Add protocol for migration service
This commit is contained in:
@@ -3,51 +3,122 @@ import DataLiteCore
|
||||
|
||||
/// A protocol for supplying encryption keys to `DatabaseService` instances.
|
||||
///
|
||||
/// `DatabaseServiceKeyProvider` allows database services to delegate the responsibility of
|
||||
/// retrieving, managing, and applying encryption keys. This enables separation of concerns
|
||||
/// and allows for advanced strategies such as per-user key derivation, secure hardware-backed
|
||||
/// storage, or biometric access control.
|
||||
/// `DatabaseServiceKeyProvider` encapsulates all responsibilities for managing encryption keys
|
||||
/// for one or more `DatabaseService` instances. It allows a database service to delegate key
|
||||
/// retrieval, secure storage, rotation, and access control, enabling advanced security strategies
|
||||
/// such as per-user key derivation, hardware-backed keys, biometric authentication, or ephemeral
|
||||
/// in-memory secrets.
|
||||
///
|
||||
/// When assigned to a `DatabaseService`, the provider is queried automatically whenever a
|
||||
/// connection is created or re-established (e.g., during service initialization or reconnect).
|
||||
/// The provider is queried automatically by the database service whenever a new connection
|
||||
/// is created or re-established (for example, during service initialization, after a reconnect,
|
||||
/// or when the service requests a key rotation).
|
||||
///
|
||||
/// You can also implement error handling or diagnostics via the optional
|
||||
/// ``databaseService(_:didReceive:)`` method.
|
||||
/// Error handling and diagnostics related specifically to encryption or key operations
|
||||
/// (such as when a key is unavailable, authentication is denied, or decryption fails)
|
||||
/// are reported to the provider via the optional ``databaseService(_:didReceive:)`` callback.
|
||||
/// The provider is **not** notified of generic database or connection errors unrelated to
|
||||
/// encryption.
|
||||
///
|
||||
/// - Tip: You may throw from ``databaseServiceKey(_:)`` to indicate that the key is temporarily
|
||||
/// unavailable or access is denied.
|
||||
/// - Important: This protocol is **exclusively** for cryptographic key management.
|
||||
/// It must not be used for generic database error handling or for concerns unrelated to
|
||||
/// encryption, authorization, or key lifecycle.
|
||||
///
|
||||
/// ## Key Availability
|
||||
///
|
||||
/// There are two distinct scenarios for returning a key:
|
||||
///
|
||||
/// - **No Encryption Needed:**
|
||||
/// Return `nil` if the target database does not require encryption (i.e., should be opened
|
||||
/// in plaintext mode). This is not an error; the database service will attempt to open the
|
||||
/// database without a key. If the database is in fact encrypted, this will result in a
|
||||
/// decryption error at the SQLite level (e.g., `SQLITE_NOTADB`), which is handled by the
|
||||
/// database service as a normal failure.
|
||||
///
|
||||
/// - **Key Temporarily Unavailable:**
|
||||
/// Also return `nil` if the key is *temporarily* unavailable for any reason (for example,
|
||||
/// the user has not yet authenticated, the device is locked, a remote key is still loading,
|
||||
/// or UI authorization has not been granted).
|
||||
/// Returning `nil` in this case means the database service will not attempt to open
|
||||
/// the database with a key. This will not trigger an error callback.
|
||||
/// When the key later becomes available (for example, after user authentication or
|
||||
/// successful network retrieval), **the provider is responsible for calling**
|
||||
/// ``DatabaseService/reconnect()`` on the service to re-attempt the operation with the key.
|
||||
///
|
||||
/// - **Error Situations:**
|
||||
/// Only throw an error if a *permanent* or *unexpected* failure occurs (for example,
|
||||
/// a hardware security error, a fatal storage problem, or a cryptographic failure
|
||||
/// that cannot be resolved by waiting or user action).
|
||||
/// Thrown errors will be reported to the provider via the error callback, and may be
|
||||
/// surfaced to the UI or logs.
|
||||
///
|
||||
/// - Tip: Never throw for temporary unavailability (such as "user has not unlocked" or
|
||||
/// "still waiting for user action")—just return `nil` in these cases.
|
||||
/// Use thrown errors only for non-recoverable or unexpected failures.
|
||||
///
|
||||
/// ## Error Callback
|
||||
///
|
||||
/// The method ``databaseService(_:didReceive:)`` will be called only for errors thrown by
|
||||
/// ``databaseServiceKey(_:)`` or by the key application process (such as if the key fails
|
||||
/// to decrypt the database).
|
||||
/// It will *not* be called for generic database or connection errors.
