Remove SupportsEncryption method. (#9390)

Originally encryption required a dedicated customer partition. Then
later we added encryption information into the pebble key which allowed
us to distinguish encrypted content for different customers.

Author: vadimberezniker

enterprise/server/backends/distributed/distributed.go

@@ -1438,7 +1438,3 @@ func (c *Cache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	}
 	return false
 }
-
-func (c *Cache) SupportsEncryption(ctx context.Context) bool {
-	return c.local.SupportsEncryption(ctx)
-}

enterprise/server/backends/gcs_cache/gcs_cache.go

@@ -526,7 +526,3 @@ func (g *GCSCache) Stop() error {
 func (g *GCSCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (g *GCSCache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

enterprise/server/backends/memcache/memcache.go

@@ -321,7 +321,3 @@ func (c *Cache) Stop() error {
 func (c *Cache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (c *Cache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

enterprise/server/backends/migration_cache/migration_cache.go

@@ -180,21 +180,6 @@ func pebbleCacheFromConfig(env environment.Env, cfg *PebbleCacheConfig) (*pebble
 	return c, nil
 }
 
-func (mc *MigrationCache) checkSafeToMigrate(ctx context.Context) error {
-	u, err := mc.env.GetAuthenticator().AuthenticatedUser(ctx)
-	if err != nil {
-		// This is an anon user which is ok.
-		return nil
-	}
-	if !u.GetCacheEncryptionEnabled() {
-		return nil
-	}
-	if mc.src.SupportsEncryption(ctx) && !mc.dest.SupportsEncryption(ctx) {
-		return status.FailedPreconditionError("not safe to copy from encrypted cache to unencrypted cache")
-	}
-	return nil
-}
-
 func (mc *MigrationCache) doubleRead() bool {
 	return mc.doubleReadPercentage > 0 && rand.Float64() < mc.doubleReadPercentage
 }
@@ -263,9 +248,6 @@ func (mc *MigrationCache) Metadata(ctx context.Context, r *rspb.ResourceName) (*
 }
 
 func (mc *MigrationCache) FindMissing(ctx context.Context, resources []*rspb.ResourceName) ([]*repb.Digest, error) {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return nil, err
-	}
 	srcMissing, srcErr := mc.src.FindMissing(ctx, resources)
 
 	if mc.doubleRead() {
@@ -301,9 +283,6 @@ func (mc *MigrationCache) FindMissing(ctx context.Context, resources []*rspb.Res
 }
 
 func (mc *MigrationCache) GetMulti(ctx context.Context, resources []*rspb.ResourceName) (map[*repb.Digest][]byte, error) {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return nil, err
-	}
 	srcData, srcErr := mc.src.GetMulti(ctx, resources)
 
 	go func() {
@@ -347,10 +326,6 @@ func (mc *MigrationCache) GetMulti(ctx context.Context, resources []*rspb.Resour
 }
 
 func (mc *MigrationCache) SetMulti(ctx context.Context, kvs map[*rspb.ResourceName][]byte) error {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return err
-	}
-
 	eg, gctx := errgroup.WithContext(ctx)
 	var srcErr, dstErr error
 
@@ -561,10 +536,6 @@ func (d *doubleReader) Close() error {
 }
 
 func (mc *MigrationCache) Reader(ctx context.Context, r *rspb.ResourceName, uncompressedOffset, limit int64) (io.ReadCloser, error) {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return nil, err
-	}
-
 	eg := &errgroup.Group{}
 	var dstErr error
 	var destReader io.ReadCloser
@@ -772,10 +743,6 @@ func (aw *asyncWriter) Close() error {
 }
 
 func (mc *MigrationCache) Writer(ctx context.Context, r *rspb.ResourceName) (interfaces.CommittedWriteCloser, error) {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return nil, err
-	}
-
 	if mc.asyncDestWrites {
 		// We will write to the destination cache in the background.
 		mc.sendNonBlockingCopy(ctx, r, false /*=onlyCopyMissing*/)
@@ -800,9 +767,6 @@ func (mc *MigrationCache) Writer(ctx context.Context, r *rspb.ResourceName) (int
 }
 
 func (mc *MigrationCache) Get(ctx context.Context, r *rspb.ResourceName) ([]byte, error) {
-	if err := mc.checkSafeToMigrate(ctx); err != nil {
-		return nil, err
-	}
 	srcBuf, srcErr := mc.src.Get(ctx, r)
 
 	go func() {
@@ -1053,7 +1017,3 @@ func (mc *MigrationCache) Stop() error {
 func (mc *MigrationCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return mc.src.SupportsCompressor(compressor) && mc.dest.SupportsCompressor(compressor)
 }
-
-func (mc *MigrationCache) SupportsEncryption(ctx context.Context) bool {
-	return mc.src.SupportsEncryption(ctx) && mc.dest.SupportsEncryption(ctx)
-}

enterprise/server/backends/pebble_cache/pebble_cache.go

@@ -3461,13 +3461,3 @@ func (p *PebbleCache) Stop() error {
 
 	return nil
 }
-
-func (p *PebbleCache) SupportsEncryption(ctx context.Context) bool {
-	_, partID := p.lookupGroupAndPartitionID(ctx, "")
-	for _, part := range p.partitions {
-		if part.ID == partID {
-			return part.EncryptionSupported
-		}
-	}
-	return false
-}

