Encrypted JSONB operators and functions

Author: tobyhede

diagrams/overview-insert.drawio.svg

@@ -0,0 +1,40 @@
+-- REQUIRE: src/schema.sql
+-- REQUIRE: src/mac/types.sql
+
+
+-- extracts ste_vec index from a jsonb value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val jsonb);
+
+-- extracts blake3 index from a jsonb value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val jsonb);
+
+CREATE FUNCTION eql_v1.blake3(val jsonb)
+  RETURNS eql_v1.blake3
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+	BEGIN
+
+    IF NOT (val ? 'b') NULL THEN
+        RAISE 'Expected a blake3 index (b) value in json: %', val;
+    END IF;
+
+    IF val->>'b' IS NULL THEN
+      RETURN NULL;
+    END IF;
+
+    RETURN val->>'b';
+  END;
+$$ LANGUAGE plpgsql;
+
+
+-- extracts blake3 index from an eql_v1_encrypted value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val eql_v1_encrypted);
+
+CREATE FUNCTION eql_v1.blake3(val eql_v1_encrypted)
+  RETURNS eql_v1.blake3
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+  BEGIN
+    RETURN (SELECT eql_v1.blake3(val.data));
+  END;
+$$ LANGUAGE plpgsql;

diagrams/overview-select.drawio.svg

@@ -0,0 +1,4 @@
+-- REQUIRE: src/schema.sql
+
+DROP DOMAIN IF EXISTS eql_v1.blake3;
+CREATE DOMAIN eql_v1.blake3 AS text;

src/blake3/functions.sql

@@ -2,6 +2,54 @@
 -- REQUIRE: src/schema.sql
 
 
+-- Constant time comparison of 2 bytea values
+DROP FUNCTION IF EXISTS eql_v1.bytea_eq(a bytea, b bytea);
+
+CREATE FUNCTION eql_v1.bytea_eq(a bytea, b bytea) RETURNS boolean AS $$
+DECLARE
+    result boolean;
+    differing bytea;
+BEGIN
+
+    -- Check if the bytea values are the same length
+    IF LENGTH(a) != LENGTH(b) THEN
+        RETURN false;
+    END IF;
+
+    -- Compare each byte in the bytea values
+    result := true;
+    FOR i IN 1..LENGTH(a) LOOP
+        IF SUBSTRING(a FROM i FOR 1) != SUBSTRING(b FROM i FOR 1) THEN
+            result := result AND false;
+        END IF;
+    END LOOP;
+
+    RETURN result;
+END;
+$$ LANGUAGE plpgsql;
+
+
+DROP FUNCTION IF EXISTS eql_v1.jsonb_array_to_bytea_array(val jsonb);
+
+-- Casts a jsonb array of hex-encoded strings to an array of bytea.
+CREATE FUNCTION eql_v1.jsonb_array_to_bytea_array(val jsonb)
+RETURNS bytea[] AS $$
+DECLARE
+  terms_arr bytea[];
+BEGIN
+  IF jsonb_typeof(val) = 'null' THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT array_agg(decode(value::text, 'hex')::bytea)
+    INTO terms_arr
+  FROM jsonb_array_elements_text(val) AS value;
+
+  RETURN terms_arr;
+END;
+$$ LANGUAGE plpgsql;
+
+
 
 --
 -- Convenience function to log a message

src/blake3/types.sql

@@ -18,6 +18,18 @@ AS $$
   END;
 $$ LANGUAGE plpgsql;
 
+DROP FUNCTION IF EXISTS eql_v1.ciphertext(val eql_v1_encrypted);
+
+CREATE FUNCTION eql_v1.ciphertext(val eql_v1_encrypted)
+  RETURNS text
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+	BEGIN
+    RETURN eql_v1.ciphertext(val.data);
+  END;
+$$ LANGUAGE plpgsql;
+
+
 
 DROP FUNCTION IF EXISTS eql_v1.to_jsonb(val eql_v1_encrypted);
 

src/common.sql

@@ -28,5 +28,3 @@ AS $$
     RETURN (SELECT eql_v1.match(val.data));
   END;
 $$ LANGUAGE plpgsql;
-
-

src/encrypted/functions.sql

@@ -1,51 +1,47 @@
 
+-- REQUIRE: src/schema.sql
 -- REQUIRE: src/encrypted/types.sql
 -- REQUIRE: src/encrypted/functions.sql
 
