org.apache.hadoop.crypto.key.KeyProviderCryptoExtension Java Examples
The following examples show how to use
org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.
Example #1
Source File: OzoneKMSUtil.java From hadoop-ozone with Apache License 2.0 | 6 votes |
/**
 * Unwraps the per-file encrypted data encryption key (EDEK) via the KMS.
 *
 * @param feInfo      encryption info of the file: key name, encryption-zone key
 *                    version, IV and the wrapped EDEK (not null-checked here;
 *                    a null value surfaces as an NPE from the first getter)
 * @param keyProvider the configured key provider, or null when none is set
 * @return the plaintext DEK as a {@code KeyVersion}
 * @throws IOException when no provider is configured, or wrapping any
 *                     {@link GeneralSecurityException} raised by the unwrap
 */
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  // Without a KeyProvider there is no way to unwrap the EDEK, hence no way to
  // read the data; fail early with the same message callers already expect.
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, "
        + "cannot access an encrypted file");
  }
  final EncryptedKeyVersion wrapped = EncryptedKeyVersion.createForDecryption(
      feInfo.getKeyName(),
      feInfo.getEzKeyVersionName(),
      feInfo.getIV(),
      feInfo.getEncryptedDataEncryptionKey());
  try {
    // The crypto extension performs the actual unwrap against the KMS.
    final KeyProviderCryptoExtension extension =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider);
    return extension.decryptEncryptedKey(wrapped);
  } catch (GeneralSecurityException gse) {
    // Keep the IOException contract; the cause is preserved for diagnostics.
    throw new IOException(gse);
  }
}
Example #2
Source File: HDFSUtil.java From spliceengine with GNU Affero General Public License v3.0 | 6 votes |
/**
 * Unwraps a file's EDEK using the KeyProvider attached to the given HDFS
 * client.
 *
 * @param dfs    the file system whose underlying client supplies the
 *               KeyProvider (reached through the {@code dfs.dfs} field)
 * @param feInfo the file's encryption info (key name, EZ key version, IV and
 *               the wrapped EDEK)
 * @return the plaintext DEK
 * @throws IOException when no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} from the unwrap
 */
private static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    DistributedFileSystem dfs, FileEncryptionInfo feInfo) throws IOException {
  final KeyProvider provider = dfs.dfs.getKeyProvider();
  if (provider == null) {
    // No provider means the EDEK can never be unwrapped on this client.
    throw new IOException("No KeyProvider is configured, cannot access"
        + " an encrypted file");
  }
  final KeyProviderCryptoExtension.EncryptedKeyVersion wrapped =
      KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
          feInfo.getKeyName(),
          feInfo.getEzKeyVersionName(),
          feInfo.getIV(),
          feInfo.getEncryptedDataEncryptionKey());
  try {
    return KeyProviderCryptoExtension
        .createKeyProviderCryptoExtension(provider)
        .decryptEncryptedKey(wrapped);
  } catch (GeneralSecurityException e) {
    // Preserve the cause while honouring the IOException signature.
    throw new IOException(e);
  }
}
Example #3
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Builds the eager-generation extension around a delegate provider and sizes
 * the in-memory queue of pre-generated encrypted key versions from config.
 *
 * @param conf                        configuration supplying the cache size,
 *                                    low-watermark, expiry and refill-thread
 *                                    settings (defaults applied when absent)
 * @param keyProviderCryptoExtension  the delegate that actually generates EEKs
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  // Read the four tuning knobs in the same order the queue constructor
  // consumes them. NOTE(review): the queue holds wrapped (encrypted) key
  // material in memory; its size/expiry bound how much pre-generated material
  // sits around — presumably a deliberate latency/exposure trade-off, verify.
  final int cacheSize =
      conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  final float lowWatermark = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  final int expiryMs =
      conf.getInt(KMS_KEY_CACHE_EXPIRY_MS, KMS_KEY_CACHE_EXPIRY_DEFAULT);
  final int refillThreads = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
Example #4
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Wraps a delegate provider and creates the queue that caches pre-generated
 * encrypted key versions, sized from the KMS cache configuration keys.
 *
 * @param conf                        source of the cache size, low-watermark,
 *                                    expiry and refill-thread settings
 * @param keyProviderCryptoExtension  delegate used to generate EEKs
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  // Configuration lookups happen in constructor-argument order; each falls
  // back to the class-level default when the key is unset.
  final int queueCapacity =
      conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  final float refillThreshold = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  final int entryExpiryMs =
      conf.getInt(KMS_KEY_CACHE_EXPIRY_MS, KMS_KEY_CACHE_EXPIRY_DEFAULT);
  final int refillThreadCount = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  // NOTE(review): cached entries are wrapped key material held in memory;
  // capacity and expiry bound how much of it is pre-generated — confirm the
  // defaults suit the deployment's exposure tolerance.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          queueCapacity, refillThreshold, entryExpiryMs, refillThreadCount,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
Example #5
Source File: DFSClient.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Decrypts an EDEK (encrypted data encryption key) by consulting the
 * client's KeyProvider, inside a "decryptEDEK" trace span.
 *
 * @param feInfo the file's encryption info (key name, EZ key version, IV and
 *               wrapped EDEK)
 * @return the plaintext DEK
 * @throws IOException when no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} raised while unwrapping
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo)
    throws IOException {
  // The span is closed in finally so failed unwraps are traced as well.
  final TraceScope span = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access"
          + " an encrypted file");
    }
    final EncryptedKeyVersion wrapped = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider)
          .decryptEncryptedKey(wrapped);
    } catch (GeneralSecurityException e) {
      // Keep the cause; callers only see IOException.
      throw new IOException(e);
    }
  } finally {
    span.close();
  }
}
Example #6
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Creates the eager-generation extension: stores the delegate provider and
 * allocates the encrypted-key-version queue using the KMS cache settings.
 *
 * @param conf                        configuration holding the cache size,
 *                                    low-watermark, expiry and refill-thread
 *                                    values (class defaults used when unset)
 * @param keyProviderCryptoExtension  delegate that generates the EEKs
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  final int size = conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  final float watermark = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  final int expiry =
      conf.getInt(KMS_KEY_CACHE_EXPIRY_MS, KMS_KEY_CACHE_EXPIRY_DEFAULT);
  final int threads = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  // NOTE(review): the queue keeps wrapped key material resident in memory;
  // size/expiry bound that exposure — confirm the chosen values are intended.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          size, watermark, expiry, threads,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
Example #7
Source File: DFSClient.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Decrypts an EDEK by asking the configured KeyProvider to unwrap it; the
 * whole round trip is wrapped in a "decryptEDEK" trace span.
 *
 * @param feInfo encryption info of the file being opened
 * @return the plaintext data encryption key
 * @throws IOException if no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} from the provider
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo)
    throws IOException {
  final TraceScope traceScope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider keyProvider = getKeyProvider();
    if (keyProvider == null) {
      // Nothing can unwrap the EDEK; refuse to open the file.
      throw new IOException("No KeyProvider is configured, cannot access"
          + " an encrypted file");
    }
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(),
        feInfo.getEzKeyVersionName(),
        feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      final KeyProviderCryptoExtension ext =
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(
              keyProvider);
      return ext.decryptEncryptedKey(edek);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    // Always close the span, including on the error paths above.
    traceScope.close();
  }
}
Example #8
Source File: OMBucketCreateRequest.java From hadoop-ozone with Apache License 2.0 | 5 votes |
/**
 * Pre-processes a CreateBucket request on the leader: validates the bucket
 * name, stamps creation/modification time and, when the request carries
 * bucket-encryption info, resolves it against the KMS provider.
 *
 * @param ozoneManager the OM, used to obtain the KMS provider
 * @return a rebuilt request with user info and the updated bucket info
 * @throws IOException on an invalid bucket name or KMS resolution failure
 */
@Override
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
  final CreateBucketRequest original =
      getOmRequest().getCreateBucketRequest();
  final BucketInfo requestedBucket = original.getBucketInfo();

  // Reject malformed names before any further work is done.
  OmUtils.validateBucketName(requestedBucket.getBucketName());

  final KeyProviderCryptoExtension kmsProvider = ozoneManager.getKmsProvider();

  // Both timestamps are taken from the same instant so they agree exactly.
  final long now = Time.now();
  final BucketInfo.Builder updatedBucket = requestedBucket.toBuilder()
      .setCreationTime(now)
      .setModificationTime(now);
  if (requestedBucket.hasBeinfo()) {
    // Encryption metadata is looked up/validated against the KMS here.
    updatedBucket.setBeinfo(getBeinfo(kmsProvider, requestedBucket));
  }

  final CreateBucketRequest.Builder updatedRequest =
      original.toBuilder().setBucketInfo(updatedBucket.build());
  return getOmRequest().toBuilder()
      .setUserInfo(getUserInfo())
      .setCreateBucketRequest(updatedRequest.build())
      .build();
}
Example #9
Source File: KeyAuthorizationKeyProvider.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates an authorizing wrapper around a {@link KeyProviderCryptoExtension}.
 * Every operation is delegated to {@code keyProvider} once the
 * {@code KeyACLs} check (where required) has passed.
 *
 * @param keyProvider the provider that performs the real key operations
 * @param acls        the per-key ACLs consulted before delegating
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  // A single fair read/write lock (the {@code true} argument) guards the
  // delegate; read and write views are kept separately for the call sites.
  final ReadWriteLock rwLock = new ReentrantReadWriteLock(true);
  this.readLock = rwLock.readLock();
  this.writeLock = rwLock.writeLock();
}
Example #10
Source File: KeyAuthorizationKeyProvider.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Wraps a {@link KeyProviderCryptoExtension} with key-level authorization.
 * Calls are forwarded to {@code keyProvider} after the ACL check, when one
 * is required for the operation.
 *
 * @param keyProvider the delegate provider
 * @param acls        the key ACL implementation consulted before delegating
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  // Fair ordering is requested explicitly via the {@code true} argument.
  final ReentrantReadWriteLock sharedLock = new ReentrantReadWriteLock(true);
  readLock = sharedLock.readLock();
  writeLock = sharedLock.writeLock();
}
Example #11
Source File: KMSClientProvider.java From big-c with Apache License 2.0 | 5 votes |
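/**
 * Asks the KMS to unwrap an encrypted key version (EEK) over its REST API.
 *
 * <p>Argument validation happens before any network call: the key version
 * name, IV and the wrapped key must be present and the wrapped key's version
 * name must be {@code KeyProviderCryptoExtension.EEK}.
 *
 * @param encryptedKeyVersion the EEK to decrypt (must not be null)
 * @return the plaintext key version parsed from the KMS response
 * @throws IOException              on transport or response-parsing failure
 * @throws GeneralSecurityException if the provider reports a crypto failure
 * @throws IllegalArgumentException if a required field is missing or the
 *                                  wrapped key's version name is not EEK
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion)
    throws IOException, GeneralSecurityException {
  checkNotNull(encryptedKeyVersion, "encryptedKeyVersion");
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Check the wrapped key is present BEFORE it is dereferenced: the previous
  // order ran the version-name comparison first, so a missing encrypted key
  // surfaced as a bare NullPointerException instead of this message.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());

  // Query string selects the decrypt operation on the EEK sub-resource.
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);

  // IV and wrapped material travel base64-encoded in the JSON body; only the
  // encrypted form ever leaves this process.
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD,
      Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD,
      Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));

  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  // Raw Map: the JSON helper's signature is untyped; kept as in the file.
  Map response = call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}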
Example #12
Source File: TestEncryptionZonesWithHA.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Brings up a two-NameNode HA mini cluster backed by a file-based JKS key
 * provider, creates the test key on both NameNodes and points the client at
 * nn0's provider.
 *
 * <p>Ordering matters: the cluster must be active before keys are created,
 * and the client provider is set last.
 *
 * @throws Exception on any cluster start-up failure
 */
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);

  fsHelper = new FileSystemTestHelper();
  final String rootPath = fsHelper.getTestRootDir();
  testRootDir = new File(rootPath).getAbsoluteFile();

  // A local JKS keystore stands in for a KMS; fine for a test, not for prod.
  final String keystoreUri = JavaKeyStoreProvider.SCHEME_NAME + "://file"
      + new Path(testRootDir.toString(), "test.jks").toUri();
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI, keystoreUri);

  cluster = new MiniDFSCluster.Builder(conf)
      .nnTopology(MiniDFSNNTopology.simpleHATopology())
      .numDataNodes(1)
      .build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem) HATestUtil.configureFailoverFs(cluster, conf);
  // The key must exist from both NameNodes' point of view.
  DFSTestUtil.createKey(TEST_KEY, cluster, 0, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 1, conf);

  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);

  final KeyProviderCryptoExtension activeProvider =
      cluster.getNameNode(0).getNamesystem().getProvider();
  fs.getClient().setKeyProvider(activeProvider);
}
Example #13
Source File: DFSUtil.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Wraps the KeyProvider named by the configuration in a
 * {@link KeyProviderCryptoExtension}.
 *
 * @param conf Configuration naming the key provider
 * @return the crypto extension, or {@code null} when no provider is configured
 * @throws IOException if the configured KeyProvider cannot be instantiated
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  final KeyProvider underlying = createKeyProvider(conf);
  // "Not configured" is a legitimate state (no encryption zones), so it is
  // reported as null rather than an exception.
  return underlying == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(underlying);
}
Example #14
Source File: KeyAuthorizationKeyProvider.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Constructs the authorizing provider. Operations are delegated to
 * {@code keyProvider} after the {@code KeyACLs} check, when the operation
 * requires one.
 *
 * @param keyProvider the wrapped crypto-extension provider
 * @param acls        the key ACLs implementation
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  // Fair read/write lock (explicit {@code true}); both views are retained.
  final ReadWriteLock guard = new ReentrantReadWriteLock(true);
  this.readLock = guard.readLock();
  this.writeLock = guard.writeLock();
}
Example #15
Source File: KMSClientProvider.java From hadoop with Apache License 2.0 | 5 votes |
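/**
 * Decrypts an encrypted key version (EEK) by calling the KMS REST endpoint.
 *
 * <p>All argument checks run before the network call; the wrapped key's
 * version name must be {@code KeyProviderCryptoExtension.EEK}.
 *
 * @param encryptedKeyVersion the EEK to unwrap (must not be null)
 * @return the plaintext key version returned by the KMS
 * @throws IOException              on transport/response-parsing failure
 * @throws GeneralSecurityException if the provider reports a crypto failure
 * @throws IllegalArgumentException if a required field is missing or the
 *                                  wrapped key's version name is not EEK
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion)
    throws IOException, GeneralSecurityException {
  checkNotNull(encryptedKeyVersion, "encryptedKeyVersion");
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Moved ahead of the version-name comparison: previously the comparison
  // dereferenced getEncryptedKeyVersion() first, so a null wrapped key threw
  // an NPE and this check was unreachable.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());

  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);

  // Only the IV and the *wrapped* material are sent, base64-encoded.
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD,
      Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD,
      Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));

  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  // Raw Map matches the untyped JSON helper signature used in this file.
  Map response = call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}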
Example #16
Source File: OMBucketCreateRequest.java From hadoop-ozone with Apache License 2.0 | 5 votes |
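/**
 * Resolves the bucket-encryption info of a CreateBucket request against the
 * KMS: the named key must exist, and its cipher is recorded in the result.
 *
 * @param kmsProvider the KMS provider; null means encryption is unusable
 * @param bucketInfo  the requested bucket info carrying the key name
 * @return encryption info with key name, protocol version and cipher suite
 * @throws IOException (as {@link OMException}) when no KMS provider is
 *         configured, the key name is missing, or the key does not exist
 */
private BucketEncryptionInfoProto getBeinfo(
    KeyProviderCryptoExtension kmsProvider, BucketInfo bucketInfo)
    throws IOException {
  final BucketEncryptionInfoProto bek = bucketInfo.getBeinfo();
  if (kmsProvider == null) {
    throw new OMException("Invalid KMS provider, check configuration "
        + CommonConfigurationKeys.HADOOP_SECURITY_KEY_PROVIDER_PATH,
        OMException.ResultCodes.INVALID_KMS_PROVIDER);
  }
  // Protobuf-generated string getters return "" (never null) for an unset
  // field, so the original null-only test could not fire; an empty name is
  // treated as missing as well.
  final String keyName = bek.getKeyName();
  if (keyName == null || keyName.isEmpty()) {
    throw new OMException("Bucket encryption key needed.",
        OMException.ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // Talk to the KMS to confirm the key exists and learn its cipher.
  final KeyProvider.Metadata metadata = kmsProvider.getMetadata(keyName);
  if (metadata == null) {
    throw new OMException("Bucket encryption key " + keyName
        + " doesn't exist.",
        OMException.ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // Providers that pool EDEKs pre-fill the pool for this key here.
  kmsProvider.warmUpEncryptedKeys(keyName);
  return BucketEncryptionInfoProto.newBuilder()
      .setKeyName(keyName)
      .setCryptoProtocolVersion(ENCRYPTION_ZONES)
      .setSuite(OMPBHelper.convert(
          CipherSuite.convert(metadata.getCipher())))
      .build();
}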
Example #17
Source File: TestEncryptionZonesWithHA.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Starts an HA mini cluster (two NameNodes, one DataNode) whose encryption
 * key provider is a local JKS file, creates the test key on both NameNodes
 * and installs nn0's provider on the client.
 *
 * <p>Steps are order-dependent: activate nn0 before creating keys, and set
 * the client provider last.
 *
 * @throws Exception if cluster start-up fails
 */
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);

  fsHelper = new FileSystemTestHelper();
  testRootDir = new File(fsHelper.getTestRootDir()).getAbsoluteFile();

  // File-backed JKS provider: adequate for a unit test only.
  final Path keystorePath = new Path(testRootDir.toString(), "test.jks");
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI,
      JavaKeyStoreProvider.SCHEME_NAME + "://file" + keystorePath.toUri());

  cluster = new MiniDFSCluster.Builder(conf)
      .nnTopology(MiniDFSNNTopology.simpleHATopology())
      .numDataNodes(1)
      .build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem) HATestUtil.configureFailoverFs(cluster, conf);
  // Create the key through each NameNode so both see it.
  DFSTestUtil.createKey(TEST_KEY, cluster, 0, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 1, conf);

  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);

  fs.getClient().setKeyProvider(
      cluster.getNameNode(0).getNamesystem().getProvider());
}
Example #18
Source File: DFSUtil.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Creates a {@link KeyProviderCryptoExtension} over the KeyProvider that the
 * configuration names.
 *
 * @param conf Configuration
 * @return the new extension, or {@code null} if no provider is configured
 * @throws IOException if the KeyProvider is improperly specified
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  final KeyProvider configured = createKeyProvider(conf);
  if (configured != null) {
    return KeyProviderCryptoExtension
        .createKeyProviderCryptoExtension(configured);
  }
  // No provider configured: callers treat null as "encryption unavailable".
  return null;
}
Example #19
Source File: KeyManagerImpl.java From hadoop-ozone with Apache License 2.0 | 5 votes |
/**
 * Wires the key manager to its collaborators and reads its tunables from
 * configuration.
 *
 * @param om              the owning OzoneManager
 * @param scmClient       client to the Storage Container Manager
 * @param metadataManager OM metadata store
 * @param conf            configuration supplying block size, Ratis flag,
 *                        preallocation cap, block-token flag and trash limit
 * @param omId            identifier of this OM
 * @param secretManager   block-token secret manager
 * @param kmsProvider     KMS provider (may be null when encryption is off)
 * @param prefixManager   prefix (ACL) manager
 */
@SuppressWarnings("parameternumber")
public KeyManagerImpl(OzoneManager om, ScmClient scmClient,
    OMMetadataManager metadataManager, OzoneConfiguration conf, String omId,
    OzoneBlockTokenSecretManager secretManager,
    KeyProviderCryptoExtension kmsProvider, PrefixManager prefixManager) {
  // Collaborators first; these are plain assignments.
  this.ozoneManager = om;
  this.omId = omId;
  this.scmClient = scmClient;
  this.metadataManager = metadataManager;
  this.prefixManager = prefixManager;
  this.secretManager = secretManager;
  this.kmsProvider = kmsProvider;

  // Tunables, each with its documented default.
  this.scmBlockSize = (long) conf.getStorageSize(OZONE_SCM_BLOCK_SIZE,
      OZONE_SCM_BLOCK_SIZE_DEFAULT, StorageUnit.BYTES);
  this.useRatis = conf.getBoolean(DFS_CONTAINER_RATIS_ENABLED_KEY,
      DFS_CONTAINER_RATIS_ENABLED_DEFAULT);
  this.preallocateBlocksMax = conf.getInt(OZONE_KEY_PREALLOCATION_BLOCKS_MAX,
      OZONE_KEY_PREALLOCATION_BLOCKS_MAX_DEFAULT);
  // Block tokens gate datanode access; when disabled, reads/writes are not
  // token-authenticated — a deliberate deployment choice, not a default here.
  this.grpcBlockTokenEnabled = conf.getBoolean(HDDS_BLOCK_TOKEN_ENABLED,
      HDDS_BLOCK_TOKEN_ENABLED_DEFAULT);
  this.listTrashKeysMax = conf.getInt(OZONE_CLIENT_LIST_TRASH_KEYS_MAX,
      OZONE_CLIENT_LIST_TRASH_KEYS_MAX_DEFAULT);
}
Example #20
Source File: TestBucketManagerImpl.java From hadoop-ozone with Apache License 2.0 | 5 votes |
/**
 * Creating an encrypted bucket must persist it and round-trip the bucket
 * encryption key name; the KMS is mocked to report an AES/CTR key "key1".
 *
 * @throws Exception on test failure
 */
@Test
public void testCreateBucket() throws Exception {
  final String volume = "sampleVol";
  final String bucket = "bucketOne";
  final String bekName = "key1";
  final String cipher = "AES/CTR/NoPadding";

  final OmMetadataManagerImpl metaMgr = createSampleVol();

  // Stub the KMS so the key "exists" with the expected cipher.
  final KeyProviderCryptoExtension kmsProvider =
      Mockito.mock(KeyProviderCryptoExtension.class);
  final KeyProvider.Metadata metadata =
      Mockito.mock(KeyProvider.Metadata.class);
  Mockito.when(kmsProvider.getMetadata(bekName)).thenReturn(metadata);
  Mockito.when(metadata.getCipher()).thenReturn(cipher);

  final BucketManager bucketManager =
      new BucketManagerImpl(metaMgr, kmsProvider);
  final OmBucketInfo requested = OmBucketInfo.newBuilder()
      .setVolumeName(volume)
      .setBucketName(bucket)
      .setBucketEncryptionKey(
          new BucketEncryptionKeyInfo.Builder().setKeyName(bekName).build())
      .build();
  bucketManager.createBucket(requested);

  Assert.assertNotNull(bucketManager.getBucketInfo(volume, bucket));
  final OmBucketInfo stored = bucketManager.getBucketInfo(volume, bucket);
  Assert.assertEquals(requested.getEncryptionKeyInfo().getKeyName(),
      stored.getEncryptionKeyInfo().getKeyName());
  metaMgr.getStore().close();
}
Example #21
Source File: OzoneManager.java From hadoop-ozone with Apache License 2.0 | 5 votes |
/**
 * Builds the OM's KMS crypto extension from the provider named by
 * {@code keyProviderUriKeyName} in the configuration.
 *
 * @param conf Ozone configuration
 * @return the crypto extension, or {@code null} when no provider is set
 * @throws IOException if the configured provider cannot be created
 */
private KeyProviderCryptoExtension createKeyProviderExt(
    OzoneConfiguration conf) throws IOException {
  final KeyProvider base =
      KMSUtil.createKeyProvider(conf, keyProviderUriKeyName);
  // Absent provider is reported as null so encryption can be optional.
  return base == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(base);
}
Example #22
Source File: KMSWebApp.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Returns the web app's shared KMS crypto-extension provider.
 *
 * @return the provider held in the static {@code keyProviderCryptoExtension}
 *         field (null if the web app has not initialised it yet)
 */
public static KeyProviderCryptoExtension getKeyProvider() {
  final KeyProviderCryptoExtension current = keyProviderCryptoExtension;
  return current;
}
Example #23
Source File: TestKeyAuthorizationKeyProvider.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Decrypting an EEK whose key name does not match the key the version belongs
 * to must be rejected with {@link IllegalArgumentException}, even for a user
 * holding every ACL on the key.
 *
 * @throws Exception expected to be {@link IllegalArgumentException}
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");

  // ACLs exist for every op on "testKey"; each user gets one op, sudo all.
  final KeyACLs acls = mock(KeyACLs.class);
  when(acls.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options options = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      options.setAttributes(attrs);

      // Fresh CSPRNG material for the key and for a rolled version.
      byte[] material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      final KeyVersion created = kpExt.createKey("foo", material, options);
      kpExt.rollNewVersion(created.getName());
      material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      kpExt.rollNewVersion(created.getName(), material);

      // Re-label the EEK with a different key name ("...x"): the version
      // name still points at the real key, so decryption must refuse it.
      EncryptedKeyVersion eek = kpExt.generateEncryptedKey(created.getName());
      eek = EncryptedKeyVersion.createForDecryption(
          eek.getEncryptionKeyName() + "x",
          eek.getEncryptionKeyVersionName(),
          eek.getEncryptedKeyIv(),
          eek.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(eek);
      return null;
    }
  });
}
Example #24
Source File: KeyManagerImpl.java From hadoop-ozone with Apache License 2.0 | 4 votes |
/**
 * Exposes the KMS provider this key manager was constructed with.
 *
 * @return the provider, possibly {@code null} when encryption is not set up
 */
KeyProviderCryptoExtension getKMSProvider() {
  final KeyProviderCryptoExtension provider = this.kmsProvider;
  return provider;
}
Example #25
Source File: KMS.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Re-encrypts the EEK assembled from the enclosing request fields
 * ({@code keyName}, {@code versionName}, {@code iv}, {@code encMaterial})
 * under the provider's current key version. The surrounding anonymous
 * {@code PrivilegedExceptionAction} is outside this listing.
 *
 * @return the re-wrapped key version
 * @throws Exception propagated from the provider
 */
@Override
public EncryptedKeyVersion run() throws Exception {
  // Only wrapped material is handled here; the version label is fixed to EEK.
  final KMSClientProvider.KMSEncryptedKeyVersion current =
      new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv,
          KeyProviderCryptoExtension.EEK, encMaterial);
  return provider.reencryptEncryptedKey(current);
}
Example #26
Source File: KMSWebApp.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Accessor for the web app's statically held KMS crypto-extension provider.
 *
 * @return the provider, or {@code null} before the web app initialises it
 */
public static KeyProviderCryptoExtension getKeyProvider() {
  final KeyProviderCryptoExtension held = keyProviderCryptoExtension;
  return held;
}
Example #27
Source File: TestKeyAuthorizationKeyProvider.java From big-c with Apache License 2.0 | 4 votes |
/**
 * An EEK whose key name has been altered (but whose key-version name still
 * names the real key) must be rejected with {@link IllegalArgumentException},
 * even when the caller holds every ACL on the key.
 *
 * @throws Exception the expected {@link IllegalArgumentException}
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");

  // Every op has an ACL on "testKey"; one op per user, all ops for sudo.
  final KeyACLs acls = mock(KeyACLs.class);
  when(acls.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options options = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      options.setAttributes(attrs);

      // SecureRandom.getSeed draws from the seed generator; kept as-is since
      // the test depends on it, though it can block on entropy-starved hosts.
      final KeyVersion created =
          kpExt.createKey("foo", SecureRandom.getSeed(16), options);
      kpExt.rollNewVersion(created.getName());
      kpExt.rollNewVersion(created.getName(), SecureRandom.getSeed(16));

      // Mislabel the key name ("...x") while keeping the real version name.
      EncryptedKeyVersion eek = kpExt.generateEncryptedKey(created.getName());
      eek = EncryptedKeyVersion.createForDecryption(
          eek.getEncryptionKeyName() + "x",
          eek.getEncryptionKeyVersionName(),
          eek.getEncryptedKeyIv(),
          eek.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(eek);
      return null;
    }
  });
}
Example #28
Source File: BucketManagerImpl.java From hadoop-ozone with Apache License 2.0 | 4 votes |
/**
 * Convenience constructor: Ratis disabled.
 *
 * @param metadataManager OM metadata store
 * @param kmsProvider     KMS provider used for encrypted buckets (may be null)
 */
public BucketManagerImpl(OMMetadataManager metadataManager,
    KeyProviderCryptoExtension kmsProvider) {
  // Delegates with isRatisEnabled = false.
  this(metadataManager, kmsProvider, false);
}
Example #29
Source File: BucketManagerImpl.java From hadoop-ozone with Apache License 2.0 | 4 votes |
/**
 * Primary constructor.
 *
 * @param metadataManager OM metadata store
 * @param kmsProvider     KMS provider for bucket encryption (may be null)
 * @param isRatisEnabled  accepted for API compatibility; not stored or read
 *                        by this constructor
 */
public BucketManagerImpl(OMMetadataManager metadataManager,
    KeyProviderCryptoExtension kmsProvider, boolean isRatisEnabled) {
  this.kmsProvider = kmsProvider;
  this.metadataManager = metadataManager;
}
Example #30
Source File: KMS.java From big-c with Apache License 2.0 | 4 votes |
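/**
 * REST handler for {@code POST /key/{versionName}/_eek?eek_op=decrypt}:
 * unwraps a client-supplied EEK after checking the caller's DECRYPT_EEK
 * access on the named key.
 *
 * <p>The JSON body is untrusted input; the key name, IV and material fields
 * are validated before they are used. The ACL check runs before any base64
 * decoding or provider work so unauthorized callers cost nothing beyond the
 * audit entry.
 *
 * @param versionName path parameter: the encryption key version to use
 * @param eekOp       query parameter selecting the operation (decrypt only)
 * @param jsonPayload request body with name, iv and material fields
 * @return 200 with the plaintext key version as JSON
 * @throws Exception authorization failures, IllegalArgumentException for
 *                   malformed input, or provider errors
 */
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/"
    + KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response decryptEncryptedKey(
    @PathParam("versionName") final String versionName,
    @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
    Map jsonPayload)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSClientProvider.checkNotNull(eekOp, "eekOp");
  final String keyName = (String) jsonPayload.get(
      KMSRESTConstants.NAME_FIELD);
  String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
  String encMaterialStr =
      (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
  Object retJSON;
  if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
    // The key name selects the per-key ACL; reject a missing one explicitly
    // instead of passing null into the authorization check. Added check.
    KMSClientProvider.checkNotNull(keyName, KMSRESTConstants.NAME_FIELD);
    // Authorization before any decoding or provider work.
    assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
    KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivStr);
    KMSClientProvider.checkNotNull(encMaterialStr,
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
    // Run the unwrap as the authenticated user so provider-side checks and
    // auditing attribute it correctly.
    KeyProvider.KeyVersion retKeyVersion = user.doAs(
        new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            return provider.decryptEncryptedKey(
                new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
                    versionName, iv, KeyProviderCryptoExtension.EEK,
                    encMaterial));
          }
        });
    retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
    kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
  } else {
    // NOTE: the message also names EEK_GENERATE, but this resource only
    // serves decrypt; message kept verbatim for client compatibility.
    throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP
        + " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or "
        + KMSRESTConstants.EEK_DECRYPT);
  }
  KMSWebApp.getDecryptEEKCallsMeter().mark();
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
      .build();
}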