BewareMyPower commented on code in PR #24481:
URL: https://github.com/apache/pulsar/pull/24481#discussion_r2575857044


##########
pip/pip-432 Add isEncrypted field to EncryptionContext.md:
##########
@@ -0,0 +1,120 @@
+# PIP-432: Add isEncrypted field to EncryptionContext
+
+# Background knowledge
+
+Apache Pulsar supports client-side encryption where messages can be encrypted 
by producers and decrypted by consumers. When a message is encrypted, Pulsar 
includes an `EncryptionContext` with each message that contains encryption 
metadata such as:
+
+- **Encryption keys**: The encrypted data encryption keys used for message 
encryption
+- **Encryption parameters**: Additional parameters like initialization vectors 
(IV)
+- **Encryption algorithm**: The algorithm used (e.g., RSA, ECDSA)
+- **Compression information**: Whether compression was applied before 
encryption
+
+**Key concepts:**
+- **EncryptionContext**: A metadata object attached to encrypted messages 
containing encryption-related information
+- **CryptoKeyReader**: An interface that provides public/private keys for 
encryption/decryption operations
+- **ConsumerCryptoFailureAction**: Determines how consumers handle decryption 
failures:
+  - `FAIL`: Fail message consumption (default)
+  - `DISCARD`: Silently discard the message
+  - `CONSUME`: Deliver the encrypted message to the application
+
+Currently, when `ConsumerCryptoFailureAction.CONSUME` is configured, consumers 
can receive encrypted messages even when decryption fails (e.g., missing 
private key, mismatched keys). However, applications have no way to determine 
whether the received message was successfully decrypted or is still encrypted.
+
+# Motivation
+
+Applications using Pulsar's encryption feature with 
`ConsumerCryptoFailureAction.CONSUME` need to determine whether received 
messages were successfully decrypted or if decryption failed. This is essential 
for:
+
+1. **Error handling**: Applications need to know when they receive encrypted 
(undecrypted) data to handle it appropriately
+2. **Monitoring**: Applications want to track decryption success/failure rates 
for monitoring and alerting
+3. **Manual decryption**: When automatic decryption fails, applications may 
want to attempt manual decryption using the EncryptionContext
+4. **Security compliance**: Applications need to ensure they're not 
inadvertently processing encrypted data as plain text
+
+**Current situation:**
+- Consumers with `CONSUME` action receive messages regardless of decryption 
success
+- No programmatic way to distinguish between successfully decrypted and failed 
decryption messages
+- Applications must implement workarounds to detect encrypted vs. decrypted 
content
+
+**Use cases this solves:**
+1. Consumer without private key configured → should know decryption failed
+2. Consumer with mismatched private key → should know decryption failed  
+3. Consumer with correct private key → should know decryption succeeded
+
+# Goals
+
+## In Scope
+
+- Add an `isEncrypted` boolean field to the `EncryptionContext` class
+- Update consumer decryption logic to populate this field correctly
+- Ensure the field accurately reflects decryption status for all encryption 
scenarios
+- Maintain backward compatibility with existing applications
+- Update existing encryption tests to verify the new functionality
+
+## Out of Scope
+
+- Changes to encryption/decryption algorithms or protocols
+- Modifications to `ConsumerCryptoFailureAction` behavior
+- Performance improvements to encryption/decryption operations
+- New encryption features or capabilities
+- Changes to producer-side encryption logic
+
+# High Level Design
+
+The solution adds a simple boolean field `isEncrypted` to the existing 
`EncryptionContext` class. This field is set during message processing in the 
consumer:
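Review bot: `isEncrypted` is a misleading name for what this PIP actually needs, because the Background section (lines "When a message is encrypted, Pulsar includes an `EncryptionContext`") establishes that an `EncryptionContext` only exists for encrypted messages, so from the message's point of view the flag would always be true; the three use cases listed under "Use cases this solves" are all about whether *decryption* succeeded or failed. State the semantics in terms of decryption status (for example, a name that says the payload is still undecrypted, or the inverse `isDecrypted`), and spell out the default value the field carries when no code path sets it, since the "Security compliance" motivation (not processing ciphertext as plaintext) argues for a default that reads as "not decrypted" rather than silently implying success. One smaller accuracy point in the Background list: ECDSA is a digital-signature scheme, not an encryption algorithm, so the "Encryption algorithm" bullet should name the actual key-wrapping mechanism used with EC keys rather than "ECDSA".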

Review Comment:
   This field name is very confusing; I'd like to use `isUndecryptedPayload` instead.
   
   <img width="749" height="702" alt="image" src="https://github.com/user-attachments/assets/c9fe0f9f-a70b-4497-a1fa-b92488452547" />
   


