Merge pull request #315 from cipherstash/refactor-rename-encrypt-to-proxy

refactor: rename Encrypt module to Proxy for better clarity

Author: tobyhede

packages/cipherstash-proxy/src/lib.rs

@@ -3,20 +3,20 @@
 pub mod cli;
 pub mod config;
 pub mod connect;
-pub mod encrypt;
 pub mod eql;
 pub mod error;
 pub mod log;
 pub mod postgresql;
 pub mod prometheus;
+pub mod proxy;
 pub mod tls;
 
 pub use crate::cli::Args;
 pub use crate::cli::Migrate;
 pub use crate::config::{DatabaseConfig, ServerConfig, TandemConfig, TlsConfig};
-pub use crate::encrypt::Encrypt;
 pub use crate::eql::{EqlEncrypted, ForQuery, Identifier, Plaintext};
 pub use crate::log::init;
+pub use crate::proxy::Proxy;
 
 use std::mem;
 

packages/cipherstash-proxy/src/log/mod.rs

@@ -18,6 +18,7 @@ pub const AUTHENTICATION: &str = "authentication";
 pub const CONFIG: &str = "config";
 pub const CONTEXT: &str = "context";
 pub const ENCRYPT: &str = "encrypt";
+pub const PROXY: &str = "proxy";
 pub const DECRYPT: &str = "decrypt";
 pub const ENCODING: &str = "encoding";
 pub const ENCRYPT_CONFIG: &str = "encrypt_config";

packages/cipherstash-proxy/src/main.rs

@@ -1,8 +1,8 @@
 use cipherstash_proxy::config::TandemConfig;
 use cipherstash_proxy::connect::{self, AsyncStream};
-use cipherstash_proxy::encrypt::Encrypt;
 use cipherstash_proxy::error::Error;
 use cipherstash_proxy::prometheus::CLIENTS_ACTIVE_CONNECTIONS;
+use cipherstash_proxy::proxy::Proxy;
 use cipherstash_proxy::{cli, log, postgresql as pg, prometheus, tls, Args};
 use clap::Parser;
 use metrics::gauge;
@@ -53,16 +53,16 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     runtime.block_on(async move {
         let shutdown_timeout = &config.server.shutdown_timeout();
 
-        let mut encrypt = init(config).await;
+        let mut proxy = init(config).await;
 
-        let mut listener = connect::bind_with_retry(&encrypt.config.server).await;
+        let mut listener = connect::bind_with_retry(&proxy.config.server).await;
         let tracker = TaskTracker::new();
 
         let mut client_id = 0;
 
-        if encrypt.config.prometheus_enabled() {
-            let host = encrypt.config.server.host.to_owned();
-            match prometheus::start(host, encrypt.config.prometheus.port) {
+        if proxy.config.prometheus_enabled() {
+            let host = proxy.config.server.host.to_owned();
+            match prometheus::start(host, proxy.config.prometheus.port) {
                 Ok(_) => {}
                 Err(err) => {
                     error!(
@@ -82,7 +82,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             },
             _ = sighup() => {
                 info!(msg = "Received SIGHUP. Reloading configuration");
-                (listener, encrypt) = reload_config(listener, &args, encrypt).await;
+                (listener, proxy) = reload_config(listener, &args, proxy).await;
                 info!(msg = "Reloaded configuration");
             },
             _ = sigterm() => {
@@ -91,16 +91,16 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             },
             Ok(client_stream) = AsyncStream::accept(&listener) => {
 
-                    let encrypt = encrypt.clone();
+                    let proxy = proxy.clone();
 
                     client_id += 1;
 
                     tracker.spawn(async move {
-                        let encrypt = encrypt.clone();
+                        let proxy = proxy.clone();
 
                         gauge!(CLIENTS_ACTIVE_CONNECTIONS).increment(1);
 
-                        match pg::handler(client_stream, encrypt, client_id).await {
+                        match pg::handler(client_stream, proxy, client_id).await {
                             Ok(_) => (),
                             Err(err) => {
 
@@ -145,9 +145,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
 ///
 /// Validate various configuration options and
-/// Init the Encrypt service
+/// Init the Proxy service
 ///
-async fn init(mut config: TandemConfig) -> Encrypt {
+async fn init(mut config: TandemConfig) -> Proxy {
     if config.encrypt.default_keyset_id.is_none() {
         warn!(msg = "Default Keyset Id has not been configured");
         warn!(msg = "A Keyset Identifier must be set using the `SET CIPHERSTASH.KEYSET_ID` or `SET CIPHERSTASH.KEYSET_NAME` commands");
@@ -216,25 +216,25 @@ async fn init(mut config: TandemConfig) -> Encrypt {
         }
     }
 
