MB-61292: Support for encrypting logs upon enable log encryption

This patch will enable it for debug log

Change-Id: I7eca83f3677a49ce055be0123f93a9bff6c56c44
Reviewed-on: https://review.couchbase.org/c/ns_server/+/216151
Tested-by: Navdeep S Boparai <[email protected]>
Reviewed-by: Timofey Barmin <[email protected]>
Well-Formed: Build Bot <[email protected]>

Author: boparai11

apps/ale/src/ale.erl

@@ -21,8 +21,16 @@
          sync_sink/1,
          sync_all_sinks/0,
          init_log_encryption_ds/1,
+         get_sink_ds/1,
          set_global_log_deks_snapshot/1,
          get_global_log_deks_snapshot/0,
+         set_log_deks_snapshot/1,
+
+         %% Callbacks for encryption
+         create_no_deks_snapshot/0,
+         file_encrypt_state_match/2,
+         file_encrypt_init/2,
+         file_encrypt_chunk/2,
 
          with_configuration_batching/1,
 
@@ -122,28 +130,95 @@ set_sink_loglevel(LoggerName, SinkName, LogLevel) ->
 get_sink_loglevel(LoggerName, SinkName) ->
     gen_server:call(?MODULE, {get_sink_loglevel, LoggerName, SinkName}).
 
-sync_sink(SinkName) ->
+call_disk_sink(SinkName, Call, Timeout) ->
     try
-        gen_server:call(ale_utils:sink_id(SinkName), sync, infinity)
+        gen_server:call(ale_utils:sink_id(SinkName), Call, Timeout)
     catch
         exit:{noproc, _} ->
             {error, unknown_sink}
     end.
 
+sync_sink(SinkName) ->
+    call_disk_sink(SinkName, sync, infinity).
+
 sync_all_sinks() ->
     Sinks = gen_server:call(?MODULE, get_sink_names, infinity),
     [sync_sink(SinkName) || SinkName <- Sinks],
     ok.
 
+get_encr_enabled_disk_sinks() ->
+    #{ale_utils:sink_id(disk_debug) => true}.
+
+is_encr_enabled_sink(SinkId) ->
+    EncrEnabledSinks = get_encr_enabled_disk_sinks(),
+    case maps:find(SinkId, EncrEnabledSinks) of
+        {ok, true} ->
+            true;
+        _ ->
+            false
+    end.
+
+set_log_deks_snapshot(LogsDS) ->
+    set_global_log_deks_snapshot(LogsDS),
+    Sinks = gen_server:call(?MODULE, get_sink_names, infinity),
+    EncryptedSinks =
+        lists:filter(
+            fun(SinkName) ->
+                is_encr_enabled_sink(ale_utils:sink_id(SinkName))
+           end, Sinks),
+    RVs =
+        misc:parallel_map(
+          fun(SinkName) ->
+                  {SinkName, call_disk_sink(SinkName,
+                                            notify_active_key_updt, infinity)}
+          end, EncryptedSinks, infinity),
+
+    Failures = [Result || {_Sink, R} = Result <- RVs, R =/= ok],
+    case Failures of
+        [] ->
+            ok;
+        _ ->
+            {error, Failures}
+    end.
+
 init_log_encryption_ds(LogDS) ->
     set_global_log_deks_snapshot(LogDS).
 
+get_sink_ds(SinkId) ->
+    case is_encr_enabled_sink(SinkId) of
+        true ->
+            get_global_log_deks_snapshot();
+        false ->
+            create_no_deks_snapshot()
+    end.
+
 set_global_log_deks_snapshot(LogsDs) ->
     persistent_term:put(log_deks_snapshot, LogsDs).
 
 get_global_log_deks_snapshot() ->
     persistent_term:get(log_deks_snapshot, undefined).
 
+get_encryption_cb(CbType) ->
+    CBs = persistent_term:get(ale_encryption_callbacks, undefined),
+    #{CbType := Callback} = CBs,
+    Callback.
+
+create_no_deks_snapshot() ->
+    Callback = get_encryption_cb(create_no_deks_snapshot),
+    Callback().
+
+file_encrypt_state_match(DS, EncrState) ->
+    Callback = get_encryption_cb(file_encrypt_state_match),
+    Callback(DS, EncrState).
+
+file_encrypt_init(FileName, DS) ->
+    Callback = get_encryption_cb(file_encrypt_init),
+    Callback(FileName, DS).
+
+file_encrypt_chunk(Data, EncrState) ->
+    Callback = get_encryption_cb(file_encrypt_chunk),
+    Callback(Data, EncrState).
+
 get_effective_loglevel(LoggerName) ->
     call_logger_impl(LoggerName, get_effective_loglevel, []).
 
