Merge pull request #11 from ccfelius/secrets

made secrets work
ccfelius · Nov 18, 2024 · 872dbe8 · 872dbe8
2 parents 4baa3ee + 0defac3
commit 872dbe8
Show file tree

Hide file tree

Showing 3 changed files with 107 additions and 26 deletions.
diff --git a/src/core/functions/scalar/encrypt_to_etype.cpp b/src/core/functions/scalar/encrypt_to_etype.cpp
@@ -115,26 +115,46 @@ GetSimpleEncryptionState(ExpressionState &state) {
       "simple_encryption");
 }
 
-unique_ptr<SecretEntry> GetSecretEntry(ExpressionState &state) {
+
+std::string GetKeyFromSecret(ExpressionState &state) {
 
   auto &info = GetEncryptionBindInfo(state);
   auto &secret_manager = SecretManager::Get(info.context);
   auto transaction = CatalogTransaction::GetSystemCatalogTransaction(info.context);
+  auto secret_match = secret_manager.LookupSecret(transaction, "encryption", "encryption");
 
-  return secret_manager.GetSecretByName(transaction, "internal");
-}
+  if (!secret_match.HasMatch()) {
+    throw InvalidInputException("No 'encryption' secret found. Please create a secret with 'CREATE SECRET' first.");
+  }
+
+  auto &secret = secret_match.GetSecret();
+  if (secret.GetType() != "encryption") {
+    throw InvalidInputException("Invalid secret type. Expected 'encryption', got '%s'", secret.GetType());
+  }
+
+  const auto *kv_secret = dynamic_cast<const KeyValueSecret *>(&secret);
+  if (!kv_secret) {
+    throw InvalidInputException("Invalid secret format for 'encryption' secret.");
+  }
 
-void GetKeyFromSecret(shared_ptr<SimpleEncryptionState> simple_encryption_state,
-                      ExpressionState &state) {
+  Value token_value;
+  if (!kv_secret->TryGetValue("token", token_value)) {
+    throw InvalidInputException("'token' not found in 'encryption' secret.");
+  }
+
+//
+//  // Parse optional label parameter
+//  std::string label = ""; // Default to fetching all emails if no label is provided
+//  if (input.named_parameters.find("mail_label") != input.named_parameters.end()) {
+//    label = input.named_parameters.at("mail_label").GetValue<std::string>();
+//  }
 
-  auto secret_entry = GetSecretEntry(state);
-  auto &secret = secret_entry->secret;
-  auto encryption_secret = KeyValueSecret(*secret);
+  std::string token = token_value.ToString();
 
-  // do some stuffffff
-  auto x = encryption_secret.redact_keys;
+  return token;
 }
 
+
 bool HasSpace(shared_ptr<SimpleEncryptionState> simple_encryption_state,
               uint64_t size) {
   uint32_t max_value = ~0u;
@@ -144,6 +164,7 @@ bool HasSpace(shared_ptr<SimpleEncryptionState> simple_encryption_state,
   return false;
 }
 
+
 void SetIV(shared_ptr<SimpleEncryptionState> simple_encryption_state) {
   simple_encryption_state->iv[0] = simple_encryption_state->iv[1] = 0;
   simple_encryption_state->encryption_state->GenerateRandomData(
@@ -180,7 +201,7 @@ void EncryptToEtype(LogicalType result_struct, Vector &input_vector,
   result.ReferenceAndSetType(struct_vector);
 
   if ((simple_encryption_state->counter == 0) || (HasSpace(simple_encryption_state, size) == false)) {
-    // generate new random IV and reset counter
+    // generate new random IV and reset counter (if strart or if there is no space left)
     SetIV(simple_encryption_state);
     simple_encryption_state->counter = 0;
   }
@@ -214,6 +235,8 @@ void EncryptToEtype(LogicalType result_struct, Vector &input_vector,
         return ENCRYPTED_TYPE{simple_encryption_state->iv[0],
                               simple_encryption_state->iv[1], encrypted_data};
       });
+
+  encryption_state->Finalize(simple_encryption_state->buffer_p, 0, nullptr, NULL);
 }
 
 template <typename T>
@@ -252,6 +275,12 @@ static void EncryptDataToEtype(DataChunk &args, ExpressionState &state,
   auto vector_type = input_vector.GetType();
   auto size = args.size();
 
