Skip to content

Commit

Permalink
Moved encryption-sdk from lib to modules to resolve dependency issues
Browse files Browse the repository at this point in the history
Signed-off-by: Vikas Bansal <43470111+vikasvb90@users.noreply.github.com>
  • Loading branch information
vikasvb90 committed Sep 6, 2023
1 parent 9d6c43a commit e4d8881
Show file tree
Hide file tree
Showing 36 changed files with 230 additions and 320 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import org.opensearch.common.annotation.ExperimentalApi;
import org.opensearch.common.io.InputStreamContainer;

import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;

Expand All @@ -22,7 +23,7 @@
* U - Parsed Encryption Metadata / CryptoContext
*/
@ExperimentalApi
public interface CryptoHandler<T, U> {
public interface CryptoHandler<T, U> extends Closeable {

/**
* To initialise or create a new crypto metadata to be used in encryption. This is needed to set the context before
Expand Down

This file was deleted.

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,17 @@ thirdPartyAudit.enabled = false
forbiddenApisTest.ignoreFailures = true
testingConventions.enabled = false

opensearchplugin {
description 'Crypto module plugin for providing encryption and decryption support.'
classname 'org.opensearch.encryption.CryptoModulePlugin'
}

dependencies {
// Common crypto classes
api project(':libs:opensearch-common')

// Encryption
implementation "com.amazonaws:aws-encryption-sdk-java:2.4.0"
implementation "com.amazonaws:aws-encryption-sdk-java:1.7.0"
implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
implementation "org.apache.commons:commons-lang3:${versions.commonslang}"

//Tests
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
51704a672e65456d37f444c5992c079feff31218
1 change: 1 addition & 0 deletions modules/crypto/licenses/bcprov-jdk15to18-1.75.jar.sha1
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
df22e1b6a9f6b218913f5b68dd16641344397fe0
22 changes: 22 additions & 0 deletions modules/crypto/licenses/bcprov-jdk15to18-LICENSE.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
The MIT License (MIT)

Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
(http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
Empty file.
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@
import org.opensearch.common.crypto.CryptoHandler;
import org.opensearch.common.crypto.MasterKeyProvider;
import org.opensearch.common.unit.TimeValue;
import org.opensearch.common.util.concurrent.AbstractRefCounted;
import org.opensearch.encryption.keyprovider.CryptoMasterKey;
import org.opensearch.plugins.CryptoPlugin;
import org.opensearch.plugins.Plugin;

import java.security.SecureRandom;
import java.util.concurrent.TimeUnit;
Expand All @@ -21,23 +22,16 @@
import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager;
import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache;

public class CryptoManagerFactory {
public class CryptoModulePlugin extends Plugin implements CryptoPlugin<Object, Object> {

private final int dataKeyCacheSize;
private final String algorithm;
private final int dataKeyCacheSize = 500;
private final String algorithm = "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY";

// - Cache TTL and Jitter is used to decide the Crypto Cache TTL.
// - Random number between: (TTL Jitter, TTL - Jitter)
private final long dataKeyCacheTTL;
private final long dataKeyCacheTTL = TimeValue.timeValueDays(2).getMillis();
private static final long dataKeyCacheJitter = TimeUnit.MINUTES.toMillis(30); // - 30 minutes

public CryptoManagerFactory(String algorithm, TimeValue keyRefreshInterval, int keyCacheSize) {
this.dataKeyCacheSize = keyCacheSize;
validateAndGetAlgorithmId(algorithm);
this.algorithm = algorithm;
dataKeyCacheTTL = keyRefreshInterval.getMillis();
}

private String validateAndGetAlgorithmId(String algorithm) {
// Supporting only 256 bit algorithm
switch (algorithm) {
Expand All @@ -50,7 +44,7 @@ private String validateAndGetAlgorithmId(String algorithm) {
}
}

public CryptoManager<?, ?> getOrCreateCryptoManager(
public CryptoHandler<Object, Object> getOrCreateCryptoHandler(
MasterKeyProvider keyProvider,
String keyProviderName,
String keyProviderType,
Expand All @@ -61,12 +55,11 @@ private String validateAndGetAlgorithmId(String algorithm) {
keyProviderName,
validateAndGetAlgorithmId(algorithm)
);
CryptoHandler<?, ?> cryptoHandler = createCryptoProvider(algorithm, materialsManager, keyProvider);
return createCryptoManager(cryptoHandler, keyProviderType, keyProviderName, onClose);
return createCryptoProvider(algorithm, materialsManager, keyProvider);
}

