nifi-commons/nifi-sensitive-property-provider/src/main/java/org/apache/nifi/properties/AWSSensitivePropertyProvider.java - nifi - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.nifi.properties;

 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.properties.BootstrapProperties.BootstrapPropertyKey;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.core.SdkBytes;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.kms.KmsClient;
 import software.amazon.awssdk.services.kms.model.DecryptRequest;
 import software.amazon.awssdk.services.kms.model.DecryptResponse;
 import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
 import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
 import software.amazon.awssdk.services.kms.model.EncryptRequest;
 import software.amazon.awssdk.services.kms.model.EncryptResponse;
 import software.amazon.awssdk.services.kms.model.KeyMetadata;
 import software.amazon.awssdk.services.kms.model.KmsException;

 import java.util.Base64;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Paths;
 import java.util.Objects;

 public class AWSSensitivePropertyProvider extends AbstractSensitivePropertyProvider {
     private static final Logger logger = LoggerFactory.getLogger(AWSSensitivePropertyProvider.class);

     private static final String AWS_PREFIX = "aws";
     private static final String ACCESS_KEY_PROPS_NAME = "aws.access.key.id";
     private static final String SECRET_KEY_PROPS_NAME = "aws.secret.access.key";
     private static final String REGION_KEY_PROPS_NAME = "aws.region";
     private static final String KMS_KEY_PROPS_NAME = "aws.kms.key.id";

     private static final Charset PROPERTY_CHARSET = StandardCharsets.UTF_8;

     private final BootstrapProperties awsBootstrapProperties;
     private KmsClient client;
     private String keyId;


     AWSSensitivePropertyProvider(final BootstrapProperties bootstrapProperties) throws SensitivePropertyProtectionException {
         super(bootstrapProperties);
         Objects.requireNonNull(bootstrapProperties, "The file bootstrap.conf provided to AWS SPP is null");
         awsBootstrapProperties = getAWSBootstrapProperties(bootstrapProperties);
         loadRequiredAWSProperties(awsBootstrapProperties);
     }

     /**
      * Initializes the KMS Client to be used for encrypt, decrypt and other interactions with AWS KMS.
      * First attempts to use credentials/configuration in bootstrap-aws.conf.
      * If credentials/configuration in bootstrap-aws.conf is not fully configured,
      * attempt to initialize credentials using default AWS credentials/configuration chain.
      * Note: This does not verify if credentials are valid.
      */
     private void initializeClient() {
         if (awsBootstrapProperties == null) {
             logger.warn("AWS Bootstrap Properties are required for KMS Client initialization");
             return;
         }
         final String accessKey = awsBootstrapProperties.getProperty(ACCESS_KEY_PROPS_NAME);
         final String secretKey = awsBootstrapProperties.getProperty(SECRET_KEY_PROPS_NAME);
         final String region = awsBootstrapProperties.getProperty(REGION_KEY_PROPS_NAME);

         if (StringUtils.isNoneBlank(accessKey, secretKey, region)) {
             logger.debug("Using AWS credentials from bootstrap properties");
             try {
                 final AwsBasicCredentials credentials = AwsBasicCredentials.create(accessKey, secretKey);
                 client = KmsClient.builder()
                         .region(Region.of(region))
                         .credentialsProvider(StaticCredentialsProvider.create(credentials))
                         .build();
             } catch (final RuntimeException e) {
                 final String msg = "Valid configuration/credentials are required to initialize KMS client";
                 throw new SensitivePropertyProtectionException(msg, e);
             }
         } else {
             logger.debug("Using AWS credentials from default credentials provider");
             try {
                 final DefaultCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder()
                         .build();
                 credentialsProvider.resolveCredentials();
                 client = KmsClient.builder()
                         .credentialsProvider(credentialsProvider)
                         .build();
             } catch (final SdkClientException e) {
                 final String msg = "Valid configuration/credentials are required to initialize KMS client";
                 throw new SensitivePropertyProtectionException(msg, e);
             }
         }
     }

