org.apache.cassandra.security.EncryptionContext Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of cassandra-all Show documentation
Show all versions of cassandra-all Show documentation
The Apache Cassandra Project develops a highly scalable second-generation distributed database, bringing together Dynamo's fully distributed design and Bigtable's ColumnFamily-based data model.
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.cassandra.security;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Objects;
import org.apache.cassandra.config.TransparentDataEncryptionOptions;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.io.compress.ICompressor;
import org.apache.cassandra.io.compress.LZ4Compressor;
import org.apache.cassandra.utils.Hex;
/**
* A (largely) immutable wrapper for the application-wide file-level encryption settings.
*/
public class EncryptionContext
{
public static final String ENCRYPTION_CIPHER = "encCipher";
public static final String ENCRYPTION_KEY_ALIAS = "encKeyAlias";
public static final String ENCRYPTION_IV = "encIV";
private final TransparentDataEncryptionOptions tdeOptions;
private final ICompressor compressor;
private final CipherFactory cipherFactory;
private final byte[] iv;
private final int chunkLength;
public EncryptionContext()
{
this(new TransparentDataEncryptionOptions());
}
public EncryptionContext(TransparentDataEncryptionOptions tdeOptions)
{
this(tdeOptions, null, true);
}
@VisibleForTesting
public EncryptionContext(TransparentDataEncryptionOptions tdeOptions, byte[] iv, boolean init)
{
this.tdeOptions = tdeOptions;
compressor = LZ4Compressor.create(Collections.emptyMap());
chunkLength = tdeOptions.chunk_length_kb * 1024;
this.iv = iv;
// always attempt to load the cipher factory, as we could be in the situation where the user has disabled encryption,
// but has existing commitlogs and sstables on disk that are still encrypted (and still need to be read)
CipherFactory factory = null;
if (tdeOptions.enabled && init)
{
try
{
factory = new CipherFactory(tdeOptions);
}
catch (Exception e)
{
throw new ConfigurationException("failed to load key provider for transparent data encryption", e);
}
}
cipherFactory = factory;
}
public ICompressor getCompressor()
{
return compressor;
}
public Cipher getEncryptor() throws IOException
{
return cipherFactory.getEncryptor(tdeOptions.cipher, tdeOptions.key_alias);
}
public Cipher getDecryptor() throws IOException
{
if (iv == null || iv.length == 0)
throw new IllegalStateException("no initialization vector (IV) found in this context");
return cipherFactory.getDecryptor(tdeOptions.cipher, tdeOptions.key_alias, iv);
}
public boolean isEnabled()
{
return tdeOptions.enabled;
}
public int getChunkLength()
{
return chunkLength;
}
public byte[] getIV()
{
return iv;
}
public TransparentDataEncryptionOptions getTransparentDataEncryptionOptions()
{
return tdeOptions;
}
public boolean equals(Object o)
{
return o instanceof EncryptionContext && equals((EncryptionContext) o);
}
public boolean equals(EncryptionContext other)
{
return Objects.equal(tdeOptions, other.tdeOptions)
&& Objects.equal(compressor, other.compressor)
&& Arrays.equals(iv, other.iv);
}
public Map toHeaderParameters()
{
Map map = new HashMap<>(3);
// add compression options, someday ...
if (tdeOptions.enabled)
{
map.put(ENCRYPTION_CIPHER, tdeOptions.cipher);
map.put(ENCRYPTION_KEY_ALIAS, tdeOptions.key_alias);
if (iv != null && iv.length > 0)
map.put(ENCRYPTION_IV, Hex.bytesToHex(iv));
}
return map;
}
/**
* If encryption headers are found in the {@code parameters},
* those headers are merged with the application-wide {@code encryptionContext}.
*/
public static EncryptionContext createFromMap(Map, ?> parameters, EncryptionContext encryptionContext)
{
if (parameters == null || parameters.isEmpty())
return new EncryptionContext(new TransparentDataEncryptionOptions(false));
String keyAlias = (String)parameters.get(ENCRYPTION_KEY_ALIAS);
String cipher = (String)parameters.get(ENCRYPTION_CIPHER);
String ivString = (String)parameters.get(ENCRYPTION_IV);
if (keyAlias == null || cipher == null)
return new EncryptionContext(new TransparentDataEncryptionOptions(false));
TransparentDataEncryptionOptions tdeOptions = new TransparentDataEncryptionOptions(cipher, keyAlias, encryptionContext.getTransparentDataEncryptionOptions().key_provider);
byte[] iv = ivString != null ? Hex.hexToBytes(ivString) : null;
return new EncryptionContext(tdeOptions, iv, true);
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy