Google Git
Sign in
apache / hbase-site / 0082cda45f48d1755543336c908ec6d80d4ec0a9 / . / devapidocs / src-html / org / apache / hadoop / hbase / io / asyncfs / FanOutOneBlockAsyncDFSOutputSaslHelper.SaslNegotiateHandler.BuilderPayloadSetter.html
blob: 8ed6441c2d6f531a3058a05fbf8ef4c6b0b6458f [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase.io.asyncfs, class: FanOutOneBlockAsyncDFSOutputSaslHelper, class: SaslNegotiateHandler, class: BuilderPayloadSetter">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.io.asyncfs;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import static org.apache.hadoop.hbase.util.NettyFutureUtils.safeWrite;</span>
<span class="source-line-no">021</span><span id="line-21">import static org.apache.hadoop.hdfs.client.HdfsClientConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY;</span>
<span class="source-line-no">022</span><span id="line-22">import static org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleState.READER_IDLE;</span>
<span class="source-line-no">023</span><span id="line-23"></span>
<span class="source-line-no">024</span><span id="line-24">import java.io.IOException;</span>
<span class="source-line-no">025</span><span id="line-25">import java.lang.reflect.Constructor;</span>
<span class="source-line-no">026</span><span id="line-26">import java.lang.reflect.Field;</span>
<span class="source-line-no">027</span><span id="line-27">import java.lang.reflect.InvocationTargetException;</span>
<span class="source-line-no">028</span><span id="line-28">import java.lang.reflect.Method;</span>
<span class="source-line-no">029</span><span id="line-29">import java.net.InetAddress;</span>
<span class="source-line-no">030</span><span id="line-30">import java.net.InetSocketAddress;</span>
<span class="source-line-no">031</span><span id="line-31">import java.nio.ByteBuffer;</span>
<span class="source-line-no">032</span><span id="line-32">import java.security.GeneralSecurityException;</span>
<span class="source-line-no">033</span><span id="line-33">import java.util.Arrays;</span>
<span class="source-line-no">034</span><span id="line-34">import java.util.Base64;</span>
<span class="source-line-no">035</span><span id="line-35">import java.util.Collections;</span>
<span class="source-line-no">036</span><span id="line-36">import java.util.List;</span>
<span class="source-line-no">037</span><span id="line-37">import java.util.Map;</span>
<span class="source-line-no">038</span><span id="line-38">import java.util.Set;</span>
<span class="source-line-no">039</span><span id="line-39">import java.util.concurrent.TimeUnit;</span>
<span class="source-line-no">040</span><span id="line-40">import java.util.concurrent.atomic.AtomicBoolean;</span>
<span class="source-line-no">041</span><span id="line-41">import javax.security.auth.callback.Callback;</span>
<span class="source-line-no">042</span><span id="line-42">import javax.security.auth.callback.CallbackHandler;</span>
<span class="source-line-no">043</span><span id="line-43">import javax.security.auth.callback.NameCallback;</span>
<span class="source-line-no">044</span><span id="line-44">import javax.security.auth.callback.PasswordCallback;</span>
<span class="source-line-no">045</span><span id="line-45">import javax.security.auth.callback.UnsupportedCallbackException;</span>
<span class="source-line-no">046</span><span id="line-46">import javax.security.sasl.RealmCallback;</span>
<span class="source-line-no">047</span><span id="line-47">import javax.security.sasl.RealmChoiceCallback;</span>
<span class="source-line-no">048</span><span id="line-48">import javax.security.sasl.Sasl;</span>
<span class="source-line-no">049</span><span id="line-49">import javax.security.sasl.SaslClient;</span>
<span class="source-line-no">050</span><span id="line-50">import javax.security.sasl.SaslException;</span>
<span class="source-line-no">051</span><span id="line-51">import org.apache.commons.lang3.StringUtils;</span>
<span class="source-line-no">052</span><span id="line-52">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">053</span><span id="line-53">import org.apache.hadoop.crypto.CipherOption;</span>
<span class="source-line-no">054</span><span id="line-54">import org.apache.hadoop.crypto.CipherSuite;</span>
<span class="source-line-no">055</span><span id="line-55">import org.apache.hadoop.crypto.CryptoCodec;</span>
<span class="source-line-no">056</span><span id="line-56">import org.apache.hadoop.crypto.Decryptor;</span>
<span class="source-line-no">057</span><span id="line-57">import org.apache.hadoop.crypto.Encryptor;</span>
<span class="source-line-no">058</span><span id="line-58">import org.apache.hadoop.crypto.key.KeyProvider;</span>
<span class="source-line-no">059</span><span id="line-59">import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;</span>
<span class="source-line-no">060</span><span id="line-60">import org.apache.hadoop.fs.FileEncryptionInfo;</span>
<span class="source-line-no">061</span><span id="line-61">import org.apache.hadoop.hdfs.DFSClient;</span>
<span class="source-line-no">062</span><span id="line-62">import org.apache.hadoop.hdfs.protocol.DatanodeInfo;</span>
<span class="source-line-no">063</span><span id="line-63">import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;</span>
<span class="source-line-no">064</span><span id="line-64">import org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException;</span>
<span class="source-line-no">065</span><span id="line-65">import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;</span>
<span class="source-line-no">066</span><span id="line-66">import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;</span>
<span class="source-line-no">067</span><span id="line-67">import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto;</span>
<span class="source-line-no">068</span><span id="line-68">import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus;</span>
<span class="source-line-no">069</span><span id="line-69">import org.apache.hadoop.hdfs.protocolPB.PBHelperClient;</span>
<span class="source-line-no">070</span><span id="line-70">import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;</span>
<span class="source-line-no">071</span><span id="line-71">import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;</span>
<span class="source-line-no">072</span><span id="line-72">import org.apache.hadoop.security.SaslPropertiesResolver;</span>
<span class="source-line-no">073</span><span id="line-73">import org.apache.hadoop.security.SaslRpcServer.QualityOfProtection;</span>
<span class="source-line-no">074</span><span id="line-74">import org.apache.hadoop.security.UserGroupInformation;</span>
<span class="source-line-no">075</span><span id="line-75">import org.apache.hadoop.security.token.Token;</span>
<span class="source-line-no">076</span><span id="line-76">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">077</span><span id="line-77">import org.slf4j.Logger;</span>
<span class="source-line-no">078</span><span id="line-78">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">079</span><span id="line-79"></span>
<span class="source-line-no">080</span><span id="line-80">import org.apache.hbase.thirdparty.com.google.common.base.Throwables;</span>
<span class="source-line-no">081</span><span id="line-81">import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;</span>
<span class="source-line-no">082</span><span id="line-82">import org.apache.hbase.thirdparty.com.google.common.collect.Maps;</span>
<span class="source-line-no">083</span><span id="line-83">import org.apache.hbase.thirdparty.com.google.protobuf.CodedOutputStream;</span>
<span class="source-line-no">084</span><span id="line-84">import org.apache.hbase.thirdparty.io.netty.buffer.ByteBuf;</span>
<span class="source-line-no">085</span><span id="line-85">import org.apache.hbase.thirdparty.io.netty.buffer.ByteBufOutputStream;</span>
<span class="source-line-no">086</span><span id="line-86">import org.apache.hbase.thirdparty.io.netty.buffer.CompositeByteBuf;</span>
<span class="source-line-no">087</span><span id="line-87">import org.apache.hbase.thirdparty.io.netty.buffer.Unpooled;</span>
<span class="source-line-no">088</span><span id="line-88">import org.apache.hbase.thirdparty.io.netty.channel.Channel;</span>
<span class="source-line-no">089</span><span id="line-89">import org.apache.hbase.thirdparty.io.netty.channel.ChannelDuplexHandler;</span>
<span class="source-line-no">090</span><span id="line-90">import org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerContext;</span>
<span class="source-line-no">091</span><span id="line-91">import org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandlerAdapter;</span>
<span class="source-line-no">092</span><span id="line-92">import org.apache.hbase.thirdparty.io.netty.channel.ChannelPipeline;</span>
<span class="source-line-no">093</span><span id="line-93">import org.apache.hbase.thirdparty.io.netty.channel.ChannelPromise;</span>
<span class="source-line-no">094</span><span id="line-94">import org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler;</span>
<span class="source-line-no">095</span><span id="line-95">import org.apache.hbase.thirdparty.io.netty.handler.codec.LengthFieldBasedFrameDecoder;</span>
<span class="source-line-no">096</span><span id="line-96">import org.apache.hbase.thirdparty.io.netty.handler.codec.MessageToByteEncoder;</span>
<span class="source-line-no">097</span><span id="line-97">import org.apache.hbase.thirdparty.io.netty.handler.codec.protobuf.ProtobufVarint32FrameDecoder;</span>
<span class="source-line-no">098</span><span id="line-98">import org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleStateEvent;</span>
<span class="source-line-no">099</span><span id="line-99">import org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleStateHandler;</span>
<span class="source-line-no">100</span><span id="line-100">import org.apache.hbase.thirdparty.io.netty.util.concurrent.Promise;</span>
<span class="source-line-no">101</span><span id="line-101"></span>
<span class="source-line-no">102</span><span id="line-102">/**</span>
<span class="source-line-no">103</span><span id="line-103"> * Helper class for adding sasl support for {@link FanOutOneBlockAsyncDFSOutput}.</span>
<span class="source-line-no">104</span><span id="line-104"> */</span>
<span class="source-line-no">105</span><span id="line-105">@InterfaceAudience.Private</span>
<span class="source-line-no">106</span><span id="line-106">public final class FanOutOneBlockAsyncDFSOutputSaslHelper {</span>
<span class="source-line-no">107</span><span id="line-107"> private static final Logger LOG =</span>
