IC-445 Adds fields encryption

Author: fernandomora

.scalafmt.conf

@@ -1,7 +1,7 @@
 version                          = 2.6.4
 align.openParenCallSite          = true
 align.openParenDefnSite          = true
-maxColumn                        = 160
+maxColumn                        = 120
 continuationIndent.defnSite      = 2
 assumeStandardLibraryStripMargin = true
 danglingParentheses.preset       = true

build.sbt

@@ -19,9 +19,11 @@ lazy val root = (project in file("."))
     Compile / packageSrc / mappings := Seq(),
     testFrameworks += new TestFramework("weaver.framework.CatsEffect"),
     scalafmtOnCompile := true,
+    Test / scalacOptions --= Seq("-Xfatal-warnings"),
     libraryDependencies ++= Seq(
       "co.fs2" %% "fs2-core" % "3.2.2",
       "co.fs2" %% "fs2-io" % "3.2.2",
+      "com.google.crypto.tink" % "tink" % "1.6.1",
       "com.softwaremill.magnolia1_2" %% "magnolia" % "1.0.0-M7",
       "de.siegmar" % "fastcsv" % "1.0.3",
       "org.mapdb" % "mapdb" % "3.0.8",

src/main/scala/com/intenthq/StreamOps.scala

@@ -8,9 +8,12 @@ import scala.concurrent.duration.FiniteDuration
 import StreamOps._
 
 class StreamChunkOps[F[_], O](s: fs2.Stream[F, Chunk[O]]) {
-  private val parallelismEnabled: Boolean = scala.util.Properties.envOrNone("FS2_PARALLELISM").map(_.toBoolean).getOrElse(true)
+  private val parallelismEnabled: Boolean =
+    scala.util.Properties.envOrNone("FS2_PARALLELISM").map(_.toBoolean).getOrElse(true)
 
-  def parEvalMapChunksUnordered[F2[x] >: F[x]: Concurrent, O2](parallelism: Int)(f: Chunk[O] => F2[Chunk[O2]]): Stream[F2, O2] =
+  def parEvalMapChunksUnordered[F2[x] >: F[x]: Concurrent, O2](
+    parallelism: Int
+  )(f: Chunk[O] => F2[Chunk[O2]]): Stream[F2, O2] =
     if (!parallelismEnabled)
       s.flatMap(chunk => Stream.evalUnChunk(f(chunk)))
     else

src/main/scala/com/intenthq/action_processor/integrations/aggregations/Aggregate.scala

@@ -13,7 +13,7 @@ import scala.jdk.CollectionConverters._
 
 object Aggregate {
 
-  def noop[I]: fs2.Pipe[IO, I, (I, Long)] = _.map(_ -> 1L)
+  def noop[I]: fs2.Pipe[IO, I, I] = identity
 
   private def loadAggRepository[K](mapDbSettings: MapDbSettings): Resource[IO, HTreeMap[K, Long]] = {
 
@@ -32,28 +32,41 @@ object Aggregate {
       )
   }
 
-  def aggregateByKeys[I, K](feedContext: FeedContext[IO], keys: I => List[K], counter: I => Long): fs2.Pipe[IO, I, (K, Long)] =
+  def aggregateByKeys[I, K](feedContext: FeedContext[IO],
+                            keys: I => List[K],
+                            counter: I => Long
+  ): fs2.Pipe[IO, I, (K, Long)] =
     sourceStream => {
 
       // This pipe aggregates all the elemens and returns a single Map as an aggregate repository
       val aggregateInRepository: fs2.Pipe[IO, I, ConcurrentMap[K, Long]] =
         in => {
           fs2.Stream
-            .resource[IO, ConcurrentMap[K, Long]](loadAggRepository(feedContext.mapDbSettings))
+            .resource[IO, ConcurrentMap[K, Long]](
+              loadAggRepository(feedContext.mapDbSettings)
+            )
             .flatMap { aggRepository =>
               fs2.Stream.exec(IO.delay(println("Starting aggregation"))) ++
                 in.evalMapChunk { o =>
                   IO.delay {
                     keys(o).foreach { value =>
-                      val previousCounter = aggRepository.getOrDefault(value, 0L)
+                      val previousCounter =
+                        aggRepository.getOrDefault(value, 0L)
                       aggRepository.put(value, counter(o) + previousCounter)
                     }
                     aggRepository
                   }
                 }
                   // Returns last aggRepository with the counter of elements
-                  .fold((aggRepository, 0L)) { case ((_, previousRows), aggRepository) => (aggRepository, previousRows + 1) }
-                  .evalMapChunk { case (aggRepository, n) => IO.delay(println(s"Finished aggregation of $n rows")).as(aggRepository) }
+                  .fold((aggRepository, 0L)) {
+                    case ((_, previousRows), aggRepository) =>
+                      (aggRepository, previousRows + 1)
+                  }
+                  .evalMapChunk {
+                    case (aggRepository, n) =>
+                      IO.delay(println(s"Finished aggregation of $n rows"))
+                        .as(aggRepository)
+                  }
             }
         }
 

