Improved encryption key validation process when opening already open …

…arrays. Fixes issue with indefinite growing of the URI to encryption key mapping in `StorageManager` (the mapping is no longer needed).

HISTORY.md

@@ -10,6 +10,7 @@
 * Removed fragment metadata caching.
 * Removed array schema caching.
 * The tile MBR in the in-memory fragment metadata are organized into an R-Tree, speeding up tile overlap operations during subarray reads.
+* Improved encryption key validation process when opening already open arrays. Fixes issue with indefinite growing of the URI to encryption key mapping in `StorageManager` (the mapping is no longer needed). 
 
 ## Bug fixes
 

tiledb/sm/storage_manager/open_array.cc

@@ -68,6 +68,10 @@ const URI& OpenArray::array_uri() const {
   return array_uri_;
 }
 
+Status OpenArray::set_encryption_key(const EncryptionKey& encryption_key) {
+  return key_validation_.check_encryption_key(encryption_key);
+}
+
 uint64_t OpenArray::cnt() const {
   return cnt_;
 }

tiledb/sm/storage_manager/open_array.h

@@ -40,6 +40,7 @@
 #include <vector>
 
 #include "tiledb/sm/array_schema/array_schema.h"
+#include "tiledb/sm/encryption/encryption_key_validation.h"
 #include "tiledb/sm/filesystem/vfs.h"
 #include "tiledb/sm/fragment/fragment_metadata.h"
 #include "tiledb/sm/misc/uri.h"
@@ -81,6 +82,14 @@ class OpenArray {
   /** Returns the array URI. */
   const URI& array_uri() const;
 
+  /**
+   * If it is the first time this function is called, the input key
+   * is set to the open array without explicitly storing the key
+   * for future validity checks. Otherwise, the input key is securely
+   * checked if it matches the already set one.
+   */
+  Status set_encryption_key(const EncryptionKey& encryption_key);
+
   /** Returns the counter. */
   uint64_t cnt() const;
 
@@ -165,6 +174,9 @@ class OpenArray {
   /** Counts how many times the array has been opened. */
   uint64_t cnt_;
 
+  /** Used to validate keys when opening an already opened array. */
+  EncryptionKeyValidation key_validation_;
+
   /** Filelock handle. */
   filelock_t filelock_;
 

tiledb/sm/storage_manager/storage_manager.cc

@@ -288,14 +288,18 @@ Status StorageManager::array_open_for_writes(
   {
     std::lock_guard<std::mutex> lock{open_array_for_writes_mtx_};
 
-    // Find the open array entry
+    // Find the open array entry and check key correctness
     auto it = open_arrays_for_writes_.find(array_uri.to_string());
     if (it != open_arrays_for_writes_.end()) {
+      RETURN_NOT_OK(it->second->set_encryption_key(encryption_key));
       open_array = it->second;
     } else {  // Create a new entry
       open_array = new OpenArray(array_uri, QueryType::WRITE);
+      RETURN_NOT_OK_ELSE(
+          open_array->set_encryption_key(encryption_key), delete open_array);
       open_arrays_for_writes_[array_uri.to_string()] = open_array;
     }
+
     // Lock the array and increment counter
     open_array->mtx_lock();
     open_array->cnt_incr();
@@ -347,6 +351,7 @@ Status StorageManager::array_reopen(
           std::string("Cannot reopen array ") + array_uri.to_string() +
           "; Array not open"));
     }
+    RETURN_NOT_OK(it->second->set_encryption_key(encryption_key));
     open_array = it->second;
 
     // Lock the array
@@ -1505,12 +1510,16 @@ Status StorageManager::array_open_without_fragments(
     std::lock_guard<std::mutex> lock{open_array_for_reads_mtx_};
     std::lock_guard<std::mutex> xlock{xlock_mtx_};
 
-    // Find the open array entry
+    // Find the open array entry and check encryption key
     auto it = open_arrays_for_reads_.find(array_uri.to_string());
     if (it != open_arrays_for_reads_.end()) {
+      RETURN_NOT_OK(it->second->set_encryption_key(encryption_key));
       *open_array = it->second;
     } else {  // Create a new entry
       *open_array = new OpenArray(array_uri, QueryType::READ);
+      RETURN_NOT_OK_ELSE(
+          (*open_array)->set_encryption_key(encryption_key),
+          delete *open_array);
       open_arrays_for_reads_[array_uri.to_string()] = *open_array;
     }
     // Lock the array and increment counter