rename EncryptionCtx back to EncryptionAccess (#2368)

* rename EncryptionCtx back to EncryptionAccess

Change-Id: I5e58915a59979ad6f2e83d36e191b2bbf3ba2ba2

* missed some stuff

Change-Id: Ib65fb186d7f854c0406e5fd7d11498e8941da59e

* oops protolock

Change-Id: I85a5ab4bafb9dd6a804d3dcd17a70811702f07e4

* retrigger

Change-Id: I2d0e3f02b4dbae0299b090e9617662b4437980b0

cmd/gateway/main.go

@@ -225,7 +225,7 @@ func (flags GatewayFlags) action(ctx context.Context, cliCtx *cli.Context) (err
 
 // NewGateway creates a new minio Gateway
 func (flags GatewayFlags) NewGateway(ctx context.Context) (gw minio.Gateway, err error) {
-	encCtx, err := setup.LoadEncryptionCtx(ctx, flags.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, flags.Enc)
 	if err != nil {
 		return nil, err
 	}
@@ -237,7 +237,7 @@ func (flags GatewayFlags) NewGateway(ctx context.Context) (gw minio.Gateway, err
 
 	return miniogw.NewStorjGateway(
 		project,
-		encCtx,
+		access,
 		storj.Cipher(flags.Enc.PathType).ToCipherSuite(),
 		flags.GetEncryptionScheme().ToEncryptionParameters(),
 		flags.GetRedundancyScheme(),

cmd/uplink/cmd/cp.go

@@ -83,12 +83,12 @@ func upload(ctx context.Context, src fpath.FPath, dst fpath.FPath, showProgress
 		return fmt.Errorf("source cannot be a directory: %s", src)
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
-	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), encCtx)
+	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), access)
 	if err != nil {
 		return err
 	}
@@ -136,12 +136,12 @@ func download(ctx context.Context, src fpath.FPath, dst fpath.FPath, showProgres
 		return fmt.Errorf("destination must be local path: %s", dst)
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
-	project, bucket, err := cfg.GetProjectAndBucket(ctx, src.Bucket(), encCtx)
+	project, bucket, err := cfg.GetProjectAndBucket(ctx, src.Bucket(), access)
 	if err != nil {
 		return err
 	}
@@ -215,12 +215,12 @@ func copyObject(ctx context.Context, src fpath.FPath, dst fpath.FPath) (err erro
 		return fmt.Errorf("destination must be Storj URL: %s", dst)
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
-	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), encCtx)
+	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), access)
 	if err != nil {
 		return err
 	}

cmd/uplink/cmd/ls.go

@@ -43,7 +43,7 @@ func list(cmd *cobra.Command, args []string) error {
 		}
 	}()
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
@@ -58,7 +58,7 @@ func list(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("No bucket specified, use format sj://bucket/")
 		}
 
-		bucket, err := project.OpenBucket(ctx, src.Bucket(), encCtx)
+		bucket, err := project.OpenBucket(ctx, src.Bucket(), access)
 		if err != nil {
 			return err
 		}
@@ -87,7 +87,7 @@ func list(cmd *cobra.Command, args []string) error {
 			for _, bucket := range list.Items {
 				fmt.Println("BKT", formatTime(bucket.Created), bucket.Name)
 				if *recursiveFlag {
-					if err := listFilesFromBucket(ctx, project, bucket.Name, encCtx); err != nil {
+					if err := listFilesFromBucket(ctx, project, bucket.Name, access); err != nil {
 						return err
 					}
 				}
@@ -106,13 +106,13 @@ func list(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func listFilesFromBucket(ctx context.Context, project *libuplink.Project, bucketName string, encCtx *libuplink.EncryptionCtx) error {
+func listFilesFromBucket(ctx context.Context, project *libuplink.Project, bucketName string, access *libuplink.EncryptionAccess) error {
 	prefix, err := fpath.New(fmt.Sprintf("sj://%s/", bucketName))
 	if err != nil {
 		return err
 	}
 
-	bucket, err := project.OpenBucket(ctx, bucketName, encCtx)
+	bucket, err := project.OpenBucket(ctx, bucketName, access)
 	if err != nil {
 		return err
 	}

cmd/uplink/cmd/rb.go

@@ -42,12 +42,12 @@ func deleteBucket(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("Nested buckets not supported, use format sj://bucket/")
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
-	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), encCtx)
+	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), access)
 	if err != nil {
 		return convertError(err, dst)
 	}

cmd/uplink/cmd/rm.go

@@ -37,12 +37,12 @@ func deleteObject(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("No bucket specified, use format sj://bucket/")
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
-	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), encCtx)
+	project, bucket, err := cfg.GetProjectAndBucket(ctx, dst.Bucket(), access)
 	if err != nil {
 		return convertError(err, dst)
 	}

cmd/uplink/cmd/root.go

@@ -112,7 +112,7 @@ func (cliCfg *UplinkFlags) GetProject(ctx context.Context) (*libuplink.Project,
 }
 
 // GetProjectAndBucket returns a *libuplink.Bucket for interacting with a specific project's bucket
-func (cliCfg *UplinkFlags) GetProjectAndBucket(ctx context.Context, bucketName string, encCtx *libuplink.EncryptionCtx) (project *libuplink.Project, bucket *libuplink.Bucket, err error) {
+func (cliCfg *UplinkFlags) GetProjectAndBucket(ctx context.Context, bucketName string, access *libuplink.EncryptionAccess) (project *libuplink.Project, bucket *libuplink.Bucket, err error) {
 	project, err = cliCfg.GetProject(ctx)
 	if err != nil {
 		return project, bucket, err
@@ -126,7 +126,7 @@ func (cliCfg *UplinkFlags) GetProjectAndBucket(ctx context.Context, bucketName s
 		}
 	}()
 
-	bucket, err = project.OpenBucket(ctx, bucketName, encCtx)
+	bucket, err = project.OpenBucket(ctx, bucketName, access)
 	if err != nil {
 		return project, bucket, err
 	}

cmd/uplink/cmd/share.go

@@ -100,13 +100,13 @@ func shareMain(cmd *cobra.Command, args []string) (err error) {
 		return err
 	}
 
-	encCtx, err := setup.LoadEncryptionCtx(ctx, cfg.Enc)
+	access, err := setup.LoadEncryptionAccess(ctx, cfg.Enc)
 	if err != nil {
 		return err
 	}
 
 	if len(restrictions) > 0 {
-		key, encCtx, err = encCtx.Restrict(key, restrictions...)
+		key, access, err = access.Restrict(key, restrictions...)
 		if err != nil {
 			return err
 		}
@@ -146,12 +146,12 @@ func shareMain(cmd *cobra.Command, args []string) (err error) {
 		return err
 	}
 
-	encCtxData, err := encCtx.Serialize()
+	accessData, err := access.Serialize()
 	if err != nil {
 		return err
 	}
 
 	fmt.Println("api key:", key.Serialize())
-	fmt.Println("enc ctx:", encCtxData)
+	fmt.Println("enc ctx:", accessData)
 	return nil
 }

go.sum

@@ -379,8 +379,6 @@ github.com/zeebo/assert v0.0.0-20181109011804-10f827ce2ed6 h1:bs7mSHVrLRQHxqWcm0
 github.com/zeebo/assert v0.0.0-20181109011804-10f827ce2ed6/go.mod h1:yssERNPivllc1yU3BvpjYI5BUW+zglcz6QWqeVRL5t0=
 github.com/zeebo/errs v1.1.1 h1:Cs5Noqj/tj3Ql/hLkD9WdumKlssx/IN2zr7CRGNOKZA=
 github.com/zeebo/errs v1.1.1/go.mod h1:Yj8dHrUQwls1bF3dr/vcSIu+qf4mI7idnTcHfoACc6I=
-github.com/zeebo/errs v1.2.0 h1:Tk8UszIOLEjtx6DWnvfmMJe6N8q7vu03Bj95HMWDUkc=
-github.com/zeebo/errs v1.2.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 github.com/zeebo/errs v1.2.1-0.20190617123220-06a113fed680 h1:nLsPSuW22yF+MmUX0sFaTfnMKL83XuHtx8B1YvNtYys=
 github.com/zeebo/errs v1.2.1-0.20190617123220-06a113fed680/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 github.com/zeebo/float16 v0.1.0 h1:kRqxv5og6z1emEyz5FpW0/BVHe5VfxEAw6b1ljCZlUc=

lib/uplink/bucket_attrs_test.go

@@ -53,12 +53,12 @@ func testPlanetWithLibUplink(t *testing.T, cfg testConfig,
 	})
 }
 
