Pull through file/streaming encrypt+decrypt (and unmanaged of the same)

Author: skeet70

Cargo.lock

@@ -10,7 +10,7 @@ bindgen = "0.72"
 cfg-if = "1"
 env_logger = { version = "0.11", default-features = false }
 flapigen = { git = "https://github.com/Dushistov/flapigen-rs.git", rev = "49a59f68" }
-ironoxide = { version = "4.2", features = [
+ironoxide = { path = "../ironoxide", features = [
   "blocking",
   "beta",
   "tls-rustls",

Cargo.toml

@@ -1411,3 +1411,113 @@ mod blind_index_search {
             .collect())
     }
 }
+
+mod document_file_encrypt_result {
+    use super::*;
+
+    pub fn id(d: &DocumentFileEncryptResult) -> DocumentId {
+        d.id().clone()
+    }
+    pub fn name(d: &DocumentFileEncryptResult) -> Option<DocumentName> {
+        d.name().cloned()
+    }
+    pub fn created(d: &DocumentFileEncryptResult) -> OffsetDateTime {
+        *d.created()
+    }
+    pub fn last_updated(d: &DocumentFileEncryptResult) -> OffsetDateTime {
+        *d.last_updated()
+    }
+}
+
+impl document_access_change_result::DocumentAccessChange for DocumentFileEncryptResult {
+    fn changed(&self) -> document_access_change_result::SucceededResult {
+        document_access_change_result::to_succeeded_result(self.grants())
+    }
+
+    fn errors(&self) -> document_access_change_result::FailedResult {
+        document_access_change_result::to_failed_result(self.access_errs())
+    }
+}
+
+mod document_file_encrypt_unmanaged_result {
+    use super::*;
+
+    pub fn id(d: &DocumentFileEncryptUnmanagedResult) -> DocumentId {
+        d.id().clone()
+    }
+    pub fn encrypted_deks(d: &DocumentFileEncryptUnmanagedResult) -> Vec<i8> {
+        u8_conv(d.encrypted_deks()).to_vec()
+    }
+}
+
+impl document_access_change_result::DocumentAccessChange for DocumentFileEncryptUnmanagedResult {
+    fn changed(&self) -> document_access_change_result::SucceededResult {
+        document_access_change_result::to_succeeded_result(self.grants())
+    }
+
+    fn errors(&self) -> document_access_change_result::FailedResult {
+        document_access_change_result::to_failed_result(self.access_errs())
+    }
+}
+
+mod document_file_decrypt_result {
+    use super::*;
+
+    pub fn id(d: &DocumentFileDecryptResult) -> DocumentId {
+        d.id().clone()
+    }
+    pub fn name(d: &DocumentFileDecryptResult) -> Option<DocumentName> {
+        d.name().cloned()
+    }
+}
+
+mod document_file_decrypt_unmanaged_result {
+    use super::*;
+    use crate::document_decrypt_unmanaged_result::UserOrGroupId;
+
+    pub fn id(d: &DocumentFileDecryptUnmanagedResult) -> DocumentId {
+        d.id().clone()
+    }
+    pub fn access_via(d: &DocumentFileDecryptUnmanagedResult) -> UserOrGroupId {
+        let (id, is_user) = match d.access_via() {
+            UserOrGroup::User { id } => (id.id().to_string(), true),
+            UserOrGroup::Group { id } => (id.id().to_string(), false),
+        };
+        UserOrGroupId::new(id, is_user)
+    }
+}
+
+fn document_file_encrypt(
+    sdk: &IronOxide,
+    source_path: &str,
+    destination_path: &str,
+    opts: &DocumentEncryptOpts,
+) -> Result<DocumentFileEncryptResult, String> {
+    Ok(sdk.document_file_encrypt(source_path, destination_path, opts)?)
+}
+
+fn document_file_decrypt(
+    sdk: &IronOxide,
+    source_path: &str,
+    destination_path: &str,
+) -> Result<DocumentFileDecryptResult, String> {
+    Ok(sdk.document_file_decrypt(source_path, destination_path)?)
+}
+
+fn document_file_encrypt_unmanaged(
+    sdk: &IronOxide,
+    source_path: &str,
+    destination_path: &str,
+    opts: &DocumentEncryptOpts,
+) -> Result<DocumentFileEncryptUnmanagedResult, String> {
+    Ok(sdk.document_file_encrypt_unmanaged(source_path, destination_path, opts)?)
+}
+
+fn document_file_decrypt_unmanaged(
+    sdk: &IronOxide,
+    source_path: &str,
+    destination_path: &str,
+    encrypted_deks: &[i8],
+) -> Result<DocumentFileDecryptUnmanagedResult, String> {
+    Ok(sdk.document_file_decrypt_unmanaged(source_path, destination_path, i8_conv(encrypted_deks))?)
+}

common/lib.rs

@@ -757,6 +757,66 @@ class DocumentAccessResult {
     pre_build_generate_equals_and_hashcode DocumentAccessResult;
 });
 
