gresockj commented on a change in pull request #5407: URL: https://github.com/apache/nifi/pull/5407#discussion_r715824740
########## File path: nifi-commons/nifi-repository-encryption/src/main/java/org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.java ########## @@ -0,0 +1,216 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.repository.encryption.configuration.kms; + +import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; +import org.apache.nifi.repository.encryption.configuration.EncryptionKeyProvider; +import org.apache.nifi.security.kms.FileBasedKeyProvider; +import org.apache.nifi.security.kms.KeyProvider; +import org.apache.nifi.security.kms.KeyProviderFactory; +import org.apache.nifi.security.kms.KeyStoreKeyProvider; +import org.apache.nifi.security.kms.StaticKeyProvider; +import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.KeystoreType; +import org.apache.nifi.security.util.TlsException; +import org.apache.nifi.util.NiFiBootstrapUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.io.IOException; +import java.security.KeyStore; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_LOCATION; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD; + +/** + * Standard implementation of Repository Key Provider Factory supporting shared and fallback properties + */ +public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory { + private static final Logger logger = LoggerFactory.getLogger(StandardRepositoryKeyProviderFactory.class); + + private static final String ROOT_KEY_ALGORITHM = "AES"; + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES = new HashMap<>(); + + static { + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION); + + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD); + } + + /** + * Get Key Provider for specified Encrypted Repository Type using shared and fallback NiFi Properties + * + * @param encryptedRepositoryType Encrypted Repository Type + * @param niFiProperties NiFi Properties + * @return Key Provider configured using applicable properties + */ + @Override + public KeyProvider getKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required"); + Objects.requireNonNull(niFiProperties, "NiFi Properties required"); + final EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(encryptedRepositoryType, niFiProperties); + final KeyProviderConfiguration<?> keyProviderConfiguration = getKeyProviderConfiguration(encryptedRepositoryType, encryptionKeyProvider, niFiProperties); + return KeyProviderFactory.getKeyProvider(keyProviderConfiguration); + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + EncryptionKeyProvider encryptionKeyProvider = null; + final String sharedKeyProvider = niFiProperties.getProperty(REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + if (StringUtils.isBlank(sharedKeyProvider)) { + logger.debug("Key Provider Property [{}] not configured", REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + final String classProperty = REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.get(encryptedRepositoryType); + final String implementationClass = niFiProperties.getProperty(classProperty); + if (StringUtils.isBlank(implementationClass)) { + final String message = String.format("Key Provider Property [%s] not configured", classProperty); + throw new EncryptedConfigurationException(message); + } else { + encryptionKeyProvider = getEncryptionKeyProvider(implementationClass); + } + } else { + for (final EncryptionKeyProvider currentEncryptKeyProvider : EncryptionKeyProvider.values()) { Review comment: Could this be moved to something like `EncryptionKeyProvider#valueOf(String)`? ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/repository/crypto/EncryptedFileSystemRepository.java ########## @@ -227,37 +205,13 @@ public OutputStream write(final ContentClaim claim) throws IOException { final long startingOffset = claimStream.getBytesWritten(); try { - String keyId = getActiveKeyId(); - String recordId = getRecordId(claim); - logger.debug("Creating encrypted output stream (keyId: " + keyId + ") to write flowfile content with record ID: " + recordId); - final OutputStream out = getEncryptedOutputStream(scc, claimStream, startingOffset, keyId, recordId); - logger.debug("Writing to {}", out); - if (logger.isTraceEnabled()) { - logger.trace("Stack trace: ", new RuntimeException("Stack Trace for writing to " + out)); - } - - return out; - } catch (EncryptionException | KeyManagementException e) { - logger.error("Encountered an error instantiating the encrypted content repository output stream: " + e.getMessage()); + final String recordId = getRecordId(claim); + return getEncryptedOutputStream(scc, claimStream, startingOffset, keyId, recordId); + } catch (KeyManagementException e) { Review comment: Could be `final` ########## File path: nifi-commons/nifi-repository-encryption/src/main/java/org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.java ########## @@ -0,0 +1,216 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.repository.encryption.configuration.kms; + +import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; +import org.apache.nifi.repository.encryption.configuration.EncryptionKeyProvider; +import org.apache.nifi.security.kms.FileBasedKeyProvider; +import org.apache.nifi.security.kms.KeyProvider; +import org.apache.nifi.security.kms.KeyProviderFactory; +import org.apache.nifi.security.kms.KeyStoreKeyProvider; +import org.apache.nifi.security.kms.StaticKeyProvider; +import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.KeystoreType; +import org.apache.nifi.security.util.TlsException; +import org.apache.nifi.util.NiFiBootstrapUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.io.IOException; +import java.security.KeyStore; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_LOCATION; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD; + +/** + * Standard implementation of Repository Key Provider Factory supporting shared and fallback properties + */ +public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory { + private static final Logger logger = LoggerFactory.getLogger(StandardRepositoryKeyProviderFactory.class); + + private static final String ROOT_KEY_ALGORITHM = "AES"; + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES = new HashMap<>(); + + static { + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION); + + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD); + } + + /** + * Get Key Provider for specified Encrypted Repository Type using shared and fallback NiFi Properties + * + * @param encryptedRepositoryType Encrypted Repository Type + * @param niFiProperties NiFi Properties + * @return Key Provider configured using applicable properties + */ + @Override + public KeyProvider getKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required"); + Objects.requireNonNull(niFiProperties, "NiFi Properties required"); + final EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(encryptedRepositoryType, niFiProperties); + final KeyProviderConfiguration<?> keyProviderConfiguration = getKeyProviderConfiguration(encryptedRepositoryType, encryptionKeyProvider, niFiProperties); + return KeyProviderFactory.getKeyProvider(keyProviderConfiguration); + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + EncryptionKeyProvider encryptionKeyProvider = null; + final String sharedKeyProvider = niFiProperties.getProperty(REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + if (StringUtils.isBlank(sharedKeyProvider)) { + logger.debug("Key Provider Property [{}] not configured", REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + final String classProperty = REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.get(encryptedRepositoryType); + final String implementationClass = niFiProperties.getProperty(classProperty); + if (StringUtils.isBlank(implementationClass)) { + final String message = String.format("Key Provider Property [%s] not configured", classProperty); + throw new EncryptedConfigurationException(message); + } else { + encryptionKeyProvider = getEncryptionKeyProvider(implementationClass); + } + } else { + for (final EncryptionKeyProvider currentEncryptKeyProvider : EncryptionKeyProvider.values()) { + if (currentEncryptKeyProvider.toString().equals(sharedKeyProvider)) { + encryptionKeyProvider = currentEncryptKeyProvider; + } + } + } + + if (encryptionKeyProvider == null) { + final String message = String.format("Key Provider [%s] not found for Repository Type [%s] ", sharedKeyProvider, encryptedRepositoryType); + throw new EncryptedConfigurationException(message); + } + + return encryptionKeyProvider; + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final String implementationClass) { + EncryptionKeyProvider encryptionKeyProvider; + + if (implementationClass.endsWith(FileBasedKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.FILE_PROPERTIES; + } else if (implementationClass.endsWith(KeyStoreKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.KEYSTORE; + } else if (implementationClass.endsWith(StaticKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.NIFI_PROPERTIES; + } else { + final String message = String.format("Key Provider Class [%s] not supported", implementationClass); + throw new IllegalArgumentException(message); Review comment: Could this be in a method like `EncryptionKeyProvider#fromImplementationClassName(String)`? ########## File path: nifi-commons/nifi-repository-encryption/src/main/java/org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.java ########## @@ -0,0 +1,216 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.repository.encryption.configuration.kms; + +import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; +import org.apache.nifi.repository.encryption.configuration.EncryptionKeyProvider; +import org.apache.nifi.security.kms.FileBasedKeyProvider; +import