Adds an abstraction layer to hide the underlying usage of Microsoft Data Encryption(MDE) library (Azure#26878)

* Wrapping AAP EncryptionKeyStoreProvider into Cosmos EncryptionKeyWrapProvider

* fixing build error on benchmark project

* resolving comments

* adding module-info for encryption

* build fix

* resolving api review comments

* fixing benchmark build error

* Renamed package to com.azure.encryption.cosmos to fix package resolution

* Fixed samples link

* build error

* resolving import ordering comment

Co-authored-by: Kushagra Thapar <kuthapar@microsoft.com>

Author: simplynaveen20

eng/code-quality-reports/src/main/resources/spotbugs/spotbugs-exclude.xml

@@ -2075,13 +2075,13 @@
   </Match>
 
   <Match>
-    <Class name="com.azure.cosmos.encryption.implementation.EncryptionProcessor"/>
+    <Class name="com.azure.encryption.cosmos.implementation.EncryptionProcessor"/>
     <Method name="decryptAndSerializeProperty"/>
     <Bug pattern="BC_UNCONFIRMED_CAST"/>
   </Match>
 
   <Match>
-    <Class name="com.azure.cosmos.encryption.implementation.EncryptionProcessor"/>
+    <Class name="com.azure.encryption.cosmos.implementation.EncryptionProcessor"/>
     <Method name="encryptAndSerializeProperty"/>
     <Bug pattern="BC_UNCONFIRMED_CAST"/>
   </Match>

sdk/cosmos/azure-cosmos-benchmark/src/main/java/com/azure/cosmos/benchmark/encryption/AsyncEncryptionBenchmark.java

@@ -16,11 +16,12 @@
 import com.azure.cosmos.benchmark.BenchmarkHelper;
 import com.azure.cosmos.benchmark.Configuration;
 import com.azure.cosmos.benchmark.PojoizedJson;
-import com.azure.cosmos.encryption.CosmosEncryptionAsyncClient;
-import com.azure.cosmos.encryption.CosmosEncryptionAsyncContainer;
-import com.azure.cosmos.encryption.CosmosEncryptionAsyncDatabase;
-import com.azure.cosmos.encryption.models.CosmosEncryptionAlgorithm;
-import com.azure.cosmos.encryption.models.CosmosEncryptionType;
+import com.azure.encryption.cosmos.CosmosEncryptionAsyncClient;
+import com.azure.encryption.cosmos.CosmosEncryptionAsyncContainer;
+import com.azure.encryption.cosmos.CosmosEncryptionAsyncDatabase;
+import com.azure.encryption.cosmos.keyprovider.AzureKeyVaultKeyWrapProvider;
+import com.azure.encryption.cosmos.models.CosmosEncryptionAlgorithm;
+import com.azure.encryption.cosmos.models.CosmosEncryptionType;
 import com.azure.cosmos.implementation.HttpConstants;
 import com.azure.cosmos.implementation.apachecommons.lang.StringUtils;
 import com.azure.cosmos.models.ClientEncryptionIncludedPath;
@@ -46,8 +47,6 @@
 import com.codahale.metrics.jvm.CachedThreadStatesGaugeSet;
 import com.codahale.metrics.jvm.GarbageCollectorMetricSet;
 import com.codahale.metrics.jvm.MemoryUsageGaugeSet;
-import com.microsoft.data.encryption.AzureKeyVaultKeyStoreProvider.AzureKeyVaultKeyStoreProvider;
-import com.microsoft.data.encryption.cryptography.MicrosoftDataEncryptionException;
 import io.micrometer.core.instrument.MeterRegistry;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.mpierce.metrics.reservoir.hdrhistogram.HdrHistogramResetOnSnapshotReservoir;
@@ -59,7 +58,6 @@
 import reactor.core.publisher.Mono;
 import reactor.util.retry.Retry;
 