 
-
+--
+-- The -> operator returns an encrypted matching the selector
+-- Encyprted JSON is represented as an array of `eql_v1_encrypted`.
+-- Each `eql_v1_encrypted` value has a selector, ciphertext, and an index term of
+--   - blake3
+--   - ore_cllw_u64_8
+--   - ore_cllw_var_8
+--
+--     {
+--       "sv": [ {"c": "", "s": "", "b": "" } ]
+--     }
+--
 DROP OPERATOR IF EXISTS -> (eql_v1_encrypted, text);
+
 DROP FUNCTION IF EXISTS eql_v1."->"(e eql_v1_encrypted, selector text);
 
---
--- Returns
---
 CREATE FUNCTION eql_v1."->"(e eql_v1_encrypted, selector text)
   RETURNS eql_v1_encrypted
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
-  -- DECLARE
-  --   j jsonb;
-  --   found: text;
-  --   ignored: text;
+  DECLARE
+    sv eql_v1_encrypted[];
+    found eql_v1_encrypted;
 	BEGIN
 
-    -- j := e->'j';
-    -- PERFORM eql_v1.log(j);
+    IF e IS NULL THEN
+      RETURN NULL;
+    END IF;
 
-    -- FOR i IN 1..jsonb_array_length(j, 1) LOOP
-    -- --     -- The ELSE part is to help ensure constant time operation.
-    -- --     -- The result is thrown away.
-    --     IF j[i]->'s' = selector THEN
-    --       found := j[i]->'c';
-    --     ELSE
-    --       ignored := j[i]->'c';
-    --     END IF;
-    -- END LOOP;
+    sv := eql_v1.ste_vec(e);
 
-    -- IF found IS NOT NULL THEN
-    --   RETURN found;
-    -- ELSE
-    --   RETURN NULL;
-    -- END IF;
-
-    RETURN (
-      SELECT elem::eql_v1_encrypted
-        FROM jsonb_array_elements(e.data->'j') AS elem
-        WHERE elem->>'s' = selector
-        LIMIT 1
-    );
+    FOR idx IN 1..array_length(sv, 1) LOOP
+      if eql_v1.selector(sv[idx]) = selector THEN
+        found := sv[idx];
+      END IF;
+    END LOOP;
 
+    RETURN found;
   END;
 $$ LANGUAGE plpgsql;
 
@@ -56,35 +52,3 @@ CREATE OPERATOR ->(
   RIGHTARG=text
 );
 
-
---   ste_vec_index := eql_v1.ste_vec(col);
-
---   IF ste_vec_index IS NULL THEN
---     RETURN NULL;
---   END IF;
-
---   target_selector := selector->>'svs';
-
---   FOR i IN 1..array_length(ste_vec_index.entries, 1) LOOP
---       -- The ELSE part is to help ensure constant time operation.
---       -- The result is thrown away.
---       IF ste_vec_index.entries[i].tokenized_selector = target_selector THEN
---         found := ste_vec_index.entries[i].ciphertext;
---       ELSE
---         ignored := ste_vec_index.entries[i].ciphertext;
---       END IF;
---   END LOOP;
-
---   IF found IS NOT NULL THEN
---     RETURN jsonb_build_object(
---       'k', 'ct',
---       'c', found,
---       'o', NULL,
---       'm', NULL,
---       'u', NULL,
---       'i', col->'i',
---       'v', 1
---     );
---   ELSE
---     RETURN NULL;
---   END IF;

src/match/functions.sql

@@ -1,8 +1,8 @@
+-- REQUIRE: src/schema.sql
 -- REQUIRE: src/encrypted/types.sql
 -- REQUIRE: src/encrypted/functions.sql
 
 
-
 DROP OPERATOR IF EXISTS ->> (eql_v1_encrypted, text);
 DROP FUNCTION IF EXISTS eql_v1."->>"(e eql_v1_encrypted, selector text);
 
@@ -11,22 +11,28 @@ CREATE FUNCTION eql_v1."->>"(e eql_v1_encrypted, selector text)
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
   DECLARE
-    j jsonb;
+    vec jsonb;
     found text;
     ignored text;
 	BEGIN
-    -- j := e.data->'j';
-    -- -- PERFORM eql_v1.log(j::text);
-    -- PERFORM eql_v1.log('jsonb_array_length(j)');
-    -- PERFORM eql_v1.log(jsonb_array_length(j)::text);
-
-    -- FOR i IN 0..jsonb_array_length(j) LOOP
-    --     -- The ELSE part is to help ensure constant time operation.
-    --     -- The result is thrown away.
-    --     IF j[i]->>'s' = selector THEN
-    --       found := eql_v1.ciphertext(j->i);
+   -- Parent StructuredVec data
+    vec := eql_v1.ste_vec(e.data);
+
+    RETURN (
+      SELECT elem::text
+        FROM jsonb_array_elements(vec) AS elem
+        WHERE eql_v1.selector(elem) = selector
+        LIMIT 1
+    );
+
+    --
+    -- Constant time version
+    --
+    -- FOR i IN 0..jsonb_array_length(vec) LOOP
+    --     IF vec->i->>'s' = selector THEN
+    --       found := eql_v1.ciphertext(vec->i);
     --     ELSE
-    --       ignored := eql_v1.ciphertext(j->i);
+    --       ignored := eql_v1.ciphertext(vec->i);
     --     END IF;
     -- END LOOP;
 
@@ -35,12 +41,7 @@ AS $$
     -- ELSE
     --   RETURN NULL;
     -- END IF;
-    RETURN (
-      SELECT eql_v1.ciphertext(elem)
-        FROM jsonb_array_elements(e.data->'j') AS elem
-        WHERE elem->>'s' = selector
-        LIMIT 1
-    );
+
   END;
 $$ LANGUAGE plpgsql;
 

src/operators/->.sql

@@ -0,0 +1,41 @@
+\set ON_ERROR_STOP on
+
+
+SELECT create_table_with_encrypted();
+SELECT seed_encrypted_json();
+
+--
+-- The ->> operator returns an encrypted matching the selector
+DO $$
+  BEGIN
+    PERFORM assert_result(
+        'Fetch ciphertext from encrypted column',
+        'SELECT e->>''bca213de9ccce676fa849ff9c4807963'' FROM encrypted LIMIT 1;',
+        'mBbLGB9xHAGzLvUj-`@Wmf=IhD87n7r3ir3n!Sk6AKir_YawR=0c>pk(OydB;ntIEXK~c>V&4>)rNkf<JN7fmlO)c^iBv;-X0+3XyK5d`&&I-oeIEOcwPf<3zy');
+
+    PERFORM assert_count(
+        'Fetch ciphertext from encrypted column',
+        'SELECT e->>''bca213de9ccce676fa849ff9c4807963'' FROM encrypted;',
+        3);
+  END;
+$$ LANGUAGE plpgsql;
+
+
+--
+-- encrypted returned from -> operator expression called via eql_v1.ciphertext
+--
+DO $$
+  DECLARE
+    result eql_v1_encrypted;
+  BEGIN
+    PERFORM assert_result(
+        'Fetch ciphertext from encrypted column',
+        'SELECT eql_v1.ciphertext(e->''2517068c0d1f9d4d41d2c666211f785e'') FROM encrypted LIMIT 1;',
+        'mBbLGB9xHAGzLvUj-`@Wmf=IhD87n7r3ir3n!Sk6AKir_YawR=0c>pk(OydB;ntIEXK~c>V&4>)rNkf<JN7fmlO)c^iBv;-X0+3XyK5d`&&I-oeIEOcwPf<3zy');
+
+    PERFORM assert_count(
+        'Fetch ciphertext from encrypted column',
+        'SELECT eql_v1.ciphertext(e->''2517068c0d1f9d4d41d2c666211f785e'') FROM encrypted;',
+        3);
+  END;
+$$ LANGUAGE plpgsql;