enable remote encryption support for remote and synced databases

Author: avinassh

libsql/Cargo.toml

@@ -102,6 +102,7 @@ sync = [
   "stream",
   "remote",
   "replication",
+  "dep:base64",
   "dep:tower",
   "dep:hyper",
   "dep:http",
@@ -131,6 +132,7 @@ hrana = [
 serde = ["dep:serde"]
 remote = [
   "hrana",
+  "dep:base64",
   "dep:tower",
   "dep:hyper",
   "dep:hyper",

libsql/examples/encryption_sync.rs

@@ -1,6 +1,7 @@
 // Example of using offline writes with encryption
 
-use libsql::{params, Builder, EncryptionContext, EncryptionKey};
+use libsql::{params, Builder};
+use libsql::{EncryptionContext, EncryptionKey};
 
 #[tokio::main]
 async fn main() {
@@ -24,7 +25,8 @@ async fn main() {
         None
     };
 
-    let db_builder = Builder::new_synced_database(db_path, sync_url, auth_token, encryption);
+    let db_builder =
+        Builder::new_synced_database(db_path, sync_url, auth_token).remote_encryption(encryption);
 
     let db = match db_builder.build().await {
         Ok(db) => db,

libsql/src/database.rs

@@ -8,6 +8,8 @@ pub use builder::Builder;
 pub use libsql_sys::{Cipher, EncryptionConfig};
 
 use crate::{Connection, Result};
+#[cfg(any(feature = "remote", feature = "sync"))]
+use base64::{engine::general_purpose, Engine};
 use std::fmt;
 use std::sync::atomic::AtomicU64;
 
@@ -100,7 +102,7 @@ enum DbType {
         auth_token: String,
         connector: crate::util::ConnectorService,
         _bg_abort: Option<std::sync::Arc<crate::sync::DropAbort>>,
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     },
     #[cfg(feature = "remote")]
     Remote {
@@ -109,6 +111,7 @@ enum DbType {
         connector: crate::util::ConnectorService,
         version: Option<String>,
         namespace: Option<String>,
+        remote_encryption: Option<EncryptionContext>,
     },
 }
 
@@ -545,6 +548,7 @@ cfg_remote! {
                     connector: crate::util::ConnectorService::new(svc),
                     version,
                     namespace: None,
+                    remote_encryption: None
                 },
                 max_write_replication_index: Default::default(),
             })
@@ -733,6 +737,7 @@ impl Database {
                 connector,
                 version,
                 namespace,
+                remote_encryption,
             } => {
                 let conn = std::sync::Arc::new(
                     crate::hrana::connection::HttpConnection::new_with_connector(
@@ -741,7 +746,7 @@ impl Database {
                         connector.clone(),
                         version.as_ref().map(|s| s.as_str()),
                         namespace.as_ref().map(|s| s.as_str()),
-                        None,
+                        remote_encryption.clone(),
                     ),
                 );
 
@@ -785,3 +790,29 @@ impl std::fmt::Debug for Database {
         f.debug_struct("Database").finish()
     }
 }
+
+#[cfg(any(feature = "remote", feature = "sync"))]
+#[derive(Debug, Clone)]
+pub enum EncryptionKey {
+    /// The key is a base64-encoded string.
+    Base64Encoded(String),
+    /// The key is a byte array.
+    Bytes(Vec<u8>),
+}
+
+#[cfg(any(feature = "remote", feature = "sync"))]
+impl EncryptionKey {
+    pub fn as_string(&self) -> String {
+        match self {
+            EncryptionKey::Base64Encoded(s) => s.clone(),
+            EncryptionKey::Bytes(b) => general_purpose::STANDARD.encode(b),
+        }
+    }
+}
+
+#[cfg(any(feature = "remote", feature = "sync"))]
+#[derive(Debug, Clone)]
+pub struct EncryptionContext {
+    /// The base64-encoded key for the encryption, sent on every request.
+    pub key: EncryptionKey,
+}

libsql/src/database/builder.rs

@@ -5,7 +5,8 @@ cfg_core! {
 use super::DbType;
 use crate::{Database, Result};
 
-pub use crate::sync::EncryptionContext;
+#[cfg(any(feature = "remote", feature = "sync"))]
+pub use crate::database::EncryptionContext;
 
