Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: removed basilisk feature #3281

Merged
merged 3 commits into from
Jan 10, 2024
Merged

refactor: removed basilisk feature #3281

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f45fd84
refactor: remove basilisk feature
venkatesh-juspay Jan 8, 2024
d58c83f
refactor: cargo clippy
venkatesh-juspay Jan 9, 2024
076c905
refactor: remove basilisk related variables
venkatesh-juspay Jan 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 0 additions & 6 deletions config/config.example.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,12 +139,6 @@ connectors_with_delayed_session_response = "trustpay,payme" # List of connectors
connectors_with_webhook_source_verification_call = "paypal" # List of connectors which has additional source verification api-call

[jwekey] # 4 priv/pub key pair
locker_key_identifier1 = "" # key identifier for key rotation , should be same as basilisk
locker_key_identifier2 = "" # key identifier for key rotation , should be same as basilisk
locker_encryption_key1 = "" # public key 1 in pem format, corresponding private key in basilisk
locker_encryption_key2 = "" # public key 2 in pem format, corresponding private key in basilisk
locker_decryption_key1 = "" # private key 1 in pem format, corresponding public key in basilisk
locker_decryption_key2 = "" # private key 2 in pem format, corresponding public key in basilisk
vault_encryption_key = "" # public key in pem format, corresponding private key in basilisk-hs
rust_locker_encryption_key = "" # public key in pem format, corresponding private key in rust locker
vault_private_key = "" # private key in pem format, corresponding public key in basilisk-hs
Expand Down
6 changes: 0 additions & 6 deletions config/development.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,12 +80,6 @@ fallback_api_key = "YOUR API KEY HERE"
redis_lock_timeout = 26000

[jwekey]
locker_key_identifier1 = ""
locker_key_identifier2 = ""
locker_encryption_key1 = ""
locker_encryption_key2 = ""
locker_decryption_key1 = ""
locker_decryption_key2 = ""
vault_encryption_key = ""
rust_locker_encryption_key = ""
vault_private_key = ""
Expand Down
6 changes: 0 additions & 6 deletions config/docker_compose.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,12 +58,6 @@ mock_locker = true
basilisk_host = ""

[jwekey]
locker_key_identifier1 = ""
locker_key_identifier2 = ""
locker_encryption_key1 = ""
locker_encryption_key2 = ""
locker_decryption_key1 = ""
locker_decryption_key2 = ""
vault_encryption_key = ""
rust_locker_encryption_key = ""
vault_private_key = ""
Expand Down
3 changes: 1 addition & 2 deletions crates/router/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,8 @@ s3 = ["dep:aws-sdk-s3", "dep:aws-config"]
kms = ["external_services/kms", "dep:aws-config"]
email = ["external_services/email", "dep:aws-config", "olap"]
frm = []
basilisk = ["kms"]
stripe = ["dep:serde_qs"]
release = ["kms", "stripe", "basilisk", "s3", "email", "backwards_compatibility", "business_profile_routing", "accounts_cache", "kv_store", "connector_choice_mca_id", "profile_specific_fallback_routing", "vergen"]
release = ["kms", "stripe", "s3", "email", "backwards_compatibility", "business_profile_routing", "accounts_cache", "kv_store", "connector_choice_mca_id", "profile_specific_fallback_routing", "vergen"]
olap = ["data_models/olap", "storage_impl/olap", "scheduler/olap", "dep:analytics"]
oltp = ["storage_impl/oltp"]
kv_store = ["scheduler/kv_store"]
Expand Down
8 changes: 0 additions & 8 deletions crates/router/src/configs/kms.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,19 +13,11 @@ impl KmsDecrypt for settings::Jwekey {
kms_client: &KmsClient,
) -> CustomResult<Self::Output, KmsError> {
(
self.locker_encryption_key1,
self.locker_encryption_key2,
self.locker_decryption_key1,
self.locker_decryption_key2,
self.vault_encryption_key,
self.rust_locker_encryption_key,
self.vault_private_key,
self.tunnel_private_key,
) = tokio::try_join!(
kms_client.decrypt(self.locker_encryption_key1),
kms_client.decrypt(self.locker_encryption_key2),
kms_client.decrypt(self.locker_decryption_key1),
kms_client.decrypt(self.locker_decryption_key2),
kms_client.decrypt(self.vault_encryption_key),
kms_client.decrypt(self.rust_locker_encryption_key),
kms_client.decrypt(self.vault_private_key),
Expand Down
6 changes: 0 additions & 6 deletions crates/router/src/configs/settings.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -499,12 +499,6 @@ pub struct EphemeralConfig {
#[derive(Debug, Deserialize, Clone, Default)]
#[serde(default)]
pub struct Jwekey {
pub locker_key_identifier1: String,
pub locker_key_identifier2: String,
pub locker_encryption_key1: String,
pub locker_encryption_key2: String,
pub locker_decryption_key1: String,
pub locker_decryption_key2: String,
pub vault_encryption_key: String,
pub rust_locker_encryption_key: String,
pub vault_private_key: String,
Expand Down
264 changes: 0 additions & 264 deletions crates/router/src/core/payment_methods/vault.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ use common_utils::{
generate_id_with_default_len,
};
use error_stack::{report, IntoReport, ResultExt};
#[cfg(feature = "basilisk")]
use josekit::jwe;
use masking::PeekInterface;
use router_env::{instrument, tracing};
use scheduler::{types::process_data, utils as process_tracker_utils};
Expand All @@ -23,11 +21,7 @@ use crate::{
},
utils::{self, StringExt},
};
#[cfg(feature = "basilisk")]
use crate::{core::payment_methods::transformers as payment_methods, services, settings};
const VAULT_SERVICE_NAME: &str = "CARD";
#[cfg(feature = "basilisk")]
const VAULT_VERSION: &str = "0";

