DGS-19840 Ensure use of DEK object is thread-safe (#268)

* DGS-19840 Ensure use of DEK object is thread-safe

* Minor renaming

Author: rayokota

schemaregistry/rules/encryption/dekregistry/dekregistry-client.ts

@@ -54,6 +54,9 @@ interface DekClient {
   registerDek(kekName: string, subject: string, algorithm: string, version: number,
               encryptedKeyMaterial?: string): Promise<Dek>;
   getDek(kekName: string, subject: string, algorithm: string, version: number, deleted: boolean): Promise<Dek>;
+  getDekEncryptedKeyMaterialBytes(dek: Dek): Promise<Buffer | null>;
+  getDekKeyMaterialBytes(dek: Dek): Promise<Buffer | null>;
+  setDekKeyMaterial(dek: Dek, keyMaterialBytes: Buffer): Promise<void>;
   close(): Promise<void>;
 }
 
@@ -90,53 +93,6 @@ class DekRegistryClient implements DekClient {
     return new DekRegistryClient(config)
   }
 
-  static getEncryptedKeyMaterialBytes(dek: Dek): Buffer | null {
-    if (!dek.encryptedKeyMaterial) {
-      return null;
-    }
-
-    if (!dek.encryptedKeyMaterialBytes) {
-      try {
-        const bytes = Buffer.from(dek.encryptedKeyMaterial, 'base64');
-        dek.encryptedKeyMaterialBytes = bytes;
-      } catch (err) {
-        if (err instanceof Error) {
-          throw new Error(`Failed to decode base64 string: ${err.message}`);
-        }
-        throw new Error(`Unknown error: ${err}`);
-      }
-    }
-
-    return dek.encryptedKeyMaterialBytes;
-  }
-
-  static getKeyMaterialBytes(dek: Dek): Buffer | null {
-    if (!dek.keyMaterial) {
-      return null;
-    }
-
-    if (!dek.keyMaterialBytes) {
-      try {
-        const bytes = Buffer.from(dek.keyMaterial, 'base64');
-        dek.keyMaterialBytes = bytes;
-      } catch (err) {
-        if (err instanceof Error) {
-          throw new Error(`Failed to decode base64 string: ${err.message}`);
-        }
-        throw new Error(`Unknown error: ${err}`);
-      }
-    }
-
-    return dek.keyMaterialBytes;
-  }
-
-  static setKeyMaterial(dek: Dek, keyMaterialBytes: Buffer): void {
-    if (keyMaterialBytes) {
-      const str = keyMaterialBytes.toString('base64');
-      dek.keyMaterial = str;
-    }
-  }
-
   config(): ClientConfig {
     return this.clientConfig;
   }
@@ -238,6 +194,63 @@ class DekRegistryClient implements DekClient {
     });
   }
 
+  async getDekEncryptedKeyMaterialBytes(dek: Dek): Promise<Buffer | null> {
+    if (!dek.encryptedKeyMaterial) {
+      return null;
+    }
+
+    if (!dek.encryptedKeyMaterialBytes) {
+      await this.dekMutex.runExclusive(async () => {
+        if (!dek.encryptedKeyMaterialBytes) {
+          try {
+            const bytes = Buffer.from(dek.encryptedKeyMaterial!, 'base64');
+            dek.encryptedKeyMaterialBytes = bytes;
+          } catch (err) {
+            if (err instanceof Error) {
+              throw new Error(`Failed to decode base64 string: ${err.message}`);
+            }
+            throw new Error(`Unknown error: ${err}`);
+          }
+        }
+      })
+    }
+
+    return dek.encryptedKeyMaterialBytes!;
+  }
+
+  async getDekKeyMaterialBytes(dek: Dek): Promise<Buffer | null> {
+    if (!dek.keyMaterial) {
+      return null;
+    }
+
+    if (!dek.keyMaterialBytes) {
+      await this.dekMutex.runExclusive(async () => {
+        if (!dek.keyMaterialBytes) {
+          try {
+            const bytes = Buffer.from(dek.keyMaterial!, 'base64');
+            dek.keyMaterialBytes = bytes;
+          } catch (err) {
+            if (err instanceof Error) {
+              throw new Error(`Failed to decode base64 string: ${err.message}`);
+            }
+            throw new Error(`Unknown error: ${err}`);
+          }
+        }
+      })
+    }
+
+    return dek.keyMaterialBytes!;
+  }
+
+  async setDekKeyMaterial(dek: Dek, keyMaterialBytes: Buffer): Promise<void> {
+    await this.dekMutex.runExclusive(async () => {
+      if (keyMaterialBytes) {
+        const str = keyMaterialBytes.toString('base64');
+        dek.keyMaterial = str;
+      }
+    })
+  }
+
   async close(): Promise<void> {
     return;
   }

schemaregistry/rules/encryption/dekregistry/mock-dekregistry-client.ts

@@ -97,6 +97,53 @@ class MockDekRegistryClient implements DekClient {
     throw new RestError(`Dek not found: ${subject}`, 404, 40400);
   }
 
