feat: introduce encryption algo registry (#5423)

* feat: introduce encryption algo registry

* chore: pr remarks

Author: wolf4ood

core/common/lib/encryption-lib/build.gradle.kts

@@ -0,0 +1,23 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+}
+
+dependencies {
+    api(project(":spi:common:encryption-spi"))
+}
+
+

core/common/lib/encryption-lib/src/main/java/org/eclipse/edc/encryption/EncryptionAlgorithmRegistryImpl.java

@@ -0,0 +1,64 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.encryption;
+
+import org.eclipse.edc.spi.result.Result;
+
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class EncryptionAlgorithmRegistryImpl implements EncryptionAlgorithmRegistry {
+
+    private final Map<String, EncryptionAlgorithm> algorithms = new ConcurrentHashMap<>();
+
+    private final boolean failOnUnsupported;
+
+    public EncryptionAlgorithmRegistryImpl(boolean failOnUnsupported) {
+        this.failOnUnsupported = failOnUnsupported;
+    }
+
+    @Override
+    public void register(String algorithm, EncryptionAlgorithm service) {
+        algorithms.put(algorithm, service);
+    }
+
+    @Override
+    public boolean supports(String algorithm) {
+        return algorithms.containsKey(algorithm);
+    }
+
+    @Override
+    public Result<String> encrypt(String algorithm, String plainText) {
+        return Optional.ofNullable(algorithms.get(algorithm))
+                .map(encryptionAlgorithm -> encryptionAlgorithm.encrypt(plainText))
+                .orElseGet(() -> unsupportedAlgorithm(plainText, algorithm));
+    }
+
+    @Override
+    public Result<String> decrypt(String algorithm, String cipherText) {
+        return Optional.ofNullable(algorithms.get(algorithm))
+                .map(encryptionAlgorithm -> encryptionAlgorithm.decrypt(cipherText))
+                .orElseGet(() -> unsupportedAlgorithm(cipherText, algorithm));
+    }
+
+    private Result<String> unsupportedAlgorithm(String text, String algorithm) {
+        if (failOnUnsupported) {
+            return Result.failure("Unsupported encryption algorithm: " + algorithm);
+        } else {
+            return Result.success(text);
+        }
+    }
+}

core/common/lib/encryption-lib/src/test/java/org/eclipse/edc/encryption/EncryptionAlgorithmRegistryImplTest.java

@@ -0,0 +1,72 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.encryption;
+
+import org.eclipse.edc.spi.result.Result;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class EncryptionAlgorithmRegistryImplTest {
+
+    private final EncryptionAlgorithm algorithm = mock();
+
+    @Test
+    void registerAndSupports() {
+        var registry = new EncryptionAlgorithmRegistryImpl(true);
+        assertFalse(registry.supports("echo"));
+
+        registry.register("echo", algorithm);
+        assertTrue(registry.supports("echo"));
+    }
+
+    @Test
+    void encryptAndDecryptWithRegisteredAlgorithm() {
+        var registry = new EncryptionAlgorithmRegistryImpl(true);
+        when(algorithm.encrypt(anyString())).then(a -> Result.success("enc:" + a.getArgument(0)));
+        when(algorithm.decrypt(anyString())).then(a -> Result.success("dec:" + a.getArgument(0)));
+        registry.register("echo", algorithm);
+
+        Result<String> encryptResult = registry.encrypt("echo", "hello");
+        assertTrue(encryptResult.succeeded());
+        assertEquals("enc:hello", encryptResult.getContent());
+
+        Result<String> decryptResult = registry.decrypt("echo", "ciph");
+        assertTrue(decryptResult.succeeded());
+        assertEquals("dec:ciph", decryptResult.getContent());
+    }
+
+    @Test
+    void unsupportedAlgorithm_whenFailOnUnsupported_true_returnsFailure() {
+        var registry = new EncryptionAlgorithmRegistryImpl(true);
+
+        Result<String> res = registry.encrypt("unknown", "plain");
+        assertFalse(res.succeeded());
+    }
+
+    @Test
+    void unsupportedAlgorithm_whenFailOnUnsupported_false_returnsPlainText() {
+        var registry = new EncryptionAlgorithmRegistryImpl(false);
+
+        Result<String> res = registry.encrypt("unknown", "plain");
+        assertTrue(res.succeeded());
+        assertEquals("plain", res.getContent());
+    }
+}

core/common/participant-context-config-core/src/main/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImpl.java

@@ -14,7 +14,7 @@
 
 package org.eclipse.edc.participantcontext.config;
 
