enable remote encryption support for remote and synced databases

Author: avinassh

libsql/examples/encryption_sync.rs

@@ -1,6 +1,7 @@
 // Example of using offline writes with encryption
 
-use libsql::{params, Builder, EncryptionContext, EncryptionKey};
+use libsql::{params, Builder};
+use libsql::{EncryptionContext, EncryptionKey};
 
 #[tokio::main]
 async fn main() {
@@ -24,7 +25,8 @@ async fn main() {
         None
     };
 
-    let db_builder = Builder::new_synced_database(db_path, sync_url, auth_token, encryption);
+    let db_builder =
+        Builder::new_synced_database(db_path, sync_url, auth_token).remote_encryption(encryption);
 
     let db = match db_builder.build().await {
         Ok(db) => db,

libsql/src/database.rs

@@ -8,6 +8,8 @@ pub use builder::Builder;
 pub use libsql_sys::{Cipher, EncryptionConfig};
 
 use crate::{Connection, Result};
+use base64::engine::general_purpose;
+use base64::Engine;
 use std::fmt;
 use std::sync::atomic::AtomicU64;
 
@@ -100,7 +102,7 @@ enum DbType {
         auth_token: String,
         connector: crate::util::ConnectorService,
         _bg_abort: Option<std::sync::Arc<crate::sync::DropAbort>>,
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     },
     #[cfg(feature = "remote")]
     Remote {
@@ -109,6 +111,7 @@ enum DbType {
         connector: crate::util::ConnectorService,
         version: Option<String>,
         namespace: Option<String>,
+        remote_encryption: Option<EncryptionContext>,
     },
 }
 
@@ -545,6 +548,7 @@ cfg_remote! {
                     connector: crate::util::ConnectorService::new(svc),
                     version,
                     namespace: None,
+                    remote_encryption: None
                 },
                 max_write_replication_index: Default::default(),
             })
@@ -733,6 +737,7 @@ impl Database {
                 connector,
                 version,
                 namespace,
+                remote_encryption,
             } => {
                 let conn = std::sync::Arc::new(
                     crate::hrana::connection::HttpConnection::new_with_connector(
@@ -741,7 +746,7 @@ impl Database {
                         connector.clone(),
                         version.as_ref().map(|s| s.as_str()),
                         namespace.as_ref().map(|s| s.as_str()),
-                        None,
+                        remote_encryption.clone(),
                     ),
                 );
 
@@ -785,3 +790,26 @@ impl std::fmt::Debug for Database {
         f.debug_struct("Database").finish()
     }
 }
+
+#[derive(Debug, Clone)]
+pub enum EncryptionKey {
+    /// The key is a base64-encoded string.
+    Base64Encoded(String),
+    /// The key is a byte array.
+    Bytes(Vec<u8>),
+}
+
+impl EncryptionKey {
+    pub fn as_string(&self) -> String {
+        match self {
+            EncryptionKey::Base64Encoded(s) => s.clone(),
+            EncryptionKey::Bytes(b) => general_purpose::STANDARD.encode(b),
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct EncryptionContext {
+    /// The base64-encoded key for the encryption, sent on every request.
+    pub key: EncryptionKey,
+}

libsql/src/database/builder.rs

@@ -5,7 +5,7 @@ cfg_core! {
 use super::DbType;
 use crate::{Database, Result};
 
-pub use crate::sync::EncryptionContext;
+pub use crate::database::EncryptionContext;
 