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.InetSocketAddress;
@@ -85,7 +83,7 @@ public abstract class AsyncEncryptionBenchmark<T> {
 
     private CosmosAsyncContainer cosmosAsyncContainer;
     private CosmosAsyncDatabase cosmosAsyncDatabase;
-    private AzureKeyVaultKeyStoreProvider encryptionKeyStoreProvider = null;
+    private AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider = null;
     private Properties keyVaultProperties;
 
     final Logger logger;
@@ -112,7 +110,7 @@ public abstract class AsyncEncryptionBenchmark<T> {
 
     private AtomicBoolean warmupMode = new AtomicBoolean(false);
 
-    AsyncEncryptionBenchmark(Configuration cfg) throws IOException, MicrosoftDataEncryptionException {
+    AsyncEncryptionBenchmark(Configuration cfg) throws IOException {
         CosmosClientBuilder cosmosClientBuilder = new CosmosClientBuilder()
             .endpoint(cfg.getServiceEndpoint())
             .key(cfg.getMasterKey())
@@ -420,14 +418,14 @@ private Properties loadConfig() throws IOException {
         }
     }
 
-    private CosmosEncryptionAsyncClient createEncryptionClientInstance(CosmosAsyncClient cosmosClient) throws MicrosoftDataEncryptionException, IOException {
+    private CosmosEncryptionAsyncClient createEncryptionClientInstance(CosmosAsyncClient cosmosClient) throws IOException {
         keyVaultProperties = loadConfig();
         // Application credentials for authentication with Azure Key Vault.
         // This application must have keys/wrapKey and keys/unwrapKey permissions
         // on the keys that will be used for encryption.
         TokenCredential tokenCredentials = getTokenCredential(keyVaultProperties);
-        encryptionKeyStoreProvider = new AzureKeyVaultKeyStoreProvider(tokenCredentials);
-        return CosmosEncryptionAsyncClient.createCosmosEncryptionAsyncClient(cosmosClient, encryptionKeyStoreProvider);
+        azureKeyVaultKeyWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredentials);
+        return CosmosEncryptionAsyncClient.createCosmosEncryptionAsyncClient(cosmosClient, azureKeyVaultKeyWrapProvider);
     }
 
     private TokenCredential getTokenCredential(Properties properties) {
@@ -498,7 +496,7 @@ private void createEncryptionDatabaseAndContainer() {
                 }
 
                 EncryptionKeyWrapMetadata metadata =
-                    new EncryptionKeyWrapMetadata(encryptionKeyStoreProvider.getProviderName(), dataEncryptionKeyId,
+                    new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.getProviderName(), dataEncryptionKeyId,
                         masterKeyUrlFromConfig);
                 /// Generates an encryption key, wraps it using the key wrap metadata provided
                 /// and saves the wrapped encryption key as an asynchronous operation in the Azure Cosmos service.
@@ -527,23 +525,23 @@ private void createEncryptionDatabaseAndContainer() {
             ClientEncryptionIncludedPath includedPath = new ClientEncryptionIncludedPath();
             includedPath.setClientEncryptionKeyId(dataEncryptionKeyId);
             includedPath.setPath("/" + ENCRYPTED_STRING_FIELD + i);
-            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC);
+            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC.toString());
             includedPath.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256);
             encryptionPaths.add(includedPath);
         }
         for (int i = 1; i <= configuration.getEncryptedDoubleFieldCount(); i++) {
             ClientEncryptionIncludedPath includedPath = new ClientEncryptionIncludedPath();
             includedPath.setClientEncryptionKeyId(dataEncryptionKeyId);
             includedPath.setPath("/" + ENCRYPTED_LONG_FIELD + i);
-            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC);
+            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC.toString());
             includedPath.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256);
             encryptionPaths.add(includedPath);
         }
         for (int i = 1; i <= configuration.getEncryptedLongFieldCount(); i++) {
             ClientEncryptionIncludedPath includedPath = new ClientEncryptionIncludedPath();
             includedPath.setClientEncryptionKeyId(dataEncryptionKeyId);
             includedPath.setPath("/" + ENCRYPTED_DOUBLE_FIELD + i);
-            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC);
+            includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC.toString());
             includedPath.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256);
             encryptionPaths.add(includedPath);
         }

sdk/cosmos/azure-cosmos-benchmark/src/main/java/com/azure/cosmos/benchmark/encryption/AsyncEncryptionWriteBenchmark.java