-func simpleEncryptionAccess(encKey string) (access *EncryptionCtx) {
+func simpleEncryptionAccess(encKey string) (access *EncryptionAccess) {
 	key, err := storj.NewKey([]byte(encKey))
 	if err != nil {
 		panic(err)
 	}
-	return NewEncryptionCtxWithDefaultKey(*key)
+	return NewEncryptionAccessWithDefaultKey(*key)
 }
 
 // check that partner bucket attributes are stored and retrieved correctly.

lib/uplink/encryption.go

@@ -19,40 +19,40 @@ const (
 	defaultCipher = storj.EncAESGCM
 )
 
-// EncryptionCtx represents an encryption context. It holds information about
+// EncryptionAccess represents an encryption context. It holds information about
 // how various buckets and objects should be encrypted and decrypted.
-type EncryptionCtx struct {
+type EncryptionAccess struct {
 	store *encryption.Store
 }
 
-// NewEncryptionCtx creates an encryption ctx
+// NewEncryptionAccess creates an encryption ctx
-func NewEncryptionCtx() *EncryptionCtx {
+func NewEncryptionAccess() *EncryptionAccess {
-	return &EncryptionCtx{
+	return &EncryptionAccess{
 		store: encryption.NewStore(),
 	}
 }
 
-// NewEncryptionCtxWithDefaultKey creates an encryption ctx with a default key set
+// NewEncryptionAccessWithDefaultKey creates an encryption ctx with a default key set
-func NewEncryptionCtxWithDefaultKey(defaultKey storj.Key) *EncryptionCtx {
+func NewEncryptionAccessWithDefaultKey(defaultKey storj.Key) *EncryptionAccess {
-	ec := NewEncryptionCtx()
+	ec := NewEncryptionAccess()
 	ec.SetDefaultKey(defaultKey)
 	return ec
 }
 
 // Store returns the underlying encryption store for the context.
-func (s *EncryptionCtx) Store() *encryption.Store {
+func (s *EncryptionAccess) Store() *encryption.Store {
 	return s.store
 }
 
 // SetDefaultKey sets the default key for the encryption context.
-func (s *EncryptionCtx) SetDefaultKey(defaultKey storj.Key) {
+func (s *EncryptionAccess) SetDefaultKey(defaultKey storj.Key) {
 	s.store.SetDefaultKey(&defaultKey)
 }
 
 // Import merges the other encryption context into this one. In cases
 // of conflicting path decryption settings (including if both contexts have
 // a default key), the new settings are kept.
-func (s *EncryptionCtx) Import(other *EncryptionCtx) error {
+func (s *EncryptionAccess) Import(other *EncryptionAccess) error {
 	if key := other.store.GetDefaultKey(); key != nil {
 		s.store.SetDefaultKey(key)
 	}
@@ -66,19 +66,19 @@ type EncryptionRestriction struct {
 	PathPrefix storj.Path
 }
 
-// Restrict creates a new EncryptionCtx with no default key, where the key material
+// Restrict creates a new EncryptionAccess with no default key, where the key material
 // in the new context is just enough to allow someone to access all of the given
 // restrictions but no more.
-func (s *EncryptionCtx) Restrict(apiKey APIKey, restrictions ...EncryptionRestriction) (APIKey, *EncryptionCtx, error) {
+func (s *EncryptionAccess) Restrict(apiKey APIKey, restrictions ...EncryptionRestriction) (APIKey, *EncryptionAccess, error) {
 	if len(restrictions) == 0 {
 		// Should the function signature be
-		// func (s *EncryptionCtx) Restrict(apiKey APIKey, restriction EncryptionRestriction, restrictions ...EncryptionRestriction) (APIKey, *EncryptionCtx, error) {
+		// func (s *EncryptionAccess) Restrict(apiKey APIKey, restriction EncryptionRestriction, restrictions ...EncryptionRestriction) (APIKey, *EncryptionAccess, error) {
 		// so we don't have to do this test?
 		return APIKey{}, nil, errs.New("at least one restriction required")
 	}
 
 	caveat := macaroon.Caveat{}
-	encCtx := NewEncryptionCtx()
+	encCtx := NewEncryptionAccess()
 
 	for _, res := range restrictions {
 		unencPath := paths.NewUnencrypted(res.PathPrefix)
@@ -110,11 +110,11 @@ func (s *EncryptionCtx) Restrict(apiKey APIKey, restrictions ...EncryptionRestri
 	return apiKey, encCtx, nil
 }
 
-// Serialize turns an EncryptionCtx into base58
+// Serialize turns an EncryptionAccess into base58
-func (s *EncryptionCtx) Serialize() (string, error) {
+func (s *EncryptionAccess) Serialize() (string, error) {
-	var storeEntries []*pb.EncryptionCtx_StoreEntry
+	var storeEntries []*pb.EncryptionAccess_StoreEntry
 	err := s.store.Iterate(func(bucket string, unenc paths.Unencrypted, enc paths.Encrypted, key storj.Key) error {
-		storeEntries = append(storeEntries, &pb.EncryptionCtx_StoreEntry{
+		storeEntries = append(storeEntries, &pb.EncryptionAccess_StoreEntry{
 			Bucket:          []byte(bucket),
 			UnencryptedPath: []byte(unenc.Raw()),
 			EncryptedPath:   []byte(enc.Raw()),
@@ -131,7 +131,7 @@ func (s *EncryptionCtx) Serialize() (string, error) {
 		defaultKey = key[:]
 	}
 
-	data, err := proto.Marshal(&pb.EncryptionCtx{
+	data, err := proto.Marshal(&pb.EncryptionAccess{
 		DefaultKey:   defaultKey,
 		StoreEntries: storeEntries,
 	})
@@ -143,19 +143,19 @@ func (s *EncryptionCtx) Serialize() (string, error) {
 
 }
 
-// ParseEncryptionCtx parses a base58 serialized encryption context into a working one.
+// ParseEncryptionAccess parses a base58 serialized encryption context into a working one.
-func ParseEncryptionCtx(b58data string) (*EncryptionCtx, error) {
+func ParseEncryptionAccess(b58data string) (*EncryptionAccess, error) {
 	data, version, err := base58.CheckDecode(b58data)
 	if err != nil || version != 0 {
 		return nil, errs.New("invalid encryption context format")
 	}
 
-	p := new(pb.EncryptionCtx)
+	p := new(pb.EncryptionAccess)
 	if err := proto.Unmarshal(data, p); err != nil {
 		return nil, errs.New("unable to unmarshal encryption context: %v", err)
 	}
 
-	encCtx := NewEncryptionCtx()
+	encCtx := NewEncryptionAccess()
 
 	if len(p.DefaultKey) > 0 {
 		if len(p.DefaultKey) != len(storj.Key{}) {

lib/uplink/ex_interface_test.go

@@ -48,7 +48,7 @@ func WorkWithLibUplink(satelliteAddress string, encryptionKey *storj.Key, apiKey
 	}
 
 	// Open up the desired Bucket within the Project
-	bucket, err := proj.OpenBucket(ctx, bucketName, uplink.NewEncryptionCtxWithDefaultKey(*encryptionKey))
+	bucket, err := proj.OpenBucket(ctx, bucketName, uplink.NewEncryptionAccessWithDefaultKey(*encryptionKey))
 	if err != nil {
 		return fmt.Errorf("could not open bucket %q: %v", bucketName, err)
 	}

lib/uplink/ex_password_test.go

@@ -16,7 +16,7 @@ import (
 	"storj.io/storj/lib/uplink"
 )
 
