issue-176: root kms client & key provider (#2574)

cloud/blockstore/libs/root_kms/iface/client.cpp

@@ -0,0 +1,52 @@
+#include "client.h"
+
+#include <cloud/blockstore/libs/encryption/encryption_key.h>
+#include <cloud/blockstore/public/api/protos/encryption.pb.h>
+
+namespace NCloud::NBlockStore {
+
+using namespace NThreading;
+
+namespace {
+
+////////////////////////////////////////////////////////////////////////////////
+
+class TRootKmsClientStub: public IRootKmsClient
+{
+public:
+    void Start() override
+    {}
+
+    void Stop() override
+    {}
+
+    auto Decrypt(const TString& keyId, const TString& ciphertext)
+        -> TFuture<TResultOrError<TEncryptionKey>> override
+    {
+        Y_UNUSED(keyId);
+        Y_UNUSED(ciphertext);
+        return MakeFuture<TResultOrError<TEncryptionKey>>(TErrorResponse(
+            E_NOT_IMPLEMENTED,
+            "RootKmsClientStub can't decrypt cyphertext"));
+    }
+
+    auto GenerateDataEncryptionKey(const TString& keyId)
+        -> TFuture<TResultOrError<NProto::TKmsKey>> override
+    {
+        Y_UNUSED(keyId);
+        return MakeFuture<TResultOrError<NProto::TKmsKey>>(TErrorResponse(
+            E_NOT_IMPLEMENTED,
+            "RootKmsClientStub can't generate DEK"));
+    }
+};
+
+}   // namespace
+
+////////////////////////////////////////////////////////////////////////////////
+
+IRootKmsClientPtr CreateRootKmsClientStub()
+{
+    return std::make_shared<TRootKmsClientStub>();
+}
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/root_kms/iface/client.h

@@ -0,0 +1,38 @@
+#pragma once
+
+#include "public.h"
+
+#include <cloud/storage/core/libs/common/error.h>
+#include <cloud/storage/core/libs/common/startable.h>
+
+#include <library/cpp/threading/future/future.h>
+
+namespace NCloud::NBlockStore {
+
+////////////////////////////////////////////////////////////////////////////////
+
+class TEncryptionKey;
+
+namespace NProto {
+
+class TKmsKey;
+
+}   // namespace NProto
+
+////////////////////////////////////////////////////////////////////////////////
+
+struct IRootKmsClient
+    : public IStartable
+{
+    virtual auto Decrypt(const TString& keyId, const TString& ciphertext)
+        -> NThreading::TFuture<TResultOrError<TEncryptionKey>> = 0;
+
+    virtual auto GenerateDataEncryptionKey(const TString& keyId)
+        -> NThreading::TFuture<TResultOrError<NProto::TKmsKey>> = 0;
+};
+
+////////////////////////////////////////////////////////////////////////////////
+
+IRootKmsClientPtr CreateRootKmsClientStub();
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/root_kms/iface/key_provider.cpp

@@ -0,0 +1,66 @@
+#include "key_provider.h"
+
+#include "client.h"
+
+#include <cloud/blockstore/libs/encryption/encryption_key.h>
+#include <cloud/storage/core/libs/coroutine/executor.h>
+
+#include <library/cpp/string_utils/base64/base64.h>
+
+#include <util/generic/string.h>
+#include <util/string/builder.h>
+
+namespace NCloud::NBlockStore {
+
+using namespace NThreading;
+
+namespace {
+
+////////////////////////////////////////////////////////////////////////////////
+
+class TRootKmsKeyProvider
+    : public IRootKmsKeyProvider
+{
+private:
+    const IRootKmsClientPtr Client;
+    const TString KeyId;
+
+public:
+    TRootKmsKeyProvider(
+            IRootKmsClientPtr client,
+            TString keyId)
+        : Client(std::move(client))
+        , KeyId(std::move(keyId))
+    {}
+
+    auto GetKey(const NProto::TKmsKey& kmsKey, const TString& diskId)
+        -> TFuture<TResultOrError<TEncryptionKey>> override
+    {
+        Y_UNUSED(diskId);
+
+        return Client->Decrypt(kmsKey.GetKekId(), kmsKey.GetEncryptedDEK());
+    }
+
+    auto GenerateDataEncryptionKey(const TString& diskId)
+        -> TFuture<TResultOrError<NProto::TKmsKey>> override
+    {
+        Y_UNUSED(diskId);
+
+        return Client->GenerateDataEncryptionKey(KeyId);
+    }
+};
+
+}   // namespace
+
+////////////////////////////////////////////////////////////////////////////////
+
+IRootKmsKeyProviderPtr CreateRootKmsKeyProvider(
+    IRootKmsClientPtr client,
+    TString keyId)
+{
+    return std::make_shared<TRootKmsKeyProvider>(
+        std::move(client),
+        std::move(keyId));
+}
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/root_kms/iface/key_provider.h

@@ -0,0 +1,16 @@
+#pragma once
+
+#include "public.h"
+
+#include <cloud/blockstore/libs/encryption/public.h>
+#include <cloud/storage/core/libs/common/error.h>
+
+namespace NCloud::NBlockStore {
+
+////////////////////////////////////////////////////////////////////////////////
+
+IRootKmsKeyProviderPtr CreateRootKmsKeyProvider(
+    IRootKmsClientPtr client,
+    TString keyId);
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/root_kms/iface/public.h

@@ -0,0 +1,12 @@
+#pragma once
+
+#include <memory>
+
+namespace NCloud::NBlockStore {
+
+////////////////////////////////////////////////////////////////////////////////
+
+struct IRootKmsClient;
+using IRootKmsClientPtr = std::shared_ptr<IRootKmsClient>;
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/root_kms/iface/ya.make

@@ -0,0 +1,13 @@
+LIBRARY()
+
+SRCS(
+    client.cpp
+    key_provider.cpp
+)
+
+PEERDIR(
+    cloud/blockstore/config
+    cloud/blockstore/libs/common
+)
+
+END()