src/main/scala/com/intenthq/action_processor/integrations/aggregations/NoAggregate.scala

@@ -7,5 +7,5 @@ import scala.annotation.unused
 
 trait NoAggregate[I] {
   self: Feed[I, I] =>
-  override def transform(@unused feedContext: FeedContext[IO]): fs2.Pipe[IO, I, (I, Long)] = Aggregate.noop
+  override def transform(@unused feedContext: FeedContext[IO]): fs2.Pipe[IO, I, I] = Aggregate.noop
 }

src/main/scala/com/intenthq/action_processor/integrations/encryption/Encryption.scala

@@ -0,0 +1,61 @@
+package com.intenthq.action_processor.integrations.encryption
+
+import cats.syntax.all._
+import cats.{ApplicativeError, MonadError}
+import com.google.crypto.tink.subtle.AesSiv
+import com.intenthq.action_processor.integrations.encryption.ByteArrayStringOps._
+import com.intenthq.action_processor.integrations.feeds.Feed
+
+import java.nio.charset.StandardCharsets.UTF_8
+import java.util.Base64
+
+case class EncryptionKey private (bytes: Array[Byte]) {
+  private val aesSiv: AesSiv = new AesSiv(bytes)
+  def encrypt[F[_]: ApplicativeError[*[_], Throwable]](string: String): F[String] =
+    ApplicativeError[F, Throwable].catchNonFatal(
+      aesSiv.encryptDeterministically(string.getBytes(UTF_8), Array.emptyByteArray).asBase64StringFromBytes
+    )
+  def decrypt[F[_]: MonadError[*[_], Throwable]](base64String: String): F[String] =
+    for {
+      bytes <- base64String.asBytesFromBase64String[F]
+      decrypted <-
+        ApplicativeError[F, Throwable].catchNonFatal(aesSiv.decryptDeterministically(bytes, Array.emptyByteArray))
+    } yield new String(decrypted, UTF_8)
+}
+
+object EncryptionKey {
+  def fromBytes(bytes: Array[Byte]): Either[Throwable, EncryptionKey] =
+    Either.catchNonFatal(EncryptionKey(bytes))
+  def fromBase64String[F[_]: MonadError[*[_], Throwable]](base64String: String): F[EncryptionKey] =
+    for {
+      bytes <- base64String.asBytesFromBase64String[F]
+      encryptionKey <- ApplicativeError[F, Throwable].catchNonFatal(EncryptionKey(bytes))
+    } yield encryptionKey
+}
+
+object ByteArrayStringOps {
+  implicit class StringSyntax(val string: String) extends AnyVal {
+    def asBytesFromBase64String[F[_]: ApplicativeError[*[_], Throwable]]: F[Array[Byte]] =
+      ApplicativeError[F, Throwable].catchNonFatal(Base64.getDecoder.decode(string))
+  }
+
+  implicit class ByteArraySyntax(val bytes: Array[Byte]) extends AnyVal {
+    def asBase64StringFromBytes: String = Base64.getEncoder.withoutPadding().encodeToString(bytes)
+  }
+}
+
+class EncryptionKeyNotFound(feedName: String)
+    extends Exception(s"Encryption key not provided. Required in feed $feedName")
+
+trait EncryptionForFeed[I, O] { self: Feed[I, O] =>
+  def encryptedField[F[_]: ApplicativeError[*[_], Throwable], T](
+    maybeEncryptionKey: Option[EncryptionKey]
+  )(fieldToEncrypt: I => String)(setEncryptedField: (I, String) => O): fs2.Pipe[F, I, O] =
+    maybeEncryptionKey match {
+      case None => _ => fs2.Stream.raiseError[F](new EncryptionKeyNotFound(feedName))
+      case Some(encryptionKey) =>
+        _.evalMap(input =>
+          encryptionKey.encrypt(fieldToEncrypt(input)).map(encrypted => setEncryptedField(input, encrypted))
+        )
+    }
+}

src/main/scala/com/intenthq/action_processor/integrations/encryption/EncryptionKeyGeneratorApp.scala