// package private for tests
CryptoHandler<?, ?> createCryptoProvider(
CryptoHandler<Object, Object> createCryptoProvider(
String algorithm,
CachingCryptoMaterialsManager materialsManager,
MasterKeyProvider masterKeyProvider
Expand All @@ -88,40 +81,4 @@ CachingCryptoMaterialsManager createMaterialsManager(MasterKeyProvider masterKey
.withMaxAge(masterKeyCacheTTL, TimeUnit.MILLISECONDS)
.build();
}

// package private for tests
<T, U> CryptoManager<?, ?> createCryptoManager(
CryptoHandler<T, U> cryptoHandler,
String keyProviderType,
String keyProviderName,
Runnable onClose
) {
return new CryptoManagerImpl<T, U>(keyProviderName, keyProviderType) {
@Override
protected void closeInternal() {
onClose.run();
}

@Override
public String type() {
return keyProviderType;
}

@Override
public String name() {
return keyProviderName;
}

@Override
public CryptoHandler<T, U> getCryptoProvider() {
return cryptoHandler;
}
};
}

private static abstract class CryptoManagerImpl<T, U> extends AbstractRefCounted implements CryptoManager<T, U> {
public CryptoManagerImpl(String keyProviderName, String keyProviderType) {
super(keyProviderName + "-" + keyProviderType);
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -125,4 +125,8 @@ public DecryptedRangedStreamProvider createDecryptingStreamOfRange(
return new DecryptedRangedStreamProvider(range, (encryptedStream) -> encryptedStream);
}

@Override
public void close() {
// Nothing to close.
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@

import org.opensearch.common.crypto.CryptoHandler;
import org.opensearch.common.crypto.MasterKeyProvider;
import org.opensearch.common.unit.TimeValue;
import org.opensearch.test.OpenSearchTestCase;
import org.junit.Before;

import java.util.Collections;

Expand All @@ -21,39 +19,30 @@
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

public class CryptoManagerFactoryTests extends OpenSearchTestCase {
public class CryptoModulePluginTests extends OpenSearchTestCase {

private CryptoManagerFactory cryptoManagerFactory;
private final CryptoModulePlugin cryptoModulePlugin = new CryptoModulePlugin();

@Before
public void setup() {
cryptoManagerFactory = new CryptoManagerFactory(
"ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384",
TimeValue.timeValueDays(2),
10
);
}

public void testGetOrCreateCryptoManager() {
public void testGetOrCreateCryptoHandler() {
MasterKeyProvider mockKeyProvider = mock(MasterKeyProvider.class);
when(mockKeyProvider.getEncryptionContext()).thenReturn(Collections.emptyMap());

CryptoManager<?, ?> cryptoManager = cryptoManagerFactory.getOrCreateCryptoManager(
CryptoHandler<?, ?> cryptoHandler = cryptoModulePlugin.getOrCreateCryptoHandler(
mockKeyProvider,
"keyProviderName",
"keyProviderType",
() -> {}
);

assertNotNull(cryptoManager);
assertNotNull(cryptoHandler);
}

public void testCreateCryptoProvider() {
CachingCryptoMaterialsManager mockMaterialsManager = mock(CachingCryptoMaterialsManager.class);
MasterKeyProvider mockKeyProvider = mock(MasterKeyProvider.class);
when(mockKeyProvider.getEncryptionContext()).thenReturn(Collections.emptyMap());

CryptoHandler<?, ?> cryptoHandler = cryptoManagerFactory.createCryptoProvider(
CryptoHandler<?, ?> cryptoHandler = cryptoModulePlugin.createCryptoProvider(
"ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384",
mockMaterialsManager,
mockKeyProvider
Expand All @@ -66,27 +55,12 @@ public void testCreateMaterialsManager() {
MasterKeyProvider mockKeyProvider = mock(MasterKeyProvider.class);
when(mockKeyProvider.getEncryptionContext()).thenReturn(Collections.emptyMap());