 /// A builder for [`Database`]. This struct can be used to build
 /// all variants of [`Database`]. These variants include:
@@ -52,8 +52,6 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
-            #[cfg(feature = "sync")]
-            remote_encryption: Option<crate::sync::EncryptionContext>,
         ) -> Builder<RemoteReplica> {
             Builder {
                 inner: RemoteReplica {
@@ -64,6 +62,7 @@ impl Builder<()> {
                         connector: None,
                         version: None,
                         namespace: None,
+                        remote_encryption: None
                     },
                     encryption_config: None,
                     read_your_writes: true,
@@ -73,7 +72,7 @@ impl Builder<()> {
                     #[cfg(feature = "sync")]
                     sync_protocol: Default::default(),
                     #[cfg(feature = "sync")]
-                    remote_encryption,
+                    remote_encryption: None
                 },
             }
         }
@@ -98,7 +97,6 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
-            remote_encryption: Option<EncryptionContext>,
         ) -> Builder<SyncedDatabase> {
             Builder {
                 inner: SyncedDatabase {
@@ -110,13 +108,14 @@ impl Builder<()> {
                         connector: None,
                         version: None,
                         namespace: None,
+                        remote_encryption: None,
                     },
                     connector: None,
                     read_your_writes: true,
                     remote_writes: false,
                     push_batch_size: 0,
                     sync_interval: None,
-                    remote_encryption,
+                    remote_encryption: None,
                 },
             }
         }
@@ -132,6 +131,7 @@ impl Builder<()> {
                     connector: None,
                     version: None,
                     namespace: None,
+                    remote_encryption: None,
                 },
             }
         }
@@ -146,6 +146,7 @@ cfg_replication_or_remote_or_sync! {
         connector: Option<crate::util::ConnectorService>,
         version: Option<String>,
         namespace: Option<String>,
+        remote_encryption: Option<EncryptionContext>,
     }
 }
 
@@ -238,7 +239,7 @@ cfg_replication! {
         #[cfg(feature = "sync")]
         sync_protocol: super::SyncProtocol,
         #[cfg(feature = "sync")]
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     }
 
     /// Local replica configuration type in [`Builder`].
@@ -300,6 +301,13 @@ cfg_replication! {
             self
         }
 
+        /// Set the encryption context if the database is encrypted in remote server.
+        #[cfg(feature = "sync")]
+        pub fn remote_encryption(mut self, encryption_context: EncryptionContext) -> Builder<RemoteReplica> {
+            self.inner.remote_encryption = Some(encryption_context);
+            self
+        }
+
         pub fn http_request_callback<F>(mut self, f: F) -> Builder<RemoteReplica>
         where
             F: Fn(&mut http::Request<()>) + Send + Sync + 'static
@@ -347,6 +355,7 @@ cfg_replication! {
                         connector,
                         version,
                         namespace,
+                        ..
                     },
                 encryption_config,
                 read_your_writes,
@@ -415,10 +424,11 @@ cfg_replication! {
 
                         if res.status().is_success() {
                             tracing::trace!("Using sync protocol v2 for {}", url);
-                            let builder = Builder::new_synced_database(path, url, auth_token, remote_encryption)
+                            let builder = Builder::new_synced_database(path, url, auth_token)
                                 .connector(connector)
                                 .remote_writes(true)
-                                .read_your_writes(read_your_writes);
+                                .read_your_writes(read_your_writes)
+                                .remote_encryption(remote_encryption);
 
                             let builder = if let Some(sync_interval) = sync_interval {
                                 builder.sync_interval(sync_interval)
@@ -475,7 +485,10 @@ cfg_replication! {
 
 
             Ok(Database {
-                db_type: DbType::Sync { db, encryption_config },
+                db_type: DbType::Sync {
+                    db,
+                    encryption_config,
+                },
                 max_write_replication_index: Default::default(),
             })
         }
@@ -515,6 +528,7 @@ cfg_replication! {
                 connector,
                 version,
                 namespace,
+                ..
             }) = remote
             {
                 let connector = if let Some(connector) = connector {
@@ -565,7 +579,7 @@ cfg_sync! {
         read_your_writes: bool,
         push_batch_size: u32,
         sync_interval: Option<std::time::Duration>,
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     }
 
     impl Builder<SyncedDatabase> {
@@ -598,6 +612,12 @@ cfg_sync! {
             self
         }
 
+         /// Set the encryption context if the database is encrypted in remote server.
+        pub fn remote_encryption(mut self, encryption_context: Option<EncryptionContext>) -> Builder<SyncedDatabase> {
+            self.inner.remote_encryption = encryption_context;
+            self
+        }
+
         /// Provide a custom http connector that will be used to create http connections.
         pub fn connector<C>(mut self, connector: C) -> Builder<SyncedDatabase>
         where
@@ -624,6 +644,7 @@ cfg_sync! {
                         connector: _,
                         version: _,
                         namespace: _,
+                        ..
                     },
                 connector,
                 remote_writes,
@@ -759,6 +780,12 @@ cfg_remote! {
             self
         }
 
+        /// Set the encryption context if the database is encrypted in remote server.
+        pub fn remote_encryption(mut self, encryption_context: EncryptionContext) -> Builder<Remote> {
+            self.inner.remote_encryption = Some(encryption_context);
+            self
+        }
+
         /// Build the remote database client.
         pub async fn build(self) -> Result<Database> {
             let Remote {
@@ -767,6 +794,7 @@ cfg_remote! {
                 connector,
                 version,
                 namespace,
+                remote_encryption,
             } = self.inner;
 
             let connector = if let Some(connector) = connector {
@@ -789,6 +817,7 @@ cfg_remote! {
                     connector,
                     version,
                     namespace,
+                    remote_encryption
                 },
                 max_write_replication_index: Default::default(),
             })

libsql/src/hrana/hyper.rs

@@ -28,15 +28,15 @@ pub struct HttpSender {
     version: HeaderValue,
     namespace: Option<HeaderValue>,
     #[cfg(feature = "sync")]
-    remote_encryption: Option<crate::sync::EncryptionContext>,
+    remote_encryption: Option<crate::database::EncryptionContext>,
 }
 
 impl HttpSender {
     pub fn new(
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
-        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
+        #[cfg(feature = "sync")] remote_encryption: Option<crate::database::EncryptionContext>,
     ) -> Self {
         let ver = version.unwrap_or(env!("CARGO_PKG_VERSION"));
 
@@ -135,7 +135,7 @@ impl HttpConnection<HttpSender> {
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
-        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
+        #[cfg(feature = "sync")] remote_encryption: Option<crate::database::EncryptionContext>,
     ) -> Self {
         let inner = HttpSender::new(
             connector,

libsql/src/lib.rs

@@ -132,8 +132,8 @@ pub mod params;
 cfg_sync! {
     mod sync;
     pub use database::SyncProtocol;
-    pub use sync::EncryptionContext;
-    pub use sync::EncryptionKey;
+    pub use database::EncryptionContext;
+    pub use database::EncryptionKey;
 }
 
 cfg_replication! {

libsql/src/local/database.rs

@@ -212,7 +212,7 @@ impl Database {
         flags: OpenFlags,
         endpoint: String,
         auth_token: String,
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<crate::database::EncryptionContext>,
     ) -> Result<Database> {
         let db_path = db_path.into();
         let endpoint = if endpoint.starts_with("libsql:") {
@@ -222,8 +222,14 @@ impl Database {
         };
         let mut db = Database::open(&db_path, flags)?;
 
-        let sync_ctx =
-            SyncContext::new(connector, db_path.into(), endpoint, Some(auth_token), remote_encryption).await?;
+        let sync_ctx = SyncContext::new(
+            connector,
+            db_path.into(),
+            endpoint,
+            Some(auth_token),
+            remote_encryption,
+        )
+        .await?;
         db.sync_ctx = Some(Arc::new(Mutex::new(sync_ctx)));
 
         Ok(db)

libsql/src/sync.rs

@@ -1,7 +1,6 @@
 use crate::{local::Connection, util::ConnectorService, Error, Result};
 
-use base64::engine::general_purpose;
-use base64::Engine;
+use crate::database::EncryptionContext;
 use bytes::Bytes;
 use chrono::Utc;
 use http::{HeaderValue, StatusCode};
@@ -119,29 +118,6 @@ struct PushFramesResult {
     baton: Option<String>,
 }
 
-#[derive(Debug, Clone)]
-pub enum EncryptionKey {
-    /// The key is a base64-encoded string.
-    Base64Encoded(String),
-    /// The key is a byte array.
-    Bytes(Vec<u8>),
-}
-
-impl EncryptionKey {
-    pub fn as_string(&self) -> String {
-        match self {
-            EncryptionKey::Base64Encoded(s) => s.clone(),
-            EncryptionKey::Bytes(b) => general_purpose::STANDARD.encode(b),
-        }
-    }
-}
-
-#[derive(Debug, Clone)]
-pub struct EncryptionContext {
-    /// The base64-encoded key for the encryption, sent on every request.
-    pub key: EncryptionKey,
-}
-
 pub struct SyncContext {
     db_path: String,
     client: hyper::Client<ConnectorService, Body>,