diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/CryptoProvider.java b/libs/common/src/main/java/org/opensearch/common/crypto/CryptoHandler.java similarity index 83% rename from libs/common/src/main/java/org/opensearch/common/crypto/CryptoProvider.java rename to libs/common/src/main/java/org/opensearch/common/crypto/CryptoHandler.java index db01106e711cf..395f40605dd9b 100644 --- a/libs/common/src/main/java/org/opensearch/common/crypto/CryptoProvider.java +++ b/libs/common/src/main/java/org/opensearch/common/crypto/CryptoHandler.java @@ -16,8 +16,11 @@ /** * Crypto provider abstractions for encryption and decryption of data. Allows registering multiple providers * for defining different ways of encrypting or decrypting data. + * + * T - Encryption Metadata - crypto metadata instance. + * U - Parsed Encryption Metadata */ -public interface CryptoProvider { +public interface CryptoHandler { /** * To initialise or create a new crypto metadata to be used in encryption. This is needed to set the context before @@ -25,7 +28,8 @@ public interface CryptoProvider { * * @return crypto metadata instance */ - Object initEncryptionMetadata(); + // prepare encryption metadata + T initEncryptionMetadata(); /** * To load crypto metadata to be used in encryption from content header. @@ -34,7 +38,7 @@ public interface CryptoProvider { * * @return crypto metadata instance used in decryption. */ - Object loadEncryptionMetadata(EncryptedHeaderContentSupplier encryptedHeaderContentSupplier) throws IOException; + U loadEncryptionMetadata(EncryptedHeaderContentSupplier encryptedHeaderContentSupplier) throws IOException; /** * Few encryption algorithms have certain conditions on the unit of content to be encrypted. This requires the @@ -46,7 +50,7 @@ public interface CryptoProvider { * @param contentSize Size of the raw content * @return Adjusted size of the content. */ - long adjustContentSizeForPartialEncryption(Object cryptoContext, long contentSize); + long adjustContentSizeForPartialEncryption(T cryptoContext, long contentSize); /** * Estimate length of the encrypted content. It should only be used to determine length of entire content after @@ -56,7 +60,7 @@ public interface CryptoProvider { * @param contentLength Size of the raw content * @return Calculated size of the encrypted content. */ - long estimateEncryptedLengthOfEntireContent(Object cryptoContext, long contentLength); + long estimateEncryptedLengthOfEntireContent(T cryptoContext, long contentLength); /** * For given encrypted content length, estimate the length of the decrypted content. @@ -64,7 +68,7 @@ public interface CryptoProvider { * @param contentLength Size of the encrypted content * @return Calculated size of the decrypted content. */ - long estimateDecryptedLength(Object cryptoContext, long contentLength); + long estimateDecryptedLength(U cryptoContext, long contentLength); /** * Wraps a raw InputStream with encrypting stream @@ -73,7 +77,7 @@ public interface CryptoProvider { * @param stream Raw InputStream to encrypt * @return encrypting stream wrapped around raw InputStream. */ - InputStreamContainer createEncryptingStream(Object encryptionMetadata, InputStreamContainer stream); + InputStreamContainer createEncryptingStream(T encryptionMetadata, InputStreamContainer stream); /** * Provides encrypted stream for a raw stream emitted for a part of content. @@ -84,7 +88,7 @@ public interface CryptoProvider { * @param streamIdx Index of the current stream. * @return Encrypted stream for the provided raw stream. */ - InputStreamContainer createEncryptingStreamOfPart(Object cryptoContext, InputStreamContainer stream, int totalStreams, int streamIdx); + InputStreamContainer createEncryptingStreamOfPart(T cryptoContext, InputStreamContainer stream, int totalStreams, int streamIdx); /** * This method accepts an encrypted stream and provides a decrypting wrapper. @@ -107,5 +111,5 @@ public interface CryptoProvider { * @param startPosOfRawContent starting position in the raw/decrypted content * @param endPosOfRawContent ending position in the raw/decrypted content */ - DecryptedRangedStreamProvider createDecryptingStreamOfRange(Object cryptoContext, long startPosOfRawContent, long endPosOfRawContent); + DecryptedRangedStreamProvider createDecryptingStreamOfRange(U cryptoContext, long startPosOfRawContent, long endPosOfRawContent); } diff --git a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManager.java b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManager.java index 17d5bc87c27dd..8e1fc8570d552 100644 --- a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManager.java +++ b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManager.java @@ -8,13 +8,13 @@ package org.opensearch.encryption; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.util.concurrent.RefCounted; /** * Crypto plugin interface used for encryption and decryption. */ -public interface CryptoManager extends RefCounted { +public interface CryptoManager extends RefCounted { /** * @return key provider type @@ -29,5 +29,5 @@ public interface CryptoManager extends RefCounted { /** * @return Crypto provider for encrypting or decrypting raw content. */ - CryptoProvider getCryptoProvider(); + CryptoHandler getCryptoProvider(); } diff --git a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManagerFactory.java