zerokms_protocol/

lib.rs

mod base64_array;
mod base64_vec;
mod error;
mod identified_by;

use cts_common::claims::{
    ClientPermission, DataKeyPermission, KeysetPermission, Permission, Scope,
};
pub use identified_by::*;

mod unverified_context;

use serde::{Deserialize, Serialize};
use std::{
    borrow::Cow,
    fmt::{self, Debug, Display, Formatter},
    ops::Deref,
};
use uuid::Uuid;
use zeroize::{Zeroize, ZeroizeOnDrop};

pub use cipherstash_config;
/// Re-exports
pub use error::*;

pub use crate::unverified_context::{UnverifiedContext, UnverifiedContextValue};
pub use crate::{IdentifiedBy, Name};
pub mod testing;

pub trait ViturResponse: Serialize + for<'de> Deserialize<'de> + Send {}

pub trait ViturRequest: Serialize + for<'de> Deserialize<'de> + Sized + Send {
    type Response: ViturResponse;

    const SCOPE: Scope;
    const ENDPOINT: &'static str;
}

/// Request message to create a new [Keyset] with the given name and description.
///
/// Requies the `dataset:create` scope.
#[derive(Debug, Serialize, Deserialize)]
pub struct CreateKeysetRequest<'a> {
    pub name: Cow<'a, str>,
    pub description: Cow<'a, str>,
}

impl ViturRequest for CreateKeysetRequest<'_> {
    type Response = Keyset;

    const ENDPOINT: &'static str = "create-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Create));
}

/// Request message to list all [Keyset]s.
///
/// Requires the `dataset:list` scope.
/// Response is a vector of [Keyset]s.
#[derive(Default, Debug, Serialize, Deserialize)]
pub struct ListKeysetRequest {
    #[serde(default)]
    pub show_disabled: bool,
}

impl ViturRequest for ListKeysetRequest {
    type Response = Vec<Keyset>;

    const ENDPOINT: &'static str = "list-keysets";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::List));
}

/// Struct representing a keyset.
/// This is the response to a [CreateKeysetRequest] and a in a vector in the response to a [ListKeysetRequest].
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct Keyset {
    pub id: Uuid,
    pub name: String,
    pub description: String,
    pub is_disabled: bool,
}

impl ViturResponse for Keyset {}
impl ViturResponse for Vec<Keyset> {}

/// Represents an empty response for requests that don't return any data.
#[derive(Default, Debug, Serialize, Deserialize)]
pub struct EmptyResponse {}

impl ViturResponse for EmptyResponse {}

/// Request message to create a new client with the given name, description and keyset_id.
///
/// Requires the `client:create` scope.
/// Response is a [CreateClientResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct CreateClientRequest<'a> {
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,
    pub name: Cow<'a, str>,
    pub description: Cow<'a, str>,
}

impl ViturRequest for CreateClientRequest<'_> {
    type Response = CreateClientResponse;

    const ENDPOINT: &'static str = "create-client";
    const SCOPE: Scope = Scope::with_permission(Permission::Client(ClientPermission::Create));
}

/// Response message to a [CreateClientRequest].
///
/// Contains the `client_id` and the `client_key`, the latter being a base64 encoded 32 byte key.
/// The `client_key` should be considered sensitive and should be stored securely.
#[derive(Debug, Serialize, Deserialize)]
pub struct CreateClientResponse {
    pub id: Uuid,
    #[serde(rename = "dataset_id")]
    pub keyset_id: Uuid,
    pub name: String,
    pub description: String,
    pub client_key: ViturKeyMaterial,
}

impl ViturResponse for CreateClientResponse {}

/// Request message to list all clients.
///
/// Requires the `client:list` scope.
/// Response is a vector of [KeysetClient]s.
#[derive(Debug, Serialize, Deserialize)]
pub struct ListClientRequest;

impl ViturRequest for ListClientRequest {
    type Response = Vec<KeysetClient>;

    const ENDPOINT: &'static str = "list-clients";
    const SCOPE: Scope = Scope::with_permission(Permission::Client(ClientPermission::List));
}

