trelent-hyok 0.1.12

A Rust library implementing Hold Your Own Key (HYOK) encryption patterns with support for multiple cloud providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

//! Hold Your Own Key (HYOK) encryption service.
//!
//! This library provides a flexible system for managing encrypted data using
//! customer-managed encryption keys. It supports:
//!
//! - Multiple key management services (AWS KMS, Azure Key Vault)
//! - Custom encryption strategies
//! - Key caching and persistence
//! - Type-safe data handling
//!
//! The library follows the envelope encryption pattern where data is encrypted
//! with Data Encryption Keys (DEKs) which are themselves protected by
//! Customer Managed Keys (CMKs).

pub mod cache;
pub mod cmk;
pub mod dek;
pub mod error;
mod held_data;
mod builder;
pub use builder::*;

pub use held_data::*;

use crate::dek::generator::DEKGenerator;
use crate::dek::persistence::DEKPersistService;
use crate::dek::scope::WithScope;
use crate::dek::DEK;
use crate::encryption::EncryptionStrategy;
use crate::error::encryption::EncryptionError;
use crate::error::generator::PersistError;
use futures_util::TryFutureExt;
use std::sync::Arc;

/// Main service for managing encrypted data using the HYOK pattern.
///
/// This service coordinates:
/// - Data Encryption Key (DEK) generation
/// - Key persistence and caching
/// - Encryption/decryption operations
/// - Scope-based key management
///
/// # Type Parameters
///
/// * `S` - The encryption strategy used for data protection
///
/// # Example
/// ```no_run
/// use hyokashi::{HYOKServiceBuilder, EncryptionStrategy};
///
///
///     let service = HYOKServiceBuilder::new()
///         .with_fixed_length_generator(32)
///         .with_aws_cmk(kms_client, "alias/my-key", algorithm)
///         .with_aws_persistence(secrets_client)
///         .build(encryption_strategy)?;
///
///     // Encrypt some data
///     let held = service.hold_value(data, "my-scope".into(), metadata).await?;
///
///     // Decrypt the data
///     let plain = service.release_value(held, "my-scope".into(), metadata).await?;
///
/// ```
pub struct HYOKService<S: EncryptionStrategy> {
    pub(crate) persist_service: Arc<DEKPersistService>,
    pub(crate) generator: DEKGenerator,
    pub(crate) strategy: S,
}

impl<S: EncryptionStrategy<EncryptionData = ED> + Send + Sync, ED: Send> HYOKService<S> {
    /// Creates a new HYOK service instance.
    ///
    /// # Arguments
    ///
    /// * `persist_service` - Service for key persistence and caching
    /// * `generator` - Strategy for generating new DEKs
    /// * `strategy` - Strategy for encrypting/decrypting data
    pub fn new(
        persist_service: Arc<DEKPersistService>,
        generator: DEKGenerator,
        strategy: S
    ) -> Self {
        Self {
            persist_service,
            generator,
            strategy,
        }
    }

    /// Decrypts an object using its scope to locate the appropriate DEK.
    ///
    /// # Arguments
    ///
    /// * `obj` - The encrypted object to decrypt
    ///
    /// # Type Parameters
    ///
    /// * `T` - The encrypted object type
    /// * `C` - The decrypted object type
    ///
    /// # Errors
    ///
    /// Returns an `EncryptionError` if:
    /// - DEK retrieval fails
    /// - Decryption fails
    /// - Type conversion fails
    pub async fn release_object<T, C>(&self, obj: &T) -> Result<C, EncryptionError>
        where T: ReleaseHeldObject<C, S> + WithScope
    {
        let scope = obj.get_scope();
        let dek = self
            .prep_dek(scope)
            .map_err(|e|
                EncryptionError::new(format!("Could not prep DEK, Error: {:?}", e))
            ).await?;
        let result = obj.release_object(dek.into(), &self.strategy).await;
        result
    }

    /// Decrypts a held value using the provided scope and metadata.
    ///
    /// # Arguments
    ///
    /// * `val` - The encrypted value to decrypt
    /// * `scope` - The scope identifier for locating the DEK
    /// * `encryption_data` - Additional metadata needed for decryption
    ///
    /// # Errors
    ///
    /// Returns an `EncryptionError` if:
    /// - DEK retrieval fails
    /// - Decryption fails
    pub async fn release_value(
        &self,
        val: HeldValue,
        scope: String,
        encryption_data: ED
    ) -> Result<Vec<u8>, EncryptionError> {
        let dek = self
            .prep_dek(scope)
            .map_err(|e|
                EncryptionError::new(format!("Could not prep DEK, Error: {:?}", e))
            ).await?;
        let result = val.release(dek.into(), &self.strategy, encryption_data).await;
        result
    }

    /// Encrypts data using a DEK associated with the provided scope.
    ///
    /// # Arguments
    ///
    /// * `val` - The data to encrypt
    /// * `scope` - The scope identifier for key management
    /// * `encryption_data` - Additional metadata needed for encryption
    ///
    /// # Errors
    ///
    /// Returns an `EncryptionError` if:
    /// - DEK retrieval or generation fails
    /// - Encryption fails
    pub async fn hold_value(
        &self,
        val: Vec<u8>,
        scope: String,
        encryption_data: ED
    ) -> Result<HeldValue, EncryptionError> {
        let dek = self
            .prep_dek(scope)
            .map_err(|e|
                EncryptionError::new(format!("Could not prep DEK, Error: {:?}", e))
            ).await?;
        Held(val, dek.into(), &self.strategy, encryption_data).await
    }

    /// Retrieves or generates a DEK for the specified scope.
    ///
    /// # Arguments
    ///
    /// * `scope` - The scope identifier for the DEK
    ///
    /// # Returns
    ///
    /// The DEK associated with the scope, generating and persisting
    /// a new one if none exists.
    ///
    /// # Errors
    ///
    /// Returns a `PersistError` if:
    /// - Key retrieval fails
    /// - Key generation fails
    /// - Key persistence fails
    pub async fn prep_dek(&self, scope: String) -> Result<DEK, PersistError> {
        let fetch_result = self.persist_service.fetch_dek(scope.clone()).await;
        let final_result = match fetch_result {
            Ok(dek) => Ok(dek.into()),
            _ => {
                let dek = self.generator
                    .new_dek()
                    .map_err(|e|
                        PersistError::Error(format!("Could not generate key, Error: {:?}", e))
                    )?;
                self.persist_service.save_dek(scope.clone(), dek.clone()).await?;
                Ok(dek.into())
            }
        };
        final_result
    }
}