feat(deps): upgrade cipherstash-client from 0.33.2 to 0.34.0-alpha.4

Adapt proxy to breaking API changes in cipherstash-client 0.34:
- Update ZeroKMS client initialization for new builder API
- Add authentication strategy detection with AutoStrategy
- Use valid UUID placeholders in example config
- Add documentation URLs to config validation error messages
- Use ZEROKMS log target constant for consistency
- Update development docs for new credential requirements

Author: tobyhede

Cargo.lock

@@ -43,8 +43,8 @@ debug = true
 
 [workspace.dependencies]
 sqltk = { version = "0.10.0" }
-cipherstash-client = { version = "0.33.2" }
-cts-common = { version = "0.4.1" }
+cipherstash-client = { version = "0.34.0-alpha.4" }
+cts-common = { version = "0.34.0-alpha.4" }
 
 thiserror = "2.0.9"
 tokio = { version = "1.44.2", features = ["full"] }

Cargo.toml

@@ -501,29 +501,14 @@ Certificates are generated by `mkcert`, and live in `tests/tls/`.
 
 #### Configuration: development endpoints
 
+ZeroKMS and CTS host endpoints can be configured for local development using environment variables.
 
-ZeroKMS and CTS host endpoints can be configured for local development.
+These are read directly by `cipherstash-client` and do not require proxy configuration:
 
-Env variables are `CS_DEVELOPMENT__ZEROKMS_HOST` and `CS_DEVELOPMENT__CTS_HOST`.
-
-
-```toml
-
-[development]
-# ZeroKMS host
-# Optional
-# Defaults to CipherStash Production ZeroKMS host
-# Env: CS_DEVELOPMENT__ZEROKMS_HOST
-zerokms_host = "1.1.1.1"
-
-
-# CTS host
-# Optional
-# Defaults to CipherStash Production CTS host
-# Env: CS_DEVELOPMENT__CTS_HOST
-cts_host = "1.1.1.1"
-
-```
+| Variable | Description |
+|---|---|
+| `CS_ZEROKMS_HOST` | Override ZeroKMS endpoint (default: resolved from JWT `services` claim) |
+| `CS_CTS_HOST` | Override CTS auth endpoint (default: resolved from workspace CRN region) |
 
 
 

DEVELOPMENT.md

@@ -24,6 +24,6 @@ workspace_crn = "workspace_crn"
 client_access_key = "client_access_key"
 
 [encrypt]
-default_keyset_id = "default_keyset_id"
-client_id = "client_id"
+default_keyset_id = "00000000-0000-0000-0000-000000000000"
+client_id = "00000000-0000-0000-0000-000000000000"
 client_key = "client_key"

cipherstash-proxy-example.toml

@@ -43,6 +43,8 @@ services:
       - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true}
       - CS_DATABASE__INSTALL_EQL=true            # install EQL into the PostgreSQL database
       - CS_DATABASE__INSTALL_EXAMPLE_SCHEMA=true # install example schema into the PostgreSQL database
+      - CS_CTS_HOST=${CS_CTS_HOST:-}
+      - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-}
     networks:
       - cipherstash
 

docker-compose.yml

@@ -55,8 +55,8 @@ tokio-util = { version = "0.7.13", features = ["rt"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
+vitaminc-protected = "0.1.0-pre4.2"
 x509-parser = "0.17.0"
-vitaminc-protected = "0.1.0-pre2"
 
 
 [dev-dependencies]

packages/cipherstash-proxy/Cargo.toml

@@ -9,6 +9,7 @@ use crate::Args;
 use cipherstash_client::config::vars::{
     CS_CLIENT_ACCESS_KEY, CS_CLIENT_ID, CS_CLIENT_KEY, CS_DEFAULT_KEYSET_ID, CS_WORKSPACE_CRN,
 };
+use cipherstash_client::zerokms::ClientKey;
 use config::{Config, Environment};
 use cts_common::Crn;
 use regex::Regex;
@@ -42,7 +43,7 @@ pub struct AuthConfig {
 
 #[derive(Debug, Deserialize, Clone, PartialEq)]
 pub struct EncryptConfig {
-    pub client_id: String,
+    pub client_id: Uuid,
     pub client_key: String,
     pub default_keyset_id: Option<Uuid>,
 }
@@ -66,12 +67,6 @@ pub struct DevelopmentConfig {
 
     #[serde(default)]
     pub enable_mapping_errors: bool,
-
-    #[serde(default)]
-    pub zerokms_host: Option<String>,
-
-    #[serde(default)]
-    pub cts_host: Option<String>,
 }
 
 /// Config defaults to a file called `tandem` in the current directory.
@@ -191,7 +186,7 @@ impl TandemConfig {
         }
 