/// Struct representing the keyset ids associated with a client
/// which could be a single keyset or multiple keysets.
#[derive(Debug, Deserialize, Serialize, PartialEq, Eq)]
#[serde(untagged)]
pub enum ClientKeysetId {
    Single(Uuid),
    Multiple(Vec<Uuid>),
}

/// A `Uuid` is comparable with `ClientKeysetId` if the `ClientKeysetId` is a `Single` variant.
impl PartialEq<Uuid> for ClientKeysetId {
    fn eq(&self, other: &Uuid) -> bool {
        if let ClientKeysetId::Single(id) = self {
            id == other
        } else {
            false
        }
    }
}

/// Response type for a [ListClientRequest].
#[derive(Debug, Serialize, Deserialize)]
pub struct KeysetClient {
    pub id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: ClientKeysetId,
    pub name: String,
    pub description: String,
}

impl ViturResponse for Vec<KeysetClient> {}

/// Request message to delete a client and all associated authority keys.
///
/// Requires the `client:revoke` scope.
/// Response is an [DeleteClientResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct DeleteClientRequest {
    pub client_id: Uuid,
}

impl ViturRequest for DeleteClientRequest {
    type Response = DeleteClientResponse;

    const ENDPOINT: &'static str = "delete-client";
    const SCOPE: Scope = Scope::with_permission(Permission::Client(ClientPermission::Delete));
}

#[derive(Default, Debug, Serialize, Deserialize)]
pub struct DeleteClientResponse {}

impl ViturResponse for DeleteClientResponse {}

/// Key material type used in [GenerateKeyRequest] and [RetrieveKeyRequest] as well as [CreateClientResponse].
#[derive(Serialize, Deserialize, Zeroize, ZeroizeOnDrop)]
pub struct ViturKeyMaterial(#[serde(with = "base64_vec")] Vec<u8>);
opaque_debug::implement!(ViturKeyMaterial);

impl From<Vec<u8>> for ViturKeyMaterial {
    fn from(inner: Vec<u8>) -> Self {
        Self(inner)
    }
}

impl Deref for ViturKeyMaterial {
    type Target = [u8];

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Serialize, Deserialize, Zeroize)]
#[serde(transparent)]
pub struct KeyId(#[serde(with = "base64_array")] [u8; 16]);

impl KeyId {
    pub fn into_inner(self) -> [u8; 16] {
        self.0
    }
}

impl Display for KeyId {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        write!(f, "{}", const_hex::encode(self.0))
    }
}

impl From<[u8; 16]> for KeyId {
    fn from(inner: [u8; 16]) -> Self {
        Self(inner)
    }
}

impl AsRef<[u8; 16]> for KeyId {
    fn as_ref(&self) -> &[u8; 16] {
        &self.0
    }
}

/// Represents generated data key material which is used by the client to derive data keys with its own key material.
///
/// Returned in the response to a [GenerateKeyRequest].
#[derive(Debug, Serialize, Deserialize)]
pub struct GeneratedKey {
    pub key_material: ViturKeyMaterial,
    // FIXME: Use Vitamin C Equatable type
    #[serde(with = "base64_vec")]
    pub tag: Vec<u8>,
}

/// Response to a [GenerateKeyRequest].
#[derive(Debug, Serialize, Deserialize)]
pub struct GenerateKeyResponse {
    pub keys: Vec<GeneratedKey>,
}

impl ViturResponse for GenerateKeyResponse {}

/// A specification for generating a data key used in a [GenerateKeyRequest].
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct GenerateKeySpec<'a> {
    // FIXME: Remove ID and have the server generate it instead
    #[serde(alias = "id")]
    pub iv: KeyId,
    // TODO: Deprecate descriptor in favor of context
    pub descriptor: Cow<'a, str>,

