KMS Decrypt (CALS-SDK)
1. Scenario
- In CALS-Studio > Utility > Key Management, if the Algorithm is set to KMS-AES and the Manage Type is set to External or Application, write the logic to retrieve the decryption key information.
2. Interface definition
- Request Parameter
| Element name | Sub-element name | Data type | Request level | Explanation |
|---|---|---|---|---|
| applicationId | | String | Required | SYS_ID of the application retrieving the decryption key information. |
| accountId | | String | Required | SYS_ID of the account retrieving the decryption key information. |
| userId | | String | Required | SYS_ID of the user retrieving the decryption key information. |
| arrDecryptItem | | Array[Object] | Required | Array object retrieving the decryption key information. |
| | keyId | String | Required | SYS_ID of the row retrieving the decryption key information in qt_key_master of the application/External DB. |
| | encDataKey | String | Required | ENC_DATA_KEY of the row retrieving the decryption key information in qt_key_master of the application/External DB. |
| | encData | String | Required | ENC_DATA of the row retrieving the decryption key information in qt_key_master of the application/External DB. |
- Response Parameter
| Element name | Sub-element name | 2 depth element name | Data type | Explanation |
|---|---|---|---|---|
| success | | | Boolean | Indicates whether the API request succeeded or failed [true / false]. |
| error | | | Object | Error information. |
| | code | | Integer | Error code. |
| | type | | String | Error type. |
| | message | | String | Error message. |
| payload | | | Object | Response object. |
| | items | | Array[Object] | Decrypted data array object. |
| | | decryptKey | String | Decrypted key. |
| | | keyId | String | SYS_ID of the row retrieving decrypted key information in qt_key_master of the Application/External DB. |
| | | encData | String | ENC_DATA of the row retrieving decrypted key information in qt_key_master of the Application/External DB. |
| | | encDataKey | String | ENC_DATA_KEY of the row retrieving decrypted key information in qt_key_master of the Application/External DB. |
3. Example for source creation
- src/controller.js
/**
 * Controller entry point: checks the caller identifiers and delegates to the service.
 * Reads applicationId, accountId and userId from this.objRequestParams and reports
 * the first one that is empty; the service result is stored in this.objReturn and returned.
 * @returns {Promise<object>} the object produced by this.clsService.runMethod
 * @throws {ParameterNonExistException} named after the first missing identifier
 */
async process () {
  calsLogger.param(this.event, this.context)
  const { applicationId, accountId, userId } = this.objRequestParams
  // Checked in this order so the reported name matches the first empty value.
  const arrRequired = [
    ['applicationId', applicationId],
    ['accountId', accountId],
    ['userId', userId]
  ]
  for (const [sName, sValue] of arrRequired) {
    if (CompareUtility.isEmpty(sValue)) {
      throw new ParameterNonExistException(sName)
    }
  }
  // Hand the request and the return holder to the service unchanged.
  this.objReturn = await this.clsService.runMethod({ objRequestParams: this.objRequestParams, objReturn: this.objReturn })
  calsLogger.result(this.objReturn)
  return this.objReturn
}
- src/service.js
'use strict'
const { BaseService, calsLogger, CompareUtility, OperationFailException } = require('@cals-framework/lambda')
const DAO = require('./dao')
const calsSdk = new (require('cals-sdk')).CalsSDK()
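module.exports = class Service extends BaseService {
  /**
   * Picks the DAO that runMethod will use.
   * Reuses the DAO already attached to the CALS context when one is present and
   * creates a fresh DAO otherwise, so this.clsDAO is always assigned. The previous
   * nested-ternary form had an unreachable last branch and, whenever
   * calsContext.daoContext was already set, overwrote it with a new DAO while
   * leaving this.clsDAO undefined (runMethod then cloned and queried undefined).
   * Presumably reusing the context DAO was the intent — confirm against the framework.
   */
  constructor () {
    super()
    const { daoContext } = this.calsContext
    this.clsDAO = daoContext == null ? new DAO() : daoContext
  }

  /**
   * Fetches the decryption key for one qt_key_master row through CALS-SDK and
   * runs the decrypting select with it.
   * @param {{ objRequestParams: object, objReturn: object }} args - applicationId,
   *   accountId and userId are read from objRequestParams (the controller checks they exist)
   * @returns {Promise<object>} the result of DAO#getData
   * @throws {OperationFailException} when CALS-SDK activation reports a value,
   *   when getDecryptKey fails, or when no key item is returned
   */
  async runMethod ({ objRequestParams, objReturn }) {
    calsLogger.param(objRequestParams)
    // 0. Initialize CALS-SDK
    await this.initCalsSdkForAplLambda(objRequestParams, this.clsRdkCoreLodash.cloneDeep(this.clsDAO))
    objRequestParams.bActiveStatus = await calsSdk.activate()
    // Activation counts as successful only when activate() yields nothing;
    // presumably a non-empty value carries failure detail — confirm against the SDK.
    if (CompareUtility.isNotEmpty(objRequestParams.bActiveStatus)) {
      throw new OperationFailException('CALS-SDK')
    }
    // 1. Call getDecryptKey Method
    const objDecryptKey = await calsSdk.getDecryptKey({
      applicationId: objRequestParams.applicationId,
      accountId: objRequestParams.accountId,
      userId: objRequestParams.userId,
      arrDecryptItem: [
        {
          encData: '[qt_key_master ENC_DATA]',
          encDataKey: '[qt_key_master ENC_DATA_KEY]',
          keyId: '[qt_key_master SYS_ID]'
        }
      ]
    })
    // 2. Stop on failure: continuing into step 3 would dereference
    //    payload.items on an error response.
    if (!objDecryptKey.success) {
      console.error(objDecryptKey.error.message)
      throw new OperationFailException('getDecryptKey')
    }
    const arrItems = objDecryptKey.payload.items
    if (!Array.isArray(arrItems) || arrItems.length === 0) {
      throw new OperationFailException('getDecryptKey')
    }
    // Log only the key identifiers: items[].decryptKey is plaintext key
    // material and must not be written to the log output.
    console.log(arrItems.map(({ keyId }) => keyId))
    // 3. After that run query decrypt DB (the first returned key is used)
    this.setDAOParams({
      sDecryptKey: arrItems[0].decryptKey
    })
    objReturn = await this.clsDAO.getData({ objDAOParams: this.objDAOParams, objReturn })
    calsLogger.result(objReturn)
    return objReturn
  }
  // can edit up to here
}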
- src/dao.js
'use strict'
const { ApplicationDAO, calsLogger } = require('@cals-framework/lambda')
module.exports = class DAO extends ApplicationDAO {
  // can edit from here
  /**
   * Runs the `selectTest1` mapper query with the supplied DAO parameters.
   * @param {{ objDAOParams: object, objReturn: object }} args - objDAOParams is
   *   handed to the query as its parameter object; objReturn is passed through to select
   * @returns {Promise<object>} whatever ApplicationDAO#select resolves with
   */
  async getData ({ objDAOParams, objReturn }) {
    calsLogger.param(objDAOParams)
    const objQuery = {
      sQueryId: 'selectTest1',
      objParam: objDAOParams,
      objReturn
    }
    const objResult = await this.select(objQuery)
    calsLogger.result(objResult)
    return objResult
  }
  // edit up to here
}
- query/mysql/mysql.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="mysql">
<!--
  selectTest1: decrypts one AES-encrypted column using the key passed in as sDecryptKey
  (set by Service#setDAOParams). [COLUMN_NAME] is a placeholder to replace with the real column.
  NOTE(review): ${...} is raw text substitution, so sDecryptKey is spliced into the SQL string
  (and into any statement logging) rather than bound as a query parameter. Check whether the
  framework's bound form (#{...}) can carry the key instead - confirm against the mapper
  implementation before changing it.
-->
<select id="selectTest1">
SELECT
${systemField}
, CAST(AES_DECRYPT(UNHEX([COLUMN_NAME]), '${sDecryptKey}') AS CHAR) AS [COLUMN_NAME]
FROM
TEST_TABLE
WHERE 1=1
AND SYS_FLAG = 1
</select>
</mapper>