-import org.eclipse.edc.encryption.EncryptionService;
+import org.eclipse.edc.encryption.EncryptionAlgorithmRegistry;
 import org.eclipse.edc.participantcontext.spi.config.ParticipantContextConfig;
 import org.eclipse.edc.participantcontext.spi.config.model.ParticipantContextConfiguration;
 import org.eclipse.edc.participantcontext.spi.config.store.ParticipantContextConfigStore;
@@ -31,13 +31,15 @@
 public class ParticipantContextConfigImpl implements ParticipantContextConfig {
 
 
-    private final EncryptionService encryptionService;
+    private final EncryptionAlgorithmRegistry registry;
+    private final String encryptionAlgorithm;
     private final ParticipantContextConfigStore configStore;
     private final TransactionContext transactionContext;
 
 
-    public ParticipantContextConfigImpl(EncryptionService encryptionService, ParticipantContextConfigStore configStore, TransactionContext transactionContext) {
-        this.encryptionService = encryptionService;
+    public ParticipantContextConfigImpl(EncryptionAlgorithmRegistry registry, String encryptionAlgorithm, ParticipantContextConfigStore configStore, TransactionContext transactionContext) {
+        this.registry = registry;
+        this.encryptionAlgorithm = encryptionAlgorithm;
         this.configStore = configStore;
         this.transactionContext = transactionContext;
     }
@@ -89,7 +91,7 @@ public String getSensitiveString(String participantContextId, String key) {
         if (encryptedValue == null) {
             return null;
         }
-        return encryptionService.decrypt(encryptedValue)
+        return registry.decrypt(encryptionAlgorithm, encryptedValue)
                 .orElseThrow(f -> new EdcException(format("Failed to decrypt sensitive config value for key %s and participant context %s", key, participantContextId)));
     }
 

core/common/participant-context-config-core/src/main/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigServicesExtension.java

@@ -14,41 +14,53 @@
 
 package org.eclipse.edc.participantcontext.config;
 
-import org.eclipse.edc.encryption.EncryptionService;
+import org.eclipse.edc.encryption.EncryptionAlgorithmRegistry;
 import org.eclipse.edc.participantcontext.config.service.ParticipantContextConfigServiceImpl;
 import org.eclipse.edc.participantcontext.spi.config.ParticipantContextConfig;
 import org.eclipse.edc.participantcontext.spi.config.service.ParticipantContextConfigService;
 import org.eclipse.edc.participantcontext.spi.config.store.ParticipantContextConfigStore;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Provider;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.transaction.spi.TransactionContext;
 
-import static org.eclipse.edc.participantcontext.config.defaults.ParticipantContextConfigDefaultServicesExtension.NAME;
+import static org.eclipse.edc.participantcontext.config.ParticipantContextConfigServicesExtension.NAME;
 
 @Extension(NAME)
 public class ParticipantContextConfigServicesExtension implements ServiceExtension {
 
     public static final String NAME = "Participant Context Config Services Extension";
 
+    @Setting(
+            description = "The encryption algorithm used for encrypting and decrypting sensitive config.",
+            key = "edc.participants.config.encryption.algorithm",
+            defaultValue = "aes"
+    )
+    private String encryptionAlgorithm;
+
     @Inject
     private ParticipantContextConfigStore configStore;
 
     @Inject
     private TransactionContext transactionContext;
 
     @Inject
-    private EncryptionService encryptionService;
+    private EncryptionAlgorithmRegistry encryptionRegistry;
+
+    @Inject
+    private Monitor monitor;
 
     @Provider
     public ParticipantContextConfigService participantContextConfigService() {
-        return new ParticipantContextConfigServiceImpl(encryptionService, configStore, transactionContext);
+        return new ParticipantContextConfigServiceImpl(encryptionRegistry, encryptionAlgorithm, configStore, transactionContext);
     }
 
     @Provider
     public ParticipantContextConfig participantContextConfig() {
-        return new ParticipantContextConfigImpl(encryptionService, configStore, transactionContext);
+        return new ParticipantContextConfigImpl(encryptionRegistry, encryptionAlgorithm, configStore, transactionContext);
     }
 
 }

core/common/participant-context-config-core/src/main/java/org/eclipse/edc/participantcontext/config/service/ParticipantContextConfigServiceImpl.java

@@ -14,7 +14,7 @@
 
 package org.eclipse.edc.participantcontext.config.service;
 
-import org.eclipse.edc.encryption.EncryptionService;
+import org.eclipse.edc.encryption.EncryptionAlgorithmRegistry;
 import org.eclipse.edc.participantcontext.spi.config.model.ParticipantContextConfiguration;
 import org.eclipse.edc.participantcontext.spi.config.service.ParticipantContextConfigService;
 import org.eclipse.edc.participantcontext.spi.config.store.ParticipantContextConfigStore;
@@ -28,12 +28,14 @@
 
 public class ParticipantContextConfigServiceImpl implements ParticipantContextConfigService {
 