         // Source order is important!
-        let config = Config::builder()
+        let config: TandemConfig = Config::builder()
             .add_source(config::File::with_name(&args.config_file_path).required(false))
             .add_source(cs_env_source)
             .add_source(stash_setup_source)
@@ -203,7 +198,16 @@ impl TandemConfig {
                 //  - missing parameters are returned by at least two different errors, depending the source of the error
                 // Easier to inspect the error message.
                 match err.to_string() {
-                    s if s.contains("UUID parsing failed") => ConfigError::InvalidDatasetId,
+                    s if s.contains("UUID parsing failed") => {
+                        if s.contains("client_id") && !s.contains("keyset") {
+                            ConfigError::InvalidParameter {
+                                name: "client_id".to_string(),
+                                value: "invalid UUID".to_string(),
+                            }
+                        } else {
+                            ConfigError::InvalidDefaultKeysetId
+                        }
+                    }
                     s if s.contains("missing field") => {
                         let (field, key) = extract_missing_field_and_key(&s);
                         match (field, key) {
@@ -222,6 +226,8 @@ impl TandemConfig {
                 }
             })?;
 
+        config.encrypt.build_client_key()?;
+
         Ok(config)
     }
 
@@ -246,18 +252,6 @@ impl TandemConfig {
         }
     }
 
-    pub fn zerokms_host(&self) -> Option<String> {
-        self.development
-            .as_ref()
-            .and_then(|dev| dev.zerokms_host.clone())
-    }
-
-    pub fn cts_host(&self) -> Option<String> {
-        self.development
-            .as_ref()
-            .and_then(|dev| dev.cts_host.clone())
-    }
-
     pub fn use_structured_logging(&self) -> bool {
         matches!(self.log.format, LogFormat::Structured)
     }
@@ -326,8 +320,8 @@ impl TandemConfig {
                 client_access_key: "test".to_string(),
             },
             encrypt: EncryptConfig {
-                client_id: "test".to_string(),
-                client_key: "test".to_string(),
+                client_id: Uuid::parse_str("00000000-0000-0000-0000-000000000001").unwrap(),
+                client_key: "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14".to_string(),
                 default_keyset_id: Some(
                     Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(),
                 ),
@@ -340,6 +334,13 @@ impl TandemConfig {
     }
 }
 
+impl EncryptConfig {
+    pub fn build_client_key(&self) -> Result<ClientKey, Error> {
+        ClientKey::from_hex_v1(self.client_id, &self.client_key)
+            .map_err(|_| Error::from(ConfigError::InvalidClientKey))
+    }
+}
+
 impl PrometheusConfig {
     pub fn default_port() -> u16 {
         9930
@@ -426,9 +427,12 @@ mod tests {
             temp_env::with_vars(
                 [
                     // Orignal recipe ENV var
-                    ("CS_ENCRYPT__CLIENT_ID", Some("CS_ENCRYPT__CLIENT_ID")),
-                    (CS_CLIENT_ID, Some("CS_CLIENT_ID")),
-                    (CS_CLIENT_KEY, Some("CS_CLIENT_KEY")),
+                    (
+                        "CS_ENCRYPT__CLIENT_ID",
+                        Some("11111111-1111-1111-1111-111111111111"),
+                    ),
+                    (CS_CLIENT_ID, Some("22222222-2222-2222-2222-222222222222")),
+                    (CS_CLIENT_KEY, Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")),
                     (
                         CS_DEFAULT_KEYSET_ID,
                         Some("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"),
@@ -440,7 +444,10 @@ mod tests {
                         TandemConfig::build_path("tests/config/cipherstash-proxy-test.toml")
                             .unwrap();
 
-                    assert_eq!(config.encrypt.client_id, "CS_CLIENT_ID".to_string());
+                    assert_eq!(
+                        config.encrypt.client_id,
+                        Uuid::parse_str("22222222-2222-2222-2222-222222222222").unwrap()
+                    );
 
                     assert_eq!(
                         config.auth.client_access_key,
@@ -474,8 +481,8 @@ mod tests {
                             .unwrap();
 
                     assert_eq!(
-                        &config.encrypt.client_id,
-                        "dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"
+                        config.encrypt.client_id,
+                        Uuid::parse_str("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac").unwrap()
                     );
                 },
             );
@@ -512,6 +519,22 @@ mod tests {
         });
     }
 