 /// A builder for [`Database`]. This struct can be used to build
 /// all variants of [`Database`]. These variants include:
@@ -52,8 +53,6 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
-            #[cfg(feature = "sync")]
-            remote_encryption: Option<crate::sync::EncryptionContext>,
         ) -> Builder<RemoteReplica> {
             Builder {
                 inner: RemoteReplica {
@@ -64,6 +63,7 @@ impl Builder<()> {
                         connector: None,
                         version: None,
                         namespace: None,
+                        remote_encryption: None
                     },
                     encryption_config: None,
                     read_your_writes: true,
@@ -73,7 +73,7 @@ impl Builder<()> {
                     #[cfg(feature = "sync")]
                     sync_protocol: Default::default(),
                     #[cfg(feature = "sync")]
-                    remote_encryption,
+                    remote_encryption: None
                 },
             }
         }
@@ -98,7 +98,6 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
-            remote_encryption: Option<EncryptionContext>,
         ) -> Builder<SyncedDatabase> {
             Builder {
                 inner: SyncedDatabase {
@@ -110,13 +109,14 @@ impl Builder<()> {
                         connector: None,
                         version: None,
                         namespace: None,
+                        remote_encryption: None,
                     },
                     connector: None,
                     read_your_writes: true,
                     remote_writes: false,
                     push_batch_size: 0,
                     sync_interval: None,
-                    remote_encryption,
+                    remote_encryption: None,
                 },
             }
         }
@@ -132,6 +132,7 @@ impl Builder<()> {
                     connector: None,
                     version: None,
                     namespace: None,
+                    remote_encryption: None,
                 },
             }
         }
@@ -146,6 +147,7 @@ cfg_replication_or_remote_or_sync! {
         connector: Option<crate::util::ConnectorService>,
         version: Option<String>,
         namespace: Option<String>,
+        remote_encryption: Option<EncryptionContext>,
     }
 }
 
@@ -238,7 +240,7 @@ cfg_replication! {
         #[cfg(feature = "sync")]
         sync_protocol: super::SyncProtocol,
         #[cfg(feature = "sync")]
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     }
 
     /// Local replica configuration type in [`Builder`].
@@ -300,6 +302,13 @@ cfg_replication! {
             self
         }
 
+        /// Set the encryption context if the database is encrypted in remote server.
+        #[cfg(feature = "sync")]
+        pub fn remote_encryption(mut self, encryption_context: EncryptionContext) -> Builder<RemoteReplica> {
+            self.inner.remote_encryption = Some(encryption_context);
+            self
+        }
+
         pub fn http_request_callback<F>(mut self, f: F) -> Builder<RemoteReplica>
         where
             F: Fn(&mut http::Request<()>) + Send + Sync + 'static
@@ -347,6 +356,7 @@ cfg_replication! {
                         connector,
                         version,
                         namespace,
+                        ..
                     },
                 encryption_config,
                 read_your_writes,
@@ -415,10 +425,11 @@ cfg_replication! {
 
                         if res.status().is_success() {
                             tracing::trace!("Using sync protocol v2 for {}", url);
-                            let builder = Builder::new_synced_database(path, url, auth_token, remote_encryption)
+                            let builder = Builder::new_synced_database(path, url, auth_token)
                                 .connector(connector)
                                 .remote_writes(true)
-                                .read_your_writes(read_your_writes);
+                                .read_your_writes(read_your_writes)
+                                .remote_encryption(remote_encryption);
 
                             let builder = if let Some(sync_interval) = sync_interval {
                                 builder.sync_interval(sync_interval)
@@ -475,7 +486,10 @@ cfg_replication! {
 
 
             Ok(Database {
-                db_type: DbType::Sync { db, encryption_config },
+                db_type: DbType::Sync {
+                    db,
+                    encryption_config,
+                },
                 max_write_replication_index: Default::default(),
             })
         }
@@ -515,6 +529,7 @@ cfg_replication! {
                 connector,
                 version,
                 namespace,
+                ..
             }) = remote
             {
                 let connector = if let Some(connector) = connector {
@@ -565,7 +580,7 @@ cfg_sync! {
         read_your_writes: bool,
         push_batch_size: u32,
         sync_interval: Option<std::time::Duration>,
-        remote_encryption: Option<crate::sync::EncryptionContext>,
+        remote_encryption: Option<EncryptionContext>,
     }
 
     impl Builder<SyncedDatabase> {
@@ -598,6 +613,12 @@ cfg_sync! {
             self
         }
 
