Add support for obfuscated id or alternate entity id #3261
Conversation
| byte[] encrypt(byte[] byteArray) { | ||
| try { | ||
| byte[] key = secretKey.getEncoded(); | ||
| SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES"); |
There was a problem hiding this comment.
Does this encryption include randomization or padding? The ID should be stable so we should hash instead of encrypt.
There was a problem hiding this comment.
This class is just for testing purposes. I felt it was best that users used a dedicated crypto library eg. https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/encrypt/BytesEncryptor.html which would provide more options and this approach is less likely to introduce a CVE into the Elide library.
The com.yahoo.elide.core.security.obfuscation.FunctionIdObfuscator should make it easy to integrate with other libraries as they just need to supply a obfuscation and deobfuscation function.
For Spring I added a com.yahoo.elide.spring.security.obfuscation.BytesEncryptorIdObfuscator that would allow easy integration with org.springframework.security.crypto.encrypt.BytesEncryptor.
5b9f63b
to
9df7c85
Compare
Resolves #522
Description
This adds support for 2 different ways of not exposing the primary key of the entity if the primary key undesirably leaks information.
IdObfuscatorthat can obfuscate the id. Typically an encryption algorithm is used.@EntityIdthat will be used to look up the record instead of the@Id.Two alternate means are provided to let users choose which best suits their needs.
The
IdObfuscatormeans that no additional column is required but some computation is required to always required to convert the ids. These ids will not be visible on the database level. Also sorting will typically take place on the underlying primary key and not the obfuscated value. If encryption is used for the obfuscation the user will need to safeguard those keys appropriately, also any changes to those keys or algorithm may mean that the ids will also correspondingly change.Using the
@EntityIdallows the entity to have a totally separate column to identify the record that is not linked to the primary key in any way. A user could for instance choose Cuid2 as the entity id for its records. Sorting on id will sort on the entity id as this is a real column.Motivation and Context
The primary key may undesirably leak information, however at the same time using a random value as the primary key may affect performance.
How Has This Been Tested?
Added the appropriate unit and integration tests.
License
I confirm that this contribution is made under an Apache 2.0 license and that I have the authority necessary to make this contribution on behalf of its copyright owner.