PC-1140 - Encrypt deployment keys at rest

Summary:
This encrypts deployment keys are rest. Does not drop exsiting keys, which will be done next.
We use a secondary hash to speed up searches.

Test Plan: N/A

Reviewers: michelle, vihang

Reviewed By: michelle

JIRA Issues: PC-1140

Differential Revision: https://phab.corp.pixielabs.ai/D9558

GitOrigin-RevId: 17c4f2c

src/cloud/vzmgr/deploymentkey/deployment_keys.go

@@ -60,7 +60,9 @@ func (s *Service) Create(ctx context.Context, req *vzmgrpb.CreateDeploymentKeyRe
 
 	var id uuid.UUID
 	var ts time.Time
-	query := `INSERT INTO vizier_deployment_keys(org_id, user_id, key, description) VALUES($1, $2, PGP_SYM_ENCRYPT($3, $4), $5) RETURNING id, created_at`
+	query := `INSERT INTO vizier_deployment_keys(org_id, user_id, hashed_key, encrypted_key, description)
+                VALUES($1, $2, sha256($3), PGP_SYM_ENCRYPT($3::text, $4::text), $5)
+              RETURNING id, created_at`
 	keyID, err := uuid.NewV4()
 	if err != nil {
 		return nil, err
@@ -90,8 +92,11 @@ func (s *Service) List(ctx context.Context, req *vzmgrpb.ListDeploymentKeyReques
 	}
 
 	// Return all clusters when the OrgID matches.
-	query := `SELECT id, org_id, PGP_SYM_DECRYPT(key::bytea, $1), created_at, description from vizier_deployment_keys WHERE org_id=$2 ORDER BY created_at`
-	rows, err := s.db.QueryxContext(ctx, query, s.dbKey, sCtx.Claims.GetUserClaims().OrgID)
+	query := `SELECT id, org_id, CONVERT_FROM(PGP_SYM_DECRYPT(encrypted_key, $2::text)::bytea, 'UTF8'), created_at, description
+                FROM vizier_deployment_keys
+                WHERE org_id=$1
+                ORDER BY created_at`
+	rows, err := s.db.QueryxContext(ctx, query, sCtx.Claims.GetUserClaims().OrgID, s.dbKey)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return &vzmgrpb.ListDeploymentKeyResponse{}, nil
@@ -140,8 +145,10 @@ func (s *Service) Get(ctx context.Context, req *vzmgrpb.GetDeploymentKeyRequest)
 	var key string
 	var createdAt time.Time
 	var desc string
-	query := `SELECT PGP_SYM_DECRYPT(key::bytea, $1), created_at, description from vizier_deployment_keys WHERE org_id=$2 and id=$3`
-	err = s.db.QueryRowxContext(ctx, query, s.dbKey, sCtx.Claims.GetUserClaims().OrgID, tokenID).Scan(&key, &createdAt, &desc)
+	query := `SELECT CONVERT_FROM(PGP_SYM_DECRYPT(encrypted_key, $3::text)::bytea, 'UTF8'), created_at, description
+                FROM vizier_deployment_keys
+                WHERE org_id=$1 AND id=$2`
+	err = s.db.QueryRowxContext(ctx, query, sCtx.Claims.GetUserClaims().OrgID, tokenID, s.dbKey).Scan(&key, &createdAt, &desc)
 	if err != nil {
 		return nil, status.Error(codes.NotFound, "No such deployment key")
 	}
@@ -167,7 +174,8 @@ func (s *Service) Delete(ctx context.Context, req *uuidpb.UUID) (*types.Empty, e
 		return nil, status.Error(codes.InvalidArgument, "invalid id format")
 	}
 
-	query := `DELETE from vizier_deployment_keys WHERE org_id=$1 and id=$2`
+	query := `DELETE FROM vizier_deployment_keys
+                WHERE org_id=$1 AND id=$2`
 	res, err := s.db.ExecContext(ctx, query, sCtx.Claims.GetUserClaims().OrgID, tokenID)
 	if err != nil {
 		log.WithError(err).Error("Failed to delete deployment token")
@@ -189,7 +197,9 @@ func (s *Service) Delete(ctx context.Context, req *uuidpb.UUID) (*types.Empty, e
 