@@ -0,0 +1,18 @@
+package com.intenthq.action_processor.integrations.encryption
+
+object EncryptionKeyGeneratorApp extends App {
+  private val KEY_SIZE_IN_BYTES = 64
+  private val random = {
+    val random = new java.security.SecureRandom()
+    random.nextLong() // force seeding
+    random
+  }
+
+  def newRandomKey(): Array[Byte] = {
+    val bytes = Array.ofDim[Byte](KEY_SIZE_IN_BYTES)
+    random.nextBytes(bytes)
+    bytes
+  }
+
+  println(java.util.Base64.getEncoder.withoutPadding().encodeToString(newRandomKey()))
+}

src/main/scala/com/intenthq/action_processor/integrations/feeds/CSVFeed.scala

@@ -9,7 +9,7 @@ import fs2.Stream
 
 import scala.jdk.CollectionConverters._
 
-trait ParseCSVInput[O] extends Feed[Iterable[String], O] {
+trait CSVFeed[O] extends Feed[Iterable[String], O] {
 
   protected lazy val csvReader: CsvReader = new CsvReader
 

src/main/scala/com/intenthq/action_processor/integrations/feeds/Feed.scala

@@ -7,16 +7,16 @@ import cats.effect.IO
 trait Feed[I, O] {
 
   def toString(i: I): String = i.toString
-
   lazy val feedName: String = getClass.getSimpleName.stripSuffix("$")
+
   def date(feedContext: FeedContext[IO], clock: Clock = Clock.systemDefaultZone()): IO[LocalDate] =
     feedContext.filter.date.fold(IO.delay(java.time.LocalDate.now(clock)))(IO.pure)
   def part(feedContext: FeedContext[IO]): Int = feedContext.filter.time.fold(0)(_.getHour)
 
   def inputStream(feedContext: FeedContext[IO]): fs2.Stream[IO, I]
-  def transform(feedContext: FeedContext[IO]): fs2.Pipe[IO, I, (O, Long)]
-  def serialize(o: O, counter: Long): Array[Byte]
-  val serialization: fs2.Pipe[IO, (O, Long), Array[Byte]] = _.map((serialize _).tupled)
+  def transform(feedContext: FeedContext[IO]): fs2.Pipe[IO, I, O]
+  def serialize(o: O): Array[Byte]
+  val serialization: fs2.Pipe[IO, O, Array[Byte]] = _.map(serialize)
 
   def stream(feedContext: FeedContext[IO]): fs2.Stream[IO, Array[Byte]] =
     inputStream(feedContext)

src/main/scala/com/intenthq/action_processor/integrations/feeds/FeedContext.scala

@@ -1,9 +1,17 @@
 package com.intenthq.action_processor.integrations.feeds
 
-import java.time.{LocalDate, LocalTime}
-
 import com.intenthq.action_processor.integrations.config.MapDbSettings
+import com.intenthq.action_processor.integrations.encryption.EncryptionKey
 import com.intenthq.embeddings.Mapping
 
+import java.time.{LocalDate, LocalTime}
+
 case class FeedFilter(date: Option[LocalDate], time: Option[LocalTime])
-case class FeedContext[F[_]](embeddings: Option[Mapping[String, List[String], F]], filter: FeedFilter, mapDbSettings: MapDbSettings)
+object FeedFilter {
+  val empty: FeedFilter = FeedFilter(None, None)
+}
+case class FeedContext[F[_]](embeddings: Option[Mapping[String, List[String], F]],
+                             filter: FeedFilter,
+                             mapDbSettings: MapDbSettings,
+                             encryptionKey: Option[EncryptionKey]
+)

src/main/scala/com/intenthq/action_processor/integrations/feeds/PostgresFeed.scala