@@ -10,7 +10,6 @@
 import com.azure.cosmos.models.CosmosItemResponse;
 import com.azure.cosmos.models.PartitionKey;
 import com.codahale.metrics.Timer;
-import com.microsoft.data.encryption.cryptography.MicrosoftDataEncryptionException;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.reactivestreams.Subscription;
 import reactor.core.publisher.BaseSubscriber;
@@ -56,7 +55,7 @@ protected void hookOnError(Throwable throwable) {
         }
     }
 
-    public AsyncEncryptionWriteBenchmark(Configuration cfg) throws IOException, MicrosoftDataEncryptionException {
+    public AsyncEncryptionWriteBenchmark(Configuration cfg) throws IOException {
         super(cfg);
         uuid = UUID.randomUUID().toString();
         dataFieldValue = RandomStringUtils.randomAlphabetic(configuration.getDocumentDataFieldSize());

sdk/cosmos/azure-cosmos-encryption/README.md

@@ -58,7 +58,7 @@ CosmosAsyncClient cosmosAsyncClient = new CosmosClientBuilder()
     .buildAsyncClient();
 CosmosEncryptionAsyncClient cosmosEncryptionAsyncClient =
     CosmosEncryptionAsyncClient.createCosmosEncryptionAsyncClient(cosmosAsyncClient,
-        new AzureKeyVaultKeyStoreProvider(tokenCredentials));
+        new AzureKeyVaultKeyWrapProvider(tokenCredentials));
 ```
 
 ### Create Cosmos Encryption Database
@@ -81,7 +81,7 @@ You need to first create Container with ClientEncryptionPolicy and using cosmos
 
 ```java readme-sample-createCosmosEncryptionContainer
 //Create Client Encryption Key
-EncryptionKeyWrapMetadata metadata = new EncryptionKeyWrapMetadata(encryptionKeyStoreProvider.getProviderName(), "key", "tempmetadata");
+EncryptionKeyWrapMetadata metadata = new EncryptionKeyWrapMetadata(encryptionKeyWrapProvider.getProviderName(), "key", "tempmetadata");
 CosmosEncryptionAsyncContainer cosmosEncryptionAsyncContainer = cosmosEncryptionAsyncDatabase
     .createClientEncryptionKey("key", CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256, metadata)
     // TIP: Our APIs are Reactor Core based, so try to chain your calls
@@ -90,7 +90,7 @@ CosmosEncryptionAsyncContainer cosmosEncryptionAsyncContainer = cosmosEncryption
         ClientEncryptionIncludedPath includedPath = new ClientEncryptionIncludedPath();
         includedPath.setClientEncryptionKeyId("key");
         includedPath.setPath("/sensitiveString");
-        includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC);
+        includedPath.setEncryptionType(CosmosEncryptionType.DETERMINISTIC.toString());
         includedPath.setEncryptionAlgorithm(CosmosEncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256);
 
         List<ClientEncryptionIncludedPath> paths = new ArrayList<>();
@@ -222,7 +222,7 @@ or contact [opencode@microsoft.com][coc_contact] with any additional questions o
 [troubleshooting]: https://docs.microsoft.com/azure/cosmos-db/troubleshoot-java-sdk-v4-sql
 [perf_guide]: https://docs.microsoft.com/azure/cosmos-db/performance-tips-java-sdk-v4-sql?tabs=api-async
 [sql_api_query]: https://docs.microsoft.com/azure/cosmos-db/sql-api-sql-query
-[getting_started_encryption]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos-encryption/src/samples/java/com/azure/cosmos
+[getting_started_encryption]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos-encryption/src/samples/java/com/azure/encryption/cosmos
 [quickstart]: https://docs.microsoft.com/azure/cosmos-db/create-sql-api-java?tabs=sync
 
 ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-java%2Fsdk%2Fcosmos%2Fazure-cosmos-encryption%2FREADME.png)

sdk/cosmos/azure-cosmos-encryption/pom.xml

@@ -35,12 +35,21 @@ Licensed under the MIT License.
   <!-- CosmosSkip - Needed temporary values to 10% not fail. -->
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <jacoco.min.linecoverage>0.01</jacoco.min.linecoverage>
-    <jacoco.min.branchcoverage>0.01</jacoco.min.branchcoverage>
+    <jacoco.min.linecoverage>0.10</jacoco.min.linecoverage>
+    <jacoco.min.branchcoverage>0.05</jacoco.min.branchcoverage>
 
     <!-- CosmosSkip - This is not a module we want/expect external customers to consume. Skip breaking API checks. -->
     <!-- This can only be enabled once we release GA, as it needs a stable version to check for breaking changes. -->
     <revapi.skip>true</revapi.skip>
+
+    <!-- Configures the Java 9+ run to perform the required module exports, opens, and reads that are necessary for testing but shouldn't be part of the module-info. -->
+    <javaModulesSurefireArgLine>
+      --add-opens com.azure.encryption.cosmos/com.azure.encryption.cosmos=ALL-UNNAMED
+      --add-opens com.azure.encryption.cosmos/com.azure.encryption.cosmos.implementation=ALL-UNNAMED
+      --add-opens com.azure.encryption.cosmos/com.azure.encryption.cosmos.keyprovider=ALL-UNNAMED
+      --add-opens com.azure.encryption.cosmos/com.azure.encryption.cosmos.util=ALL-UNNAMED
+      --add-opens com.azure.encryption.cosmos/com.azure.encryption.cosmos.models=ALL-UNNAMED
+    </javaModulesSurefireArgLine>
   </properties>
 
   <dependencies>
@@ -199,17 +208,6 @@ Licensed under the MIT License.
 
   <build>
     <plugins>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version> <!-- {x-version-update;org.apache.maven.plugins:maven-compiler-plugin;external_dependency} -->
-        <configuration>
-          <source>1.8</source>
-          <target>1.8</target>
-          <failOnWarning>false</failOnWarning>
-        </configuration>
-      </plugin>
-
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>

sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/models/CosmosEncryptionType.java

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.cosmos.encryption;
+package com.azure.encryption.cosmos;
 
 import com.azure.cosmos.ChangeFeedProcessor;
 import com.azure.cosmos.ChangeFeedProcessorBuilder;

…hangeFeedEncryptionProcessorBuilder.java …hangeFeedEncryptionProcessorBuilder.javasdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/ChangeFeedEncryptionProcessorBuilder.java renamed to sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/encryption/cosmos/ChangeFeedEncryptionProcessorBuilder.java sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/cosmos/encryption/ChangeFeedEncryptionProcessorBuilder.java renamed to sdk/cosmos/azure-cosmos-encryption/src/main/java/com/azure/encryption/cosmos/ChangeFeedEncryptionProcessorBuilder.java

