@Override public KeyVersion getCurrentKey(String name) throws IOException { return keyProvider.getCurrentKey(name); }
@Override public KeyVersion load(String key) throws Exception { KeyVersion kv = provider.getCurrentKey(key); if (kv == null) { throw new KeyNotFoundException(); } return kv; } });
ekNow = keyProvider.getCurrentKey(ekName); Preconditions .checkNotNull(ekNow, "Key name '%s' does not exist", ekName);
@Override public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException { // Fetch the encryption key KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName); Preconditions.checkNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName); // Generate random bytes for new key and IV CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf()); try { final byte[] newKey = new byte[encryptionKey.getMaterial().length]; cc.generateSecureRandom(newKey); final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()]; cc.generateSecureRandom(iv); Encryptor encryptor = cc.createEncryptor(); return generateEncryptedKey(encryptor, encryptionKey, newKey, iv); } finally { cc.close(); } }
@Override public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException { final String ekName = ekv.getEncryptionKeyName(); final KeyVersion ekNow = keyProvider.getCurrentKey(ekName); Preconditions .checkNotNull(ekNow, "KeyVersion name '%s' does not exist", ekName); Preconditions.checkArgument(ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); if (ekv.getEncryptedKeyVersion().equals(ekNow)) { // no-op if same key version return ekv; } final KeyVersion dek = decryptEncryptedKey(ekv); final CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf()); try { final Encryptor encryptor = cc.createEncryptor(); return generateEncryptedKey(encryptor, ekNow, dek.getMaterial(), ekv.getEncryptedKeyIv()); } finally { cc.close(); } }
@Override public KeyVersion getCurrentKey(String name) throws IOException { return keyProvider.getCurrentKey(name); }
@Override public KeyVersion getCurrentKey(String name) throws IOException { return keyProvider.getCurrentKey(name); }
@Override public KeyVersion getCurrentKey(String name) throws IOException { return keyProvider.getCurrentKey(name); }
@Override public KeyVersion getCurrentKey(String name) throws IOException { return keyProvider.getCurrentKey(name); }
@Override public KeyVersion load(String key) throws Exception { KeyVersion kv = provider.getCurrentKey(key); if (kv == null) { throw new KeyNotFoundException(); } return kv; } });
@Override public KeyVersion load(String key) throws Exception { KeyVersion kv = provider.getCurrentKey(key); if (kv == null) { throw new KeyNotFoundException(); } return kv; } });
@Override public KeyVersion load(String key) throws Exception { KeyVersion kv = provider.getCurrentKey(key); if (kv == null) { throw new KeyNotFoundException(); } return kv; } });
@Override public KeyVersion load(String key) throws Exception { KeyVersion kv = provider.getCurrentKey(key); if (kv == null) { throw new KeyNotFoundException(); } return kv; } });
@Test public void testRollNewVersion() throws Exception { KeyProvider.KeyVersion mockKey = Mockito.mock(KeyProvider.KeyVersion.class); KeyProvider mockProv = Mockito.mock(KeyProvider.class); Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey); Mockito.when(mockProv.getConf()).thenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1")); cache.rollNewVersion("k1"); // asserting the cache is purged Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(2)).getCurrentKey(Mockito.eq("k1")); cache.rollNewVersion("k1", new byte[0]); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(3)).getCurrentKey(Mockito.eq("k1")); }
@Test public void testRollNewVersion() throws Exception { KeyProvider.KeyVersion mockKey = Mockito.mock(KeyProvider.KeyVersion.class); KeyProvider mockProv = Mockito.mock(KeyProvider.class); Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey); Mockito.when(mockProv.getConf()).thenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1")); cache.rollNewVersion("k1"); // asserting the cache is purged Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(2)).getCurrentKey(Mockito.eq("k1")); cache.rollNewVersion("k1", new byte[0]); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(3)).getCurrentKey(Mockito.eq("k1")); }