|
||||
///
|
||||
/// Implement this method if you wish to log, recover from, or respond to permanent key-related
|
||||
/// failures (such as prompting the user, resetting state, or displaying errors).
|
||||
public protocol DatabaseServiceKeyProvider: AnyObject {
|
||||
/// Returns the encryption key to be applied to the given database service.
|
||||
///
|
||||
/// This method is invoked by the `DatabaseService` during initialization or reconnection
|
||||
/// to retrieve the encryption key that should be applied to the new connection.
|
||||
///
|
||||
/// Implementations may return a static key, derive it from metadata, or load it from
|
||||
/// secure storage. If the key is unavailable (e.g., user not authenticated, system locked),
|
||||
/// this method may throw to indicate failure.
|
||||
/// This method is invoked by the `DatabaseService` during connection initialization,
|
||||
/// reconnection, or explicit key rotation. Implementations may return a static key,
|
||||
/// derive it from external data, fetch it from secure hardware, or perform required
|
||||
/// user authentication.
|
||||
///
|
||||
/// - Parameter service: The requesting database service.
|
||||
/// - Returns: A `Connection.Key` representing the encryption key.
|
||||
/// - Throws: Any error indicating that the key cannot be retrieved.
|
||||
func databaseServiceKey(_ service: DatabaseService) throws -> Connection.Key
|
||||
|
||||
/// Notifies the provider that the database service encountered an error while applying a key.
|
||||
/// - Returns: A `Connection.Key` representing the encryption key, or `nil` if encryption is
|
||||
/// not required for this database or the key is temporarily unavailable. Returning `nil`
|
||||
/// will cause the database service to attempt opening the database in plaintext mode.
|
||||
/// If the database is actually encrypted, access will fail with a decryption error.
|
||||
/// - Throws: Only throw for unrecoverable or unexpected errors (such as hardware failure,
|
||||
/// fatal storage issues, or irrecoverable cryptographic errors). Do **not** throw for
|
||||
/// temporary unavailability; instead, return `nil` and call ``DatabaseService/reconnect()``
|
||||
/// later when the key becomes available.
|
||||
///
|
||||
/// This method is called when the service fails to retrieve or apply the encryption key.
|
||||
/// You can use it to report diagnostics, attempt recovery, or update internal state.
|
||||
/// - Note: This method may be called multiple times during the lifecycle of a service,
|
||||
/// including after a failed decryption attempt or key rotation event.
|
||||
func databaseServiceKey(_ service: DatabaseService) throws -> Connection.Key?
|
||||
|
||||
/// Notifies the provider that the database service encountered an error
|
||||
/// related to key retrieval or application.
|
||||
///
|
||||
/// The default implementation is a no-op.
|
||||
/// This method is called **only** when the service fails to retrieve or apply an
|
||||
/// encryption key (e.g., if ``databaseServiceKey(_:)`` throws, or if the key fails
|
||||
/// to decrypt the database due to a password/key mismatch).
|
||||
///
|
||||
/// Use this callback to report diagnostics, trigger recovery logic, prompt the user
|
||||
/// for authentication, or update internal state.
|
||||
/// By default, this method does nothing; implement it only if you need to respond
|
||||
/// to key-related failures.
|
||||
///
|
||||
/// - Parameters:
|
||||
/// - service: The database service reporting the error.
|
||||
/// - error: The error encountered during key retrieval or application.
|
||||
func databaseService(_ service: DatabaseService, didReceive error: Error)
|
||||
|
||||
/// Informs the service whether it should attempt to reconnect automatically.
|
||||
///
|
||||
/// Return `true` if the service should retry connecting (for example, if the key may
|
||||
/// become available shortly). By default, returns `false`.
|
||||
///
|
||||
/// - Parameter service: The database service.
|
||||
/// - Returns: `true` to retry, `false` to abort.
|
||||
func databaseServiceShouldReconnect(_ service: DatabaseService) -> Bool
|
||||
}
|
||||
|
||||
public extension DatabaseServiceKeyProvider {
|
||||
/// Default no-op implementation of error handling callback.
|
||||
///
|
||||
/// This allows conforming types to ignore the error reporting mechanism
|
||||
/// if they do not need to respond to key failures.
|
||||
/// Default no-op implementation for key-related error reporting.
|
||||
func databaseService(_ service: DatabaseService, didReceive error: Error) {}
|
||||
|
||||
/// Default implementation disables automatic reconnect attempts.
|
||||
func databaseServiceShouldReconnect(_ service: DatabaseService) -> Bool {
|
||||
false
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user