+  // Get the encryption key from DuckDB Secrets Manager
+  auto encryption_key = GetKeyFromSecret(state);
+
+  // Check if a key is already present in the state
+  // if not, generate a new key
+
   // Get the encryption key from client input
   auto &key_vector = args.data[1];
   D_ASSERT(key_vector.GetVectorType() == VectorType::CONSTANT_VECTOR);

diff --git a/src/core/functions/secrets/authentication.cpp b/src/core/functions/secrets/authentication.cpp
@@ -35,12 +35,12 @@ bool CheckKeySize(const uint32_t size){
   case 32:
     return true;
   default:
-    throw InvalidInputException("Invalid size for data encryption key: '%d', expected: 16, 24, or 32", size);
+    return false;
   }
 }
 
-string_t GetDataEncryptionKey(const uint32_t size){
 
+string_t GetDataEncryptionKey(const uint32_t size){
   switch(size){
   case 16:
     return GenerateDataEncryptionKey(16);
@@ -53,6 +53,7 @@ string_t GetDataEncryptionKey(const uint32_t size){
   }
 }
 
+
 // This code partly copied / inspired by the gsheets extension for duckdb
 static void AddSecretParameter(const std::string &key, const CreateSecretInput &input,
                        KeyValueSecret &result) {
@@ -64,39 +65,55 @@ static void AddSecretParameter(const std::string &key, const CreateSecretInput &
   }
 }
 
+
 static void RegisterCommonSecretParameters(CreateSecretFunction &function) {
-  function.named_parameters["client"] = LogicalType::VARCHAR;
-  function.named_parameters["master"] = LogicalType::VARCHAR;
-  function.named_parameters["key_id"] = LogicalType::VARCHAR;
+  function.named_parameters["key_value"] = LogicalType::VARCHAR;
+  function.named_parameters["key_name"] = LogicalType::VARCHAR;
+  function.named_parameters["length"] = LogicalType::INTEGER;
 }
 
-static void InsertColumnKeys(KeyValueSecret &result, string column_key_name) {
-  result.redact_keys.insert(column_key_name);
+
+static void RedactSensitiveKeys(KeyValueSecret &result) {
+  result.redact_keys.insert("token");
 }
 
-static unique_ptr<BaseSecret>
-CreateKeyEncryptionKey(ClientContext &context, CreateSecretInput &input) {
 
-  // leave this for now
+static unique_ptr<BaseSecret> CreateKeyEncryptionKey(ClientContext &context, CreateSecretInput &input) {
+
   auto scope = input.scope;
 
   // create new KV secret
   auto result =
       make_uniq<KeyValueSecret>(scope, input.type, input.provider, input.name);
 
-  // Manage specific secret options
-  // can be called if a data encryption key (DEK) needs to be stored
-  AddSecretParameter("column_encryption_key", input, *result);
+  // check key size
+  auto length = input.options["length"].GetValue<uint32_t>();
+
+  if (!CheckKeySize(length)){
+    throw InvalidInputException("Invalid size for encryption key: '%d', expected: 16, 24, or 32", length);
+  }
+
+
+  // get the results from the user input
+  auto password = input.options["key_value"].GetValue<std::string>();
+  auto key_name = input.options["key_name"].GetValue<std::string>();
+
+  // todo: generate key from user input
+  // get token from user input
+  std::string token = "0123456789112345";
+
+  // Store the token in the secret
+  result->secret_map["token"] = Value(token);
 
   // Hide (redact) sensitive information
-  result->redact_keys.insert("column");
+  RedactSensitiveKeys(*result);
 
   return std::move(result);
 }
 
 void CoreSecretFunctions::RegisterStoreEncryptSecretFunction(DatabaseInstance &db) {
 
-  string type = "internal";
+  string type = "encryption";
 
   // Register the new secret type
   SecretType secret_type;

diff --git a/test/sql/secrets/secrets_encryption.test b/test/sql/secrets/secrets_encryption.test
@@ -0,0 +1,35 @@
+# name: test/sql/secrets/secrets_encryption.test
+# description: Test secret creation for internal encryption
+# group: [simple-encryption/secrets]
+
+statement ok
+PRAGMA enable_verification;
+
+require simple_encryption
+
+# Ensure any currently stored secrets don't interfere with the test
+statement ok
+set allow_persistent_secrets=false;
+
+# Create an internal secret (for internal encryption of columns)
+statement ok
+CREATE SECRET test_key (
+	TYPE ENCRYPTION,
+    KEY_NAME 'key_1',
+    KEY_VALUE '0123456789112345',
+    LENGTH 16
+);
+
+# Create an internal secret (for internal encryption of columns)
+statement error
+CREATE SECRET test_wrong_length (
+	TYPE ENCRYPTION,
+    KEY_NAME 'key_1',
+    KEY_VALUE '0123456789112345',
+    LENGTH 99
+);
+----
+Invalid Input Error: Invalid size for encryption key: '99', expected: 16, 24, or 32
+
+statement ok
+SELECT encrypt(11, '0123456789112345');