@coderdan coderdan commented Oct 30, 2024

Summary

Changes

Adds "via" dataset variants of entry points to the EncryptedTable. These methods allow for the selection of a specific dataset before performing an operation.

  • EncryptedTable::put is as before and uses the default dataset for the client
  • EncryptedTable::put_via allows a dataset to be specified via its id (uuid)
  • Similar methods have been added for get and delete
  • The QueryBuilder has been given a via builder method to provide a specific dataset to use during queries

The decrypt_all method has not been modified as decryption operations will use the dataset ID encoded into the ciphertext payload (AAD) to determine which dataset was used to encrypt. If the client does not have access to any dataset associated with a record passed to decrypt_all, the operation will fail.

This uses the pre-release version of cipherstash-client, 0.13.0-pre.1.

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@coderdan coderdan force-pushed the feat/per-dataset-ops branch 2 times, most recently from 3a80862 to 45bf2e1 Compare October 30, 2024 22:48
@coderdan coderdan force-pushed the feat/per-dataset-ops branch from bd9437c to 5245226 Compare October 31, 2024 10:57
@coderdan coderdan marked this pull request as ready for review October 31, 2024 11:15
@freshtonic

Does this mean different records in the same EncryptedTable could have been encrypted with different encryption keys, and does decryption handle that gracefully?

@freshtonic freshtonic left a comment

This looks really good - nice work.

I answered my own question around the decryption after I read the code. My understanding is that if multiple records in a table are encrypted via different datasets, they will not decrypt unless decrypted via the same dataset ID that they were encrypted with, and that is handled gracefully.

coderdan commented Nov 1, 2024

> This looks really good - nice work.
>
> I answered my own question around the decryption after I read the code. My understanding is that if multiple records in a table are encrypted via different datasets, they will not decrypt unless decrypted via the same dataset ID that they were encrypted with, and that is handled gracefully.

Thanks, @freshtonic. Yep, that's correct!

@coderdan coderdan merged commit d766093 into main Nov 1, 2024
3 checks passed
@coderdan coderdan deleted the feat/per-dataset-ops branch November 1, 2024 02:59
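
A stdlib-only Python model of the behaviour discussed in this thread, added here as an illustration and not code from this pull request or from cipherstash-client: records written via different datasets share one table, and `decrypt_all` selects the key from the dataset ID bound to each record, failing the whole call if any dataset is inaccessible. The `Client` class, the record layout and the HMAC/SHA-256 construction are assumptions standing in for the library's real types and AEAD.

```python
import hashlib, hmac, os, uuid

def _sub(key, label):                  # independent subkeys for cipher and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):     # SHA-256 counter keystream, stand-in for a real AEAD
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, dataset_id, nonce, ct):  # dataset id is bound to the ciphertext as AAD
    msg = dataset_id.bytes + nonce + ct
    return hmac.new(_sub(key, b"mac"), msg, hashlib.sha256).digest()

class Client:
    """Hypothetical client holding keys only for datasets it may access."""
    def __init__(self, default_dataset, keys):
        self.default, self.keys = default_dataset, keys

    def put(self, plaintext):          # default dataset, as before
        return self.put_via(plaintext, self.default)

    def put_via(self, plaintext, dataset_id):
        key, nonce = self.keys[dataset_id], os.urandom(16)
        ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
        return {"dataset": dataset_id, "nonce": nonce, "ct": ct,
                "tag": _tag(key, dataset_id, nonce, ct)}

    def decrypt_all(self, records):
        out = []
        for r in records:              # key is chosen from the record, not the caller
            key = self.keys.get(r["dataset"])
            if key is None:
                raise PermissionError(f"no access to dataset {r['dataset']}")
            expected = _tag(key, r["dataset"], r["nonce"], r["ct"])
            if not hmac.compare_digest(r["tag"], expected):
                raise ValueError("record failed authentication")
            out.append(_xor_stream(_sub(key, b"enc"), r["nonce"], r["ct"]))
        return out                     # reached only if every record decrypted

if __name__ == "__main__":
    ds_a, ds_b = uuid.uuid4(), uuid.uuid4()          # constructed dataset ids
    keys = {ds_a: os.urandom(32), ds_b: os.urandom(32)}
    writer = Client(ds_a, keys)
    table = [writer.put(b"alice"), writer.put_via(b"bob", ds_b)]
    print(writer.decrypt_all(table))
```

In this model, relabelling a record with a different dataset ID fails authentication instead of decrypting under the wrong key, because the ID is part of the authenticated data.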