org.apache.nifi.security.kms.KeyProvider; +import org.apache.nifi.security.kms.KeyProviderFactory; +import org.apache.nifi.security.kms.KeyStoreKeyProvider; +import org.apache.nifi.security.kms.StaticKeyProvider; +import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.KeystoreType; +import org.apache.nifi.security.util.TlsException; +import org.apache.nifi.util.NiFiBootstrapUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.io.IOException; +import java.security.KeyStore; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_LOCATION; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD; + +/** + * Standard implementation of Repository Key Provider Factory supporting shared and fallback properties + */ +public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory { + private static final Logger logger = LoggerFactory.getLogger(StandardRepositoryKeyProviderFactory.class); + + private static final String ROOT_KEY_ALGORITHM = "AES"; + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES = new HashMap<>(); + + static { + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION); + + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD); + } + + /** + * Get Key Provider for specified Encrypted Repository Type using shared and fallback NiFi Properties + * + * @param encryptedRepositoryType Encrypted Repository Type + * @param niFiProperties NiFi Properties + * @return Key Provider configured using applicable properties + */ + @Override + public KeyProvider getKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required"); + Objects.requireNonNull(niFiProperties, "NiFi Properties required"); + final EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(encryptedRepositoryType, niFiProperties); + final KeyProviderConfiguration<?> keyProviderConfiguration = getKeyProviderConfiguration(encryptedRepositoryType, encryptionKeyProvider, niFiProperties); + return KeyProviderFactory.getKeyProvider(keyProviderConfiguration); + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + EncryptionKeyProvider encryptionKeyProvider = null; + final String sharedKeyProvider = niFiProperties.getProperty(REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + if (StringUtils.isBlank(sharedKeyProvider)) { + logger.debug("Key Provider Property [{}] not configured", REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + final String classProperty = REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.get(encryptedRepositoryType); + final String implementationClass = niFiProperties.getProperty(classProperty); + if (StringUtils.isBlank(implementationClass)) { + final String message = String.format("Key Provider Property [%s] not configured", classProperty); + throw new EncryptedConfigurationException(message); + } else { + encryptionKeyProvider = getEncryptionKeyProvider(implementationClass); + } + } else { + for (final EncryptionKeyProvider currentEncryptKeyProvider : EncryptionKeyProvider.values()) { + if (currentEncryptKeyProvider.toString().equals(sharedKeyProvider)) { + encryptionKeyProvider = currentEncryptKeyProvider; + } + } + } + + if (encryptionKeyProvider == null) { + final String message = String.format("Key Provider [%s] not found for Repository Type [%s] ", sharedKeyProvider, encryptedRepositoryType); + throw new EncryptedConfigurationException(message); + } + + return encryptionKeyProvider; + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final String implementationClass) { + EncryptionKeyProvider encryptionKeyProvider; + + if (implementationClass.endsWith(FileBasedKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.FILE_PROPERTIES; + } else if (implementationClass.endsWith(KeyStoreKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.KEYSTORE; + } else if (implementationClass.endsWith(StaticKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.NIFI_PROPERTIES; + } else { + final String message = String.format("Key Provider Class [%s] not supported", implementationClass); + throw new IllegalArgumentException(message); + } + + return encryptionKeyProvider; + } + + private Map<String, String> getEncryptionKeys(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + switch (encryptedRepositoryType) { + case CONTENT: + return niFiProperties.getContentRepositoryEncryptionKeys(); + case FLOW_FILE: + return niFiProperties.getFlowFileRepoEncryptionKeys(); + case PROVENANCE: + return niFiProperties.getProvenanceRepoEncryptionKeys(); + default: + throw new IllegalArgumentException(String.format("Repository Type [%s] not supported", encryptedRepositoryType)); + } Review comment: What if we had an `EncryptionKeysExtractor` interface with a `#getRepositoryEncryptionKeys(NiFiProperties)` method, and a `EncryptedRepositoryType#getEncryptionKeysExtractor()` method? Then we could replace this with something like: ``` return encryptedRepositoryType.getEncryptionKeysExtractor() .getRepositoryEncryptionKeys(niFiProperties); ``` ########## File path: nifi-nar-bundles/nifi-provenance-repository-bundle/nifi-persistent-provenance-repository/src/main/java/org/apache/nifi/provenance/EncryptedSchemaRecordReader.java ########## @@ -60,29 +55,24 @@ protected StandardProvenanceEventRecord nextRecord(final DataInputStream in, fin } private StandardProvenanceEventRecord readRecord(final DataInputStream inputStream, final long eventId, final long startOffset, final int recordLength) throws IOException { - try { - final InputStream limitedIn = new LimitingInputStream(inputStream, recordLength); + final InputStream limitedIn = new LimitingInputStream(inputStream, recordLength); - byte[] encryptedSerializedBytes = new byte[recordLength]; - DataInputStream encryptedInputStream = new DataInputStream(limitedIn); - encryptedInputStream.readFully(encryptedSerializedBytes); + byte[] encryptedSerializedBytes = new byte[recordLength]; Review comment: Looks like the variables in this method could be `final`. ########## File path: nifi-commons/nifi-repository-encryption/src/main/java/org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.java ########## @@ -0,0 +1,216 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.repository.encryption.configuration.kms; + +import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; +import org.apache.nifi.repository.encryption.configuration.EncryptionKeyProvider; +import org.apache.nifi.security.kms.FileBasedKeyProvider; +import org.apache.nifi.security.kms.KeyProvider; +import org.apache.nifi.security.kms.KeyProviderFactory; +import org.apache.nifi.security.kms.KeyStoreKeyProvider; +import org.apache.nifi.security.kms.StaticKeyProvider; +import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.KeystoreType; +import org.apache.nifi.security.util.TlsException; +import org.apache.nifi.util.NiFiBootstrapUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.io.IOException; +import java.security.KeyStore; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_LOCATION; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD; + +/** + * Standard implementation of Repository Key Provider Factory supporting shared and fallback properties + */ +public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory { + private static final Logger logger = LoggerFactory.getLogger(StandardRepositoryKeyProviderFactory.class); + + private static final String ROOT_KEY_ALGORITHM = "AES"; + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES = new HashMap<>(); + + static { + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); + + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION); + REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION); + + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.FLOW_FILE, FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD); + REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES.put(EncryptedRepositoryType.PROVENANCE, PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD); + } + + /** + * Get Key Provider for specified Encrypted Repository Type using shared and fallback NiFi Properties + * + * @param encryptedRepositoryType Encrypted Repository Type + * @param niFiProperties NiFi Properties + * @return Key Provider configured using applicable properties + */ + @Override + public KeyProvider getKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required"); + Objects.requireNonNull(niFiProperties, "NiFi Properties required"); + final EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(encryptedRepositoryType, niFiProperties); + final KeyProviderConfiguration<?> keyProviderConfiguration = getKeyProviderConfiguration(encryptedRepositoryType, encryptionKeyProvider, niFiProperties); + return KeyProviderFactory.getKeyProvider(keyProviderConfiguration); + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + EncryptionKeyProvider encryptionKeyProvider = null; + final String sharedKeyProvider = niFiProperties.getProperty(REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + if (StringUtils.isBlank(sharedKeyProvider)) { + logger.debug("Key Provider Property [{}] not configured", REPOSITORY_ENCRYPTION_KEY_PROVIDER); + + final String classProperty = REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.get(encryptedRepositoryType); + final String implementationClass = niFiProperties.getProperty(classProperty); + if (StringUtils.isBlank(implementationClass)) { + final String message = String.format("Key Provider Property [%s] not configured", classProperty); + throw new EncryptedConfigurationException(message); + } else { + encryptionKeyProvider = getEncryptionKeyProvider(implementationClass); + } + } else { + for (final EncryptionKeyProvider currentEncryptKeyProvider : EncryptionKeyProvider.values()) { + if (currentEncryptKeyProvider.toString().equals(sharedKeyProvider)) { + encryptionKeyProvider = currentEncryptKeyProvider; + } + } + } + + if (encryptionKeyProvider == null) { + final String message = String.format("Key Provider [%s] not found for Repository