<span class="source-line-no">108</span><span id="line-108"> LoggerFactory.getLogger(FanOutOneBlockAsyncDFSOutputSaslHelper.class);</span>
<span class="source-line-no">109</span><span id="line-109"></span>
<span class="source-line-no">110</span><span id="line-110"> private FanOutOneBlockAsyncDFSOutputSaslHelper() {</span>
<span class="source-line-no">111</span><span id="line-111"> }</span>
<span class="source-line-no">112</span><span id="line-112"></span>
<span class="source-line-no">113</span><span id="line-113"> private static final String SERVER_NAME = "0";</span>
<span class="source-line-no">114</span><span id="line-114"> private static final String PROTOCOL = "hdfs";</span>
<span class="source-line-no">115</span><span id="line-115"> private static final String MECHANISM = "DIGEST-MD5";</span>
<span class="source-line-no">116</span><span id="line-116"> private static final int SASL_TRANSFER_MAGIC_NUMBER = 0xDEADBEEF;</span>
<span class="source-line-no">117</span><span id="line-117"> private static final String NAME_DELIMITER = " ";</span>
<span class="source-line-no">118</span><span id="line-118"></span>
<span class="source-line-no">119</span><span id="line-119"> private interface SaslAdaptor {</span>
<span class="source-line-no">120</span><span id="line-120"></span>
<span class="source-line-no">121</span><span id="line-121"> TrustedChannelResolver getTrustedChannelResolver(SaslDataTransferClient saslClient);</span>
<span class="source-line-no">122</span><span id="line-122"></span>
<span class="source-line-no">123</span><span id="line-123"> SaslPropertiesResolver getSaslPropsResolver(SaslDataTransferClient saslClient);</span>
<span class="source-line-no">124</span><span id="line-124"></span>
<span class="source-line-no">125</span><span id="line-125"> AtomicBoolean getFallbackToSimpleAuth(SaslDataTransferClient saslClient);</span>
<span class="source-line-no">126</span><span id="line-126"> }</span>
<span class="source-line-no">127</span><span id="line-127"></span>
<span class="source-line-no">128</span><span id="line-128"> private static final SaslAdaptor SASL_ADAPTOR;</span>
<span class="source-line-no">129</span><span id="line-129"></span>
<span class="source-line-no">130</span><span id="line-130"> private interface TransparentCryptoHelper {</span>
<span class="source-line-no">131</span><span id="line-131"></span>
<span class="source-line-no">132</span><span id="line-132"> Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo, DFSClient client)</span>
<span class="source-line-no">133</span><span id="line-133"> throws IOException;</span>
<span class="source-line-no">134</span><span id="line-134"> }</span>
<span class="source-line-no">135</span><span id="line-135"></span>
<span class="source-line-no">136</span><span id="line-136"> private static final TransparentCryptoHelper TRANSPARENT_CRYPTO_HELPER;</span>
<span class="source-line-no">137</span><span id="line-137"></span>
<span class="source-line-no">138</span><span id="line-138"> private static SaslAdaptor createSaslAdaptor()</span>
<span class="source-line-no">139</span><span id="line-139"> throws NoSuchFieldException, NoSuchMethodException {</span>
<span class="source-line-no">140</span><span id="line-140"> Field saslPropsResolverField =</span>
<span class="source-line-no">141</span><span id="line-141"> SaslDataTransferClient.class.getDeclaredField("saslPropsResolver");</span>
<span class="source-line-no">142</span><span id="line-142"> saslPropsResolverField.setAccessible(true);</span>
<span class="source-line-no">143</span><span id="line-143"> Field trustedChannelResolverField =</span>
<span class="source-line-no">144</span><span id="line-144"> SaslDataTransferClient.class.getDeclaredField("trustedChannelResolver");</span>
<span class="source-line-no">145</span><span id="line-145"> trustedChannelResolverField.setAccessible(true);</span>
<span class="source-line-no">146</span><span id="line-146"> Field fallbackToSimpleAuthField =</span>
<span class="source-line-no">147</span><span id="line-147"> SaslDataTransferClient.class.getDeclaredField("fallbackToSimpleAuth");</span>
<span class="source-line-no">148</span><span id="line-148"> fallbackToSimpleAuthField.setAccessible(true);</span>
<span class="source-line-no">149</span><span id="line-149"> return new SaslAdaptor() {</span>
<span class="source-line-no">150</span><span id="line-150"></span>
<span class="source-line-no">151</span><span id="line-151"> @Override</span>
<span class="source-line-no">152</span><span id="line-152"> public TrustedChannelResolver getTrustedChannelResolver(SaslDataTransferClient saslClient) {</span>
<span class="source-line-no">153</span><span id="line-153"> try {</span>
<span class="source-line-no">154</span><span id="line-154"> return (TrustedChannelResolver) trustedChannelResolverField.get(saslClient);</span>
<span class="source-line-no">155</span><span id="line-155"> } catch (IllegalAccessException e) {</span>
<span class="source-line-no">156</span><span id="line-156"> throw new RuntimeException(e);</span>
<span class="source-line-no">157</span><span id="line-157"> }</span>
<span class="source-line-no">158</span><span id="line-158"> }</span>
<span class="source-line-no">159</span><span id="line-159"></span>
<span class="source-line-no">160</span><span id="line-160"> @Override</span>
<span class="source-line-no">161</span><span id="line-161"> public SaslPropertiesResolver getSaslPropsResolver(SaslDataTransferClient saslClient) {</span>
<span class="source-line-no">162</span><span id="line-162"> try {</span>
<span class="source-line-no">163</span><span id="line-163"> return (SaslPropertiesResolver) saslPropsResolverField.get(saslClient);</span>
<span class="source-line-no">164</span><span id="line-164"> } catch (IllegalAccessException e) {</span>
<span class="source-line-no">165</span><span id="line-165"> throw new RuntimeException(e);</span>
<span class="source-line-no">166</span><span id="line-166"> }</span>
<span class="source-line-no">167</span><span id="line-167"> }</span>
<span class="source-line-no">168</span><span id="line-168"></span>
<span class="source-line-no">169</span><span id="line-169"> @Override</span>
<span class="source-line-no">170</span><span id="line-170"> public AtomicBoolean getFallbackToSimpleAuth(SaslDataTransferClient saslClient) {</span>
<span class="source-line-no">171</span><span id="line-171"> try {</span>
<span class="source-line-no">172</span><span id="line-172"> return (AtomicBoolean) fallbackToSimpleAuthField.get(saslClient);</span>
<span class="source-line-no">173</span><span id="line-173"> } catch (IllegalAccessException e) {</span>
<span class="source-line-no">174</span><span id="line-174"> throw new RuntimeException(e);</span>
<span class="source-line-no">175</span><span id="line-175"> }</span>
<span class="source-line-no">176</span><span id="line-176"> }</span>
<span class="source-line-no">177</span><span id="line-177"> };</span>
<span class="source-line-no">178</span><span id="line-178"> }</span>
<span class="source-line-no">179</span><span id="line-179"></span>
<span class="source-line-no">180</span><span id="line-180"> private static TransparentCryptoHelper createTransparentCryptoHelperWithoutHDFS12396()</span>
<span class="source-line-no">181</span><span id="line-181"> throws NoSuchMethodException {</span>
<span class="source-line-no">182</span><span id="line-182"> Method decryptEncryptedDataEncryptionKeyMethod = DFSClient.class</span>
<span class="source-line-no">183</span><span id="line-183"> .getDeclaredMethod("decryptEncryptedDataEncryptionKey", FileEncryptionInfo.class);</span>
<span class="source-line-no">184</span><span id="line-184"> decryptEncryptedDataEncryptionKeyMethod.setAccessible(true);</span>
<span class="source-line-no">185</span><span id="line-185"> return new TransparentCryptoHelper() {</span>
<span class="source-line-no">186</span><span id="line-186"></span>
<span class="source-line-no">187</span><span id="line-187"> @Override</span>
<span class="source-line-no">188</span><span id="line-188"> public Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo,</span>
<span class="source-line-no">189</span><span id="line-189"> DFSClient client) throws IOException {</span>
<span class="source-line-no">190</span><span id="line-190"> try {</span>
<span class="source-line-no">191</span><span id="line-191"> KeyVersion decryptedKey =</span>
<span class="source-line-no">192</span><span id="line-192"> (KeyVersion) decryptEncryptedDataEncryptionKeyMethod.invoke(client, feInfo);</span>
<span class="source-line-no">193</span><span id="line-193"> CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf, feInfo.getCipherSuite());</span>
<span class="source-line-no">194</span><span id="line-194"> Encryptor encryptor = cryptoCodec.createEncryptor();</span>
<span class="source-line-no">195</span><span id="line-195"> encryptor.init(decryptedKey.getMaterial(), feInfo.getIV());</span>
<span class="source-line-no">196</span><span id="line-196"> return encryptor;</span>
<span class="source-line-no">197</span><span id="line-197"> } catch (InvocationTargetException e) {</span>
<span class="source-line-no">198</span><span id="line-198"> Throwables.propagateIfPossible(e.getTargetException(), IOException.class);</span>
<span class="source-line-no">199</span><span id="line-199"> throw new RuntimeException(e.getTargetException());</span>
<span class="source-line-no">200</span><span id="line-200"> } catch (GeneralSecurityException e) {</span>
<span class="source-line-no">201</span><span id="line-201"> throw new IOException(e);</span>
<span class="source-line-no">202</span><span id="line-202"> } catch (IllegalAccessException e) {</span>
<span class="source-line-no">203</span><span id="line-203"> throw new RuntimeException(e);</span>
<span class="source-line-no">204</span><span id="line-204"> }</span>
<span class="source-line-no">205</span><span id="line-205"> }</span>
<span class="source-line-no">206</span><span id="line-206"> };</span>
<span class="source-line-no">207</span><span id="line-207"> }</span>
<span class="source-line-no">208</span><span id="line-208"></span>
<span class="source-line-no">209</span><span id="line-209"> private static TransparentCryptoHelper createTransparentCryptoHelperWithHDFS12396()</span>
<span class="source-line-no">210</span><span id="line-210"> throws ClassNotFoundException, NoSuchMethodException {</span>
<span class="source-line-no">211</span><span id="line-211"> Class&lt;?&gt; hdfsKMSUtilCls = Class.forName("org.apache.hadoop.hdfs.HdfsKMSUtil");</span>
<span class="source-line-no">212</span><span id="line-212"> Method decryptEncryptedDataEncryptionKeyMethod = hdfsKMSUtilCls.getDeclaredMethod(</span>
<span class="source-line-no">213</span><span id="line-213"> "decryptEncryptedDataEncryptionKey", FileEncryptionInfo.class, KeyProvider.class);</span>