@@ -1,22 +1,21 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.cosmos.encryption;
+package com.azure.encryption.cosmos;
 
 import com.azure.cosmos.BridgeInternal;
 import com.azure.cosmos.CosmosAsyncClient;
 import com.azure.cosmos.CosmosAsyncClientEncryptionKey;
 import com.azure.cosmos.CosmosAsyncContainer;
 import com.azure.cosmos.CosmosAsyncDatabase;
 import com.azure.cosmos.CosmosException;
+import com.azure.encryption.cosmos.keyprovider.EncryptionKeyWrapProvider;
 import com.azure.cosmos.implementation.HttpConstants;
 import com.azure.cosmos.implementation.Utils;
 import com.azure.cosmos.implementation.caches.AsyncCache;
-import com.azure.cosmos.models.ClientEncryptionPolicy;
 import com.azure.cosmos.models.CosmosClientEncryptionKeyProperties;
 import com.azure.cosmos.models.CosmosContainerProperties;
 import com.azure.cosmos.models.CosmosContainerResponse;
-import com.microsoft.data.encryption.cryptography.EncryptionKeyStoreProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import reactor.core.publisher.Mono;
@@ -29,27 +28,27 @@ public class CosmosEncryptionAsyncClient {
     private final CosmosAsyncClient cosmosAsyncClient;
     private final AsyncCache<String, CosmosContainerProperties> containerPropertiesCacheByContainerId;
     private final AsyncCache<String, CosmosClientEncryptionKeyProperties> clientEncryptionKeyPropertiesCacheByKeyId;
-    private EncryptionKeyStoreProvider encryptionKeyStoreProvider;
+    private EncryptionKeyWrapProvider encryptionKeyWrapProvider;
 
     CosmosEncryptionAsyncClient(CosmosAsyncClient cosmosAsyncClient,
-                                EncryptionKeyStoreProvider encryptionKeyStoreProvider) {
+                                EncryptionKeyWrapProvider encryptionKeyWrapProvider) {
         if (cosmosAsyncClient == null) {
             throw new IllegalArgumentException("cosmosClient is null");
         }
-        if (encryptionKeyStoreProvider == null) {
-            throw new IllegalArgumentException("encryptionKeyStoreProvider is null");
+        if (encryptionKeyWrapProvider == null) {
+            throw new IllegalArgumentException("encryptionKeyWrapProvider is null");
         }
         this.cosmosAsyncClient = cosmosAsyncClient;
-        this.encryptionKeyStoreProvider = encryptionKeyStoreProvider;
+        this.encryptionKeyWrapProvider = encryptionKeyWrapProvider;
         this.clientEncryptionKeyPropertiesCacheByKeyId = new AsyncCache<>();
         this.containerPropertiesCacheByContainerId = new AsyncCache<>();
     }
 
     /**
-     * @return the encryption key store provider
+     * @return the encryption key wrap provider
      */
-    public EncryptionKeyStoreProvider getEncryptionKeyStoreProvider() {
-        return encryptionKeyStoreProvider;
+    public EncryptionKeyWrapProvider getEncryptionKeyWrapProvider() {
+        return encryptionKeyWrapProvider;
     }
 
     Mono<CosmosContainerProperties> getContainerPropertiesAsync(
@@ -142,13 +141,13 @@ public CosmosAsyncClient getCosmosAsyncClient() {
      * Create Cosmos Client with Encryption support for performing operations using client-side encryption.
      *
      * @param cosmosAsyncClient          Regular Cosmos Client.
-     * @param encryptionKeyStoreProvider encryptionKeyStoreProvider, provider that allows interaction with the master
+     * @param encryptionKeyWrapProvider encryptionKeyWrapProvider, provider that allows interaction with the master
      *                                   keys.
      * @return encryptionAsyncCosmosClient to perform operations supporting client-side encryption / decryption.
      */
     public static CosmosEncryptionAsyncClient createCosmosEncryptionAsyncClient(CosmosAsyncClient cosmosAsyncClient,
-                                                                                EncryptionKeyStoreProvider encryptionKeyStoreProvider) {
-        return new CosmosEncryptionAsyncClient(cosmosAsyncClient, encryptionKeyStoreProvider);
+                                                                                EncryptionKeyWrapProvider encryptionKeyWrapProvider) {
+        return new CosmosEncryptionAsyncClient(cosmosAsyncClient, encryptionKeyWrapProvider);
     }
 
     /**