cc/monitoring/monitoring.h

*e7b1675dSTing-Kang Chang// Copyright 2022 Google LLC
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang///////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang#ifndef TINK_MONITORING_MONITORING_H_
*e7b1675dSTing-Kang Chang#define TINK_MONITORING_MONITORING_H_
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <cstdint>
*e7b1675dSTing-Kang Chang#include <memory>
*e7b1675dSTing-Kang Chang#include <string>
*e7b1675dSTing-Kang Chang#include <vector>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "absl/container/flat_hash_map.h"
*e7b1675dSTing-Kang Chang#include "tink/internal/key_status_util.h"
*e7b1675dSTing-Kang Chang#include "tink/key_status.h"
*e7b1675dSTing-Kang Chang#include "tink/util/statusor.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Immutable representation of a KeySet in a certain point in time for the
*e7b1675dSTing-Kang Chang// purpose of monitoring operations involving cryptographic keys.
*e7b1675dSTing-Kang Changclass MonitoringKeySetInfo {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  // Description about each entry of the KeySet.
*e7b1675dSTing-Kang Chang  class Entry {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    // Constructs a new KeySet entry with a given `status`, `key_id`,
*e7b1675dSTing-Kang Chang    // `key_type`, and `key_prefix`.
*e7b1675dSTing-Kang Chang    Entry(KeyStatus status, uint32_t key_id, absl::string_view key_type,
*e7b1675dSTing-Kang Chang          absl::string_view key_prefix)
*e7b1675dSTing-Kang Chang        : status_(status),
*e7b1675dSTing-Kang Chang          key_id_(key_id),
*e7b1675dSTing-Kang Chang          key_type_(key_type),
*e7b1675dSTing-Kang Chang          key_prefix_(key_prefix) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang    // Returns the status of this entry.
*e7b1675dSTing-Kang Chang    std::string GetStatus() const { return internal::ToKeyStatusName(status_); }
*e7b1675dSTing-Kang Chang    // Returns the ID of the entry within the keyset.
*e7b1675dSTing-Kang Chang    uint32_t GetKeyId() const { return key_id_; }
*e7b1675dSTing-Kang Chang    // Returns the key type.
*e7b1675dSTing-Kang Chang    std::string GetKeyType() const { return key_type_; }
*e7b1675dSTing-Kang Chang    // Returns the key prefix.
*e7b1675dSTing-Kang Chang    std::string GetKeyPrefix() const { return key_prefix_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang   private:
*e7b1675dSTing-Kang Chang    const KeyStatus status_;
*e7b1675dSTing-Kang Chang    // Identifies a key within a keyset.
*e7b1675dSTing-Kang Chang    const uint32_t key_id_;
*e7b1675dSTing-Kang Chang    // This field stores the key type.
*e7b1675dSTing-Kang Chang    const std::string key_type_;
*e7b1675dSTing-Kang Chang    // Stores the key output prefix.
*e7b1675dSTing-Kang Chang    const std::string key_prefix_;
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Constructs a MonitoringKeySetInfo object with the given
*e7b1675dSTing-Kang Chang  // `keyset_annotations`, `keyset_entries` and primary key ID `primary_key_id`.
*e7b1675dSTing-Kang Chang  MonitoringKeySetInfo(
*e7b1675dSTing-Kang Chang      const absl::flat_hash_map<std::string, std::string>& keyset_annotations,
*e7b1675dSTing-Kang Chang      const std::vector<Entry>& keyset_entries, uint32_t primary_key_id)
*e7b1675dSTing-Kang Chang      : keyset_annotations_(keyset_annotations),
*e7b1675dSTing-Kang Chang        keyset_entries_(keyset_entries),
*e7b1675dSTing-Kang Chang        primary_key_id_(primary_key_id) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Returns a const reference to the annotations of this keyset.
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string>& GetAnnotations() const {
*e7b1675dSTing-Kang Chang    return keyset_annotations_;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang  // Returns a const reference to the array of entries for this keyset.
*e7b1675dSTing-Kang Chang  const std::vector<Entry>& GetEntries() const { return keyset_entries_; }
*e7b1675dSTing-Kang Chang  // Returns the ID of the primary key in this keyset.
