ClientEncryption: Adds latest Encryption package as dependency for relevant samples (#3069)

Update encryption and re-encryption samples to use the latest Encryption package.
abhijitpai authored Mar 11, 2022
1 parent b2aff3f commit 290881a
Showing 4 changed files with 36 additions and 22 deletions.
Expand Up @@ -9,7 +9,8 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.5.0" />
<PackageReference Include="Microsoft.Azure.Cosmos.Encryption" Version="1.0.0-previewV19" />
<PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0" />
<PackageReference Include="Microsoft.Azure.Cosmos.Encryption" Version="1.0.0-previewV20" />
<PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.2.0" />
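--- a/Microsoft.Azure.Cosmos.Samples/Usage/Encryption/Program.cs
+++ b/Microsoft.Azure.Cosmos.Samples/Usage/Encryption/Program.cs
@@ -4,7 +4,9 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Azure.Core;
+using Azure.Core.Cryptography;
 using Azure.Identity;
+using Azure.Security.KeyVault.Keys.Cryptography;
 using Cosmos.Samples.Shared;
 using Microsoft.Azure.Cosmos;
 using Microsoft.Azure.Cosmos.Encryption;
@@ -54,11 +56,11 @@ public static async Task Main(string[] _)
 
 // Get the Token Credential that is capable of providing an OAuth Token.
 TokenCredential tokenCredential = GetTokenCredential(configuration);
-AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential);
+KeyResolver keyResolver = new KeyResolver(tokenCredential);
 
-Program.client = Program.CreateClientInstance(configuration, azureKeyVaultKeyWrapProvider);
+Program.client = Program.CreateClientInstance(configuration, keyResolver);
 
-await Program.AdminSetupAsync(client, azureKeyVaultKeyWrapProvider);
+await Program.AdminSetupAsync(client);
 await Program.RunDemoAsync();
 }
 catch (CosmosException cre)
@@ -79,7 +81,7 @@ public static async Task Main(string[] _)
 }
 // </Main>
 
-private static CosmosClient CreateClientInstance(IConfigurationRoot configuration, AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider)
+private static CosmosClient CreateClientInstance(IConfigurationRoot configuration, IKeyEncryptionKeyResolver keyResolver)
 {
 string endpoint = configuration["EndPointUrl"];
 if (string.IsNullOrEmpty(endpoint))
@@ -96,7 +98,7 @@ private static CosmosClient CreateClientInstance(IConfigurationRoot configuratio
 CosmosClient encryptionCosmosClient = new CosmosClient(endpoint, authKey);
 
 // enable encryption support on the cosmos client.
-return encryptionCosmosClient.WithEncryption(azureKeyVaultKeyWrapProvider);
+return encryptionCosmosClient.WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault);
 }
 
 private static X509Certificate2 GetCertificate(string clientCertThumbprint)
@@ -130,7 +132,7 @@ private static TokenCredential GetTokenCredential(IConfigurationRoot configurati
 if (string.IsNullOrEmpty(tenantId))
 {
 throw new ArgumentNullException("Please specify a valid TenantId in the appSettings.json");
-}
+}
 
 // Certificate's public key must be at least 2048 bits.
 string clientCertThumbprint = configuration["ClientCertThumbprint"];
@@ -146,7 +148,7 @@ private static TokenCredential GetTokenCredential(IConfigurationRoot configurati
 /// Administrative operations - create the database, container, and generate the necessary client encryption keys.
 /// These are initializations and are expected to be invoked only once - do not invoke these before every item request.
 /// </summary>
-private static async Task AdminSetupAsync(CosmosClient client, AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider)
+private static async Task AdminSetupAsync(CosmosClient client)
 {
 Database database = await client.CreateDatabaseIfNotExistsAsync(Program.encryptedDatabaseId);
 
@@ -160,21 +162,29 @@ private static async Task AdminSetupAsync(CosmosClient client, AzureKeyVaultKeyW
 // Create the Client Encryption Keys for Encrypting the configured Paths.
 await database.CreateClientEncryptionKeyAsync(
 "key1",
-DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
-new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl));
+DataEncryptionAlgorithm.AeadAes256CbcHmacSha256,
+new EncryptionKeyWrapMetadata(
+KeyEncryptionKeyResolverName.AzureKeyVault,
+"akvMasterKey",
+MasterKeyUrl,
+EncryptionAlgorithm.RsaOaep.ToString()));
 
 await database.CreateClientEncryptionKeyAsync(
 "key2",
-DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
-new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl));
+DataEncryptionAlgorithm.AeadAes256CbcHmacSha256,
+new EncryptionKeyWrapMetadata(
+KeyEncryptionKeyResolverName.AzureKeyVault,
+"akvMasterKey",
+MasterKeyUrl,
+EncryptionAlgorithm.RsaOaep.ToString()));
 
 // Configure the required Paths to be Encrypted with appropriate settings.
 ClientEncryptionIncludedPath path1 = new ClientEncryptionIncludedPath()
 {
 Path = "/SubTotal",
 ClientEncryptionKeyId = "key1",
 EncryptionType = EncryptionType.Deterministic,
-EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
+EncryptionAlgorithm = DataEncryptionAlgorithm.AeadAes256CbcHmacSha256
 };
 
 // non primitive data type.Leaves get encrypted.
@@ -183,15 +193,15 @@ await database.CreateClientEncryptionKeyAsync(
 Path = "/Items",
 ClientEncryptionKeyId = "key2",
 EncryptionType = EncryptionType.Deterministic,
-EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
+EncryptionAlgorithm = DataEncryptionAlgorithm.AeadAes256CbcHmacSha256
 };
 
 ClientEncryptionIncludedPath path3 = new ClientEncryptionIncludedPath()
 {
 Path = "/OrderDate",
 ClientEncryptionKeyId = "key1",
 EncryptionType = EncryptionType.Deterministic,
-EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
+EncryptionAlgorithm = DataEncryptionAlgorithm.AeadAes256CbcHmacSha256
 };
 
 // Create a container with the appropriate partition key definition (we choose the "AccountNumber" property here) and throughput (we choose 1000 here).
@@ -205,7 +215,7 @@ await database.DefineContainer(Program.encryptedContainerId, "/AccountNumber")
 .CreateAsync(throughput: 1000);
 
 // gets a Container with Encryption Support.
-containerWithEncryption = await database.GetContainer(Program.encryptedContainerId).InitializeEncryptionAsync();
+containerWithEncryption = await database.GetContainer(Program.encryptedContainerId).InitializeEncryptionAsync();
 }
 
 private static async Task RunDemoAsync()
@@ -313,4 +323,4 @@ private static async Task CleanupAsync()
 }
 }
 }
-}
+}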
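Review bot: In the hunk at `@@ -160,21 +162,29 @@`, the `EncryptionKeyWrapMetadata` for key1 and key2 is constructed twice with identical arguments, and the new fourth argument `EncryptionAlgorithm.RsaOaep.ToString()` is left unexplained even though it sits one line below `DataEncryptionAlgorithm.AeadAes256CbcHmacSha256` and a reader of the sample can easily conflate the two. RSA-OAEP here names the Key Vault key-wrap algorithm applied to the data encryption key, whereas AEAD-AES-256-CBC-HMAC-SHA256 is what is applied to the item paths; one comment in the sample should say so. Hoisting the metadata into a single local keeps the two keys from drifting apart and gives a place to document that `KeyEncryptionKeyResolverName.AzureKeyVault` is also the name passed to `WithEncryption` in `CreateClientInstance` (and at the same spot in the ReEncryption Program.cs section), which the SDK presumably uses to pick the resolver for unwrapping, so the two must stay equal. AdminSetupAsync continues past this hunk with the path configuration and container creation.
```csharp
// … unchanged: database / container id setup …
// Shared wrap metadata for key1 and key2: Key Vault wraps each data encryption key with the
// master key at MasterKeyUrl using RSA-OAEP (this is the key-wrap algorithm, not the item
// encryption algorithm). The resolver name must equal the one registered with WithEncryption
// in CreateClientInstance, otherwise the stored keys cannot be unwrapped.
EncryptionKeyWrapMetadata akvWrapMetadata = new EncryptionKeyWrapMetadata(
    KeyEncryptionKeyResolverName.AzureKeyVault,
    "akvMasterKey",
    MasterKeyUrl,
    EncryptionAlgorithm.RsaOaep.ToString());

await database.CreateClientEncryptionKeyAsync("key1", DataEncryptionAlgorithm.AeadAes256CbcHmacSha256, akvWrapMetadata);
await database.CreateClientEncryptionKeyAsync("key2", DataEncryptionAlgorithm.AeadAes256CbcHmacSha256, akvWrapMetadata);
// … unchanged: ClientEncryptionIncludedPath configuration and container creation …
```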
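--- a/Microsoft.Azure.Cosmos.Samples/Usage/ReEncryption/Program.cs
+++ b/Microsoft.Azure.Cosmos.Samples/Usage/ReEncryption/Program.cs
@@ -12,6 +12,8 @@
 using System.Net;
 using System.Threading;
 using System.IO;
+using Azure.Core.Cryptography;
+using Azure.Security.KeyVault.Keys.Cryptography;
 
 // ----------------------------------------------------------------------------------------------------------
 // Prerequisites -
@@ -87,9 +89,9 @@ public static async Task Main(string[] _)
 
 // Get the Token Credential that is capable of providing an OAuth Token.
 TokenCredential tokenCredential = Program.GetTokenCredential(configuration);
-AzureKeyVaultKeyWrapProvider azureKeyVaultWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential);
+KeyResolver keyResolver = new KeyResolver(tokenCredential);
 
-Program.client = Program.CreateClientInstance(configuration, azureKeyVaultWrapProvider);
+Program.client = Program.CreateClientInstance(configuration, keyResolver);
 
 await Program.CreateAndRunReEncryptionTasks();
 }
@@ -112,7 +114,7 @@ public static async Task Main(string[] _)
 
 private static CosmosClient CreateClientInstance(
 IConfigurationRoot configuration,
-AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider)
+IKeyEncryptionKeyResolver keyResolver)
 {
 string endpoint = configuration["EndPointUrl"];
 if (string.IsNullOrEmpty(endpoint))
@@ -133,7 +135,7 @@ private static CosmosClient CreateClientInstance(
 CosmosClient encryptionCosmosClient = new CosmosClient(endpoint, authKey, options);
 
 // enable encryption support on the cosmos client.
-return encryptionCosmosClient.WithEncryption(azureKeyVaultKeyWrapProvider);
+return encryptionCosmosClient.WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault);
 }
 
 private static X509Certificate2 GetCertificate(string clientCertThumbprint)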
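Review bot: The comment `// enable encryption support on the cosmos client.` above the changed `return encryptionCosmosClient.WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault);` line in the hunk at `@@ -133,7 +135,7 @@` predates this change and says nothing about the second argument or about what the resolver is trusted to do. A `KeyResolver` built from the ambient token credential in Main will fetch and use whatever Key Vault key identifier the stored client encryption key metadata points at, so the identity behind it should presumably hold only wrap/unwrap rights on the intended master keys — worth stating in a sample whose purpose is re-wrapping data under a new key. Suggested replacement comment: `// Enable client-side encryption. The resolver is registered under the AzureKeyVault name, which is expected to match the Type recorded in each client encryption key's wrap metadata; the credential behind keyResolver needs only wrap/unwrap rights on the master keys referenced there.` CreateClientInstance's body starts before this hunk, so the `options` and `authKey` it uses are not visible here.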
Expand Up @@ -9,7 +9,8 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.5.0" />
<PackageReference Include="Microsoft.Azure.Cosmos.Encryption" Version="1.0.0-previewV19" />
<PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0" />
<PackageReference Include="Microsoft.Azure.Cosmos.Encryption" Version="1.0.0-previewV20" />
<PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.2.0" />