Type [%s] ", sharedKeyProvider, encryptedRepositoryType); + throw new EncryptedConfigurationException(message); + } + + return encryptionKeyProvider; + } + + private EncryptionKeyProvider getEncryptionKeyProvider(final String implementationClass) { + EncryptionKeyProvider encryptionKeyProvider; + + if (implementationClass.endsWith(FileBasedKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.FILE_PROPERTIES; + } else if (implementationClass.endsWith(KeyStoreKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.KEYSTORE; + } else if (implementationClass.endsWith(StaticKeyProvider.class.getSimpleName())) { + encryptionKeyProvider = EncryptionKeyProvider.NIFI_PROPERTIES; + } else { + final String message = String.format("Key Provider Class [%s] not supported", implementationClass); + throw new IllegalArgumentException(message); + } + + return encryptionKeyProvider; + } + + private Map<String, String> getEncryptionKeys(final EncryptedRepositoryType encryptedRepositoryType, final NiFiProperties niFiProperties) { + switch (encryptedRepositoryType) { + case CONTENT: + return niFiProperties.getContentRepositoryEncryptionKeys(); + case FLOW_FILE: + return niFiProperties.getFlowFileRepoEncryptionKeys(); + case PROVENANCE: + return niFiProperties.getProvenanceRepoEncryptionKeys(); + default: + throw new IllegalArgumentException(String.format("Repository Type [%s] not supported", encryptedRepositoryType)); + } + } + + private KeyProviderConfiguration<?> getKeyProviderConfiguration(final EncryptedRepositoryType encryptedRepositoryType, + final EncryptionKeyProvider encryptionKeyProvider, + final NiFiProperties niFiProperties) { + if (EncryptionKeyProvider.NIFI_PROPERTIES == encryptionKeyProvider) { Review comment: What if we had a `KeyProviderConfigurationStrategy` interface with a `#getKeyProviderConfiguration(EncryptedRepositryType, NiFiProperties)` method, and an `EncryptionKeyProvider#getKeyProviderConfigurationStrategy()` method. Then you could move most of the conditional logic to the `KeyProviderConfigurationStrategy` implementations and replace this method with something like: ``` return encryptionKeyProvider.getKeyProviderConfigurationStrategy() .getKeyProviderConfiguration(encryptedRepositoryType, niFiProperties); ``` ########## File path: nifi-nar-bundles/nifi-provenance-repository-bundle/nifi-persistent-provenance-repository/src/main/java/org/apache/nifi/provenance/EncryptedSchemaRecordReader.java ########## @@ -107,13 +97,8 @@ private StandardProvenanceEventRecord readRecord(final DataInputStream inputStre return Optional.empty(); } - private byte[] decrypt(byte[] encryptedBytes, String eventId) throws IOException, EncryptionException { - try { - return provenanceEventEncryptor.decrypt(encryptedBytes, eventId); - } catch (Exception e) { - logger.error("Encountered an error: ", e); - throw new EncryptionException(e); - } + private byte[] decrypt(byte[] encryptedBytes, String eventId) { Review comment: Could be `final` ########## File path: nifi-commons/nifi-repository-encryption/src/main/java/org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.java ########## @@ -0,0 +1,216 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.repository.encryption.configuration.kms; + +import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType; +import org.apache.nifi.repository.encryption.configuration.EncryptionKeyProvider; +import org.apache.nifi.security.kms.FileBasedKeyProvider; +import org.apache.nifi.security.kms.KeyProvider; +import org.apache.nifi.security.kms.KeyProviderFactory; +import org.apache.nifi.security.kms.KeyStoreKeyProvider; +import org.apache.nifi.security.kms.StaticKeyProvider; +import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration; +import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.KeystoreType; +import org.apache.nifi.security.util.TlsException; +import org.apache.nifi.util.NiFiBootstrapUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.util.StringUtils; +import org.bouncycastle.util.encoders.DecoderException; +import org.bouncycastle.util.encoders.Hex; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.io.IOException; +import java.security.KeyStore; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_PASSWORD; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.FLOWFILE_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_LOCATION; +import static org.apache.nifi.util.NiFiProperties.PROVENANCE_REPO_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_LOCATION; +import static org.apache.nifi.util.NiFiProperties.REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD; + +/** + * Standard implementation of Repository Key Provider Factory supporting shared and fallback properties + */ +public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory { + private static final Logger logger = LoggerFactory.getLogger(StandardRepositoryKeyProviderFactory.class); + + private static final String ROOT_KEY_ALGORITHM = "AES"; + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_LOCATION_PROPERTIES = new HashMap<>(); + + private static final Map<EncryptedRepositoryType, String> REPOSITORY_KEY_PROVIDER_PASSWORD_PROPERTIES = new HashMap<>(); + + static { + REPOSITORY_KEY_PROVIDER_CLASS_PROPERTIES.put(EncryptedRepositoryType.CONTENT, CONTENT_REPOSITORY_ENCRYPTION_KEY_PROVIDER_IMPLEMENTATION_CLASS); Review comment: Rather than having 3 parallel maps, could try to add methods directly to the `EncryptedRepositoryType`? ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/TestEncryptedFileSystemSwapManager.java ########## @@ -97,8 +92,7 @@ public void testSwapOutSwapIn() throws GeneralSecurityException, EncryptionExcep /** * Borrowed from "nifi-framework-core/src/test/java/org/apache/nifi/controller/TestFileSystemSwapManager.java". */ - private FlowFileSwapManager createSwapManager(NiFiProperties nifiProperties) - throws IOException, GeneralSecurityException, EncryptionException { + private FlowFileSwapManager createSwapManager(NiFiProperties nifiProperties) throws GeneralSecurityException { Review comment: Could be `final` ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-flowfile-repo-serialization/src/main/java/org/apache/nifi/controller/repository/EncryptedSchemaRepositoryRecordSerde.java ########## @@ -152,54 +106,33 @@ public void serializeEdit(SerializedRepositoryRecord previousRecordState, Serial @Override public void serializeRecord(final SerializedRepositoryRecord record, final DataOutputStream out) throws IOException { // Create BAOS wrapped in DOS to intercept the output - ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); - DataOutputStream tempDataStream = new DataOutputStream(byteArrayOutputStream); + final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + final DataOutputStream tempDataStream = new DataOutputStream(byteArrayOutputStream); // Use the delegate to serialize the actual record and extract the output - String recordId = getRecordIdentifier(record).toString(); + final String recordId = getRecordIdentifier(record).toString(); wrappedSerDe.serializeRecord(record, tempDataStream); tempDataStream.flush(); - byte[] plainSerializedBytes = byteArrayOutputStream.toByteArray(); - logger.debug("Serialized flowfile record {} to temp stream with length {}", recordId, plainSerializedBytes.length); + final byte[] plainSerializedBytes = byteArrayOutputStream.toByteArray(); // Encrypt the serialized byte[] to the real stream encryptToStream(plainSerializedBytes, recordId, out); - logger.debug("Encrypted serialized flowfile record {} to actual output stream", recordId); } /** * Encrypts the plain serialized bytes and writes them to the output stream. Precedes - * the cipher bytes with the plaintext - * {@link org.apache.nifi.security.repository.RepositoryObjectEncryptionMetadata} data - * to allow for on-demand deserialization and decryption. + * the cipher bytes with the plaintext to allow for on-demand deserialization and decryption. * * @param plainSerializedBytes the plain serialized bytes * @param recordId the unique identifier for this record to be stored in the encryption metadata * @param out the output stream * @throws IOException if there is a problem writing to the stream */ private void encryptToStream(byte[] plainSerializedBytes, String recordId, DataOutputStream out) throws IOException { - try { - RepositoryObjectBlockEncryptor encryptor = new RepositoryObjectAESGCMEncryptor(); - encryptor.initialize(keyProvider); - logger.debug("Initialized {} for flowfile record {}", encryptor.toString(), recordId); - - byte[] cipherBytes = encryptor.encrypt(plainSerializedBytes, recordId, getActiveKeyId()); - logger.debug("Encrypted {} bytes for flowfile record {}", cipherBytes.length, recordId); - - // Maybe remove cipher bytes length because it's included in encryption metadata; deserialization might need to change? - out.writeInt(cipherBytes.length); - out.write(cipherBytes); - logger.debug("Wrote {} bytes (encrypted, including length) for flowfile record {} to output stream", cipherBytes.length + 4, recordId); - } catch (KeyManagementException | EncryptionException e) { - logger.error("Encountered an error encrypting & serializing flowfile record {} due to {}", recordId, e.getLocalizedMessage()); - if (logger.isDebugEnabled()) { - logger.debug(e.getLocalizedMessage(), e); - } - - // The calling method contract only throws IOException - throw new IOException("Encountered an error encrypting & serializing flowfile record " + recordId, e); - } + final byte[] cipherBytes = encryptor.encrypt(plainSerializedBytes, recordId, keyId); + // Maybe remove cipher bytes length because it's included in encryption metadata; deserialization might need to change? Review comment: This looks like a TODO -- perhaps better captured in a JIRA if we want to add it as a future enhancement? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
