All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.parquet.crypto.keytools.LocalWrapKmsClient Maven / Gradle / Ivy

The newest version!
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.parquet.crypto.keytools;

import org.apache.hadoop.conf.Configuration;
import org.apache.parquet.crypto.KeyAccessDeniedException;
import org.apache.parquet.crypto.ParquetCryptoRuntimeException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.core.type.TypeReference;

import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/**
 * Typically, KMS systems support in-server key wrapping. Their clients should implement KmsClient interface directly.
 * An extension of the LocalWrapKmsClient class should used only in rare situations where in-server wrapping is not
 * supported. The wrapping will be done locally then - the MEKs will be fetched from the KMS server via the
 * getMasterKeyFromServer function, and used to encrypt a DEK or KEK inside the LocalWrapKmsClient code.
 * Note: master key rotation is not supported with local wrapping.
 */
public abstract class LocalWrapKmsClient implements KmsClient {

  public static final String LOCAL_WRAP_NO_KEY_VERSION = "NO_VERSION";

  protected String kmsInstanceID;
  protected String kmsInstanceURL;
  protected String kmsToken;
  protected Configuration hadoopConfiguration;

  // MasterKey cache: master keys per key ID (per KMS Client). For local wrapping only.
  private ConcurrentMap masterKeyCache;

  /**
   * KMS systems wrap keys by encrypting them by master keys, and attaching additional information (such as the version 
   * number of the masker key) to the result of encryption. The master key version is required in  key rotation.
   * Currently, the local wrapping mode does not support key rotation (because not all KMS systems allow to fetch a master
   * key by its ID and version number). Still, the local wrapping mode adds a placeholder for the master key version, that will
   * enable support for key rotation in this mode in the future, with appropriate KMS systems. This will also enable backward
   * compatibility, where future readers will be able to extract master key version in the files written by the current code.
   * 
   * LocalKeyWrap class writes (and reads) the "key wrap" as a flat json with the following fields:
   * 1. "masterKeyVersion" - a String, with the master key version. In the current version, only one value is allowed - "NO_VERSION".
   * 2. "encryptedKey" - a String, with the key encrypted by the master key (base64-encoded).
   */
  static class LocalKeyWrap {
    public static final String LOCAL_WRAP_KEY_VERSION_FIELD = "masterKeyVersion";
    public static final String LOCAL_WRAP_ENCRYPTED_KEY_FIELD = "encryptedKey";

    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    private String encryptedEncodedKey;
    private String masterKeyVersion;

    private LocalKeyWrap(String masterKeyVersion, String encryptedEncodedKey) {
      this.masterKeyVersion = masterKeyVersion;
      this.encryptedEncodedKey = encryptedEncodedKey;
    }

    private static String createSerialized(String encryptedEncodedKey) {
      Map keyWrapMap = new HashMap(2);
      keyWrapMap.put(LOCAL_WRAP_KEY_VERSION_FIELD, LOCAL_WRAP_NO_KEY_VERSION);
      keyWrapMap.put(LOCAL_WRAP_ENCRYPTED_KEY_FIELD, encryptedEncodedKey);
      try {
        return OBJECT_MAPPER.writeValueAsString(keyWrapMap);
      } catch (IOException e) {
        throw new ParquetCryptoRuntimeException("Failed to serialize local key wrap map", e);
      }
    }

    private static LocalKeyWrap parse(String wrappedKey) {
      Map keyWrapMap = null;
      try {
        keyWrapMap = OBJECT_MAPPER.readValue(new StringReader(wrappedKey),
            new TypeReference>() {});
      } catch (IOException e) {
        throw new ParquetCryptoRuntimeException("Failed to parse local key wrap json " + wrappedKey, e);
      }
      String encryptedEncodedKey = keyWrapMap.get(LOCAL_WRAP_ENCRYPTED_KEY_FIELD);
      String masterKeyVersion = keyWrapMap.get(LOCAL_WRAP_KEY_VERSION_FIELD);

      return new LocalKeyWrap(masterKeyVersion, encryptedEncodedKey);
    }

    private String getMasterKeyVersion() {
      return masterKeyVersion;
    }

    private String getEncryptedKey() {
      return encryptedEncodedKey;
    }
  }

  @Override
  public void initialize(Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken) {
    this.kmsInstanceID = kmsInstanceID;
    this.kmsInstanceURL = kmsInstanceURL;
    
    masterKeyCache = new ConcurrentHashMap<>();
    hadoopConfiguration = configuration;
    kmsToken = accessToken;

    initializeInternal();
  }

  @Override
  public String wrapKey(byte[] key, String masterKeyIdentifier) throws KeyAccessDeniedException {
    byte[] masterKey =  masterKeyCache.computeIfAbsent(masterKeyIdentifier,
          (k) -> getKeyFromServer(masterKeyIdentifier));
    byte[] AAD = masterKeyIdentifier.getBytes(StandardCharsets.UTF_8);
    String encryptedEncodedKey =  KeyToolkit.encryptKeyLocally(key, masterKey, AAD);
    return LocalKeyWrap.createSerialized(encryptedEncodedKey);
  }

  @Override
  public byte[] unwrapKey(String wrappedKey, String masterKeyIdentifier) throws KeyAccessDeniedException {
    LocalKeyWrap keyWrap = LocalKeyWrap.parse(wrappedKey);
    String masterKeyVersion = keyWrap.getMasterKeyVersion();
    if (!LOCAL_WRAP_NO_KEY_VERSION.equals(masterKeyVersion)) {
      throw new ParquetCryptoRuntimeException("Master key versions are not supported for local wrapping: "
        + masterKeyVersion);
    }
    String encryptedEncodedKey = keyWrap.getEncryptedKey();
    byte[] masterKey = masterKeyCache.computeIfAbsent(masterKeyIdentifier,
        (k) -> getKeyFromServer(masterKeyIdentifier));
    byte[] AAD = masterKeyIdentifier.getBytes(StandardCharsets.UTF_8);
    return KeyToolkit.decryptKeyLocally(encryptedEncodedKey, masterKey, AAD);
  }

  private byte[] getKeyFromServer(String keyIdentifier) {
    // refresh token
    kmsToken = hadoopConfiguration.getTrimmed(KeyToolkit.KEY_ACCESS_TOKEN_PROPERTY_NAME);
    byte[] key = getMasterKeyFromServer(keyIdentifier);
    int keyLength = key.length;
    if (!(16 == keyLength || 24 == keyLength || 32 == keyLength)) {
      throw new ParquetCryptoRuntimeException( "Wrong length: "+ keyLength +
          " of AES key: "  + keyIdentifier);
    }
    return key;
  }

  /**
   * Get master key from the remote KMS server.
   * 
   * If your KMS client code throws runtime exceptions related to access/permission problems
   * (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.
   * 
   * @param masterKeyIdentifier: a string that uniquely identifies the master key in a KMS instance
   * @return master key bytes
   * @throws KeyAccessDeniedException unauthorized to get the master key
   */
  protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier) 
      throws KeyAccessDeniedException;

  /**
   * Pass configuration with KMS-specific parameters.
   */
  protected abstract void initializeInternal() 
      throws KeyAccessDeniedException;
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy