Update key management for database service
This commit is contained in:
@@ -1,124 +1,53 @@
|
||||
import Foundation
|
||||
import DataLiteCore
|
||||
|
||||
/// A protocol for supplying encryption keys to `DatabaseService` instances.
|
||||
/// A protocol for providing encryption keys to a database service.
|
||||
///
|
||||
/// `DatabaseServiceKeyProvider` encapsulates all responsibilities for managing encryption keys
|
||||
/// for one or more `DatabaseService` instances. It allows a database service to delegate key
|
||||
/// retrieval, secure storage, rotation, and access control, enabling advanced security strategies
|
||||
/// such as per-user key derivation, hardware-backed keys, biometric authentication, or ephemeral
|
||||
/// in-memory secrets.
|
||||
/// `DatabaseServiceKeyProvider` is responsible for managing encryption keys used
|
||||
/// by a database service. This makes it possible to implement different strategies for storing
|
||||
/// and retrieving keys: static, dynamic, hardware-backed, biometric, and others.
|
||||
///
|
||||
/// The provider is queried automatically by the database service whenever a new connection
|
||||
/// is created or re-established (for example, during service initialization, after a reconnect,
|
||||
/// or when the service requests a key rotation).
|
||||
/// - The service requests a key when establishing or restoring a connection.
|
||||
/// - If decryption fails, the service may ask the provider whether it should attempt to reconnect.
|
||||
/// - If applying a key fails (for example, the key does not match or the
|
||||
/// ``databaseService(keyFor:)`` method throws an error), this error is reported
|
||||
/// to the provider through ``databaseService(_:didReceive:)``.
|
||||
///
|
||||
/// Error handling and diagnostics related specifically to encryption or key operations
|
||||
/// (such as when a key is unavailable, authentication is denied, or decryption fails)
|
||||
/// are reported to the provider via the optional ``databaseService(_:didReceive:)`` callback.
|
||||
/// The provider is **not** notified of generic database or connection errors unrelated to
|
||||
/// encryption.
|
||||
/// - Important: The provider does not receive notifications about general database errors.
|
||||
///
|
||||
/// - Important: This protocol is **exclusively** for cryptographic key management.
|
||||
/// It must not be used for generic database error handling or for concerns unrelated to
|
||||
/// encryption, authorization, or key lifecycle.
|
||||
/// ## Topics
|
||||
///
|
||||
/// ## Key Availability
|
||||
/// ### Instance Methods
|
||||
///
|
||||
/// There are two distinct scenarios for returning a key:
|
||||
///
|
||||
/// - **No Encryption Needed:**
|
||||
/// Return `nil` if the target database does not require encryption (i.e., should be opened
|
||||
/// in plaintext mode). This is not an error; the database service will attempt to open the
|
||||
/// database without a key. If the database is in fact encrypted, this will result in a
|
||||
/// decryption error at the SQLite level (e.g., `SQLITE_NOTADB`), which is handled by the
|
||||
/// database service as a normal failure.
|
||||
///
|
||||
/// - **Key Temporarily Unavailable:**
|
||||
/// Also return `nil` if the key is *temporarily* unavailable for any reason (for example,
|
||||
/// the user has not yet authenticated, the device is locked, a remote key is still loading,
|
||||
/// or UI authorization has not been granted).
|
||||
/// Returning `nil` in this case means the database service will not attempt to open
|
||||
/// the database with a key. This will not trigger an error callback.
|
||||
/// When the key later becomes available (for example, after user authentication or
|
||||
/// successful network retrieval), **the provider is responsible for calling**
|
||||
/// ``DatabaseService/reconnect()`` on the service to re-attempt the operation with the key.
|
||||
///
|
||||
/// - **Error Situations:**
|
||||
/// Only throw an error if a *permanent* or *unexpected* failure occurs (for example,
|
||||
/// a hardware security error, a fatal storage problem, or a cryptographic failure
|
||||
/// that cannot be resolved by waiting or user action).
|
||||
/// Thrown errors will be reported to the provider via the error callback, and may be
|
||||
/// surfaced to the UI or logs.
|
||||
///
|
||||
/// - Tip: Never throw for temporary unavailability (such as "user has not unlocked" or
|
||||
/// "still waiting for user action")—just return `nil` in these cases.
|
||||
/// Use thrown errors only for non-recoverable or unexpected failures.
|
||||
///
|
||||
/// ## Error Callback
|
||||
///
|
||||
/// The method ``databaseService(_:didReceive:)`` will be called only for errors thrown by
|
||||
/// ``databaseServiceKey(_:)`` or by the key application process (such as if the key fails
|
||||
/// to decrypt the database).
|
||||
/// It will *not* be called for generic database or connection errors.
|
||||
///
|
||||
/// Implement this method if you wish to log, recover from, or respond to permanent key-related
|
||||
/// failures (such as prompting the user, resetting state, or displaying errors).
|
||||
public protocol DatabaseServiceKeyProvider: AnyObject {
|
||||
/// Returns the encryption key to be applied to the given database service.
|
||||
/// - ``databaseService(keyFor:)``
|
||||
/// - ``databaseService(shouldReconnect:)``
|
||||
/// - ``databaseService(_:didReceive:)``
|
||||
public protocol DatabaseServiceKeyProvider: AnyObject, Sendable {
|
||||
/// Returns the encryption key for the specified database service.
|
||||
///
|
||||
/// This method is invoked by the `DatabaseService` during connection initialization,
|
||||
/// reconnection, or explicit key rotation. Implementations may return a static key,
|
||||
/// derive it from external data, fetch it from secure hardware, or perform required
|
||||
/// user authentication.
|
||||
/// May return `nil` if the encryption key is currently unavailable or if the database
|
||||
/// does not require encryption.
|
||||
///
|
||||
/// - Parameter service: The requesting database service.
|
||||
/// - Returns: A `Connection.Key` representing the encryption key, or `nil` if encryption is
|
||||
/// not required for this database or the key is temporarily unavailable. Returning `nil`
|
||||
/// will cause the database service to attempt opening the database in plaintext mode.
|
||||
/// If the database is actually encrypted, access will fail with a decryption error.
|
||||
/// - Throws: Only throw for unrecoverable or unexpected errors (such as hardware failure,
|
||||
/// fatal storage issues, or irrecoverable cryptographic errors). Do **not** throw for
|
||||
/// temporary unavailability; instead, return `nil` and call ``DatabaseService/reconnect()``
|
||||
/// later when the key becomes available.
|
||||
///
|
||||
/// - Note: This method may be called multiple times during the lifecycle of a service,
|
||||
/// including after a failed decryption attempt or key rotation event.
|
||||
func databaseServiceKey(_ service: DatabaseService) throws -> Connection.Key?
|
||||
/// - Parameter service: The service requesting the key.
|
||||
/// - Returns: The encryption key or `nil`.
|
||||
/// - Throws: An error if the key cannot be retrieved.
|
||||
func databaseService(keyFor service: DatabaseServiceProtocol) throws -> Connection.Key?
|
||||
|
||||
/// Notifies the provider that the database service encountered an error
|
||||
/// related to key retrieval or application.
|
||||
/// Indicates whether the service should attempt to reconnect if applying the key fails.
|
||||
///
|
||||
/// This method is called **only** when the service fails to retrieve or apply an
|
||||
/// encryption key (e.g., if ``databaseServiceKey(_:)`` throws, or if the key fails
|
||||
/// to decrypt the database due to a password/key mismatch).
|
||||
///
|
||||
/// Use this callback to report diagnostics, trigger recovery logic, prompt the user
|
||||
/// for authentication, or update internal state.
|
||||
/// By default, this method does nothing; implement it only if you need to respond
|
||||
/// to key-related failures.
|
||||
/// - Parameter service: The database service.
|
||||
/// - Returns: `true` to attempt reconnection. Defaults to `false`.
|
||||
func databaseService(shouldReconnect service: DatabaseServiceProtocol) -> Bool
|
||||
|
||||
/// Notifies the provider of an error that occurred while retrieving or applying the key.
|
||||
///
|
||||
/// - Parameters:
|
||||
/// - service: The database service reporting the error.
|
||||
/// - error: The error encountered during key retrieval or application.
|
||||
func databaseService(_ service: DatabaseService, didReceive error: Error)
|
||||
|
||||
/// Informs the service whether it should attempt to reconnect automatically.
|
||||
///
|
||||
/// Return `true` if the service should retry connecting (for example, if the key may
|
||||
/// become available shortly). By default, returns `false`.
|
||||
///
|
||||
/// - Parameter service: The database service.
|
||||
/// - Returns: `true` to retry, `false` to abort.
|
||||
func databaseServiceShouldReconnect(_ service: DatabaseService) -> Bool
|
||||
func databaseService(_ service: DatabaseServiceProtocol, didReceive error: Error)
|
||||
}
|
||||
|
||||
public extension DatabaseServiceKeyProvider {
|
||||
/// Default no-op implementation for key-related error reporting.
|
||||
func databaseService(_ service: DatabaseService, didReceive error: Error) {}
|
||||
|
||||
/// Default implementation disables automatic reconnect attempts.
|
||||
func databaseServiceShouldReconnect(_ service: DatabaseService) -> Bool {
|
||||
false
|
||||
}
|
||||
func databaseService(shouldReconnect service: DatabaseServiceProtocol) -> Bool { false }
|
||||
func databaseService(_ service: DatabaseServiceProtocol, didReceive error: Error) {}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user