    #[serde(default)]
    pub context: Cow<'a, [Context]>,
}

impl<'a> GenerateKeySpec<'a> {
    pub fn new(iv: [u8; 16], descriptor: &'a str) -> Self {
        Self {
            iv: KeyId(iv),
            descriptor: Cow::from(descriptor),
            context: Default::default(),
        }
    }

    pub fn new_with_context(
        iv: [u8; 16],
        descriptor: &'a str,
        context: Cow<'a, [Context]>,
    ) -> Self {
        Self {
            iv: KeyId(iv),
            descriptor: Cow::from(descriptor),
            context,
        }
    }
}
/// Represents a contextual attribute for a data key which is used to "lock" the key to a specific context.
/// Context attributes are included key tag generation which is in turn used as AAD in the final encryption step in the client.
/// Context attributes should _never_ include any sensitive information.
#[derive(Debug, Serialize, Deserialize, Clone)]
// TODO: Use Cow?
pub enum Context {
    /// A tag that can be used to identify the key.
    Tag(String),

    /// A key-value pair that can be used to identify the key.
    /// For example, a key-value pair could be `("user_id", "1234")`.
    Value(String, String),

    /// A claim from the identity of the principal that is requesting the key.
    /// The claim value is read from the claims list after token verification and prior to key generation.
    ///
    /// For example, a claim could be `"sub"`.
    #[serde(alias = "identityClaim")]
    IdentityClaim(String),
}

impl Context {
    pub fn new_tag(tag: impl Into<String>) -> Self {
        Self::Tag(tag.into())
    }

    pub fn new_value(key: impl Into<String>, value: impl Into<String>) -> Self {
        Self::Value(key.into(), value.into())
    }

    pub fn new_identity_claim(claim: &str) -> Self {
        Self::IdentityClaim(claim.to_string())
    }
}

/// A request message to generate a data key made on behalf of a client
/// in the given keyset.
///
/// Requires the `data_key:generate` scope.
/// Response is a [GenerateKeyResponse].
///
/// See also [GenerateKeySpec].
#[derive(Debug, Serialize, Deserialize)]
pub struct GenerateKeyRequest<'a> {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: Option<IdentifiedBy>,
    pub keys: Cow<'a, [GenerateKeySpec<'a>]>,
    #[serde(default)]
    pub unverified_context: Cow<'a, UnverifiedContext>,
}

impl ViturRequest for GenerateKeyRequest<'_> {
    type Response = GenerateKeyResponse;

    const ENDPOINT: &'static str = "generate-data-key";
    const SCOPE: Scope = Scope::with_permission(Permission::DataKey(DataKeyPermission::Generate));
}

/// Returned type from a [RetrieveKeyRequest].
#[derive(Debug, Serialize, Deserialize)]
pub struct RetrievedKey {
    pub key_material: ViturKeyMaterial,
}

/// Response to a [RetrieveKeyRequest].
/// Contains a list of [RetrievedKey]s.
#[derive(Debug, Serialize, Deserialize)]
pub struct RetrieveKeyResponse {
    pub keys: Vec<RetrievedKey>,
}

impl ViturResponse for RetrieveKeyResponse {}

/// A specification for retrieving a data key used in a [RetrieveKeyRequest].
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct RetrieveKeySpec<'a> {
    #[serde(alias = "id")]
    pub iv: KeyId,
    // TODO: Make Descriptor Optional
    pub descriptor: Cow<'a, str>,
    pub tag: Cow<'a, [u8]>,

    #[serde(default)]
    pub context: Cow<'a, [Context]>,

    // Since this field will be removed in the future allow older versions of Vitur to be able to
    // parse a RetrieveKeySpec that doesn't include the tag_version.
    #[serde(default)]
    pub tag_version: usize,
}

impl<'a> RetrieveKeySpec<'a> {
    const DEFAULT_TAG_VERSION: usize = 0;

    pub fn new(id: KeyId, tag: &'a [u8], descriptor: &'a str) -> Self {
        Self {
            iv: id,
            descriptor: Cow::from(descriptor),
            tag: Cow::from(tag),
            context: Cow::Owned(Vec::new()),
            tag_version: Self::DEFAULT_TAG_VERSION,
        }
    }

    pub fn with_context(mut self, context: Cow<'a, [Context]>) -> Self {
        self.context = context;
        self
    }
}