 // FetchOrgUserIDUsingDeploymentKey gets the org and user ID based on the deployment key.
 func (s *Service) FetchOrgUserIDUsingDeploymentKey(ctx context.Context, key string) (uuid.UUID, uuid.UUID, error) {
-	query := `SELECT org_id, user_id from vizier_deployment_keys WHERE PGP_SYM_DECRYPT(key::bytea, $2)=$1`
+	query := `SELECT org_id, user_id
+                FROM vizier_deployment_keys
+                WHERE hashed_key=sha256($1) AND PGP_SYM_DECRYPT(encrypted_key::bytea, $2::text)::bytea=$1`
 	var orgID uuid.UUID
 	var userID uuid.UUID
 	err := s.db.QueryRowxContext(ctx, query, key, s.dbKey).Scan(&orgID, &userID)

src/cloud/vzmgr/deploymentkey/deployment_keys_test.go

@@ -96,7 +96,8 @@ func createTestAPIUserContext() context.Context {
 func mustLoadTestData(db *sqlx.DB) {
 	db.MustExec(`DELETE FROM vizier_deployment_keys`)
 
-	insertVizierDeploymentKeys := `INSERT INTO vizier_deployment_keys(id, org_id, user_id, key, description) VALUES ($1, $2, $3, PGP_SYM_ENCRYPT($4, $5), $6)`
+	insertVizierDeploymentKeys := `INSERT INTO vizier_deployment_keys(id, org_id, user_id, hashed_key, encrypted_key, description)
+                                     VALUES ($1, $2, $3, sha256($4), PGP_SYM_ENCRYPT($4::text, $5::text), $6)`
 	db.MustExec(insertVizierDeploymentKeys, testKey1ID, testAuthOrgID, testAuthUserID, "key1", testDBKey, "here is a desc")
 	db.MustExec(insertVizierDeploymentKeys, testKey2ID, testAuthOrgID, testAuthUserID, "key2", testDBKey, "here is another one")
 	db.MustExec(insertVizierDeploymentKeys, testNonAuthUserKeyID.String(), testNonAuthOrgID, "123e4567-e89b-12d3-a456-426655440001", "key2", testDBKey, "some other desc")
@@ -373,7 +374,7 @@ func TestDeploymentKeyService_Delete_UnownedKey(t *testing.T) {
 
 			// Make DB query to make sure the Key still exists.
 			var key string
-			err = db.QueryRow(`SELECT PGP_SYM_DECRYPT(key::bytea, $1) from vizier_deployment_keys where id=$2`,
+			err = db.QueryRow(`SELECT CONVERT_FROM(PGP_SYM_DECRYPT(encrypted_key, $1::text)::bytea, 'UTF8') from vizier_deployment_keys where id=$2`,
 				testDBKey, testNonAuthUserKeyID).
 				Scan(&key)
 			require.NoError(t, err)

src/cloud/vzmgr/schema/000024_add_encrypted_deployment_key.down.sql

@@ -0,0 +1,7 @@
+DROP INDEX idx_vizier_deployment_keys_hashed_key;
+
+ALTER TABLE vizier_deployment_keys
+  DROP COLUMN hashed_key;
+
+ALTER TABLE vizier_deployment_keys
+  DROP COLUMN encrypted_key;

src/cloud/vzmgr/schema/000024_add_encrypted_deployment_key.up.sql

@@ -0,0 +1,9 @@
+ALTER TABLE vizier_deployment_keys
+  ADD COLUMN encrypted_key bytea;
+
+-- Hashed key stores a salted and hashed key that we can use for associative lookup.
+ALTER TABLE vizier_deployment_keys
+  ADD COLUMN hashed_key bytea;
+
+CREATE INDEX idx_vizier_deployment_keys_hashed_key
+  ON vizier_deployment_keys(hashed_key);