@Test public void testCurrentKey() throws Exception { KeyProvider.KeyVersion mockKey = Mockito.mock(KeyProvider.KeyVersion.class); KeyProvider mockProv = Mockito.mock(KeyProvider.class); Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey); Mockito.when(mockProv.getCurrentKey(Mockito.eq("k2"))).thenReturn(null); Mockito.when(mockProv.getConf()).thenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); // asserting caching Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1")); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1")); Thread.sleep(1200); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(2)).getCurrentKey(Mockito.eq("k1")); // asserting no caching when key is not known cache = new CachingKeyProvider(mockProv, 100, 100); Assert.assertEquals(null, cache.getCurrentKey("k2")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k2")); Assert.assertEquals(null, cache.getCurrentKey("k2")); Mockito.verify(mockProv, Mockito.times(2)).getCurrentKey(Mockito.eq("k2")); }
@Test public void testDeleteKey() throws Exception { KeyProvider.KeyVersion mockKey = Mockito.mock(KeyProvider.KeyVersion.class); KeyProvider mockProv = Mockito.mock(KeyProvider.class); Mockito.when(mockProv.getCurrentKey(Mockito.eq("k1"))).thenReturn(mockKey); Mockito.when(mockProv.getKeyVersion(Mockito.eq("k1@0"))) .thenReturn(mockKey); Mockito.when(mockProv.getMetadata(Mockito.eq("k1"))).thenReturn( new KMSClientProvider.KMSMetadata("c", 0, "l", null, new Date(), 1)); Mockito.when(mockProv.getConf()).thenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(1)).getCurrentKey(Mockito.eq("k1")); Assert.assertEquals(mockKey, cache.getKeyVersion("k1@0")); Mockito.verify(mockProv, Mockito.times(1)) .getKeyVersion(Mockito.eq("k1@0")); cache.deleteKey("k1"); // asserting the cache is purged Assert.assertEquals(mockKey, cache.getCurrentKey("k1")); Mockito.verify(mockProv, Mockito.times(2)).getCurrentKey(Mockito.eq("k1")); Assert.assertEquals(mockKey, cache.getKeyVersion("k1@0")); Mockito.verify(mockProv, Mockito.times(2)) .getKeyVersion(Mockito.eq("k1@0")); } }
public void checkPermissionRetention(Configuration conf, String ourUrl, Path path) throws Exception { KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0); // let's add a new key and flush and check that permissions are still set to 777 byte[] key = new byte[16]; for(int i =0; i < key.length; ++i) { key[i] = (byte) i; } // create a new key try { provider.createKey("key5", key, KeyProvider.options(conf)); } catch (Exception e) { e.printStackTrace(); throw e; } provider.flush(); // get a new instance of the provider to ensure it was saved correctly provider = KeyProviderFactory.getProviders(conf).get(0); assertArrayEquals(key, provider.getCurrentKey("key5").getMaterial()); FileSystem fs = path.getFileSystem(conf); FileStatus s = fs.getFileStatus(path); assertTrue("Permissions should have been retained from the preexisting keystore.", s.getPermission().toString().equals("rwxrwxrwx")); }
public void checkPermissionRetention(Configuration conf, String ourUrl, Path path) throws Exception { KeyProvider provider = KeyProviderFactory.getProviders(conf).get(0); // let's add a new key and flush and check that permissions are still set to 777 byte[] key = new byte[16]; for(int i =0; i < key.length; ++i) { key[i] = (byte) i; } // create a new key try { provider.createKey("key5", key, KeyProvider.options(conf)); } catch (Exception e) { e.printStackTrace(); throw e; } provider.flush(); // get a new instance of the provider to ensure it was saved correctly provider = KeyProviderFactory.getProviders(conf).get(0); assertArrayEquals(key, provider.getCurrentKey("key5").getMaterial()); FileSystem fs = path.getFileSystem(conf); FileStatus s = fs.getFileStatus(path); assertTrue("Permissions should have been retained from the preexisting keystore.", s.getPermission().toString().equals("rwxrwxrwx")); }
/** * Returns the data stored in the secure store. Makes two calls to the provider, one to get the metadata and another * to get the data. * @param namespace The namespace this key belongs to. * @param name Name of the key. * @return An object representing the securely stored data associated with the name. * @throws NamespaceNotFoundException If the specified namespace does not exist. * @throws IOException If there was a problem getting the key or the metadata from the underlying key provider. */ // Unfortunately KeyProvider does not specify the underlying cause except in the message, so we can not throw a // more specific exception. @Override public SecureStoreData get(String namespace, String name) throws Exception { checkNamespaceExists(namespace); String keyName = getKeyName(namespace, name); KeyProvider.Metadata metadata = provider.getMetadata(keyName); // Provider returns null if the key is not found. if (metadata == null) { throw new NotFoundException(new SecureKeyId(namespace, name)); } SecureStoreMetadata meta = new SecureStoreMetadata(name, metadata.getDescription(), metadata.getCreated().getTime(), metadata.getAttributes()); KeyProvider.KeyVersion keyVersion = provider.getCurrentKey(keyName); return new SecureStoreData(meta, keyVersion.getMaterial()); }