cosmian_kms_server_database 5.12.0

Crate containing the database for the Cosmian KMS server and the supported stores
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

use async_trait::async_trait;
use cosmian_kmip::kmip_2_1::{
    kmip_attributes::Attributes,
    kmip_data_structures::KeyMaterial,
    kmip_objects::{
        Certificate, Object, OpaqueObject, PrivateKey, PublicKey, SecretData, SymmetricKey,
    },
    kmip_types::KeyFormatType,
};
use cosmian_kms_interfaces::ObjectsStore;
use cosmian_logger::{debug, error, info, trace};
use serde_json::Value;
use sqlx::{Executor, IntoArguments, Row};

use crate::{
    DbError,
    error::{DbResult, DbResultHelper},
    stores::{
        migrate::{DbState, HasDatabase, Migrate, SqlMigrate},
        sql::{database::SqlDatabase, migrations::key_material_old::KeyMaterial421},
    },
};

#[async_trait(?Send)]
impl<T, DB> Migrate for T
where
    T: SqlDatabase<DB> + ObjectsStore + HasDatabase<Database = DB>,
    DB: sqlx::Database,
    for<'z> &'z mut DB::Connection: Executor<'z, Database = DB>,
    for<'z> DB::Arguments<'z>: IntoArguments<'z, DB>,
    for<'z> i16: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> String: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> &'z str: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> Vec<u8>: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'w, 'z> sqlx::types::Json<&'w Value>: sqlx::Encode<'z, DB>,
    for<'z> sqlx::types::Json<Value>: sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    usize: sqlx::ColumnIndex<<DB as sqlx::Database>::Row>,
{
    async fn get_db_state(&self) -> DbResult<Option<DbState>> {
        match sqlx::query(self.get_query("select-parameter")?)
            .bind("db_state")
            .fetch_optional(self.get_pool())
            .await
            .map_err(DbError::from)?
        {
            None => {
                trace!("No state found, old KMS version database");
                Ok(None)
            }
            Some(row) => {
                let json = row.get::<String, _>(0);
                Ok(Some(
                    serde_json::from_str(&json).context("failed deserializing the DB state")?,
                ))
            }
        }
    }

    async fn set_db_state(&self, state: DbState) -> DbResult<()> {
        sqlx::query(self.get_query("upsert-parameter")?)
            .bind("db_state")
            .bind(serde_json::to_string(&state).context("failed serializing the DB state")?)
            .execute(self.get_pool())
            .await
            .map_err(DbError::from)?;
        Ok(())
    }

    async fn get_current_db_version(&self) -> DbResult<Option<String>> {
        sqlx::query(self.get_query("select-parameter")?)
            .bind("db_version")
            .fetch_optional(self.get_pool())
            .await
            .map_err(DbError::from)?
            .map_or_else(
                || {
                    trace!("No current DB version, old KMS version database");
                    Ok(None)
                },
                |row| Ok(Some(row.get::<String, _>(0))),
            )
    }

    async fn set_current_db_version(&self, version: &str) -> DbResult<()> {
        sqlx::query(self.get_query("upsert-parameter")?)
            .bind("db_version")
            .bind(version)
            .execute(self.get_pool())
            .await
            .map_err(DbError::from)?;
        Ok(())
    }
}

#[async_trait(?Send)]
impl<T, DB> SqlMigrate<DB> for T
where
    T: SqlDatabase<DB> + ObjectsStore + HasDatabase<Database = DB>,
    DB: sqlx::Database,
    for<'z> &'z mut DB::Connection: Executor<'z, Database = DB>,
    for<'z> DB::Arguments<'z>: IntoArguments<'z, DB>,
    for<'z> i16: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> String: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> &'z str: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'z> Vec<u8>: sqlx::Encode<'z, DB> + sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    for<'w, 'z> sqlx::types::Json<&'w Value>: sqlx::Encode<'z, DB>,
    for<'z> sqlx::types::Json<Value>: sqlx::Decode<'z, DB> + sqlx::Type<DB>,
    usize: sqlx::ColumnIndex<<DB as sqlx::Database>::Row>,
{
    async fn migrate_from_4_12_0_to_4_13_0(&self) -> DbResult<()> {
        trace!("Migrating from 4.12.0 to 4.13.0");

        // Add the column attributes to the objects' table
        if sqlx::query("SELECT attributes from objects")
            .execute(self.get_pool())
            .await
            .is_ok()
        {
            trace!("Column attributes already exists, nothing to do");
            return Ok(());
        }

        trace!("Column attributes does not exist, adding it");
        sqlx::query(self.get_query("add-column-attributes")?)
            .execute(self.get_pool())
            .await
            .map_err(DbError::from)?;

        // Fill the `attributes` column with the object attributes
        let uids = sqlx::query("SELECT id FROM objects")
            .fetch_all(self.get_pool())
            .await?
            .into_iter()
            .map(|row| row.get::<String, _>(0))
            .collect::<Vec<String>>();
        trace!("uids={}", uids.len());

        let select_query = format!(
            "SELECT object FROM objects WHERE id = {binder}",
            binder = self.binder(1)
        );
        let update_query = self.get_query("update-object-with-object")?;
        for uid in &uids {
            trace!("migrating object with id={uid}");
            let op_fut = async {
                let row = sqlx::query(select_query.as_str())
                    .bind(uid)
                    .fetch_one(self.get_pool())
                    .await?;

                // Before 4.22.1, serialization to JSON was done with the `DBObject` struct
                let db_object: Value = serde_json::from_slice(&row.get::<Vec<u8>, _>(0))
                    .context("migrate_from_4_12_0_to_4_13_0 failed deserializing the object")?;
                let object = db_object_to_object(&db_object)?;
                let object_json = serde_json::to_value(&object).context(
                    "migrate_from_4_12_0_to_4_13_0 failed: failed to serialize the object",
                )?;
                trace!(
                    "migrate_from_4_12_0_to_4_13_0: object (type: {})={:?}",
                    object.object_type(),
                    uid
                );
                let mut attributes = match object.attributes() {
                    Ok(attrs) => attrs.clone(),
                    Err(_error) => {
                        // For example, a Certificate object has no KMIP-attribute
                        Attributes::default()
                    }
                };
                attributes.set_object_type(object.object_type());
                trace!("attributes={}", attributes);
                let attributes_json = serde_json::to_value(&attributes).context(
                    "migrate_from_4_12_0_to_4_13_0: failed serializing the attributes to JSON",
                )?;
                // Update the object and attributes in the database
                sqlx::query(update_query)
                    .bind(object_json)
                    .bind(attributes_json)
                    .bind(uid.to_owned())
                    .execute(self.get_pool())
                    .await?;
                Ok::<_, DbError>(())
            };
            if let Err(e) = op_fut.await {
                error!("migrate_from_4_12_0_to_4_13_0: failed migrating {uid}: {e}");
            }
        }
        info!(
            "Migration from 4.12.0 to 4.13.0 completed: {} objects migrated",
            uids.len()
        );
        Ok(())
    }

    async fn migrate_to_4_22_2(&self) -> DbResult<()> {
        debug!("Migrating to 4.22.1+");

        let uids = sqlx::query("SELECT id FROM objects")
            .fetch_all(self.get_pool())
            .await?
            .into_iter()
            .map(|row| row.get::<String, _>(0))
            .collect::<Vec<String>>();

        let select_query = format!(
            "SELECT object, attributes FROM objects WHERE id = {binder}",
            binder = self.binder(1)
        );
        let update_query = self.get_query("update-object-with-object")?;
        for uid in &uids {
            trace!("migrate to 4_22_1+: migrating object with id={uid}");
            let op_fut = async {
                let row = sqlx::query(select_query.as_str())
                    .bind(uid)
                    .fetch_one(self.get_pool())
                    .await?;
                // Migrate DBObject --> Object
                let db_object_json = row.get::<Value, _>(0);
                if let Ok(_e) = serde_json::from_value::<Object>(db_object_json.clone()) {
                    // already migrated
                    return Ok::<_, DbError>(());
                }
                let db_object_value: Value = serde_json::from_value(db_object_json)
                    .context("failed deserializing the object")?;

                let object = db_object_to_object(&db_object_value)?;

                let object_json = serde_json::to_value(&object)
                    .context("migration to 4.22.1+ failed: failed to serialize the object")?;
                // Migrate Attributes --> Attributes
                let attributes_json = row.get::<Value, usize>(1);
                let mut attributes: Attributes = serde_json::from_value(attributes_json)
                    .context("migration to 4.22.1+ failed: failed to deserialize the attributes")?;
                // update an issue that ObjectType is not always correctly set (e.g., certificates)
                attributes.object_type = Some(object.object_type());
                let attributes_json = serde_json::to_value(attributes)
                    .context("migration to 4.22.1+ failed: serializing the attributes to JSON")?;
                // Update the object and attributes in the database
                sqlx::query(update_query)
                    .bind(object_json)
                    .bind(attributes_json)
                    .bind(uid.to_owned())
                    .execute(self.get_pool())
                    .await?;
                Ok::<_, DbError>(())
            };
            if let Err(e) = op_fut.await {
                error!("migration to 4.22.1+ failed migrating {uid}: {e}");
            }
        }
        info!(
            "Migration to 4.22.1+ completed: {} objects migrated",
            uids.len()
        );
        Ok(())
    }
}

