Change the data structure

Author: BewareMyPower

include/pulsar/EncryptionContext.h

@@ -21,6 +21,7 @@
 #include <cstdint>
 #include <string>
 #include <unordered_map>
+#include <vector>
 
 #include "CompressionType.h"
 #include "defines.h"
@@ -34,8 +35,16 @@ class MessageMetadata;
 class Message;
 
 struct PULSAR_PUBLIC EncryptionKey {
+    std::string key;
     std::string value;
     std::unordered_map<std::string, std::string> metadata;
+
+    explicit EncryptionKey() = default;
+
+    // Support in-place construction
+    EncryptionKey(const std::string& key, const std::string& value,
+                  const decltype(EncryptionKey::metadata)& metadata)
+        : key(key), value(value), metadata(metadata) {}
 };
 
 /**
@@ -50,9 +59,10 @@ class PULSAR_PUBLIC EncryptionContext {
           batchSize_(-1),
           isDecryptionFailed_(false) {}
     EncryptionContext(const EncryptionContext&) = default;
+    EncryptionContext(EncryptionContext&&) noexcept = default;
     EncryptionContext(const proto::MessageMetadata& metadata, bool isDecryptionFailed);
 
-    using KeysType = std::unordered_map<std::string, EncryptionKey>;
+    using KeysType = std::vector<EncryptionKey>;
 
     /**
      * @return the map of encryption keys used for the message
@@ -95,15 +105,15 @@ class PULSAR_PUBLIC EncryptionContext {
     bool isDecryptionFailed() const noexcept { return isDecryptionFailed_; }
 
    private:
-    const KeysType keys_;
-    const std::string param_;
-    const std::string algorithm_;
-    const CompressionType compressionType_;
-    const uint32_t uncompressedMessageSize_;
-    const int32_t batchSize_;
-    const bool isDecryptionFailed_;
-
-    friend class MessageImpl;
+    KeysType keys_;
+    std::string param_;
+    std::string algorithm_;
+    CompressionType compressionType_;
+    uint32_t uncompressedMessageSize_;
+    int32_t batchSize_;
+    bool isDecryptionFailed_;
+
+    friend class ConsumerImpl;
 };
 
 }  // namespace pulsar

lib/Commands.cc

@@ -927,9 +927,10 @@ Message Commands::deSerializeSingleMessageInBatch(Message& batchedMessage, int32
     auto messageId = MessageIdBuilder::from(m).batchIndex(batchIndex).batchSize(batchSize).build();
     auto batchedMessageId = std::make_shared<BatchedMessageIdImpl>(*(messageId.impl_), acker);
 
+    // TODO: fix the encryption context is not set
     auto msgImpl = std::make_shared<MessageImpl>(messageId, batchedMessage.impl_->brokerEntryMetadata,
                                                  batchedMessage.impl_->metadata, payload, metadata,
-                                                 batchedMessage.impl_->topicName_, false);
+                                                 batchedMessage.impl_->topicName_, std::nullopt);
     msgImpl->cnx_ = batchedMessage.impl_->cnx_;
 
     return Message(msgImpl);

lib/ConsumerImpl.cc

@@ -554,10 +554,16 @@ void ConsumerImpl::messageReceived(const ClientConnectionPtr& cnx, const proto::
         return;
     }
 
-    auto decryptResult = decryptMessageIfNeeded(cnx, msg, metadata, payload);
+    auto encryptionContext = metadata.encryption_keys_size() > 0
+                                 ? optional<EncryptionContext>{std::in_place, metadata, false}
+                                 : std::nullopt;
+
+    auto decryptResult = decryptMessageIfNeeded(cnx, encryptionContext, payload, msg.message_id());
     if (decryptResult == FAILED) {
         // Message was discarded due to decryption failure or not consumed due to decryption failure
         return;
+    } else if (decryptResult == CONSUME_ENCRYPTED) {
+        encryptionContext->isDecryptionFailed_ = true;
     }
 
     auto redeliveryCount = msg.redelivery_count();
@@ -582,10 +588,8 @@ void ConsumerImpl::messageReceived(const ClientConnectionPtr& cnx, const proto::
         }
     }
 
-    auto msgImpl =
-        std::make_shared<MessageImpl>(messageId, brokerEntryMetadata, metadata, payload, std::nullopt,
-                                      getTopicPtr(), decryptResult == CONSUME_ENCRYPTED);
-    Message m(msgImpl);
+    Message m{std::make_shared<MessageImpl>(messageId, brokerEntryMetadata, metadata, payload, std::nullopt,
+                                            getTopicPtr(), std::move(encryptionContext))};
     m.impl_->cnx_ = cnx.get();
     m.impl_->setRedeliveryCount(msg.redelivery_count());
 
@@ -811,10 +815,10 @@ uint32_t ConsumerImpl::receiveIndividualMessagesFromBatch(const ClientConnection
     return batchSize - skippedMessages;
 }
 
-auto ConsumerImpl::decryptMessageIfNeeded(const ClientConnectionPtr& cnx, const proto::CommandMessage& msg,
-                                          const proto::MessageMetadata& metadata, SharedBuffer& payload)
-    -> DecryptResult {
-    if (metadata.encryption_keys_size() == 0) {
+auto ConsumerImpl::decryptMessageIfNeeded(const ClientConnectionPtr& cnx,
+                                          const optional<EncryptionContext>& context, SharedBuffer& payload,
+                                          const proto::MessageIdData& msgId) -> DecryptResult {
+    if (!context.has_value()) {
         return DECRYPTED;
     }
 
@@ -826,18 +830,18 @@ auto ConsumerImpl::decryptMessageIfNeeded(const ClientConnectionPtr& cnx, const
         } else if (config_.getCryptoFailureAction() == ConsumerCryptoFailureAction::DISCARD) {
             LOG_WARN(getName() << "Skipping decryption since CryptoKeyReader is not implemented and config "
                                   "is set to discard");
-            discardCorruptedMessage(cnx, msg.message_id(), CommandAck_ValidationError_DecryptionError);
+            discardCorruptedMessage(cnx, msgId, CommandAck_ValidationError_DecryptionError);
         } else {
             LOG_ERROR(getName() << "Message delivery failed since CryptoKeyReader is not implemented to "
                                    "consume encrypted message");
-            auto messageId = MessageIdBuilder::from(msg.message_id()).build();
+            auto messageId = MessageIdBuilder::from(msgId).build();
             unAckedMessageTrackerPtr_->add(messageId);
         }
         return FAILED;
     }
 
     SharedBuffer decryptedPayload;
-    if (msgCrypto_->decrypt(metadata, payload, config_.getCryptoKeyReader(), decryptedPayload)) {
+    if (msgCrypto_->decrypt(*context, payload, config_.getCryptoKeyReader(), decryptedPayload)) {
         payload = decryptedPayload;
         return DECRYPTED;
     }
@@ -849,10 +853,10 @@ auto ConsumerImpl::decryptMessageIfNeeded(const ClientConnectionPtr& cnx, const
         return CONSUME_ENCRYPTED;
     } else if (config_.getCryptoFailureAction() == ConsumerCryptoFailureAction::DISCARD) {
         LOG_WARN(getName() << "Discarding message since decryption failed and config is set to discard");
-        discardCorruptedMessage(cnx, msg.message_id(), CommandAck_ValidationError_DecryptionError);
+        discardCorruptedMessage(cnx, msgId, CommandAck_ValidationError_DecryptionError);
     } else {
         LOG_ERROR(getName() << "Message delivery failed since unable to decrypt incoming message");
-        auto messageId = MessageIdBuilder::from(msg.message_id()).build();
+        auto messageId = MessageIdBuilder::from(msgId).build();
         unAckedMessageTrackerPtr_->add(messageId);
     }
     return FAILED;

lib/ConsumerImpl.h

@@ -64,6 +64,7 @@ using UnAckedMessageTrackerPtr = std::shared_ptr<UnAckedMessageTrackerInterface>
 namespace proto {
 class CommandMessage;
 class BrokerEntryMetadata;
+class MessageIdData;
 class MessageMetadata;
 }  // namespace proto
 
