RUBY-2405 Add GCP KMS support (#2374)

Author: comandeo-mongo

.evergreen/config-atlas.yml

@@ -166,14 +166,20 @@ functions:
           MONGO_RUBY_DRIVER_AWS_SECRET="${fle_aws_secret}"
           MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
           MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
+
           MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${fle_azure_tenant_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${fle_azure_client_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${fle_azure_client_secret}"
           MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
+
           MONGO_RUBY_DRIVER_GCP_EMAIL="${fle_gcp_email}"
           MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${fle_gcp_private_key}"
+          MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
+          MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
+          MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
+          MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
           MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
           EOT
 

.evergreen/config.yml

@@ -183,14 +183,20 @@ functions:
           MONGO_RUBY_DRIVER_AWS_SECRET="${fle_aws_secret}"
           MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
           MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
+
           MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${fle_azure_tenant_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${fle_azure_client_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${fle_azure_client_secret}"
           MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
+
           MONGO_RUBY_DRIVER_GCP_EMAIL="${fle_gcp_email}"
           MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${fle_gcp_private_key}"
+          MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
+          MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
+          MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
+          MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
           MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
           EOT
 

.evergreen/config/common.yml.erb

@@ -248,14 +248,20 @@ functions:
           MONGO_RUBY_DRIVER_AWS_SECRET="${fle_aws_secret}"
           MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
           MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
+
           MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${fle_azure_tenant_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${fle_azure_client_id}"
           MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${fle_azure_client_secret}"
           MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
           MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
+
           MONGO_RUBY_DRIVER_GCP_EMAIL="${fle_gcp_email}"
           MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${fle_gcp_private_key}"
+          MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
+          MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
+          MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
+          MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
           MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
           EOT
 

docs/reference/client-side-encryption.txt

@@ -305,7 +305,8 @@ Both automatic encryption and explicit encryption require an encryption master k
 This master key is used to encrypt data keys, which are in turn used to encrypt
 user data. The master key can be generated in one of two ways: by creating a
 local key, or by creating a key in a key management service. Currently
-Ruby driver supports AWS Key Management Service (KMS) and Azure Key Vault.
+Ruby driver supports AWS Key Management Service (KMS), Azure Key Vault, and
+Google Cloud Key Management (GCP KMS).
 
 Local Master Key
 ~~~~~~~~~~~~~~~~
@@ -380,7 +381,7 @@ See the `Local Master Key`_ section for more information about generating a new
 local master key.
 
 Create a Data Key Using a Remote Master Key
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you have created an AWS KMS master key, note the access key ID and the secret access
 key of the IAM user that has permissions to use the key. Additionally, note
@@ -389,9 +390,20 @@ use that information to generate a data key.
 
 If you have created an Azure master key, note the tenant id, the client id, and
 the client secret of the application that has permissions to use the key.
-Additionally, note the key name, key version (id any), and key vault endpoint
+Additionally, note the key name, key version (if any), and key vault endpoint
 for your master key. You will use that information to generate a data key.
 
+If you have created a GCP KMS master key, note the email and the private key,
+and the client secret of the application that has permissions to use the key.
+Additionally, note the project id, location, key ring, key name, and
+key version (if any) for your master key. You will use that information to
+generate a data key.
+
+Please note that GCP private key can be in different formats. Ruby driver
+supports DER encoded RSA private key as base64 encoded string. For MRI Ruby
+the driver additionally support PEM encoded RSA private key.
+
+
 .. code-block:: ruby
 
   # A Mongo::Client instance that will be used to connect to the key vault
@@ -412,6 +424,12 @@ for your master key. You will use that information to generate a data key.
         tenant_id: 'AZURE-TENANT-ID',
         client_id: 'AZURE-CLIENT-ID',
         client_secret: 'AZURE-CLIENT-SECRET'
+      },
+      gcp: {
+        email: 'GCP-EMAIL',
+        # :private_key value should be GCP private key as base64 encoded
+        # DER RSA private key, or PEM RSA private key, if you are using MRI Ruby.
+        private_key: 'GCP-PRIVATE-KEY',
       }
     }
   )
@@ -423,7 +441,6 @@ for your master key. You will use that information to generate a data key.
         region: 'REGION-OF-YOUR-MASTER-KEY',
         key: 'ARN-OF-YOUR-MASTER-KEY'
       }
-
     }
   )
   # => <BSON::Binary... type=ciphertext...>
@@ -435,7 +452,19 @@ for your master key. You will use that information to generate a data key.
         key_vault_endpoint: 'AZURE-KEY-VAULT-ENDPOINT',
         key_name: 'AZURE-KEY-NAME'
       }
+    }
+  )
+  # => <BSON::Binary... type=ciphertext...>
 
+  gcp_data_key_id = client_encryption.create_data_key(
+    'gcp',
+    {
+      master_key: {
+        project_id: 'GCP-PROJECT-ID',
+        location: 'GCP-LOCATION',
+        key_ring: 'GCP-KEY-RING',
+        key_name: 'GCP-KEY-NAME',
+      }
     }
   )
   # => <BSON::Binary... type=ciphertext...>

lib/mongo/crypt/binding.rb

@@ -1082,6 +1082,45 @@ def self.setopt_crypto_hooks(handle,
         end
       end
 
+      # @!method self.mongocrypt_setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(crypt, sign_rsaes_pkcs1_v1_5, ctx=nil)
+      #   @api private
+      #
+      #   Set a crypto hook for the RSASSA-PKCS1-v1_5 algorithm with a SHA-256 hash.
+      #   @param [ FFI::Pointer ] crypt A pointer to a mongocrypt_t object.
+      #   @param [ Proc ] sign_rsaes_pkcs1_v1_5 A RSASSA-PKCS1-v1_5 signing method.
+      #   @param [ FFI::Pointer | nil ] ctx An optional pointer to a context object
+      #     that may have been set when hooks were enabled.
+      #   @return [ Boolean ] Whether setting this option succeeded.
+      attach_function(
+        :mongocrypt_setopt_crypto_hook_sign_rsaes_pkcs1_v1_5,
+        [
+          :pointer,
+          :mongocrypt_hmac_fn,
+          :pointer
+        ],
+        :bool
+      )
+
+      # Set a crypto hook for the RSASSA-PKCS1-v1_5 algorithm with
+      #   a SHA-256 hash oh the Handle.
+      #
+      # @param [ Mongo::Crypt::Handle ] handle
+      # @param [ Method ] rsaes_pkcs_signature_cb A RSASSA-PKCS1-v1_5 signing method.
+      #
+      # @raise [ Mongo::Error::CryptError ] If the callbacks aren't set successfully
+      def self.setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(
+        handle,
+        rsaes_pkcs_signature_cb
+      )
+        check_status(handle) do
+          mongocrypt_setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(
+            handle.ref,
+            rsaes_pkcs_signature_cb,
+            nil
+          )
+        end
+      end
+
       # Raise a Mongo::Error::CryptError based on the status of the underlying
       # mongocrypt_t object.
       #

lib/mongo/crypt/encryption_io.rb

@@ -124,11 +124,11 @@ def mark_command(cmd)
         return response.first
       end
 
-      # Get information about the AWS encryption key and feed it to the the
+      # Get information about the remote KMS encryption key and feed it to the the
       # KmsContext object