-func CreateEncryptionKeyExampleByAdmin1(ctx context.Context, satelliteAddress, apiKey string, cfg *uplink.Config, out io.Writer) (serializedEncCtx string, err error) {
+func CreateEncryptionKeyExampleByAdmin1(ctx context.Context, satelliteAddress, apiKey string, cfg *uplink.Config, out io.Writer) (serializedAccess string, err error) {
 	errCatch := func(fn func() error) { err = errs.Combine(err, fn()) }
 
 	// First, create an Uplink handle.
@@ -46,9 +46,9 @@ func CreateEncryptionKeyExampleByAdmin1(ctx context.Context, satelliteAddress, a
 	}
 
 	// Make an encryption context
-	encCtx := uplink.NewEncryptionCtxWithDefaultKey(*encKey)
+	access := uplink.NewEncryptionAccessWithDefaultKey(*encKey)
 	// serialize it
-	serializedEncCtx, err = encCtx.Serialize()
+	serializedAccess, err = access.Serialize()
 	if err != nil {
 		return "", err
 	}
@@ -60,7 +60,7 @@ func CreateEncryptionKeyExampleByAdmin1(ctx context.Context, satelliteAddress, a
 	}
 
 	// Open bucket
-	bucket, err := p.OpenBucket(ctx, "prod", encCtx)
+	bucket, err := p.OpenBucket(ctx, "prod", access)
 	if err != nil {
 		return "", err
 	}
@@ -73,10 +73,10 @@ func CreateEncryptionKeyExampleByAdmin1(ctx context.Context, satelliteAddress, a
 	}
 
 	fmt.Fprintln(out, "success!")
-	return serializedEncCtx, nil
+	return serializedAccess, nil
 }
 
-func CreateEncryptionKeyExampleByAdmin2(ctx context.Context, satelliteAddress, apiKey string, serializedEncCtx string, cfg *uplink.Config, out io.Writer) (err error) {
+func CreateEncryptionKeyExampleByAdmin2(ctx context.Context, satelliteAddress, apiKey string, serializedAccess string, cfg *uplink.Config, out io.Writer) (err error) {
 	errCatch := func(fn func() error) { err = errs.Combine(err, fn()) }
 
 	// First, create an Uplink handle.
@@ -100,13 +100,13 @@ func CreateEncryptionKeyExampleByAdmin2(ctx context.Context, satelliteAddress, a
 	defer errCatch(p.Close)
 
 	// Parse the encryption context
-	encCtx, err := uplink.ParseEncryptionCtx(serializedEncCtx)
+	access, err := uplink.ParseEncryptionAccess(serializedAccess)
 	if err != nil {
 		return err
 	}
 
 	// Open bucket
-	bucket, err := p.OpenBucket(ctx, "prod", encCtx)
+	bucket, err := p.OpenBucket(ctx, "prod", access)
 	if err != nil {
 		return err
 	}
@@ -148,13 +148,13 @@ func Example_createEncryptionKey() {
 	ctx := context.Background()
 
 	// Admin1 is going to create an encryption context and share it
-	encCtx, err := CreateEncryptionKeyExampleByAdmin1(ctx, satelliteAddress, admin1APIKey, &uplink.Config{}, os.Stdout)
+	access, err := CreateEncryptionKeyExampleByAdmin1(ctx, satelliteAddress, admin1APIKey, &uplink.Config{}, os.Stdout)
 	if err != nil {
 		panic(err)
 	}
 
 	// Admin2 is going to use the provided encryption context to load the uploaded file
-	err = CreateEncryptionKeyExampleByAdmin2(ctx, satelliteAddress, admin2APIKey, encCtx, &uplink.Config{}, os.Stdout)
+	err = CreateEncryptionKeyExampleByAdmin2(ctx, satelliteAddress, admin2APIKey, access, &uplink.Config{}, os.Stdout)
 	if err != nil {
 		panic(err)
 	}

lib/uplink/ex_restrict_test.go

@@ -16,7 +16,7 @@ import (
 	"storj.io/storj/pkg/macaroon"
 )
 
-func RestrictAccessExampleByAdmin(ctx context.Context, satelliteAddress, apiKey string, adminEncCtx string, cfg *uplink.Config, out io.Writer) (serializedUserAPIKey string, serializedEncCtx string, err error) {
+func RestrictAccessExampleByAdmin(ctx context.Context, satelliteAddress, apiKey string, adminAccess string, cfg *uplink.Config, out io.Writer) (serializedUserAPIKey string, serializedAccess string, err error) {
 	// Parse the API key. API keys are "macaroons" that allow you to create new, restricted API keys.
 	key, err := uplink.ParseAPIKey(apiKey)
 	if err != nil {
@@ -34,14 +34,14 @@ func RestrictAccessExampleByAdmin(ctx context.Context, satelliteAddress, apiKey
 	}
 
 	// Load the existing encryption context
-	encCtx, err := uplink.ParseEncryptionCtx(adminEncCtx)
+	access, err := uplink.ParseEncryptionAccess(adminAccess)
 	if err != nil {
 		return "", "", err
 	}
 
 	// Restrict the encryption context to just the prod and staging buckets
 	// for webserver/logs/
-	userAPIKey, userEncCtx, err := encCtx.Restrict(userAPIKey,
+	userAPIKey, userAccess, err := access.Restrict(userAPIKey,
 		uplink.EncryptionRestriction{Bucket: "prod", PathPrefix: "webserver/logs"},
 		uplink.EncryptionRestriction{Bucket: "staging", PathPrefix: "webserver/logs"},
 	)
@@ -50,16 +50,16 @@ func RestrictAccessExampleByAdmin(ctx context.Context, satelliteAddress, apiKey
 	}
 
 	// Serialize the encryption context
-	serializedUserEncCtx, err := userEncCtx.Serialize()
+	serializedUserAccess, err := userAccess.Serialize()
 	if err != nil {
 		return "", "", err
 	}
 
 	fmt.Fprintln(out, "success!")
-	return userAPIKey.Serialize(), serializedUserEncCtx, nil
+	return userAPIKey.Serialize(), serializedUserAccess, nil
 }
 
-func RestrictAccessExampleByUser(ctx context.Context, satelliteAddress, apiKey string, serializedEncCtx string, cfg *uplink.Config, out io.Writer) (err error) {
+func RestrictAccessExampleByUser(ctx context.Context, satelliteAddress, apiKey string, serializedAccess string, cfg *uplink.Config, out io.Writer) (err error) {
 	errCatch := func(fn func() error) { err = errs.Combine(err, fn()) }
 
 	// First, create an Uplink handle.
@@ -83,13 +83,13 @@ func RestrictAccessExampleByUser(ctx context.Context, satelliteAddress, apiKey s
 	defer errCatch(p.Close)
 
 	// Parse the encryption context
-	encCtx, err := uplink.ParseEncryptionCtx(serializedEncCtx)
+	access, err := uplink.ParseEncryptionAccess(serializedAccess)
 	if err != nil {
 		return err
 	}
 
 	// Open bucket
-	bucket, err := p.OpenBucket(ctx, "prod", encCtx)
+	bucket, err := p.OpenBucket(ctx, "prod", access)
 	if err != nil {
 		return err
 	}
@@ -127,20 +127,20 @@ func Example_restrictAccess() {
 	// The API key can be created in the web interface
 	adminAPIKey := "qPSUM3k0bZyOIyil2xrVWiSuc9HuB2yBP3qDrA2Gc"
 
-	// The encryption context was created using NewEncryptionCtxWithDefaultKey and
+	// The encryption context was created using NewEncryptionAccessWithDefaultKey and
 	// (*Project).SaltedKeyFromPassphrase() earlier
-	adminEncCtx := "HYGoqCEz43mCE40Hc5lQD3DtUYynx9Vo1GjOx75hQ"
+	adminAccess := "HYGoqCEz43mCE40Hc5lQD3DtUYynx9Vo1GjOx75hQ"
 
 	ctx := context.Background()
 
 	// Admin1 is going to create an encryption context and share it
-	userAPIKey, encCtx, err := RestrictAccessExampleByAdmin(ctx, satelliteAddress, adminAPIKey, adminEncCtx, &uplink.Config{}, os.Stdout)
+	userAPIKey, access, err := RestrictAccessExampleByAdmin(ctx, satelliteAddress, adminAPIKey, adminAccess, &uplink.Config{}, os.Stdout)
 	if err != nil {
 		panic(err)
 	}
 
 	// Admin2 is going to use the provided encryption context to load the uploaded file
-	err = RestrictAccessExampleByUser(ctx, satelliteAddress, userAPIKey, encCtx, &uplink.Config{}, os.Stdout)
+	err = RestrictAccessExampleByUser(ctx, satelliteAddress, userAPIKey, access, &uplink.Config{}, os.Stdout)
 	if err != nil {
 		panic(err)
 	}

lib/uplink/examples_test.go

@@ -52,22 +52,22 @@ func TestBucketExamples(t *testing.T) {
 			require.Equal(t, out.String(), "")
 
 			out = bytes.NewBuffer(nil)
-			encCtx, err := CreateEncryptionKeyExampleByAdmin1(ctx, satelliteAddr, apiKey, &cfg, out)
+			access, err := CreateEncryptionKeyExampleByAdmin1(ctx, satelliteAddr, apiKey, &cfg, out)
 			require.NoError(t, err)
 			require.Equal(t, out.String(), "success!\n")
 
 			out = bytes.NewBuffer(nil)
-			err = CreateEncryptionKeyExampleByAdmin2(ctx, satelliteAddr, apiKey, encCtx, &cfg, out)
+			err = CreateEncryptionKeyExampleByAdmin2(ctx, satelliteAddr, apiKey, access, &cfg, out)
 			require.NoError(t, err)
 			require.Equal(t, out.String(), "hello world\n")
 
 			out = bytes.NewBuffer(nil)
-			userAPIKey, userEncCtx, err := RestrictAccessExampleByAdmin(ctx, satelliteAddr, apiKey, encCtx, &cfg, out)
+			userAPIKey, userAccess, err := RestrictAccessExampleByAdmin(ctx, satelliteAddr, apiKey, access, &cfg, out)
 			require.NoError(t, err)
 			require.Equal(t, out.String(), "success!\n")
 
 			out = bytes.NewBuffer(nil)
-			err = RestrictAccessExampleByUser(ctx, satelliteAddr, userAPIKey, userEncCtx, &cfg, out)
+			err = RestrictAccessExampleByUser(ctx, satelliteAddr, userAPIKey, userAccess, &cfg, out)
 			require.NoError(t, err)
 			require.Equal(t, out.String(), "hello world\n")
 		})

lib/uplink/project.go

@@ -150,7 +150,7 @@ func (p *Project) GetBucketInfo(ctx context.Context, bucket string) (b storj.Buc
 
 // OpenBucket returns a Bucket handle with the given EncryptionAccess
 // information.
-func (p *Project) OpenBucket(ctx context.Context, bucketName string, encCtx *EncryptionCtx) (b *Bucket, err error) {
+func (p *Project) OpenBucket(ctx context.Context, bucketName string, access *EncryptionAccess) (b *Bucket, err error) {
 	defer mon.Task()(&ctx)(&err)
 
 	bucketInfo, cfg, err := p.GetBucketInfo(ctx, bucketName)
@@ -194,7 +194,7 @@ func (p *Project) OpenBucket(ctx context.Context, bucketName string, encCtx *Enc
 	}
 	segmentStore := segments.NewSegmentStore(p.metainfo, ec, rs, p.maxInlineSize.Int(), maxEncryptedSegmentSize)
 
-	streamStore, err := streams.NewStreamStore(segmentStore, cfg.Volatile.SegmentsSize.Int64(), encCtx.store, int(encryptionScheme.BlockSize), encryptionScheme.Cipher, p.maxInlineSize.Int())
+	streamStore, err := streams.NewStreamStore(segmentStore, cfg.Volatile.SegmentsSize.Int64(), access.store, int(encryptionScheme.BlockSize), encryptionScheme.Cipher, p.maxInlineSize.Int())
 	if err != nil {
 		return nil, err
 	}
@@ -204,7 +204,7 @@ func (p *Project) OpenBucket(ctx context.Context, bucketName string, encCtx *Enc
 		Name:         bucketInfo.Name,
 		Created:      bucketInfo.Created,
 		bucket:       bucketInfo,
-		metainfo:     kvmetainfo.New(p.project, p.metainfo, streamStore, segmentStore, encCtx.store),
+		metainfo:     kvmetainfo.New(p.project, p.metainfo, streamStore, segmentStore, access.store),
 		streams:      streamStore,
 	}, nil
 }

lib/uplinkc/bucket.go

@@ -76,14 +76,14 @@ func get_bucket_info(projectHandle C.ProjectRef, bucketName *C.char, cerr **C.ch
 
 // open_bucket returns a Bucket handle with the given encryption context information.
 //export open_bucket
-func open_bucket(projectHandle C.ProjectRef, name *C.char, encryptionCtx *C.char, cerr **C.char) C.BucketRef {
+func open_bucket(projectHandle C.ProjectRef, name *C.char, encryptionAccess *C.char, cerr **C.char) C.BucketRef {
 	project, ok := universe.Get(projectHandle._handle).(*Project)
 	if !ok {
 		*cerr = C.CString("invalid project")
 		return C.BucketRef{}
 	}
 
-	encCtx, err := uplink.ParseEncryptionCtx(C.GoString(encryptionCtx))
+	access, err := uplink.ParseEncryptionAccess(C.GoString(encryptionAccess))
 	if err != nil {
 		*cerr = C.CString(err.Error())
 		return C.BucketRef{}
@@ -91,7 +91,7 @@ func open_bucket(projectHandle C.ProjectRef, name *C.char, encryptionCtx *C.char
 
 	scope := project.scope.child()
 
-	bucket, err := project.OpenBucket(scope.ctx, C.GoString(name), encCtx)
+	bucket, err := project.OpenBucket(scope.ctx, C.GoString(name), access)
 	if err != nil {
 		*cerr = C.CString(err.Error())
 		return C.BucketRef{}

mobile/encryption.go

@@ -8,19 +8,19 @@ import (
 	"storj.io/storj/pkg/storj"
 )
 
-// EncryptionCtx holds data about encryption keys for a bucket.
+// EncryptionAccess holds data about encryption keys for a bucket.
-type EncryptionCtx struct {
+type EncryptionAccess struct {
-	lib *libuplink.EncryptionCtx
+	lib *libuplink.EncryptionAccess
 }
 
-// NewEncryptionCtx constructs an empty encryption context.
+// NewEncryptionAccess constructs an empty encryption context.
-func NewEncryptionCtx() *EncryptionCtx {
+func NewEncryptionAccess() *EncryptionAccess {
-	return &EncryptionCtx{lib: libuplink.NewEncryptionCtx()}
+	return &EncryptionAccess{lib: libuplink.NewEncryptionAccess()}
 }
 
 // SetDefaultKey sets the default key to use when no matching keys are found
 // for the encryption context.
-func (e *EncryptionCtx) SetDefaultKey(keyData []byte) error {
+func (e *EncryptionAccess) SetDefaultKey(keyData []byte) error {
 	key, err := storj.NewKey(keyData)
 	if err != nil {
 		return safeError(err)
@@ -29,12 +29,12 @@ func (e *EncryptionCtx) SetDefaultKey(keyData []byte) error {
 	return nil
 }
 