@@ -6,5 +6,6 @@ import scala.util.Properties
 
 trait PostgresFeed[I, O] extends SQLFeed[I, O] with PgDoobieImplicits {
   override val driver: String = "org.postgresql.Driver"
-  override protected val jdbcUrl: String = Properties.envOrElse("POSTGRESQL_JDBC_URL", "jdbc:postgresql://localhost:5432/database")
+  override protected val jdbcUrl: String =
+    Properties.envOrElse("POSTGRESQL_JDBC_URL", "jdbc:postgresql://localhost:5432/database")
 }

src/main/scala/com/intenthq/action_processor/integrations/repositories/MapDBRepository.scala

@@ -13,7 +13,8 @@ object MapDBRepository {
   def load(mapDBSettings: MapDbSettings): Resource[IO, DB] = {
     val dbInitOp = for {
       now <- IO.delay(LocalDateTime.now())
-      dbFile <- IO.delay(new File(Paths.get(mapDBSettings.dbPath.toString, s"dbb-${now.toLocalDate}-${now.toLocalTime}").toUri))
+      dbFile <-
+        IO.delay(new File(Paths.get(mapDBSettings.dbPath.toString, s"dbb-${now.toLocalDate}-${now.toLocalTime}").toUri))
       createDb <- IO.blocking {
         DBMaker
           .fileDB(dbFile.getAbsolutePath)
@@ -26,6 +27,8 @@ object MapDBRepository {
           .make()
       }
     } yield (createDb, dbFile)
-    Resource.make(dbInitOp)(db => IO.delay(db._1.close()).guarantee(IO.delay(Files.deleteIfExists(db._2.toPath)).void)).map(_._1)
+    Resource
+      .make(dbInitOp)(db => IO.delay(db._1.close()).guarantee(IO.delay(Files.deleteIfExists(db._2.toPath)).void))
+      .map(_._1)
   }
 }

src/main/scala/com/intenthq/action_processor/integrations/serializations/csv/Csv.scala

@@ -13,7 +13,8 @@ object Csv {
 
   type Typeclass[A] = Csv[A]
 
-  def join[A](ctx: CaseClass[Csv, A]): Csv[A] = (a: A) => ctx.parameters.flatMap(p => p.typeclass.toCSV(p.dereference(a)))
+  def join[A](ctx: CaseClass[Csv, A]): Csv[A] =
+    (a: A) => ctx.parameters.flatMap(p => p.typeclass.toCSV(p.dereference(a)))
 
   def split[A](ctx: SealedTrait[Csv, A]): Csv[A] = (a: A) => ctx.split(a)(sub => sub.typeclass.toCSV(sub.cast(a)))
 
@@ -26,10 +27,17 @@ object Csv {
   implicit val csvDouble: Csv[Double] = (a: Double) => Seq(a.toString)
   implicit val csvBigDecimal: Csv[BigDecimal] = (a: BigDecimal) => Seq(a.toString)
   implicit val csvBoolean: Csv[Boolean] = (a: Boolean) => Seq(a.toString)
-  implicit val csvLocalDate: Csv[LocalDate] = (a: LocalDate) => Seq(java.time.format.DateTimeFormatter.ofPattern("yyyy-MM-dd").format(a))
-  implicit val csvLocalTime: Csv[LocalTime] = (a: LocalTime) => Seq(java.time.format.DateTimeFormatter.ofPattern("HH:mm:ss").format(a))
+  implicit val csvLocalDate: Csv[LocalDate] = (a: LocalDate) =>
+    Seq(java.time.format.DateTimeFormatter.ofPattern("yyyy-MM-dd").format(a))
+  implicit val csvLocalTime: Csv[LocalTime] = (a: LocalTime) =>
+    Seq(java.time.format.DateTimeFormatter.ofPattern("HH:mm:ss").format(a))
   implicit val csvInstant: Csv[Instant] = (a: Instant) => Seq(a.toString)
-  implicit val csvLocalDateTime: Csv[LocalDateTime] = (a: LocalDateTime) => Seq(java.time.format.DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss").format(a))
+  implicit val csvLocalDateTime: Csv[LocalDateTime] = (a: LocalDateTime) =>
+    Seq(
+      java.time.format.DateTimeFormatter
+        .ofPattern("yyyy-MM-dd'T'HH:mm:ss")
+        .format(a)
+    )
 
