[GitHub] [nifi] alopresto commented on a change in pull request #3672: NIFI-6363 Additional Sensitive Property Providers

Tue, 27 Aug 2019 11:03:46 -0700 

alopresto commented on a change in pull request #3672: NIFI-6363 Additional 
Sensitive Property Providers
URL: https://github.com/apache/nifi/pull/3672#discussion_r318145112
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-properties-loader/src/main/java/org/apache/nifi/properties/sensitive/gcp/kms/GCPKMSSensitivePropertyProvider.java
 ##########
 @@ -0,0 +1,187 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.properties.sensitive.gcp.kms;
+
+import com.google.cloud.kms.v1.CryptoKeyName;
+import com.google.cloud.kms.v1.DecryptResponse;
+import com.google.cloud.kms.v1.EncryptResponse;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.protobuf.ByteString;
+import org.apache.commons.lang3.StringUtils;
+import 
org.apache.nifi.properties.sensitive.SensitivePropertyConfigurationException;
+import 
org.apache.nifi.properties.sensitive.SensitivePropertyProtectionException;
+import org.apache.nifi.properties.sensitive.SensitivePropertyProvider;
+import org.bouncycastle.util.encoders.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * This provider uses the GCP SDK to interact with the GCP KMS.  Values are 
encoded/decoded base64, using the
+ * standard encoders from bouncycastle.
+ */
+public class GCPKMSSensitivePropertyProvider implements 
SensitivePropertyProvider {
+    private static final Logger logger = 
LoggerFactory.getLogger(GCPKMSSensitivePropertyProvider.class);
+    private static final String IMPLEMENTATION_NAME = "GCP KMS Sensitive 
Property Provider";
+
+    private static final String MATERIAL_PREFIX = "gcp";
+    private static final String MATERIAL_KEY_TYPE = "kms";
+    private static final String MATERIAL_SEPARATOR = "/";
+    private static final String IMPLEMENTATION_PREFIX = MATERIAL_PREFIX + 
MATERIAL_SEPARATOR + MATERIAL_KEY_TYPE + MATERIAL_SEPARATOR;
+
+    private String keyId;
+    private String projectId;
+    private String locationId;
+    private String keyRingId;
+    private String cryptoKeyId;
+
+    private final String resource;
+    private final KeyManagementServiceClient client;
+
+
+    public GCPKMSSensitivePropertyProvider(String keyId) {
+        if 
(StringUtils.isBlank(System.getenv("GOOGLE_APPLICATION_CREDENTIALS"))) {
+            throw new SensitivePropertyConfigurationException("Unable to find 
Google Application Credentials");
+        }
+        extractKeyParts(keyId);
+        this.resource = CryptoKeyName.format(projectId, locationId, keyRingId, 
cryptoKeyId);
+        try {
+            this.client = KeyManagementServiceClient.create();
+        } catch (IOException e) {
+            throw new SensitivePropertyConfigurationException("Unable to 
create service client", e);
+        }
+    }
+
+    private void extractKeyParts(String keyId) {
+        if (StringUtils.isBlank(keyId)) throw new 
SensitivePropertyConfigurationException("The key cannot be empty");
+
+        this.keyId = keyId;
+
+        String[] parts = this.keyId.split(MATERIAL_SEPARATOR, 3);
+        if (parts.length != 3 || !parts[0].equals(MATERIAL_PREFIX) || 
!parts[1].equals(MATERIAL_KEY_TYPE))
+            throw new SensitivePropertyConfigurationException("Invalid GCP 
key");
+
+        String path = parts[2];
+        Pattern simplePattern = 
Pattern.compile("([^/]+)/([^/]+)/([^/]+)/([^/]+)");
+        Pattern verbosePattern = 
Pattern.compile("projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)");
+
+        Matcher match = null;
+        if (verbosePattern.asPredicate().test(path)) {
+            match = verbosePattern.matcher(path);
+        } else if (simplePattern.asPredicate().test(path)) {
+            match = simplePattern.matcher(path);
+        }
+
+        if (match == null || match.groupCount() != 4 || !match.find())
+            throw new SensitivePropertyConfigurationException("Invalid GCP key 
pattern");
+
+        projectId = match.group(1);
+        locationId = match.group(2);
+        keyRingId = match.group(3);
+        cryptoKeyId = match.group(4);
+
+        if (StringUtils.isBlank(projectId) || StringUtils.isBlank(locationId) 
|| StringUtils.isBlank(keyRingId) || StringUtils.isBlank(cryptoKeyId))
+            throw new SensitivePropertyConfigurationException("Invalid GCP key 
identifier");
+    }
+
+    /**
+     * Returns the name of the underlying implementation.
+     *
+     * @return the name of this sensitive property provider
+     */
+    @Override
+    public String getName() {
+        return IMPLEMENTATION_NAME;
+    }
+
+    /**
+     * Returns the key used to identify the provider implementation in {@code 
nifi.properties}.
+     *
+     * @return the key to persist in the sibling property
+     */
+    @Override
+    public String getIdentifierKey() {
+        return keyId;
+    }
+
+    /**
+     * Returns the "protected" form of this value. This is a form which can 
safely be persisted in the {@code nifi.properties} file without compromising 
the value.
+     * An encryption-based provider would return a cipher text, while a 
remote-lookup provider could return a unique ID to retrieve the secured value.
+     *
+     * @param unprotectedValue the sensitive value
+     * @return the value to persist in the {@code nifi.properties} file
+     */
+    @Override
+    public String protect(String unprotectedValue) throws 
SensitivePropertyProtectionException {
+        if (StringUtils.isBlank(unprotectedValue)) {
+            throw new IllegalArgumentException("Cannot encrypt an empty 
value");
+        }
+
+        EncryptResponse response;
+        try {
+            response = client.encrypt(resource, 
ByteString.copyFrom(unprotectedValue, StandardCharsets.UTF_8));
+        } catch (final com.google.api.gax.rpc.NotFoundException e) {
 
 Review comment:
   Import exception. 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to