-    private final EncryptionService encryptionService;
+    private final EncryptionAlgorithmRegistry encryptionRegistry;
+    private final String encryptionAlgorithm;
     private final ParticipantContextConfigStore configStore;
     private final TransactionContext transactionContext;
 
-    public ParticipantContextConfigServiceImpl(EncryptionService encryptionService, ParticipantContextConfigStore configStore, TransactionContext transactionContext) {
-        this.encryptionService = encryptionService;
+    public ParticipantContextConfigServiceImpl(EncryptionAlgorithmRegistry encryptionRegistry, String encryptionAlgorithm, ParticipantContextConfigStore configStore, TransactionContext transactionContext) {
+        this.encryptionRegistry = encryptionRegistry;
+        this.encryptionAlgorithm = encryptionAlgorithm;
         this.configStore = configStore;
         this.transactionContext = transactionContext;
     }
@@ -68,7 +70,7 @@ private Result<ParticipantContextConfiguration> encryptEntries(ParticipantContex
     }
 
     private Result<Map.Entry<String, String>> encryptEntryMap(Map.Entry<String, String> entry) {
-        return encryptionService.encrypt(entry.getValue())
+        return encryptionRegistry.encrypt(encryptionAlgorithm, entry.getValue())
                 .map(encrypted -> Map.entry(entry.getKey(), encrypted));
     }
 

core/common/participant-context-config-core/src/test/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImplTest.java

@@ -14,7 +14,7 @@
 
 package org.eclipse.edc.participantcontext.config;
 
-import org.eclipse.edc.encryption.EncryptionService;
+import org.eclipse.edc.encryption.EncryptionAlgorithmRegistry;
 import org.eclipse.edc.participantcontext.spi.config.ParticipantContextConfig;
 import org.eclipse.edc.participantcontext.spi.config.model.ParticipantContextConfiguration;
 import org.eclipse.edc.participantcontext.spi.config.store.ParticipantContextConfigStore;
@@ -43,8 +43,8 @@ public class ParticipantContextConfigImplTest {
 
     private static final String PARTICIPANT_CONTEXT_ID = "participantContextId";
     private final ParticipantContextConfigStore store = mock();
-    private final EncryptionService encryptionService = mock();
-    private final ParticipantContextConfig contextConfig = new ParticipantContextConfigImpl(encryptionService, store, new NoopTransactionContext());
+    private final EncryptionAlgorithmRegistry registry = mock();
+    private final ParticipantContextConfig contextConfig = new ParticipantContextConfigImpl(registry, "any", store, new NoopTransactionContext());
 
     @ParameterizedTest
     @ArgumentsSource(SettingProvider.class)
@@ -88,40 +88,6 @@ void notFound(SettingCall setting, String key, String value, Object expectedValu
 
     }
 
-    @Nested
-    class GetSensitiveString {
-
-        @Test
-        void shouldGetPrivateSetting() {
-            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
-                    .entries(Map.of("key", "value"))
-                    .privateEntries(Map.of("private.key", "encryptedValue"))
-                    .build();
-
-            when(encryptionService.decrypt("encryptedValue")).thenReturn(Result.success("decryptedValue"));
-            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
-
-            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "private.key");
-
-            assertThat(result).isNotNull()
-                    .isEqualTo("decryptedValue");
-        }
-
-        @Test
-        void shouldReturnNull_whenNoSettingFound() {
-            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
-                    .entries(emptyMap())
-                    .privateEntries(emptyMap())
-                    .build();
-            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
-
-            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "any");
-
-            assertThat(result).isNull();
-            verifyNoInteractions(encryptionService);
-        }
-    }
-
     @FunctionalInterface
     private interface SettingCall {
         Object call(ParticipantContextConfig service, String participantContextId, String key);
@@ -167,4 +133,38 @@ public Stream<? extends Arguments> provideArguments(ExtensionContext context) {
             );
         }
     }
+
+    @Nested
+    class GetSensitiveString {
+
+        @Test
+        void shouldGetPrivateSetting() {
+            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
+                    .entries(Map.of("key", "value"))
+                    .privateEntries(Map.of("private.key", "encryptedValue"))
+                    .build();
+
+            when(registry.decrypt("any", "encryptedValue")).thenReturn(Result.success("decryptedValue"));
+            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
+
+            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "private.key");
+
+            assertThat(result).isNotNull()
+                    .isEqualTo("decryptedValue");
+        }
+
+        @Test
+        void shouldReturnNull_whenNoSettingFound() {
+            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
+                    .entries(emptyMap())
+                    .privateEntries(emptyMap())
+                    .build();
+            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
+
+            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "any");
+
+            assertThat(result).isNull();
+            verifyNoInteractions(registry);
+        }
+    }
 }