Reuse known keys in XmlKeyManager (#54490)

* Flatten key type hierarchy

We weren't actually using polymorphism and this makes cloning easier.

* Reuse known keys in XmlKeyManager

Keys read from the IXmlRepository (as opposed to created) use deferred decryption but may still be decrypted multiple times.  Since they're immutable (other than revocation), keep track of the keys we've seen and reuse them next time they're returned from the IXmlRepository.

In the absence of deletion support, we don't expect the list of keys to ever shrink, so there's no reason to prune the cache.

While this is likely a perf win, it's a small perf win and only once a day, so it would probably not be worthwhile on that basis alone.  However, this should also reduce the number of calls to `IXmlDecryptor.Decrypt` (which may, e.g., make an Azure KeyVault request).  Each time the key ring is refreshed, it requests all keys from the key manager, clobbering all keys that may have already been decrypted (at least the default key will have been).  In the single app-instance case, for example, there should be no need to call Decrypt at all for any key created during the current execution of the app (old keys will have to be decrypted the first time they're used).

This shouldn't affect security because (a) the key ring already stores all the `IKeys` all the time and (b) `IKey` wraps the actual data in an `ISecret`.

It would have been nice to pass the key ring's list of known keys to the key manager, rather than having it store its own cache, but the key ring's storage format would require abstraction violations that would work poorly with our public extension points.

Author: amcasey

src/DataProtection/DataProtection/src/KeyManagement/DeferredKey.cs

@@ -3,30 +3,156 @@
 
 using System;
 using System.Collections.Generic;
+using System.Xml.Linq;
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
 
 namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
 
 /// <summary>
-/// The basic implementation of <see cref="IKey"/>, where the <see cref="IAuthenticatedEncryptorDescriptor"/>
-/// has already been created.
+/// The basic implementation of <see cref="IKey"/>.
 /// </summary>
-internal sealed class Key : KeyBase
+internal sealed class Key : IKey
 {
+    private readonly Lazy<IAuthenticatedEncryptorDescriptor> _lazyDescriptor;
+    private readonly IEnumerable<IAuthenticatedEncryptorFactory> _encryptorFactories;
+
+    private IAuthenticatedEncryptor? _encryptor;
+
+    /// <summary>
+    /// The basic implementation of <see cref="IKey"/>, where the <see cref="IAuthenticatedEncryptorDescriptor"/>
+    /// has already been created.
+    /// </summary>
     public Key(
         Guid keyId,
         DateTimeOffset creationDate,
         DateTimeOffset activationDate,
         DateTimeOffset expirationDate,
         IAuthenticatedEncryptorDescriptor descriptor,
         IEnumerable<IAuthenticatedEncryptorFactory> encryptorFactories)
-        : base(keyId,
+        : this(keyId,
               creationDate,
               activationDate,
               expirationDate,
               new Lazy<IAuthenticatedEncryptorDescriptor>(() => descriptor),
               encryptorFactories)
     {
     }
+
+    /// <summary>
+    /// The basic implementation of <see cref="IKey"/>, where the incoming XML element
+    /// hasn't yet been fully processed.
+    /// </summary>
+    public Key(
+        Guid keyId,
+        DateTimeOffset creationDate,
+        DateTimeOffset activationDate,
+        DateTimeOffset expirationDate,
+        IInternalXmlKeyManager keyManager,
+        XElement keyElement,
+        IEnumerable<IAuthenticatedEncryptorFactory> encryptorFactories)
+        : this(keyId,
+              creationDate,
+              activationDate,
+              expirationDate,
+              new Lazy<IAuthenticatedEncryptorDescriptor>(GetLazyDescriptorDelegate(keyManager, keyElement)),
+              encryptorFactories)
+    {
+    }
+
+    private Key(
+        Guid keyId,
+        DateTimeOffset creationDate,
+        DateTimeOffset activationDate,
+        DateTimeOffset expirationDate,
+        Lazy<IAuthenticatedEncryptorDescriptor> lazyDescriptor,
+        IEnumerable<IAuthenticatedEncryptorFactory> encryptorFactories)
+    {
+        KeyId = keyId;
+        CreationDate = creationDate;
+        ActivationDate = activationDate;
+        ExpirationDate = expirationDate;
+        _lazyDescriptor = lazyDescriptor;
+        _encryptorFactories = encryptorFactories;
+    }
+
+    public DateTimeOffset ActivationDate { get; }
+
+    public DateTimeOffset CreationDate { get; }
+
+    public DateTimeOffset ExpirationDate { get; }
+
+    public bool IsRevoked { get; private set; }
+
+    public Guid KeyId { get; }
+
+    public IAuthenticatedEncryptorDescriptor Descriptor
+    {
+        get
+        {
+            return _lazyDescriptor.Value;
+        }
+    }
+
+    public IAuthenticatedEncryptor? CreateEncryptor()
+    {
+        if (_encryptor == null)
+        {
+            foreach (var factory in _encryptorFactories)
+            {
+                var encryptor = factory.CreateEncryptorInstance(this);
+                if (encryptor != null)
+                {
+                    _encryptor = encryptor;
+                    break;
+                }
+            }
+        }
+
+        return _encryptor;
+    }
+
+    internal void SetRevoked()
+    {
+        IsRevoked = true;
+    }
+
+    internal Key Clone()
+    {
+        return new Key(
+            keyId: KeyId,
+            creationDate: CreationDate,
+            activationDate: ActivationDate,
+            expirationDate: ExpirationDate,
+            lazyDescriptor: _lazyDescriptor,
+            encryptorFactories: _encryptorFactories)
+        {
+            IsRevoked = IsRevoked,
+        };
+    }
+
+    private static Func<IAuthenticatedEncryptorDescriptor> GetLazyDescriptorDelegate(IInternalXmlKeyManager keyManager, XElement keyElement)
+    {
+        // The <key> element will be held around in memory for a potentially lengthy period
+        // of time. Since it might contain sensitive information, we should protect it.
+        var encryptedKeyElement = keyElement.ToSecret();
+
+        try
+        {
+            return GetLazyDescriptorDelegate;
+        }
+        finally
+        {
+            // It's important that the lambda above doesn't capture 'descriptorElement'. Clearing the reference here
+            // helps us detect if we've done this by causing a null ref at runtime.
+            keyElement = null!;
+        }
+
+        IAuthenticatedEncryptorDescriptor GetLazyDescriptorDelegate()
+        {
+            return keyManager.DeserializeDescriptorFromKeyElement(encryptedKeyElement.ToXElement());
+        }
+    }
 }