-// ParseEncryptionCtx parses the base58 encoded encryption context data and
+// ParseEncryptionAccess parses the base58 encoded encryption context data and
 // returns the resulting context.
-func ParseEncryptionCtx(b58data string) (*EncryptionCtx, error) {
+func ParseEncryptionAccess(b58data string) (*EncryptionAccess, error) {
-	encCtx, err := libuplink.ParseEncryptionCtx(b58data)
+	access, err := libuplink.ParseEncryptionAccess(b58data)
 	if err != nil {
 		return nil, safeError(err)
 	}
-	return &EncryptionCtx{lib: encCtx}, nil
+	return &EncryptionAccess{lib: access}, nil
 }

mobile/libuplink_android/app/src/androidTest/java/io/storj/mobile/libuplink/LibuplinkInstrumentedTest.java

@@ -133,8 +133,8 @@ public class LibuplinkInstrumentedTest {
         try {
             Project project = uplink.openProject(VALID_SATELLITE_ADDRESS, VALID_API_KEY);
             try {
-                EncryptionCtx encCtx = new EncryptionCtx();
+                EncryptionAccess access = new EncryptionAccess();
-                encCtx.setDefaultKey("TestEncryptionKey".getBytes());
+                access.setDefaultKey("TestEncryptionKey".getBytes());
 
                 RedundancyScheme scheme = new RedundancyScheme();
                 scheme.setRequiredShares((short) 2);
@@ -147,7 +147,7 @@ public class LibuplinkInstrumentedTest {
 
                 project.createBucket("test", bucketConfig);
 
-                Bucket bucket = project.openBucket("test", encCtx);
+                Bucket bucket = project.openBucket("test", access);
 
                 byte[] expectedData = new byte[1024];
                 Random random = new Random();
@@ -197,8 +197,8 @@ public class LibuplinkInstrumentedTest {
         try {
             Project project = uplink.openProject(VALID_SATELLITE_ADDRESS, VALID_API_KEY);
             try {
-                EncryptionCtx encCtx = new EncryptionCtx();
+                EncryptionAccess access = new EncryptionAccess();
-                encCtx.setDefaultKey("TestEncryptionKey".getBytes());
+                access.setDefaultKey("TestEncryptionKey".getBytes());
 
                 RedundancyScheme scheme = new RedundancyScheme();
                 scheme.setRequiredShares((short) 2);
@@ -211,7 +211,7 @@ public class LibuplinkInstrumentedTest {
 
                 project.createBucket("test", bucketConfig);
 
-                Bucket bucket = project.openBucket("test", encCtx);
+                Bucket bucket = project.openBucket("test", access);
 
                 byte[] expectedData = new byte[1024 * 100];
                 Random random = new Random();
@@ -267,8 +267,8 @@ public class LibuplinkInstrumentedTest {
         try {
             Project project = uplink.openProject(VALID_SATELLITE_ADDRESS, VALID_API_KEY);
             try {
-                EncryptionCtx encCtx = new EncryptionCtx();
+                EncryptionAccess access = new EncryptionAccess();
-                encCtx.setDefaultKey("TestEncryptionKey".getBytes());
+                access.setDefaultKey("TestEncryptionKey".getBytes());
 
                 BucketConfig bucketConfig = new BucketConfig();
                 bucketConfig.setRedundancyScheme(new RedundancyScheme());
@@ -276,7 +276,7 @@ public class LibuplinkInstrumentedTest {
                 BucketInfo bucketInfo = project.createBucket("testBucket", bucketConfig);
                 assertEquals("testBucket", bucketInfo.getName());
 
-                Bucket bucket = project.openBucket("testBucket", encCtx);
+                Bucket bucket = project.openBucket("testBucket", access);
 
                 long before = System.currentTimeMillis();
 

mobile/uplink.go

@@ -117,10 +117,10 @@ func (project *Project) CreateBucket(bucketName string, opts *BucketConfig) (*Bu
 
 // OpenBucket returns a Bucket handle with the given EncryptionAccess
 // information.
-func (project *Project) OpenBucket(bucketName string, encCtx *EncryptionCtx) (*Bucket, error) {
+func (project *Project) OpenBucket(bucketName string, access *EncryptionAccess) (*Bucket, error) {
 	scope := project.scope.child()
 
-	bucket, err := project.lib.OpenBucket(scope.ctx, bucketName, encCtx.lib)
+	bucket, err := project.lib.OpenBucket(scope.ctx, bucketName, access.lib)
 	if err != nil {
 		return nil, safeError(err)
 	}

pkg/miniogw/gateway.go

@@ -30,10 +30,10 @@ var (
 )
 
 // NewStorjGateway creates a *Storj object from an existing ObjectStore
-func NewStorjGateway(project *uplink.Project, encCtx *uplink.EncryptionCtx, pathCipher storj.CipherSuite, encryption storj.EncryptionParameters, redundancy storj.RedundancyScheme, segmentSize memory.Size) *Gateway {
+func NewStorjGateway(project *uplink.Project, access *uplink.EncryptionAccess, pathCipher storj.CipherSuite, encryption storj.EncryptionParameters, redundancy storj.RedundancyScheme, segmentSize memory.Size) *Gateway {
 	return &Gateway{
 		project:     project,
-		encCtx:      encCtx,
+		access:      access,
 		pathCipher:  pathCipher,
 		encryption:  encryption,
 		redundancy:  redundancy,
@@ -45,7 +45,7 @@ func NewStorjGateway(project *uplink.Project, encCtx *uplink.EncryptionCtx, path
 // Gateway is the implementation of a minio cmd.Gateway
 type Gateway struct {
 	project     *uplink.Project
-	encCtx      *uplink.EncryptionCtx
+	access      *uplink.EncryptionAccess
 	pathCipher  storj.CipherSuite
 	encryption  storj.EncryptionParameters
 	redundancy  storj.RedundancyScheme
@@ -93,7 +93,7 @@ func (layer *gatewayLayer) DeleteBucket(ctx context.Context, bucketName string)
 func (layer *gatewayLayer) bucketEmpty(ctx context.Context, bucketName string) (empty bool, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return false, convertError(err, bucketName, "")
 	}
@@ -110,7 +110,7 @@ func (layer *gatewayLayer) bucketEmpty(ctx context.Context, bucketName string) (
 func (layer *gatewayLayer) DeleteObject(ctx context.Context, bucketName, objectPath string) (err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return convertError(err, bucketName, "")
 	}
@@ -136,7 +136,7 @@ func (layer *gatewayLayer) GetBucketInfo(ctx context.Context, bucketName string)
 func (layer *gatewayLayer) GetObject(ctx context.Context, bucketName, objectPath string, startOffset int64, length int64, writer io.Writer, etag string) (err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return convertError(err, bucketName, "")
 	}
@@ -170,7 +170,7 @@ func (layer *gatewayLayer) GetObject(ctx context.Context, bucketName, objectPath
 func (layer *gatewayLayer) GetObjectInfo(ctx context.Context, bucketName, objectPath string) (objInfo minio.ObjectInfo, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return minio.ObjectInfo{}, convertError(err, bucketName, "")
 	}
@@ -225,7 +225,7 @@ func (layer *gatewayLayer) ListObjects(ctx context.Context, bucketName, prefix,
 		return minio.ListObjectsInfo{}, minio.UnsupportedDelimiter{Delimiter: delimiter}
 	}
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return minio.ListObjectsInfo{}, convertError(err, bucketName, "")
 	}
@@ -291,7 +291,7 @@ func (layer *gatewayLayer) ListObjectsV2(ctx context.Context, bucketName, prefix
 		return minio.ListObjectsV2Info{ContinuationToken: continuationToken}, minio.UnsupportedDelimiter{Delimiter: delimiter}
 	}
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return minio.ListObjectsV2Info{}, convertError(err, bucketName, "")
 	}
@@ -392,7 +392,7 @@ func (layer *gatewayLayer) MakeBucketWithLocation(ctx context.Context, bucketNam
 func (layer *gatewayLayer) CopyObject(ctx context.Context, srcBucket, srcObject, destBucket, destObject string, srcInfo minio.ObjectInfo) (objInfo minio.ObjectInfo, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, srcBucket, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, srcBucket, layer.gateway.access)
 	if err != nil {
 		return minio.ObjectInfo{}, convertError(err, srcBucket, "")
 	}
@@ -424,7 +424,7 @@ func (layer *gatewayLayer) CopyObject(ctx context.Context, srcBucket, srcObject,
 func (layer *gatewayLayer) putObject(ctx context.Context, bucketName, objectPath string, reader io.Reader, opts *uplink.UploadOptions) (objInfo minio.ObjectInfo, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.encCtx)
+	bucket, err := layer.gateway.project.OpenBucket(ctx, bucketName, layer.gateway.access)
 	if err != nil {
 		return minio.ObjectInfo{}, convertError(err, bucketName, "")
 	}