+    #[test]
+    fn invalid_client_id_uuid() {
+        with_no_cs_vars(|| {
+            let result =
+                TandemConfig::build_path("tests/config/cipherstash-proxy-bad-client-id.toml");
+            assert!(result.is_err());
+            let err = result.unwrap_err();
+            // Should produce InvalidParameter for client_id, not InvalidDatasetId
+            assert!(
+                err.to_string().contains("Invalid client_id"),
+                "Expected 'Invalid client_id' but got: {}",
+                err
+            );
+        });
+    }
+
     #[test]
     fn prometheus_config() {
         with_no_cs_vars(|| {
@@ -584,7 +607,7 @@ mod tests {
     fn default_env_vars() -> Vec<(&'static str, Option<&'static str>)> {
         vec![
             ("CS_CLIENT_ID", Some("00000000-0000-0000-0000-000000000000")),
-            ("CS_CLIENT_KEY", Some("CS_CLIENT_KEY")),
+            ("CS_CLIENT_KEY", Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")),
             (
                 "CS_DEFAULT_KEYSET_ID",
                 Some("00000000-0000-0000-0000-000000000000"),

packages/cipherstash-proxy/src/config/tandem.rs

@@ -15,9 +15,6 @@ pub enum Error {
     #[error("Connection closed after cancel request")]
     CancelRequest,
 
-    #[error(transparent)]
-    Client(#[from] cipherstash_client::config::errors::ConfigError),
-
     #[error(transparent)]
     Config(#[from] ConfigError),
 
@@ -72,6 +69,9 @@ pub enum ZeroKMSError {
     #[error("ZeroKMS authentication failed. Check the configured credentials. For help visit {}#zerokms-authentication-failed", ERROR_DOC_BASE_URL)]
     AuthenticationFailed,
 
+    #[error(transparent)]
+    Builder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError),
+
     #[error(transparent)]
     System(#[from] cipherstash_client::zerokms::Error),
 }
@@ -116,17 +116,20 @@ pub enum ConfigError {
     #[error(transparent)]
     Certificate(#[from] rustls_pki_types::pem::Error),
 
-    #[error(transparent)]
-    EncryptConfig(#[from] cipherstash_client::config::errors::ConfigError),
-
     #[error(transparent)]
     Database(#[from] tokio_postgres::Error),
 
     #[error(transparent)]
     FileOrEnvironment(#[from] config::ConfigError),
 
-    #[error("Dataset id is not a valid UUID.")]
-    InvalidDatasetId,
+    #[error("Client key is not valid. For help visit {}", ERROR_DOC_CONFIG_URL)]
+    InvalidClientKey,
+
+    #[error(
+        "default_keyset_id is not a valid UUID. For help visit {}",
+        ERROR_DOC_CONFIG_URL
+    )]
+    InvalidDefaultKeysetId,
 
     #[error("Server host {name} is not a valid server name")]
     InvalidServerName { name: String },
@@ -436,6 +439,12 @@ impl From<config::ConfigError> for Error {
     }
 }
 
+impl From<cipherstash_client::zerokms::ZeroKMSBuilderError> for Error {
+    fn from(e: cipherstash_client::zerokms::ZeroKMSBuilderError) -> Self {
+        Error::ZeroKMS(e.into())
+    }
+}
+
 impl From<cipherstash_client::encryption::TypeParseError> for Error {
     fn from(e: cipherstash_client::encryption::TypeParseError) -> Self {
         Error::Encrypt(e.into())

packages/cipherstash-proxy/src/error.rs

@@ -168,10 +168,10 @@ pub trait EncryptionService: Send + Sync {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
     use crate::config::TandemConfig;
     use crate::test_helpers::with_no_cs_vars;
-    use cts_common::WorkspaceId;
+
+    use super::zerokms;
 
     fn build_tandem_config(env: Vec<(&str, Option<&str>)>) -> TandemConfig {
         with_no_cs_vars(|| {
@@ -195,28 +195,23 @@ mod tests {
     }
 
     #[test]
-    fn build_zerokms_config_with_crn() {
+    fn init_zerokms_client_with_crn() {
         with_no_cs_vars(|| {
             let mut env = default_env_vars();
-            env.push(("CS_CLIENT_ACCESS_KEY", Some("client-access-key")));
+            env.push(("CS_CLIENT_ACCESS_KEY", Some("CSAKtestKeyId.testKeySecret")));
             env.push((
                 "CS_WORKSPACE_CRN",
                 Some("crn:ap-southeast-2.aws:3KISDURL3ZCWYZ2O"),
             ));
 
             let tandem_config = build_tandem_config(env);
 
-            let zerokms_config = zerokms::build_zerokms_config(&tandem_config).unwrap();
-
-            assert_eq!(
-                WorkspaceId::try_from("3KISDURL3ZCWYZ2O").unwrap(),
-                zerokms_config.workspace_id()
+            let result = zerokms::init_zerokms_client(&tandem_config);
+            assert!(
+                result.is_ok(),
+                "init_zerokms_client failed: {:?}",
+                result.err()
             );
-
-            assert!(zerokms_config
-                .base_url()
-                .to_string()
-                .contains("ap-southeast-2.aws"));
         });
     }
 }