     /**
      * Validates the key ARN, credentials and configuration provided by the user.
      * Note: This function performs checks on the key and indirectly also validates the credentials and
      * configurations provided during the initialization of the client.
      */
     private void validate() throws KmsException, SensitivePropertyProtectionException {
         if (client == null) {
             final String msg = "The AWS KMS Client failed to open, cannot validate key";
             throw new SensitivePropertyProtectionException(msg);
         }
         if (StringUtils.isBlank(keyId)) {
             final String msg = "The AWS KMS key provided is blank";
             throw new SensitivePropertyProtectionException(msg);
         }

         // asking for a Key Description is the best way to check whether a key is valid
         // because AWS KMS accepts various formats for its keys.
         final DescribeKeyRequest request = DescribeKeyRequest.builder()
                 .keyId(keyId)
                 .build();

         // using the KmsClient in a DescribeKey request indirectly also verifies if the credentials provided
         // during the initialization of the key are valid
         final DescribeKeyResponse response = client.describeKey(request);
         final KeyMetadata metadata = response.keyMetadata();

         if (!metadata.enabled()) {
             final String msg = String.format("AWS KMS key [%s] is not enabled", keyId);
             throw new SensitivePropertyProtectionException(msg);
         }
     }

     /**
      * Checks if we have a key ID from AWS KMS and loads it into {@link #keyId}. Will load null if key is not present.
      * Note: This function does not verify if the key is correctly formatted/valid.
      * @param props the properties representing bootstrap-aws.conf
      */
     private void loadRequiredAWSProperties(final BootstrapProperties props) {
         if (props != null) {
             keyId = props.getProperty(KMS_KEY_PROPS_NAME);
         }
     }


     /**
      * Checks bootstrap.conf to check if BootstrapPropertyKey.AWS_KMS_SENSITIVE_PROPERTY_PROVIDER_CONF property is
      * configured to the bootstrap-aws.conf file. Also will try to load bootstrap-aws.conf to {@link #awsBootstrapProperties}.
      * @param bootstrapProperties BootstrapProperties object corresponding to bootstrap.conf.
      * @return BootstrapProperties object corresponding to bootstrap-aws.conf, null otherwise.
      */
     private BootstrapProperties getAWSBootstrapProperties(final BootstrapProperties bootstrapProperties) {
         final BootstrapProperties cloudBootstrapProperties;

         // Load the bootstrap-aws.conf file based on path specified in
         // "nifi.bootstrap.protection.aws.kms.conf" property of bootstrap.conf
         final String filePath = bootstrapProperties.getProperty(BootstrapPropertyKey.AWS_KMS_SENSITIVE_PROPERTY_PROVIDER_CONF).orElse(null);
         if (StringUtils.isBlank(filePath)) {
             logger.warn("AWS KMS properties file path not configured in bootstrap properties");
             return null;
         }

         try {
             cloudBootstrapProperties = AbstractBootstrapPropertiesLoader.loadBootstrapProperties(
                     Paths.get(filePath), AWS_PREFIX);
         } catch (final IOException e) {
             throw new SensitivePropertyProtectionException("Could not load " + filePath, e);
         }

         return cloudBootstrapProperties;
     }

     /**
      * Checks bootstrap-aws.conf for the required configurations for AWS KMS encrypt/decrypt operations.
      * Note: This does not check for credentials/region configurations.
      *       Credentials/configuration will be checked during the first protect/unprotect call during runtime.
      * @return true if bootstrap-aws.conf contains the required properties for AWS SPP, false otherwise.
      */
     private boolean hasRequiredAWSProperties() {
         return awsBootstrapProperties != null && StringUtils.isNotBlank(keyId);
     }

     @Override
     public boolean isSupported() {
         return hasRequiredAWSProperties();
     }

     @Override
     protected PropertyProtectionScheme getProtectionScheme() {
         return PropertyProtectionScheme.AWS_KMS;
     }

     /**
      * Returns the name of the underlying implementation.
      *
      * @return the name of this sensitive property provider.
      */
     @Override
     public String getName() {
         return PropertyProtectionScheme.AWS_KMS.getName();
     }

     /**
      * Returns the key used to identify the provider implementation in {@code nifi.properties}.
      *
      * @return the key to persist in the sibling property.
      */
     @Override
     public String getIdentifierKey() {
         return PropertyProtectionScheme.AWS_KMS.getIdentifier();
     }