-    match Encrypt::init(config).await {
-        Ok(encrypt) => {
-            info!(msg = "Connected to CipherStash Encrypt");
+    match Proxy::init(config).await {
+        Ok(proxy) => {
+            info!(msg = "Connected to CipherStash Proxy");
             info!(
                 msg = "Connected to Database",
-                database = encrypt.config.database.name,
-                host = encrypt.config.database.host,
-                port = encrypt.config.database.port,
-                username = encrypt.config.database.username,
-                eql_version = encrypt.eql_version,
+                database = proxy.config.database.name,
+                host = proxy.config.database.host,
+                port = proxy.config.database.port,
+                username = proxy.config.database.username,
+                eql_version = proxy.eql_version,
             );
-            if encrypt.eql_version.as_deref() != EQL_VERSION_AT_BUILD_TIME {
+            if proxy.eql_version.as_deref() != EQL_VERSION_AT_BUILD_TIME {
                 warn!(
                     msg = "installed version of EQL is different to the version that Proxy was built with",
                     eql_build_version = EQL_VERSION_AT_BUILD_TIME,
-                    eql_installed_version = encrypt.eql_version,
+                    eql_installed_version = proxy.eql_version,
                 );
             }
-            encrypt
+            proxy
         }
         Err(err) => {
             error!(
@@ -261,29 +261,25 @@ async fn sighup() -> std::io::Result<()> {
     Ok(())
 }
 
-async fn reload_config(
-    listener: TcpListener,
-    args: &Args,
-    encrypt: Encrypt,
-) -> (TcpListener, Encrypt) {
+async fn reload_config(listener: TcpListener, args: &Args, proxy: Proxy) -> (TcpListener, Proxy) {
     let new_config = match TandemConfig::load(args) {
         Ok(config) => config,
         Err(err) => {
             warn!(
                 msg = "Configuration could not be reloaded: {}",
                 error = err.to_string()
             );
-            return (listener, encrypt);
+            return (listener, proxy);
         }
     };
 
-    let new_encrypt = init(new_config).await;
+    let new_proxy = init(new_config).await;
 
     // Explicit drop needed here to free the network resources before binding if using the same address & port
     std::mem::drop(listener);
 
     (
-        connect::bind_with_retry(&new_encrypt.config.server).await,
-        new_encrypt,
+        connect::bind_with_retry(&new_proxy.config.server).await,
+        new_proxy,
     )
 }

packages/cipherstash-proxy/src/postgresql/backend.rs

@@ -7,7 +7,6 @@ use super::messages::row_description::RowDescription;
 use super::messages::BackendCode;
 use super::Column;
 use crate::connect::Sender;
-use crate::encrypt::Encrypt;
 use crate::eql::EqlEncrypted;
 use crate::error::{EncryptError, Error};
 use crate::log::{CONTEXT, DEVELOPMENT, MAPPER, PROTOCOL};
@@ -20,6 +19,7 @@ use crate::prometheus::{
     DECRYPTION_ERROR_TOTAL, DECRYPTION_REQUESTS_TOTAL, ROWS_ENCRYPTED_TOTAL,
     ROWS_PASSTHROUGH_TOTAL, ROWS_TOTAL, SERVER_BYTES_RECEIVED_TOTAL,
 };
+use crate::proxy::Proxy;
 use bytes::BytesMut;
 use metrics::{counter, histogram};
 use std::time::Instant;
@@ -79,7 +79,7 @@ where
     /// Reader for incoming messages from server
     server_reader: R,
     /// Encryption service for column decryption
-    encrypt: Encrypt,
+    proxy: Proxy,
     /// Session context with portal and statement metadata
     context: Context,
     /// Buffer for batching DataRow messages before decryption
@@ -98,17 +98,12 @@ where
     /// * `server_reader` - Stream for reading messages from the PostgreSQL server
     /// * `encrypt` - Encryption service for handling column decryption
     /// * `context` - Session context shared with the frontend
-    pub fn new(
-        client_sender: Sender,
-        server_reader: R,
-        encrypt: Encrypt,
-        context: Context,
-    ) -> Self {
+    pub fn new(client_sender: Sender, server_reader: R, proxy: Proxy, context: Context) -> Self {
         let buffer = MessageBuffer::new();
         Backend {
             client_sender,
             server_reader,
-            encrypt,
+            proxy,
             context,
             buffer,
         }
@@ -155,7 +150,7 @@ where
     /// Returns `Ok(())` on successful message processing, or an `Error` if a fatal
     /// error occurs that should terminate the connection.
     pub async fn rewrite(&mut self) -> Result<(), Error> {
-        let connection_timeout = self.encrypt.config.database.connection_timeout();
+        let connection_timeout = self.proxy.config.database.connection_timeout();
 
         let (code, mut bytes) = protocol::read_message(
             &mut self.server_reader,
@@ -167,7 +162,7 @@ where
         let sent: u64 = bytes.len() as u64;
         counter!(SERVER_BYTES_RECEIVED_TOTAL).increment(sent);
 
-        if self.encrypt.is_passthrough() {
+        if self.proxy.is_passthrough() {
             debug!(target: DEVELOPMENT,
                 client_id = self.context.client_id,
                 msg = "Passthrough enabled"
@@ -255,7 +250,7 @@ where
                     msg = "ReadyForQuery"
                 );
                 if self.context.schema_changed() {
-                    self.encrypt.reload_schema().await;
+                    self.proxy.reload_schema().await;
                 }
             }
 
@@ -456,15 +451,15 @@ where
 
         // Decrypt CipherText -> Plaintext
         let plaintexts = self
-            .encrypt
+            .proxy
             .decrypt(keyset_id, ciphertexts)
             .await
             .inspect_err(|_| {
                 counter!(DECRYPTION_ERROR_TOTAL).increment(1);
             })?;
 
         // Avoid the iter calculation if we can
-        if self.encrypt.config.prometheus_enabled() {
+        if self.proxy.config.prometheus_enabled() {
             let decrypted_count =
                 plaintexts
                     .iter()