enterprise/server/backends/pebble_cache/pebble_cache_test.go

@@ -2861,70 +2861,6 @@ func BenchmarkSet(b *testing.B) {
 	}
 }
 
-func TestSupportsEncryption(t *testing.T) {
-	te := testenv.GetTestEnv(t)
-	apiKey1 := "AK2222"
-	group1 := "GR7890"
-	apiKey2 := "AK3333"
-	group2 := "GR1111"
-	testUsers := testauth.TestUsers(apiKey1, group1, apiKey2, group2)
-	te.SetAuthenticator(testauth.NewTestAuthenticator(testUsers))
-
-	maxSizeBytes := int64(1_000_000_000) // 1GB
-	rootDir := testfs.MakeTempDir(t)
-	group1PartitionID := "user1part"
-	group2PartitionID := "user2part"
-	opts := &pebble_cache.Options{
-		RootDirectory:          rootDir,
-		MaxSizeBytes:           maxSizeBytes,
-		MaxInlineFileSizeBytes: 100,
-		Partitions: []disk.Partition{
-			{
-				ID:           pebble_cache.DefaultPartitionID,
-				MaxSizeBytes: maxSizeBytes,
-			},
-			{
-				ID:           group1PartitionID,
-				MaxSizeBytes: maxSizeBytes,
-			},
-			{
-				ID:                  group2PartitionID,
-				MaxSizeBytes:        maxSizeBytes,
-				EncryptionSupported: true,
-			},
-		},
-		PartitionMappings: []disk.PartitionMapping{
-			{
-				GroupID:     group1,
-				PartitionID: group1PartitionID,
-			},
-			{
-				GroupID:     group2,
-				PartitionID: group2PartitionID,
-			},
-		},
-	}
-
-	pc, err := pebble_cache.NewPebbleCache(te, opts)
-	require.NoError(t, err)
-	err = pc.Start()
-	require.NoError(t, err)
-
-	// Anon write should go to the default partition which doesn't support
-	// encryption.
-	ctx := getAnonContext(t, te)
-	require.False(t, pc.SupportsEncryption(ctx))
-
-	// First group is mapped to a partition that does not have encryption
-	// support.
-	ctx = te.GetAuthenticator().AuthContextFromAPIKey(context.Background(), apiKey1)
-	require.False(t, pc.SupportsEncryption(ctx))
-
-	// Second user should be able to use encryption.
-	ctx = te.GetAuthenticator().AuthContextFromAPIKey(context.Background(), apiKey2)
-	require.True(t, pc.SupportsEncryption(ctx))
-}
-
 func TestSampling(t *testing.T) {
 	activeKeyVersion := int64(4)
 

enterprise/server/backends/redis_cache/redis_cache.go

@@ -372,7 +372,3 @@ func (c *Cache) Stop() error {
 func (c *Cache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (c *Cache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

enterprise/server/backends/s3_cache/s3_cache.go

@@ -616,7 +616,3 @@ func (s3c *S3Cache) Stop() error {
 func (s3c *S3Cache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (s3c *S3Cache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

enterprise/server/composable_cache/composable_cache.go

@@ -277,7 +277,3 @@ func (c *ComposableCache) Writer(ctx context.Context, r *rspb.ResourceName) (int
 func (c *ComposableCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (c *ComposableCache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

enterprise/server/raft/cache/cache.go

@@ -660,10 +660,6 @@ func (rc *RaftCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
 
-func (rc *RaftCache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}
-
 func (rc *RaftCache) olderThanThreshold(t time.Time, threshold time.Duration) bool {
 	age := rc.clock.Since(t)
 	return age >= threshold

server/backends/disk_cache/disk_cache.go

@@ -1229,7 +1229,3 @@ func (p *partition) writer(ctx context.Context, r *rspb.ResourceName) (interface
 func (c *DiskCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (c *DiskCache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

server/backends/memory_cache/memory_cache.go

@@ -246,7 +246,3 @@ func (m *MemoryCache) Stop() error {
 func (m *MemoryCache) SupportsCompressor(compressor repb.Compressor_Value) bool {
 	return compressor == repb.Compressor_IDENTITY
 }
-
-func (c *MemoryCache) SupportsEncryption(ctx context.Context) bool {
-	return false
-}

server/interfaces/interfaces.go

@@ -287,7 +287,6 @@ type Cache interface {
 
 	// SupportsCompressor returns whether the cache supports storing data compressed with the given compressor
 	SupportsCompressor(compressor repb.Compressor_Value) bool
-	SupportsEncryption(ctx context.Context) bool
 }
 
 type StoppableCache interface {

server/util/disk/disk.go

@@ -32,9 +32,8 @@ var (
 )
 
 type Partition struct {
-	ID                  string `yaml:"id" json:"id" usage:"The ID of the partition."`
-	MaxSizeBytes        int64  `yaml:"max_size_bytes" json:"max_size_bytes" usage:"Maximum size of the partition."`
-	EncryptionSupported bool   `yaml:"encryption_supported" json:"encryption_supported" usage:"Whether encrypted data can be stored on this partition."`
+	ID           string `yaml:"id" json:"id" usage:"The ID of the partition."`
+	MaxSizeBytes int64  `yaml:"max_size_bytes" json:"max_size_bytes" usage:"Maximum size of the partition."`
 }
 
 type PartitionMapping struct {