pub struct SupplementaryVaultData {
pub customer_id: Option<String>,
Expand Down Expand Up @@ -806,11 +800,6 @@ pub async fn create_tokenize(
}
Err(err) => {
logger::error!("Redis Temp locker Failed: {:?}", err);

#[cfg(feature = "basilisk")]
return old_create_tokenize(state, value1, value2, lookup_key).await;

#[cfg(not(feature = "basilisk"))]
Err(err)
}
}
Expand Down Expand Up @@ -874,11 +863,6 @@ pub async fn get_tokenized_data(
}
Err(err) => {
logger::error!("Redis Temp locker Failed: {:?}", err);

#[cfg(feature = "basilisk")]
return old_get_tokenized_data(state, lookup_key, _should_get_value2).await;

#[cfg(not(feature = "basilisk"))]
Err(err)
}
}
Expand Down Expand Up @@ -925,11 +909,6 @@ pub async fn delete_tokenized_data(state: &routes::AppState, lookup_key: &str) -
}
Err(err) => {
logger::error!("Redis Temp locker Failed: {:?}", err);

#[cfg(feature = "basilisk")]
return old_delete_tokenized_data(state, lookup_key).await;

#[cfg(not(feature = "basilisk"))]
Err(err)
}
}
Expand Down Expand Up @@ -1056,246 +1035,3 @@ pub async fn retry_delete_tokenize(
}

// Fallback logic of old temp locker needs to be removed later

#[cfg(feature = "basilisk")]
async fn get_locker_jwe_keys(
keys: &settings::ActiveKmsSecrets,
) -> CustomResult<(String, String), errors::EncryptionError> {
let keys = keys.jwekey.peek();
let key_id = get_key_id(keys);
let (public_key, private_key) = if key_id == keys.locker_key_identifier1 {
(&keys.locker_encryption_key1, &keys.locker_decryption_key1)
} else if key_id == keys.locker_key_identifier2 {
(&keys.locker_encryption_key2, &keys.locker_decryption_key2)
} else {
return Err(errors::EncryptionError.into());
};

Ok((public_key.to_string(), private_key.to_string()))
}

#[cfg(feature = "basilisk")]
#[instrument(skip(state, value1, value2))]
pub async fn old_create_tokenize(
state: &routes::AppState,
value1: String,
value2: Option<String>,
lookup_key: String,
) -> RouterResult<String> {
let payload_to_be_encrypted = api::TokenizePayloadRequest {
value1,
value2: value2.unwrap_or_default(),
lookup_key,
service_name: VAULT_SERVICE_NAME.to_string(),
};
let payload = utils::Encode::<api::TokenizePayloadRequest>::encode_to_string_of_json(
&payload_to_be_encrypted,
)
.change_context(errors::ApiErrorResponse::InternalServerError)?;

let (public_key, private_key) = get_locker_jwe_keys(&state.kms_secrets)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encryption key")?;
let encrypted_payload = services::encrypt_jwe(payload.as_bytes(), public_key)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encrypt JWE response")?;

let create_tokenize_request = api::TokenizePayloadEncrypted {
payload: encrypted_payload,
key_id: get_key_id(&state.conf.jwekey).to_string(),
version: Some(VAULT_VERSION.to_string()),
};
let request = payment_methods::mk_crud_locker_request(
&state.conf.locker,
"/tokenize",
create_tokenize_request,
)
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Making tokenize request failed")?;
let response = services::call_connector_api(state, request)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)?;

match response {
Ok(r) => {
let resp: api::TokenizePayloadEncrypted = r
.response
.parse_struct("TokenizePayloadEncrypted")
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Decoding Failed for TokenizePayloadEncrypted")?;
let alg = jwe::RSA_OAEP_256;
let decrypted_payload = services::decrypt_jwe(
&resp.payload,
services::KeyIdCheck::RequestResponseKeyId((
get_key_id(&state.conf.jwekey),
&resp.key_id,
)),
private_key,
alg,
)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Decrypt Jwe failed for TokenizePayloadEncrypted")?;
let get_response: api::GetTokenizePayloadResponse = decrypted_payload
.parse_struct("GetTokenizePayloadResponse")
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable(
"Error getting GetTokenizePayloadResponse from tokenize response",
)?;
Ok(get_response.lookup_key)
}
Err(err) => {
metrics::TEMP_LOCKER_FAILURES.add(&metrics::CONTEXT, 1, &[]);
Err(errors::ApiErrorResponse::InternalServerError)
.into_report()
.attach_printable(format!("Got 4xx from the basilisk locker: {err:?}"))
}
}
}

#[cfg(feature = "basilisk")]
pub async fn old_get_tokenized_data(
state: &routes::AppState,
lookup_key: &str,
should_get_value2: bool,
) -> RouterResult<api::TokenizePayloadRequest> {
metrics::GET_TOKENIZED_CARD.add(&metrics::CONTEXT, 1, &[]);
let payload_to_be_encrypted = api::GetTokenizePayloadRequest {
lookup_key: lookup_key.to_string(),
get_value2: should_get_value2,
service_name: VAULT_SERVICE_NAME.to_string(),
};
let payload = serde_json::to_string(&payload_to_be_encrypted)
.map_err(|_x| errors::ApiErrorResponse::InternalServerError)?;

let (public_key, private_key) = get_locker_jwe_keys(&state.kms_secrets)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encryption key")?;
let encrypted_payload = services::encrypt_jwe(payload.as_bytes(), public_key)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encrypt JWE response")?;
let create_tokenize_request = api::TokenizePayloadEncrypted {
payload: encrypted_payload,
key_id: get_key_id(&state.conf.jwekey).to_string(),
version: Some("0".to_string()),
};
let request = payment_methods::mk_crud_locker_request(
&state.conf.locker,
"/tokenize/get",
create_tokenize_request,
)
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Making Get Tokenized request failed")?;
let response = services::call_connector_api(state, request)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)?;
match response {
Ok(r) => {
let resp: api::TokenizePayloadEncrypted = r
.response
.parse_struct("TokenizePayloadEncrypted")
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Decoding Failed for TokenizePayloadEncrypted")?;
let alg = jwe::RSA_OAEP_256;
let decrypted_payload = services::decrypt_jwe(
&resp.payload,
services::KeyIdCheck::RequestResponseKeyId((
get_key_id(&state.conf.jwekey),
&resp.key_id,
)),
private_key,
alg,
)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("GetTokenizedApi: Decrypt Jwe failed for TokenizePayloadEncrypted")?;
let get_response: api::TokenizePayloadRequest = decrypted_payload
.parse_struct("TokenizePayloadRequest")
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting TokenizePayloadRequest from tokenize response")?;
Ok(get_response)
}
Err(err) => {
metrics::TEMP_LOCKER_FAILURES.add(&metrics::CONTEXT, 1, &[]);
match err.status_code {
404 => Err(errors::ApiErrorResponse::UnprocessableEntity {
message: "Token is invalid or expired".into(),
}
.into()),
_ => Err(errors::ApiErrorResponse::InternalServerError)
.into_report()
.attach_printable(format!("Got error from the basilisk locker: {err:?}")),
}
}
}
}

#[cfg(feature = "basilisk")]
pub async fn old_delete_tokenized_data(
state: &routes::AppState,
lookup_key: &str,
) -> RouterResult<()> {
metrics::DELETED_TOKENIZED_CARD.add(&metrics::CONTEXT, 1, &[]);
let payload_to_be_encrypted = api::DeleteTokenizeByTokenRequest {
lookup_key: lookup_key.to_string(),
service_name: VAULT_SERVICE_NAME.to_string(),
};
let payload = serde_json::to_string(&payload_to_be_encrypted)
.into_report()
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error serializing api::DeleteTokenizeByTokenRequest")?;

let (public_key, _private_key) = get_locker_jwe_keys(&state.kms_secrets.clone())
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encryption key")?;
let encrypted_payload = services::encrypt_jwe(payload.as_bytes(), public_key)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error getting Encrypt JWE response")?;
let create_tokenize_request = api::TokenizePayloadEncrypted {
payload: encrypted_payload,
key_id: get_key_id(&state.conf.jwekey).to_string(),
version: Some("0".to_string()),
};
let request = payment_methods::mk_crud_locker_request(
&state.conf.locker,
"/tokenize/delete/token",
create_tokenize_request,
)
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Making Delete Tokenized request failed")?;
let response = services::call_connector_api(state, request)
.await
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Error while making /tokenize/delete/token call to the locker")?;
match response {
Ok(r) => {
let _delete_response = std::str::from_utf8(&r.response)
.into_report()
.change_context(errors::ApiErrorResponse::InternalServerError)
.attach_printable("Decoding Failed for basilisk delete response")?;
Ok(())
}
Err(err) => {
metrics::TEMP_LOCKER_FAILURES.add(&metrics::CONTEXT, 1, &[]);
Err(errors::ApiErrorResponse::InternalServerError)
.into_report()
.attach_printable(format!("Got 4xx from the basilisk locker: {err:?}"))
}
}
}

#[cfg(feature = "basilisk")]
pub fn get_key_id(keys: &settings::Jwekey) -> &str {
let key_identifier = "1"; // [#46]: Fetch this value from redis or external sources
if key_identifier == "1" {
&keys.locker_key_identifier1
} else {
&keys.locker_key_identifier2
}
}
Loading
Loading