
Moved encryption-sdk from lib to modules to resolve dependency issues
Signed-off-by: Vikas Bansal <43470111+vikasvb90@users.noreply.github.com>
vikasvb90 committed Sep 6, 2023
1 parent 9d6c43a commit 4214a81
Showing 48 changed files with 957 additions and 408 deletions.
4 changes: 0 additions & 4 deletions distribution/tools/plugin-cli/build.gradle
Expand Up @@ -48,10 +48,6 @@ dependencies {
implementation 'org.apache.commons:commons-compress:1.23.0'
}

configurations.implementation {
exclude group: 'org.bouncycastle', module: 'bcprov-jdk15to18'
}

tasks.named("dependencyLicenses").configure {
mapping from: /bc.*/, to: 'bouncycastle'
}
Expand Up @@ -11,6 +11,7 @@
import org.opensearch.common.annotation.ExperimentalApi;
import org.opensearch.common.io.InputStreamContainer;

import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;

Expand All @@ -22,7 +23,7 @@
* U - Parsed Encryption Metadata / CryptoContext
*/
@ExperimentalApi
public interface CryptoHandler<T, U> {
public interface CryptoHandler<T, U> extends Closeable {

/**
* To initialise or create a new crypto metadata to be used in encryption. This is needed to set the context before
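Review bot: Making `CryptoHandler` extend `Closeable` on line 43 changes the contract for every implementer and caller, but the interface Javadoc that starts on line 45 and continues below the hunk says nothing about what `close()` releases or whether the handler may still be used afterwards. `Closeable.close()` also declares `IOException`, so callers now have to decide whether a failed close is fatal; implementations with nothing to release (like `NoOpCryptoHandler` further down the page) should narrow the signature to `public void close()` as that one does. Suggest adding to the type-level Javadoc: `Implementations may hold cached key material or other resources; callers must {@link #close()} the handler when it is no longer needed, after which the behaviour of the other methods is unspecified.`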

This file was deleted.

This file was deleted.

This file was deleted.

Expand Up @@ -15,12 +15,17 @@ thirdPartyAudit.enabled = false
forbiddenApisTest.ignoreFailures = true
testingConventions.enabled = false

opensearchplugin {
description 'Crypto module plugin for providing encryption and decryption support.'
classname 'org.opensearch.encryption.CryptoModulePlugin'
}

dependencies {
// Common crypto classes
api project(':libs:opensearch-common')

// Encryption
implementation "com.amazonaws:aws-encryption-sdk-java:2.4.0"
implementation "com.amazonaws:aws-encryption-sdk-java:1.7.0"
implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
implementation "org.apache.commons:commons-lang3:${versions.commonslang}"

//Tests
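Review bot: The dependency change on lines 70–71 moves `aws-encryption-sdk-java` from 2.4.0 down to 1.7.0, and the build file records no reason for it beyond the commit title's "dependency issues". In that SDK the 1.7.x line is the migration release that can decrypt key-committing messages but does not encrypt with them (its commitment policy is fixed to forbid-encrypt/allow-decrypt), whereas `CryptoModulePlugin` on this page selects `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY`; if that suite is ever handed to the SDK for encryption on 1.7.0 it would presumably be rejected, so the pin and the suite choice need to be reconciled before a real handler replaces the no-op one. At minimum record the reason next to the coordinate, e.g. `implementation "com.amazonaws:aws-encryption-sdk-java:1.7.0" // pinned: <conflict that 2.4.0 caused>; 2.x is required to encrypt with a COMMIT_KEY suite`. The `dependencies` block closes outside the hunk.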
@@ -0,0 +1 @@
51704a672e65456d37f444c5992c079feff31218
1 change: 1 addition & 0 deletions modules/crypto/licenses/bcprov-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
df22e1b6a9f6b218913f5b68dd16641344397fe0
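--- a/modules/crypto/licenses/bcprov-jdk15to18-LICENSE.txt
+++ b/modules/crypto/licenses/bcprov-jdk15to18-LICENSE.txt
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
+(http://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.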
Empty file.
@@ -0,0 +1,67 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*/

package org.opensearch.encryption;

import org.opensearch.common.crypto.CryptoHandler;
import org.opensearch.common.crypto.MasterKeyProvider;
import org.opensearch.common.unit.TimeValue;
import org.opensearch.encryption.keyprovider.CryptoMasterKey;
import org.opensearch.plugins.CryptoPlugin;
import org.opensearch.plugins.Plugin;

import java.security.SecureRandom;
import java.util.concurrent.TimeUnit;

import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager;
import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache;

public class CryptoModulePlugin extends Plugin implements CryptoPlugin<Object, Object> {

private final int dataKeyCacheSize = 500;
private final String algorithm = "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY";

// - Cache TTL and Jitter is used to decide the Crypto Cache TTL.
// - Random number between: (TTL Jitter, TTL - Jitter)
private final long dataKeyCacheTTL = TimeValue.timeValueDays(2).getMillis();
private static final long dataKeyCacheJitter = TimeUnit.MINUTES.toMillis(30); // - 30 minutes

public CryptoHandler<Object, Object> getOrCreateCryptoHandler(
MasterKeyProvider keyProvider,
String keyProviderName,
String keyProviderType,
Runnable onClose
) {
CachingCryptoMaterialsManager materialsManager = createMaterialsManager(keyProvider, keyProviderName, algorithm);
return createCryptoHandler(algorithm, materialsManager, keyProvider);
}

// package private for tests
CryptoHandler<Object, Object> createCryptoHandler(
String algorithm,
CachingCryptoMaterialsManager materialsManager,
MasterKeyProvider masterKeyProvider
) {
return new NoOpCryptoHandler();
}

// Package private for tests
CachingCryptoMaterialsManager createMaterialsManager(MasterKeyProvider masterKeyProvider, String keyProviderName, String algorithm) {
SecureRandom r = new SecureRandom();
long low = dataKeyCacheTTL - dataKeyCacheJitter;
long high = dataKeyCacheTTL + dataKeyCacheJitter;
long masterKeyCacheTTL = r.nextInt((int) (high - low)) + low;

CryptoMasterKey cryptoMasterKey = new CryptoMasterKey(masterKeyProvider, keyProviderName, algorithm);
return CachingCryptoMaterialsManager.newBuilder()
.withMasterKeyProvider(cryptoMasterKey)
.withCache(new LocalCryptoMaterialsCache(dataKeyCacheSize))
.withMaxAge(masterKeyCacheTTL, TimeUnit.MILLISECONDS)
.build();
}
}
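Review bot: `getOrCreateCryptoHandler` on lines 145–153 accepts an `onClose` callback that is never used, and `createCryptoHandler` on lines 156–162 ignores all three of its arguments — including the `CachingCryptoMaterialsManager` just built from a fresh `SecureRandom` — and returns a `NoOpCryptoHandler`, whose decrypting stream provider (see the NoOpCryptoHandler hunk further down the page) hands the input stream back unchanged. As committed, the plugin that line 61 describes as "providing encryption and decryption support" therefore issues a handler that encrypts nothing, and neither the class nor the method says this is a placeholder; the name `getOrCreate…` also suggests caching that the body does not do. Suggest a class-level Javadoc making the state explicit, e.g. `/** Crypto plugin wiring. NOTE: createCryptoHandler currently returns a pass-through NoOpCryptoHandler, so no data is encrypted until a real handler is wired in. */`, and either running `onClose` from the returned handler's `close()` or dropping the parameter. Separately, the comment on lines 140–141 says the TTL is drawn from (Jitter, TTL − Jitter) while lines 167–169 draw from [TTL − Jitter, TTL + Jitter); the comment should read `// - Random number between: [TTL - Jitter, TTL + Jitter)`.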
Expand Up @@ -125,4 +125,8 @@ public DecryptedRangedStreamProvider createDecryptingStreamOfRange(
return new DecryptedRangedStreamProvider(range, (encryptedStream) -> encryptedStream);
}

@Override
public void close() {
// Nothing to close.
}

}
