record signature listener implementation in misk-jooq

GitOrigin-RevId: 1d72aa13fa35d80d36e4b12b2ef6a1fa4c148c4c

Author: jiyoonie9

misk-jooq/api/misk-jooq.api

@@ -117,6 +117,12 @@ public final class misk/jooq/listeners/AvoidUsingSelectStarListener$Companion {
 	public final fun getSelectStarFromRegex ()Lkotlin/text/Regex;
 }
 
+public final class misk/jooq/listeners/DataIntegrityException : org/jooq/exception/DataAccessException {
+	public fun <init> (Ljava/lang/String;)V
+	public fun <init> (Ljava/lang/String;Ljava/lang/Exception;)V
+	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/Exception;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+}
+
 public final class misk/jooq/listeners/JooqSQLLogger : org/jooq/ExecuteListener {
 	public static final field Companion Lmisk/jooq/listeners/JooqSQLLogger$Companion;
 	public fun <init> ()V
@@ -156,6 +162,42 @@ public final class misk/jooq/listeners/JooqTimestampRecordListenerOptions {
 	public fun toString ()Ljava/lang/String;
 }
 
+public abstract interface class misk/jooq/listeners/RecordHasher {
+	public abstract fun computeMac (Ljava/lang/String;[B)[B
+	public abstract fun verifyMac (Ljava/lang/String;[B[B)V
+}
+
+public final class misk/jooq/listeners/RecordSignatureListener : org/jooq/RecordListener {
+	public static final field Companion Lmisk/jooq/listeners/RecordSignatureListener$Companion;
+	public fun <init> (Lmisk/jooq/listeners/RecordHasher;Ljava/util/List;)V
+	public fun insertStart (Lorg/jooq/RecordContext;)V
+	public fun loadEnd (Lorg/jooq/RecordContext;)V
+	public fun updateStart (Lorg/jooq/RecordContext;)V
+}
+
+public final class misk/jooq/listeners/RecordSignatureListener$Companion {
+	public final fun getLog ()Lmu/KLogger;
+}
+
+public final class misk/jooq/listeners/TableSignatureDetails {
+	public fun <init> (Ljava/lang/String;Ljava/util/List;Lorg/jooq/TableField;Lorg/jooq/Table;Z)V
+	public final fun component1 ()Ljava/lang/String;
+	public final fun component2 ()Ljava/util/List;
+	public final fun component3 ()Lorg/jooq/TableField;
+	public final fun component4 ()Lorg/jooq/Table;
+	public final fun component5 ()Z
+	public final fun copy (Ljava/lang/String;Ljava/util/List;Lorg/jooq/TableField;Lorg/jooq/Table;Z)Lmisk/jooq/listeners/TableSignatureDetails;
+	public static synthetic fun copy$default (Lmisk/jooq/listeners/TableSignatureDetails;Ljava/lang/String;Ljava/util/List;Lorg/jooq/TableField;Lorg/jooq/Table;ZILjava/lang/Object;)Lmisk/jooq/listeners/TableSignatureDetails;
+	public fun equals (Ljava/lang/Object;)Z
+	public final fun getAllowNullSignatures ()Z
+	public final fun getColumns ()Ljava/util/List;
+	public final fun getSignatureKeyName ()Ljava/lang/String;
+	public final fun getSignatureRecordColumn ()Lorg/jooq/TableField;
+	public final fun getTable ()Lorg/jooq/Table;
+	public fun hashCode ()I
+	public fun toString ()Ljava/lang/String;
+}
+
 public class misk/jooq/testgen/DefaultCatalog : org/jooq/impl/CatalogImpl {
 	public static final field Companion Lmisk/jooq/testgen/DefaultCatalog$Companion;
 	public fun <init> ()V

