[template-graph] Add User-Side Data Encryption From Workflow Template Graph

Cargo.toml

@@ -5,6 +5,7 @@ members = [
     "attestation-service",
     "accless/libs/abe4",
     "accless/libs/jwt",
+    "template-graph",
     "workflows/finra/knative",
     "workflows/word-count/knative",
     "workflows/ml-inference/knative",
@@ -32,6 +33,7 @@ ark-std = "0.4.0"
 axum = "0.7"
 base64 = "^0.22"
 bytes = "1.4"
+blake3 = "1.5.1"
 chrono = "^0.4.38"
 clap = { version = "4.0" }
 cloudevents-sdk = { git = "https://github.com/cloudevents/sdk-rust.git", rev = "fa0aadb31de82956d44fba4b50c6a002d5bd0b7b" }

accless/libs/abe4/src/lib.rs

@@ -1,7 +1,7 @@
 mod curve;
 mod hashing;
-mod policy;
-mod scheme;
+pub mod policy;
+pub mod scheme;
 
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use base64::engine::{Engine as _, general_purpose};
@@ -107,6 +107,27 @@ struct EncryptOutput {
     ciphertext: String,
 }
 
+/// # Description
+///
+/// FFI wrapper for the CP-ABE encryption function.
+///
+/// This function takes a base64-encoded master public key and a policy string,
+/// encrypts a symmetric key under this policy, and returns the base64-encoded
+/// encrypted symmetric key and its ciphertext.
+///
+/// # Arguments
+///
+/// * `mpk_b64`: A C-style string containing the base64-encoded master public
+///   key.
+/// * `policy_str`: A C-style string containing the policy string.
+///
+/// # Returns
+///
+/// A C-style string containing a JSON object with two fields:
+/// - `gt`: The base64-encoded symmetric key (plaintext) that was encrypted.
+/// - `ciphertext`: The base64-encoded ciphertext of the symmetric key.
+///
+/// Returns a null pointer on error.
 #[allow(clippy::missing_safety_doc)]
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn encrypt_abe4(
@@ -142,6 +163,25 @@ pub unsafe extern "C" fn encrypt_abe4(
     CString::new(output_json).unwrap().into_raw()
 }
 
+/// # Description
+///
+/// FFI wrapper for the CP-ABE decryption function.
+///
+/// This function takes a base64-encoded user secret key, a global identifier,
+/// a policy string, and a base64-encoded ciphertext. It attempts to decrypt
+/// the ciphertext to recover the symmetric key.
+///
+/// # Arguments
+///
+/// * `usk_b64`: A C-style string containing the base64-encoded user secret key.
+/// * `gid`: A C-style string containing the global identifier of the user.
+/// * `policy_str`: A C-style string containing the policy string.
+/// * `ct_b64`: A C-style string containing the base64-encoded ciphertext.
+///
+/// # Returns
+///
+/// A C-style string containing the base64-encoded symmetric key if decryption
+/// is successful, or a null pointer otherwise.
 #[allow(clippy::missing_safety_doc)]
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn decrypt_abe4(

accless/libs/abe4/src/policy/mod.rs

@@ -165,12 +165,18 @@ fn fmt_expr(
             write!(f, "{:?}", t)
         }
         Expr::And(lhs, rhs) => {
+            write!(f, "(")?;
             fmt_expr(lhs, f)?;
             write!(f, " & ")?;
-            fmt_expr(rhs, f)
+            fmt_expr(rhs, f)?;
+            write!(f, ")")
         }
-        Expr::Or(_, _) => {
-            panic!("Not implemented")
+        Expr::Or(lhs, rhs) => {
+            write!(f, "(")?;
+            fmt_expr(lhs, f)?;
+            write!(f, " | ")?;
+            fmt_expr(rhs, f)?;
+            write!(f, ")")
         }
     }
 }

accless/libs/abe4/src/scheme/decrypt.rs

@@ -21,6 +21,28 @@ fn solve_lse(usk: &USK, policy: &Policy) -> Option<(Vec<usize>, Vec<usize>)> {
     Some((eps_vec, eps_not_vec))
 }
 
+/// # Description
+///
+/// Decrypts a ciphertext to recover the symmetric key.
+///
+/// This function attempts to decrypt a `Ciphertext` using a user's secret key
+/// (`USK`). If the user's attributes (embedded in the `USK`) satisfy the policy
+/// associated with the `Ciphertext`, the original symmetric key (`Gt`) is
+/// recovered. Otherwise, decryption fails and `None` is returned.
+///
+/// # Arguments
+///
+/// * `usk`: The user's secret key.
+/// * `gid`: The global identifier of the user.
+/// * `iota`: The `Iota` object derived from the user's attributes.
+/// * `tau`: The `Tau` object derived from the policy.
+/// * `policy`: The access control policy used for encryption.
+/// * `ct`: The ciphertext to be decrypted.
+///
+/// # Returns
+///
+/// An `Option<Gt>` containing the recovered symmetric key if decryption is
+/// successful, or `None` otherwise.
 pub fn decrypt(
     usk: &USK,
     gid: &str,

accless/libs/abe4/src/scheme/encrypt.rs

@@ -51,6 +51,29 @@ fn share_secret(
     (lambda_vec, mu_vec, n)
 }
 
+/// # Description
+///
+/// Encrypts a symmetric key using the CP-ABE scheme.
+///
+/// This function does not encrypt arbitrary plaintext data directly. Instead,
+/// it takes a policy and generates a symmetric key (`Gt`) that is encrypted
+/// under this policy. The returned `Ciphertext` can then be used to decrypt
+/// this symmetric key if the decryptor possesses a set of attributes that
+/// satisfy the policy.
+///
+/// # Arguments
+///
+/// * `rng`: A mutable reference to a random number generator.
+/// * `mpk`: The master public key.
+/// * `policy`: The access control policy under which the symmetric key will be
+///   encrypted.
+/// * `tau`: The `Tau` object derived from the policy.
+///
+/// # Returns
+///
+/// A tuple containing:
+/// - `Gt`: The symmetric key (plaintext) that was encrypted.
+/// - `Ciphertext`: The ciphertext of the symmetric key.
 pub fn encrypt(mut rng: impl Rng, mpk: &MPK, policy: &Policy, tau: &Tau) -> (Gt, Ciphertext) {
     let s = ScalarField::rand(&mut rng);
     let m = std::cmp::max(tau.get_max(), tau.get_tilde_max());

template-graph/Cargo.toml

@@ -0,0 +1,21 @@
+
+[package]
+name = "template-graph"
+version.workspace = true
+license-file.workspace = true
+edition.workspace = true
+authors.workspace = true
+description = "A library to parse and work with Accless workflow template graphs"
+homepage.workspace = true
+
+[dependencies]
+accless-abe4 = { path = "../accless/libs/abe4" }
+anyhow = { workspace = true }
+blake3 = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+serde_yaml = { workspace = true }
+
+[dev-dependencies]
+ark-std = { workspace = true }
+base64 = { workspace = true }
+ark-serialize = { workspace = true }