+foreign_class!(
+/// Result of file encryption (managed). Contains metadata about the encrypted document.
+class DocumentFileEncryptResult {
+    self_type DocumentFileEncryptResult;
+    private constructor = empty;
+    /// Unique (within the segment) id of the document
+    fn document_file_encrypt_result::id(&self) -> DocumentId; alias getId;
+    /// Non-unique document name
+    fn document_file_encrypt_result::name(&self) -> Option<DocumentName>; alias getName;
+    /// When the document was created
+    fn document_file_encrypt_result::created(&self) -> OffsetDateTime; alias getCreated;
+    /// When the document was last updated
+    fn document_file_encrypt_result::last_updated(&self) -> OffsetDateTime; alias getLastUpdated;
+    /// Get the users and groups whose access was successfully granted
+    fn DocumentAccessChange::changed(&self) -> SucceededResult; alias getChanged;
+    /// Get the users and groups whose access failed to be granted
+    fn DocumentAccessChange::errors(&self) -> FailedResult; alias getErrors;
+    pre_build_generate_equals_and_hashcode DocumentFileEncryptResult;
+});
+
+foreign_class!(
+/// Result of file encryption (unmanaged). Contains the document ID and encrypted DEKs.
+class DocumentFileEncryptUnmanagedResult {
+    self_type DocumentFileEncryptUnmanagedResult;
+    private constructor = empty;
+    /// Unique (within the segment) id of the document
+    fn document_file_encrypt_unmanaged_result::id(&self) -> DocumentId; alias getId;
+    /// Bytes of encrypted document encryption keys (EDEKs)
+    fn document_file_encrypt_unmanaged_result::encrypted_deks(&self) -> Vec<i8>; alias getEncryptedDeks;
+    /// Get the users and groups whose access was successfully granted
+    fn DocumentAccessChange::changed(&self) -> SucceededResult; alias getChanged;
+    /// Get the users and groups whose access failed to be granted
+    fn DocumentAccessChange::errors(&self) -> FailedResult; alias getErrors;
+    pre_build_generate_equals_and_hashcode DocumentFileEncryptUnmanagedResult;
+});
+
+foreign_class!(
+/// Result of file decryption (managed). Contains minimal metadata about the decrypted document.
+class DocumentFileDecryptResult {
+    self_type DocumentFileDecryptResult;
+    private constructor = empty;
+    /// Unique (within the segment) id of the document
+    fn document_file_decrypt_result::id(&self) -> DocumentId; alias getId;
+    /// Non-unique document name
+    fn document_file_decrypt_result::name(&self) -> Option<DocumentName>; alias getName;
+    pre_build_generate_equals_and_hashcode DocumentFileDecryptResult;
+});
+
+foreign_class!(
+/// Result of file decryption (unmanaged). Contains the document ID and access info.
+class DocumentFileDecryptUnmanagedResult {
+    self_type DocumentFileDecryptUnmanagedResult;
+    private constructor = empty;
+    /// Unique (within the segment) id of the document
+    fn document_file_decrypt_unmanaged_result::id(&self) -> DocumentId; alias getId;
+    /// User/Group that granted access to the encrypted data
+    fn document_file_decrypt_unmanaged_result::access_via(&self) -> UserOrGroupId; alias getAccessViaUserOrGroup;
+    pre_build_generate_equals_and_hashcode DocumentFileDecryptUnmanagedResult;
+});
+
 foreign_class!(
 /// Policy evaluation caching config
 ///
@@ -1066,6 +1126,41 @@ class IronOxide {
     /// @return result containing updated EDEKs and per-user/group success/failure
     fn document_revoke_access_unmanaged(&self, edeks: &[i8], userRevokes: &[UserId], groupRevokes: &[GroupId])
         -> Result<DocumentAccessUnmanagedResult, String>; alias documentRevokeAccessUnmanaged;
+    /// Encrypt a file from source path to destination path (managed).
+    /// Uses streaming I/O with constant memory usage. The output format is identical to documentEncrypt.
+    ///
+    /// @param sourcePath       path to the plaintext file to encrypt
+    /// @param destinationPath  path where the encrypted file will be written
+    /// @param encryptOpts      optional document encrypt parameters
+    /// @return metadata about the encrypted document including id, name, timestamps, and access grants/errors
+    fn document_file_encrypt(&self, sourcePath: &str, destinationPath: &str, encryptOpts: &DocumentEncryptOpts)
+        -> Result<DocumentFileEncryptResult, String>; alias documentFileEncrypt;
+    /// Decrypt an encrypted file to destination path (managed).
+    /// Uses streaming I/O with constant memory usage.
+    ///
+    /// @param sourcePath       path to the encrypted file to decrypt
+    /// @param destinationPath  path where the decrypted file will be written
+    /// @return metadata about the decrypted document including id and name
+    fn document_file_decrypt(&self, sourcePath: &str, destinationPath: &str)
+        -> Result<DocumentFileDecryptResult, String>; alias documentFileDecrypt;
+    /// Encrypt a file from source path to destination path (unmanaged).
+    /// Uses streaming I/O with constant memory usage. Returns encrypted DEKs instead of storing them on the server.
+    ///
+    /// @param sourcePath       path to the plaintext file to encrypt
+    /// @param destinationPath  path where the encrypted file will be written
+    /// @param encryptOpts      optional document encrypt parameters
+    /// @return document ID, encrypted DEKs, and access grants/errors
+    fn document_file_encrypt_unmanaged(&self, sourcePath: &str, destinationPath: &str, encryptOpts: &DocumentEncryptOpts)
+        -> Result<DocumentFileEncryptUnmanagedResult, String>; alias documentFileEncryptUnmanaged;
+    /// Decrypt an encrypted file to destination path (unmanaged).
+    /// Uses streaming I/O with constant memory usage. Caller provides encrypted DEKs.
+    ///
+    /// @param sourcePath       path to the encrypted file to decrypt
+    /// @param destinationPath  path where the decrypted file will be written
+    /// @param encryptedDeks    encrypted document encryption keys
+    /// @return document ID and the user/group that granted access
+    fn document_file_decrypt_unmanaged(&self, sourcePath: &str, destinationPath: &str, encryptedDeks: &[i8])
+        -> Result<DocumentFileDecryptUnmanagedResult, String>; alias documentFileDecryptUnmanaged;
     /// Initialize IronOxide with a device and a pre-populated public key cache.
     ///
     /// @param init            device context used to initialize the IronOxide with a set of device keys