*e7b1675dSTing-Kang Chang  uint32_t GetPrimaryKeyId() const { return primary_key_id_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  // Annotations of this keyset in the form 'key' -> 'value'.
*e7b1675dSTing-Kang Chang  const absl::flat_hash_map<std::string, std::string> keyset_annotations_;
*e7b1675dSTing-Kang Chang  const std::vector<Entry> keyset_entries_;
*e7b1675dSTing-Kang Chang  const uint32_t primary_key_id_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Defines a context for monitoring events, wich includes the primitive and API
*e7b1675dSTing-Kang Chang// used, and info on the keyset.
*e7b1675dSTing-Kang Changclass MonitoringContext {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  // Construct a new context for the given `primitive`, `api_function` and
*e7b1675dSTing-Kang Chang  // `keyset_info`.
*e7b1675dSTing-Kang Chang  MonitoringContext(absl::string_view primitive, absl::string_view api_function,
*e7b1675dSTing-Kang Chang                    const MonitoringKeySetInfo& keyset_info)
*e7b1675dSTing-Kang Chang      : primitive_(primitive),
*e7b1675dSTing-Kang Chang        api_function_(api_function),
*e7b1675dSTing-Kang Chang        keyset_info_(keyset_info) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Returns the primitive.
*e7b1675dSTing-Kang Chang  std::string GetPrimitive() const { return primitive_; }
*e7b1675dSTing-Kang Chang  // Returns the API function.
*e7b1675dSTing-Kang Chang  std::string GetApi() const { return api_function_; }
*e7b1675dSTing-Kang Chang  // Returns a constant reference to the keyset info.
*e7b1675dSTing-Kang Chang  const MonitoringKeySetInfo& GetKeySetInfo() const { return keyset_info_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  const std::string primitive_;
*e7b1675dSTing-Kang Chang  const std::string api_function_;
*e7b1675dSTing-Kang Chang  const MonitoringKeySetInfo keyset_info_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Interface for a monitoring client which can be registered with Tink. A
*e7b1675dSTing-Kang Chang// monitoring client getis informed by Tink about certain events happening
*e7b1675dSTing-Kang Chang// during cryptographic operations.
*e7b1675dSTing-Kang Changclass MonitoringClient {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  virtual ~MonitoringClient() = default;
*e7b1675dSTing-Kang Chang  // Logs a successful use of `key_id` on an input of `num_bytes_as_input`. Tink
*e7b1675dSTing-Kang Chang  // primitive wrappers call this method when they successfully used a key to
*e7b1675dSTing-Kang Chang  // carry out a primitive method, e.g. Aead::Encrypt(). As a consequence,
*e7b1675dSTing-Kang Chang  // subclasses of MonitoringClient should be mindful on the amount of work
*e7b1675dSTing-Kang Chang  // performed by this method, as this will be called on each cryptographic
*e7b1675dSTing-Kang Chang  // operation. Implementations of MonitoringClient are responsible to add
*e7b1675dSTing-Kang Chang  // context to identify, e.g., the primitive and the API function.
*e7b1675dSTing-Kang Chang  virtual void Log(uint32_t key_id, int64_t num_bytes_as_input) = 0;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Logs a failure. Tink calls this method when a cryptographic operation
*e7b1675dSTing-Kang Chang  // failed, e.g. no key could be found to decrypt a ciphertext. In this
*e7b1675dSTing-Kang Chang  // case the failure is not associated with a specific key, therefore this
*e7b1675dSTing-Kang Chang  // method has no arguments. The MonitoringClient implementation is responsible
*e7b1675dSTing-Kang Chang  // to add context to identify where the failure comes from.
*e7b1675dSTing-Kang Chang  virtual void LogFailure() = 0;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Interface for a factory class that creates monitoring clients.
*e7b1675dSTing-Kang Changclass MonitoringClientFactory {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  virtual ~MonitoringClientFactory() = default;
*e7b1675dSTing-Kang Chang  // Create a new monitoring client that logs events related to the given
*e7b1675dSTing-Kang Chang  // `context`.
*e7b1675dSTing-Kang Chang  virtual crypto::tink::util::StatusOr<std::unique_ptr<MonitoringClient>> New(
*e7b1675dSTing-Kang Chang      const MonitoringContext& context) = 0;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#endif  // TINK_MONITORING_MONITORING_H_