From e1f1031cc78ca0a47996350aaa81a4d48c4b29b5 Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Mon, 18 Jul 2016 23:00:01 +0100
Subject: [PATCH] Add global datastore encryption
---
 kvs/boltdb/ds.go | 1 +
 kvs/boltdb/main.go | 2 +-
 kvs/boltdb/tx.go | 16 ++++++++++++++++
 kvs/mysql/ds.go | 1 +
 kvs/mysql/main.go | 2 +-
 kvs/mysql/tx.go | 16 ++++++++++++++++
 kvs/pgsql/ds.go | 1 +
 kvs/pgsql/main.go | 2 +-
 kvs/pgsql/tx.go | 16 ++++++++++++++++
 9 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/kvs/boltdb/ds.go b/kvs/boltdb/ds.go
index c1adaebc..a49eb9d8 100644
--- a/kvs/boltdb/ds.go
+++ b/kvs/boltdb/ds.go
@@ -22,6 +22,7 @@ import (
 type DS struct {
 db *bolt.DB
+ ck []byte
 }
 func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {
diff --git a/kvs/boltdb/main.go b/kvs/boltdb/main.go
index cad6692a..74387a2d 100644
--- a/kvs/boltdb/main.go
+++ b/kvs/boltdb/main.go
@@ -42,6 +42,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
 return nil
 })
- return &DS{db: db}, err
+ return &DS{db: db, ck: opts.DB.Key}, err
 }
diff --git a/kvs/boltdb/tx.go b/kvs/boltdb/tx.go
index 2a69681d..a7e3c5b2 100644
--- a/kvs/boltdb/tx.go
+++ b/kvs/boltdb/tx.go
@@ -158,6 +158,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -195,6 +200,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -355,6 +365,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
 return
 }
+ kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
+ if err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 kv.val, err = snap.Decode(kv.val)
 if err != nil {
 err = &kvs.DBError{err}
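Review bot: In the boltdb `New` hunk, `ck: opts.DB.Key` stores the key by slice reference and never checks its length, so `DS.ck` aliases the options buffer and any later zeroing or reuse of that slice by the caller silently changes the key every `Put` and `get` uses. I would take a private copy and fail early on a size `cryp` cannot use (the accepted sizes are not visible here, so check `cryp.Encrypt`): `ck := append([]byte(nil), opts.DB.Key...)` before the return, plus an explicit error when `len(ck)` is not an accepted key size. Whether an empty `DB.Key` is meant to disable the global layer is left undocumented by this hunk; a one-line comment on the `ck` assignment stating the intended behaviour would help the next backend author. `New` begins before this hunk.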
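Review bot: The boltdb `Put` hunk fixes a layer order (datastore key applied first, transaction key applied on top) that `get` must mirror exactly, yet nothing in the code records that invariant; I would add `// Global datastore key is applied first, so get() must remove it last.` above the new block. Because `cryp.Encrypt` is now called twice on the same value with independent keys, the scheme is only as strong as `cryp`'s nonce handling — if it derives the nonce deterministically per key, the second layer does not change that, so confirm it draws a fresh random nonce on every call. `Put` begins before this hunk.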
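Review bot: The boltdb `get` hunk runs `cryp.Decrypt(tx.ds.ck, kv.val)` unconditionally before `snap.Decode`, so a value written by an earlier build (which had only the transaction-key layer) will either fail with `CKError` or, if `cryp` treats an empty key as pass-through, reach `snap.Decode` as ciphertext and fail there; there is no version byte or flag that lets the two formats be told apart. Unless pre-existing datastores are explicitly unsupported, a format marker on write and a branch here is needed, or at minimum a note stating that setting `DB.Key` requires a freshly created store. `get` begins before this hunk.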
diff --git a/kvs/mysql/ds.go b/kvs/mysql/ds.go
index 1e64ba60..eeb3d34a 100644
--- a/kvs/mysql/ds.go
+++ b/kvs/mysql/ds.go
@@ -22,6 +22,7 @@ import (
 type DS struct {
 db *sql.DB
+ ck []byte
 }
 func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {
diff --git a/kvs/mysql/main.go b/kvs/mysql/main.go
index d7c44c5a..63fdfdab 100644
--- a/kvs/mysql/main.go
+++ b/kvs/mysql/main.go
@@ -36,6 +36,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
 db, err = sql.Open("mysql", path)
- return &DS{db: db}, err
+ return &DS{db: db, ck: opts.DB.Key}, err
 }
diff --git a/kvs/mysql/tx.go b/kvs/mysql/tx.go
index 913b68da..195be267 100644
--- a/kvs/mysql/tx.go
+++ b/kvs/mysql/tx.go
@@ -186,6 +186,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -218,6 +223,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -336,6 +346,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
 return
 }
+ kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
+ if err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 kv.val, err = snap.Decode(kv.val)
 if err != nil {
 err = &kvs.DBError{err}
diff --git a/kvs/pgsql/ds.go b/kvs/pgsql/ds.go
index 2f021a51..d0c327c5 100644
--- a/kvs/pgsql/ds.go
+++ b/kvs/pgsql/ds.go
@@ -22,6 +22,7 @@ import (
 type DS struct {
 db *sql.DB
+ ck []byte
 }
 func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {
diff --git a/kvs/pgsql/main.go b/kvs/pgsql/main.go
index faf8202e..5b69a0fe 100644
--- a/kvs/pgsql/main.go
+++ b/kvs/pgsql/main.go
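Review bot: In the mysql `CPut` hunk the new block encrypts `val` but leaves `exp` untouched, and the pre-existing `tx.ck` layer in the visible context lines does the same, so the compare-and-put must already be comparing against decrypted bytes somewhere below the hunk; if the comparison is instead made against the stored ciphertext, a randomised cipher would make it never match and `exp` would need the same two-layer transformation. Once confirmed, a comment above the block would spare the next reader the same question, e.g. `// exp is compared against the decrypted stored value, so it is not encrypted here`. `CPut` begins and ends outside this hunk.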
@@ -36,6 +36,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
 db, err = sql.Open("postgres", path)
- return &DS{db: db}, err
+ return &DS{db: db, ck: opts.DB.Key}, err
 }
diff --git a/kvs/pgsql/tx.go b/kvs/pgsql/tx.go
index b9067533..91695d23 100644
--- a/kvs/pgsql/tx.go
+++ b/kvs/pgsql/tx.go
@@ -186,6 +186,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -218,6 +223,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
 return
 }
+ if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 if val, err = cryp.Encrypt(tx.ck, val); err != nil {
 err = &kvs.CKError{err}
 return
@@ -336,6 +346,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
 return
 }
+ kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
+ if err != nil {
+ err = &kvs.CKError{err}
+ return
+ }
+
 kv.val, err = snap.Decode(kv.val)
 if err != nil {
 err = &kvs.DBError{err}
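Review bot: The pgsql `Put` hunk is the sixth verbatim copy of the same five-line encrypt block in this patch (with the three-line decrypt block repeated three times), each re-wrapping the error in `kvs.CKError` by hand; a fourth backend will have to copy it again and can easily apply the two layers in the wrong order relative to `get`. Since every backend already imports `kvs` and `cryp`, I would hoist the sequence into a pair of shared helpers and reduce each call site to `if val, err = encryptValue(tx.ds.ck, tx.ck, val); err != nil { return }`; where they live depends on whether `kvs` can import `cryp` without a cycle, which is not visible here. `Put` begins before this hunk.

```go
// encryptValue applies the global datastore key first and the
// transaction key second; decryptValue must undo them in reverse.
func encryptValue(dsKey, txKey, val []byte) ([]byte, error) {
	var err error
	if val, err = cryp.Encrypt(dsKey, val); err != nil {
		return nil, &kvs.CKError{err}
	}
	if val, err = cryp.Encrypt(txKey, val); err != nil {
		return nil, &kvs.CKError{err}
	}
	return val, nil
}

// decryptValue is the inverse of encryptValue.
func decryptValue(dsKey, txKey, val []byte) ([]byte, error) {
	var err error
	if val, err = cryp.Decrypt(txKey, val); err != nil {
		return nil, &kvs.CKError{err}
	}
	if val, err = cryp.Decrypt(dsKey, val); err != nil {
		return nil, &kvs.CKError{err}
	}
	return val, nil
}
```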