/// Request to retrieve a data key on behalf of a client in the given keyset.
/// Requires the `data_key:retrieve` scope.
/// Response is a [RetrieveKeyResponse].
///
/// See also [RetrieveKeySpec].
#[derive(Debug, Serialize, Deserialize)]
pub struct RetrieveKeyRequest<'a> {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: Option<IdentifiedBy>,
    pub keys: Cow<'a, [RetrieveKeySpec<'a>]>,
    #[serde(default)]
    pub unverified_context: UnverifiedContext,
}

impl ViturRequest for RetrieveKeyRequest<'_> {
    type Response = RetrieveKeyResponse;

    const ENDPOINT: &'static str = "retrieve-data-key";
    const SCOPE: Scope = Scope::with_permission(Permission::DataKey(DataKeyPermission::Retrieve));
}

/// Request to retrieve a data key on behalf of a client in the given keyset.
/// Requires the `data_key:retrieve` scope.
/// Response is a [RetrieveKeyResponse].
///
/// See also [RetrieveKeySpec].
#[derive(Debug, Serialize, Deserialize)]
pub struct RetrieveKeyRequestFallible<'a> {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: Option<IdentifiedBy>,
    pub keys: Cow<'a, [RetrieveKeySpec<'a>]>,
    #[serde(default)]
    pub unverified_context: Cow<'a, UnverifiedContext>,
}

impl ViturRequest for RetrieveKeyRequestFallible<'_> {
    type Response = RetrieveKeyResponseFallible;

    const ENDPOINT: &'static str = "retrieve-data-key-fallible";
    const SCOPE: Scope = Scope::with_permission(Permission::DataKey(DataKeyPermission::Retrieve));
}

/// Response to a [RetrieveKeyRequest] with per-key error handling
#[derive(Debug, Serialize, Deserialize)]
pub struct RetrieveKeyResponseFallible {
    pub keys: Vec<Result<RetrievedKey, String>>, // TODO: Error?
}

impl ViturResponse for RetrieveKeyResponseFallible {}

/// Request message to disable a keyset.
/// Requires the `dataset:disable` scope.
/// Response is an [EmptyResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct DisableKeysetRequest {
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,
}

impl ViturRequest for DisableKeysetRequest {
    type Response = EmptyResponse;

    const ENDPOINT: &'static str = "disable-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Disable));
}

/// Request message to enable a keyset that has was previously disabled.
/// Requires the `dataset:enable` scope.
/// Response is an [EmptyResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct EnableKeysetRequest {
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,
}

impl ViturRequest for EnableKeysetRequest {
    type Response = EmptyResponse;

    const ENDPOINT: &'static str = "enable-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Enable));
}

/// Request message to modify a keyset with the given keyset_id.
/// `name` and `description` are optional and will be updated if provided.
///
/// Requires the `dataset:modify` scope.
/// Response is an [EmptyResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct ModifyKeysetRequest<'a> {
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,

    pub name: Option<Cow<'a, str>>,
    pub description: Option<Cow<'a, str>>,
}

impl ViturRequest for ModifyKeysetRequest<'_> {
    type Response = EmptyResponse;

    const ENDPOINT: &'static str = "modify-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Modify));
}

/// Request message to grant a client access to a keyset.
/// Requires the `dataset:grant` scope.
///
/// Response is an [EmptyResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct GrantKeysetRequest {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,
}

impl ViturRequest for GrantKeysetRequest {
    type Response = EmptyResponse;

    const ENDPOINT: &'static str = "grant-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Grant));
}