     /**
      * Returns the ciphertext blob of this value encrypted using an AWS KMS CMK.
      *
      * @return the ciphertext blob to persist in the {@code nifi.properties} file.
      */
     private byte[] encrypt(final byte[] input) {
         final SdkBytes plainBytes = SdkBytes.fromByteArray(input);

         final EncryptRequest encryptRequest = EncryptRequest.builder()
                 .keyId(keyId)
                 .plaintext(plainBytes)
                 .build();

         final EncryptResponse response = client.encrypt(encryptRequest);
         final SdkBytes encryptedData = response.ciphertextBlob();

         return encryptedData.asByteArray();
     }

     /**
      * Returns the value corresponding to a ciphertext blob decrypted using an AWS KMS CMK.
      *
      * @return the "unprotected" byte[] of this value, which could be used by the application.
      */
     private byte[] decrypt(final byte[] input) {
         final SdkBytes cipherBytes = SdkBytes.fromByteArray(input);

         final DecryptRequest decryptRequest = DecryptRequest.builder()
                 .ciphertextBlob(cipherBytes)
                 .keyId(keyId)
                 .build();

         final DecryptResponse response = client.decrypt(decryptRequest);
         final SdkBytes decryptedData = response.plaintext();

         return decryptedData.asByteArray();
     }

     /**
      * Checks if the client is open and if not, initializes the client and validates the key required for AWS KMS.
      */
     private void checkAndInitializeClient() throws SensitivePropertyProtectionException {
         if (client == null) {
             try {
                 initializeClient();
                 validate();
             } catch (final SdkClientException | KmsException | SensitivePropertyProtectionException e) {
                 throw new SensitivePropertyProtectionException("Error initializing the AWS KMS Client", e);
             }
         }
     }

     /**
      * Returns the "protected" form of this value. This is a form which can safely be persisted in the {@code nifi.properties} file without compromising the value.
      * An encryption-based provider would return a cipher text, while a remote-lookup provider could return a unique ID to retrieve the secured value.
      *
      * @param unprotectedValue the sensitive value.
      * @param context The context of the value (ignored in this implementation)
      * @return the value to persist in the {@code nifi.properties} file.
      */
     @Override
     public String protect(final String unprotectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException {
         if (StringUtils.isBlank(unprotectedValue)) {
             throw new IllegalArgumentException("Cannot encrypt a blank value");
         }

         checkAndInitializeClient();

         try {
             final byte[] plainBytes = unprotectedValue.getBytes(PROPERTY_CHARSET);
             final byte[] cipherBytes = encrypt(plainBytes);
             return Base64.getEncoder().encodeToString(cipherBytes);
         } catch (final SdkClientException | KmsException e) {
             throw new SensitivePropertyProtectionException("Encrypt failed", e);
         }
     }

     /**
      * Returns the "unprotected" form of this value. This is the raw sensitive value which is used by the application logic.
      * An encryption-based provider would decrypt a cipher text and return the plaintext, while a remote-lookup provider could retrieve the secured value.
      *
      * @param protectedValue the protected value read from the {@code nifi.properties} file.
      * @param context The context of the value (ignored in this implementation)
      * @return the raw value to be used by the application.
      */
     @Override
     public String unprotect(final String protectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException {
         if (StringUtils.isBlank(protectedValue)) {
             throw new IllegalArgumentException("Cannot decrypt a blank value");
         }

         checkAndInitializeClient();

         try {
             final byte[] cipherBytes = Base64.getDecoder().decode(protectedValue);
             final byte[] plainBytes = decrypt(cipherBytes);
             return new String(plainBytes, PROPERTY_CHARSET);
         } catch (final SdkClientException | KmsException e) {
             throw new SensitivePropertyProtectionException("Decrypt failed", e);
         }
     }

     /**
      * Closes AWS KMS client that may have been opened.
      */
     @Override
     public void cleanUp() {
         if (client != null) {
             client.close();
             client = null;
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.nifi.properties;

	import org.apache.commons.lang3.StringUtils;
	import org.apache.nifi.properties.BootstrapProperties.BootstrapPropertyKey;

