Skip to content

[6.1] Fix encryption key cache design for AKV provider #3477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 15, 2025
Merged

[6.1] Fix encryption key cache design for AKV provider #3477

merged 1 commit into from
Jul 15, 2025

Conversation

mdaigle
Copy link
Contributor

@mdaigle mdaigle commented Jul 15, 2025

Description

Ports #3464 to release/6.1

@cheenamalhotra @paulmedynski @mdaigle
Fix encryption key cache design for AKV provider (#3464)
a0a7bdf 
* Fix AzureSqlKeyCryptographer to be pure sync

* Fix Symmetric key cache design + Key vault cache

* Fix tests

* Add back multi-user cache scenario

* Add cache lock in global CEK cache to prevent concurrency issues.

* Touch-ups

* More changes to streamline getKey calls

* More updates

* - Addressed review comments.

* - Fixing tests that expect certain localized strings that have changed.

---------

Co-authored-by: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
@mdaigle mdaigle changed the base branch from main to release/6.1 July 15, 2025 15:56
@mdaigle mdaigle marked this pull request as ready for review July 15, 2025 15:56
@Copilot Copilot AI review requested due to automatic review settings July 15, 2025 15:56
@mdaigle mdaigle requested a review from a team as a code owner July 15, 2025 15:56
@mdaigle mdaigle added this to the 6.1.0 milestone Jul 15, 2025
Copilot
Copilot AI reviewed Jul 15, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Ports the fix for encryption key cache design in Azure Key Vault (AKV) provider to the 6.1 release branch, ensuring thread-safe caching and more precise error messages.

  • Updated manual tests to assert quoted parameter names in exception messages.
  • Introduced SemaphoreSlim locks around symmetric key and AKV provider caches for concurrency safety.
  • Refactored code to use C# 12 collection expressions and improved exception resource structures.

Reviewed Changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/ExceptionTestAKVStore.cs Refined asserted exception messages to quote parameter names.
src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlSymmetricKeyCache.cs Wrapped cache access in a semaphore lock and simplified object initializers.
src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlConnection.cs Updated comments and set zero TTL on AKV key store providers.
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlConnection.cs Applied C# 12 collection expressions and updated CEK cache comments.
src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs Switched exception templates and added a GetKeyFailed helper.
src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Strings.resx Updated resource entries for consistent quoting and added GetKeyFailed.
src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/SqlColumnEncryptionAzureKeyVaultProvider.cs Introduced locking around local key cache, refactored ToHexString, and simplified fetch logic.
src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/LocalCache.cs Rearranged using directives and added doc comment for cache inspection in tests.
src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/AzureSqlKeyCryptographer.cs Made class sealed, implemented IDisposable, and added semaphore-based thread safety.
Files not reviewed (1)
  • src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Strings.Designer.cs: Language not supported
Comments suppressed due to low confidence (2)

src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/SqlColumnEncryptionAzureKeyVaultProvider.cs:183

  • The exception only includes the key name; consider passing the full key identifier URI (masterKeyPath) to GetKeyFailed so consumers have full context of which vault path failed.
        /// <returns>Plain text column encryption key</returns>

src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/LocalCache.cs:95

  • You've documented the use of this method in unit tests—please add or update unit tests to explicitly cover LocalCache.ContainsKey and ensure the caching behavior works as intended.
        /// Used in unit tests to verify that the cache contains the expected entries.

benrr101
benrr101 approved these changes Jul 15, 2025
View reviewed changes
Copy link
Contributor

@benrr101 benrr101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 🪨

@codecov Codecov
Copy link

codecov bot commented Jul 15, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 84.28571% with 11 lines in your changes missing coverage. Please review.

Project coverage is 64.71%. Comparing base (6773a65) to head (a0a7bdf).
Report is 2 commits behind head on release/6.1.

Files with missing lines Patch % Lines
.../AzureKeyVaultProvider/AzureSqlKeyCryptographer.cs 75.00% 7 Missing ⚠️
...a.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs 0.00% 2 Missing ⚠️
...core/src/Microsoft/Data/SqlClient/SqlConnection.cs 66.66% 2 Missing ⚠️
Additional details and impacted files 
@@               Coverage Diff               @@
##           release/6.1    #3477      +/-   ##
===============================================
- Coverage        68.87%   64.71%   -4.16%     
===============================================
  Files              280      280              
  Lines            62322    62355      +33     
===============================================
- Hits             42927    40356    -2571     
- Misses           19395    21999    +2604
Flag Coverage Δ
addons 90.82% <76.31%> (-1.76%) ⬇️
netcore 68.96% <93.75%> (-3.82%) ⬇️
netfx 66.17% <100.00%> (-1.89%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@paulmedynski paulmedynski merged commit caf3792 into release/6.1 Jul 15, 2025
129 checks passed
@paulmedynski paulmedynski deleted the dev/mdaigle/port-3464 branch July 15, 2025 18:39
@paulmedynski paulmedynski changed the title [6.1] Fix encryption key cache design for AKV provider (#3464) [6.1] Fix encryption key cache design for AKV provider Jul 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@benrr101 benrr101 benrr101 approved these changes

@paulmedynski paulmedynski paulmedynski approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@mdaigle @benrr101 @paulmedynski @cheenamalhotra