pkg/miniogw/gateway_test.go

@@ -704,8 +704,8 @@ func initEnv(ctx context.Context, planet *testplanet.Planet) (minio.ObjectLayer,
 
 	var encKey storj.Key
 	copy(encKey[:], TestEncKey)
-	encCtx := libuplink.NewEncryptionCtxWithDefaultKey(encKey)
+	access := libuplink.NewEncryptionAccessWithDefaultKey(encKey)
-	encStore := encCtx.Store()
+	encStore := access.Store()
 
 	blockSize := rs.StripeSize()
 	inlineThreshold := 4 * memory.KiB.Int()
@@ -747,7 +747,7 @@ func initEnv(ctx context.Context, planet *testplanet.Planet) (minio.ObjectLayer,
 
 	gateway := NewStorjGateway(
 		proj,
-		encCtx,
+		access,
 		storj.EncAESGCM,
 		storj.EncryptionParameters{
 			CipherSuite: storj.EncAESGCM,

pkg/miniogw/integration_test.go

@@ -212,7 +212,7 @@ func runGateway(ctx context.Context, gwCfg config, uplinkCfg uplink.Config, log
 
 	gw := miniogw.NewStorjGateway(
 		project,
-		libuplink.NewEncryptionCtxWithDefaultKey(storj.Key{}),
+		libuplink.NewEncryptionAccessWithDefaultKey(storj.Key{}),
 		storj.Cipher(uplinkCfg.Enc.PathType).ToCipherSuite(),
 		uplinkCfg.GetEncryptionScheme().ToEncryptionParameters(),
 		uplinkCfg.GetRedundancyScheme(),

pkg/pb/encryption_access.pb.go

@@ -0,0 +1,156 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: encryption_access.proto
+
+package pb
+
+import (
+	fmt "fmt"
+	_ "github.com/gogo/protobuf/gogoproto"
+	proto "github.com/gogo/protobuf/proto"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type EncryptionAccess struct {
+	DefaultKey           []byte                         `protobuf:"bytes,1,opt,name=default_key,json=defaultKey,proto3" json:"default_key,omitempty"`
+	StoreEntries         []*EncryptionAccess_StoreEntry `protobuf:"bytes,2,rep,name=store_entries,json=storeEntries,proto3" json:"store_entries,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}                       `json:"-"`
+	XXX_unrecognized     []byte                         `json:"-"`
+	XXX_sizecache        int32                          `json:"-"`
+}
+
+func (m *EncryptionAccess) Reset()         { *m = EncryptionAccess{} }
+func (m *EncryptionAccess) String() string { return proto.CompactTextString(m) }
+func (*EncryptionAccess) ProtoMessage()    {}
+func (*EncryptionAccess) Descriptor() ([]byte, []int) {
+	return fileDescriptor_464b1a18bff4a17b, []int{0}
+}
+func (m *EncryptionAccess) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_EncryptionAccess.Unmarshal(m, b)
+}
+func (m *EncryptionAccess) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_EncryptionAccess.Marshal(b, m, deterministic)
+}
+func (m *EncryptionAccess) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_EncryptionAccess.Merge(m, src)
+}
+func (m *EncryptionAccess) XXX_Size() int {
+	return xxx_messageInfo_EncryptionAccess.Size(m)
+}
+func (m *EncryptionAccess) XXX_DiscardUnknown() {
+	xxx_messageInfo_EncryptionAccess.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_EncryptionAccess proto.InternalMessageInfo
+
+func (m *EncryptionAccess) GetDefaultKey() []byte {
+	if m != nil {
+		return m.DefaultKey
+	}
+	return nil
+}
+
+func (m *EncryptionAccess) GetStoreEntries() []*EncryptionAccess_StoreEntry {
+	if m != nil {
+		return m.StoreEntries
+	}
+	return nil
+}
+
+type EncryptionAccess_StoreEntry struct {
+	Bucket               []byte   `protobuf:"bytes,1,opt,name=bucket,proto3" json:"bucket,omitempty"`
+	UnencryptedPath      []byte   `protobuf:"bytes,2,opt,name=unencrypted_path,json=unencryptedPath,proto3" json:"unencrypted_path,omitempty"`
+	EncryptedPath        []byte   `protobuf:"bytes,3,opt,name=encrypted_path,json=encryptedPath,proto3" json:"encrypted_path,omitempty"`
+	Key                  []byte   `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *EncryptionAccess_StoreEntry) Reset()         { *m = EncryptionAccess_StoreEntry{} }
+func (m *EncryptionAccess_StoreEntry) String() string { return proto.CompactTextString(m) }
+func (*EncryptionAccess_StoreEntry) ProtoMessage()    {}
+func (*EncryptionAccess_StoreEntry) Descriptor() ([]byte, []int) {
+	return fileDescriptor_464b1a18bff4a17b, []int{0, 0}
+}
+func (m *EncryptionAccess_StoreEntry) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_EncryptionAccess_StoreEntry.Unmarshal(m, b)
+}
+func (m *EncryptionAccess_StoreEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_EncryptionAccess_StoreEntry.Marshal(b, m, deterministic)
+}
+func (m *EncryptionAccess_StoreEntry) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_EncryptionAccess_StoreEntry.Merge(m, src)
+}
+func (m *EncryptionAccess_StoreEntry) XXX_Size() int {
+	return xxx_messageInfo_EncryptionAccess_StoreEntry.Size(m)
+}
+func (m *EncryptionAccess_StoreEntry) XXX_DiscardUnknown() {
+	xxx_messageInfo_EncryptionAccess_StoreEntry.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_EncryptionAccess_StoreEntry proto.InternalMessageInfo
+
+func (m *EncryptionAccess_StoreEntry) GetBucket() []byte {
+	if m != nil {
+		return m.Bucket
+	}
+	return nil
+}
+
+func (m *EncryptionAccess_StoreEntry) GetUnencryptedPath() []byte {
+	if m != nil {
+		return m.UnencryptedPath
+	}
+	return nil
+}
+
+func (m *EncryptionAccess_StoreEntry) GetEncryptedPath() []byte {
+	if m != nil {
+		return m.EncryptedPath
+	}
+	return nil
+}
+
+func (m *EncryptionAccess_StoreEntry) GetKey() []byte {
+	if m != nil {
+		return m.Key
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*EncryptionAccess)(nil), "encryption_access.EncryptionAccess")
+	proto.RegisterType((*EncryptionAccess_StoreEntry)(nil), "encryption_access.EncryptionAccess.StoreEntry")
+}
+
+func init() { proto.RegisterFile("encryption_access.proto", fileDescriptor_464b1a18bff4a17b) }
+
+var fileDescriptor_464b1a18bff4a17b = []byte{
+	// 228 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0x4f, 0xcd, 0x4b, 0x2e,
+	0xaa, 0x2c, 0x28, 0xc9, 0xcc, 0xcf, 0x8b, 0x4f, 0x4c, 0x4e, 0x4e, 0x2d, 0x2e, 0xd6, 0x2b, 0x28,
+	0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc4, 0x90, 0x90, 0xe2, 0x4a, 0xcf, 0x4f, 0xcf, 0x87, 0x48, 0x2b,
+	0x4d, 0x66, 0xe2, 0x12, 0x70, 0x85, 0xab, 0x70, 0x04, 0x2b, 0x10, 0x92, 0xe7, 0xe2, 0x4e, 0x49,
+	0x4d, 0x4b, 0x2c, 0xcd, 0x29, 0x89, 0xcf, 0x4e, 0xad, 0x94, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x09,
+	0xe2, 0x82, 0x0a, 0x79, 0xa7, 0x56, 0x0a, 0x05, 0x73, 0xf1, 0x16, 0x97, 0xe4, 0x17, 0xa5, 0xc6,
+	0xa7, 0xe6, 0x95, 0x14, 0x65, 0xa6, 0x16, 0x4b, 0x30, 0x29, 0x30, 0x6b, 0x70, 0x1b, 0xe9, 0xe9,
+	0x61, 0xba, 0x02, 0xdd, 0x70, 0xbd, 0x60, 0x90, 0x46, 0xd7, 0xbc, 0x92, 0xa2, 0xca, 0x20, 0x9e,
+	0x62, 0x18, 0x3b, 0x33, 0xb5, 0x58, 0xaa, 0x83, 0x91, 0x8b, 0x0b, 0x21, 0x29, 0x24, 0xc6, 0xc5,
+	0x96, 0x54, 0x9a, 0x9c, 0x9d, 0x5a, 0x02, 0xb5, 0x1f, 0xca, 0x13, 0xd2, 0xe4, 0x12, 0x28, 0xcd,
+	0x83, 0xda, 0x93, 0x9a, 0x12, 0x5f, 0x90, 0x58, 0x92, 0x21, 0xc1, 0x04, 0x56, 0xc1, 0x8f, 0x24,
+	0x1e, 0x90, 0x58, 0x92, 0x21, 0xa4, 0xca, 0xc5, 0x87, 0xa6, 0x90, 0x19, 0xac, 0x90, 0x17, 0x55,
+	0x99, 0x00, 0x17, 0x33, 0xc8, 0x9b, 0x2c, 0x60, 0x39, 0x10, 0xd3, 0x89, 0x25, 0x8a, 0xa9, 0x20,
+	0x29, 0x89, 0x0d, 0x1c, 0x44, 0xc6, 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf2, 0x73, 0xee, 0x7d,
+	0x5c, 0x01, 0x00, 0x00,
+}