@@ -201,8 +202,8 @@ class ConsumerImpl : public ConsumerImplBase {
         CONSUME_ENCRYPTED,
         FAILED
     };
-    DecryptResult decryptMessageIfNeeded(const ClientConnectionPtr& cnx, const proto::CommandMessage& msg,
-                                         const proto::MessageMetadata& metadata, SharedBuffer& payload);
+    DecryptResult decryptMessageIfNeeded(const ClientConnectionPtr&, const optional<EncryptionContext>&,
+                                         SharedBuffer& payload, const proto::MessageIdData&);
 
     // TODO - Convert these functions to lambda when we move to C++11
     Result receiveHelper(Message& msg);

lib/EncryptionContext.cc

@@ -18,20 +18,19 @@
  */
 #include <pulsar/EncryptionContext.h>
 
-#include <unordered_map>
-
 #include "PulsarApi.pb.h"
 
 namespace pulsar {
 
 static EncryptionContext::KeysType encryptedKeysFromMetadata(const proto::MessageMetadata& msgMetadata) {
     EncryptionContext::KeysType keys;
     for (auto&& key : msgMetadata.encryption_keys()) {
-        decltype(EncryptionKey::metadata) keyMetadata;
-        for (auto&& entry : key.metadata()) {
-            keyMetadata[entry.key()] = entry.value();
+        decltype(EncryptionKey::metadata) metadata;
+        for (int i = 0; i < key.metadata_size(); i++) {
+            const auto& entry = key.metadata(i);
+            metadata[entry.key()] = entry.value();
         }
-        keys[key.key()] = EncryptionKey{key.value(), keyMetadata};
+        keys.emplace_back(key.key(), key.value(), std::move(metadata));
     }
     return keys;
 }

lib/MessageCrypto.cc

@@ -394,13 +394,13 @@ bool MessageCrypto::encrypt(const std::set<std::string>& encKeys, const CryptoKe
     return true;
 }
 
-bool MessageCrypto::decryptDataKey(const proto::EncryptionKeys& encKeys, const CryptoKeyReader& keyReader) {
-    const auto& keyName = encKeys.key();
-    const auto& encryptedDataKey = encKeys.value();
-    const auto& encKeyMeta = encKeys.metadata();
+bool MessageCrypto::decryptDataKey(const EncryptionKey& encKeys, const CryptoKeyReader& keyReader) {
+    const auto& keyName = encKeys.key;
+    const auto& encryptedDataKey = encKeys.value;
+    const auto& encKeyMeta = encKeys.metadata;
     StringMap keyMeta;
     for (auto iter = encKeyMeta.begin(); iter != encKeyMeta.end(); iter++) {
-        keyMeta[iter->key()] = iter->value();
+        keyMeta[iter->first] = iter->second;
     }
 
     // Read the private key info using callback
@@ -451,11 +451,10 @@ bool MessageCrypto::decryptDataKey(const proto::EncryptionKeys& encKeys, const C
     return true;
 }
 
-bool MessageCrypto::decryptData(const std::string& dataKeySecret, const proto::MessageMetadata& msgMetadata,
+bool MessageCrypto::decryptData(const std::string& dataKeySecret, const EncryptionContext& context,
                                 SharedBuffer& payload, SharedBuffer& decryptedPayload) {
     // unpack iv and encrypted data
-    msgMetadata.encryption_param().copy(reinterpret_cast<char*>(iv_.get()),
-                                        msgMetadata.encryption_param().size());
+    context.param().copy(reinterpret_cast<char*>(iv_.get()), context.param().size());
 
     EVP_CIPHER_CTX* cipherCtx = NULL;
     decryptedPayload = SharedBuffer::allocate(payload.readableBytes() + EVP_MAX_BLOCK_LENGTH + tagLen_);
@@ -518,15 +517,14 @@ bool MessageCrypto::decryptData(const std::string& dataKeySecret, const proto::M
     return true;
 }
 