	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;
	import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
	import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
	import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
	import software.amazon.awssdk.core.SdkBytes;
	import software.amazon.awssdk.core.exception.SdkClientException;
	import software.amazon.awssdk.regions.Region;
	import software.amazon.awssdk.services.kms.KmsClient;
	import software.amazon.awssdk.services.kms.model.DecryptRequest;
	import software.amazon.awssdk.services.kms.model.DecryptResponse;
	import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
	import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
	import software.amazon.awssdk.services.kms.model.EncryptRequest;
	import software.amazon.awssdk.services.kms.model.EncryptResponse;
	import software.amazon.awssdk.services.kms.model.KeyMetadata;
	import software.amazon.awssdk.services.kms.model.KmsException;

	import java.util.Base64;
	import java.io.IOException;
	import java.nio.charset.Charset;
	import java.nio.charset.StandardCharsets;
	import java.nio.file.Paths;
	import java.util.Objects;

	public class AWSSensitivePropertyProvider extends AbstractSensitivePropertyProvider {
	private static final Logger logger = LoggerFactory.getLogger(AWSSensitivePropertyProvider.class);

	private static final String AWS_PREFIX = "aws";
	private static final String ACCESS_KEY_PROPS_NAME = "aws.access.key.id";
	private static final String SECRET_KEY_PROPS_NAME = "aws.secret.access.key";
	private static final String REGION_KEY_PROPS_NAME = "aws.region";
	private static final String KMS_KEY_PROPS_NAME = "aws.kms.key.id";

	private static final Charset PROPERTY_CHARSET = StandardCharsets.UTF_8;

	private final BootstrapProperties awsBootstrapProperties;
	private KmsClient client;
	private String keyId;


	AWSSensitivePropertyProvider(final BootstrapProperties bootstrapProperties) throws SensitivePropertyProtectionException {
	super(bootstrapProperties);
	Objects.requireNonNull(bootstrapProperties, "The file bootstrap.conf provided to AWS SPP is null");
	awsBootstrapProperties = getAWSBootstrapProperties(bootstrapProperties);
	loadRequiredAWSProperties(awsBootstrapProperties);
	}

	/**
	* Initializes the KMS Client to be used for encrypt, decrypt and other interactions with AWS KMS.
	* First attempts to use credentials/configuration in bootstrap-aws.conf.
	* If credentials/configuration in bootstrap-aws.conf is not fully configured,
	* attempt to initialize credentials using default AWS credentials/configuration chain.
	* Note: This does not verify if credentials are valid.
	*/
	private void initializeClient() {
	if (awsBootstrapProperties == null) {
	logger.warn("AWS Bootstrap Properties are required for KMS Client initialization");
	return;
	}
	final String accessKey = awsBootstrapProperties.getProperty(ACCESS_KEY_PROPS_NAME);
	final String secretKey = awsBootstrapProperties.getProperty(SECRET_KEY_PROPS_NAME);
	final String region = awsBootstrapProperties.getProperty(REGION_KEY_PROPS_NAME);

	if (StringUtils.isNoneBlank(accessKey, secretKey, region)) {
	logger.debug("Using AWS credentials from bootstrap properties");
	try {
	final AwsBasicCredentials credentials = AwsBasicCredentials.create(accessKey, secretKey);
	client = KmsClient.builder()
	.region(Region.of(region))
	.credentialsProvider(StaticCredentialsProvider.create(credentials))
	.build();
	} catch (final RuntimeException e) {
	final String msg = "Valid configuration/credentials are required to initialize KMS client";
	throw new SensitivePropertyProtectionException(msg, e);
	}
	} else {
	logger.debug("Using AWS credentials from default credentials provider");
	try {
	final DefaultCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder()
	.build();
	credentialsProvider.resolveCredentials();
	client = KmsClient.builder()
	.credentialsProvider(credentialsProvider)
	.build();
	} catch (final SdkClientException e) {
	final String msg = "Valid configuration/credentials are required to initialize KMS client";
	throw new SensitivePropertyProtectionException(msg, e);
	}
	}
	}

