MB-61292: Add /encryptionAtRest API

Adds API to manage encryption-at-rest for configuration.
The same API will be used in future to manage encryption
for other parts like logs.

GET /settings/security/encryptionAtRest/config
POST /settings/security/encryptionAtRest/config

encryptionMethod = disabled | encryption_service | secret
encryptionSecretId = -1 | secret_id

Change-Id: Ib752a1f62bff10b0f7d106898d0585b0da904045
Reviewed-on: https://review.couchbase.org/c/ns_server/+/211733
Well-Formed: Build Bot <[email protected]>
Reviewed-by: Navdeep S Boparai <[email protected]>
Tested-by: Timofey Barmin <[email protected]>

Author: timofey-barmin

apps/ns_server/src/cb_cluster_secrets.erl

@@ -49,7 +49,9 @@
          rotate/1,
          get_secret_by_kek_id_map/1,
          ensure_can_encrypt_dek_kind/3,
-         generate_raw_key/1]).
+         is_allowed_usage_for_secret/3,
+         generate_raw_key/1,
+         sync_with_all_node_monitors/0]).
 
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
@@ -349,6 +351,19 @@ ensure_can_encrypt_dek_kind(SecretId, DekKind, Snapshot) ->
         {error, not_found} -> {error, not_found}
     end.
 
+-spec is_allowed_usage_for_secret(secret_id(), secret_usage(),
+                                  chronicle_snapshot()) ->
+          ok | {error, not_allowed | not_found}.
+is_allowed_usage_for_secret(SecretId, Usage, Snapshot) ->
+    maybe
+        {ok, #{usage := AllowedUsages}} ?= get_secret(SecretId, Snapshot),
+        true ?= is_allowed([Usage], AllowedUsages),
+        ok
+    else
+        false -> {error, not_allowed};
+        {error, not_found} -> {error, not_found}
+    end.
+
 -spec get_secret_by_kek_id_map(chronicle_snapshot()) ->
                                                     #{kek_id() := secret_id()}.
 get_secret_by_kek_id_map(Snapshot) ->

apps/ns_server/src/chronicle_local.erl

@@ -153,12 +153,8 @@ sync() ->
     gen_server2:call(?MODULE, sync, ?CALL_TIMEOUT).
 
 get_encryption(Snapshot) ->
-    Settings = chronicle_compat:get(Snapshot,
-                                    ?CHRONICLE_ENCR_AT_REST_SETTINGS_KEY,
-                                    #{default => #{}}),
-    ConfigEncryptionSettings = maps:get(config_encryption, Settings,
-                                        #{encryption => disabled,
-                                          secret_id => ?SECRET_ID_NOT_SET}),
+    #{config_encryption := ConfigEncryptionSettings} =
+        menelaus_web_encr_at_rest:get_settings(Snapshot),
     {ok, case ConfigEncryptionSettings of
              #{encryption := disabled} -> disabled;
              #{encryption := encryption_service} -> encryption_service;

apps/ns_server/src/menelaus_web.erl

@@ -509,6 +509,9 @@ get_action(Req, {AppRoot, IsSSL, Plugins}, Path, PathTokens) ->
                 ["settings", "passwordPolicy"] ->
                     {{[admin, security], read},
                      fun menelaus_web_rbac:handle_get_password_policy/1};
+                ["settings", "security", "encryptionAtRest" | PathRest] ->
+                    {{[admin, security], read},
+                     fun menelaus_web_encr_at_rest:handle_get/2, [PathRest]};
                 ["settings", "security" | Keys] ->
                     {{[admin, security], read},
                      fun menelaus_web_settings:handle_get/3, [security, Keys]};
@@ -794,6 +797,9 @@ get_action(Req, {AppRoot, IsSSL, Plugins}, Path, PathTokens) ->
                 ["settings", "passwordPolicy"] ->
                     {{[admin, security], write},
                      fun menelaus_web_rbac:handle_post_password_policy/1};
+                ["settings", "security", "encryptionAtRest" | PathRest] ->
+                    {{[admin, security], write},
+                     fun menelaus_web_encr_at_rest:handle_post/2, [PathRest]};
                 ["settings", "security" | Keys] ->
                     {{[admin, security], write},
                      fun menelaus_web_settings:handle_post/3, [security, Keys]};

apps/ns_server/src/menelaus_web_encr_at_rest.erl

@@ -0,0 +1,101 @@
+%% @author Couchbase <[email protected]>
+%% @copyright 2024-Present Couchbase, Inc.
+%%
+%% Use of this software is governed by the Business Source License included in
+%% the file licenses/BSL-Couchbase.txt.  As of the Change Date specified in that
+%% file, in accordance with the Business Source License, use of this software
+%% will be governed by the Apache License, Version 2.0, included in the file
+%% licenses/APL2.txt.
+%%
+-module(menelaus_web_encr_at_rest).
+
+-include("ns_common.hrl").
+-include_lib("ns_common/include/cut.hrl").
+-include("cb_cluster_secrets.hrl").
+
+-export([handle_get/2, handle_post/2, get_settings/1]).
+
+params() ->
+    [{"config.encryptionMethod",
+      #{cfg_key => [config_encryption, encryption],
+        type => {one_of, existing_atom,
+                 [disabled, encryption_service, secret]}}},
+     {"config.encryptionSecretId",
+      #{cfg_key => [config_encryption, secret_id],
+        type => {int, -1, infinity}}}].
+
+handle_get(Path, Req) ->
+    Settings = get_settings(direct),
+    List = maps:to_list(maps:map(fun (_, V) -> maps:to_list(V) end, Settings)),
+    menelaus_web_settings2:handle_get(Path, params(), undefined, List, Req).
+
+handle_post(Path, Req) ->
+    menelaus_web_settings2:handle_post(
+      fun (Params, Req2) ->
+          NewSettings = maps:map(fun (_, V) -> maps:from_list(V) end,
+                                 maps:groups_from_list(
+                                   fun ({[K1, _K2], _V}) -> K1 end,
+                                   fun ({[_K1, K2], V}) -> {K2, V} end,
+                                   Params)),
+          RV = chronicle_kv:transaction(
+                 kv, [?CHRONICLE_SECRETS_KEY,
+                      ?CHRONICLE_ENCR_AT_REST_SETTINGS_KEY],
+                 fun (Snapshot) ->
+                     #{config_encryption := Cfg} = ToApply =
+                        get_settings(Snapshot, NewSettings),
+                     case validate_sec_settings(config_encryption,
+                                                Cfg, Snapshot) of
+                         ok ->
+                             {commit, [{set,
+                                        ?CHRONICLE_ENCR_AT_REST_SETTINGS_KEY,
+                                        ToApply}]};
+                         {error, _} = Error ->
+                             {abort, Error}
+                     end
+                 end),
+         case RV of
+             {ok, _} ->
+                 cb_cluster_secrets:sync_with_all_node_monitors(),
+                 handle_get(Path, Req2);
+             {error, Msg} ->
+                 menelaus_util:reply_global_error(Req2, Msg)
+         end
+      end, Path, params(), undefined, Req).
+
+get_settings(Snapshot) -> get_settings(Snapshot, #{}).
+get_settings(Snapshot, ExtraSettings) ->
+    Merge = fun (Settings1, Settings2) ->
+                maps:merge_with(fun (_K, V1, V2) -> maps:merge(V1, V2) end,
+                                Settings1, Settings2)
+            end,
+    Settings = chronicle_compat:get(Snapshot,
+                                    ?CHRONICLE_ENCR_AT_REST_SETTINGS_KEY,
+                                    #{default => #{}}),
+    Merge(Merge(defaults(), Settings), ExtraSettings).
+
+defaults() ->
+    #{config_encryption => #{encryption => disabled,
+                             secret_id => ?SECRET_ID_NOT_SET}}.
+
+validate_sec_settings(_, #{encryption := disabled,
+                           secret_id := ?SECRET_ID_NOT_SET}, _) ->
+    ok;
+validate_sec_settings(_, #{encryption := disabled,
+                           secret_id := _}, _) ->
+    {error, "Secret id must not be set when encryption is disabled"};
+validate_sec_settings(_, #{encryption := encryption_service,
+                           secret_id := ?SECRET_ID_NOT_SET}, _) ->
+    ok;
+validate_sec_settings(_, #{encryption := encryption_service,
+                           secret_id := _}, _) ->
+    {error, "Secret id must not be set when encryption_service is used"};
+validate_sec_settings(_, #{encryption := secret,
+                        secret_id := ?SECRET_ID_NOT_SET}, _) ->
+    {error, "Secret id must be set"};
+validate_sec_settings(Name, #{encryption := secret,
+                              secret_id := Id}, Snapshot) ->
+    case cb_cluster_secrets:is_allowed_usage_for_secret(Id, Name, Snapshot) of
+        ok -> ok;
+        {error, not_found} -> {error, "Secret not found"};
+        {error, not_allowed} -> {error, "Secret not allowed"}
+    end.

cluster_tests/testsets/native_encryption_tests.py

@@ -34,6 +34,7 @@ def teardown(self):
         pass
 
     def test_teardown(self):
+        set_cfg_encryption(self.cluster, 'disabled', -1)
         self.cluster.delete_bucket(self.bucket_name)
         for s in get_secrets(self.cluster):
             delete_secret(self.cluster, s['id'])
@@ -559,6 +560,39 @@ def rotation_happened(key_num, expected_rotation_time_iso):
             lambda: rotation_happened(3, next_rotation),
             sleep_time=0.3, timeout=10)
 
+    def cfg_encryption_api_test(self):
+        secret = auto_generated_secret(usage=['bucket-encryption-*'])
+        bad_id = create_secret(self.random_node(), secret)
+        secret['usage'] = ['bucket-encryption-*', 'configuration-encryption']
+        good_id = create_secret(self.random_node(), secret)
+        node = self.random_node()
+        set_cfg_encryption(node, 'disabled', -1)
+        set_cfg_encryption(node, 'encryption_service', -1)
+        set_cfg_encryption(node, 'secret', -1, expected_code=400)
+        set_cfg_encryption(node, 'secret', bad_id, expected_code=400)
+        set_cfg_encryption(node, 'secret', good_id)
+
+        secret['usage'] = ['bucket-encryption-*']
+        errors = update_secret(node, good_id, secret, expected_code=400)
+        assert errors['_'] == 'can\'t modify usage as this secret is in use', \
+               f'unexpected error: {errors}'
+
+        set_cfg_encryption(node, 'encryption_service', -1)
+
+        update_secret(node, good_id, secret)
+
+
+def set_cfg_encryption(cluster, mode, secret, expected_code=200):
+    testlib.post_succ(cluster, '/settings/security/encryptionAtRest/config',
+                      json={'encryptionMethod': mode,
+                            'encryptionSecretId': secret},
+                      expected_code=expected_code)
+    if expected_code == 200:
+        r = testlib.get_succ(cluster, '/settings/security/encryptionAtRest')
+        r = r.json()
+        testlib.assert_eq(r['config']['encryptionMethod'], mode)
+        testlib.assert_eq(r['config']['encryptionSecretId'], secret)
+
 
 def auto_generated_secret(name=None,
                           usage=None,