Add KeyStore based CredentialProvider for JDBC based connectors

Author: Praveen2112

presto-base-jdbc/src/main/java/io/prestosql/plugin/jdbc/credential/CredentialProviderModule.java

@@ -19,11 +19,18 @@
 import io.airlift.configuration.ConfigurationFactory;
 import io.prestosql.plugin.jdbc.BaseJdbcConfig;
 import io.prestosql.plugin.jdbc.credential.file.ConfigFileBasedCredentialProviderConfig;
+import io.prestosql.plugin.jdbc.credential.keystore.KeyStoreBasedCredentialProviderConfig;
 
 import javax.inject.Inject;
 import javax.inject.Provider;
 
 import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.Map;
 
 import static com.google.inject.Scopes.SINGLETON;
@@ -32,6 +39,9 @@
 import static io.airlift.configuration.ConfigurationLoader.loadPropertiesFrom;
 import static io.prestosql.plugin.jdbc.credential.CredentialProviderType.FILE;
 import static io.prestosql.plugin.jdbc.credential.CredentialProviderType.INLINE;
+import static io.prestosql.plugin.jdbc.credential.CredentialProviderType.KEYSTORE;
+import static io.prestosql.plugin.jdbc.credential.keystore.KeyStoreUtils.loadKeyStore;
+import static io.prestosql.plugin.jdbc.credential.keystore.KeyStoreUtils.readEntity;
 import static java.util.Objects.requireNonNull;
 
 public class CredentialProviderModule
@@ -52,6 +62,12 @@ protected void setup(Binder binder)
                     configBinder(binder).bindConfig(ConfigFileBasedCredentialProviderConfig.class);
                     internalBinder.bind(CredentialProvider.class).annotatedWith(ForExtraCredentialProvider.class).toProvider(ConfigFileBasedCredentialProviderFactory.class).in(SINGLETON);
                 });
+        bindCredentialProviderModule(
+                KEYSTORE,
+                internalBinder -> {
+                    configBinder(binder).bindConfig(KeyStoreBasedCredentialProviderConfig.class);
+                    internalBinder.bind(CredentialProvider.class).annotatedWith(ForExtraCredentialProvider.class).toProvider(KeyStoreBasedCredentialProviderFactory.class);
+                });
         binder.bind(CredentialProvider.class).to(ExtraCredentialProvider.class).in(SINGLETON);
     }
 
@@ -83,4 +99,28 @@ public CredentialProvider get()
             return new ConfigFileBasedCredentialProvider(credentialsConfig);
         }
     }
+
+    private static class KeyStoreBasedCredentialProviderFactory
+            implements Provider<CredentialProvider>
+    {
+        private final CredentialConfig credentialsConfig;
+
+        @Inject
+        public KeyStoreBasedCredentialProviderFactory(KeyStoreBasedCredentialProviderConfig config)
+                throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, InvalidKeySpecException, UnrecoverableEntryException
+        {
+            requireNonNull(config, "config is null");
+            KeyStore keyStore = loadKeyStore(config.getKeyStoreType(), config.getKeyStoreFilePath(), config.getKeyStorePassword());
+
+            credentialsConfig = new CredentialConfig()
+                    .setConnectionUser(readEntity(keyStore, config.getUserCredentialName(), config.getPasswordForUserCredentialName()))
+                    .setConnectionPassword(readEntity(keyStore, config.getPasswordCredentialName(), config.getPasswordForPasswordCredentialName()));
+        }
+
+        @Override
+        public CredentialProvider get()
+        {
+            return new ConfigFileBasedCredentialProvider(credentialsConfig);
+        }
+    }
 }

presto-base-jdbc/src/main/java/io/prestosql/plugin/jdbc/credential/CredentialProviderType.java

@@ -17,5 +17,6 @@ public enum CredentialProviderType
 {
     INLINE,
     FILE,
+    KEYSTORE,
     /**/
 }

presto-base-jdbc/src/main/java/io/prestosql/plugin/jdbc/credential/keystore/KeyStoreBasedCredentialProviderConfig.java

