types/keymanager.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ use crate::{

#[derive(Debug)]
pub struct KeyManagerState {
pub enabled: Option<bool>,
pub url: String,
pub client_idle_timeout: Option<u64>,
#[cfg(feature = "keymanager_mtls")]
Expand Down
135 changes: 56 additions & 79 deletions crates/hyperswitch_domain_models/src/type_encryption.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,26 +17,19 @@ mod encrypt {
crypto,
encryption::Encryption,
errors::{self, CustomResult},
types::keymanager::{Identifier, KeyManagerState},
keymanager::call_encryption_service,
transformers::{ForeignFrom, ForeignTryFrom},
types::keymanager::{
BatchDecryptDataResponse, BatchEncryptDataRequest, BatchEncryptDataResponse,
DecryptDataResponse, EncryptDataRequest, EncryptDataResponse, Identifier,
KeyManagerState, TransientBatchDecryptDataRequest, TransientDecryptDataRequest,
},
};
use error_stack::ResultExt;
use http::Method;
use masking::{PeekInterface, Secret};
use router_env::{instrument, tracing};
use router_env::{instrument, logger, tracing};
use rustc_hash::FxHashMap;
#[cfg(feature = "encryption_service")]
use {
common_utils::{
keymanager::call_encryption_service,
transformers::{ForeignFrom, ForeignTryFrom},
types::keymanager::{
BatchDecryptDataResponse, BatchEncryptDataRequest, BatchEncryptDataResponse,
DecryptDataResponse, EncryptDataRequest, EncryptDataResponse,
TransientBatchDecryptDataRequest, TransientDecryptDataRequest,
},
},
http::Method,
router_env::logger,
};

use super::metrics;

Expand Down Expand Up @@ -104,6 +97,17 @@ mod encrypt {
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError>;
}

fn is_encryption_service_enabled(_state: &KeyManagerState) -> bool {
#[cfg(feature = "encryption_service")]
{
_state.enabled.unwrap_or_default()
}
#[cfg(not(feature = "encryption_service"))]
{
false
}
}

#[async_trait]
impl<
V: crypto::DecodeMessage + crypto::EncodeMessage + Send + 'static,
Expand All @@ -119,12 +123,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::encrypt(masked_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
EncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -156,12 +158,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::decrypt(encrypted_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
DecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -227,13 +227,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_encrypt(masked_data, key, crypt_algo).await
}

#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchEncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -264,13 +261,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_decrypt(encrypted_data, key, crypt_algo).await
}

#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchDecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -356,12 +350,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::encrypt(masked_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
EncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -393,12 +385,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::decrypt(encrypted_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
DecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -465,12 +455,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_encrypt(masked_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchEncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -501,12 +489,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_decrypt(encrypted_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchDecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -590,12 +576,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::encrypt(masked_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
EncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -627,12 +611,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<Self, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::decrypt(encrypted_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
DecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -694,13 +676,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_encrypt(masked_data, key, crypt_algo).await
}

#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchEncryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down Expand Up @@ -731,12 +710,10 @@ mod encrypt {
key: &[u8],
crypt_algo: V,
) -> CustomResult<FxHashMap<String, Self>, errors::CryptoError> {
#[cfg(not(feature = "encryption_service"))]
{
// If encryption service is not enabled, fall back to application encryption or else call encryption service
if !is_encryption_service_enabled(state) {
Self::batch_decrypt(encrypted_data, key, crypt_algo).await
}
#[cfg(feature = "encryption_service")]
{
} else {
let result: Result<
BatchDecryptDataResponse,
error_stack::Report<errors::KeyManagerClientError>,
Expand Down
5 changes: 3 additions & 2 deletions crates/router/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,11 @@ license.workspace = true
default = ["kv_store", "stripe", "oltp", "olap", "accounts_cache", "dummy_connector", "payouts", "payout_retry", "retry", "frm", "tls", "v1"]
olap = ["hyperswitch_domain_models/olap", "storage_impl/olap", "scheduler/olap", "api_models/olap", "dep:analytics"]
tls = ["actix-web/rustls-0_22"]
keymanager_mtls = ["reqwest/rustls-tls", "common_utils/keymanager_mtls"]
encryption_service = ["hyperswitch_domain_models/encryption_service", "common_utils/encryption_service"]
email = ["external_services/email", "scheduler/email", "olap"]
# keymanager_create, keymanager_mtls, encryption_service should not be removed or added to default feature. Once this features were enabled it can't be disabled as these are breaking changes.
keymanager_create = []
keymanager_mtls = ["reqwest/rustls-tls", "common_utils/keymanager_mtls"]
encryption_service = ["hyperswitch_domain_models/encryption_service", "common_utils/encryption_service"]
frm = ["api_models/frm", "hyperswitch_domain_models/frm", "hyperswitch_connectors/frm", "hyperswitch_interfaces/frm"]
stripe = ["dep:serde_qs"]
release = ["stripe", "email", "accounts_cache", "kv_store", "vergen", "recon", "external_services/aws_kms", "external_services/aws_s3", "keymanager_mtls", "keymanager_create", "encryption_service"]
Expand Down
1 change: 1 addition & 0 deletions crates/router/src/configs/defaults.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8936,6 +8936,7 @@ impl Default for super::settings::ApiKeys {
impl Default for super::settings::KeyManagerConfig {
fn default() -> Self {
Self {
enabled: None,
url: String::from("localhost:5000"),
#[cfg(feature = "keymanager_mtls")]
ca: String::default().into(),
Expand Down
1 change: 1 addition & 0 deletions crates/router/src/configs/settings.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,7 @@ pub struct KvConfig {

#[derive(Debug, Deserialize, Clone)]
pub struct KeyManagerConfig {
pub enabled: Option<bool>,
pub url: String,
#[cfg(feature = "keymanager_mtls")]
pub cert: Secret<String>,
Expand Down
4 changes: 2 additions & 2 deletions crates/router/src/routes/admin.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -772,15 +772,15 @@ pub async fn merchant_account_transfer_keys(
payload: web::Json<api_models::admin::MerchantKeyTransferRequest>,
) -> HttpResponse {
let flow = Flow::ConfigKeyFetch;
api::server_wrap(
Box::pin(api::server_wrap(
flow,
state,
&req,
payload.into_inner(),
|state, _, req, _| transfer_key_store_to_key_manager(state, req),
&auth::AdminApiAuth,
api_locking::LockAction::NotApplicable,
)
))
.await
}

Expand Down
1 change: 1 addition & 0 deletions crates/router/src/types/domain/types.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ impl From<&crate::SessionState> for KeyManagerState {
fn from(state: &crate::SessionState) -> Self {
let conf = state.conf.key_manager.get_inner();
Self {
enabled: conf.enabled,
url: conf.url.clone(),
client_idle_timeout: state.conf.proxy.idle_pool_connection_timeout,
#[cfg(feature = "keymanager_mtls")]
Expand Down

0 comments on commit 344661b

Please sign in to comment.