+  async getDekEncryptedKeyMaterialBytes(dek: Dek): Promise<Buffer | null> {
+    if (!dek.encryptedKeyMaterial) {
+      return null;
+    }
+
+    if (!dek.encryptedKeyMaterialBytes) {
+      try {
+        const bytes = Buffer.from(dek.encryptedKeyMaterial!, 'base64');
+        dek.encryptedKeyMaterialBytes = bytes;
+      } catch (err) {
+        if (err instanceof Error) {
+          throw new Error(`Failed to decode base64 string: ${err.message}`);
+        }
+        throw new Error(`Unknown error: ${err}`);
+      }
+    }
+
+    return dek.encryptedKeyMaterialBytes!;
+  }
+
+  async getDekKeyMaterialBytes(dek: Dek): Promise<Buffer | null> {
+    if (!dek.keyMaterial) {
+      return null;
+    }
+
+    if (!dek.keyMaterialBytes) {
+      try {
+        const bytes = Buffer.from(dek.keyMaterial!, 'base64');
+        dek.keyMaterialBytes = bytes;
+      } catch (err) {
+        if (err instanceof Error) {
+          throw new Error(`Failed to decode base64 string: ${err.message}`);
+        }
+        throw new Error(`Unknown error: ${err}`);
+      }
+    }
+
+    return dek.keyMaterialBytes!;
+  }
+
+  async setDekKeyMaterial(dek: Dek, keyMaterialBytes: Buffer): Promise<void> {
+    if (keyMaterialBytes) {
+      const str = keyMaterialBytes.toString('base64');
+      dek.keyMaterial = str;
+    }
+  }
+
   async close() {
     return;
   }

schemaregistry/rules/encryption/encrypt-executor.ts

@@ -406,12 +406,14 @@ export class FieldEncryptionExecutorTransform implements FieldTransform {
       }
     }
 
-    if (DekRegistryClient.getKeyMaterialBytes(dek) == null) {
+    const keyMaterialBytes = await this.executor.client!.getDekKeyMaterialBytes(dek)
+    if (keyMaterialBytes == null) {
       if (kmsClient == null) {
         kmsClient = getKmsClient(this.executor.config!, kek)
       }
-      const rawDek = await kmsClient.decrypt(DekRegistryClient.getEncryptedKeyMaterialBytes(dek)!)
-      DekRegistryClient.setKeyMaterial(dek, rawDek)
+      const encryptedKeyMaterialBytes = await this.executor.client!.getDekEncryptedKeyMaterialBytes(dek)
+      const rawDek = await kmsClient.decrypt(encryptedKeyMaterialBytes!)
+      await this.executor.client!.setDekKeyMaterial(dek, rawDek)
     }
 
     return dek
@@ -478,8 +480,8 @@ export class FieldEncryptionExecutorTransform implements FieldTransform {
           version = -1
         }
         let dek = await this.getOrCreateDek(ctx, version)
-        let keyMaterialBytes = DekRegistryClient.getKeyMaterialBytes(dek)!
-        let ciphertext = await this.cryptor.encrypt(keyMaterialBytes, plaintext)
+        let keyMaterialBytes = await this.executor.client!.getDekKeyMaterialBytes(dek)
+        let ciphertext = await this.cryptor.encrypt(keyMaterialBytes!, plaintext)
         if (this.isDekRotated()) {
           ciphertext = this.prefixVersion(dek.version!, ciphertext)
         }
@@ -508,8 +510,8 @@ export class FieldEncryptionExecutorTransform implements FieldTransform {
           ciphertext = ciphertext.subarray(5)
         }
         let dek = await this.getOrCreateDek(ctx, version)
-        let keyMaterialBytes = DekRegistryClient.getKeyMaterialBytes(dek)!
-        let plaintext = await this.cryptor.decrypt(keyMaterialBytes, ciphertext)
+        let keyMaterialBytes = await this.executor.client!.getDekKeyMaterialBytes(dek)
+        let plaintext = await this.cryptor.decrypt(keyMaterialBytes!, ciphertext)
         return this.toObject(fieldCtx.type, plaintext)
       }
       default: