Skip to content

[Client encryption] Add synchronous initialization to CosmosDataEncryptionKeyProvider #5423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

[Client encryption] Add synchronous initialization to CosmosDataEncryptionKeyProvider #5423

wants to merge 10 commits into from

Conversation

@MartinSarkany
Copy link
Contributor

@MartinSarkany MartinSarkany commented Sep 24, 2025
edited
Loading

Pull Request Template

Description

Adds synchronous initialization to CosmosDataEncryptionKeyProvider.
Depends on #5418 due to TestEncryptionKeyStoreProvider being introduced there.

Type of change

Please delete options that are not relevant.

  • [] New feature (non-breaking change which adds functionality)

Closing issues

closes #5400

@MartinSarkany MartinSarkany marked this pull request as ready for review September 24, 2025 15:41
@MartinSarkany MartinSarkany changed the title Add synchronous initialization to CosmosDataEncryptionKeyProvider [Client encryption] Add synchronous initialization to CosmosDataEncryptionKeyProvider Sep 24, 2025
juraj-blazek
juraj-blazek reviewed Sep 24, 2025
View reviewed changes
Copy link
Contributor

@juraj-blazek juraj-blazek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to regenerate public API contracts, too

@MartinSarkany
Copy link
Contributor Author

MartinSarkany commented Sep 24, 2025

We need to regenerate public API contracts, too

I'll update it after #5373 that fixes the contracts is merged. It is broken at the moment.

@adamnova
Copy link
Contributor

adamnova commented Sep 29, 2025

We need to regenerate public API contracts, too

I'll update it after #5373 that fixes the contracts is merged. It is broken at the moment.

But it should work for .net 6 at least.

kirankumarkolli
kirankumarkolli reviewed Nov 11, 2025
View reviewed changes
Microsoft.Azure.Cosmos.Encryption.Custom/src/CosmosDataEncryptionKeyProvider.cs
/// Initialize using an existing Cosmos DB container for storing wrapped DEKs.
/// </summary>
/// <param name="container">Existing Cosmos DB container.</param>
public void Initialize(Container container)
Copy link
Member

@kirankumarkolli kirankumarkolli Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are assumptions about the partition-key which were validated in initialization
Its even high impactful post initialization if CosmosDB is unavailable right?

Copy link
Contributor Author

@MartinSarkany MartinSarkany Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added it to XML doc.

kirankumarkolli
kirankumarkolli reviewed Nov 12, 2025
View reviewed changes
Microsoft.Azure.Cosmos.Encryption.Custom/src/CosmosDataEncryptionKeyProvider.cs Outdated
}

/// <summary>
/// Initialize using an existing Cosmos DB container for storing wrapped DEKs.
Copy link
Member

@kirankumarkolli kirankumarkolli Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please include the container requirements (ex: partitionKeyDefinition)
And also call out right usage pattern

Copy link
Contributor Author

@MartinSarkany MartinSarkany Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I extended the XML doc with these details.

kirankumarkolli
kirankumarkolli reviewed Nov 12, 2025
View reviewed changes
Microsoft.Azure.Cosmos.Encryption.Custom/src/CosmosDataEncryptionKeyProvider.cs Outdated
{
this.ThrowIfAlreadyInitialized();

this.container = container ?? throw new ArgumentNullException(nameof(container));
Copy link
Member

@kirankumarkolli kirankumarkolli Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on handling non-existing containers on Fetch* API's? (i.e. on failure attempt re-create it)

Copy link
Member

@kirankumarkolli kirankumarkolli Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concurrency control is also an important aspect

Copy link
Contributor Author

@MartinSarkany MartinSarkany Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed the race condition.

However, I'm not sure about container re-creation as the container should exist after successful initialization and we probably can't re-create the same container if it's initialized using the Initialize() method. The caller has an option to react to failure by providing a new Container or using InitializeAsync() instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kirankumarkolli kirankumarkolli kirankumarkolli left review comments

@FabianMeiswinkel FabianMeiswinkel Awaiting requested review from FabianMeiswinkel FabianMeiswinkel is a code owner

@sboshra sboshra Awaiting requested review from sboshra sboshra is a code owner

@Pilchie Pilchie Awaiting requested review from Pilchie Pilchie is a code owner

+2 more reviewers

@juraj-blazek juraj-blazek juraj-blazek approved these changes

@adamnova adamnova adamnova approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Client encryption]: Initialize CosmosDataEncryptionKeyProvider without making a backend call

4 participants

@MartinSarkany @adamnova @kirankumarkolli @juraj-blazek