-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
Copy pathClientEncryptionOptions.cs
173 lines (156 loc) · 7.17 KB
/
ClientEncryptionOptions.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
/* Copyright 2019-present MongoDB Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
using System;
using System.Collections.Generic;
using MongoDB.Driver.Core.Misc;
namespace MongoDB.Driver.Encryption
{
/// <summary>
/// Client encryption options.
/// </summary>
public sealed class ClientEncryptionOptions
{
// private fields
private TimeSpan? _keyExpiration;
private readonly IMongoClient _keyVaultClient;
private readonly CollectionNamespace _keyVaultNamespace;
private readonly IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> _kmsProviders;
private readonly IReadOnlyDictionary<string, SslSettings> _tlsOptions;
// constructors
/// <summary>
/// Initializes a new instance of the <see cref="ClientEncryptionOptions"/> class.
/// </summary>
/// <param name="keyVaultClient">The key vault client.</param>
/// <param name="keyVaultNamespace">The key vault namespace.</param>
/// <param name="kmsProviders">The KMS providers.</param>
/// <param name="tlsOptions">The tls options.</param>
public ClientEncryptionOptions(
IMongoClient keyVaultClient,
CollectionNamespace keyVaultNamespace,
IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders,
Optional<IReadOnlyDictionary<string, SslSettings>> tlsOptions = default)
: this(keyVaultClient, keyVaultNamespace, kmsProviders, tlsOptions, keyExpiration: null)
{
}
private ClientEncryptionOptions(
IMongoClient keyVaultClient,
CollectionNamespace keyVaultNamespace,
IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders,
Optional<IReadOnlyDictionary<string, SslSettings>> tlsOptions = default,
Optional<TimeSpan?> keyExpiration = default)
{
_keyVaultClient = Ensure.IsNotNull(keyVaultClient, nameof(keyVaultClient));
_keyVaultNamespace = Ensure.IsNotNull(keyVaultNamespace, nameof(keyVaultNamespace));
_kmsProviders = Ensure.IsNotNull(kmsProviders, nameof(kmsProviders));
_tlsOptions = tlsOptions.WithDefault(new Dictionary<string, SslSettings>());
_keyExpiration = keyExpiration.WithDefault(null);
EnsureKmsProvidersAreValid(_kmsProviders);
EnsureKmsProvidersTlsSettingsAreValid(_tlsOptions);
}
// public properties
/// <summary>
/// Gets the data encryption key cache expiration time.
/// </summary>
public TimeSpan? KeyExpiration => _keyExpiration;
/// <summary>
/// Gets the key vault client.
/// </summary>
/// <value>
/// The key vault client.
/// </value>
public IMongoClient KeyVaultClient => _keyVaultClient;
/// <summary>
/// Gets the key vault namespace.
/// </summary>
/// <value>
/// The key vault namespace.
/// </value>
public CollectionNamespace KeyVaultNamespace => _keyVaultNamespace;
/// <summary>
/// Gets the KMS providers.
/// </summary>
/// <value>
/// The KMS providers.
/// </value>
public IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> KmsProviders => _kmsProviders;
/// <summary>
/// Gets the tls options.
/// </summary>
/// <value>
/// The tls options.
/// </value>
public IReadOnlyDictionary<string, SslSettings> TlsOptions => _tlsOptions;
/// <summary>
/// Returns a new ClientEncryptionOptions instance with some settings changed.
/// </summary>
/// <param name="keyVaultClient">The key vault client.</param>
/// <param name="keyVaultNamespace">The key vault namespace.</param>
/// <param name="kmsProviders">The KMS providers.</param>
/// <param name="tlsOptions">The tls options.</param>
/// <returns>A new ClientEncryptionOptions instance.</returns>
public ClientEncryptionOptions With(
Optional<IMongoClient> keyVaultClient = default,
Optional<CollectionNamespace> keyVaultNamespace = default,
Optional<IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>>> kmsProviders = default,
Optional<IReadOnlyDictionary<string, SslSettings>> tlsOptions = default)
{
return new ClientEncryptionOptions(
keyVaultClient: keyVaultClient.WithDefault(_keyVaultClient),
keyVaultNamespace: keyVaultNamespace.WithDefault(_keyVaultNamespace),
kmsProviders: kmsProviders.WithDefault(_kmsProviders),
tlsOptions: Optional.Create(tlsOptions.WithDefault(_tlsOptions)),
keyExpiration: _keyExpiration);
}
/// <summary>
/// Sets the data encryption key cache expiration time. If not set, it defaults to 60 seconds.
/// If set to TimeSpan.Zero, the cache never expires.
/// </summary>
/// <param name="keyExpiration">The data encryption key cache expiration time.</param>
public void SetKeyExpiration(TimeSpan? keyExpiration)
{
_keyExpiration = keyExpiration;
}
private static void EnsureKmsProvidersAreValid(IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders)
{
foreach (var kmsProvider in kmsProviders)
{
foreach (var option in Ensure.IsNotNull(kmsProvider.Value, nameof(kmsProvider)))
{
var optionValue = Ensure.IsNotNull(option.Value, "kmsProviderOption");
var isValid = optionValue is byte[] || optionValue is string;
if (!isValid)
{
throw new ArgumentException($"Invalid kms provider option type: {optionValue.GetType().Name}.");
}
}
}
}
private static void EnsureKmsProvidersTlsSettingsAreValid(IReadOnlyDictionary<string, SslSettings> kmsProviderTlsSettings)
{
if (kmsProviderTlsSettings == null)
{
return;
}
foreach (var kmsProviderTlsSetting in kmsProviderTlsSettings)
{
var kmsProviderTlsSettingValue = Ensure.IsNotNull(kmsProviderTlsSetting.Value, nameof(kmsProviderTlsSetting.Value));
if (kmsProviderTlsSettingValue.ServerCertificateValidationCallback != null) // tlsInsecure
{
throw new ArgumentException("Insecure TLS options prohibited.");
}
}
}
}
}