@@ -334,10 +409,37 @@ init([]) ->
     %% Erlang starts this for us when we disable default handler.
     _ = logger:remove_handler(simple),
 
+    case application:get_env(ale, encryption_callbacks) of
+        {ok, EncrCBs} ->
+            persistent_term:put(ale_encryption_callbacks,
+                                EncrCBs);
+        _ ->
+            persistent_term:put(ale_encryption_callbacks,
+                                default_encr_disabled_cbs())
+    end,
+
     ok = set_error_logger_handler(),
     ok = set_noisy_progress_reports_handler(),
     {ok, State3}.
 
+default_encr_disabled_cbs() ->
+    #{create_no_deks_snapshot =>
+          fun() ->
+                  #{}
+          end,
+      file_encrypt_state_match =>
+          fun(_DS, _EncrState) ->
+                  true
+          end,
+      file_encrypt_init =>
+          fun(_FileName, _DS) ->
+                  {<<>>, #{}}
+          end,
+      file_encrypt_chunk =>
+          fun(Data, EncrState) ->
+                  {Data, EncrState}
+          end}.
+
 handle_call(get_state, _From, State) ->
     {reply, State, State};
 

apps/ale/src/ale_disk_sink.erl

@@ -46,7 +46,8 @@
           rotation_size :: non_neg_integer(),
           rotation_num_files :: pos_integer(),
           rotation_compress :: boolean(),
-          rotation_check_interval :: non_neg_integer()
+          rotation_check_interval :: non_neg_integer(),
+          encr_state :: any()
          }).
 
 start_link(Name, Path) ->
@@ -96,17 +97,22 @@ init([Name, Path, Opts]) ->
 
     {ok, State}.
 
-handle_call(sync, From, #state{worker = Worker} = State) ->
-    NewState = flush_buffer(State),
-
+do_work(Worker, Call, From, Timeout) ->
     Parent = self(),
     proc_lib:spawn_link(
       fun () ->
-              gen_server:reply(From, gen_server:call(Worker, sync, infinity)),
+              gen_server:reply(From, gen_server:call(Worker, Call, Timeout)),
               erlang:unlink(Parent)
-      end),
+      end).
 
+handle_call(sync, From, #state{worker = Worker} = State) ->
+    NewState = flush_buffer(State),
+    do_work(Worker, sync, From, infinity),
     {noreply, NewState};
+handle_call(notify_active_key_updt, From,
+            #state{worker = Worker} = State) ->
+    do_work(Worker, notify_active_key_updt, From, infinity),
+    {noreply, State};
 handle_call(Request, _From, State) ->
     {stop, {unexpected_call, Request}, State}.
 
@@ -287,16 +293,18 @@ do_rotate_file(From0, To0, Compress) ->
             Error
     end.
 
-maybe_rotate_files(#worker_state{sink_name = Name,
-                                 file_size = FileSize,
-                                 rotation_size = RotSize} = State)
-  when RotSize =/= 0, FileSize >= RotSize ->
+do_rotate_files(#worker_state{sink_name = Name} = State) ->
     time_stat(Name, rotation_time,
               fun () ->
                       ok = rotate_files(State),
                       ok = maybe_compress_post_rotate(State),
                       open_log_file(State)
-              end);
+              end).
+
+maybe_rotate_files(#worker_state{file_size = FileSize,
+                                 rotation_size = RotSize} = State)
+  when RotSize =/= 0, FileSize >= RotSize ->
+    do_rotate_files(State);
 maybe_rotate_files(State) ->
     State.
 
@@ -428,16 +436,21 @@ spawn_worker(WorkerState) ->
               worker_init(WorkerState)
       end).
 
-worker_init(#worker_state{rotation_check_interval = RotCheckInterval} = State0) ->
+worker_init(#worker_state{rotation_check_interval = RotCheckInterval,
+                          path = Path} = State0) ->
     case RotCheckInterval > 0 of
         true ->
             erlang:send_after(RotCheckInterval, self(), check_file);
         false ->
             ok
     end,
-    worker_loop(open_log_file(State0)).
 
-worker_loop(State) ->
+    DS = ale:create_no_deks_snapshot(),
+    {<<>>, EncrState} = ale:file_encrypt_init(filename:basename(Path), DS),
+    worker_loop(
+        open_log_file(State0#worker_state{encr_state = EncrState})).
+
+worker_loop(#worker_state{sink_name = SinkName} = State) ->
     NewState =
         receive
             {write, Data0, DataSize0} ->
@@ -450,6 +463,13 @@ worker_loop(State) ->
             {'$gen_call', From, sync} ->
                 gen_server:reply(From, ok),
                 State;
+            {'$gen_call', From, notify_active_key_updt} ->
+                #worker_state{encr_state = EncrState} = State,
+                DS = ale:get_sink_ds(SinkName),
+                UpdtReq = not ale:file_encrypt_state_match(DS, EncrState),
+                UpdatedState = process_key_update_work(UpdtReq, DS, State),
+                gen_server:reply(From, ok),
+                UpdatedState;
             Msg ->
                 exit({unexpected_msg, Msg})
         end,
@@ -466,22 +486,46 @@ receive_more_writes(Data, DataSize) ->
             {Data, DataSize}
     end.
 