pkg/pb/encryption_access.proto

@@ -5,11 +5,11 @@ syntax = "proto3";
 
 option go_package = "pb";
 
-package encryption_ctx;
+package encryption_access;
 
 import "gogo.proto";
 
-message EncryptionCtx {
+message EncryptionAccess {
     message StoreEntry {
         bytes bucket = 1;
         bytes unencrypted_path = 2;

pkg/pb/encryption_ctx.pb.go

@@ -1,155 +0,0 @@
-// Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: encryption_ctx.proto
-
-package pb
-
-import (
-	fmt "fmt"
-	_ "github.com/gogo/protobuf/gogoproto"
-	proto "github.com/gogo/protobuf/proto"
-	math "math"
-)
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
-
-type EncryptionCtx struct {
-	DefaultKey           []byte                      `protobuf:"bytes,1,opt,name=default_key,json=defaultKey,proto3" json:"default_key,omitempty"`
-	StoreEntries         []*EncryptionCtx_StoreEntry `protobuf:"bytes,2,rep,name=store_entries,json=storeEntries,proto3" json:"store_entries,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                    `json:"-"`
-	XXX_unrecognized     []byte                      `json:"-"`
-	XXX_sizecache        int32                       `json:"-"`
-}
-
-func (m *EncryptionCtx) Reset()         { *m = EncryptionCtx{} }
-func (m *EncryptionCtx) String() string { return proto.CompactTextString(m) }
-func (*EncryptionCtx) ProtoMessage()    {}
-func (*EncryptionCtx) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b1567295c75a6f56, []int{0}
-}
-func (m *EncryptionCtx) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_EncryptionCtx.Unmarshal(m, b)
-}
-func (m *EncryptionCtx) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_EncryptionCtx.Marshal(b, m, deterministic)
-}
-func (m *EncryptionCtx) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EncryptionCtx.Merge(m, src)
-}
-func (m *EncryptionCtx) XXX_Size() int {
-	return xxx_messageInfo_EncryptionCtx.Size(m)
-}
-func (m *EncryptionCtx) XXX_DiscardUnknown() {
-	xxx_messageInfo_EncryptionCtx.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EncryptionCtx proto.InternalMessageInfo
-
-func (m *EncryptionCtx) GetDefaultKey() []byte {
-	if m != nil {
-		return m.DefaultKey
-	}
-	return nil
-}
-
-func (m *EncryptionCtx) GetStoreEntries() []*EncryptionCtx_StoreEntry {
-	if m != nil {
-		return m.StoreEntries
-	}
-	return nil
-}
-
-type EncryptionCtx_StoreEntry struct {
-	Bucket               []byte   `protobuf:"bytes,1,opt,name=bucket,proto3" json:"bucket,omitempty"`
-	UnencryptedPath      []byte   `protobuf:"bytes,2,opt,name=unencrypted_path,json=unencryptedPath,proto3" json:"unencrypted_path,omitempty"`
-	EncryptedPath        []byte   `protobuf:"bytes,3,opt,name=encrypted_path,json=encryptedPath,proto3" json:"encrypted_path,omitempty"`
-	Key                  []byte   `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *EncryptionCtx_StoreEntry) Reset()         { *m = EncryptionCtx_StoreEntry{} }
-func (m *EncryptionCtx_StoreEntry) String() string { return proto.CompactTextString(m) }
-func (*EncryptionCtx_StoreEntry) ProtoMessage()    {}
-func (*EncryptionCtx_StoreEntry) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b1567295c75a6f56, []int{0, 0}
-}
-func (m *EncryptionCtx_StoreEntry) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_EncryptionCtx_StoreEntry.Unmarshal(m, b)
-}
-func (m *EncryptionCtx_StoreEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_EncryptionCtx_StoreEntry.Marshal(b, m, deterministic)
-}
-func (m *EncryptionCtx_StoreEntry) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EncryptionCtx_StoreEntry.Merge(m, src)
-}
-func (m *EncryptionCtx_StoreEntry) XXX_Size() int {
-	return xxx_messageInfo_EncryptionCtx_StoreEntry.Size(m)
-}
-func (m *EncryptionCtx_StoreEntry) XXX_DiscardUnknown() {
-	xxx_messageInfo_EncryptionCtx_StoreEntry.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EncryptionCtx_StoreEntry proto.InternalMessageInfo
-
-func (m *EncryptionCtx_StoreEntry) GetBucket() []byte {
-	if m != nil {
-		return m.Bucket
-	}
-	return nil
-}
-
-func (m *EncryptionCtx_StoreEntry) GetUnencryptedPath() []byte {
-	if m != nil {
-		return m.UnencryptedPath
-	}
-	return nil
-}
-
-func (m *EncryptionCtx_StoreEntry) GetEncryptedPath() []byte {
-	if m != nil {
-		return m.EncryptedPath
-	}
-	return nil
-}
-
-func (m *EncryptionCtx_StoreEntry) GetKey() []byte {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func init() {
-	proto.RegisterType((*EncryptionCtx)(nil), "encryption_ctx.EncryptionCtx")
-	proto.RegisterType((*EncryptionCtx_StoreEntry)(nil), "encryption_ctx.EncryptionCtx.StoreEntry")
-}
-
-func init() { proto.RegisterFile("encryption_ctx.proto", fileDescriptor_b1567295c75a6f56) }
-
-var fileDescriptor_b1567295c75a6f56 = []byte{
-	// 224 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0x49, 0xcd, 0x4b, 0x2e,
-	0xaa, 0x2c, 0x28, 0xc9, 0xcc, 0xcf, 0x8b, 0x4f, 0x2e, 0xa9, 0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9,
-	0x17, 0xe2, 0x43, 0x15, 0x95, 0xe2, 0x4a, 0xcf, 0x4f, 0xcf, 0x87, 0xc8, 0x29, 0x75, 0x31, 0x71,
-	0xf1, 0xba, 0xc2, 0xa5, 0x9d, 0x4b, 0x2a, 0x84, 0xe4, 0xb9, 0xb8, 0x53, 0x52, 0xd3, 0x12, 0x4b,
-	0x73, 0x4a, 0xe2, 0xb3, 0x53, 0x2b, 0x25, 0x18, 0x15, 0x18, 0x35, 0x78, 0x82, 0xb8, 0xa0, 0x42,
-	0xde, 0xa9, 0x95, 0x42, 0xbe, 0x5c, 0xbc, 0xc5, 0x25, 0xf9, 0x45, 0xa9, 0xf1, 0xa9, 0x79, 0x25,
-	0x45, 0x99, 0xa9, 0xc5, 0x12, 0x4c, 0x0a, 0xcc, 0x1a, 0xdc, 0x46, 0x1a, 0x7a, 0x68, 0x96, 0xa3,
-	0x18, 0xab, 0x17, 0x0c, 0xd2, 0xe2, 0x9a, 0x57, 0x52, 0x54, 0x19, 0xc4, 0x53, 0x0c, 0x63, 0x67,
-	0xa6, 0x16, 0x4b, 0x75, 0x30, 0x72, 0x71, 0x21, 0x24, 0x85, 0xc4, 0xb8, 0xd8, 0x92, 0x4a, 0x93,
-	0xb3, 0x53, 0x4b, 0xa0, 0x36, 0x43, 0x79, 0x42, 0x9a, 0x5c, 0x02, 0xa5, 0x79, 0x50, 0x1b, 0x52,
-	0x53, 0xe2, 0x0b, 0x12, 0x4b, 0x32, 0x24, 0x98, 0xc0, 0x2a, 0xf8, 0x91, 0xc4, 0x03, 0x12, 0x4b,
-	0x32, 0x84, 0x54, 0xb9, 0xf8, 0xd0, 0x14, 0x32, 0x83, 0x15, 0xf2, 0xa2, 0x2a, 0x13, 0xe0, 0x62,
-	0x06, 0x79, 0x90, 0x05, 0x2c, 0x07, 0x62, 0x3a, 0xb1, 0x44, 0x31, 0x15, 0x24, 0x25, 0xb1, 0x81,
-	0x43, 0xc6, 0x18, 0x10, 0x00, 0x00, 0xff, 0xff, 0xcb, 0x91, 0x63, 0x57, 0x4d, 0x01, 0x00, 0x00,
-}

