Client Encryption: Adds support to use gateway cache to get client encryption key properties (Azure#27210)

* Encryption gateway cache changes

* Adding test case

* Resolving comments

* Resolving comments

* Upstream merge

* Resolving conflicts

* Resolving conflicts

* Adding test case

* Adding test case

* Resolving comments

* Fixing spot bugs

* Fixing encryption key read public surface area

* Fixing encryption key read public surface area

* Fixing CI build

* Fixing CI build

* Fixing CI build

* Fixing CI build

Co-authored-by: Aayush Kataria <[email protected]>
Co-authored-by: Aayush Kataria <[email protected]>

Author: 3 people

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/CosmosEncryptionAsyncClient.java

@@ -11,9 +11,12 @@
 import com.azure.cosmos.CosmosAsyncContainer;
 import com.azure.cosmos.CosmosAsyncDatabase;
 import com.azure.cosmos.CosmosException;
+import com.azure.cosmos.encryption.implementation.Constants;
 import com.azure.cosmos.encryption.implementation.EncryptionImplementationBridgeHelpers;
 import com.azure.cosmos.encryption.implementation.keyprovider.EncryptionKeyStoreProviderImpl;
 import com.azure.cosmos.implementation.HttpConstants;
+import com.azure.cosmos.implementation.ImplementationBridgeHelpers;
+import com.azure.cosmos.implementation.RequestOptions;
 import com.azure.cosmos.implementation.Utils;
 import com.azure.cosmos.implementation.apachecommons.lang.StringUtils;
 import com.azure.cosmos.implementation.caches.AsyncCache;
@@ -41,6 +44,7 @@ public final class CosmosEncryptionAsyncClient implements Closeable {
     private final KeyEncryptionKeyResolver keyEncryptionKeyResolver;
     private final String keyEncryptionKeyResolverName;
     private final EncryptionKeyStoreProviderImpl encryptionKeyStoreProviderImpl;
+    private final static ImplementationBridgeHelpers.CosmosAsyncClientEncryptionKeyHelper.CosmosAsyncClientEncryptionKeyAccessor cosmosAsyncClientEncryptionKeyAccessor = ImplementationBridgeHelpers.CosmosAsyncClientEncryptionKeyHelper.getCosmosAsyncClientEncryptionKeyAccessor();
 
     CosmosEncryptionAsyncClient(CosmosAsyncClient cosmosAsyncClient,
                                 KeyEncryptionKeyResolver keyEncryptionKeyResolver,
@@ -114,31 +118,45 @@ Mono<CosmosClientEncryptionKeyProperties> getClientEncryptionPropertiesAsync(
         String clientEncryptionKeyId,
         String databaseRid,
         CosmosAsyncContainer cosmosAsyncContainer,
-        boolean shouldForceRefresh) {
+        boolean shouldForceRefresh,
+        String ifNoneMatchEtag,
+        boolean shouldForceRefreshGateway) {
         /// Client Encryption key Id is unique within a Database.
         String cacheKey = databaseRid + "/" + clientEncryptionKeyId;
-        if (!shouldForceRefresh) {
+
+        // this allows us to read from the Gateway Cache. If an IfNoneMatchEtag is passed the logic around the gateway
+        // cache allows us to fetch the latest ClientEncryptionKeyProperties from the servers if the gateway cache has
+        // a stale value. This can happen if a client connected via different Gateway has re wrapped the key.
+        RequestOptions requestOptions = new RequestOptions();
+        requestOptions.setHeader(Constants.ALLOW_CACHED_READS_HEADER, String.valueOf(true));
+        requestOptions.setHeader(Constants.DATABASE_RID_HEADER, databaseRid);
+
+        if (StringUtils.isNotEmpty(ifNoneMatchEtag)) {
+            requestOptions.setIfNoneMatchETag(ifNoneMatchEtag);
+        }
+
+        if (!shouldForceRefresh && !shouldForceRefreshGateway) {
             return this.clientEncryptionKeyPropertiesCacheByKeyId.getAsync(cacheKey, null, () -> {
                 return this.fetchClientEncryptionKeyPropertiesAsync(cosmosAsyncContainer,
-                    clientEncryptionKeyId);
+                    clientEncryptionKeyId, requestOptions);
             });
         } else {
             return this.clientEncryptionKeyPropertiesCacheByKeyId.getAsync(cacheKey, null, () ->
                 this.fetchClientEncryptionKeyPropertiesAsync(cosmosAsyncContainer,
-                    clientEncryptionKeyId)
+                    clientEncryptionKeyId, requestOptions)
             ).flatMap(cachedClientEncryptionProperties -> this.clientEncryptionKeyPropertiesCacheByKeyId.getAsync(cacheKey, cachedClientEncryptionProperties, () ->
                 this.fetchClientEncryptionKeyPropertiesAsync(cosmosAsyncContainer,
-                    clientEncryptionKeyId)));
+                    clientEncryptionKeyId, requestOptions)));
         }
     }
 
     Mono<CosmosClientEncryptionKeyProperties> fetchClientEncryptionKeyPropertiesAsync(
         CosmosAsyncContainer container,
-        String clientEncryptionKeyId) {
+        String clientEncryptionKeyId, RequestOptions requestOptions) {
         CosmosAsyncClientEncryptionKey clientEncryptionKey =
             container.getDatabase().getClientEncryptionKey(clientEncryptionKeyId);
 
-        return clientEncryptionKey.read().map(cosmosClientEncryptionKeyResponse ->
+        return cosmosAsyncClientEncryptionKeyAccessor.readClientEncryptionKey(clientEncryptionKey, requestOptions).map(cosmosClientEncryptionKeyResponse ->
             cosmosClientEncryptionKeyResponse.getProperties()
         ).onErrorResume(throwable -> {
             if (!(throwable instanceof Exception)) {
@@ -215,9 +233,10 @@ private CosmosContainerProperties getContainerPropertiesWithVersionValidation(Co
     static {
         EncryptionImplementationBridgeHelpers.CosmosEncryptionAsyncClientHelper.seCosmosEncryptionAsyncClientAccessor(new EncryptionImplementationBridgeHelpers.CosmosEncryptionAsyncClientHelper.CosmosEncryptionAsyncClientAccessor() {
             @Override
-            public Mono<CosmosClientEncryptionKeyProperties> getClientEncryptionPropertiesAsync(CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient, String clientEncryptionKeyId, String databaseRid, CosmosAsyncContainer cosmosAsyncContainer, boolean shouldForceRefresh) {
+            public Mono<CosmosClientEncryptionKeyProperties> getClientEncryptionPropertiesAsync(CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient, String clientEncryptionKeyId, String databaseRid, CosmosAsyncContainer cosmosAsyncContainer, boolean shouldForceRefresh, String ifNoneMatchEtag,
+                                                                                                boolean shouldForceRefreshGateway) {
                 return cosmosEncryptionAsyncClient.getClientEncryptionPropertiesAsync(clientEncryptionKeyId,
-                    databaseRid, cosmosAsyncContainer, shouldForceRefresh);
+                    databaseRid, cosmosAsyncContainer, shouldForceRefresh, ifNoneMatchEtag, shouldForceRefreshGateway);
             }
 
             @Override

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/CosmosEncryptionAsyncDatabase.java

@@ -11,6 +11,7 @@
 import com.azure.cosmos.encryption.implementation.mdesrc.cryptography.KeyEncryptionKey;
 import com.azure.cosmos.encryption.implementation.mdesrc.cryptography.MicrosoftDataEncryptionException;
 import com.azure.cosmos.encryption.implementation.mdesrc.cryptography.ProtectedDataEncryptionKey;
+import com.azure.cosmos.implementation.ImplementationBridgeHelpers;
 import com.azure.cosmos.implementation.apachecommons.lang.StringUtils;
 import com.azure.cosmos.models.CosmosClientEncryptionKeyProperties;
 import com.azure.cosmos.models.CosmosClientEncryptionKeyResponse;
@@ -27,6 +28,7 @@
 public final class CosmosEncryptionAsyncDatabase {
     private final CosmosAsyncDatabase cosmosAsyncDatabase;
     private final CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient;
+    private final static ImplementationBridgeHelpers.CosmosAsyncClientEncryptionKeyHelper.CosmosAsyncClientEncryptionKeyAccessor cosmosAsyncClientEncryptionKeyAccessor = ImplementationBridgeHelpers.CosmosAsyncClientEncryptionKeyHelper.getCosmosAsyncClientEncryptionKeyAccessor();
 
     CosmosEncryptionAsyncDatabase(CosmosAsyncDatabase cosmosAsyncDatabase,
                                   CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient) {
@@ -145,7 +147,7 @@ public Mono<CosmosClientEncryptionKeyResponse> rewrapClientEncryptionKey(String
         try {
             CosmosAsyncClientEncryptionKey clientEncryptionKey =
                 this.cosmosAsyncDatabase.getClientEncryptionKey(clientEncryptionKeyId);
-            return clientEncryptionKey.read().flatMap(cosmosClientEncryptionKeyResponse -> {
+            return cosmosAsyncClientEncryptionKeyAccessor.readClientEncryptionKey(clientEncryptionKey, null).flatMap(cosmosClientEncryptionKeyResponse -> {
                 CosmosClientEncryptionKeyProperties clientEncryptionKeyProperties =
                     cosmosClientEncryptionKeyResponse.getProperties();
                 try {

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/implementation/Constants.java

@@ -11,4 +11,8 @@ public class Constants {
     public static final String IS_CLIENT_ENCRYPTED_HEADER = "x-ms-cosmos-is-client-encrypted";
 
     public static final String INCORRECT_CONTAINER_RID_SUB_STATUS = "1024";
+
+    public static final String ALLOW_CACHED_READS_HEADER = "x-ms-cosmos-allow-cachedreads";
+
+    public static final String DATABASE_RID_HEADER = "x-ms-cosmos-database-rid";
 }

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/implementation/EncryptionImplementationBridgeHelpers.java

@@ -94,7 +94,9 @@ Mono<CosmosClientEncryptionKeyProperties> getClientEncryptionPropertiesAsync(
                 String clientEncryptionKeyId,
                 String databaseRid,
                 CosmosAsyncContainer cosmosAsyncContainer,
-                boolean shouldForceRefresh);
+                boolean shouldForceRefresh,
+                String ifNoneMatchEtag,
+                boolean shouldForceRefreshGateway);
 
             Mono<CosmosContainerProperties> getContainerPropertiesAsync(
                 CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient,

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/implementation/EncryptionProcessor.java

@@ -18,6 +18,7 @@
 import com.azure.cosmos.implementation.apachecommons.lang.tuple.Pair;
 import com.azure.cosmos.models.ClientEncryptionIncludedPath;
 import com.azure.cosmos.models.ClientEncryptionPolicy;
+import com.azure.cosmos.models.CosmosClientEncryptionKeyProperties;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -57,6 +58,7 @@ public class EncryptionProcessor {
     private ClientEncryptionPolicy clientEncryptionPolicy;
     private String containerRid;
     private String databaseRid;
+    private CosmosClientEncryptionKeyProperties cosmosClientEncryptionKeyProperties;
     private final EncryptionKeyStoreProviderImpl encryptionKeyStoreProviderImpl;
     private final static ImplementationBridgeHelpers.CosmosContainerPropertiesHelper.CosmosContainerPropertiesAccessor cosmosContainerPropertiesAccessor = ImplementationBridgeHelpers.CosmosContainerPropertiesHelper.getCosmosContainerPropertiesAccessor();
     private final static EncryptionImplementationBridgeHelpers.CosmosEncryptionAsyncClientHelper.CosmosEncryptionAsyncClientAccessor cosmosEncryptionAsyncClientAccessor =
@@ -108,11 +110,15 @@ public Mono<Void> initializeEncryptionSettingsAsync(boolean isRetry) {
             this.clientEncryptionPolicy.getIncludedPaths().stream()
                 .map(clientEncryptionIncludedPath -> clientEncryptionIncludedPath.getClientEncryptionKeyId()).distinct().forEach(clientEncryptionKeyId -> {
                 AtomicBoolean forceRefreshClientEncryptionKey = new AtomicBoolean(false);
+                AtomicBoolean forceRefreshClientEncryptionKeyGateway = new AtomicBoolean(false);
+                AtomicReference<String> existingCekEtag = new AtomicReference<>();
                 Mono<Object> clientEncryptionPropertiesMono =
                     cosmosEncryptionAsyncClientAccessor.getClientEncryptionPropertiesAsync(this.encryptionCosmosClient,
-                        clientEncryptionKeyId, this.databaseRid, this.cosmosAsyncContainer, forceRefreshClientEncryptionKey.get())
+                        clientEncryptionKeyId, this.databaseRid, this.cosmosAsyncContainer, forceRefreshClientEncryptionKey.get(),
+                        existingCekEtag.get(), forceRefreshClientEncryptionKeyGateway.get())
                         .publishOn(Schedulers.boundedElastic())
                         .flatMap(keyProperties -> {
+                            cosmosClientEncryptionKeyProperties = keyProperties;
                             ProtectedDataEncryptionKey protectedDataEncryptionKey;
                             try {
                                 // we pull out the Encrypted Client Encryption Key and Build the Protected Data
@@ -149,6 +155,13 @@ public Mono<Void> initializeEncryptionSettingsAsync(boolean isRetry) {
                             forceRefreshClientEncryptionKey.set(true);
                             return Mono.delay(Duration.ZERO).flux();
                         }
+                        // Retrying again to force refresh the gateway cache to fetch the latest client
+                        // encryption key to build ProtectedDataEncryptionKey object for the encryption setting.
+                        if (invalidKeyException != null && !forceRefreshClientEncryptionKeyGateway.get()) {
+                            forceRefreshClientEncryptionKeyGateway.set(true);
+                            existingCekEtag.set(cosmosClientEncryptionKeyProperties.getETag());
+                            return Mono.delay(Duration.ZERO).flux();
+                        }
                         return Flux.error(throwable);
                     }))));
                 monoList.add(clientEncryptionPropertiesMono);

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/implementation/EncryptionSettings.java

@@ -26,6 +26,7 @@
 import java.time.Duration;
 import java.time.Instant;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 
 public final class EncryptionSettings {
     private final static Logger LOGGER = LoggerFactory.getLogger(EncryptionSettings.class);
@@ -37,6 +38,7 @@ public final class EncryptionSettings {
     private AeadAes256CbcHmac256EncryptionAlgorithm aeadAes256CbcHmac256EncryptionAlgorithm;
     private EncryptionType encryptionType;
     private String databaseRid;
+    private CosmosClientEncryptionKeyProperties cosmosClientEncryptionKeyProperties;
     private final static EncryptionImplementationBridgeHelpers.CosmosEncryptionAsyncClientHelper.CosmosEncryptionAsyncClientAccessor cosmosEncryptionAsyncClientAccessor =
         EncryptionImplementationBridgeHelpers.CosmosEncryptionAsyncClientHelper.getCosmosEncryptionAsyncClientAccessor();
 
@@ -71,17 +73,22 @@ Mono<CachedEncryptionSettings> fetchCachedEncryptionSettingsAsync(String propert
             cosmosEncryptionAsyncClientAccessor.getContainerPropertiesAsync(encryptionProcessor.getEncryptionCosmosClient(),
                 encryptionProcessor.getCosmosAsyncContainer(), false);
         AtomicBoolean forceRefreshClientEncryptionKey = new AtomicBoolean(false);
+        AtomicBoolean forceRefreshClientEncryptionKeyGateway = new AtomicBoolean(false);
         return containerPropertiesMono.flatMap(cosmosContainerProperties -> {
             if (cosmosContainerProperties.getClientEncryptionPolicy() != null) {
                 for (ClientEncryptionIncludedPath propertyToEncrypt : cosmosContainerProperties.getClientEncryptionPolicy().getIncludedPaths()) {
                     if (propertyToEncrypt.getPath().substring(1).equals(propertyName)) {
+                        AtomicReference<String> existingCekEtag = new AtomicReference<>();
                         return cosmosEncryptionAsyncClientAccessor.getClientEncryptionPropertiesAsync(encryptionProcessor.getEncryptionCosmosClient(),
                             propertyToEncrypt.getClientEncryptionKeyId(),
                             this.databaseRid,
                             encryptionProcessor.getCosmosAsyncContainer(),
-                            forceRefreshClientEncryptionKey.get())
+                            forceRefreshClientEncryptionKey.get(),
+                            existingCekEtag.get(),
+                            forceRefreshClientEncryptionKeyGateway.get())
                             .publishOn(Schedulers.boundedElastic())
                             .flatMap(keyProperties -> {
+                                cosmosClientEncryptionKeyProperties = keyProperties;
                                 ProtectedDataEncryptionKey protectedDataEncryptionKey;
                                 try {
                                     protectedDataEncryptionKey = buildProtectedDataEncryptionKey(keyProperties,
@@ -130,6 +137,13 @@ Mono<CachedEncryptionSettings> fetchCachedEncryptionSettingsAsync(String propert
                                     forceRefreshClientEncryptionKey.set(true);
                                     return Mono.delay(Duration.ZERO).flux();
                                 }
+                                // Retrying again to force refresh the gateway cache to fetch the latest client
+                                // encryption key to build ProtectedDataEncryptionKey object for the encryption setting.
+                                if (invalidKeyException != null && !forceRefreshClientEncryptionKeyGateway.get()) {
+                                    forceRefreshClientEncryptionKeyGateway.set(true);
+                                    existingCekEtag.set(cosmosClientEncryptionKeyProperties.getETag());
+                                    return Mono.delay(Duration.ZERO).flux();
+                                }
                                 return Flux.error(throwable);
                             }))));
                     }
@@ -139,9 +153,9 @@ Mono<CachedEncryptionSettings> fetchCachedEncryptionSettingsAsync(String propert
         });
     }
 
-    ProtectedDataEncryptionKey buildProtectedDataEncryptionKey(CosmosClientEncryptionKeyProperties keyProperties,
-                                                               EncryptionKeyStoreProvider encryptionKeyStoreProvider,
-                                                               String keyId) throws Exception {
+    public ProtectedDataEncryptionKey buildProtectedDataEncryptionKey(CosmosClientEncryptionKeyProperties keyProperties,
+                                                                      EncryptionKeyStoreProvider encryptionKeyStoreProvider,
+                                                                      String keyId) throws Exception {
 
         KeyEncryptionKey keyEncryptionKey =
             KeyEncryptionKey.getOrCreate(keyProperties.getEncryptionKeyWrapMetadata().getName(),
@@ -206,7 +220,7 @@ public void setDatabaseRid(String databaseRid) {
         this.databaseRid = databaseRid;
     }
 
-    void setEncryptionSettingForProperty(String propertyName, EncryptionSettings encryptionSettings,
+    public void setEncryptionSettingForProperty(String propertyName, EncryptionSettings encryptionSettings,
                                          Instant expiryUtc) {
         CachedEncryptionSettings cachedEncryptionSettings = new CachedEncryptionSettings(encryptionSettings, expiryUtc);
         this.encryptionSettingCacheByPropertyName.set(propertyName, cachedEncryptionSettings);