<span class="source-line-no">214</span><span id="line-214"> decryptEncryptedDataEncryptionKeyMethod.setAccessible(true);</span>
<span class="source-line-no">215</span><span id="line-215"> return new TransparentCryptoHelper() {</span>
<span class="source-line-no">216</span><span id="line-216"></span>
<span class="source-line-no">217</span><span id="line-217"> @Override</span>
<span class="source-line-no">218</span><span id="line-218"> public Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo,</span>
<span class="source-line-no">219</span><span id="line-219"> DFSClient client) throws IOException {</span>
<span class="source-line-no">220</span><span id="line-220"> try {</span>
<span class="source-line-no">221</span><span id="line-221"> KeyVersion decryptedKey = (KeyVersion) decryptEncryptedDataEncryptionKeyMethod</span>
<span class="source-line-no">222</span><span id="line-222"> .invoke(null, feInfo, client.getKeyProvider());</span>
<span class="source-line-no">223</span><span id="line-223"> CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf, feInfo.getCipherSuite());</span>
<span class="source-line-no">224</span><span id="line-224"> Encryptor encryptor = cryptoCodec.createEncryptor();</span>
<span class="source-line-no">225</span><span id="line-225"> encryptor.init(decryptedKey.getMaterial(), feInfo.getIV());</span>
<span class="source-line-no">226</span><span id="line-226"> return encryptor;</span>
<span class="source-line-no">227</span><span id="line-227"> } catch (InvocationTargetException e) {</span>
<span class="source-line-no">228</span><span id="line-228"> Throwables.propagateIfPossible(e.getTargetException(), IOException.class);</span>
<span class="source-line-no">229</span><span id="line-229"> throw new RuntimeException(e.getTargetException());</span>
<span class="source-line-no">230</span><span id="line-230"> } catch (GeneralSecurityException e) {</span>
<span class="source-line-no">231</span><span id="line-231"> throw new IOException(e);</span>
<span class="source-line-no">232</span><span id="line-232"> } catch (IllegalAccessException e) {</span>
<span class="source-line-no">233</span><span id="line-233"> throw new RuntimeException(e);</span>
<span class="source-line-no">234</span><span id="line-234"> }</span>
<span class="source-line-no">235</span><span id="line-235"> }</span>
<span class="source-line-no">236</span><span id="line-236"> };</span>
<span class="source-line-no">237</span><span id="line-237"> }</span>
<span class="source-line-no">238</span><span id="line-238"></span>
<span class="source-line-no">239</span><span id="line-239"> private static TransparentCryptoHelper createTransparentCryptoHelper()</span>
<span class="source-line-no">240</span><span id="line-240"> throws NoSuchMethodException, ClassNotFoundException {</span>
<span class="source-line-no">241</span><span id="line-241"> try {</span>
<span class="source-line-no">242</span><span id="line-242"> return createTransparentCryptoHelperWithoutHDFS12396();</span>
<span class="source-line-no">243</span><span id="line-243"> } catch (NoSuchMethodException e) {</span>
<span class="source-line-no">244</span><span id="line-244"> LOG.debug("No decryptEncryptedDataEncryptionKey method in DFSClient,"</span>
<span class="source-line-no">245</span><span id="line-245"> + " should be hadoop version with HDFS-12396", e);</span>
<span class="source-line-no">246</span><span id="line-246"> }</span>
<span class="source-line-no">247</span><span id="line-247"> return createTransparentCryptoHelperWithHDFS12396();</span>
<span class="source-line-no">248</span><span id="line-248"> }</span>
<span class="source-line-no">249</span><span id="line-249"></span>
<span class="source-line-no">250</span><span id="line-250"> static {</span>
<span class="source-line-no">251</span><span id="line-251"> try {</span>
<span class="source-line-no">252</span><span id="line-252"> SASL_ADAPTOR = createSaslAdaptor();</span>
<span class="source-line-no">253</span><span id="line-253"> TRANSPARENT_CRYPTO_HELPER = createTransparentCryptoHelper();</span>
<span class="source-line-no">254</span><span id="line-254"> } catch (Exception e) {</span>
<span class="source-line-no">255</span><span id="line-255"> String msg = "Couldn't properly initialize access to HDFS internals. Please "</span>
<span class="source-line-no">256</span><span id="line-256"> + "update your WAL Provider to not make use of the 'asyncfs' provider. See "</span>
<span class="source-line-no">257</span><span id="line-257"> + "HBASE-16110 for more information.";</span>
<span class="source-line-no">258</span><span id="line-258"> LOG.error(msg, e);</span>
<span class="source-line-no">259</span><span id="line-259"> throw new Error(msg, e);</span>
<span class="source-line-no">260</span><span id="line-260"> }</span>
<span class="source-line-no">261</span><span id="line-261"> }</span>
<span class="source-line-no">262</span><span id="line-262"></span>
<span class="source-line-no">263</span><span id="line-263"> /**</span>
<span class="source-line-no">264</span><span id="line-264"> * Sets user name and password when asked by the client-side SASL object.</span>
<span class="source-line-no">265</span><span id="line-265"> */</span>
<span class="source-line-no">266</span><span id="line-266"> private static final class SaslClientCallbackHandler implements CallbackHandler {</span>
<span class="source-line-no">267</span><span id="line-267"></span>
<span class="source-line-no">268</span><span id="line-268"> private final char[] password;</span>
<span class="source-line-no">269</span><span id="line-269"> private final String userName;</span>
<span class="source-line-no">270</span><span id="line-270"></span>
<span class="source-line-no">271</span><span id="line-271"> /**</span>
<span class="source-line-no">272</span><span id="line-272"> * Creates a new SaslClientCallbackHandler.</span>
<span class="source-line-no">273</span><span id="line-273"> * @param userName SASL user name</span>
<span class="source-line-no">274</span><span id="line-274"> * @param password SASL password</span>
<span class="source-line-no">275</span><span id="line-275"> */</span>
<span class="source-line-no">276</span><span id="line-276"> public SaslClientCallbackHandler(String userName, char[] password) {</span>
<span class="source-line-no">277</span><span id="line-277"> this.password = password;</span>
<span class="source-line-no">278</span><span id="line-278"> this.userName = userName;</span>
<span class="source-line-no">279</span><span id="line-279"> }</span>
<span class="source-line-no">280</span><span id="line-280"></span>
<span class="source-line-no">281</span><span id="line-281"> @Override</span>
<span class="source-line-no">282</span><span id="line-282"> public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {</span>
<span class="source-line-no">283</span><span id="line-283"> NameCallback nc = null;</span>
<span class="source-line-no">284</span><span id="line-284"> PasswordCallback pc = null;</span>
<span class="source-line-no">285</span><span id="line-285"> RealmCallback rc = null;</span>
<span class="source-line-no">286</span><span id="line-286"> for (Callback callback : callbacks) {</span>
<span class="source-line-no">287</span><span id="line-287"> if (callback instanceof RealmChoiceCallback) {</span>
<span class="source-line-no">288</span><span id="line-288"> continue;</span>
<span class="source-line-no">289</span><span id="line-289"> } else if (callback instanceof NameCallback) {</span>
<span class="source-line-no">290</span><span id="line-290"> nc = (NameCallback) callback;</span>
<span class="source-line-no">291</span><span id="line-291"> } else if (callback instanceof PasswordCallback) {</span>
<span class="source-line-no">292</span><span id="line-292"> pc = (PasswordCallback) callback;</span>
<span class="source-line-no">293</span><span id="line-293"> } else if (callback instanceof RealmCallback) {</span>
<span class="source-line-no">294</span><span id="line-294"> rc = (RealmCallback) callback;</span>
<span class="source-line-no">295</span><span id="line-295"> } else {</span>
<span class="source-line-no">296</span><span id="line-296"> throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");</span>
<span class="source-line-no">297</span><span id="line-297"> }</span>
<span class="source-line-no">298</span><span id="line-298"> }</span>
<span class="source-line-no">299</span><span id="line-299"> if (nc != null) {</span>
<span class="source-line-no">300</span><span id="line-300"> nc.setName(userName);</span>
<span class="source-line-no">301</span><span id="line-301"> }</span>
<span class="source-line-no">302</span><span id="line-302"> if (pc != null) {</span>
<span class="source-line-no">303</span><span id="line-303"> pc.setPassword(password);</span>
<span class="source-line-no">304</span><span id="line-304"> }</span>
<span class="source-line-no">305</span><span id="line-305"> if (rc != null) {</span>
<span class="source-line-no">306</span><span id="line-306"> rc.setText(rc.getDefaultText());</span>
<span class="source-line-no">307</span><span id="line-307"> }</span>
<span class="source-line-no">308</span><span id="line-308"> }</span>
<span class="source-line-no">309</span><span id="line-309"> }</span>
<span class="source-line-no">310</span><span id="line-310"></span>
<span class="source-line-no">311</span><span id="line-311"> private static final class SaslNegotiateHandler extends ChannelDuplexHandler {</span>
<span class="source-line-no">312</span><span id="line-312"></span>
<span class="source-line-no">313</span><span id="line-313"> private final Configuration conf;</span>
<span class="source-line-no">314</span><span id="line-314"></span>
<span class="source-line-no">315</span><span id="line-315"> private final Map&lt;String, String&gt; saslProps;</span>
<span class="source-line-no">316</span><span id="line-316"></span>
<span class="source-line-no">317</span><span id="line-317"> private final SaslClient saslClient;</span>
<span class="source-line-no">318</span><span id="line-318"></span>
<span class="source-line-no">319</span><span id="line-319"> private final int timeoutMs;</span>
<span class="source-line-no">320</span><span id="line-320"></span>
<span class="source-line-no">321</span><span id="line-321"> private final Promise&lt;Void&gt; promise;</span>
<span class="source-line-no">322</span><span id="line-322"></span>
<span class="source-line-no">323</span><span id="line-323"> private final DFSClient dfsClient;</span>
<span class="source-line-no">324</span><span id="line-324"></span>
<span class="source-line-no">325</span><span id="line-325"> private int step = 0;</span>
<span class="source-line-no">326</span><span id="line-326"></span>
