14a181620c
This DRYs up setting up encrypted columns for a model. You just need to specify the column or columns to be encrypted, and the plugin takes care of setting up the column_encryption plugin. Other advantages: * Model.redacted_columns is now an attr_reader, and does not need to check for encrypted columns every time it is called. * Model#before_destroy can look at Model.encrypted_columns (also an attr_reader), so it is simplified as well. Simplify the method while here by using hash key omission, and make sure the constant it uses is frozen.
34 lines
1.2 KiB
Ruby
34 lines
1.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require_relative "../model"
|
|
|
|
class StorageKeyEncryptionKey < Sequel::Model
|
|
plugin ResourceMethods, encrypted_columns: [:key, :init_vector]
|
|
|
|
def secret_key_material_hash
|
|
# default to_hash doesn't decrypt encrypted columns, so implement
|
|
# this to decrypt keys when they need to be sent to a running copy
|
|
# of spdk.
|
|
{
|
|
"key" => key,
|
|
"init_vector" => init_vector,
|
|
"algorithm" => algorithm,
|
|
"auth_data" => auth_data
|
|
}
|
|
end
|
|
end
|
|
|
|
# Table: storage_key_encryption_key
|
|
# Columns:
|
|
# id | uuid | PRIMARY KEY
|
|
# algorithm | text | NOT NULL
|
|
# key | text | NOT NULL
|
|
# init_vector | text | NOT NULL
|
|
# auth_data | text | NOT NULL
|
|
# created_at | timestamp with time zone | NOT NULL DEFAULT now()
|
|
# Indexes:
|
|
# storage_key_encryption_key_pkey | PRIMARY KEY btree (id)
|
|
# Referenced By:
|
|
# vm_storage_volume | vm_storage_volume_key_encryption_key_1_id_fkey | (key_encryption_key_1_id) REFERENCES storage_key_encryption_key(id)
|
|
# vm_storage_volume | vm_storage_volume_key_encryption_key_2_id_fkey | (key_encryption_key_2_id) REFERENCES storage_key_encryption_key(id)
|