misk-jooq/src/main/kotlin/misk/jooq/listeners/RecordHasher.kt

@@ -0,0 +1,26 @@
+package misk.jooq.listeners
+
+/**
+ * Interface for computing and verifying MAC signatures for database records.
+ */
+interface RecordHasher {
+  /**
+   * Computes a MAC signature for the given data using the specified key.
+   * @param keyName The name of the key to use for signing
+   * @param data The data to sign
+   * @return The MAC signature as a byte array
+   * @throws IllegalArgumentException if the key name is not found
+   * @throws RuntimeException if signature computation fails
+   */
+  fun computeMac(keyName: String, data: ByteArray): ByteArray
+
+  /**
+   * Verifies a MAC signature for the given data using the specified key.
+   * @param keyName The name of the key to use for verification
+   * @param providedMac The MAC to verify
+   * @param data The data that was signed
+   * @throws IllegalArgumentException if the key name is not found
+   * @throws SecurityException if verification fails
+   */
+  fun verifyMac(keyName: String, providedMac: ByteArray, data: ByteArray)
+}

misk-jooq/src/main/kotlin/misk/jooq/listeners/RecordSignatureListener.kt

@@ -0,0 +1,218 @@
+package misk.jooq.listeners
+
+import misk.jooq.toInstant
+import java.nio.ByteBuffer
+import java.time.LocalDateTime
+import java.time.temporal.ChronoUnit
+import org.jooq.Record
+import org.jooq.RecordContext
+import org.jooq.Table
+import org.jooq.TableField
+import org.jooq.exception.DataAccessException
+import misk.logging.getLogger
+import org.jooq.RecordListener
+
+/**
+ * Using this listener will allow you to guard against direct DB updates. This listener will compute a MAC signature
+ * from the column values provided and store the mac into another column in the DB. When it comes time to retrieve the
+ * record, the mac will be verified with column data again. If the column data has been changed, then the mac will not
+ * validate, and you will get an exception.
+ *
+ * Things to remember: Add this in when your service is slightly mature. You can't arbitrarily change the columns used
+ * nor change the column order in creating the mac later on. This will prevent all old rows from being read.
+ *
+ * You can add this listener behind a flag and correct the signatures using a backfill and then use this listener again
+ *
+ * Also, general Jooq RecordListener rules apply. Specifically - As such, a RecordListener does not affect any bulk DML
+ * statements (e.g. a DSLContext.update(Table)), whose affected records are not available to clients more info here
+ * [org.jooq.RecordListener]
+ *
+ * Important! If you use the [JooqTimestampRecordListener] make sure this listener is added after the
+ * [RecordSignatureListener] if you are using created_at and updated_at columns in the signature. So something like this
+ *
+ * To see a more the full example see the [RecordSignatureListenerTest]
+ */
+class RecordSignatureListener(
+  private val recordHasher: RecordHasher,
+  private val tableSignatureDetails: List<TableSignatureDetails>,
+) : RecordListener {
+
+  /**
+   * We are overriding insertStart and updateStart instead of storeStart() which is called regardless of whether it is
+   * an update or an insert. The reason is, people generally add another listener - JooqTimestampRecordListener which
+   * sets the timestamp for created_at and updated_at columns. If these columns form part of the signature then these
+   * values need to be set before the signature can be calculated. The JooqTimestampRecordListener has insertStart and
+   * updateStart overridden. Jooq looks to be calling storeStart() on all listeners before moving on to call
+   * insertStart() and updateStart() on all listeners. So either all listeners need to implement storeStart() or
+   * insertStart() and updateStart(). We can mix the 2 styles and guarantee an order.
+   */
+  override fun insertStart(ctx: RecordContext?) = updateSignature(ctx)
+
+  override fun updateStart(ctx: RecordContext?) = updateSignature(ctx)
+