@@ -0,0 +1,121 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.prestosql.plugin.jdbc.credential.keystore;
+
+import io.airlift.configuration.Config;
+import io.airlift.configuration.ConfigSecuritySensitive;
+
+import javax.validation.constraints.NotNull;
+
+public class KeyStoreBasedCredentialProviderConfig
+{
+    private String keyStoreFilePath;
+    private String keyStoreType;
+    private String keyStorePassword;
+    private String userCredentialName;
+    private String passwordForUserCredentialName;
+    private String passwordCredentialName;
+    private String passwordForPasswordCredentialName;
+
+    @Config("keystore-file-path")
+    public KeyStoreBasedCredentialProviderConfig setKeyStoreFilePath(String keyStoreFilePath)
+    {
+        this.keyStoreFilePath = keyStoreFilePath;
+        return this;
+    }
+
+    @NotNull
+    public String getKeyStoreFilePath()
+    {
+        return keyStoreFilePath;
+    }
+
+    @Config("keystore-type")
+    public KeyStoreBasedCredentialProviderConfig setKeyStoreType(String keyStoreType)
+    {
+        this.keyStoreType = keyStoreType;
+        return this;
+    }
+
+    @NotNull
+    public String getKeyStoreType()
+    {
+        return keyStoreType;
+    }
+
+    @Config("keystore-password")
+    @ConfigSecuritySensitive
+    public KeyStoreBasedCredentialProviderConfig setKeyStorePassword(String keyStorePassword)
+    {
+        this.keyStorePassword = keyStorePassword;
+        return this;
+    }
+
+    @Config("keystore-user-credential-password")
+    public KeyStoreBasedCredentialProviderConfig setPasswordForUserCredentialName(String passwordForUserCredentialName)
+    {
+        this.passwordForUserCredentialName = passwordForUserCredentialName;
+        return this;
+    }
+
+    @NotNull
+    public String getPasswordForUserCredentialName()
+    {
+        return passwordForUserCredentialName;
+    }
+
+    @Config("keystore-password-credential-password")
+    public KeyStoreBasedCredentialProviderConfig setPasswordForPasswordCredentialName(String passwordForPasswordCredentialName)
+    {
+        this.passwordForPasswordCredentialName = passwordForPasswordCredentialName;
+        return this;
+    }
+
+    public String getPasswordForPasswordCredentialName()
+    {
+        return passwordForPasswordCredentialName;
+    }
+
+    @NotNull
+    public String getKeyStorePassword()
+    {
+        return keyStorePassword;
+    }
+
+    @Config("keystore-user-credential-name")
+    public KeyStoreBasedCredentialProviderConfig setUserCredentialName(String userCredntialName)
+    {
+        this.userCredentialName = userCredntialName;
+        return this;
+    }
+
+    @NotNull
+    public String getUserCredentialName()
+    {
+        return userCredentialName;
+    }
+
+    @Config("keystore-password-credential-name")
+    public KeyStoreBasedCredentialProviderConfig setPasswordCredentialName(String passwordCredentialName)
+    {
+        this.passwordCredentialName = passwordCredentialName;
+        return this;
+    }
+
+    @NotNull
+    public String getPasswordCredentialName()
+    {
+        return passwordCredentialName;
+    }
+}

presto-base-jdbc/src/main/java/io/prestosql/plugin/jdbc/credential/keystore/KeyStoreUtils.java

@@ -0,0 +1,53 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.prestosql.plugin.jdbc.credential.keystore;
+
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStore.PasswordProtection;
+import java.security.KeyStore.SecretKeyEntry;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
+
+public class KeyStoreUtils
+{
+    private KeyStoreUtils()
+    {}
+
+    public static KeyStore loadKeyStore(String keyStoreType, String keyStorePath, String keyStorePassword)
+            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException
+    {
+        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+        keyStore.load(new FileInputStream(keyStorePath), keyStorePassword.toCharArray());
+        return keyStore;
+    }
+
+    public static String readEntity(KeyStore keyStore, String entityAlias, String entityPassword)
+            throws UnrecoverableEntryException, NoSuchAlgorithmException, KeyStoreException, InvalidKeySpecException
+    {
+        SecretKeyEntry secretKeyEntry = (SecretKeyEntry) keyStore.getEntry(entityAlias, new PasswordProtection(entityPassword.toCharArray()));
+
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
+        PBEKeySpec keySpec = (PBEKeySpec) factory.getKeySpec(secretKeyEntry.getSecretKey(), PBEKeySpec.class);
+
+        return new String(keySpec.getPassword());
+    }
+}

presto-base-jdbc/src/test/java/io/prestosql/plugin/jdbc/credential/TestCredentialProvider.java