CachingCryptoMaterialsManager materialsManager = cryptoManagerFactory.createMaterialsManager(
CachingCryptoMaterialsManager materialsManager = cryptoModulePlugin.createMaterialsManager(
mockKeyProvider,
"keyProviderName",
"ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384"
);

assertNotNull(materialsManager);
}

public void testCreateCryptoManager() {
CryptoHandler<?, ?> mockCryptoHandler = mock(CryptoHandler.class);
CryptoManager<?, ?> cryptoManager = cryptoManagerFactory.createCryptoManager(
mockCryptoHandler,
"keyProviderName",
"keyProviderType",
null
);
assertNotNull(cryptoManager);
}

public void testUnsupportedAlgorithm() {
expectThrows(IllegalArgumentException.class, () -> new CryptoManagerFactory("Unsupported_algo", TimeValue.timeValueDays(2), 10));
}
}
File renamed without changes.
6 changes: 4 additions & 2 deletions plugins/crypto-kms/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ ext {
}

dependencies {
api project(':libs:opensearch-encryption-sdk')

api "software.amazon.awssdk:sdk-core:${versions.aws}"
api "software.amazon.awssdk:aws-core:${versions.aws}"
api "software.amazon.awssdk:utils:${versions.aws}"
Expand Down Expand Up @@ -56,6 +54,10 @@ dependencies {
api "org.reactivestreams:reactive-streams:${versions.reactivestreams}"
}

testClusters.all {
module ':modules:crypto'
}

tasks.named("dependencyLicenses").configure {
mapping from: /jackson-.*/, to: 'jackson'
mapping from: /jaxb-.*/, to: 'jaxb'
Expand Down
1 change: 0 additions & 1 deletion server/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,6 @@ dependencies {
api project(':libs:opensearch-x-content')
api project(":libs:opensearch-geo")
api project(":libs:opensearch-telemetry")
api project(":libs:opensearch-encryption-sdk")


compileOnly project(':libs:opensearch-plugin-classloader')
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@
package org.opensearch.common.blobstore;

import org.opensearch.cluster.metadata.CryptoMetadata;
import org.opensearch.crypto.CryptoManagerRegistry;
import org.opensearch.common.crypto.CryptoHandler;
import org.opensearch.crypto.CryptoHandlerRegistry;
import org.opensearch.crypto.CryptoRegistryException;
import org.opensearch.encryption.CryptoManager;

import java.io.IOException;
import java.util.Map;
Expand All @@ -25,7 +25,7 @@
public class EncryptedBlobStore implements BlobStore {

private final BlobStore blobStore;
private final CryptoManager<?, ?> cryptoManager;
private final CryptoHandler<?, ?> cryptoHandler;

/**
* Constructs an EncryptedBlobStore that wraps the provided BlobStore with encryption capabilities based on the
Expand All @@ -36,17 +36,16 @@ public class EncryptedBlobStore implements BlobStore {
* @throws CryptoRegistryException If the CryptoManager is not found during encrypted BlobStore creation.
*/
public EncryptedBlobStore(BlobStore blobStore, CryptoMetadata cryptoMetadata) {
CryptoManagerRegistry cryptoManagerRegistry = CryptoManagerRegistry.getInstance();
assert cryptoManagerRegistry != null : "CryptoManagerRegistry is not initialized";
this.cryptoManager = cryptoManagerRegistry.fetchCryptoManager(cryptoMetadata);
if (cryptoManager == null) {
CryptoHandlerRegistry cryptoHandlerRegistry = CryptoHandlerRegistry.getInstance();
assert cryptoHandlerRegistry != null : "CryptoManagerRegistry is not initialized";
this.cryptoHandler = cryptoHandlerRegistry.fetchCryptoHandler(cryptoMetadata);
if (cryptoHandler == null) {
throw new CryptoRegistryException(
cryptoMetadata.keyProviderName(),
cryptoMetadata.keyProviderType(),
"Crypto manager not found during encrypted blob store creation."
);
}
this.cryptoManager.incRef();
this.blobStore = blobStore;
}

Expand All @@ -63,10 +62,10 @@ public BlobContainer blobContainer(BlobPath path) {
if (blobContainer instanceof AsyncMultiStreamBlobContainer) {
return new AsyncMultiStreamEncryptedBlobContainer<>(
(AsyncMultiStreamBlobContainer) blobContainer,
cryptoManager.getCryptoProvider()
cryptoHandler
);
}
return new EncryptedBlobContainer<>(blobContainer, cryptoManager.getCryptoProvider());
return new EncryptedBlobContainer<>(blobContainer, cryptoHandler);
}

/**
Expand All @@ -87,7 +86,7 @@ public Map<String, Long> stats() {
*/
@Override
public void close() throws IOException {
cryptoManager.decRef();
cryptoHandler.close();
blobStore.close();
}

Expand Down
Loading

0 comments on commit e4d8881

Please sign in to comment.