proto.lock

@@ -185,11 +185,11 @@
       }
     },
     {
-      "protopath": "pkg:/:pb:/:encryption_ctx.proto",
+      "protopath": "pkg:/:pb:/:encryption_access.proto",
       "def": {
         "messages": [
           {
-            "name": "EncryptionCtx",
+            "name": "EncryptionAccess",
             "fields": [
               {
                 "id": 1,
@@ -238,7 +238,7 @@
           }
         ],
         "package": {
-          "name": "encryption_ctx"
+          "name": "encryption_access"
         },
         "options": [
           {

uplink/config.go

@@ -27,7 +27,7 @@ type RSConfig struct {
 type EncryptionConfig struct {
 	EncryptionKey     string `help:"the root key for encrypting the data which will be stored in KeyFilePath" setup:"true"`
 	KeyFilepath       string `help:"the path to the file which contains the root key for encrypting the data"`
-	EncCtxFilepath string `help:"the path to a file containing a serialized encryption ctx"`
+	EncAccessFilepath string `help:"the path to a file containing a serialized encryption access"`
 	DataType          int    `help:"Type of encryption to use for content and metadata (1=AES-GCM, 2=SecretBox)" default:"1"`
 	PathType          int    `help:"Type of encryption to use for paths (0=Unencrypted, 1=AES-GCM, 2=SecretBox)" default:"1"`
 }

uplink/setup/setup.go

@@ -23,16 +23,16 @@ var (
 	Error = errs.Class("uplink setup")
 )
 
-// LoadEncryptionCtx loads an EncryptionCtx from the values specified in the encryption config.
+// LoadEncryptionAccess loads an EncryptionAccess from the values specified in the encryption config.
-func LoadEncryptionCtx(ctx context.Context, cfg uplink.EncryptionConfig) (_ *libuplink.EncryptionCtx, err error) {
+func LoadEncryptionAccess(ctx context.Context, cfg uplink.EncryptionConfig) (_ *libuplink.EncryptionAccess, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	if cfg.EncCtxFilepath != "" {
+	if cfg.EncAccessFilepath != "" {
-		data, err := ioutil.ReadFile(cfg.EncCtxFilepath)
+		data, err := ioutil.ReadFile(cfg.EncAccessFilepath)
 		if err != nil {
 			return nil, errs.Wrap(err)
 		}
-		return libuplink.ParseEncryptionCtx(strings.TrimSpace(string(data)))
+		return libuplink.ParseEncryptionAccess(strings.TrimSpace(string(data)))
 	}
 
 	data := []byte(cfg.EncryptionKey)
@@ -47,5 +47,5 @@ func LoadEncryptionCtx(ctx context.Context, cfg uplink.EncryptionConfig) (_ *lib
 	if err != nil {
 		return nil, errs.Wrap(err)
 	}
-	return libuplink.NewEncryptionCtxWithDefaultKey(*key), nil
+	return libuplink.NewEncryptionAccessWithDefaultKey(*key), nil
 }

uplink/setup/setup_test.go

@@ -19,13 +19,13 @@ import (
 	"storj.io/storj/uplink/setup"
 )
 
-func TestLoadEncryptionCtx(t *testing.T) {
+func TestLoadEncryptionAccess(t *testing.T) {
-	saveRawCtx := func(encCtx *libuplink.EncryptionCtx) (filepath string, clenaup func()) {
+	saveRawCtx := func(access *libuplink.EncryptionAccess) (filepath string, clenaup func()) {
 		t.Helper()
 
 		ctx := testcontext.New(t)
 		filename := ctx.File("encryption.ctx")
-		data, err := encCtx.Serialize()
+		data, err := access.Serialize()
 		require.NoError(t, err)
 		err = ioutil.WriteFile(filename, []byte(data), os.FileMode(0400))
 		require.NoError(t, err)
@@ -38,20 +38,20 @@ func TestLoadEncryptionCtx(t *testing.T) {
 
 		key, err := storj.NewKey(passphrase)
 		require.NoError(t, err)
-		encCtx := libuplink.NewEncryptionCtxWithDefaultKey(*key)
+		access := libuplink.NewEncryptionAccessWithDefaultKey(*key)
-		filename, cleanup := saveRawCtx(encCtx)
+		filename, cleanup := saveRawCtx(access)
 		defer cleanup()
 
-		gotCtx, err := setup.LoadEncryptionCtx(context.Background(), uplink.EncryptionConfig{
+		gotCtx, err := setup.LoadEncryptionAccess(context.Background(), uplink.EncryptionConfig{
-			EncCtxFilepath: filename,
+			EncAccessFilepath: filename,
 		})
 		require.NoError(t, err)
-		require.Equal(t, encCtx, gotCtx)
+		require.Equal(t, access, gotCtx)
 	})
 
 	t.Run("ok: empty filepath", func(t *testing.T) {
-		gotCtx, err := setup.LoadEncryptionCtx(context.Background(), uplink.EncryptionConfig{
+		gotCtx, err := setup.LoadEncryptionAccess(context.Background(), uplink.EncryptionConfig{
-			EncCtxFilepath: "",
+			EncAccessFilepath: "",
 		})
 
 		require.NoError(t, err)
@@ -63,8 +63,8 @@ func TestLoadEncryptionCtx(t *testing.T) {
 		defer ctx.Cleanup()
 		filename := ctx.File("encryption.ctx")
 
-		_, err := setup.LoadEncryptionCtx(context.Background(), uplink.EncryptionConfig{
+		_, err := setup.LoadEncryptionAccess(context.Background(), uplink.EncryptionConfig{
-			EncCtxFilepath: filename,
+			EncAccessFilepath: filename,
 		})
 		require.Error(t, err)
 	})