<span class="source-line-no">327</span><span id="line-327"> public SaslNegotiateHandler(Configuration conf, String username, char[] password,</span>
<span class="source-line-no">328</span><span id="line-328"> Map&lt;String, String&gt; saslProps, int timeoutMs, Promise&lt;Void&gt; promise, DFSClient dfsClient)</span>
<span class="source-line-no">329</span><span id="line-329"> throws SaslException {</span>
<span class="source-line-no">330</span><span id="line-330"> this.conf = conf;</span>
<span class="source-line-no">331</span><span id="line-331"> this.saslProps = saslProps;</span>
<span class="source-line-no">332</span><span id="line-332"> this.saslClient = Sasl.createSaslClient(new String[] { MECHANISM }, username, PROTOCOL,</span>
<span class="source-line-no">333</span><span id="line-333"> SERVER_NAME, saslProps, new SaslClientCallbackHandler(username, password));</span>
<span class="source-line-no">334</span><span id="line-334"> this.timeoutMs = timeoutMs;</span>
<span class="source-line-no">335</span><span id="line-335"> this.promise = promise;</span>
<span class="source-line-no">336</span><span id="line-336"> this.dfsClient = dfsClient;</span>
<span class="source-line-no">337</span><span id="line-337"> }</span>
<span class="source-line-no">338</span><span id="line-338"></span>
<span class="source-line-no">339</span><span id="line-339"> private void sendSaslMessage(ChannelHandlerContext ctx, byte[] payload) throws IOException {</span>
<span class="source-line-no">340</span><span id="line-340"> sendSaslMessage(ctx, payload, null);</span>
<span class="source-line-no">341</span><span id="line-341"> }</span>
<span class="source-line-no">342</span><span id="line-342"></span>
<span class="source-line-no">343</span><span id="line-343"> private List&lt;CipherOption&gt; getCipherOptions() throws IOException {</span>
<span class="source-line-no">344</span><span id="line-344"> // Negotiate cipher suites if configured. Currently, the only supported</span>
<span class="source-line-no">345</span><span id="line-345"> // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple</span>
<span class="source-line-no">346</span><span id="line-346"> // values for future expansion.</span>
<span class="source-line-no">347</span><span id="line-347"> String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);</span>
<span class="source-line-no">348</span><span id="line-348"> if (StringUtils.isBlank(cipherSuites)) {</span>
<span class="source-line-no">349</span><span id="line-349"> return null;</span>
<span class="source-line-no">350</span><span id="line-350"> }</span>
<span class="source-line-no">351</span><span id="line-351"> if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {</span>
<span class="source-line-no">352</span><span id="line-352"> throw new IOException(String.format("Invalid cipher suite, %s=%s",</span>
<span class="source-line-no">353</span><span id="line-353"> DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));</span>
<span class="source-line-no">354</span><span id="line-354"> }</span>
<span class="source-line-no">355</span><span id="line-355"> return Collections.singletonList(new CipherOption(CipherSuite.AES_CTR_NOPADDING));</span>
<span class="source-line-no">356</span><span id="line-356"> }</span>
<span class="source-line-no">357</span><span id="line-357"></span>
<span class="source-line-no">358</span><span id="line-358"> /**</span>
<span class="source-line-no">359</span><span id="line-359"> * The asyncfs subsystem emulates a HDFS client by sending protobuf messages via netty. After</span>
<span class="source-line-no">360</span><span id="line-360"> * Hadoop 3.3.0, the protobuf classes are relocated to org.apache.hadoop.thirdparty.protobuf.*.</span>
<span class="source-line-no">361</span><span id="line-361"> * Use Reflection to check which ones to use.</span>
<span class="source-line-no">362</span><span id="line-362"> */</span>
<span class="source-line-no">363</span><span id="line-363"> private static class BuilderPayloadSetter {</span>
<span class="source-line-no">364</span><span id="line-364"> private static Method setPayloadMethod;</span>
<span class="source-line-no">365</span><span id="line-365"> private static Constructor&lt;?&gt; constructor;</span>
<span class="source-line-no">366</span><span id="line-366"></span>
<span class="source-line-no">367</span><span id="line-367"> /**</span>
<span class="source-line-no">368</span><span id="line-368"> * Create a ByteString from byte array without copying (wrap), and then set it as the payload</span>
<span class="source-line-no">369</span><span id="line-369"> * for the builder.</span>
<span class="source-line-no">370</span><span id="line-370"> * @param builder builder for HDFS DataTransferEncryptorMessage.</span>
<span class="source-line-no">371</span><span id="line-371"> * @param payload byte array of payload.</span>
<span class="source-line-no">372</span><span id="line-372"> */</span>
<span class="source-line-no">373</span><span id="line-373"> static void wrapAndSetPayload(DataTransferEncryptorMessageProto.Builder builder,</span>
<span class="source-line-no">374</span><span id="line-374"> byte[] payload) throws IOException {</span>
<span class="source-line-no">375</span><span id="line-375"> Object byteStringObject;</span>
<span class="source-line-no">376</span><span id="line-376"> try {</span>
<span class="source-line-no">377</span><span id="line-377"> // byteStringObject = new LiteralByteString(payload);</span>
<span class="source-line-no">378</span><span id="line-378"> byteStringObject = constructor.newInstance(payload);</span>
<span class="source-line-no">379</span><span id="line-379"> // builder.setPayload(byteStringObject);</span>
<span class="source-line-no">380</span><span id="line-380"> setPayloadMethod.invoke(builder, constructor.getDeclaringClass().cast(byteStringObject));</span>
<span class="source-line-no">381</span><span id="line-381"> } catch (IllegalAccessException | InstantiationException e) {</span>
<span class="source-line-no">382</span><span id="line-382"> throw new RuntimeException(e);</span>
<span class="source-line-no">383</span><span id="line-383"></span>
<span class="source-line-no">384</span><span id="line-384"> } catch (InvocationTargetException e) {</span>
<span class="source-line-no">385</span><span id="line-385"> Throwables.propagateIfPossible(e.getTargetException(), IOException.class);</span>
<span class="source-line-no">386</span><span id="line-386"> throw new RuntimeException(e.getTargetException());</span>
<span class="source-line-no">387</span><span id="line-387"> }</span>
<span class="source-line-no">388</span><span id="line-388"> }</span>
<span class="source-line-no">389</span><span id="line-389"></span>
<span class="source-line-no">390</span><span id="line-390"> static {</span>
<span class="source-line-no">391</span><span id="line-391"> Class&lt;?&gt; builderClass = DataTransferEncryptorMessageProto.Builder.class;</span>
<span class="source-line-no">392</span><span id="line-392"></span>
<span class="source-line-no">393</span><span id="line-393"> // Try the unrelocated ByteString</span>
<span class="source-line-no">394</span><span id="line-394"> Class&lt;?&gt; byteStringClass;</span>
<span class="source-line-no">395</span><span id="line-395"> try {</span>
<span class="source-line-no">396</span><span id="line-396"> // See if it can load the relocated ByteString, which comes from hadoop-thirdparty.</span>
<span class="source-line-no">397</span><span id="line-397"> byteStringClass = Class.forName("org.apache.hadoop.thirdparty.protobuf.ByteString");</span>
<span class="source-line-no">398</span><span id="line-398"> LOG.debug("Found relocated ByteString class from hadoop-thirdparty."</span>
<span class="source-line-no">399</span><span id="line-399"> + " Assuming this is Hadoop 3.3.0+.");</span>
<span class="source-line-no">400</span><span id="line-400"> } catch (ClassNotFoundException e) {</span>
<span class="source-line-no">401</span><span id="line-401"> LOG.debug("Did not find relocated ByteString class from hadoop-thirdparty."</span>
<span class="source-line-no">402</span><span id="line-402"> + " Assuming this is below Hadoop 3.3.0", e);</span>
<span class="source-line-no">403</span><span id="line-403"> try {</span>
<span class="source-line-no">404</span><span id="line-404"> byteStringClass = Class.forName("com.google.protobuf.ByteString");</span>
<span class="source-line-no">405</span><span id="line-405"> LOG.debug("com.google.protobuf.ByteString found.");</span>
<span class="source-line-no">406</span><span id="line-406"> } catch (ClassNotFoundException ex) {</span>
<span class="source-line-no">407</span><span id="line-407"> throw new RuntimeException(ex);</span>
<span class="source-line-no">408</span><span id="line-408"> }</span>
<span class="source-line-no">409</span><span id="line-409"> }</span>
<span class="source-line-no">410</span><span id="line-410"></span>
<span class="source-line-no">411</span><span id="line-411"> // LiteralByteString is a package private class in protobuf. Make it accessible.</span>
<span class="source-line-no">412</span><span id="line-412"> Class&lt;?&gt; literalByteStringClass;</span>
<span class="source-line-no">413</span><span id="line-413"> try {</span>
<span class="source-line-no">414</span><span id="line-414"> literalByteStringClass =</span>
<span class="source-line-no">415</span><span id="line-415"> Class.forName("org.apache.hadoop.thirdparty.protobuf.ByteString$LiteralByteString");</span>
<span class="source-line-no">416</span><span id="line-416"> LOG.debug("Shaded LiteralByteString from hadoop-thirdparty is found.");</span>
<span class="source-line-no">417</span><span id="line-417"> } catch (ClassNotFoundException e) {</span>
<span class="source-line-no">418</span><span id="line-418"> try {</span>
<span class="source-line-no">419</span><span id="line-419"> literalByteStringClass = Class.forName("com.google.protobuf.LiteralByteString");</span>
<span class="source-line-no">420</span><span id="line-420"> LOG.debug("com.google.protobuf.LiteralByteString found.");</span>
<span class="source-line-no">421</span><span id="line-421"> } catch (ClassNotFoundException ex) {</span>
<span class="source-line-no">422</span><span id="line-422"> throw new RuntimeException(ex);</span>
<span class="source-line-no">423</span><span id="line-423"> }</span>
<span class="source-line-no">424</span><span id="line-424"> }</span>
<span class="source-line-no">425</span><span id="line-425"></span>
<span class="source-line-no">426</span><span id="line-426"> try {</span>
<span class="source-line-no">427</span><span id="line-427"> constructor = literalByteStringClass.getDeclaredConstructor(byte[].class);</span>