       #
       # @param [ Mongo::Crypt::KmsContext ] kms_context A KmsContext object
-      #   corresponding to one AWS KMS data key. Contains information about
+      #   corresponding to one remote KMS data key. Contains information about
       #   the endpoint at which to establish a TLS connection and the message
       #   to send on that connection.
       def feed_kms(kms_context)

lib/mongo/crypt/handle.rb

@@ -159,7 +159,19 @@ def do_hmac_sha(digest_name, key_binary_p, input_binary_p,
         end
       end
 
-      # We are buildling libmongocrypt without crypto functions to remove the
+      # Perform signing using RSASSA-PKCS1-v1_5 with SHA256 hash and write
+      # the output to the provided mongocrypt_binary_t object.
+      def do_rsaes_pkcs_signature(key_binary_p, input_binary_p,
+        output_binary_p, status_p)
+        key = Binary.from_pointer(key_binary_p).to_s
+        input = Binary.from_pointer(input_binary_p).to_s
+
+        write_binary_string_and_set_status(output_binary_p, status_p) do
+          Hooks.rsaes_pkcs_signature(key, input)
+        end
+      end
+
+      # We are building libmongocrypt without crypto functions to remove the
       # external dependency on OpenSSL. This method binds native Ruby crypto
       # methods to the underlying mongocrypt_t object so that libmongocrypt can
       # still perform cryptography.
@@ -225,6 +237,16 @@ def set_crypto_hooks
           @hmac_sha_256,
           @hmac_hash,
         )
+
+        @rsaes_pkcs_signature_cb = Proc.new do |_, key_binary_p, input_binary_p,
+          output_binary_p, status_p|
+          do_rsaes_pkcs_signature(key_binary_p, input_binary_p, output_binary_p, status_p)
+        end
+
+        Binding.setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(
+          self,
+          @rsaes_pkcs_signature_cb
+        )
       end
 
       # Initialize the underlying mongocrypt_t object and raise an error if the operation fails

lib/mongo/crypt/hooks.rb

@@ -88,6 +88,28 @@ def hash_sha256(input)
         Digest::SHA2.new(256).digest(input)
       end
       module_function :hash_sha256
+
+      # An RSASSA-PKCS1-v1_5 with SHA-256 signature function.
+      #
+      # @param [ String ] key The PKCS#8 private key in DER format, base64 encoded.
+      # @param [ String ] input The data to be signed.
+      #
+      # @return [ String ] The signature.
+      def rsaes_pkcs_signature(key, input)
+        private_key = if BSON::Environment.jruby?
+          # JRuby cannot read DER format, we need to convert key into PEM first.
+          key_pem = [
+            "-----BEGIN PRIVATE KEY-----",
+            Base64.strict_encode64(Base64.decode64(key)).scan(/.{1,64}/),
+            "-----END PRIVATE KEY-----",
+          ].join("\n")
+          OpenSSL::PKey::RSA.new(key_pem)
+        else
+          OpenSSL::PKey.read(Base64.decode64(key))
+        end
+        private_key.sign(OpenSSL::Digest::SHA256.new, input)
+      end
+      module_function :rsaes_pkcs_signature
     end
   end
 end

lib/mongo/crypt/kms.rb

@@ -75,4 +75,5 @@ def validate_param(key, opts, format_hint, required: true)
 require "mongo/crypt/kms/master_key_document"
 require 'mongo/crypt/kms/aws'
 require 'mongo/crypt/kms/azure'
+require 'mongo/crypt/kms/gcp'
 require 'mongo/crypt/kms/local'

lib/mongo/crypt/kms/azure.rb

@@ -105,7 +105,7 @@ class MasterKeyDocument
         #
         # @raise [ ArgumentError ] If required options are missing or incorrectly.
           def initialize(opts)
-            if opts.is_a?(Hash)
+            unless opts.is_a?(Hash)
               raise ArgumentError.new(
                 'Key document options must contain a key named :master_key with a Hash value'
               )

lib/mongo/crypt/kms/credentials.rb

@@ -46,11 +46,14 @@ def initialize(kms_providers)
           if kms_providers.key?(:azure)
             @azure = Azure::Credentials.new(kms_providers[:azure])
           end
+          if kms_providers.key?(:gcp)
+            @gcp = GCP::Credentials.new(kms_providers[:gcp])
+          end
           if kms_providers.key?(:local)
             @local = Local::Credentials.new(kms_providers[:local])
           end
-          if @aws.nil? && @azure.nil? && @local.nil?
-            raise ArgumentError.new("KMS providers options must have one of the following keys: :aws, :azure, :local")
+          if @aws.nil? && @azure.nil? && @gcp.nil? && @local.nil?
+            raise ArgumentError.new("KMS providers options must have one of the following keys: :aws, :azure, :gcp, :local")
           end
         end
 
@@ -61,6 +64,7 @@ def to_document
           BSON::Document.new({}).tap do |bson|
             bson[:aws] = @aws.to_document if @aws
             bson[:azure] = @azure.to_document if @azure
+            bson[:gcp] = @gcp.to_document if @gcp
             bson[:local] = @local.to_document if @local
           end
         end