-write_data(Data, DataSize,
+maybe_encrypt_data(InputData, EncrState) ->
+    ale:file_encrypt_chunk(InputData, EncrState).
+
+write_data(InputData, InputDataSize,
            #worker_state{sink_name = Name,
                          file = File,
                          file_size = FileSize,
-                         parent = Parent} = State) ->
-    broadcast_stat(Name, write_size, DataSize),
-
+                         parent = Parent,
+                         encr_state = EncrState} = State) ->
+    {WriteData, NewEncrState} = maybe_encrypt_data(InputData, EncrState),
+    WriteDataSize = byte_size(WriteData),
+    broadcast_stat(Name, write_size, WriteDataSize),
     time_stat(Name, write_time,
               fun () ->
-                      ok = file:write(File, Data)
+                      ok = file:write(File, WriteData)
               end),
 
-    Parent ! {written, DataSize},
-    NewState = State#worker_state{file_size = FileSize + DataSize},
+    Parent ! {written, InputDataSize},
+    NewState = State#worker_state{file_size = FileSize + WriteDataSize,
+                                  encr_state = NewEncrState},
     maybe_rotate_files(NewState).
 
+process_key_update_work(false = _UpdtReq, _DS, State) ->
+    State;
+process_key_update_work(true = _UpdtReq, DS,
+                        #worker_state{sink_name = Name,
+                                      path = Path} = State) ->
+    {Header, EncryptState} =
+        ale:file_encrypt_init(filename:basename(Path), DS),
+    NewState = do_rotate_files(State),
+    #worker_state{file = File,
+                  file_size = 0,
+                  path = Path} = NewState,
+    time_stat(Name, write_time,
+              fun () ->
+                      ok = file:write(File, Header)
+              end),
+    NewState#worker_state{file_size = byte_size(Header),
+                          encr_state = EncryptState}.
+
 remove_unnecessary_log_files(LogFilePath, NumFiles) ->
     Dir = filename:dirname(LogFilePath),
     Name = filename:basename(LogFilePath),

apps/ns_babysitter/src/ns_babysitter_bootstrap.erl

@@ -18,6 +18,8 @@ start() ->
 
 start({nocookie, nologdek}) ->
     try
+        application:set_env(ale, encryption_callbacks, ?ALE_ENCR_CALLBACKS),
+
         ok = application:start(ale),
         ok = application:start(sasl),
         ok = application:start(ns_babysitter, permanent),

apps/ns_couchdb/src/ns_couchdb.erl

@@ -30,6 +30,7 @@
 start({Cookie, LogDeks}) ->
     application:set_env(ns_server, babysitter_cookie, Cookie),
     application:set_env(ns_server, initial_log_deks, LogDeks),
+    application:set_env(ale, encryption_callbacks, ?ALE_ENCR_CALLBACKS),
     application:start(ns_common, permanent),
     application:start(ns_couchdb, permanent).
 

apps/ns_server/include/ns_common.hrl

@@ -461,4 +461,22 @@
                          ?FUNCTION_NAME, Args)
         end).
 
--endif.
+-define(ALE_ENCR_CALLBACKS,
+    #{create_no_deks_snapshot =>
+          fun() ->
+                  cb_crypto:create_deks_snapshot(undefined, [], undefined)
+          end,
+      file_encrypt_state_match =>
+          fun(DS, EncrState) ->
+                  cb_crypto:file_encrypt_state_match(DS, EncrState)
+          end,
+      file_encrypt_init =>
+          fun(FileName, DS) ->
+                  cb_crypto:file_encrypt_init(FileName, DS)
+          end,
+      file_encrypt_chunk =>
+          fun(Data, EncrState) ->
+                  cb_crypto:file_encrypt_chunk(Data, EncrState)
+          end}).
+
+-endif.

apps/ns_server/src/cb_crypto.erl

@@ -32,6 +32,7 @@
          file_encrypt_chunk/2,
 
          read_file/2,
+         file_encrypt_state_match/2,
          file_decrypt_init/3,
          file_decrypt_next_chunk/2,
 
@@ -113,6 +114,18 @@ atomic_write_file(Path, Bytes, DekSnapshot, Opts) when is_binary(Bytes) ->
           encrypt_to_file(IODevice, Filename, Bytes, MaxChunkSize, DekSnapshot)
       end).
 
+get_key_id(undefined) ->
+    undefined;
+get_key_id(#{id := KeyId} = _Key) ->
+    KeyId.
+
+-spec file_encrypt_state_match(#dek_snapshot{},
+                               #file_encr_state{}) -> boolean().
+file_encrypt_state_match(#dek_snapshot{active_key = ActiveKey},
+                         #file_encr_state{key = FileActiveKey}) ->
+
+    get_key_id(ActiveKey) =:= get_key_id(FileActiveKey).
+
 -spec file_encrypt_init(string(), #dek_snapshot{}) ->
           {binary(), #file_encr_state{}}.
 file_encrypt_init(Filename,