<span class="source-line-no">428</span><span id="line-428"> constructor.setAccessible(true);</span>
<span class="source-line-no">429</span><span id="line-429"> } catch (NoSuchMethodException e) {</span>
<span class="source-line-no">430</span><span id="line-430"> throw new RuntimeException(e);</span>
<span class="source-line-no">431</span><span id="line-431"> }</span>
<span class="source-line-no">432</span><span id="line-432"></span>
<span class="source-line-no">433</span><span id="line-433"> try {</span>
<span class="source-line-no">434</span><span id="line-434"> setPayloadMethod = builderClass.getMethod("setPayload", byteStringClass);</span>
<span class="source-line-no">435</span><span id="line-435"> } catch (NoSuchMethodException e) {</span>
<span class="source-line-no">436</span><span id="line-436"> // if either method is not found, we are in big trouble. Abort.</span>
<span class="source-line-no">437</span><span id="line-437"> throw new RuntimeException(e);</span>
<span class="source-line-no">438</span><span id="line-438"> }</span>
<span class="source-line-no">439</span><span id="line-439"> }</span>
<span class="source-line-no">440</span><span id="line-440"> }</span>
<span class="source-line-no">441</span><span id="line-441"></span>
<span class="source-line-no">442</span><span id="line-442"> private void sendSaslMessage(ChannelHandlerContext ctx, byte[] payload,</span>
<span class="source-line-no">443</span><span id="line-443"> List&lt;CipherOption&gt; options) throws IOException {</span>
<span class="source-line-no">444</span><span id="line-444"> DataTransferEncryptorMessageProto.Builder builder =</span>
<span class="source-line-no">445</span><span id="line-445"> DataTransferEncryptorMessageProto.newBuilder();</span>
<span class="source-line-no">446</span><span id="line-446"> builder.setStatus(DataTransferEncryptorStatus.SUCCESS);</span>
<span class="source-line-no">447</span><span id="line-447"> if (payload != null) {</span>
<span class="source-line-no">448</span><span id="line-448"> BuilderPayloadSetter.wrapAndSetPayload(builder, payload);</span>
<span class="source-line-no">449</span><span id="line-449"> }</span>
<span class="source-line-no">450</span><span id="line-450"> if (options != null) {</span>
<span class="source-line-no">451</span><span id="line-451"> builder.addAllCipherOption(PBHelperClient.convertCipherOptions(options));</span>
<span class="source-line-no">452</span><span id="line-452"> }</span>
<span class="source-line-no">453</span><span id="line-453"> DataTransferEncryptorMessageProto proto = builder.build();</span>
<span class="source-line-no">454</span><span id="line-454"> int size = proto.getSerializedSize();</span>
<span class="source-line-no">455</span><span id="line-455"> size += CodedOutputStream.computeUInt32SizeNoTag(size);</span>
<span class="source-line-no">456</span><span id="line-456"> ByteBuf buf = ctx.alloc().buffer(size);</span>
<span class="source-line-no">457</span><span id="line-457"> proto.writeDelimitedTo(new ByteBufOutputStream(buf));</span>
<span class="source-line-no">458</span><span id="line-458"> safeWrite(ctx, buf);</span>
<span class="source-line-no">459</span><span id="line-459"> }</span>
<span class="source-line-no">460</span><span id="line-460"></span>
<span class="source-line-no">461</span><span id="line-461"> @Override</span>
<span class="source-line-no">462</span><span id="line-462"> public void handlerAdded(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">463</span><span id="line-463"> safeWrite(ctx, ctx.alloc().buffer(4).writeInt(SASL_TRANSFER_MAGIC_NUMBER));</span>
<span class="source-line-no">464</span><span id="line-464"> sendSaslMessage(ctx, new byte[0]);</span>
<span class="source-line-no">465</span><span id="line-465"> ctx.flush();</span>
<span class="source-line-no">466</span><span id="line-466"> step++;</span>
<span class="source-line-no">467</span><span id="line-467"> }</span>
<span class="source-line-no">468</span><span id="line-468"></span>
<span class="source-line-no">469</span><span id="line-469"> @Override</span>
<span class="source-line-no">470</span><span id="line-470"> public void channelInactive(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">471</span><span id="line-471"> saslClient.dispose();</span>
<span class="source-line-no">472</span><span id="line-472"> }</span>
<span class="source-line-no">473</span><span id="line-473"></span>
<span class="source-line-no">474</span><span id="line-474"> private void check(DataTransferEncryptorMessageProto proto) throws IOException {</span>
<span class="source-line-no">475</span><span id="line-475"> if (proto.getStatus() == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {</span>
<span class="source-line-no">476</span><span id="line-476"> dfsClient.clearDataEncryptionKey();</span>
<span class="source-line-no">477</span><span id="line-477"> throw new InvalidEncryptionKeyException(proto.getMessage());</span>
<span class="source-line-no">478</span><span id="line-478"> } else if (proto.getStatus() == DataTransferEncryptorStatus.ERROR) {</span>
<span class="source-line-no">479</span><span id="line-479"> throw new IOException(proto.getMessage());</span>
<span class="source-line-no">480</span><span id="line-480"> }</span>
<span class="source-line-no">481</span><span id="line-481"> }</span>
<span class="source-line-no">482</span><span id="line-482"></span>
<span class="source-line-no">483</span><span id="line-483"> private String getNegotiatedQop() {</span>
<span class="source-line-no">484</span><span id="line-484"> return (String) saslClient.getNegotiatedProperty(Sasl.QOP);</span>
<span class="source-line-no">485</span><span id="line-485"> }</span>
<span class="source-line-no">486</span><span id="line-486"></span>
<span class="source-line-no">487</span><span id="line-487"> private boolean isNegotiatedQopPrivacy() {</span>
<span class="source-line-no">488</span><span id="line-488"> String qop = getNegotiatedQop();</span>
<span class="source-line-no">489</span><span id="line-489"> return qop != null &amp;&amp; "auth-conf".equalsIgnoreCase(qop);</span>
<span class="source-line-no">490</span><span id="line-490"> }</span>
<span class="source-line-no">491</span><span id="line-491"></span>
<span class="source-line-no">492</span><span id="line-492"> private boolean requestedQopContainsPrivacy() {</span>
<span class="source-line-no">493</span><span id="line-493"> Set&lt;String&gt; requestedQop =</span>
<span class="source-line-no">494</span><span id="line-494"> ImmutableSet.copyOf(Arrays.asList(saslProps.get(Sasl.QOP).split(",")));</span>
<span class="source-line-no">495</span><span id="line-495"> return requestedQop.contains("auth-conf");</span>
<span class="source-line-no">496</span><span id="line-496"> }</span>
<span class="source-line-no">497</span><span id="line-497"></span>
<span class="source-line-no">498</span><span id="line-498"> private void checkSaslComplete() throws IOException {</span>
<span class="source-line-no">499</span><span id="line-499"> if (!saslClient.isComplete()) {</span>
<span class="source-line-no">500</span><span id="line-500"> throw new IOException("Failed to complete SASL handshake");</span>
<span class="source-line-no">501</span><span id="line-501"> }</span>
<span class="source-line-no">502</span><span id="line-502"> Set&lt;String&gt; requestedQop =</span>
<span class="source-line-no">503</span><span id="line-503"> ImmutableSet.copyOf(Arrays.asList(saslProps.get(Sasl.QOP).split(",")));</span>
<span class="source-line-no">504</span><span id="line-504"> String negotiatedQop = getNegotiatedQop();</span>
<span class="source-line-no">505</span><span id="line-505"> LOG.debug(</span>
<span class="source-line-no">506</span><span id="line-506"> "Verifying QOP, requested QOP = " + requestedQop + ", negotiated QOP = " + negotiatedQop);</span>
<span class="source-line-no">507</span><span id="line-507"> if (!requestedQop.contains(negotiatedQop)) {</span>
<span class="source-line-no">508</span><span id="line-508"> throw new IOException(String.format("SASL handshake completed, but "</span>
<span class="source-line-no">509</span><span id="line-509"> + "channel does not have acceptable quality of protection, "</span>
<span class="source-line-no">510</span><span id="line-510"> + "requested = %s, negotiated = %s", requestedQop, negotiatedQop));</span>
<span class="source-line-no">511</span><span id="line-511"> }</span>
<span class="source-line-no">512</span><span id="line-512"> }</span>
<span class="source-line-no">513</span><span id="line-513"></span>
<span class="source-line-no">514</span><span id="line-514"> private boolean useWrap() {</span>
<span class="source-line-no">515</span><span id="line-515"> String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP);</span>
<span class="source-line-no">516</span><span id="line-516"> return qop != null &amp;&amp; !"auth".equalsIgnoreCase(qop);</span>
<span class="source-line-no">517</span><span id="line-517"> }</span>
<span class="source-line-no">518</span><span id="line-518"></span>
<span class="source-line-no">519</span><span id="line-519"> private CipherOption unwrap(CipherOption option, SaslClient saslClient) throws IOException {</span>
<span class="source-line-no">520</span><span id="line-520"> byte[] inKey = option.getInKey();</span>
<span class="source-line-no">521</span><span id="line-521"> if (inKey != null) {</span>
<span class="source-line-no">522</span><span id="line-522"> inKey = saslClient.unwrap(inKey, 0, inKey.length);</span>
<span class="source-line-no">523</span><span id="line-523"> }</span>
<span class="source-line-no">524</span><span id="line-524"> byte[] outKey = option.getOutKey();</span>
<span class="source-line-no">525</span><span id="line-525"> if (outKey != null) {</span>
<span class="source-line-no">526</span><span id="line-526"> outKey = saslClient.unwrap(outKey, 0, outKey.length);</span>
<span class="source-line-no">527</span><span id="line-527"> }</span>
<span class="source-line-no">528</span><span id="line-528"> return new CipherOption(option.getCipherSuite(), inKey, option.getInIv(), outKey,</span>
<span class="source-line-no">529</span><span id="line-529"> option.getOutIv());</span>
<span class="source-line-no">530</span><span id="line-530"> }</span>
<span class="source-line-no">531</span><span id="line-531"></span>
<span class="source-line-no">532</span><span id="line-532"> private CipherOption getCipherOption(DataTransferEncryptorMessageProto proto,</span>
<span class="source-line-no">533</span><span id="line-533"> boolean isNegotiatedQopPrivacy, SaslClient saslClient) throws IOException {</span>
<span class="source-line-no">534</span><span id="line-534"> List&lt;CipherOption&gt; cipherOptions =</span>