+  private fun updateSignature(ctx: RecordContext?) {
+    if (ctx?.record() == null) return
+    val tableSignature = tableSignatureDetails.find { ctx.record().field(it.signatureRecordColumn) != null } ?: return
+
+    val concatenatedByteArray = concatenateByteArrayFromColumnValues(tableSignature, ctx)
+    val signature = recordHasher.computeMac(tableSignature.signatureKeyName, concatenatedByteArray)
+    ctx.record().set(tableSignature.signatureRecordColumn, signature)
+  }
+
+  override fun loadEnd(ctx: RecordContext?) {
+    if (ctx?.record() == null) return
+    val tableSignature = tableSignatureDetails.find { ctx.record().field(it.signatureRecordColumn) != null } ?: return
+
+    // Skip validation if all signature columns are null (indicates a partially loaded record)
+    val allColumnsNull = tableSignature.columns.all { column ->
+      ctx.record().get(column) == null
+    }
+    if (allColumnsNull) return
+
+    val concatenatedByteArray = concatenateByteArrayFromColumnValues(tableSignature, ctx)
+    val signature =
+      ctx.record().get(tableSignature.signatureRecordColumn)
+        ?: if (!tableSignature.allowNullSignatures) {
+          throw DataIntegrityException(exceptionMessage("Signature is null", tableSignature, ctx))
+        } else {
+          return
+        }
+
+    try {
+      recordHasher.verifyMac(tableSignature.signatureKeyName, signature, concatenatedByteArray)
+    } catch (e: Exception) {
+      log.warn(e) {
+        exceptionMessage("The data in the database does not match the record signature on the", tableSignature, ctx)
+      }
+
+      throw DataIntegrityException(
+        exceptionMessage("The data in the database does not match the record signature on the", tableSignature, ctx),
+        cause = e,
+      )
+    }
+  }
+
+  private fun concatenateByteArrayFromColumnValues(
+    tableSignature: TableSignatureDetails,
+    ctx: RecordContext,
+  ): ByteArray {
+    /**
+    Here, we have implemented LV (length-value) encoding scheme.
+    Encoding the column values and concatenating them as byte array in this manner
+    prevents these two distinct records creating the same signature,
+    given that signature is built using values from foo and bar columns.
+
+    Encoding scheme:
+    - null: 4 bytes with value -1 (no data follows)
+    - non-null: 4 bytes with length >= 0, followed by that many bytes of data
+
+    more info here: https://en.wikipedia.org/wiki/Type%E2%80%93length%E2%80%93value
+
+    without LV encoding
+    id | foo    | bar   |
+    1  | ab     | c     | bytearray(ab) + bytearray(c)
+    2  | a      | bc    | bytearray(a) + bytearray(bc)
+    result: the two bytearrays from record 1 and record 2 are the same
+
+    with LV encoding
+    id | foo    | bar   |
+    1  | ab     | c     | (lengthByte(2) + bytearray(ab)) + (lengthByte(1) + (bytearray(c))
+    2  | a      | bc    | (lengthByte(1) + bytearray(a)) + (lengthByte(2) + bytearray(bc))
+    result: the two bytearrays from record 1 and record 2 are NOT the same
+
+    We also encode null values with a special marker (-1) to prevent collisions like:
+    id | foo    | bar   |
+    1  | null   | a     | bytearray(special_for_null) + (lengthByte(1) + bytearray(a))
+    2  | a      | null  | (lengthByte(1) + bytearray(a)) + bytearray(special_for_null)
+
+    bytearray(special_for_null) cannot be conflicted with other real values
+     */
+    return tableSignature.columns.fold(ByteArray(0)) { bytes, column ->
+      when (val columnValue = ctx.record().get(column)) {
+        // For null values, encode with -1 as a special marker (no value bytes follow)
+        null -> {
+          val nullMarker = ByteBuffer.allocate(4).putInt(-1).array()
+          bytes + nullMarker
+        }
+
+        // For ByteArray values, prepend the length (4 bytes) then the value
+        is ByteArray -> {
+          val lengthBytes = ByteBuffer.allocate(4).putInt(columnValue.size).array()
+          bytes + lengthBytes + columnValue
+        }
+
+        // For LocalDateTime, convert to bytes first, then apply Length-Value encoding
+        is LocalDateTime -> {
+          val precision = column.dataType.precision()
+          val valueBytes = columnValue.toByteArray(precision)
+          val lengthBytes = ByteBuffer.allocate(4).putInt(valueBytes.size).array()
+          bytes + lengthBytes + valueBytes
+        }
+        // For all other types, convert to string, then to bytes, then apply Length-Value encoding
+        else -> {
+          val valueBytes = columnValue.toString().toByteArray()
+          val lengthBytes = ByteBuffer.allocate(4).putInt(valueBytes.size).array()
+          bytes + lengthBytes + valueBytes
+        }
+      }
+    }
+  }
+
+  /**
+   * MySQL's precision for a timestamp is millis. But in the Kube Pod, where the code runs the JVM timestamp is in
+   * nanos. So when we store the data, the signature is computed with nanos, but when we load the data from the DB, the
+   * nanos are lost and hence the signature computed is different. This method truncates the instant based on the
+   * precision. The check with precision is required to be able to test this on a MAC. Mac JVM's precision is millis. So
+   * in order to test truncation we need to create a mysql timestamp with a precision of 0. This also allows this
+   * signature to work for any column created in prod where the precision is 0 (in the sense, restricted to store
+   * seconds alone).
+   */
+  private fun LocalDateTime.toByteArray(precision: Int): ByteArray {
+    return when {
+      precision < 3 -> toInstant().truncatedTo(ChronoUnit.SECONDS).toEpochMilli().toString().toByteArray()
+      else -> toInstant().truncatedTo(ChronoUnit.MILLIS).toEpochMilli().toString().toByteArray()
+    }
+  }
+
+  private fun exceptionMessage(message: String, tableSignature: TableSignatureDetails, ctx: RecordContext): String {
+    return message +
+      " [Table=${tableSignature.table}] " +
+      "[PK=${tableSignature.table.primaryKey?.fields?.map { ctx.record().get(it) }?.joinToString(", ")}]"
+  }
+
+  companion object {
+    val log = getLogger<RecordSignatureListener>()
+  }
+}
+
+data class TableSignatureDetails(
+  /**
+   * The key name used to create the HMAC signature More details here -
+   * https://cash-dev-guide.squarecloudservices.com/security/key_management/ and
+   * https://github.com/google/tink/blob/master/docs/PRIMITIVES.md
+   */
+  val signatureKeyName: String,
+  /**
+   * The columns that need to be protected against direct change in the database. Please note: the value of these
+   * columns should be convertable deterministically into a string value or should be a byte array already such as BLOB
+   * types. Most SQL value types can be converted into a string via toString() call. Note:
+   * 1. JSON columns cannot be used as part of the signature columns as the string comparison of a JSON differs if there
+   *    are whitespace differences. MYSQL does not store JSON as a string and hence when it is retrieved there usually
+   *    are white space differences.
+   * 2. If a timestamp column is used in the signature, remember that MYSQL's precision is limited to millis. The MAC
+   *    JVM precision is limited to millis too. But the Kube pod where this is deployed has nano precision. So ensure
+   *    the timestamp is truncated to millis before setting it into the record.
+   */
+  val columns: List<TableField<out Record, out Any?>>,
+  /** The column where the HMAC signature (or hash) will be stored and then used to validate against */
+  val signatureRecordColumn: TableField<out Record, ByteArray?>,
+  /** The table that needs to be protected against direct change in the database. */
+  val table: Table<out Record>,
+  /**
+   * When adding this listener to an existing table, set this flag to true until you are sure that all records in the
+   * table have a signature set
+   */
+  val allowNullSignatures: Boolean,
+)
+
+class DataIntegrityException @JvmOverloads constructor(message: String, cause: Exception? = null) : DataAccessException(message, cause)