-bool MessageCrypto::getKeyAndDecryptData(const proto::MessageMetadata& msgMetadata, SharedBuffer& payload,
+bool MessageCrypto::getKeyAndDecryptData(const EncryptionContext& context, SharedBuffer& payload,
                                          SharedBuffer& decryptedPayload) {
     SharedBuffer decryptedData;
     bool dataDecrypted = false;
 
-    for (auto iter = msgMetadata.encryption_keys().begin(); iter != msgMetadata.encryption_keys().end();
-         iter++) {
-        const std::string& keyName = iter->key();
-        const std::string& encDataKey = iter->value();
+    for (auto&& kv : context.keys()) {
+        const std::string& keyName = kv.key;
+        const std::string& encDataKey = kv.value;
         unsigned char keyDigest[EVP_MAX_MD_SIZE];
         unsigned int digestLen = 0;
         getDigest(keyName, encDataKey.c_str(), encDataKey.size(), keyDigest, digestLen);
@@ -539,7 +537,7 @@ bool MessageCrypto::getKeyAndDecryptData(const proto::MessageMetadata& msgMetada
             // retruns a different key, decryption fails. At this point, we would
             // call decryptDataKey to refresh the cache and come here again to decrypt.
             auto dataKeyEntry = dataKeyCacheIter->second;
-            if (decryptData(dataKeyEntry.first, msgMetadata, payload, decryptedPayload)) {
+            if (decryptData(dataKeyEntry.first, context, payload, decryptedPayload)) {
                 dataDecrypted = true;
                 break;
             }
@@ -552,17 +550,16 @@ bool MessageCrypto::getKeyAndDecryptData(const proto::MessageMetadata& msgMetada
     return dataDecrypted;
 }
 
-bool MessageCrypto::decrypt(const proto::MessageMetadata& msgMetadata, SharedBuffer& payload,
+bool MessageCrypto::decrypt(const EncryptionContext& context, SharedBuffer& payload,
                             const CryptoKeyReaderPtr& keyReader, SharedBuffer& decryptedPayload) {
     // Attempt to decrypt using the existing key
-    if (getKeyAndDecryptData(msgMetadata, payload, decryptedPayload)) {
+    if (getKeyAndDecryptData(context, payload, decryptedPayload)) {
         return true;
     }
 
     // Either first time, or decryption failed. Attempt to regenerate data key
     bool isDataKeyDecrypted = false;
-    for (int index = 0; index < msgMetadata.encryption_keys_size(); index++) {
-        const proto::EncryptionKeys& encKeys = msgMetadata.encryption_keys(index);
+    for (auto&& encKeys : context.keys()) {
         if (decryptDataKey(encKeys, *keyReader)) {
             isDataKeyDecrypted = true;
             break;
@@ -574,7 +571,7 @@ bool MessageCrypto::decrypt(const proto::MessageMetadata& msgMetadata, SharedBuf
         return false;
     }
 
-    return getKeyAndDecryptData(msgMetadata, payload, decryptedPayload);
+    return getKeyAndDecryptData(context, payload, decryptedPayload);
 }
 
 } /* namespace pulsar */

lib/MessageCrypto.h

@@ -26,10 +26,10 @@
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
 #include <pulsar/CryptoKeyReader.h>
+#include <pulsar/EncryptionContext.h>
 
 #include <boost/date_time/posix_time/ptime.hpp>
 #include <boost/scoped_array.hpp>
-#include <iostream>
 #include <map>
 #include <mutex>
 #include <set>
@@ -90,15 +90,15 @@ class MessageCrypto {
     /*
      * Decrypt the payload using the data key. Keys used to encrypt data key can be retrieved from msgMetadata
      *
-     * @param msgMetadata Message Metadata
+     * @param context the context of encryption
      * @param payload Message which needs to be decrypted
      * @param keyReader KeyReader implementation to retrieve key value
      * @param decryptedPayload Contains decrypted payload if success
      *
      * @return true if success
      */
-    bool decrypt(const proto::MessageMetadata& msgMetadata, SharedBuffer& payload,
-                 const CryptoKeyReaderPtr& keyReader, SharedBuffer& decryptedPayload);
+    bool decrypt(const EncryptionContext& context, SharedBuffer& payload, const CryptoKeyReaderPtr& keyReader,
+                 SharedBuffer& decryptedPayload);
 
    private:
     typedef std::unique_lock<std::mutex> Lock;
@@ -137,10 +137,10 @@ class MessageCrypto {
 
