EncryptionContext.java
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.cassandra.security;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Objects;
import org.apache.cassandra.config.TransparentDataEncryptionOptions;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.io.compress.ICompressor;
import org.apache.cassandra.io.compress.LZ4Compressor;
import org.apache.cassandra.utils.Hex;
/**
 * A (largely) immutable wrapper for the application-wide file-level encryption settings.
 */
public class EncryptionContext
{
    public static final String ENCRYPTION_CIPHER = "encCipher";
    public static final String ENCRYPTION_KEY_ALIAS = "encKeyAlias";
    public static final String ENCRYPTION_IV = "encIV";
    private final TransparentDataEncryptionOptions tdeOptions;
    private final ICompressor compressor;
    private final CipherFactory cipherFactory;
    private final byte[] iv;
    private final int chunkLength;
    public EncryptionContext()
    {
        this(new TransparentDataEncryptionOptions());
    }
    public EncryptionContext(TransparentDataEncryptionOptions tdeOptions)
    {
        this(tdeOptions, null, true);
    }
    @VisibleForTesting
    public EncryptionContext(TransparentDataEncryptionOptions tdeOptions, byte[] iv, boolean init)
    {
        this.tdeOptions = tdeOptions;
        compressor = LZ4Compressor.create(Collections.<String, String>emptyMap());
        chunkLength = tdeOptions.chunk_length_kb * 1024;
        this.iv = iv;
        // always attempt to load the cipher factory, as we could be in the situation where the user has disabled encryption,
        // but has existing commitlogs and sstables on disk that are still encrypted (and still need to be read)
        CipherFactory factory = null;
        if (tdeOptions.enabled && init)
        {
            try
            {
                factory = new CipherFactory(tdeOptions);
            }
            catch (Exception e)
            {
                throw new ConfigurationException("failed to load key provider for transparent data encryption", e);
            }
        }
        cipherFactory = factory;
    }
    public ICompressor getCompressor()
    {
        return compressor;
    }
    public Cipher getEncryptor() throws IOException
    {
        return cipherFactory.getEncryptor(tdeOptions.cipher, tdeOptions.key_alias);
    }
    public Cipher getDecryptor() throws IOException
    {
        if (iv == null || iv.length == 0)
            throw new IllegalStateException("no initialization vector (IV) found in this context");
        return cipherFactory.getDecryptor(tdeOptions.cipher, tdeOptions.key_alias, iv);
    }
    public boolean isEnabled()
    {
        return tdeOptions.enabled;
    }
    public int getChunkLength()
    {
        return chunkLength;
    }
    public byte[] getIV()
    {
        return iv;
    }
    public TransparentDataEncryptionOptions getTransparentDataEncryptionOptions()
    {
        return tdeOptions;
    }
    public boolean equals(Object o)
    {
        return o instanceof EncryptionContext && equals((EncryptionContext) o);
    }
    public boolean equals(EncryptionContext other)
    {
        return Objects.equal(tdeOptions, other.tdeOptions)
               && Objects.equal(compressor, other.compressor)
               && Arrays.equals(iv, other.iv);
    }
    public Map<String, String> toHeaderParameters()
    {
        Map<String, String> map = new HashMap<>(3);
        // add compression options, someday ...
        if (tdeOptions.enabled)
        {
            map.put(ENCRYPTION_CIPHER, tdeOptions.cipher);
            map.put(ENCRYPTION_KEY_ALIAS, tdeOptions.key_alias);
            if (iv != null && iv.length > 0)
                map.put(ENCRYPTION_IV, Hex.bytesToHex(iv));
        }
        return map;
    }
    /**
     * If encryption headers are found in the {@code parameters},
     * those headers are merged with the application-wide {@code encryptionContext}.
     */
    public static EncryptionContext createFromMap(Map<?, ?> parameters, EncryptionContext encryptionContext)
    {
        if (parameters == null || parameters.isEmpty())
            return new EncryptionContext(new TransparentDataEncryptionOptions(false));
        String keyAlias = (String)parameters.get(ENCRYPTION_KEY_ALIAS);
        String cipher = (String)parameters.get(ENCRYPTION_CIPHER);
        String ivString = (String)parameters.get(ENCRYPTION_IV);
        if (keyAlias == null || cipher == null)
            return new EncryptionContext(new TransparentDataEncryptionOptions(false));
        TransparentDataEncryptionOptions tdeOptions = new TransparentDataEncryptionOptions(cipher, keyAlias, encryptionContext.getTransparentDataEncryptionOptions().key_provider);
        byte[] iv = ivString != null ? Hex.hexToBytes(ivString) : null;
        return new EncryptionContext(tdeOptions, iv, true);
    }
}