misk-jooq/src/test/kotlin/misk/jooq/config/ClientJooqTestingModule.kt

@@ -11,8 +11,13 @@ import misk.jooq.JooqModule
 import misk.jooq.listeners.JooqTimestampRecordListenerOptions
 import misk.logging.LogCollectorModule
 import org.jooq.impl.DefaultExecuteListenerProvider
+import org.jooq.impl.DefaultRecordListenerProvider
 import wisp.deployment.TESTING
 import jakarta.inject.Qualifier
+import misk.jooq.listeners.RecordSignatureListener
+import misk.jooq.listeners.TableSignatureDetails
+import misk.jooq.testgen.tables.references.RECORD_SIGNATURE_TEST
+import org.jooq.RecordListenerProvider
 
 class ClientJooqTestingModule : KAbstractModule() {
   override fun configure() {
@@ -46,12 +51,45 @@ class ClientJooqTestingModule : KAbstractModule() {
         createdAtColumnName = "created_at",
         updatedAtColumnName = "updated_at"
       ),
-      readerQualifier = JooqDBReadOnlyIdentifier::class
-    ) {
-      val executeListeners = this.executeListenerProviders().toMutableList()
-        .apply { add(DefaultExecuteListenerProvider(DeleteOrUpdateWithoutWhereListener())) }
-      set(*executeListeners.toTypedArray())
-    })
+      readerQualifier = JooqDBReadOnlyIdentifier::class,
+      jooqConfigExtension = {
+        // Since JooqTimestampRecordListener might overwrite record listeners, 
+        // we need to ensure both timestamp and signature listeners are present
+        val recordListeners = mutableListOf<RecordListenerProvider>()
+        
+        // Add any existing record listeners (like JooqTimestampRecordListener)
+        recordListeners.addAll(this.recordListenerProviders())
+        
+        // Add our RecordSignatureListener
+        recordListeners.add(
+          DefaultRecordListenerProvider(
+            RecordSignatureListener(
+              recordHasher = FakeRecordHasher(),
+              tableSignatureDetails = listOf(
+                TableSignatureDetails(
+                  signatureKeyName = "signature-record-test",
+                  table = RECORD_SIGNATURE_TEST,
+                  columns = listOf(
+                    RECORD_SIGNATURE_TEST.NAME,
+                    RECORD_SIGNATURE_TEST.UPDATED_BY,
+                    RECORD_SIGNATURE_TEST.BINARY_DATA,
+                  ),
+                  signatureRecordColumn = RECORD_SIGNATURE_TEST.RECORD_SIGNATURE,
+                  allowNullSignatures = false
+                )
+              ),
+            )
+          )
+        )
+        
+        set(*recordListeners.toTypedArray())
+        
+        // Add execute listeners separately
+        val existingExecuteListeners = this.executeListenerProviders().toMutableList()
+        existingExecuteListeners.add(DefaultExecuteListenerProvider(DeleteOrUpdateWithoutWhereListener()))
+        set(*existingExecuteListeners.toTypedArray())
+      }
+    ))
     install(JdbcTestingModule(JooqDBIdentifier::class))
     install(LogCollectorModule())
   }

misk-jooq/src/test/kotlin/misk/jooq/config/FakeRecordHasher.kt

@@ -0,0 +1,20 @@
+package misk.jooq.config
+
+import misk.jooq.listeners.RecordHasher
+
+// Fake implementation for testing
+class FakeRecordHasher : RecordHasher {
+
+  override fun computeMac(keyName: String, data: ByteArray): ByteArray {
+    // Simple hash for testing - not secure!
+    val fakeMac = "$keyName:${data.contentHashCode()}".toByteArray()
+    return fakeMac
+  }
+
+  override fun verifyMac(keyName: String, providedMac: ByteArray, data: ByteArray) {
+    val expectedFakeMac = "$keyName:${data.contentHashCode()}".toByteArray()
+    if (!providedMac.contentEquals(expectedFakeMac)) {
+      throw SecurityException("MAC verification failed")
+    }
+  }
+}