#[expect(dead_code)]
fn db_object_to_object(db_object: &Value) -> Result<Object, DbError> {
    let object_type = db_object["object_type"].as_str().ok_or_else(|| {
        DbError::DatabaseError(format!(
            "migration to 4.22.1+ failed: object_type not found in object: {db_object:?}",
        ))
    })?;
    let mut content = db_object["object"].clone();
    // make sure we can actually deserialize and re-serialize the objects
    Ok(match object_type {
        "PrivateKey" => {
            migrate_key_material(&mut content)?;
            let obj = serde_json::from_value::<PrivateKey>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize PrivateKey: {e}"
                ))
            })?;
            Object::PrivateKey(obj)
        }
        "PublicKey" => {
            let obj = serde_json::from_value::<PublicKey>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize PublicKey: {e}"
                ))
            })?;
            Object::PublicKey(obj)
        }
        "Certificate" => {
            let obj = serde_json::from_value::<Certificate>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize Certificate: {e}"
                ))
            })?;
            Object::Certificate(obj)
        }
        "SymmetricKey" => {
            let obj = serde_json::from_value::<SymmetricKey>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize SymmetricKey: {e}"
                ))
            })?;
            Object::SymmetricKey(obj)
        }
        "SecretData" => {
            let obj = serde_json::from_value::<SecretData>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize SecretData: {e}"
                ))
            })?;
            Object::SecretData(obj)
        }
        "OpaqueObject" => {
            let obj = serde_json::from_value::<OpaqueObject>(content).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: failed to deserialize OpaqueObject: {e}"
                ))
            })?;
            Object::OpaqueObject(obj)
        }
        x => {
            return Err(DbError::DatabaseError(format!(
                "migration to 4.22.1+ failed: unknown object type: {x}"
            )));
        }
    })
}
/// Migrate the `KeyMaterial` which used `BigUint` to `KeyMaterial` which uses `BigInt`
fn migrate_key_material(content: &mut Value) -> Result<(), DbError> {
    let key_format_type = content
        .get("KeyBlock")
        .and_then(|kb| kb.get("KeyFormatType"))
        .and_then(|kft| kft.as_str())
        .ok_or_else(|| {
            DbError::DatabaseError(format!(
                "migration to 4.22.1+ failed: KeyFormatType not found in object: {content:?}",
            ))
        })
        .and_then(|kft_str| {
            KeyFormatType::try_from(kft_str).map_err(|e| {
                DbError::DatabaseError(format!(
                    "migration to 4.22.1+ failed: Unknown KeyFormatType: {e}"
                ))
            })
        })?;

    let key_material_value = content
        .get("KeyBlock")
        .and_then(|kb| kb.get("KeyValue"))
        .and_then(|kv| kv.get("KeyMaterial"))
        .ok_or_else(|| {
            DbError::DatabaseError(format!(
                "migration to 4.22.1+ failed: KeyMaterial not found in object: {content:?}",
            ))
        })?;

    let key_material_4_21: KeyMaterial421 = serde_json::from_value(key_material_value.clone())
        .map_err(|e| {
            DbError::DatabaseError(format!(
                "migration to 4.22.1+ failed: failed to deserialize KeyMaterial 4.21: {e}"
            ))
        })?;
    let key_material: KeyMaterial = key_material_4_21.into();

    // Safely update the nested value
    if let Some(key_block) = content.get_mut("KeyBlock") {
        if let Some(key_value) = key_block.get_mut("KeyValue") {
            if let Some(key_material_field) = key_value.get_mut("KeyMaterial") {
                *key_material_field = key_material.to_json_value(key_format_type).map_err(|e| {
                    DbError::DatabaseError(format!(
                        "migration to 4.22.1+ failed: failed to serialize KeyMaterial: {e}"
                    ))
                })?;
            }
        }
    }
    Ok(())
}