   implicit def deriveCsv[A]: Csv[A] = macro Magnolia.gen[A]
 }

src/test/scala/com/intenthq/action_processor/integrations/CSVFeedSpec.scala

@@ -62,9 +62,11 @@ trait CSVFeedSpecResources { self: IOSuite =>
   }
 }
 
-class ExampleLocalFileSource(override val localFilePath: String) extends LocalFileFeed[Iterable[String], Iterable[String]] with NoAggregate[Iterable[String]] {
+class ExampleLocalFileSource(override val localFilePath: String)
+    extends LocalFileFeed[Iterable[String], Iterable[String]]
+    with NoAggregate[Iterable[String]] {
 
   protected val parseInput: Pipe[IO, Byte, Iterable[String]] = ParseCSVInput.parseInput[IO]('|')
 
-  override def serialize(o: Iterable[String], counter: Long): Array[Byte] = CsvSerialization.columnsAsCsv(o)
+  override def serialize(o: Iterable[String]): Array[Byte] = CsvSerialization.columnsAsCsv(o)
 }

src/test/scala/com/intenthq/action_processor/integrations/EncryptionSpec.scala

@@ -0,0 +1,52 @@
+package com.intenthq.action_processor.integrations
+
+import cats.effect.IO
+import cats.syntax.all._
+import com.intenthq.action_processor.integrations.config.MapDbSettings
+import com.intenthq.action_processor.integrations.encryption.{EncryptionForFeed, EncryptionKey}
+import com.intenthq.action_processor.integrations.feeds.{Feed, FeedContext, FeedFilter}
+import com.intenthq.action_processor.integrations.serializations.csv.Csv._
+import com.intenthq.action_processor.integrations.serializations.csv.CsvSerialization
+import fs2.Pipe
+import weaver.SimpleIOSuite
+
+import java.nio.charset.StandardCharsets.UTF_8
+
+object EncryptionSpec extends SimpleIOSuite {
+
+  case class User(userId: String, age: Int)
+  case class EncryptedUser(encryptedUserId: String, age: Int)
+
+  class EncryptedFeed(users: User*) extends Feed[User, User] with EncryptionForFeed[User, User] {
+    override def inputStream(feedContext: FeedContext[IO]): fs2.Stream[IO, User] = fs2.Stream.emits(users)
+    override def transform(feedContext: FeedContext[IO]): Pipe[IO, User, User] =
+      encryptedField(feedContext.encryptionKey)(user => user.userId)((user, encrypted) => user.copy(userId = encrypted))
+    override def serialize(o: User): Array[Byte] = CsvSerialization.serialize(o)
+  }
+
+  test("A feed with a given encryption key uses it to encrypt a given column") {
+    for {
+      encryptionKey <-
+        EncryptionKey
+          .fromBase64String(
+            "L8zhPwpQ47adVtfd6Ool8Xr3Yhl4EGXqd3pV86dVu6AXT4OOZrjz72h1B/Bx5BlHkSC5LajTmFayPPv5dtRDdA"
+          )
+      feedContext = FeedContext[IO](embeddings = None,
+                                    filter = FeedFilter.empty,
+                                    mapDbSettings = MapDbSettings.Default,
+                                    encryptionKey = Some(encryptionKey)
+      )
+      sourceUsers = List(User("userid-1", 1), User("userid-2", 2), User("userid-3", 3))
+      feed = new EncryptedFeed(sourceUsers: _*)
+      encryptedUsers = List(User("9/krxGDVzUhCibNRrE8XqA+HoLZo1NLk", 1),
+                            User("2pOZaBpNhBjlHIR9RGkoye9vWsUGN7LA", 2),
+                            User("B7gpZU+FFISFCAY0EBL5J/kId6Mh602c", 3)
+      )
+      expectedEncryptedUser = encryptedUsers.map(user => new String(CsvSerialization.serialize(user), UTF_8))
+      encryptedLines <- feed.stream(feedContext).map(new String(_, UTF_8)).compile.toList
+      decryptedUsers <- encryptedUsers.traverse(user =>
+        encryptionKey.decrypt(user.userId).map(decrypted => user.copy(userId = decrypted))
+      )
+    } yield expect(encryptedLines == expectedEncryptedUser) and expect(decryptedUsers == sourceUsers)
+  }
+}