+         /// Set the encryption context if the database is encrypted in remote server.
+        pub fn remote_encryption(mut self, encryption_context: Option<EncryptionContext>) -> Builder<SyncedDatabase> {
+            self.inner.remote_encryption = encryption_context;
+            self
+        }
+
         /// Provide a custom http connector that will be used to create http connections.
         pub fn connector<C>(mut self, connector: C) -> Builder<SyncedDatabase>
         where
@@ -624,6 +645,7 @@ cfg_sync! {
                         connector: _,
                         version: _,
                         namespace: _,
+                        ..
                     },
                 connector,
                 remote_writes,
@@ -759,6 +781,12 @@ cfg_remote! {
             self
         }
 
+        /// Set the encryption context if the database is encrypted in remote server.
+        pub fn remote_encryption(mut self, encryption_context: EncryptionContext) -> Builder<Remote> {
+            self.inner.remote_encryption = Some(encryption_context);
+            self
+        }
+
         /// Build the remote database client.
         pub async fn build(self) -> Result<Database> {
             let Remote {
@@ -767,6 +795,7 @@ cfg_remote! {
                 connector,
                 version,
                 namespace,
+                remote_encryption,
             } = self.inner;
 
             let connector = if let Some(connector) = connector {
@@ -789,6 +818,7 @@ cfg_remote! {
                     connector,
                     version,
                     namespace,
+                    remote_encryption
                 },
                 max_write_replication_index: Default::default(),
             })

libsql/src/hrana/hyper.rs

@@ -27,16 +27,18 @@ pub struct HttpSender {
     inner: hyper::Client<ConnectorService, hyper::Body>,
     version: HeaderValue,
     namespace: Option<HeaderValue>,
-    #[cfg(feature = "sync")]
-    remote_encryption: Option<crate::sync::EncryptionContext>,
+    #[cfg(any(feature = "remote", feature = "sync"))]
+    remote_encryption: Option<crate::database::EncryptionContext>,
 }
 
 impl HttpSender {
     pub fn new(
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
-        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
+        #[cfg(any(feature = "remote", feature = "sync"))] remote_encryption: Option<
+            crate::database::EncryptionContext,
+        >,
     ) -> Self {
         let ver = version.unwrap_or(env!("CARGO_PKG_VERSION"));
 
@@ -48,7 +50,7 @@ impl HttpSender {
             inner,
             version,
             namespace,
-            #[cfg(feature = "sync")]
+            #[cfg(any(feature = "remote", feature = "sync"))]
             remote_encryption,
         }
     }
@@ -67,6 +69,7 @@ impl HttpSender {
             req_builder = req_builder.header("x-namespace", namespace);
         }
 
+        #[cfg(any(feature = "remote", feature = "sync"))]
         if let Some(remote_encryption) = &self.remote_encryption {
             req_builder =
                 req_builder.header("x-turso-encryption-key", remote_encryption.key.as_string());
@@ -135,13 +138,15 @@ impl HttpConnection<HttpSender> {
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
-        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
+        #[cfg(any(feature = "remote", feature = "sync"))] remote_encryption: Option<
+            crate::database::EncryptionContext,
+        >,
     ) -> Self {
         let inner = HttpSender::new(
             connector,
             version,
             namespace,
-            #[cfg(feature = "sync")]
+            #[cfg(any(feature = "remote", feature = "sync"))]
             remote_encryption,
         );
         Self::new(url.into(), token.into(), inner)

libsql/src/lib.rs

@@ -132,8 +132,8 @@ pub mod params;
 cfg_sync! {
     mod sync;
     pub use database::SyncProtocol;
-    pub use sync::EncryptionContext;
-    pub use sync::EncryptionKey;
+    pub use database::EncryptionContext;
+    pub use database::EncryptionKey;
 }
 
 cfg_replication! {