/// Request message to revoke a client's access to a keyset.
/// Requires the `dataset:revoke` scope.
/// Response is an [EmptyResponse].
#[derive(Debug, Serialize, Deserialize)]
pub struct RevokeKeysetRequest {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: IdentifiedBy,
}

impl ViturRequest for RevokeKeysetRequest {
    type Response = EmptyResponse;

    const ENDPOINT: &'static str = "revoke-keyset";
    const SCOPE: Scope = Scope::with_permission(Permission::Keyset(KeysetPermission::Revoke));
}

/// Request to load a keyset on behalf of a client.
/// This is used by clients before indexing or querying data and includes
/// key material which can be derived by the client to generate encrypted index terms.
///
/// If a keyset_id is not provided the client's default keyset will be loaded.
///
/// Requires the `data_key:retrieve` scope (though this may change in the future).
/// Response is a [LoadKeysetResponse].
#[derive(Debug, Serialize, Deserialize, PartialEq, PartialOrd)]
pub struct LoadKeysetRequest {
    pub client_id: Uuid,
    #[serde(alias = "dataset_id")]
    pub keyset_id: Option<IdentifiedBy>,
}

impl ViturRequest for LoadKeysetRequest {
    type Response = LoadKeysetResponse;

    const ENDPOINT: &'static str = "load-keyset";

    // NOTE: We don't currently support the ability to allow an operation
    // based on any one of several possible scopes so we'll just use `data_key:retrieve` for now.
    // This should probably be allowed for any operation that requires indexing or querying.
    const SCOPE: Scope = Scope::with_permission(Permission::DataKey(DataKeyPermission::Retrieve));
}

/// Response to a [LoadKeysetRequest].
/// The response includes the key material required to derive data keys.
/// It is analogous to a [RetrieveKeyResponse] but where the server generated the key.
#[derive(Debug, Serialize, Deserialize)]
pub struct LoadKeysetResponse {
    pub partial_index_key: RetrievedKey,
    #[serde(rename = "dataset")]
    pub keyset: Keyset,
}

impl ViturResponse for LoadKeysetResponse {}

#[cfg(test)]
mod test {
    use serde_json::json;
    use uuid::Uuid;

    use crate::{IdentifiedBy, LoadKeysetRequest, Name};

    mod backwards_compatible_deserialisation {
        use super::*;

        #[test]
        fn when_dataset_id_is_uuid() {
            let client_id = Uuid::new_v4();
            let dataset_id = Uuid::new_v4();

            let json = json!({
                "client_id": client_id,
                "dataset_id": dataset_id,
            });

            let req: LoadKeysetRequest = serde_json::from_value(json).unwrap();

            assert_eq!(
                req,
                LoadKeysetRequest {
                    client_id,
                    keyset_id: Some(IdentifiedBy::Uuid(dataset_id))
                }
            );
        }

        #[test]
        fn when_keyset_id_is_uuid() {
            let client_id = Uuid::new_v4();
            let keyset_id = Uuid::new_v4();

            let json = json!({
                "client_id": client_id,
                "keyset_id": keyset_id,
            });

            let req: LoadKeysetRequest = serde_json::from_value(json).unwrap();

            assert_eq!(
                req,
                LoadKeysetRequest {
                    client_id,
                    keyset_id: Some(IdentifiedBy::Uuid(keyset_id))
                }
            );
        }

        #[test]
        fn when_dataset_id_is_id_name() {
            let client_id = Uuid::new_v4();
            let dataset_id = IdentifiedBy::Name(Name::new_untrusted("some-dataset-name"));

            let json = json!({
                "client_id": client_id,
                "dataset_id": dataset_id,
            });

            let req: LoadKeysetRequest = serde_json::from_value(json).unwrap();

            assert_eq!(
                req,
                LoadKeysetRequest {
                    client_id,
                    keyset_id: Some(dataset_id)
                }
            );
        }
    }
}