src/java/org/apache/cassandra/security/EncryptionContext.java - cassandra - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.cassandra.security;

 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import javax.crypto.Cipher;

 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Objects;

 import org.apache.cassandra.config.TransparentDataEncryptionOptions;
 import org.apache.cassandra.exceptions.ConfigurationException;
 import org.apache.cassandra.io.compress.ICompressor;
 import org.apache.cassandra.io.compress.LZ4Compressor;
 import org.apache.cassandra.utils.Hex;

 /**
  * A (largely) immutable wrapper for the application-wide file-level encryption settings.
  */
 public class EncryptionContext
 {
     public static final String ENCRYPTION_CIPHER = "encCipher";
     public static final String ENCRYPTION_KEY_ALIAS = "encKeyAlias";
     public static final String ENCRYPTION_IV = "encIV";

     private final TransparentDataEncryptionOptions tdeOptions;
     private final ICompressor compressor;
     private final CipherFactory cipherFactory;

     private final byte[] iv;
     private final int chunkLength;

     public EncryptionContext()
     {
         this(new TransparentDataEncryptionOptions());
     }

     public EncryptionContext(TransparentDataEncryptionOptions tdeOptions)
     {
         this(tdeOptions, null, true);
     }

     @VisibleForTesting
     public EncryptionContext(TransparentDataEncryptionOptions tdeOptions, byte[] iv, boolean init)
     {
         this.tdeOptions = tdeOptions;
         compressor = LZ4Compressor.create(Collections.<String, String>emptyMap());
         chunkLength = tdeOptions.chunk_length_kb * 1024;
         this.iv = iv;

         // always attempt to load the cipher factory, as we could be in the situation where the user has disabled encryption,
         // but has existing commitlogs and sstables on disk that are still encrypted (and still need to be read)
         CipherFactory factory = null;

         if (tdeOptions.enabled && init)
         {
             try
             {
                 factory = new CipherFactory(tdeOptions);
             }
             catch (Exception e)
             {
                 throw new ConfigurationException("failed to load key provider for transparent data encryption", e);
             }
         }

         cipherFactory = factory;
     }

     public ICompressor getCompressor()
     {
         return compressor;
     }

     public Cipher getEncryptor() throws IOException
     {
         return cipherFactory.getEncryptor(tdeOptions.cipher, tdeOptions.key_alias);
     }

     public Cipher getDecryptor() throws IOException
     {
         if (iv == null || iv.length == 0)
             throw new IllegalStateException("no initialization vector (IV) found in this context");
         return cipherFactory.getDecryptor(tdeOptions.cipher, tdeOptions.key_alias, iv);
     }

     public boolean isEnabled()
     {
         return tdeOptions.enabled;
     }

     public int getChunkLength()
     {
         return chunkLength;
     }

     public byte[] getIV()
     {
         return iv;
     }

     public TransparentDataEncryptionOptions getTransparentDataEncryptionOptions()
     {
         return tdeOptions;
     }

     public boolean equals(Object o)
     {
         return o instanceof EncryptionContext && equals((EncryptionContext) o);
     }

     public boolean equals(EncryptionContext other)
     {
         return Objects.equal(tdeOptions, other.tdeOptions)
                && Objects.equal(compressor, other.compressor)
                && Arrays.equals(iv, other.iv);
     }

     public Map<String, String> toHeaderParameters()
     {
         Map<String, String> map = new HashMap<>(3);
         // add compression options, someday ...
         if (tdeOptions.enabled)
         {
             map.put(ENCRYPTION_CIPHER, tdeOptions.cipher);
             map.put(ENCRYPTION_KEY_ALIAS, tdeOptions.key_alias);

             if (iv != null && iv.length > 0)
                 map.put(ENCRYPTION_IV, Hex.bytesToHex(iv));
         }
         return map;
     }

     /**
      * If encryption headers are found in the {@code parameters},
      * those headers are merged with the application-wide {@code encryptionContext}.
      */
     public static EncryptionContext createFromMap(Map<?, ?> parameters, EncryptionContext encryptionContext)
     {
         if (parameters == null || parameters.isEmpty())
             return new EncryptionContext(new TransparentDataEncryptionOptions(false));

         String keyAlias = (String)parameters.get(ENCRYPTION_KEY_ALIAS);
         String cipher = (String)parameters.get(ENCRYPTION_CIPHER);
         String ivString = (String)parameters.get(ENCRYPTION_IV);
         if (keyAlias == null || cipher == null)
             return new EncryptionContext(new TransparentDataEncryptionOptions(false));

         TransparentDataEncryptionOptions tdeOptions = new TransparentDataEncryptionOptions(cipher, keyAlias, encryptionContext.getTransparentDataEncryptionOptions().key_provider);
         byte[] iv = ivString != null ? Hex.hexToBytes(ivString) : null;
         return new EncryptionContext(tdeOptions, iv, true);
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.cassandra.security;

	import java.io.IOException;
	import java.util.Arrays;
	import java.util.Collections;
	import java.util.HashMap;
	import java.util.Map;
	import javax.crypto.Cipher;

	import com.google.common.annotations.VisibleForTesting;
	import com.google.common.base.Objects;

	import org.apache.cassandra.config.TransparentDataEncryptionOptions;
	import org.apache.cassandra.exceptions.ConfigurationException;
	import org.apache.cassandra.io.compress.ICompressor;
	import org.apache.cassandra.io.compress.LZ4Compressor;
	import org.apache.cassandra.utils.Hex;

	/**
	* A (largely) immutable wrapper for the application-wide file-level encryption settings.
	*/
	public class EncryptionContext
	{
	public static final String ENCRYPTION_CIPHER = "encCipher";
	public static final String ENCRYPTION_KEY_ALIAS = "encKeyAlias";
	public static final String ENCRYPTION_IV = "encIV";

	private final TransparentDataEncryptionOptions tdeOptions;
	private final ICompressor compressor;
	private final CipherFactory cipherFactory;

	private final byte[] iv;
	private final int chunkLength;

	public EncryptionContext()
	{
	this(new TransparentDataEncryptionOptions());
	}

	public EncryptionContext(TransparentDataEncryptionOptions tdeOptions)
	{
	this(tdeOptions, null, true);
	}

	@VisibleForTesting
	public EncryptionContext(TransparentDataEncryptionOptions tdeOptions, byte[] iv, boolean init)
	{
	this.tdeOptions = tdeOptions;
	compressor = LZ4Compressor.create(Collections.<String, String>emptyMap());
	chunkLength = tdeOptions.chunk_length_kb * 1024;
	this.iv = iv;

	// always attempt to load the cipher factory, as we could be in the situation where the user has disabled encryption,
	// but has existing commitlogs and sstables on disk that are still encrypted (and still need to be read)
	CipherFactory factory = null;

	if (tdeOptions.enabled && init)
	{
	try
	{
	factory = new CipherFactory(tdeOptions);
	}
	catch (Exception e)
	{
	throw new ConfigurationException("failed to load key provider for transparent data encryption", e);
	}
	}

	cipherFactory = factory;
	}

	public ICompressor getCompressor()
	{
	return compressor;
	}

	public Cipher getEncryptor() throws IOException
	{
	return cipherFactory.getEncryptor(tdeOptions.cipher, tdeOptions.key_alias);
	}

	public Cipher getDecryptor() throws IOException
	{
	if (iv == null \|\| iv.length == 0)
	throw new IllegalStateException("no initialization vector (IV) found in this context");
	return cipherFactory.getDecryptor(tdeOptions.cipher, tdeOptions.key_alias, iv);
	}

	public boolean isEnabled()
	{
	return tdeOptions.enabled;
	}

	public int getChunkLength()
	{
	return chunkLength;
	}

	public byte[] getIV()
	{
	return iv;
	}

	public TransparentDataEncryptionOptions getTransparentDataEncryptionOptions()
	{
	return tdeOptions;
	}

	public boolean equals(Object o)
	{
	return o instanceof EncryptionContext && equals((EncryptionContext) o);
	}

	public boolean equals(EncryptionContext other)
	{
	return Objects.equal(tdeOptions, other.tdeOptions)
	&& Objects.equal(compressor, other.compressor)
	&& Arrays.equals(iv, other.iv);
	}

	public Map<String, String> toHeaderParameters()
	{
	Map<String, String> map = new HashMap<>(3);
	// add compression options, someday ...
	if (tdeOptions.enabled)
	{
	map.put(ENCRYPTION_CIPHER, tdeOptions.cipher);
	map.put(ENCRYPTION_KEY_ALIAS, tdeOptions.key_alias);

	if (iv != null && iv.length > 0)
	map.put(ENCRYPTION_IV, Hex.bytesToHex(iv));
	}
	return map;
	}

	/**
	* If encryption headers are found in the {@code parameters},
	* those headers are merged with the application-wide {@code encryptionContext}.
	*/
	public static EncryptionContext createFromMap(Map<?, ?> parameters, EncryptionContext encryptionContext)
	{
	if (parameters == null \|\| parameters.isEmpty())
	return new EncryptionContext(new TransparentDataEncryptionOptions(false));

	String keyAlias = (String)parameters.get(ENCRYPTION_KEY_ALIAS);
	String cipher = (String)parameters.get(ENCRYPTION_CIPHER);
	String ivString = (String)parameters.get(ENCRYPTION_IV);
	if (keyAlias == null \|\| cipher == null)
	return new EncryptionContext(new TransparentDataEncryptionOptions(false));

	TransparentDataEncryptionOptions tdeOptions = new TransparentDataEncryptionOptions(cipher, keyAlias, encryptionContext.getTransparentDataEncryptionOptions().key_provider);
	byte[] iv = ivString != null ? Hex.hexToBytes(ivString) : null;
	return new EncryptionContext(tdeOptions, iv, true);
	}
	}