feat: add Cloud SQL samples for Client-side Encryption (GoogleCloudPlatform#4821)

shubha-rajan · web-flow · commit 075371165c76 · 2021-03-04T12:53:54.000-08:00
* samples and integration tests for client-side encryption with Tink

* move tink initialization to separate file

* add README.md

* linting fixes

* fix env var name in tests

* use encryptAndInsertData method in QueryAndDecryptDataIT

* linting fixes

* address review comments

* add comments pointing to source code files for setup steps

* linting

* rename region tags
diff --git a/cloud-sql/mysql/client-side-encryption/README.md b/cloud-sql/mysql/client-side-encryption/README.md
@@ -0,0 +1,40 @@
+# Encrypting fields in Cloud SQL - MySQL with Tink
+
+## Before you begin
+
+1. If you haven't already, set up a Java Development Environment (including google-cloud-sdk and
+maven utilities) by following the [java setup guide](https://cloud.google.com/java/docs/setup) and
+[create a project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project).
+
+1. Create a 2nd Gen Cloud SQL Instance by following these 
+[instructions](https://cloud.google.com/sql/docs/mysql/create-instance). Note the connection string,
+database user, and database password that you create.
+
+1. Create a database for your application by following these 
+[instructions](https://cloud.google.com/sql/docs/mysql/create-manage-databases). Note the database
+name.
+
+1. Create a KMS key for your application by following these
+[instructions](https://cloud.google.com/kms/docs/creating-keys). Copy the resource name of your
+created key.
+
+1. Create a service account with the 'Cloud SQL Client' permissions by following these 
+[instructions](https://cloud.google.com/sql/docs/mysql/connect-external-app#4_if_required_by_your_authentication_method_create_a_service_account).
+Then, add the 'Cloud KMS CryptoKey Encrypter/Decrypter' permission for the key to your service account 
+by following these [instructions](https://cloud.google.com/kms/docs/iam).
+
+## Running Locally
+
+Before running, copy the `example.envrc` file to `.envrc` and replace the values for 
+`GOOGLE_APPLICATION_CREDENTIALS`, `DB_USER`, `DB_PASS`, `DB_NAME`, `CLOUD_SQL_CONNECTION_NAME`,
+and `CLOUD_KMS_URI` with the values from your project. Then run `source .envrc` or optionally use 
+[direnv](https://direnv.net/).
+
+Once the environment variables have been set, run:
+```
+mvn exec:java -Dexec.mainClass=cloudsql.tink.EncryptAndInsertData
+```
+and 
+```
+mvn exec:java -Dexec.mainClass=cloudsql.tink.QueryAndDecryptData
+```
diff --git a/cloud-sql/mysql/client-side-encryption/example.envrc b/cloud-sql/mysql/client-side-encryption/example.envrc
@@ -0,0 +1,6 @@
+GOOGLE_APPLICATION_CREDENTIALS='path/to/service-account-key.json'
+DB_USER='your-database-username'
+DB_PASS='your-database-password'
+DB_NAME='your_database_name'
+CLOUD_SQL_CONNECTION_NAME='project:region:instance-name'
+CLOUD_KMS_URI='gcp-kms://your-kms-uri`
diff --git a/cloud-sql/mysql/client-side-encryption/pom.xml b/cloud-sql/mysql/client-side-encryption/pom.xml
@@ -0,0 +1,101 @@
+<!--
+  Copyright 2021 Google LLC
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>jar</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <groupId>com.google.cloud</groupId>
+  <artifactId>cloud-sql-tink-mysql</artifactId>
+  <name>Cloud SQL Client Side Encryption Samples</name>
+
+  <!--
+    The parent pom defines common style checks and testing strategies for our samples.
+    Removing or replacing it should not affect the execution of the samples in anyway.
+  -->
+  <parent>
+    <groupId>com.google.cloud.samples</groupId>
+    <artifactId>shared-configuration</artifactId>
+    <version>1.0.21</version>
+  </parent>
+
+  <properties>
+    <maven.compiler.target>1.8</maven.compiler.target>
+    <maven.compiler.source>1.8</maven.compiler.source>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+        <dependency>
+          <groupId>com.google.cloud</groupId>
+          <artifactId>libraries-bom</artifactId>
+          <version>18.0.0</version>
+          <type>pom</type>
+          <scope>import</scope>
+        </dependency>
+      <dependency>
+        <groupId>com.google.api-client</groupId>
+        <artifactId>google-api-client</artifactId>
+        <version>1.31.3</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.http-client</groupId>
+      <artifactId>google-http-client-jackson2</artifactId>
+      <version>1.39.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.cloud.sql</groupId>
+      <artifactId>mysql-socket-factory-connector-j-8</artifactId>
+      <version>1.2.1</version>
+    </dependency>
+    <dependency>
+      <groupId>mysql</groupId>
+      <artifactId>mysql-connector-java</artifactId>
+      <version>8.0.23</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.crypto.tink</groupId>
+      <artifactId>tink</artifactId>
+      <version>1.5.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.crypto.tink</groupId>
+      <artifactId>tink-gcpkms</artifactId>
+      <version>1.5.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.zaxxer</groupId>
+      <artifactId>HikariCP</artifactId>
+      <version>4.0.2</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.truth</groupId>
+      <artifactId>truth</artifactId>
+      <version>1.1.2</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java b/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cloudsql.tink;
+
+// [START cloud_sql_mysql_cse_key]
+
+import com.google.crypto.tink.Aead;
+import com.google.crypto.tink.KeysetHandle;
+import com.google.crypto.tink.KmsClients;
+import com.google.crypto.tink.aead.AeadConfig;
+import com.google.crypto.tink.aead.AeadKeyTemplates;
+import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
+import com.google.crypto.tink.proto.KeyTemplate;
+import java.security.GeneralSecurityException;
+
+public class CloudKmsEnvelopeAead {
+
+  public static Aead get(String kmsUri) throws GeneralSecurityException {
+    AeadConfig.register();
+    // Generate a new envelope key template, then generate key material.
+    KeyTemplate kmsEnvKeyTemplate = AeadKeyTemplates
+        .createKmsEnvelopeAeadKeyTemplate(kmsUri, AeadKeyTemplates.AES128_GCM);
+    KeysetHandle keysetHandle = KeysetHandle.generateNew(kmsEnvKeyTemplate);
+
+    // Register the KMS client.
+    KmsClients.add(new GcpKmsClient()
+        .withDefaultCredentials());
+
+    // Create envelope AEAD primitive from keysetHandle
+    return keysetHandle.getPrimitive(Aead.class);
+  }
+}
+// [END cloud_sql_mysql_cse_key]
diff --git a/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudSqlConnectionPool.java b/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudSqlConnectionPool.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cloudsql.tink;
+
+// [START cloud_sql_mysql_cse_db]
+
+import com.zaxxer.hikari.HikariConfig;
+import com.zaxxer.hikari.HikariDataSource;
+import java.security.GeneralSecurityException;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+import javax.sql.DataSource;
+
+public class CloudSqlConnectionPool {
+
+  public static DataSource createConnectionPool(String dbUser, String dbPass, String dbName,
+      String cloudSqlConnectionName) throws GeneralSecurityException {
+    HikariConfig config = new HikariConfig();
+    config.setJdbcUrl(String.format("jdbc:mysql:///%s", dbName));
+    config.setUsername(dbUser);
+    config.setPassword(dbPass);
+    config.addDataSourceProperty("socketFactory", "com.google.cloud.sql.mysql.SocketFactory");
+    config.addDataSourceProperty("cloudSqlInstance", cloudSqlConnectionName);
+    DataSource pool = new HikariDataSource(config);
+    return pool;
+  }
+
+  public static void createTable(DataSource pool, String tableName) throws SQLException {
+    // Safely attempt to create the table schema.
+    try (Connection conn = pool.getConnection()) {
+      String stmt = String.format("CREATE TABLE IF NOT EXISTS %s ( "
+          + "vote_id SERIAL NOT NULL, time_cast timestamp NOT NULL, team CHAR(6) NOT NULL,"
+          + "voter_email VARBINARY(255), PRIMARY KEY (vote_id) );", tableName);
+      try (PreparedStatement createTableStatement = conn.prepareStatement(stmt);) {
+        createTableStatement.execute();
+      }
+    }
+  }
+}
+// [END cloud_sql_mysql_cse_db]
diff --git a/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/EncryptAndInsertData.java b/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/EncryptAndInsertData.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cloudsql.tink;
+
+// [START cloud_sql_mysql_cse_insert]
+
+import com.google.crypto.tink.Aead;
+import java.security.GeneralSecurityException;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+import java.sql.Timestamp;
+import java.util.Date;
+import javax.sql.DataSource;
+
+public class EncryptAndInsertData {
+
+  public static void main(String[] args) throws GeneralSecurityException, SQLException {
+    // Saving credentials in environment variables is convenient, but not secure - consider a more
+    // secure solution such as Cloud Secret Manager to help keep secrets safe.
+    String dbUser = System.getenv("DB_USER"); // e.g. "root", "mysql"
+    String dbPass = System.getenv("DB_PASS"); // e.g. "mysupersecretpassword"
+    String dbName = System.getenv("DB_NAME"); // e.g. "votes_db"
+    String cloudSqlConnectionName =
+        System.getenv("CLOUD_SQL_CONNECTION_NAME"); // e.g. "project-name:region:instance-name"
+    String kmsUri = System.getenv("CLOUD_KMS_URI"); // e.g. "gcp-kms://projects/...path/to/key
+
+    String team = "TABS";
+    String tableName = "votes";
+    String email = "hello@example.com";
+
+    // Initialize database connection pool and create table if it does not exist
+    // See CloudSqlConnectionPool.java for setup details
+    DataSource pool = CloudSqlConnectionPool
+        .createConnectionPool(dbUser, dbPass, dbName, cloudSqlConnectionName);
+    CloudSqlConnectionPool.createTable(pool, tableName);
+
+    // Initialize envelope AEAD
+    // See CloudKmsEnvelopeAead.java for setup details
+    Aead envAead = CloudKmsEnvelopeAead.get(kmsUri);
+
+    encryptAndInsertData(pool, envAead, tableName, team, email);
+  }
+
+  public static void encryptAndInsertData(DataSource pool, Aead envAead, String tableName,
+      String team, String email)
+      throws GeneralSecurityException, SQLException {
+
+    try (Connection conn = pool.getConnection()) {
+      String stmt = String.format(
+          "INSERT INTO %s (team, time_cast, voter_email) VALUES (?, ?, ?);", tableName);
+      try (PreparedStatement voteStmt = conn.prepareStatement(stmt);) {
+        voteStmt.setString(1, team);
+        voteStmt.setTimestamp(2, new Timestamp(new Date().getTime()));
+
+        // Use the envelope AEAD primitive to encrypt the email, using the team name as
+        // associated data
+        byte[] encryptedEmail = envAead.encrypt(email.getBytes(), team.getBytes());
+        voteStmt.setBytes(3, encryptedEmail);
+
+        // Finally, execute the statement. If it fails, an error will be thrown.
+        voteStmt.execute();
+        System.out.println(String.format("Successfully inserted row into table %s", tableName));
+      }
+    }
+  }
+}
+// [END cloud_sql_mysql_cse_insert]
diff --git a/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/QueryAndDecryptData.java b/cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/QueryAndDecryptData.java
diff --git a/cloud-sql/mysql/client-side-encryption/src/test/java/cloudsql/tink/EncryptInsertDataIT.java b/cloud-sql/mysql/client-side-encryption/src/test/java/cloudsql/tink/EncryptInsertDataIT.java
diff --git a/cloud-sql/mysql/client-side-encryption/src/test/java/cloudsql/tink/QueryDecryptDataIT.java b/cloud-sql/mysql/client-side-encryption/src/test/java/cloudsql/tink/QueryDecryptDataIT.java
