emiliosetiadarma commented on a change in pull request #5202: URL: https://github.com/apache/nifi/pull/5202#discussion_r669786171
########## File path: nifi-commons/nifi-sensitive-property-provider/src/main/java/org/apache/nifi/properties/AWSSensitivePropertyProvider.java ########## @@ -0,0 +1,377 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.properties; + +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.properties.BootstrapProperties.BootstrapPropertyKey; + +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.EncoderException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; +import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; +import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.core.exception.SdkClientException; +import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.DecryptRequest; +import software.amazon.awssdk.services.kms.model.DecryptResponse; +import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; +import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; +import software.amazon.awssdk.services.kms.model.EncryptRequest; +import software.amazon.awssdk.services.kms.model.EncryptResponse; +import software.amazon.awssdk.services.kms.model.KeyMetadata; +import software.amazon.awssdk.services.kms.model.KmsException; + +import java.io.IOException; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; +import java.nio.file.Paths; + +public class AWSSensitivePropertyProvider extends AbstractSensitivePropertyProvider { + private static final Logger logger = LoggerFactory.getLogger(AWSSensitivePropertyProvider.class); + + private static final String AWS_PREFIX = "aws"; + private static final String ACCESS_KEY_PROPS_NAME = "aws.access.key.id"; + private static final String SECRET_KEY_PROPS_NAME = "aws.secret.key.id"; + private static final String REGION_KEY_PROPS_NAME = "aws.region"; + private static final String KMS_KEY_PROPS_NAME = "aws.kms.key.id"; + + private static final Charset PROPERTY_CHARSET = StandardCharsets.UTF_8; + + private final BootstrapProperties awsBootstrapProperties; + private KmsClient client; + private String keyId; + + + AWSSensitivePropertyProvider(final BootstrapProperties bootstrapProperties) throws SensitivePropertyProtectionException { + super(bootstrapProperties); + // if either awsBootstrapProperties or keyId is loaded as null values, then isSupported will return false + awsBootstrapProperties = getAWSBootstrapProperties(bootstrapProperties); + if (awsBootstrapProperties != null) { + loadRequiredAWSProperties(awsBootstrapProperties); + } + } + + /** + * Initializes the KMS Client to be used for encrypt, decrypt and other interactions with AWS KMS. + * First attempts to use credentials/configuration in bootstrap-aws.conf. + * If credentials/configuration in bootstrap-aws.conf is not fully configured, + * attempt to initialize credentials using default AWS credentials/configuration chain. + * Note: This does not verify if credentials are valid. + */ + private final void initializeClient() { + if (awsBootstrapProperties == null) { + logger.warn("Cannot initialize client if awsBootstrapProperties is null"); + return; + } + final String accessKeyId = awsBootstrapProperties.getProperty(ACCESS_KEY_PROPS_NAME); + final String secretKeyId = awsBootstrapProperties.getProperty(SECRET_KEY_PROPS_NAME); + final String region = awsBootstrapProperties.getProperty(REGION_KEY_PROPS_NAME); + + if (StringUtils.isNotBlank(accessKeyId) && StringUtils.isNotBlank(secretKeyId) && StringUtils.isNotBlank(region)) { + logger.debug("Credentials/Configuration provided in bootstrap-aws.conf"); + try { + final AwsBasicCredentials credentials = AwsBasicCredentials.create(accessKeyId, secretKeyId); + client = KmsClient.builder() + .region(Region.of(region)) + .credentialsProvider(StaticCredentialsProvider.create(credentials)) + .build(); + } catch (final KmsException | NullPointerException | IllegalArgumentException e) { + final String msg = "Valid configuration/credentials are required to initialize KMS client"; + logger.error(msg); + throw new SensitivePropertyProtectionException(msg, e); + } + } else { + // attempts to initialize client with credentials provider chain + logger.debug("Credentials/Configuration not provided in bootstrap-aws.conf, attempting to use default configuration"); + try { + final DefaultCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder() + .build(); + // the following is needed to check the default credential builder, if it fails, throws SdkClientException + credentialsProvider.resolveCredentials(); + client = KmsClient.builder() + .credentialsProvider(credentialsProvider) + .build(); + } catch (final SdkClientException e) { + // this exception occurs if default credentials are not provided + final String msg = "Valid configuration/credentials are required to initialize KMS client"; + logger.error(msg); + throw new SensitivePropertyProtectionException(msg, e); Review comment: Making the change -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