<span class="source-line-no">535</span><span id="line-535"> PBHelperClient.convertCipherOptionProtos(proto.getCipherOptionList());</span>
<span class="source-line-no">536</span><span id="line-536"> if (cipherOptions == null || cipherOptions.isEmpty()) {</span>
<span class="source-line-no">537</span><span id="line-537"> return null;</span>
<span class="source-line-no">538</span><span id="line-538"> }</span>
<span class="source-line-no">539</span><span id="line-539"> CipherOption cipherOption = cipherOptions.get(0);</span>
<span class="source-line-no">540</span><span id="line-540"> return isNegotiatedQopPrivacy ? unwrap(cipherOption, saslClient) : cipherOption;</span>
<span class="source-line-no">541</span><span id="line-541"> }</span>
<span class="source-line-no">542</span><span id="line-542"></span>
<span class="source-line-no">543</span><span id="line-543"> @Override</span>
<span class="source-line-no">544</span><span id="line-544"> public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {</span>
<span class="source-line-no">545</span><span id="line-545"> if (msg instanceof DataTransferEncryptorMessageProto) {</span>
<span class="source-line-no">546</span><span id="line-546"> DataTransferEncryptorMessageProto proto = (DataTransferEncryptorMessageProto) msg;</span>
<span class="source-line-no">547</span><span id="line-547"> check(proto);</span>
<span class="source-line-no">548</span><span id="line-548"> byte[] challenge = proto.getPayload().toByteArray();</span>
<span class="source-line-no">549</span><span id="line-549"> byte[] response = saslClient.evaluateChallenge(challenge);</span>
<span class="source-line-no">550</span><span id="line-550"> switch (step) {</span>
<span class="source-line-no">551</span><span id="line-551"> case 1: {</span>
<span class="source-line-no">552</span><span id="line-552"> List&lt;CipherOption&gt; cipherOptions = null;</span>
<span class="source-line-no">553</span><span id="line-553"> if (requestedQopContainsPrivacy()) {</span>
<span class="source-line-no">554</span><span id="line-554"> cipherOptions = getCipherOptions();</span>
<span class="source-line-no">555</span><span id="line-555"> }</span>
<span class="source-line-no">556</span><span id="line-556"> sendSaslMessage(ctx, response, cipherOptions);</span>
<span class="source-line-no">557</span><span id="line-557"> ctx.flush();</span>
<span class="source-line-no">558</span><span id="line-558"> step++;</span>
<span class="source-line-no">559</span><span id="line-559"> break;</span>
<span class="source-line-no">560</span><span id="line-560"> }</span>
<span class="source-line-no">561</span><span id="line-561"> case 2: {</span>
<span class="source-line-no">562</span><span id="line-562"> assert response == null;</span>
<span class="source-line-no">563</span><span id="line-563"> checkSaslComplete();</span>
<span class="source-line-no">564</span><span id="line-564"> CipherOption cipherOption =</span>
<span class="source-line-no">565</span><span id="line-565"> getCipherOption(proto, isNegotiatedQopPrivacy(), saslClient);</span>
<span class="source-line-no">566</span><span id="line-566"> ChannelPipeline p = ctx.pipeline();</span>
<span class="source-line-no">567</span><span id="line-567"> while (p.first() != null) {</span>
<span class="source-line-no">568</span><span id="line-568"> p.removeFirst();</span>
<span class="source-line-no">569</span><span id="line-569"> }</span>
<span class="source-line-no">570</span><span id="line-570"> if (cipherOption != null) {</span>
<span class="source-line-no">571</span><span id="line-571"> CryptoCodec codec = CryptoCodec.getInstance(conf, cipherOption.getCipherSuite());</span>
<span class="source-line-no">572</span><span id="line-572"> p.addLast(new EncryptHandler(codec, cipherOption.getInKey(), cipherOption.getInIv()),</span>
<span class="source-line-no">573</span><span id="line-573"> new DecryptHandler(codec, cipherOption.getOutKey(), cipherOption.getOutIv()));</span>
<span class="source-line-no">574</span><span id="line-574"> } else {</span>
<span class="source-line-no">575</span><span id="line-575"> if (useWrap()) {</span>
<span class="source-line-no">576</span><span id="line-576"> p.addLast(new SaslWrapHandler(saslClient),</span>
<span class="source-line-no">577</span><span id="line-577"> new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4),</span>
<span class="source-line-no">578</span><span id="line-578"> new SaslUnwrapHandler(saslClient));</span>
<span class="source-line-no">579</span><span id="line-579"> }</span>
<span class="source-line-no">580</span><span id="line-580"> }</span>
<span class="source-line-no">581</span><span id="line-581"> promise.trySuccess(null);</span>
<span class="source-line-no">582</span><span id="line-582"> break;</span>
<span class="source-line-no">583</span><span id="line-583"> }</span>
<span class="source-line-no">584</span><span id="line-584"> default:</span>
<span class="source-line-no">585</span><span id="line-585"> throw new IllegalArgumentException("Unrecognized negotiation step: " + step);</span>
<span class="source-line-no">586</span><span id="line-586"> }</span>
<span class="source-line-no">587</span><span id="line-587"> } else {</span>
<span class="source-line-no">588</span><span id="line-588"> ctx.fireChannelRead(msg);</span>
<span class="source-line-no">589</span><span id="line-589"> }</span>
<span class="source-line-no">590</span><span id="line-590"> }</span>
<span class="source-line-no">591</span><span id="line-591"></span>
<span class="source-line-no">592</span><span id="line-592"> @Override</span>
<span class="source-line-no">593</span><span id="line-593"> public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {</span>
<span class="source-line-no">594</span><span id="line-594"> promise.tryFailure(cause);</span>
<span class="source-line-no">595</span><span id="line-595"> }</span>
<span class="source-line-no">596</span><span id="line-596"></span>
<span class="source-line-no">597</span><span id="line-597"> @Override</span>
<span class="source-line-no">598</span><span id="line-598"> public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {</span>
<span class="source-line-no">599</span><span id="line-599"> if (evt instanceof IdleStateEvent &amp;&amp; ((IdleStateEvent) evt).state() == READER_IDLE) {</span>
<span class="source-line-no">600</span><span id="line-600"> promise.tryFailure(new IOException("Timeout(" + timeoutMs + "ms) waiting for response"));</span>
<span class="source-line-no">601</span><span id="line-601"> } else {</span>
<span class="source-line-no">602</span><span id="line-602"> super.userEventTriggered(ctx, evt);</span>
<span class="source-line-no">603</span><span id="line-603"> }</span>
<span class="source-line-no">604</span><span id="line-604"> }</span>
<span class="source-line-no">605</span><span id="line-605"> }</span>
<span class="source-line-no">606</span><span id="line-606"></span>
<span class="source-line-no">607</span><span id="line-607"> private static final class SaslUnwrapHandler extends SimpleChannelInboundHandler&lt;ByteBuf&gt; {</span>
<span class="source-line-no">608</span><span id="line-608"></span>
<span class="source-line-no">609</span><span id="line-609"> private final SaslClient saslClient;</span>
<span class="source-line-no">610</span><span id="line-610"></span>
<span class="source-line-no">611</span><span id="line-611"> public SaslUnwrapHandler(SaslClient saslClient) {</span>
<span class="source-line-no">612</span><span id="line-612"> this.saslClient = saslClient;</span>
<span class="source-line-no">613</span><span id="line-613"> }</span>
<span class="source-line-no">614</span><span id="line-614"></span>
<span class="source-line-no">615</span><span id="line-615"> @Override</span>
<span class="source-line-no">616</span><span id="line-616"> public void channelInactive(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">617</span><span id="line-617"> saslClient.dispose();</span>
<span class="source-line-no">618</span><span id="line-618"> }</span>
<span class="source-line-no">619</span><span id="line-619"></span>
<span class="source-line-no">620</span><span id="line-620"> @Override</span>
<span class="source-line-no">621</span><span id="line-621"> protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {</span>
<span class="source-line-no">622</span><span id="line-622"> msg.skipBytes(4);</span>
<span class="source-line-no">623</span><span id="line-623"> byte[] b = new byte[msg.readableBytes()];</span>
<span class="source-line-no">624</span><span id="line-624"> msg.readBytes(b);</span>
<span class="source-line-no">625</span><span id="line-625"> ctx.fireChannelRead(Unpooled.wrappedBuffer(saslClient.unwrap(b, 0, b.length)));</span>
<span class="source-line-no">626</span><span id="line-626"> }</span>
<span class="source-line-no">627</span><span id="line-627"> }</span>
<span class="source-line-no">628</span><span id="line-628"></span>
<span class="source-line-no">629</span><span id="line-629"> private static final class SaslWrapHandler extends ChannelOutboundHandlerAdapter {</span>
<span class="source-line-no">630</span><span id="line-630"></span>
<span class="source-line-no">631</span><span id="line-631"> private final SaslClient saslClient;</span>
<span class="source-line-no">632</span><span id="line-632"></span>
<span class="source-line-no">633</span><span id="line-633"> private CompositeByteBuf cBuf;</span>
<span class="source-line-no">634</span><span id="line-634"></span>
<span class="source-line-no">635</span><span id="line-635"> public SaslWrapHandler(SaslClient saslClient) {</span>
<span class="source-line-no">636</span><span id="line-636"> this.saslClient = saslClient;</span>
<span class="source-line-no">637</span><span id="line-637"> }</span>
<span class="source-line-no">638</span><span id="line-638"></span>
<span class="source-line-no">639</span><span id="line-639"> @Override</span>
<span class="source-line-no">640</span><span id="line-640"> public void handlerAdded(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">641</span><span id="line-641"> cBuf = new CompositeByteBuf(ctx.alloc(), false, Integer.MAX_VALUE);</span>
<span class="source-line-no">642</span><span id="line-642"> }</span>
<span class="source-line-no">643</span><span id="line-643"></span>
<span class="source-line-no">644</span><span id="line-644"> @Override</span>
<span class="source-line-no">645</span><span id="line-645"> public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise)</span>
<span class="source-line-no">646</span><span id="line-646"> throws Exception {</span>
<span class="source-line-no">647</span><span id="line-647"> if (msg instanceof ByteBuf) {</span>
<span class="source-line-no">648</span><span id="line-648"> ByteBuf buf = (ByteBuf) msg;</span>
<span class="source-line-no">649</span><span id="line-649"> cBuf.addComponent(buf);</span>
<span class="source-line-no">650</span><span id="line-650"> cBuf.writerIndex(cBuf.writerIndex() + buf.readableBytes());</span>
<span class="source-line-no">651</span><span id="line-651"> } else {</span>
<span class="source-line-no">652</span><span id="line-652"> safeWrite(ctx, msg);</span>
<span class="source-line-no">653</span><span id="line-653"> }</span>
<span class="source-line-no">654</span><span id="line-654"> }</span>
<span class="source-line-no">655</span><span id="line-655"></span>
<span class="source-line-no">656</span><span id="line-656"> @Override</span>
<span class="source-line-no">657</span><span id="line-657"> public void flush(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">658</span><span id="line-658"> if (cBuf.isReadable()) {</span>
<span class="source-line-no">659</span><span id="line-659"> byte[] b = new byte[cBuf.readableBytes()];</span>
<span class="source-line-no">660</span><span id="line-660"> cBuf.readBytes(b);</span>
<span class="source-line-no">661</span><span id="line-661"> cBuf.discardReadComponents();</span>
<span class="source-line-no">662</span><span id="line-662"> byte[] wrapped = saslClient.wrap(b, 0, b.length);</span>
<span class="source-line-no">663</span><span id="line-663"> ByteBuf buf = ctx.alloc().ioBuffer(4 + wrapped.length);</span>
<span class="source-line-no">664</span><span id="line-664"> buf.writeInt(wrapped.length);</span>
<span class="source-line-no">665</span><span id="line-665"> buf.writeBytes(wrapped);</span>
<span class="source-line-no">666</span><span id="line-666"> safeWrite(ctx, buf);</span>
<span class="source-line-no">667</span><span id="line-667"> }</span>
<span class="source-line-no">668</span><span id="line-668"> ctx.flush();</span>
<span class="source-line-no">669</span><span id="line-669"> }</span>
<span class="source-line-no">670</span><span id="line-670"></span>
<span class="source-line-no">671</span><span id="line-671"> @Override</span>
<span class="source-line-no">672</span><span id="line-672"> public void handlerRemoved(ChannelHandlerContext ctx) throws Exception {</span>
<span class="source-line-no">673</span><span id="line-673"> // Release buffer on removal.</span>
<span class="source-line-no">674</span><span id="line-674"> cBuf.release();</span>
<span class="source-line-no">675</span><span id="line-675"> cBuf = null;</span>
<span class="source-line-no">676</span><span id="line-676"> }</span>
<span class="source-line-no">677</span><span id="line-677"> }</span>
<span class="source-line-no">678</span><span id="line-678"></span>
<span class="source-line-no">679</span><span id="line-679"> private static final class DecryptHandler extends SimpleChannelInboundHandler&lt;ByteBuf&gt; {</span>
<span class="source-line-no">680</span><span id="line-680"></span>
<span class="source-line-no">681</span><span id="line-681"> private final Decryptor decryptor;</span>
<span class="source-line-no">682</span><span id="line-682"></span>
<span class="source-line-no">683</span><span id="line-683"> public DecryptHandler(CryptoCodec codec, byte[] key, byte[] iv)</span>
<span class="source-line-no">684</span><span id="line-684"> throws GeneralSecurityException, IOException {</span>
<span class="source-line-no">685</span><span id="line-685"> this.decryptor = codec.createDecryptor();</span>
<span class="source-line-no">686</span><span id="line-686"> this.decryptor.init(key, Arrays.copyOf(iv, iv.length));</span>
<span class="source-line-no">687</span><span id="line-687"> }</span>
<span class="source-line-no">688</span><span id="line-688"></span>
<span class="source-line-no">689</span><span id="line-689"> @Override</span>
<span class="source-line-no">690</span><span id="line-690"> protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {</span>
<span class="source-line-no">691</span><span id="line-691"> ByteBuf inBuf;</span>
<span class="source-line-no">692</span><span id="line-692"> boolean release = false;</span>
<span class="source-line-no">693</span><span id="line-693"> if (msg.nioBufferCount() == 1) {</span>
<span class="source-line-no">694</span><span id="line-694"> inBuf = msg;</span>
<span class="source-line-no">695</span><span id="line-695"> } else {</span>
<span class="source-line-no">696</span><span id="line-696"> inBuf = ctx.alloc().directBuffer(msg.readableBytes());</span>
<span class="source-line-no">697</span><span id="line-697"> msg.readBytes(inBuf);</span>
<span class="source-line-no">698</span><span id="line-698"> release = true;</span>
<span class="source-line-no">699</span><span id="line-699"> }</span>
<span class="source-line-no">700</span><span id="line-700"> ByteBuffer inBuffer = inBuf.nioBuffer();</span>
<span class="source-line-no">701</span><span id="line-701"> ByteBuf outBuf = ctx.alloc().directBuffer(inBuf.readableBytes());</span>
<span class="source-line-no">702</span><span id="line-702"> ByteBuffer outBuffer = outBuf.nioBuffer(0, inBuf.readableBytes());</span>
<span class="source-line-no">703</span><span id="line-703"> decryptor.decrypt(inBuffer, outBuffer);</span>
<span class="source-line-no">704</span><span id="line-704"> outBuf.writerIndex(inBuf.readableBytes());</span>
<span class="source-line-no">705</span><span id="line-705"> if (release) {</span>
<span class="source-line-no">706</span><span id="line-706"> inBuf.release();</span>
<span class="source-line-no">707</span><span id="line-707"> }</span>
<span class="source-line-no">708</span><span id="line-708"> ctx.fireChannelRead(outBuf);</span>
<span class="source-line-no">709</span><span id="line-709"> }</span>
<span class="source-line-no">710</span><span id="line-710"> }</span>
<span class="source-line-no">711</span><span id="line-711"></span>
<span class="source-line-no">712</span><span id="line-712"> private static final class EncryptHandler extends MessageToByteEncoder&lt;ByteBuf&gt; {</span>
<span class="source-line-no">713</span><span id="line-713"></span>
<span class="source-line-no">714</span><span id="line-714"> private final Encryptor encryptor;</span>
<span class="source-line-no">715</span><span id="line-715"></span>
<span class="source-line-no">716</span><span id="line-716"> public EncryptHandler(CryptoCodec codec, byte[] key, byte[] iv)</span>
<span class="source-line-no">717</span><span id="line-717"> throws GeneralSecurityException, IOException {</span>
<span class="source-line-no">718</span><span id="line-718"> this.encryptor = codec.createEncryptor();</span>
<span class="source-line-no">719</span><span id="line-719"> this.encryptor.init(key, Arrays.copyOf(iv, iv.length));</span>
<span class="source-line-no">720</span><span id="line-720"> }</span>
<span class="source-line-no">721</span><span id="line-721"></span>
<span class="source-line-no">722</span><span id="line-722"> @Override</span>
<span class="source-line-no">723</span><span id="line-723"> protected ByteBuf allocateBuffer(ChannelHandlerContext ctx, ByteBuf msg, boolean preferDirect)</span>
<span class="source-line-no">724</span><span id="line-724"> throws Exception {</span>
<span class="source-line-no">725</span><span id="line-725"> if (preferDirect) {</span>
<span class="source-line-no">726</span><span id="line-726"> return ctx.alloc().directBuffer(msg.readableBytes());</span>
<span class="source-line-no">727</span><span id="line-727"> } else {</span>
<span class="source-line-no">728</span><span id="line-728"> return ctx.alloc().buffer(msg.readableBytes());</span>
<span class="source-line-no">729</span><span id="line-729"> }</span>
<span class="source-line-no">730</span><span id="line-730"> }</span>
<span class="source-line-no">731</span><span id="line-731"></span>
<span class="source-line-no">732</span><span id="line-732"> @Override</span>
<span class="source-line-no">733</span><span id="line-733"> protected void encode(ChannelHandlerContext ctx, ByteBuf msg, ByteBuf out) throws Exception {</span>
<span class="source-line-no">734</span><span id="line-734"> ByteBuf inBuf;</span>
<span class="source-line-no">735</span><span id="line-735"> boolean release = false;</span>
<span class="source-line-no">736</span><span id="line-736"> if (msg.nioBufferCount() == 1) {</span>
<span class="source-line-no">737</span><span id="line-737"> inBuf = msg;</span>
<span class="source-line-no">738</span><span id="line-738"> } else {</span>
<span class="source-line-no">739</span><span id="line-739"> inBuf = ctx.alloc().directBuffer(msg.readableBytes());</span>
<span class="source-line-no">740</span><span id="line-740"> msg.readBytes(inBuf);</span>
<span class="source-line-no">741</span><span id="line-741"> release = true;</span>
<span class="source-line-no">742</span><span id="line-742"> }</span>
<span class="source-line-no">743</span><span id="line-743"> ByteBuffer inBuffer = inBuf.nioBuffer();</span>
<span class="source-line-no">744</span><span id="line-744"> ByteBuffer outBuffer = out.nioBuffer(0, inBuf.readableBytes());</span>
<span class="source-line-no">745</span><span id="line-745"> encryptor.encrypt(inBuffer, outBuffer);</span>
<span class="source-line-no">746</span><span id="line-746"> out.writerIndex(inBuf.readableBytes());</span>
<span class="source-line-no">747</span><span id="line-747"> if (release) {</span>
<span class="source-line-no">748</span><span id="line-748"> inBuf.release();</span>
<span class="source-line-no">749</span><span id="line-749"> }</span>
<span class="source-line-no">750</span><span id="line-750"> }</span>
<span class="source-line-no">751</span><span id="line-751"> }</span>
<span class="source-line-no">752</span><span id="line-752"></span>
<span class="source-line-no">753</span><span id="line-753"> private static String getUserNameFromEncryptionKey(DataEncryptionKey encryptionKey) {</span>
<span class="source-line-no">754</span><span id="line-754"> return encryptionKey.keyId + NAME_DELIMITER + encryptionKey.blockPoolId + NAME_DELIMITER</span>
<span class="source-line-no">755</span><span id="line-755"> + Base64.getEncoder().encodeToString(encryptionKey.nonce);</span>
<span class="source-line-no">756</span><span id="line-756"> }</span>
<span class="source-line-no">757</span><span id="line-757"></span>
<span class="source-line-no">758</span><span id="line-758"> private static char[] encryptionKeyToPassword(byte[] encryptionKey) {</span>
<span class="source-line-no">759</span><span id="line-759"> return Base64.getEncoder().encodeToString(encryptionKey).toCharArray();</span>
<span class="source-line-no">760</span><span id="line-760"> }</span>
<span class="source-line-no">761</span><span id="line-761"></span>
<span class="source-line-no">762</span><span id="line-762"> private static String buildUsername(Token&lt;BlockTokenIdentifier&gt; blockToken) {</span>
