Merge pull request #41 from cipherstash/feat/add-unverified-context-take-two

feat: add support for unverified context (take two)

Author: CDThomas

Cargo.lock

@@ -11,7 +11,7 @@ crate-type = ["cdylib"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-cipherstash-client = "0.23.0"
+cipherstash-client = "0.24.0"
 cts-common = { version = "0.3.0", default-features = false }
 hex = "0.4.3"
 neon = {version = "1", features = ["serde", "tokio"] }

crates/protect-ffi/Cargo.toml

@@ -11,6 +11,7 @@ use cipherstash_client::{
     },
     schema::ColumnConfig,
     zerokms::{self, EncryptedRecord, RecordDecryptError, WithContext, ZeroKMSWithClientKey},
+    UnverifiedContext,
 };
 use cts_common::Crn;
 use encrypt_config::{EncryptConfig, Identifier};
@@ -121,13 +122,15 @@ struct EncryptOptions {
     table: String,
     lock_context: Option<LockContext>,
     service_token: Option<ServiceToken>,
+    unverified_context: Option<UnverifiedContext>,
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct EncryptBulkOptions {
     plaintexts: Vec<PlaintextPayload>,
     service_token: Option<ServiceToken>,
+    unverified_context: Option<UnverifiedContext>,
 }
 
 #[derive(Deserialize)]
@@ -145,13 +148,15 @@ struct DecryptOptions {
     ciphertext: String,
     lock_context: Option<LockContext>,
     service_token: Option<ServiceToken>,
+    unverified_context: Option<UnverifiedContext>,
 }
 
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct DecryptBulkOptions {
     ciphertexts: Vec<BulkDecryptPayload>,
     service_token: Option<ServiceToken>,
+    unverified_context: Option<UnverifiedContext>,
 }
 
 #[derive(Deserialize)]
@@ -246,7 +251,9 @@ async fn encrypt(
 
     pipeline.add_with_ref::<PlaintextTarget>(plaintext_target, 0)?;
 
-    let mut source_encrypted = pipeline.encrypt(opts.service_token).await?;
+    let mut source_encrypted = pipeline
+        .encrypt(opts.service_token, opts.unverified_context)
+        .await?;
 
     let encrypted = source_encrypted.remove(0).ok_or_else(|| {
         Error::InvariantViolation(
@@ -290,7 +297,9 @@ async fn encrypt_bulk(
         pipeline.add_with_ref::<PlaintextTarget>(plaintext_target, i)?;
     }
 
-    let mut source_encrypted = pipeline.encrypt(opts.service_token).await?;
+    let mut source_encrypted = pipeline
+        .encrypt(opts.service_token, opts.unverified_context)
+        .await?;
 
     let mut results: Vec<Encrypted> = Vec::with_capacity(len);
 
@@ -325,7 +334,11 @@ async fn decrypt(
 
     let decrypted = client
         .zerokms
-        .decrypt_single(encrypted_record, opts.service_token)
+        .decrypt_single(
+            encrypted_record,
+            opts.service_token,
+            opts.unverified_context,
+        )
         .await?;
 
     Ok(plaintext_str_from_bytes(decrypted)?)
@@ -354,7 +367,11 @@ async fn decrypt_bulk(
 
     let decrypted = client
         .zerokms
-        .decrypt(encrypted_records, opts.service_token)
+        .decrypt(
+            encrypted_records,
+            opts.service_token,
+            opts.unverified_context,
+        )
         .await?;
 
     let plaintexts = decrypted
@@ -390,7 +407,11 @@ async fn decrypt_bulk_fallible(
 
     let decrypted = client
         .zerokms
-        .decrypt_fallible(encrypted_records, opts.service_token)
+        .decrypt_fallible(
+            encrypted_records,
+            opts.service_token,
+            opts.unverified_context,
+        )
         .await?;
 
     let plaintexts: Vec<Result<String, Error>> = decrypted

crates/protect-ffi/src/lib.rs

@@ -51,12 +51,36 @@ describe('encrypt and decrypt', async () => {
       table: 'users',
       serviceToken: undefined,
       lockContext: undefined,
+      unverifiedContext: undefined,
     })
 
     const decrypted = await decrypt(client, {
       ciphertext: ciphertext.c,
       lockContext: undefined,
       serviceToken: undefined,
+      unverifiedContext: undefined,
+    })
+
+    expect(decrypted).toBe(originalPlaintext)
+  })
+
+  test('can pass in unverified context', async () => {
+    const client = await newClient({ encryptConfig })
+    const originalPlaintext = 'abc'
+    const unverifiedContext = {
+      sub: 'sub-single',
+    }
+
+    const ciphertext = await encrypt(client, {
+      plaintext: originalPlaintext,
+      column: 'email',
+      table: 'users',
+      unverifiedContext,
+    })
+
+    const decrypted = await decrypt(client, {
+      ciphertext: ciphertext.c,
+      unverifiedContext,
     })
 
     expect(decrypted).toBe(originalPlaintext)
@@ -147,6 +171,7 @@ describe('encryptBulk and decryptBulk', async () => {
         },
       ],
       serviceToken: undefined,
+      unverifiedContext: undefined,
     })
 
     const decrypted = await decryptBulk(client, {
@@ -155,6 +180,39 @@ describe('encryptBulk and decryptBulk', async () => {
         lockContext: undefined,
       })),
       serviceToken: undefined,
+      unverifiedContext: undefined,
+    })
+
+    expect(decrypted).toEqual([plaintextOne, plaintextTwo])
+  })
+
+  test('can pass in unverified context', async () => {
+    const client = await newClient({ encryptConfig })
+    const plaintextOne = 'abc'
+    const plaintextTwo = 'def'
+    const unverifiedContext = {
+      sub: 'sub-bulk',
+    }
+
+    const ciphertexts = await encryptBulk(client, {
+      plaintexts: [
+        {
+          plaintext: plaintextOne,
+          column: 'email',
+          table: 'users',
+        },
+        {
+          plaintext: plaintextTwo,
+          column: 'email',
+          table: 'users',
+        },
+      ],
+      unverifiedContext,
+    })
+
+    const decrypted = await decryptBulk(client, {
+      ciphertexts: ciphertexts.map(({ c }) => ({ ciphertext: c })),
+      unverifiedContext,
     })
 
     expect(decrypted).toEqual([plaintextOne, plaintextTwo])
@@ -187,6 +245,38 @@ describe('encryptBulk and decryptBulk', async () => {
     expect(decrypted).toEqual([{ data: plaintextOne }, { data: plaintextTwo }])
   })
 
+  test('can use unverified context with decryptBulkFallible', async () => {
+    const client = await newClient({ encryptConfig })
+    const plaintextOne = 'abc'
+    const plaintextTwo = 'def'
+    const unverifiedContext = {
+      sub: 'sub-bulk-fallible',
+    }
+
+    const ciphertexts = await encryptBulk(client, {
+      plaintexts: [
+        {
+          plaintext: plaintextOne,
+          column: 'email',
+          table: 'users',
+        },
+        {
+          plaintext: plaintextTwo,
+          column: 'email',
+          table: 'users',
+        },
+      ],
+      unverifiedContext,
+    })
+
+    const decrypted = await decryptBulkFallible(client, {
+      ciphertexts: ciphertexts.map((c) => ({ ciphertext: c.c })),
+      unverifiedContext,
+    })
+
+    expect(decrypted).toEqual([{ data: plaintextOne }, { data: plaintextTwo }])
+  })
+
   test('encryptBulk throws an errow when identityClaim is used without a service token', async () => {
     const client = await newClient({ encryptConfig })
 

integration-tests/tests/index.test.ts

@@ -1,6 +1,6 @@
 {
   "name": "@cipherstash/protect-ffi",
-  "version": "0.16.0-0",
+  "version": "0.16.0-2",
   "description": "",
   "main": "./lib/index.cjs",
   "scripts": {

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/protect-ffi-darwin-arm64",
   "description": "Prebuilt binary package for `@cipherstash/protect-ffi` on `darwin-arm64`.",
-  "version": "0.16.0-0",
+  "version": "0.16.0-2",
   "os": [
     "darwin"
   ],

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/protect-ffi-darwin-x64",
   "description": "Prebuilt binary package for `@cipherstash/protect-ffi` on `darwin-x64`.",
-  "version": "0.16.0-0",
+  "version": "0.16.0-2",
   "os": [
     "darwin"
   ],

platforms/darwin-arm64/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/protect-ffi-linux-arm64-gnu",
   "description": "Prebuilt binary package for `@cipherstash/protect-ffi` on `linux-arm64-gnu`.",
-  "version": "0.16.0-0",
+  "version": "0.16.0-2",
   "os": [
     "linux"
   ],

platforms/darwin-x64/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/protect-ffi-linux-x64-gnu",
   "description": "Prebuilt binary package for `@cipherstash/protect-ffi` on `linux-x64-gnu`.",
-  "version": "0.16.0-0",
+  "version": "0.16.0-2",
   "os": [
     "linux"
   ],