Files
wehub-resource-sync 498b235461
Build and test / Build and test AMD64 Ubuntu 22.04 (push) Failing after 0s
Publish Builder / amazonlinux2023 (push) Failing after 1s
Build and test / UT for Go (push) Has been skipped
Publish KRTE Images / KRTE (push) Failing after 1s
Build and test / Integration Test (push) Has been skipped
Build and test / Upload Code Coverage (push) Has been skipped
Publish Builder / rockylinux9 (push) Failing after 1s
Publish Builder / ubuntu22.04 (push) Failing after 0s
Publish Builder / ubuntu24.04 (push) Failing after 0s
Publish Gpu Builder / publish-gpu-builder (push) Failing after 1s
Publish Test Images / PyTest (push) Failing after 0s
Build and test / UT for Cpp (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:31:17 +08:00

548 lines
16 KiB
Go

// Licensed to the LF AI & Data foundation under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package hookutil
import (
"bytes"
"context"
"encoding/base64"
"fmt"
"strconv"
"strings"
"sync"
"github.com/cockroachdb/errors"
"github.com/samber/lo"
"go.uber.org/atomic"
"github.com/milvus-io/milvus-proto/go-api/v3/commonpb"
"github.com/milvus-io/milvus-proto/go-api/v3/hook"
"github.com/milvus-io/milvus/pkg/v3/common"
"github.com/milvus-io/milvus/pkg/v3/mlog"
"github.com/milvus-io/milvus/pkg/v3/proto/indexcgopb"
"github.com/milvus-io/milvus/pkg/v3/streaming/util/message"
"github.com/milvus-io/milvus/pkg/v3/util/merr"
"github.com/milvus-io/milvus/pkg/v3/util/paramtable"
)
var (
Cipher atomic.Value
initCipherOnce sync.Once
cipherReloadMutex sync.RWMutex
errCipherPluginMissing = errors.New("cipher plugin is missing")
)
type BackupInterface interface {
Backup(ezID int64) (string, error)
}
// GetCipher returns singleton hook.Cipher instance.
// If Milvus is not built with cipher plugin, it will return nil
// If Milvus is built with cipher plugin, it will return hook.Cipher
func GetCipher() hook.Cipher {
InitOnceCipher()
return Cipher.Load().(cipherContainer).cipher
}
func GetCipherWithState() CipherWithState {
cipher := GetCipher()
if cipher == nil {
return nil
}
cipherWithState, ok := cipher.(CipherWithState)
if !ok {
return nil
}
return cipherWithState
}
func IsClusterEncryptionEnabled() bool {
return GetCipher() != nil
}
// KeyState represents the state of a KMS key
type KeyState string
const (
KeyStateEnabled KeyState = "Enabled"
KeyStateDisabled KeyState = "Disabled"
KeyStatePendingDeletion KeyState = "PendingDeletion"
KeyStateUnknown KeyState = "Unknown"
)
// CipherWithState extends the base Cipher interface with
// GetStates
type CipherWithState interface {
hook.Cipher
// GetStates returns the state of KMS keys.
// Returns a map of ezID -> state.
GetStates() (map[int64]string, error)
}
type EZ struct {
EzID int64
CollectionID int64
}
func (ez *EZ) AsMessageConfig() *message.CipherConfig {
if ez == nil {
return nil
}
return &message.CipherConfig{EzID: ez.EzID, CollectionID: ez.CollectionID}
}
type CipherContext struct {
EZ
key []byte
}
// GetEzStates queries the state of KMS keys for the given EZ IDs.
// This uses type assertion to check if the cipher plugin implements CipherWithState.
// If not supported, returns an empty map and no error (backward compatible).
func GetEzStates() (map[int64]KeyState, error) {
if GetCipherWithState() == nil {
return make(map[int64]KeyState), nil
}
states, err := GetCipherWithState().GetStates()
if err != nil {
return nil, err
}
result := make(map[int64]KeyState)
for ezID, state := range states {
result[ezID] = KeyState(state)
}
return result, nil
}
func ContainsCipherProperties(properties []*commonpb.KeyValuePair, deletedKeys []string) bool {
for _, property := range properties {
if property.Key == common.EncryptionEnabledKey ||
property.Key == common.EncryptionEzIDKey ||
property.Key == common.EncryptionRootKeyKey {
return true
}
}
return lo.ContainsBy(deletedKeys, func(data string) bool {
return lo.Contains([]string{
common.EncryptionEnabledKey,
common.EncryptionEzIDKey,
common.EncryptionRootKeyKey,
}, data)
})
}
func GetEzByCollProperties(collProperties []*commonpb.KeyValuePair, collectionID int64) *EZ {
if len(collProperties) == 0 {
return nil
}
for _, property := range collProperties {
if property.Key == common.EncryptionEzIDKey {
ezID, _ := strconv.ParseInt(property.Value, 10, 64)
return &EZ{
EzID: ezID,
CollectionID: collectionID,
}
}
}
return nil
}
func CreateEZByDBProperties(dbProperties []*commonpb.KeyValuePair) error {
ezID, hasEzID := ParseEzIDFromProperties(dbProperties)
if !hasEzID {
return nil
}
for _, property := range dbProperties {
if property.GetKey() == common.EncryptionRootKeyKey {
return CreateEZ(ezID, property.GetValue())
}
}
return nil
}
// When creating a new database
// System will encrypt the DB If defaultKey is not empty.
// However, if user controls with "cipher.enabled" and "cipher.key", respect the user's choice.
// An encrypted DB's properties will contain two properties:
// cipher.ezID, cipher.key
//
// Property consistency: DB without cipher.ezID and cipher.Key is NOT encrypted
// - Encrypted DB: cipher.ezID and cipher.key are not empty
// - Non-encrypted DB: no cipher.* key in properties
func TidyDBCipherProperties(ezID int64, dbProperties []*commonpb.KeyValuePair) ([]*commonpb.KeyValuePair, error) {
defaultRootKey := paramtable.GetCipherParams().DefaultRootKey.GetValue()
defaultEncrypt := len(defaultRootKey) > 0
for _, property := range dbProperties {
switch property.Key {
case common.EncryptionEnabledKey:
value := strings.ToLower(property.Value)
if value != "true" && value != "false" {
return nil, merr.WrapErrParameterInvalidMsg("invalid value for %s: %q, must be \"true\" or \"false\"",
common.EncryptionEnabledKey, property.Value)
}
defaultEncrypt = value == "true"
mlog.Info(context.TODO(), "User explicitly controls encryption", mlog.Int64("ezID", ezID), mlog.Bool("value", defaultEncrypt))
case common.EncryptionRootKeyKey:
defaultRootKey = property.Value
mlog.Info(context.TODO(), "User explicitly set rootKey", mlog.Int64("ezID", ezID), mlog.String("value", property.GetValue()))
}
}
cipher := GetCipher()
// If cipher plugin is missing but encryption is requested, return error
if cipher == nil && defaultEncrypt {
return nil, errCipherPluginMissing
}
// No plugin or not encrypted
if cipher == nil || !defaultEncrypt {
return removeCipherProperties(dbProperties), nil
}
if defaultRootKey == "" {
return nil, merr.WrapErrParameterInvalidMsg("encryption enabled but no key provided and no default key configured")
}
result := removeCipherProperties(dbProperties)
result = append(result,
&commonpb.KeyValuePair{
Key: common.EncryptionEzIDKey,
Value: strconv.FormatInt(ezID, 10),
},
&commonpb.KeyValuePair{
Key: common.EncryptionRootKeyKey,
Value: defaultRootKey,
},
)
return result, nil
}
func removeCipherProperties(properties []*commonpb.KeyValuePair) []*commonpb.KeyValuePair {
result := make([]*commonpb.KeyValuePair, 0, len(properties))
for _, property := range properties {
if property.Key != common.EncryptionEnabledKey &&
property.Key != common.EncryptionEzIDKey &&
property.Key != common.EncryptionRootKeyKey {
result = append(result, property)
}
}
return result
}
func TidyCollPropsByDBProps(collProps, dbProps []*commonpb.KeyValuePair) []*commonpb.KeyValuePair {
newCollProps := []*commonpb.KeyValuePair{}
for _, property := range collProps {
// Ignore already have ez property, likely from backup collection's schema
if property.Key == common.EncryptionEzIDKey {
continue
}
newCollProps = append(newCollProps, property)
}
// Set the new database's encryption properties
if ezProps := getCollEzPropsByDBProps(dbProps); ezProps != nil {
newCollProps = append(newCollProps, ezProps)
}
return newCollProps
}
func getCollEzPropsByDBProps(dbProperties []*commonpb.KeyValuePair) *commonpb.KeyValuePair {
for _, property := range dbProperties {
if property.Key == common.EncryptionEzIDKey {
return &commonpb.KeyValuePair{
Key: common.EncryptionEzIDKey,
Value: property.Value,
}
}
}
return nil
}
func IsDBEncrypted(dbProperties []*commonpb.KeyValuePair) bool {
hasEzID, hasKey := false, false
for _, property := range dbProperties {
if property.Key == common.EncryptionEzIDKey && property.Value != "" {
hasEzID = true
} else if property.Key == common.EncryptionRootKeyKey && property.Value != "" {
hasKey = true
}
}
return hasEzID && hasKey
}
func RemoveEZByDBProperties(dbProperties []*commonpb.KeyValuePair) error {
ezID, has := ParseEzIDFromProperties(dbProperties)
if !has {
return nil
}
return RemoveEZ(ezID)
}
// GetStoragePluginContext returns the local plugin context for RPC from datacoord to datanode
func GetStoragePluginContext(collProps []*commonpb.KeyValuePair, collectionID int64) []*commonpb.KeyValuePair {
if ez := GetEzByCollProperties(collProps, collectionID); ez != nil {
pluginContext, err := GetPluginContext(ez.EzID, ez.CollectionID)
if err != nil {
mlog.Error(context.TODO(), "failed to get plugin context", mlog.Err(err))
return nil
}
return pluginContext
}
return nil
}
// Non nill return
func GetReadStoragePluginContext(importEzk string) []*commonpb.KeyValuePair {
readContext, err := ImportEZ(importEzk)
if err != nil {
mlog.Error(context.TODO(), "failed to import ezk", mlog.Err(err))
return []*commonpb.KeyValuePair{}
}
return readContext
}
// RegisterEZsFromPluginContext registers all EZ contexts from plugin context.
// This processes ALL CipherConfigUnsafeEZK entries (for both read and write contexts).
func RegisterEZsFromPluginContext(context []*commonpb.KeyValuePair) error {
if !IsClusterEncryptionEnabled() {
return nil
}
for _, value := range context {
if value.GetKey() == CipherConfigUnsafeEZK {
ezID, encryptionKey, err := decodeEZContext(value.GetValue())
if err != nil {
return err
}
if err := CreateLocalEZ(ezID, encryptionKey); err != nil {
return err
}
}
}
return nil
}
// GetCPluginContext gets C++ plugin context from the first CipherConfigUnsafeEZK entry.
// Used for creating indexcgopb.StoragePluginContext for C++ segcore.
func GetCPluginContext(context []*commonpb.KeyValuePair, collectionID int64) (*indexcgopb.StoragePluginContext, error) {
if !IsClusterEncryptionEnabled() {
return nil, nil
}
for _, value := range context {
if value.GetKey() == CipherConfigUnsafeEZK {
ezID, encryptionKey, err := decodeEZContext(value.GetValue())
if err != nil {
return nil, err
}
return &indexcgopb.StoragePluginContext{
CollectionId: collectionID,
EncryptionZoneId: ezID,
EncryptionKey: encryptionKey,
}, nil
}
}
return nil, nil
}
func GetCPluginContextByEzID(ezID int64) (*indexcgopb.StoragePluginContext, error) {
if !IsClusterEncryptionEnabled() {
return nil, nil
}
key := GetCipher().GetUnsafeKey(ezID, 0)
if len(key) == 0 {
return nil, merr.WrapErrParameterInvalidMsg("cannot get ez key for ezID=%d", ezID)
}
return &indexcgopb.StoragePluginContext{
EncryptionZoneId: ezID,
EncryptionKey: base64.StdEncoding.EncodeToString(key),
CollectionId: 0,
}, nil
}
func BackupEZKFromDBProperties(dbProperties []*commonpb.KeyValuePair) (string, error) {
if !IsDBEncrypted(dbProperties) {
return "", merr.WrapErrParameterInvalidMsg("not an encryption zone")
}
ezID, hasEzID := ParseEzIDFromProperties(dbProperties)
if !hasEzID {
return "", merr.WrapErrServiceInternalMsg("encryption enabled but no ezID found")
}
return BackupEZ(ezID)
}
// For test only
func InitTestCipher() {
InitOnceCipher()
storeCipher(testCipher{})
}
// cipherContainer is Container to wrap hook.Cipher interface
// this struct is used to be stored in atomic.Value
// since different type stored in it will cause panicking.
