orc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From omalley <...@git.apache.org>
Subject [GitHub] orc pull request #213: ORC-278 - Create in memory KeyProvider class
Date Wed, 07 Feb 2018 17:31:26 GMT
Github user omalley commented on a diff in the pull request:

    https://github.com/apache/orc/pull/213#discussion_r166690257
  
    --- Diff: java/core/src/java/org/apache/orc/InMemoryKeystore.java ---
    @@ -0,0 +1,403 @@
    +package org.apache.orc;
    +
    +import org.apache.commons.lang.StringUtils;
    +import org.apache.orc.impl.HadoopShims;
    +
    +import javax.crypto.BadPaddingException;
    +import javax.crypto.Cipher;
    +import javax.crypto.IllegalBlockSizeException;
    +import javax.crypto.spec.IvParameterSpec;
    +import javax.crypto.spec.SecretKeySpec;
    +import java.io.IOException;
    +import java.security.InvalidAlgorithmParameterException;
    +import java.security.InvalidKeyException;
    +import java.security.Key;
    +import java.security.NoSuchAlgorithmException;
    +import java.util.ArrayList;
    +import java.util.Arrays;
    +import java.util.HashMap;
    +import java.util.List;
    +import java.util.Map;
    +import java.util.concurrent.locks.ReentrantReadWriteLock;
    +
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + * <p>
    + * http://www.apache.org/licenses/LICENSE-2.0
    + * <p>
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +/**
    + * This is an in-memory implementation of {@link HadoopShims.KeyProvider}.
    + * The primary use of this class is to ease testing.
    + */
    +public class InMemoryKeystore implements HadoopShims.KeyProvider {
    +
    +  /**
    +   * Support AES 256 ?
    +   */
    +  public static final boolean SUPPORTS_AES_256;
    +
    +  static {
    +    try {
    +      SUPPORTS_AES_256 = Cipher.getMaxAllowedKeyLength("AES") > 128;
    +    } catch (final NoSuchAlgorithmException e) {
    +      throw new IllegalArgumentException("Unknown algorithm", e);
    +    }
    +  }
    +
    +  /**
    +   * A map that stores the 'keyName@version'
    +   * and 'metadata + material' mapping.
    +   */
    +  private final Map<String, KeyVersion> keys;
    +
    +  /**
    +   * A map that store the keyName (without version)
    +   * and metadata associated with it.
    +   */
    +  private final Map<String, HadoopShims.KeyMetadata> meta = new HashMap<>();
    +
    +  private final ReentrantReadWriteLock rwl = new ReentrantReadWriteLock(true);
    +
    +  /* Create an instance */
    +  public InMemoryKeystore() {
    +    this(new HashMap<String, KeyVersion>());
    +  }
    +
    +  /**
    +   * Create an instance populating the given keys.
    +   *
    +   * @param keys Supplied map of keys
    +   */
    +  public InMemoryKeystore(final Map<String, KeyVersion> keys) {
    +    super();
    +    this.keys = keys;
    +  }
    +
    +  /**
    +   * Build a version string from a basename and version number. Converts
    +   * "/aaa/bbb" and 3 to "/aaa/bbb@3".
    +   *
    +   * @param name    the basename of the key
    +   * @param version the version of the key
    +   * @return the versionName of the key.
    +   */
    +  protected static String buildVersionName(final String name,
    +      final int version) {
    +    return name + "@" + version;
    +  }
    +
    +  /**
    +   * Get the list of key names from the key provider.
    +   *
    +   * @return a list of key names
    +   * @throws IOException
    +   */
    +  @Override
    +  public List<String> getKeyNames() throws IOException {
    +    return new ArrayList<>(meta.keySet());
    +  }
    +
    +  /**
    +   * Get the current metadata for a given key. This is used when encrypting
    +   * new data.
    +   *
    +   * @param keyName the name of a key
    +   * @return metadata for the current version of the key
    +   */
    +  @Override
    +  public HadoopShims.KeyMetadata getCurrentKeyVersion(final String keyName) {
    +
    +    /* prevent the material from leaking */
    +    final HadoopShims.KeyMetadata key = meta.get(keyName);
    --- End diff --
    
    This isn't necessary. Just return the meta.get(keyName). Once the secrets are in the process,
you really can't protect the secrets.


---

Mime
View raw message