<span class="source-line-no">763</span><span id="line-763"> return Base64.getEncoder().encodeToString(blockToken.getIdentifier());</span>
<span class="source-line-no">764</span><span id="line-764"> }</span>
<span class="source-line-no">765</span><span id="line-765"></span>
<span class="source-line-no">766</span><span id="line-766"> private static char[] buildClientPassword(Token&lt;BlockTokenIdentifier&gt; blockToken) {</span>
<span class="source-line-no">767</span><span id="line-767"> return Base64.getEncoder().encodeToString(blockToken.getPassword()).toCharArray();</span>
<span class="source-line-no">768</span><span id="line-768"> }</span>
<span class="source-line-no">769</span><span id="line-769"></span>
<span class="source-line-no">770</span><span id="line-770"> private static Map&lt;String, String&gt; createSaslPropertiesForEncryption(String encryptionAlgorithm) {</span>
<span class="source-line-no">771</span><span id="line-771"> Map&lt;String, String&gt; saslProps = Maps.newHashMapWithExpectedSize(3);</span>
<span class="source-line-no">772</span><span id="line-772"> saslProps.put(Sasl.QOP, QualityOfProtection.PRIVACY.getSaslQop());</span>
<span class="source-line-no">773</span><span id="line-773"> saslProps.put(Sasl.SERVER_AUTH, "true");</span>
<span class="source-line-no">774</span><span id="line-774"> saslProps.put("com.sun.security.sasl.digest.cipher", encryptionAlgorithm);</span>
<span class="source-line-no">775</span><span id="line-775"> return saslProps;</span>
<span class="source-line-no">776</span><span id="line-776"> }</span>
<span class="source-line-no">777</span><span id="line-777"></span>
<span class="source-line-no">778</span><span id="line-778"> private static void doSaslNegotiation(Configuration conf, Channel channel, int timeoutMs,</span>
<span class="source-line-no">779</span><span id="line-779"> String username, char[] password, Map&lt;String, String&gt; saslProps, Promise&lt;Void&gt; saslPromise,</span>
<span class="source-line-no">780</span><span id="line-780"> DFSClient dfsClient) {</span>
<span class="source-line-no">781</span><span id="line-781"> try {</span>
<span class="source-line-no">782</span><span id="line-782"> channel.pipeline().addLast(new IdleStateHandler(timeoutMs, 0, 0, TimeUnit.MILLISECONDS),</span>
<span class="source-line-no">783</span><span id="line-783"> new ProtobufVarint32FrameDecoder(),</span>
<span class="source-line-no">784</span><span id="line-784"> new ProtobufDecoder(DataTransferEncryptorMessageProto.getDefaultInstance()),</span>
<span class="source-line-no">785</span><span id="line-785"> new SaslNegotiateHandler(conf, username, password, saslProps, timeoutMs, saslPromise,</span>
<span class="source-line-no">786</span><span id="line-786"> dfsClient));</span>
<span class="source-line-no">787</span><span id="line-787"> } catch (SaslException e) {</span>
<span class="source-line-no">788</span><span id="line-788"> saslPromise.tryFailure(e);</span>
<span class="source-line-no">789</span><span id="line-789"> }</span>
<span class="source-line-no">790</span><span id="line-790"> }</span>
<span class="source-line-no">791</span><span id="line-791"></span>
<span class="source-line-no">792</span><span id="line-792"> static void trySaslNegotiate(Configuration conf, Channel channel, DatanodeInfo dnInfo,</span>
<span class="source-line-no">793</span><span id="line-793"> int timeoutMs, DFSClient client, Token&lt;BlockTokenIdentifier&gt; accessToken,</span>
<span class="source-line-no">794</span><span id="line-794"> Promise&lt;Void&gt; saslPromise) throws IOException {</span>
<span class="source-line-no">795</span><span id="line-795"> SaslDataTransferClient saslClient = client.getSaslDataTransferClient();</span>
<span class="source-line-no">796</span><span id="line-796"> SaslPropertiesResolver saslPropsResolver = SASL_ADAPTOR.getSaslPropsResolver(saslClient);</span>
<span class="source-line-no">797</span><span id="line-797"> TrustedChannelResolver trustedChannelResolver =</span>
<span class="source-line-no">798</span><span id="line-798"> SASL_ADAPTOR.getTrustedChannelResolver(saslClient);</span>
<span class="source-line-no">799</span><span id="line-799"> AtomicBoolean fallbackToSimpleAuth = SASL_ADAPTOR.getFallbackToSimpleAuth(saslClient);</span>
<span class="source-line-no">800</span><span id="line-800"> InetAddress addr = ((InetSocketAddress) channel.remoteAddress()).getAddress();</span>
<span class="source-line-no">801</span><span id="line-801"> if (trustedChannelResolver.isTrusted() || trustedChannelResolver.isTrusted(addr)) {</span>
<span class="source-line-no">802</span><span id="line-802"> saslPromise.trySuccess(null);</span>
<span class="source-line-no">803</span><span id="line-803"> return;</span>
<span class="source-line-no">804</span><span id="line-804"> }</span>
<span class="source-line-no">805</span><span id="line-805"> DataEncryptionKey encryptionKey = client.newDataEncryptionKey();</span>
<span class="source-line-no">806</span><span id="line-806"> if (encryptionKey != null) {</span>
<span class="source-line-no">807</span><span id="line-807"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">808</span><span id="line-808"> LOG.debug(</span>
<span class="source-line-no">809</span><span id="line-809"> "SASL client doing encrypted handshake for addr = " + addr + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">810</span><span id="line-810"> }</span>
<span class="source-line-no">811</span><span id="line-811"> doSaslNegotiation(conf, channel, timeoutMs, getUserNameFromEncryptionKey(encryptionKey),</span>
<span class="source-line-no">812</span><span id="line-812"> encryptionKeyToPassword(encryptionKey.encryptionKey),</span>
<span class="source-line-no">813</span><span id="line-813"> createSaslPropertiesForEncryption(encryptionKey.encryptionAlgorithm), saslPromise, client);</span>
<span class="source-line-no">814</span><span id="line-814"> } else if (!UserGroupInformation.isSecurityEnabled()) {</span>
<span class="source-line-no">815</span><span id="line-815"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">816</span><span id="line-816"> LOG.debug("SASL client skipping handshake in unsecured configuration for addr = " + addr</span>
<span class="source-line-no">817</span><span id="line-817"> + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">818</span><span id="line-818"> }</span>
<span class="source-line-no">819</span><span id="line-819"> saslPromise.trySuccess(null);</span>
<span class="source-line-no">820</span><span id="line-820"> } else if (dnInfo.getXferPort() &lt; 1024) {</span>
<span class="source-line-no">821</span><span id="line-821"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">822</span><span id="line-822"> LOG.debug("SASL client skipping handshake in secured configuration with "</span>
<span class="source-line-no">823</span><span id="line-823"> + "privileged port for addr = " + addr + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">824</span><span id="line-824"> }</span>
<span class="source-line-no">825</span><span id="line-825"> saslPromise.trySuccess(null);</span>
<span class="source-line-no">826</span><span id="line-826"> } else if (fallbackToSimpleAuth != null &amp;&amp; fallbackToSimpleAuth.get()) {</span>
<span class="source-line-no">827</span><span id="line-827"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">828</span><span id="line-828"> LOG.debug("SASL client skipping handshake in secured configuration with "</span>
<span class="source-line-no">829</span><span id="line-829"> + "unsecured cluster for addr = " + addr + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">830</span><span id="line-830"> }</span>
<span class="source-line-no">831</span><span id="line-831"> saslPromise.trySuccess(null);</span>
<span class="source-line-no">832</span><span id="line-832"> } else if (saslPropsResolver != null) {</span>
<span class="source-line-no">833</span><span id="line-833"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">834</span><span id="line-834"> LOG.debug(</span>
<span class="source-line-no">835</span><span id="line-835"> "SASL client doing general handshake for addr = " + addr + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">836</span><span id="line-836"> }</span>
<span class="source-line-no">837</span><span id="line-837"> doSaslNegotiation(conf, channel, timeoutMs, buildUsername(accessToken),</span>
<span class="source-line-no">838</span><span id="line-838"> buildClientPassword(accessToken), saslPropsResolver.getClientProperties(addr), saslPromise,</span>
<span class="source-line-no">839</span><span id="line-839"> client);</span>
<span class="source-line-no">840</span><span id="line-840"> } else {</span>
<span class="source-line-no">841</span><span id="line-841"> // It's a secured cluster using non-privileged ports, but no SASL. The only way this can</span>
<span class="source-line-no">842</span><span id="line-842"> // happen is if the DataNode has ignore.secure.ports.for.testing configured, so this is a rare</span>
<span class="source-line-no">843</span><span id="line-843"> // edge case.</span>
<span class="source-line-no">844</span><span id="line-844"> if (LOG.isDebugEnabled()) {</span>
<span class="source-line-no">845</span><span id="line-845"> LOG.debug("SASL client skipping handshake in secured configuration with no SASL "</span>
<span class="source-line-no">846</span><span id="line-846"> + "protection configured for addr = " + addr + ", datanodeId = " + dnInfo);</span>
<span class="source-line-no">847</span><span id="line-847"> }</span>
<span class="source-line-no">848</span><span id="line-848"> saslPromise.trySuccess(null);</span>
<span class="source-line-no">849</span><span id="line-849"> }</span>
<span class="source-line-no">850</span><span id="line-850"> }</span>
<span class="source-line-no">851</span><span id="line-851"></span>
<span class="source-line-no">852</span><span id="line-852"> static Encryptor createEncryptor(Configuration conf, HdfsFileStatus stat, DFSClient client)</span>
<span class="source-line-no">853</span><span id="line-853"> throws IOException {</span>
<span class="source-line-no">854</span><span id="line-854"> FileEncryptionInfo feInfo = stat.getFileEncryptionInfo();</span>
<span class="source-line-no">855</span><span id="line-855"> if (feInfo == null) {</span>
<span class="source-line-no">856</span><span id="line-856"> return null;</span>
<span class="source-line-no">857</span><span id="line-857"> }</span>
<span class="source-line-no">858</span><span id="line-858"> return TRANSPARENT_CRYPTO_HELPER.createEncryptor(conf, feInfo, client);</span>
<span class="source-line-no">859</span><span id="line-859"> }</span>
<span class="source-line-no">860</span><span id="line-860">}</span>
</pre>
</div>
</main>
</body>
</html>