     Result addPublicKeyCipher(const std::string& keyName, const CryptoKeyReaderPtr& keyReader);
 
-    bool decryptDataKey(const proto::EncryptionKeys& encKeys, const CryptoKeyReader& keyReader);
-    bool decryptData(const std::string& dataKeySecret, const proto::MessageMetadata& msgMetadata,
+    bool decryptDataKey(const EncryptionKey& encKeys, const CryptoKeyReader& keyReader);
+    bool decryptData(const std::string& dataKeySecret, const EncryptionContext& context,
                      SharedBuffer& payload, SharedBuffer& decPayload);
-    bool getKeyAndDecryptData(const proto::MessageMetadata& msgMetadata, SharedBuffer& payload,
+    bool getKeyAndDecryptData(const EncryptionContext& context, SharedBuffer& payload,
                               SharedBuffer& decryptedPayload);
     std::string stringToHex(const std::string& inputStr, size_t len);
     std::string stringToHex(const char* inputStr, size_t len);

lib/MessageImpl.cc

@@ -27,13 +27,14 @@ namespace pulsar {
 MessageImpl::MessageImpl(const MessageId& messageId, const proto::BrokerEntryMetadata& brokerEntryMetadata,
                          const proto::MessageMetadata& metadata, const SharedBuffer& payload,
                          const optional<proto::SingleMessageMetadata>& singleMetadata,
-                         const std::shared_ptr<std::string>& topicName, bool isDecryptionFailed)
+                         const std::shared_ptr<std::string>& topicName,
+                         optional<EncryptionContext>&& encryptionContext)
     : messageId(messageId),
       brokerEntryMetadata(brokerEntryMetadata),
       metadata(metadata),
       payload(payload),
       topicName_(topicName),
-      encryptionContext_(std::in_place, metadata, isDecryptionFailed) {
+      encryptionContext_(std::move(encryptionContext)) {
     if (singleMetadata.has_value()) {
         this->metadata.clear_properties();
         if (singleMetadata->properties_size() > 0) {

lib/MessageImpl.h

@@ -44,7 +44,8 @@ class MessageImpl {
     MessageImpl(const MessageId& messageId, const proto::BrokerEntryMetadata& brokerEntryMetadata,
                 const proto::MessageMetadata& metadata, const SharedBuffer& payload,
                 const optional<proto::SingleMessageMetadata>& singleMetadata,
-                const std::shared_ptr<std::string>& topicName, bool undecryptedPayload);
+                const std::shared_ptr<std::string>& topicName,
+                optional<EncryptionContext>&& encryptionContext);
 
     const Message::StringMap& properties();
 

tests/EncryptionTests.cc

@@ -49,8 +49,9 @@ static std::vector<std::string> decryptValue(const Message& message) {
     MessageCrypto crypto{"test", false};
     auto msgImpl = PulsarFriend::getMessageImplPtr(message);
     SharedBuffer decryptedPayload;
-    // TODO: change the parameters to get context from EncryptionContext directly
-    if (!crypto.decrypt(msgImpl->metadata, msgImpl->payload, getDefaultCryptoKeyReader(), decryptedPayload)) {
+    auto originalPayload =
+        SharedBuffer::copy(static_cast<const char*>(message.getData()), message.getLength());
+    if (!crypto.decrypt(*context, originalPayload, getDefaultCryptoKeyReader(), decryptedPayload)) {
         throw std::runtime_error("Decryption failed");
     }