b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManagerFactory.java index f98177905f164..b6e0b5a6d4ed7 100644 --- a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManagerFactory.java +++ b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/CryptoManagerFactory.java @@ -11,11 +11,11 @@ import com.amazonaws.encryptionsdk.CryptoAlgorithm; import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager; import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.MasterKeyProvider; import org.opensearch.common.unit.TimeValue; import org.opensearch.common.util.concurrent.AbstractRefCounted; -import org.opensearch.encryption.frame.FrameCryptoProvider; +import org.opensearch.encryption.frame.FrameCryptoHandler; import org.opensearch.encryption.frame.core.AwsCrypto; import org.opensearch.encryption.keyprovider.CryptoMasterKey; @@ -50,7 +50,7 @@ private String validateAndGetAlgorithmId(String algorithm) { } } - public CryptoManager getOrCreateCryptoManager( + public CryptoManager getOrCreateCryptoManager( MasterKeyProvider keyProvider, String keyProviderName, String keyProviderType, @@ -61,24 +61,24 @@ public CryptoManager getOrCreateCryptoManager( keyProviderName, validateAndGetAlgorithmId(algorithm) ); - CryptoProvider cryptoProvider = createCryptoProvider(algorithm, materialsManager, keyProvider); - return createCryptoManager(cryptoProvider, keyProviderType, keyProviderName, onClose); + CryptoHandler cryptoHandler = createCryptoProvider(algorithm, materialsManager, keyProvider); + return createCryptoManager(cryptoHandler, keyProviderType, keyProviderName, onClose); } // package private for tests - CryptoProvider createCryptoProvider( + CryptoHandler createCryptoProvider( String algorithm, CachingCryptoMaterialsManager materialsManager, MasterKeyProvider masterKeyProvider ) { switch (algorithm) { case "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY": - return new FrameCryptoProvider( + return new FrameCryptoHandler( new AwsCrypto(materialsManager, CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY), masterKeyProvider.getEncryptionContext() ); case "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384": - return new FrameCryptoProvider( + return new FrameCryptoHandler( new AwsCrypto(materialsManager, CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384), masterKeyProvider.getEncryptionContext() ); @@ -103,8 +103,13 @@ CachingCryptoMaterialsManager createMaterialsManager(MasterKeyProvider masterKey } // package private for tests - CryptoManager createCryptoManager(CryptoProvider cryptoProvider, String keyProviderType, String keyProviderName, Runnable onClose) { - return new CryptoManagerImpl(keyProviderName, keyProviderType) { + CryptoManager createCryptoManager( + CryptoHandler cryptoHandler, + String keyProviderType, + String keyProviderName, + Runnable onClose + ) { + return new CryptoManagerImpl(keyProviderName, keyProviderType) { @Override protected void closeInternal() { onClose.run(); @@ -121,15 +126,16 @@ public String name() { } @Override - public CryptoProvider getCryptoProvider() { - return cryptoProvider; + public CryptoHandler getCryptoProvider() { + return cryptoHandler; } }; } - private static abstract class CryptoManagerImpl extends AbstractRefCounted implements CryptoManager { + private static abstract class CryptoManagerImpl extends AbstractRefCounted implements CryptoManager { public CryptoManagerImpl(String keyProviderName, String keyProviderType) { super(keyProviderName + "-" + keyProviderType); } } + } diff --git a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoProvider.java b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoHandler.java similarity index 83% rename from libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoProvider.java rename to libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoHandler.java index 0d846da69f18f..f1e7a0e008e11 100644 --- a/libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoProvider.java +++ b/libs/encryption-sdk/src/main/java/org/opensearch/encryption/frame/FrameCryptoHandler.java @@ -9,7 +9,7 @@ package org.opensearch.encryption.frame; import com.amazonaws.encryptionsdk.ParsedCiphertext; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.DecryptedRangedStreamProvider; import org.opensearch.common.crypto.EncryptedHeaderContentSupplier; import org.opensearch.encryption.frame.core.AwsCrypto; @@ -20,14 +20,14 @@ import java.io.InputStream; import java.util.Map; -public class FrameCryptoProvider implements CryptoProvider { +public class FrameCryptoHandler implements CryptoHandler { private final AwsCrypto awsCrypto; private final Map encryptionContext; // package private for tests private final int FRAME_SIZE = 8 * 1024; - public FrameCryptoProvider(AwsCrypto awsCrypto, Map encryptionContext) { + public FrameCryptoHandler(AwsCrypto awsCrypto, Map encryptionContext) { this.awsCrypto = awsCrypto; this.encryptionContext = encryptionContext; } @@ -40,7 +40,7 @@ public int getFrameSize() { * Initialises metadata store used in encryption. * @return crypto metadata object constructed with encryption metadata like data key pair, encryption algorithm, etc. */ - public Object initEncryptionMetadata() { + public EncryptionMetadata initEncryptionMetadata() { return awsCrypto.createCryptoContext(encryptionContext, getFrameSize()); } @@ -57,7 +57,7 @@ public Object initEncryptionMetadata() { * @param streamSize Size of the stream to be adjusted. * @return Adjusted size of the stream. */ - public long adjustContentSizeForPartialEncryption(Object cryptoContextObj, long streamSize) { + public long adjustContentSizeForPartialEncryption(EncryptionMetadata cryptoContextObj, long streamSize) { EncryptionMetadata encryptionMetadata = validateEncryptionMetadata(cryptoContextObj); return (streamSize - (streamSize % encryptionMetadata.getFrameSize())) + encryptionMetadata.getFrameSize(); } @@ -69,7 +69,7 @@ public long adjustContentSizeForPartialEncryption(Object cryptoContextObj, long * @param contentLength Size of the raw content * @return Calculated size of the encrypted stream for the provided raw stream. */ - public long estimateEncryptedLengthOfEntireContent(Object cryptoMetadataObj, long contentLength) { + public long estimateEncryptedLengthOfEntireContent(EncryptionMetadata cryptoMetadataObj, long contentLength) { EncryptionMetadata encryptionMetadata = validateEncryptionMetadata(cryptoMetadataObj); return encryptionMetadata.getCiphertextHeaderBytes().length + awsCrypto.estimateOutputSizeWithFooter( encryptionMetadata.getFrameSize(), @@ -87,17 +87,13 @@ public long estimateEncryptedLengthOfEntireContent(Object cryptoMetadataObj, lon * @param contentLength Size of the encrypted content * @return Calculated size of the encrypted stream for the provided raw stream. */ - public long estimateDecryptedLength(Object cryptoMetadataObj, long contentLength) { - if (!(cryptoMetadataObj instanceof ParsedCiphertext)) { - throw new IllegalArgumentException("Unknown crypto metadata object received for adjusting range for decryption"); - } - ParsedCiphertext parsedCiphertext = (ParsedCiphertext) cryptoMetadataObj; + public long estimateDecryptedLength(ParsedCiphertext cryptoMetadataObj, long contentLength) { return awsCrypto.estimateDecryptedSize( - parsedCiphertext.getFrameLength(), - parsedCiphertext.getNonceLength(), - parsedCiphertext.getCryptoAlgoId().getTagLen(), - contentLength - parsedCiphertext.getOffset(), - parsedCiphertext.getCryptoAlgoId() + cryptoMetadataObj.getFrameLength(), + cryptoMetadataObj.getNonceLength(), + cryptoMetadataObj.getCryptoAlgoId().getTagLen(), + contentLength - cryptoMetadataObj.getOffset(), + cryptoMetadataObj.getCryptoAlgoId() ); } @@ -107,16 +103,13 @@ public long estimateDecryptedLength(Object cryptoMetadataObj, long contentLength * @param stream Raw InputStream to encrypt * @return encrypting stream wrapped around raw InputStream. */ - public InputStreamContainer createEncryptingStream(Object cryptoContextObj, InputStreamContainer stream) { + public InputStreamContainer createEncryptingStream(EncryptionMetadata cryptoContextObj, InputStreamContainer stream) { EncryptionMetadata encryptionMetadata = validateEncryptionMetadata(cryptoContextObj); return createEncryptingStreamOfPart(encryptionMetadata, stream, 1, 0); } - private EncryptionMetadata validateEncryptionMetadata(Object cryptoContext) { - if (!(cryptoContext instanceof EncryptionMetadata)) { - throw new IllegalArgumentException("Unknown crypto metadata object received"); - } - return (EncryptionMetadata) cryptoContext; + private EncryptionMetadata validateEncryptionMetadata(EncryptionMetadata cryptoContext) { + return cryptoContext; } /** @@ -132,7 +125,7 @@ private EncryptionMetadata validateEncryptionMetadata(Object cryptoContext) { * @return Encrypted stream for the provided raw stream. */ public InputStreamContainer createEncryptingStreamOfPart( - Object cryptoContextObj, + EncryptionMetadata cryptoContextObj, InputStreamContainer stream, int totalStreams, int streamIdx @@ -157,7 +150,7 @@ private EncryptionMetadata parseEncryptionMetadata(Object cryptoContextObj) { * @return parsed encryption metadata object * @throws IOException if content fetch for header creation fails */ - public Object loadEncryptionMetadata(EncryptedHeaderContentSupplier encryptedHeaderContentSupplier) throws IOException { + public ParsedCiphertext loadEncryptionMetadata(EncryptedHeaderContentSupplier encryptedHeaderContentSupplier) throws IOException { byte[] encryptedHeader = encryptedHeaderContentSupplier.supply(0, 4095); return new ParsedCiphertext(encryptedHeader); } @@ -214,21 +207,19 @@ private InputStream createBlockDecryptionStream( * @return stream provider for decrypted stream for the specified range of content including adjusted range */ public DecryptedRangedStreamProvider createDecryptingStreamOfRange( - Object cryptoContext, + ParsedCiphertext cryptoContext, long startPosOfRawContent, long endPosOfRawContent ) { if (!(cryptoContext instanceof ParsedCiphertext)) { throw new IllegalArgumentException("Unknown crypto metadata object received for adjusting range for decryption"); } - - ParsedCiphertext encryptionMetadata = (ParsedCiphertext) cryptoContext; - long adjustedStartPos = startPosOfRawContent - (startPosOfRawContent % encryptionMetadata.getFrameLength()); - long endPosOverhead = (endPosOfRawContent + 1) % encryptionMetadata.getFrameLength(); + long adjustedStartPos = startPosOfRawContent - (startPosOfRawContent % cryptoContext.getFrameLength()); + long endPosOverhead = (endPosOfRawContent + 1) % cryptoContext.getFrameLength(); long adjustedEndPos = endPosOverhead == 0 ? endPosOfRawContent - : (endPosOfRawContent - endPosOverhead + encryptionMetadata.getFrameLength()); - long[] encryptedRange = transformToEncryptedRange(encryptionMetadata, adjustedStartPos, adjustedEndPos); + : (endPosOfRawContent - endPosOverhead + cryptoContext.getFrameLength()); + long[] encryptedRange = transformToEncryptedRange(cryptoContext, adjustedStartPos, adjustedEndPos); return new DecryptedRangedStreamProvider(encryptedRange, (encryptedStream) -> { InputStream decryptedStream = createBlockDecryptionStream( cryptoContext, diff --git a/libs/encryption-sdk/src/test/java/org/opensearch/encryption/CryptoManagerFactoryTests.java b/libs/encryption-sdk/src/test/java/org/opensearch/encryption/CryptoManagerFactoryTests.java index 78ea538749bc7..a2b29619a71b0 100644 --- a/libs/encryption-sdk/src/test/java/org/opensearch/encryption/CryptoManagerFactoryTests.java +++ b/libs/encryption-sdk/src/test/java/org/opensearch/encryption/CryptoManagerFactoryTests.java @@ -8,18 +8,18 @@ package org.opensearch.encryption; -import static org.mockito.Mockito.when; -import static org.mockito.Mockito.mock; - import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager; import org.junit.Before; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.MasterKeyProvider; import org.opensearch.common.unit.TimeValue; import org.opensearch.test.OpenSearchTestCase; import java.util.Collections; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + public class CryptoManagerFactoryTests extends OpenSearchTestCase { private CryptoManagerFactory cryptoManagerFactory; @@ -33,7 +33,7 @@ public void testGetOrCreateCryptoManager() { MasterKeyProvider mockKeyProvider = mock(MasterKeyProvider.class); when(mockKeyProvider.getEncryptionContext()).thenReturn(Collections.emptyMap()); - CryptoManager cryptoManager = cryptoManagerFactory.getOrCreateCryptoManager( + CryptoManager cryptoManager = cryptoManagerFactory.getOrCreateCryptoManager( mockKeyProvider, "keyProviderName", "keyProviderType", @@ -48,13 +48,13 @@ public void testCreateCryptoProvider() { MasterKeyProvider mockKeyProvider = mock(MasterKeyProvider.class); when(mockKeyProvider.getEncryptionContext()).thenReturn(Collections.emptyMap()); - CryptoProvider cryptoProvider = cryptoManagerFactory.createCryptoProvider( + CryptoHandler cryptoHandler = cryptoManagerFactory.createCryptoProvider( "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY", mockMaterialsManager, mockKeyProvider ); - assertNotNull(cryptoProvider); + assertNotNull(cryptoHandler); } public void testCreateMaterialsManager() { @@ -71,9 +71,9 @@ public void testCreateMaterialsManager() { } public void testCreateCryptoManager() { - CryptoProvider mockCryptoProvider = mock(CryptoProvider.class); - CryptoManager cryptoManager = cryptoManagerFactory.createCryptoManager( - mockCryptoProvider, + CryptoHandler mockCryptoHandler = mock(CryptoHandler.class); + CryptoManager cryptoManager = cryptoManagerFactory.createCryptoManager( + mockCryptoHandler, "keyProviderName", "keyProviderType", null diff --git a/libs/encryption-sdk/src/test/java/org/opensearch/encryption/frame/CryptoTests.java b/libs/encryption-sdk/src/test/java/org/opensearch/encryption/frame/CryptoTests.java index e3bff72eb7b82..7e82de8e8805b 100644 --- a/libs/encryption-sdk/src/test/java/org/opensearch/encryption/frame/CryptoTests.java +++ b/libs/encryption-sdk/src/test/java/org/opensearch/encryption/frame/CryptoTests.java @@ -45,14 +45,14 @@ public class CryptoTests extends OpenSearchTestCase { - private static FrameCryptoProvider frameCryptoProvider; + private static FrameCryptoHandler frameCryptoProvider; - private static FrameCryptoProvider frameCryptoProviderTrailingAlgo; + private static FrameCryptoHandler frameCryptoProviderTrailingAlgo; - static class CustomFrameCryptoProviderTest extends FrameCryptoProvider { + static class CustomFrameCryptoHandlerTest extends FrameCryptoHandler { private final int frameSize; - CustomFrameCryptoProviderTest(AwsCrypto awsCrypto, HashMap config, int frameSize) { + CustomFrameCryptoHandlerTest(AwsCrypto awsCrypto, HashMap config, int frameSize) { super(awsCrypto, config); this.frameSize = frameSize; } @@ -65,12 +65,12 @@ public int getFrameSize() { @Before public void setupResources() { - frameCryptoProvider = new CustomFrameCryptoProviderTest( + frameCryptoProvider = new CustomFrameCryptoHandlerTest( createAwsCrypto(CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY), new HashMap<>(), 100 ); - frameCryptoProviderTrailingAlgo = new CustomFrameCryptoProviderTest( + frameCryptoProviderTrailingAlgo = new CustomFrameCryptoHandlerTest( createAwsCrypto(CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384), new HashMap<>(), 100 @@ -99,12 +99,12 @@ private EncryptedStore verifyAndGetEncryptedContent() throws IOException, URISyn return verifyAndGetEncryptedContent(false, frameCryptoProvider); } - private EncryptedStore verifyAndGetEncryptedContent(boolean truncateRemainderPart, FrameCryptoProvider frameCryptoProvider) + private EncryptedStore verifyAndGetEncryptedContent(boolean truncateRemainderPart, FrameCryptoHandler frameCryptoProvider) throws IOException, URISyntaxException { String path = CryptoTests.class.getResource("/raw_content_for_crypto_test").toURI().getPath(); File file = new File(path); - Object cryptoContext = frameCryptoProvider.initEncryptionMetadata(); + EncryptionMetadata cryptoContext = frameCryptoProvider.initEncryptionMetadata(); long length; byte[] encryptedContent = new byte[1024 * 20]; try (FileInputStream fileInputStream = new FileInputStream(file)) { @@ -141,12 +141,12 @@ public void testEncryptedDecryptedLengthEstimations() { for (int i = 0; i < 100; i++) { // Raw content size cannot be max value as encrypted size will overflow for the same. long n = randomLongBetween(0, Long.MAX_VALUE / 2); - FrameCryptoProvider frameCryptoProvider = new CustomFrameCryptoProviderTest( + FrameCryptoHandler frameCryptoProvider = new CustomFrameCryptoHandlerTest( createAwsCrypto(CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY), new HashMap<>(), randomIntBetween(10, 10240) ); - EncryptionMetadata cryptoContext = (EncryptionMetadata) frameCryptoProvider.initEncryptionMetadata(); + EncryptionMetadata cryptoContext = frameCryptoProvider.initEncryptionMetadata(); long encryptedLength = frameCryptoProvider.estimateEncryptedLengthOfEntireContent(cryptoContext, n); ParsedCiphertext parsedCiphertext = new ParsedCiphertext(cryptoContext.getCiphertextHeaderBytes()); long decryptedLength = frameCryptoProvider.estimateDecryptedLength(parsedCiphertext, encryptedLength); @@ -219,8 +219,8 @@ private long decryptAndVerify(InputStream encryptedStream, long encSize, File fi } public void testMultiPartStreamsEncryption() throws IOException, URISyntaxException { - Object cryptoContextObj = frameCryptoProvider.initEncryptionMetadata(); - EncryptionMetadata encryptionMetadata = (EncryptionMetadata) cryptoContextObj; + EncryptionMetadata cryptoContextObj = frameCryptoProvider.initEncryptionMetadata(); + EncryptionMetadata encryptionMetadata = cryptoContextObj; String path = CryptoTests.class.getResource("/raw_content_for_crypto_test").toURI().getPath(); File file = new File(path); byte[] encryptedContent = new byte[1024 * 20]; @@ -431,7 +431,7 @@ private void validateBlockDownload(EncryptedStore encryptedStore, int startPos, EncryptedHeaderContentSupplier encryptedHeaderContentSupplier = createEncryptedHeaderContentSupplier( encryptedStore.encryptedContent ); - Object cryptoContext = frameCryptoProvider.loadEncryptionMetadata(encryptedHeaderContentSupplier); + ParsedCiphertext cryptoContext = frameCryptoProvider.loadEncryptionMetadata(encryptedHeaderContentSupplier); DecryptedRangedStreamProvider decryptedStreamProvider = frameCryptoProvider.createDecryptingStreamOfRange( cryptoContext, startPos, @@ -480,7 +480,7 @@ private long decryptAndVerifyBlock(InputStream decryptedStream, File file, int r public void testEmptyContentCrypto() throws IOException { ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(new byte[] {}); - Object cryptoContext = frameCryptoProvider.initEncryptionMetadata(); + EncryptionMetadata cryptoContext = frameCryptoProvider.initEncryptionMetadata(); InputStreamContainer stream = new InputStreamContainer(byteArrayInputStream, 0, 0); InputStreamContainer encryptingStream = frameCryptoProvider.createEncryptingStream(cryptoContext, stream); InputStream decryptingStream = frameCryptoProvider.createDecryptingStream(encryptingStream.getInputStream()); @@ -489,7 +489,7 @@ public void testEmptyContentCrypto() throws IOException { public void testEmptyContentCryptoTrailingSignatureAlgo() throws IOException { ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(new byte[] {}); - Object cryptoContext = frameCryptoProviderTrailingAlgo.initEncryptionMetadata(); + EncryptionMetadata cryptoContext = frameCryptoProviderTrailingAlgo.initEncryptionMetadata(); InputStreamContainer stream = new InputStreamContainer(byteArrayInputStream, 0, 0); InputStreamContainer encryptingStream = frameCryptoProviderTrailingAlgo.createEncryptingStream(cryptoContext, stream); InputStream decryptingStream = frameCryptoProviderTrailingAlgo.createDecryptingStream(encryptingStream.getInputStream()); diff --git a/server/src/main/java/org/opensearch/common/blobstore/AsyncMultiStreamEncryptedBlobContainer.java b/server/src/main/java/org/opensearch/common/blobstore/AsyncMultiStreamEncryptedBlobContainer.java index 53f6ef6defccb..136511025154c 100644 --- a/server/src/main/java/org/opensearch/common/blobstore/AsyncMultiStreamEncryptedBlobContainer.java +++ b/server/src/main/java/org/opensearch/common/blobstore/AsyncMultiStreamEncryptedBlobContainer.java @@ -10,7 +10,7 @@ import org.opensearch.common.StreamContext; import org.opensearch.common.blobstore.stream.write.WriteContext; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.io.InputStreamContainer; import org.opensearch.core.action.ActionListener; @@ -22,20 +22,20 @@ * * @opensearch.internal */ -public class AsyncMultiStreamEncryptedBlobContainer extends EncryptedBlobContainer implements AsyncMultiStreamBlobContainer { +public class AsyncMultiStreamEncryptedBlobContainer extends EncryptedBlobContainer implements AsyncMultiStreamBlobContainer { private final AsyncMultiStreamBlobContainer blobContainer; - private final CryptoProvider cryptoProvider; + private final CryptoHandler cryptoHandler; - public AsyncMultiStreamEncryptedBlobContainer(AsyncMultiStreamBlobContainer blobContainer, CryptoProvider cryptoProvider) { - super(blobContainer, cryptoProvider); + public AsyncMultiStreamEncryptedBlobContainer(AsyncMultiStreamBlobContainer blobContainer, CryptoHandler cryptoHandler) { + super(blobContainer, cryptoHandler); this.blobContainer = blobContainer; - this.cryptoProvider = cryptoProvider; + this.cryptoHandler = cryptoHandler; } @Override public void asyncBlobUpload(WriteContext writeContext, ActionListener completionListener) throws IOException { - EncryptedWriteContext encryptedWriteContext = new EncryptedWriteContext(writeContext, cryptoProvider); + EncryptedWriteContext encryptedWriteContext = new EncryptedWriteContext<>(writeContext, cryptoHandler); blobContainer.asyncBlobUpload(encryptedWriteContext, completionListener); } @@ -44,26 +44,26 @@ public boolean remoteIntegrityCheckSupported() { return false; } - static class EncryptedWriteContext extends WriteContext { + static class EncryptedWriteContext extends WriteContext { - private final Object encryptionMetadata; - private final CryptoProvider cryptoProvider; + private final T encryptionMetadata; + private final CryptoHandler cryptoHandler; private final long fileSize; /** * Construct a new encrypted WriteContext object */ - public EncryptedWriteContext(WriteContext writeContext, CryptoProvider cryptoProvider) { + public EncryptedWriteContext(WriteContext writeContext, CryptoHandler cryptoHandler) { super(writeContext); - this.cryptoProvider = cryptoProvider; - this.encryptionMetadata = this.cryptoProvider.initEncryptionMetadata(); - this.fileSize = this.cryptoProvider.estimateEncryptedLengthOfEntireContent(encryptionMetadata, writeContext.getFileSize()); + this.cryptoHandler = cryptoHandler; + this.encryptionMetadata = this.cryptoHandler.initEncryptionMetadata(); + this.fileSize = this.cryptoHandler.estimateEncryptedLengthOfEntireContent(encryptionMetadata, writeContext.getFileSize()); } public StreamContext getStreamProvider(long partSize) { - long adjustedPartSize = cryptoProvider.adjustContentSizeForPartialEncryption(encryptionMetadata, partSize); + long adjustedPartSize = cryptoHandler.adjustContentSizeForPartialEncryption(encryptionMetadata, partSize); StreamContext streamContext = super.getStreamProvider(adjustedPartSize); - return new EncryptedStreamContext(streamContext, cryptoProvider, encryptionMetadata); + return new EncryptedStreamContext<>(streamContext, cryptoHandler, encryptionMetadata); } /** @@ -74,24 +74,24 @@ public long getFileSize() { } } - static class EncryptedStreamContext extends StreamContext { + static class EncryptedStreamContext extends StreamContext { - private final CryptoProvider cryptoProvider; - private final Object encryptionMetadata; + private final CryptoHandler cryptoHandler; + private final T encryptionMetadata; /** * Construct a new encrypted StreamContext object */ - public EncryptedStreamContext(StreamContext streamContext, CryptoProvider cryptoProvider, Object encryptionMetadata) { + public EncryptedStreamContext(StreamContext streamContext, CryptoHandler cryptoHandler, T encryptionMetadata) { super(streamContext); - this.cryptoProvider = cryptoProvider; + this.cryptoHandler = cryptoHandler; this.encryptionMetadata = encryptionMetadata; } @Override public InputStreamContainer provideStream(int partNumber) throws IOException { InputStreamContainer inputStreamContainer = super.provideStream(partNumber); - return cryptoProvider.createEncryptingStreamOfPart(encryptionMetadata, inputStreamContainer, getNumberOfParts(), partNumber); + return cryptoHandler.createEncryptingStreamOfPart(encryptionMetadata, inputStreamContainer, getNumberOfParts(), partNumber); } } diff --git a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobContainer.java b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobContainer.java index 3c2c717e6b1ea..9591643d899be 100644 --- a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobContainer.java +++ b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobContainer.java @@ -9,7 +9,7 @@ package org.opensearch.common.blobstore; import org.opensearch.common.CheckedBiConsumer; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.DecryptedRangedStreamProvider; import org.opensearch.common.crypto.EncryptedHeaderContentSupplier; import org.opensearch.common.io.InputStreamContainer; @@ -24,14 +24,14 @@ /** * EncryptedBlobContainer is a wrapper around BlobContainer that encrypts the data on the fly. */ -public class EncryptedBlobContainer implements BlobContainer { +public class EncryptedBlobContainer implements BlobContainer { private final BlobContainer blobContainer; - private final CryptoProvider cryptoProvider; + private final CryptoHandler cryptoHandler; - public EncryptedBlobContainer(BlobContainer blobContainer, CryptoProvider cryptoProvider) { + public EncryptedBlobContainer(BlobContainer blobContainer, CryptoHandler cryptoHandler) { this.blobContainer = blobContainer; - this.cryptoProvider = cryptoProvider; + this.cryptoHandler = cryptoHandler; } @Override @@ -47,7 +47,7 @@ public boolean blobExists(String blobName) throws IOException { @Override public InputStream readBlob(String blobName) throws IOException { InputStream inputStream = blobContainer.readBlob(blobName); - return cryptoProvider.createDecryptingStream(inputStream); + return cryptoHandler.createDecryptingStream(inputStream); } private EncryptedHeaderContentSupplier getEncryptedHeaderContentSupplier(String blobName) { @@ -64,8 +64,8 @@ private EncryptedHeaderContentSupplier getEncryptedHeaderContentSupplier(String @Override public InputStream readBlob(String blobName, long position, long length) throws IOException { - Object encryptionMetadata = cryptoProvider.loadEncryptionMetadata(getEncryptedHeaderContentSupplier(blobName)); - DecryptedRangedStreamProvider decryptedStreamProvider = cryptoProvider.createDecryptingStreamOfRange( + U encryptionMetadata = cryptoHandler.loadEncryptionMetadata(getEncryptedHeaderContentSupplier(blobName)); + DecryptedRangedStreamProvider decryptedStreamProvider = cryptoHandler.createDecryptingStreamOfRange( encryptionMetadata, position, position + length - 1 @@ -83,10 +83,10 @@ public long readBlobPreferredLength() { private void executeWrite(InputStream inputStream, long blobSize, CheckedBiConsumer writeConsumer) throws IOException { - Object cryptoContext = cryptoProvider.initEncryptionMetadata(); + T cryptoContext = cryptoHandler.initEncryptionMetadata(); InputStreamContainer streamContainer = new InputStreamContainer(inputStream, blobSize, 0); - InputStreamContainer encryptedStream = cryptoProvider.createEncryptingStream(cryptoContext, streamContainer); - long cryptoLength = cryptoProvider.estimateEncryptedLengthOfEntireContent(cryptoContext, blobSize); + InputStreamContainer encryptedStream = cryptoHandler.createEncryptingStream(cryptoContext, streamContainer); + long cryptoLength = cryptoHandler.estimateEncryptedLengthOfEntireContent(cryptoContext, blobSize); writeConsumer.accept(encryptedStream.getInputStream(), cryptoLength); } @@ -135,7 +135,7 @@ public Map children() throws IOException { if (children != null) { return children.entrySet() .stream() - .collect(Collectors.toMap(Map.Entry::getKey, entry -> new EncryptedBlobContainer(entry.getValue(), cryptoProvider))); + .collect(Collectors.toMap(Map.Entry::getKey, entry -> new EncryptedBlobContainer<>(entry.getValue(), cryptoHandler))); } else { return null; } @@ -157,7 +157,7 @@ private Map convertToEncryptedMetadataMap(Map new EncryptedBlobMetadata(entry.getValue(), cryptoProvider, getEncryptedHeaderContentSupplier(entry.getKey())) + entry -> new EncryptedBlobMetadata(entry.getValue(), cryptoHandler, getEncryptedHeaderContentSupplier(entry.getKey())) ) ); @@ -178,7 +178,7 @@ public void listBlobsByPrefixInSortedOrder( .map( blobMetadata -> new EncryptedBlobMetadata( blobMetadata, - cryptoProvider, + cryptoHandler, getEncryptedHeaderContentSupplier(blobMetadata.name()) ) ) diff --git a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobMetadata.java b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobMetadata.java index 315a96f1591bb..fbd3c304a00f0 100644 --- a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobMetadata.java +++ b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobMetadata.java @@ -8,7 +8,7 @@ package org.opensearch.common.blobstore; -import org.opensearch.common.crypto.CryptoProvider; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.EncryptedHeaderContentSupplier; import java.io.IOException; @@ -16,19 +16,19 @@ /** * Adjusts length of encrypted blob to raw length */ -public class EncryptedBlobMetadata implements BlobMetadata { +public class EncryptedBlobMetadata implements BlobMetadata { private final EncryptedHeaderContentSupplier encryptedHeaderContentSupplier; private final BlobMetadata delegate; - private final CryptoProvider cryptoProvider; + private final CryptoHandler cryptoHandler; public EncryptedBlobMetadata( BlobMetadata delegate, - CryptoProvider cryptoProvider, + CryptoHandler cryptoHandler, EncryptedHeaderContentSupplier encryptedHeaderContentSupplier ) { this.encryptedHeaderContentSupplier = encryptedHeaderContentSupplier; this.delegate = delegate; - this.cryptoProvider = cryptoProvider; + this.cryptoHandler = cryptoHandler; } @Override @@ -40,10 +40,10 @@ public String name() { public long length() { Object cryptoContext; try { - cryptoContext = cryptoProvider.loadEncryptionMetadata(encryptedHeaderContentSupplier); + cryptoContext = cryptoHandler.loadEncryptionMetadata(encryptedHeaderContentSupplier); } catch (IOException ex) { throw new RuntimeException(ex); } - return cryptoProvider.estimateDecryptedLength(cryptoContext, delegate.length()); + return cryptoHandler.estimateDecryptedLength((U) cryptoContext, delegate.length()); } } diff --git a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobStore.java b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobStore.java index dae6887db5f8f..ec62fdbabb270 100644 --- a/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobStore.java +++ b/server/src/main/java/org/opensearch/common/blobstore/EncryptedBlobStore.java @@ -25,7 +25,7 @@ public class EncryptedBlobStore implements BlobStore { private final BlobStore blobStore; - private final CryptoManager cryptoManager; + private final CryptoManager cryptoManager; /** * Constructs an EncryptedBlobStore that wraps the provided BlobStore with encryption capabilities based on the @@ -61,12 +61,12 @@ public EncryptedBlobStore(BlobStore blobStore, CryptoMetadata cryptoMetadata) { public BlobContainer blobContainer(BlobPath path) { BlobContainer blobContainer = blobStore.blobContainer(path); if (blobContainer instanceof AsyncMultiStreamBlobContainer) { - return new AsyncMultiStreamEncryptedBlobContainer( + return new AsyncMultiStreamEncryptedBlobContainer<>( (AsyncMultiStreamBlobContainer) blobContainer, cryptoManager.getCryptoProvider() ); } - return new EncryptedBlobContainer(blobContainer, cryptoManager.getCryptoProvider()); + return new EncryptedBlobContainer<>(blobContainer, cryptoManager.getCryptoProvider()); } /** diff --git a/server/src/main/java/org/opensearch/crypto/CryptoManagerRegistry.java b/server/src/main/java/org/opensearch/crypto/CryptoManagerRegistry.java index 086c3cd96e693..8ab83c9849a2d 100644 --- a/server/src/main/java/org/opensearch/crypto/CryptoManagerRegistry.java +++ b/server/src/main/java/org/opensearch/crypto/CryptoManagerRegistry.java @@ -39,7 +39,7 @@ public class CryptoManagerRegistry { // Package private for tests SetOnce cryptoManagerFactory = new SetOnce(); - private final Map registeredCryptoManagers = new HashMap<>(); + private final Map> registeredCryptoManagers = new HashMap<>(); private static volatile CryptoManagerRegistry instance; private static final Object lock = new Object(); @@ -145,8 +145,8 @@ public CryptoKeyProviderPlugin getCryptoKeyProviderPlugin(String keyProviderType * @return The crypto manager for performing encrypt/decrypt operations. * @throws CryptoRegistryException If the key provider is not installed or there is an error during crypto manager creation. */ - public CryptoManager fetchCryptoManager(CryptoMetadata cryptoMetadata) { - CryptoManager cryptoManager = registeredCryptoManagers.get(cryptoMetadata); + public CryptoManager fetchCryptoManager(CryptoMetadata cryptoMetadata) { + CryptoManager cryptoManager = registeredCryptoManagers.get(cryptoMetadata); if (cryptoManager == null) { synchronized (registeredCryptoManagers) { cryptoManager = registeredCryptoManagers.get(cryptoMetadata); @@ -164,7 +164,7 @@ public CryptoManager fetchCryptoManager(CryptoMetadata cryptoMetadata) { return cryptoManager; } - private CryptoManager createCryptoManager(CryptoMetadata cryptoMetadata, Runnable onClose) { + private CryptoManager createCryptoManager(CryptoMetadata cryptoMetadata, Runnable onClose) { logger.debug("creating crypto client [{}][{}]", cryptoMetadata.keyProviderType(), cryptoMetadata.keyProviderName()); CryptoKeyProviderPlugin keyProviderPlugin = getCryptoKeyProviderPlugin(cryptoMetadata.keyProviderType()); if (keyProviderPlugin == null) { diff --git a/server/src/test/java/org/opensearch/repositories/RepositoriesServiceTests.java b/server/src/test/java/org/opensearch/repositories/RepositoriesServiceTests.java index 866ed1b0f7c3b..76a204f5e3976 100644 --- a/server/src/test/java/org/opensearch/repositories/RepositoriesServiceTests.java +++ b/server/src/test/java/org/opensearch/repositories/RepositoriesServiceTests.java @@ -34,8 +34,6 @@ import org.apache.lucene.index.IndexCommit; import org.opensearch.Version; -import org.opensearch.common.crypto.CryptoProvider; -import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.cluster.crypto.CryptoSettings; import org.opensearch.action.admin.cluster.repositories.put.PutRepositoryRequest; import org.opensearch.cluster.AckedClusterStateUpdateTask; @@ -56,17 +54,19 @@ import org.opensearch.common.UUIDs; import org.opensearch.common.blobstore.BlobPath; import org.opensearch.common.blobstore.BlobStore; +import org.opensearch.common.crypto.CryptoHandler; import org.opensearch.common.crypto.DecryptedRangedStreamProvider; import org.opensearch.common.crypto.EncryptedHeaderContentSupplier; +import org.opensearch.common.io.InputStreamContainer; import org.opensearch.common.lifecycle.Lifecycle; import org.opensearch.common.lifecycle.LifecycleListener; -import org.opensearch.common.io.InputStreamContainer; import org.opensearch.common.settings.Settings; +import org.opensearch.core.action.ActionListener; import org.opensearch.core.common.Strings; +import org.opensearch.core.index.shard.ShardId; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.encryption.CryptoManager; import org.opensearch.index.mapper.MapperService; -import org.opensearch.core.index.shard.ShardId; import org.opensearch.index.snapshots.IndexShardSnapshotStatus; import org.opensearch.index.snapshots.blobstore.RemoteStoreShardShallowCopySnapshot; import org.opensearch.index.store.Store; @@ -529,7 +529,7 @@ private void assertThrowsOnRegister(String repoName) { expectThrows(RepositoryException.class, () -> repositoriesService.registerRepository(request, null)); } - private static class TestCryptoProvider implements CryptoProvider { + private static class TestCryptoHandler implements CryptoHandler { @Override public Object initEncryptionMetadata() { @@ -586,16 +586,16 @@ public long estimateDecryptedLength(Object cryptoContext, long contentLength) { } } - private static abstract class TestCryptoManager implements CryptoManager { + private static abstract class TestCryptoManager implements CryptoManager { private final String name; private final AtomicInteger ref; - private final CryptoProvider cryptoProvider; + private final CryptoHandler cryptoHandler; public TestCryptoManager(Settings settings, String keyProviderName) { this.name = keyProviderName; this.ref = new AtomicInteger(1); - this.cryptoProvider = new TestCryptoProvider(); + this.cryptoHandler = new TestCryptoHandler(); } @Override @@ -624,8 +624,8 @@ public String name() { return name; } - public CryptoProvider getCryptoProvider() { - return cryptoProvider; + public CryptoHandler getCryptoProvider() { + return cryptoHandler; } }