@@ -51,7 +51,27 @@ public void testFileCredentialProvider()
         assertEquals(credentialProvider.getConnectionPassword(Optional.empty()).get(), "password_for_user_from_file");
     }
 
-    private static CredentialProvider getCredentialProvider(Map<String, String> properties)
+    @Test
+    public void testKeyStoreBasedCredentialProvider()
+    {
+        Map<String, String> properties = new ImmutableMap.Builder<String, String>()
+                .put("connection-url", "jdbc:h2:mem:config")
+                .put("credential-provider.type", "KEYSTORE")
+                .put("keystore-file-path", getResourceFilePath("credentials.jceks"))
+                .put("keystore-type", "JCEKS")
+                .put("keystore-password", "keystore_password")
+                .put("keystore-user-credential-name", "userName")
+                .put("keystore-user-credential-password", "keystore_password_for_user_name")
+                .put("keystore-password-credential-name", "password")
+                .put("keystore-password-credential-password", "keystore_password_for_password")
+                .build();
+
+        CredentialProvider credentialProvider = getCredentialProvider(properties);
+        assertEquals(credentialProvider.getConnectionUser(Optional.empty()).get(), "user_from_keystore");
+        assertEquals(credentialProvider.getConnectionPassword(Optional.empty()).get(), "password_from_keystore");
+    }
+
+    private CredentialProvider getCredentialProvider(Map<String, String> properties)
     {
         return new Bootstrap(ImmutableList.of(new CredentialProviderModule()))
                 .setOptionalConfigurationProperties(properties)

presto-base-jdbc/src/test/java/io/prestosql/plugin/jdbc/credential/keystore/TestKeyStoreBasedCredentialProviderConfig.java

@@ -0,0 +1,64 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.prestosql.plugin.jdbc.credential.keystore;
+
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.util.Map;
+
+import static io.airlift.configuration.testing.ConfigAssertions.assertFullMapping;
+import static io.airlift.configuration.testing.ConfigAssertions.assertRecordedDefaults;
+import static io.airlift.configuration.testing.ConfigAssertions.recordDefaults;
+
+public class TestKeyStoreBasedCredentialProviderConfig
+{
+    @Test
+    public void testDefaults()
+    {
+        assertRecordedDefaults(recordDefaults(KeyStoreBasedCredentialProviderConfig.class)
+                .setKeyStoreFilePath(null)
+                .setKeyStoreType(null)
+                .setKeyStorePassword(null)
+                .setUserCredentialName(null)
+                .setPasswordForUserCredentialName(null)
+                .setPasswordCredentialName(null)
+                .setPasswordForPasswordCredentialName(null));
+    }
+
+    @Test
+    public void testExplicitPropertyMappings()
+    {
+        Map<String, String> properties = new ImmutableMap.Builder<String, String>()
+                .put("keystore-file-path", "/presto/credentials.jceks")
+                .put("keystore-type", "JCEKS")
+                .put("keystore-password", "keystore_password")
+                .put("keystore-user-credential-name", "userName")
+                .put("keystore-user-credential-password", "keystore_password_for_user_name")
+                .put("keystore-password-credential-name", "password")
+                .put("keystore-password-credential-password", "keystore_password_for_password")
+                .build();
+
+        KeyStoreBasedCredentialProviderConfig expected = new KeyStoreBasedCredentialProviderConfig()
+                .setKeyStoreFilePath("/presto/credentials.jceks")
+                .setKeyStoreType("JCEKS")
+                .setKeyStorePassword("keystore_password")
+                .setUserCredentialName("userName")
+                .setPasswordForUserCredentialName("keystore_password_for_user_name")
+                .setPasswordCredentialName("password")
+                .setPasswordForPasswordCredentialName("keystore_password_for_password");
+
+        assertFullMapping(properties, expected);
+    }
+}