type cipherContainer struct {
cipher hook.Cipher
}
func storeCipher(cipher hook.Cipher) {
Cipher.Store(cipherContainer{cipher: cipher})
}
func initCipher() error {
storeCipher(nil)
pathGo := paramtable.GetCipherParams().SoPathGo.GetValue()
pathCpp := paramtable.GetCipherParams().SoPathCpp.GetValue()
if pathGo == "" || pathCpp == "" {
mlog.Info(context.TODO(), "empty so path for cipher plugin, skip to load plugin")
return nil
}
cipherVal, err := LoadPlugin[hook.Cipher](pathGo, "CipherPlugin")
if err != nil {
return err
}
initConfigs := buildCipherInitConfig()
if err = cipherVal.Init(initConfigs); err != nil {
return merr.Wrap(err, "fail to init configs for the cipher plugin")
}
registerCallback()
storeCipher((cipherVal))
return nil
}
func InitOnceCipher() {
initCipherOnce.Do(func() {
err := initCipher()
if err != nil {
mlog.Panic(context.TODO(),
fmt.Sprintf("fail to init cipher plugin, go_so_path=%s, cpp_so_path=%s, error=%v",
paramtable.GetCipherParams().SoPathGo.GetValue(),
paramtable.GetCipherParams().SoPathCpp.GetValue(),
err))
}
})
}
func buildCipherInitConfig() map[string]string {
initConfigs := lo.Assign(paramtable.Get().EtcdCfg.GetAll(), paramtable.GetCipherParams().GetAll())
initConfigs[CipherConfigMilvusRoleName] = paramtable.GetRole()
initConfigs[paramtable.Get().LocalStorageCfg.Path.Key] = paramtable.Get().LocalStorageCfg.Path.GetValue()
return initConfigs
}
func registerCallback() {
params := paramtable.GetCipherParams()
params.DefaultRootKey.RegisterCallback(reloadCipherConfig)
params.KmsAwsRoleARN.RegisterCallback(reloadCipherConfig)
params.KmsAwsExternalID.RegisterCallback(reloadCipherConfig)
params.RotationPeriodInHours.RegisterCallback(reloadCipherConfig)
params.UpdatePerieldInMinutes.RegisterCallback(reloadCipherConfig)
mlog.Info(context.TODO(), "cipher config callbacks registered")
}
func reloadCipherConfig(ctx context.Context, key, oldValue, newValue string) error {
cipher := GetCipher()
if cipher == nil {
mlog.Warn(ctx, "cipher plugin not loaded, skip config reload", mlog.String("key", key))
return nil
}
cipherReloadMutex.Lock()
defer cipherReloadMutex.Unlock()
mlog.Info(ctx, "reloading cipher plugin config",
mlog.String("key", key),
mlog.String("oldValue", oldValue),
mlog.String("newValue", newValue))
initConfigs := buildCipherInitConfig()
if err := cipher.Init(initConfigs); err != nil {
mlog.Error(ctx, "fail to reload cipher plugin config",
mlog.String("key", key),
mlog.Err(err))
return err
}
mlog.Info(ctx, "cipher plugin config reloaded successfully", mlog.String("key", key))
return nil
}
// testCipher encryption will append magicStr to plainText, magicStr is str of ezID and collectionID
type testCipher struct{}
var (
_ hook.Cipher = (*testCipher)(nil)
_ CipherWithState = (*testCipher)(nil)
_ hook.Encryptor = (*testCryptoImpl)(nil)
_ hook.Decryptor = (*testCryptoImpl)(nil)
)
func (d testCipher) Init(params map[string]string) error {
return nil
}
func (d testCipher) GetEncryptor(ezID, collectionID int64) (encryptor hook.Encryptor, safeKey []byte, err error) {
return createTestCryptoImpl(ezID, collectionID), []byte("safe key"), nil
}
func (d testCipher) GetDecryptor(ezID, collectionID int64, safeKey []byte) (hook.Decryptor, error) {
return createTestCryptoImpl(ezID, collectionID), nil
}
func (d testCipher) GetUnsafeKey(ezID, collectionID int64) []byte {
return []byte("unsafe key")
}
func (d testCipher) GetStates() (map[int64]string, error) {
return map[int64]string{}, nil
}
// append magicStr to plainText
type testCryptoImpl struct {
magicStr string
}
func createTestCryptoImpl(ezID, collectionID int64) testCryptoImpl {
return testCryptoImpl{fmt.Sprintf("%d%d", ezID, collectionID)}
}
func (c testCryptoImpl) Encrypt(plainText []byte) (cipherText []byte, err error) {
return append(plainText, []byte(c.magicStr)...), nil
}
func (c testCryptoImpl) Decrypt(cipherText []byte) (plainText []byte, err error) {
return bytes.TrimSuffix(cipherText, []byte(c.magicStr)), nil
}