feat: Enforce EDV document ID format in EDVFormatProvider

[DRK3]

Signed-off-by: Derek Trider Derek.Trider@securekey.com

also closes #2228

[DRK3]

An explanation of why this is needed:

While working on the EDV REST provider, I realized an issue with the approach I was taking. The spec says that the ID in a structured document and encrypted document MUST be a Base58-encoded 128-bit random value. This PR provides a solution to that problem while still allowing the client to use a "regular" non-Base58-encoded 128-bit random value.

Here's how it works:

• The EDVFormatProvider is initialized with a key to be used for HMAC operations.
• When storing documents, an EDV-compatible ID is randomly generated. This is the ID that is used for the underlying provider. The "user-provided" key (the one that's passed into the EDVFormatProvider) is hashed using an HMAC function. The hashed value is set as an EDV encrypted index
• When retrieving documents, the "user-provided" key is hashed. This hashed value is then used to query the underlying provider for the original document.

This generic indexing+querying approach should work with the upcoming EDV REST provider and any other providers that support querying.

@sandrask @troyronda And anyone else who reviews this: let me know what you think of this approach.

[DRK3]

I realize this name is a little bit funny. Let me know if you have any suggestions.

[baha-ai]

MACDigester is better as we are usually talking about a message digest when referring to Mac.

[DRK3]

Done!

[llorllale]

Approved. Messy workaround necessary - request to remove this document ID constraint from the spec was filed a while ago: https://github.com/decentralized-identity/secure-data-store/issues/112

failing CI

[baha-ai]

query argument is not refactored following the signature change above

[DRK3]

Fixed

[codecov]

Codecov Report

Merging #2263 into master will decrease coverage by 0.02%.
The diff coverage is 86.48%.

@@            Coverage Diff             @@
##           master    #2263      +/-   ##
==========================================
- Coverage   89.90%   89.87%   -0.03%     
==========================================
  Files         226      226              
  Lines       15103    15158      +55     
==========================================
+ Hits        13579    13624      +45     
- Misses        903      908       +5     
- Partials      621      626       +5     

Impacted Files	Coverage Δ
pkg/storage/wrapper/prefix/prefix_wrapper.go	94.44% <ø> (ø)
pkg/storage/edv/formatprovider/formatprovider.go	90.09% <84.84%> (-9.91%)	⬇️
...storage/edv/documentprocessor/documentprocessor.go	86.66% <100.00%> (+0.95%)	⬆️
pkg/storage/mem/mem_store.go	100.00% <100.00%> (+1.08%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f8f6921...b51ab9a. Read the comment docs.

[llorllale]

Just noticed these issues:

• DocumentProcessor is inside the edv/formatprovider package instead of being a first-class storage citizen (like we discussed previously). To recall: the "document processor" encrypts all artifacts into a standard form and would be reused with other storage implementations
• It looks like the documentprocessor does not encrypt the indexed attribute collection. Does it really need to be an argument? It's not even returned from Decrypt(), so there is an asymmetry here

[DRK3]

• The DocumentProcessor is used by the EDVFormatProvider, which allows the EDV format to be reused with any other storage implementation. There's no need for a "standard form".
• The indexed attributes are hashed before being passed in to the DocumentProcessor. This is what allows the documents to be queried. This allows us to still get documents based on a key per the usual provider method signature, so from the outside, an EDVFormatProvider (with whatever underlying provider you want) still works the same as any other provider. StructuredDocuments don't have encrypted indices, so they aren't returned.

[DRK3]

Now, I could create some sort of even more general DocumentProcessor class that just assumes JWE as what's being used for encryption. Or I could make it even more general and have it deal with just []byte. What do you think?

[DRK3]

Just realized one potentially confusing thing: the EDV spec calls them "Encrypted Indices", although they're actually HMACed.

[DRK3]

Note that the EDVFormatProvider will still require the more specific DocumentProcessor that deals with Structured and Encrypted Documents per the spec

[llorllale]

@DRK3

Now, I could create some sort of even more general DocumentProcessor class that just assumes JWE as what's being used for encryption. Or I could make it even more general and have it deal with just []byte. What do you think?

Last time we agreed we'd use the EDV format across all stores. The format would be pluggable, thus we'd have an "edv format" and potentially other formats. All would adhere to some common interface. This interface would a first-class citizen under storage or somewhere not far from it.

I guess we can regroup on monday.

[llorllale]

Output of monday's session will be a GitHub issue with the high-level tasks and design of pluggable encrypted formats that can be reused across all store implementations

[llorllale]

Wrote down general direction here: #2199 (comment)

[DRK3]

Created an issue and added a ToDo above the FormatProvider: #2273

[DRK3]

My next PR will be to generalize this FormatProvider. This will involve moving it out of the edv folder and moving logic around to different places

[llorllale]

Let's first discuss this PR's direction as indicated here

[troyronda]

Why isn't formatStore a pointer receiver (i.e., *formatStore)?

when in doubt, use a pointer receiver.

[DRK3]

Yes, that's a mistake. I had originally fixed it in this PR (you'll see it if you go back a few force-commits), but since I'll be moving this entire file per #2263 (comment), I figured that it would make more sense to keep this PR small and fix it in the next one. I'll make a note in that issue to fix it so that I don't miss it.