common/lib.rs.in

@@ -1,5 +1,7 @@
 #include "acutest.h"
 #include <cstdlib>
+#include <cstdio>
+#include <fstream>
 #include <iostream>
 #include <random>
 #include "IronOxide.hpp"
@@ -273,6 +275,46 @@ void export_reimport_public_key_cache(void)
     TEST_CHECK_(doc_list.getResult().as_slice().size() >= 0, "Should be able to list documents after reinit with cache.");
 }
 
+void file_encrypt_decrypt_unmanaged_roundtrip(void)
+{
+    DeviceContext d = unwrap(DeviceContext::fromJsonString(deviceContextString));
+    IronOxide sdk = unwrap(IronOxide::initialize(d, IronOxideConfig()));
+
+    // Create temp file paths
+    std::string source_path = "/tmp/ironoxide_cpp_test_source.txt";
+    std::string encrypted_path = "/tmp/ironoxide_cpp_test_encrypted.iron";
+    std::string decrypted_path = "/tmp/ironoxide_cpp_test_decrypted.txt";
+
+    // Write test data to source file
+    std::string test_data = "Hello, streaming encryption from C++!";
+    {
+        std::ofstream out(source_path, std::ios::binary);
+        out.write(test_data.data(), test_data.size());
+    }
+
+    // Encrypt file
+    auto encrypt_result = unwrap(sdk.documentFileEncryptUnmanaged(source_path.c_str(), encrypted_path.c_str(), DocumentEncryptOpts()));
+    TEST_CHECK_(encrypt_result.getId().getId().to_std_string().length() == 32, "Document ID should be 32 chars.");
+    TEST_CHECK_(encrypt_result.getEncryptedDeks().size() > 0, "Encrypted DEKs should be non-empty.");
+
+    // Decrypt file
+    auto decrypt_result = unwrap(sdk.documentFileDecryptUnmanaged(
+        encrypted_path.c_str(),
+        decrypted_path.c_str(),
+        vec_to_slice(encrypt_result.getEncryptedDeks())));
+    TEST_CHECK_(decrypt_result.getId() == encrypt_result.getId(), "Document IDs should match.");
+
+    // Read decrypted file and verify contents
+    std::ifstream in(decrypted_path, std::ios::binary);
+    std::string decrypted_data((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
+    TEST_CHECK_(decrypted_data == test_data, "Decrypted file content should match original.");
+
+    // Cleanup temp files
+    std::remove(source_path.c_str());
+    std::remove(encrypted_path.c_str());
+    std::remove(decrypted_path.c_str());
+}
+
 TEST_LIST = {
     {"test_user_id", test_user_id},
     {"test_user_id_error", test_user_id_error},
@@ -288,4 +330,5 @@ TEST_LIST = {
     {"unmanaged_metadata_and_id", unmanaged_metadata_and_id},
     {"unmanaged_grant_access", unmanaged_grant_access},
     {"export_reimport_public_key_cache", export_reimport_public_key_cache},
+    {"file_encrypt_decrypt_unmanaged_roundtrip", file_encrypt_decrypt_unmanaged_roundtrip},
     {NULL, NULL}};