	/**
	* Validates the key ARN, credentials and configuration provided by the user.
	* Note: This function performs checks on the key and indirectly also validates the credentials and
	* configurations provided during the initialization of the client.
	*/
	private void validate() throws KmsException, SensitivePropertyProtectionException {
	if (client == null) {
	final String msg = "The AWS KMS Client failed to open, cannot validate key";
	throw new SensitivePropertyProtectionException(msg);
	}
	if (StringUtils.isBlank(keyId)) {
	final String msg = "The AWS KMS key provided is blank";
	throw new SensitivePropertyProtectionException(msg);
	}

	// asking for a Key Description is the best way to check whether a key is valid
	// because AWS KMS accepts various formats for its keys.
	final DescribeKeyRequest request = DescribeKeyRequest.builder()
	.keyId(keyId)
	.build();

	// using the KmsClient in a DescribeKey request indirectly also verifies if the credentials provided
	// during the initialization of the key are valid
	final DescribeKeyResponse response = client.describeKey(request);
	final KeyMetadata metadata = response.keyMetadata();

	if (!metadata.enabled()) {
	final String msg = String.format("AWS KMS key [%s] is not enabled", keyId);
	throw new SensitivePropertyProtectionException(msg);
	}
	}

	/**
	* Checks if we have a key ID from AWS KMS and loads it into {@link #keyId}. Will load null if key is not present.
	* Note: This function does not verify if the key is correctly formatted/valid.
	* @param props the properties representing bootstrap-aws.conf
	*/
	private void loadRequiredAWSProperties(final BootstrapProperties props) {
	if (props != null) {
	keyId = props.getProperty(KMS_KEY_PROPS_NAME);
	}
	}


	/**
	* Checks bootstrap.conf to check if BootstrapPropertyKey.AWS_KMS_SENSITIVE_PROPERTY_PROVIDER_CONF property is
	* configured to the bootstrap-aws.conf file. Also will try to load bootstrap-aws.conf to {@link #awsBootstrapProperties}.
	* @param bootstrapProperties BootstrapProperties object corresponding to bootstrap.conf.
	* @return BootstrapProperties object corresponding to bootstrap-aws.conf, null otherwise.
	*/
	private BootstrapProperties getAWSBootstrapProperties(final BootstrapProperties bootstrapProperties) {
	final BootstrapProperties cloudBootstrapProperties;

	// Load the bootstrap-aws.conf file based on path specified in
	// "nifi.bootstrap.protection.aws.kms.conf" property of bootstrap.conf
	final String filePath = bootstrapProperties.getProperty(BootstrapPropertyKey.AWS_KMS_SENSITIVE_PROPERTY_PROVIDER_CONF).orElse(null);
	if (StringUtils.isBlank(filePath)) {
	logger.warn("AWS KMS properties file path not configured in bootstrap properties");
	return null;
	}

	try {
	cloudBootstrapProperties = AbstractBootstrapPropertiesLoader.loadBootstrapProperties(
	Paths.get(filePath), AWS_PREFIX);
	} catch (final IOException e) {
	throw new SensitivePropertyProtectionException("Could not load " + filePath, e);
	}

	return cloudBootstrapProperties;
	}

	/**
	* Checks bootstrap-aws.conf for the required configurations for AWS KMS encrypt/decrypt operations.
	* Note: This does not check for credentials/region configurations.
	* Credentials/configuration will be checked during the first protect/unprotect call during runtime.
	* @return true if bootstrap-aws.conf contains the required properties for AWS SPP, false otherwise.
	*/
	private boolean hasRequiredAWSProperties() {
	return awsBootstrapProperties != null && StringUtils.isNotBlank(keyId);
	}

	@Override
	public boolean isSupported() {
	return hasRequiredAWSProperties();
	}

	@Override
	protected PropertyProtectionScheme getProtectionScheme() {
	return PropertyProtectionScheme.AWS_KMS;
	}

	/**
	* Returns the name of the underlying implementation.
	*
	* @return the name of this sensitive property provider.
	*/
	@Override
	public String getName() {
	return PropertyProtectionScheme.AWS_KMS.getName();
	}

	/**
	* Returns the key used to identify the provider implementation in {@code nifi.properties}.
	*
	* @return the key to persist in the sibling property.
	*/
	@Override
	public String getIdentifierKey() {
	return PropertyProtectionScheme.AWS_KMS.getIdentifier();
	}


	/**
	* Returns the ciphertext blob of this value encrypted using an AWS KMS CMK.
	*
	* @return the ciphertext blob to persist in the {@code nifi.properties} file.
	*/
	private byte[] encrypt(final byte[] input) {
	final SdkBytes plainBytes = SdkBytes.fromByteArray(input);

	final EncryptRequest encryptRequest = EncryptRequest.builder()
	.keyId(keyId)
	.plaintext(plainBytes)
	.build();

	final EncryptResponse response = client.encrypt(encryptRequest);
	final SdkBytes encryptedData = response.ciphertextBlob();

	return encryptedData.asByteArray();
	}

	/**
	* Returns the value corresponding to a ciphertext blob decrypted using an AWS KMS CMK.
	*
	* @return the "unprotected" byte[] of this value, which could be used by the application.
	*/
	private byte[] decrypt(final byte[] input) {
	final SdkBytes cipherBytes = SdkBytes.fromByteArray(input);

	final DecryptRequest decryptRequest = DecryptRequest.builder()
	.ciphertextBlob(cipherBytes)
	.keyId(keyId)
	.build();

	final DecryptResponse response = client.decrypt(decryptRequest);
	final SdkBytes decryptedData = response.plaintext();

	return decryptedData.asByteArray();
	}

	/**
	* Checks if the client is open and if not, initializes the client and validates the key required for AWS KMS.
	*/
	private void checkAndInitializeClient() throws SensitivePropertyProtectionException {
	if (client == null) {
	try {
	initializeClient();
	validate();
	} catch (final SdkClientException \| KmsException \| SensitivePropertyProtectionException e) {
	throw new SensitivePropertyProtectionException("Error initializing the AWS KMS Client", e);
	}
	}
	}

	/**
	* Returns the "protected" form of this value. This is a form which can safely be persisted in the {@code nifi.properties} file without compromising the value.
	* An encryption-based provider would return a cipher text, while a remote-lookup provider could return a unique ID to retrieve the secured value.
	*
	* @param unprotectedValue the sensitive value.
	* @param context The context of the value (ignored in this implementation)
	* @return the value to persist in the {@code nifi.properties} file.
	*/
	@Override
	public String protect(final String unprotectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException {
	if (StringUtils.isBlank(unprotectedValue)) {
	throw new IllegalArgumentException("Cannot encrypt a blank value");
	}

	checkAndInitializeClient();

	try {
	final byte[] plainBytes = unprotectedValue.getBytes(PROPERTY_CHARSET);
	final byte[] cipherBytes = encrypt(plainBytes);
	return Base64.getEncoder().encodeToString(cipherBytes);
	} catch (final SdkClientException \| KmsException e) {
	throw new SensitivePropertyProtectionException("Encrypt failed", e);
	}
	}

	/**
	* Returns the "unprotected" form of this value. This is the raw sensitive value which is used by the application logic.
	* An encryption-based provider would decrypt a cipher text and return the plaintext, while a remote-lookup provider could retrieve the secured value.
	*
	* @param protectedValue the protected value read from the {@code nifi.properties} file.
	* @param context The context of the value (ignored in this implementation)
	* @return the raw value to be used by the application.
	*/
	@Override
	public String unprotect(final String protectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException {
	if (StringUtils.isBlank(protectedValue)) {
	throw new IllegalArgumentException("Cannot decrypt a blank value");
	}

	checkAndInitializeClient();

	try {
	final byte[] cipherBytes = Base64.getDecoder().decode(protectedValue);
	final byte[] plainBytes = decrypt(cipherBytes);
	return new String(plainBytes, PROPERTY_CHARSET);
	} catch (final SdkClientException \| KmsException e) {
	throw new SensitivePropertyProtectionException("Decrypt failed", e);
	}
	}

	/**
	* Closes AWS KMS client that may have been opened.
	*/
	@Override
	public void cleanUp() {
	if (client != null) {
	client.close();
	client = null;
	}
	}
	}