public _ProviderCallable_256(string name, byte[] material, KeyProvider.Options options
)
{
this.name = name;
this.material = material;
this.options = options;
}
/// <exception cref="System.Exception"/>
public KeyProvider.KeyVersion Run()
{
KeyProvider.Options opt = TestKeyAuthorizationKeyProvider.NewOptions(conf);
IDictionary <string, string> m = new Dictionary <string, string>();
m["key.acl.name"] = "testKey";
opt.SetAttributes(m);
try
{
KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt);
kpExt.RollNewVersion(kv.GetName());
kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16));
kpExt.DeleteKey(kv.GetName());
}
catch (IOException)
{
NUnit.Framework.Assert.Fail("User should be Authorized !!");
}
KeyProvider.KeyVersion retkv = null;
try
{
retkv = kpExt.CreateKey("bar", SecureRandom.GetSeed(16), opt);
kpExt.GenerateEncryptedKey(retkv.GetName());
NUnit.Framework.Assert.Fail("User should NOT be Authorized to generate EEK !!");
}
catch (IOException)
{
}
NUnit.Framework.Assert.IsNotNull(retkv);
return(retkv);
}
private static KeyProvider.Options NewOptions(Configuration conf)
{
KeyProvider.Options options = new KeyProvider.Options(conf);
options.SetCipher(Cipher);
options.SetBitLength(128);
return(options);
}
/* Helper function to create a key in the Key Provider. */
/// <exception cref="Sharpen.NoSuchAlgorithmException"/>
/// <exception cref="System.IO.IOException"/>
private void CreateAKey(string keyName, Configuration conf)
{
KeyProvider provider = dfsCluster.GetNameNode().GetNamesystem().GetProvider();
KeyProvider.Options options = KeyProvider.Options(conf);
provider.CreateKey(keyName, options);
provider.Flush();
}
public _PrivilegedExceptionAction_132(KMS _enclosing, string material, string name
, KeyProvider.Options options)
{
this._enclosing = _enclosing;
this.material = material;
this.name = name;
this.options = options;
}
/// <exception cref="NoSuchAlgorithmException"/>
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, KeyProvider.Options
options)
{
try
{
return(DoOp(new _ProviderCallable_268(name, options), NextIdx()));
}
catch (LoadBalancingKMSClientProvider.WrapperException e)
{
throw (NoSuchAlgorithmException)e.InnerException;
}
}
/// <exception cref="NoSuchAlgorithmException"/>
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, KeyProvider.Options
options)
{
writeLock.Lock();
try
{
AuthorizeCreateKey(name, options, GetUser());
return(provider.CreateKey(name, options));
}
finally
{
writeLock.Unlock();
}
}
public virtual Response CreateKey(IDictionary jsonKey)
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
string name = (string)jsonKey[KMSRESTConstants.NameField];
KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField);
AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name);
string cipher = (string)jsonKey[KMSRESTConstants.CipherField];
string material = (string)jsonKey[KMSRESTConstants.MaterialField];
int length = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants
.LengthField] : 0;
string description = (string)jsonKey[KMSRESTConstants.DescriptionField];
IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants
.AttributesField];
if (material != null)
{
AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name);
}
KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration(
));
if (cipher != null)
{
options.SetCipher(cipher);
}
if (length != 0)
{
options.SetBitLength(length);
}
options.SetDescription(description);
options.SetAttributes(attributes);
KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132(
this, material, name, options));
kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material
!= null) + " Description:" + description);
if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user))
{
keyVersion = RemoveKeyMaterial(keyVersion);
}
IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion);
string requestURL = KMSMDCFilter.GetURL();
int idx = requestURL.LastIndexOf(KMSRESTConstants.KeysResource);
requestURL = Runtime.Substring(requestURL, 0, idx);
string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name;
return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location"
, keyURL).Entity(json).Build());
}
/// <exception cref="System.Exception"/>
public Void Run()
{
KeyProvider.Options opt = TestKeyAuthorizationKeyProvider.NewOptions(conf);
IDictionary <string, string> m = new Dictionary <string, string>();
m["key.acl.name"] = "testKey";
opt.SetAttributes(m);
KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt);
kpExt.RollNewVersion(kv.GetName());
kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16));
KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv
.GetName());
ekv = KeyProviderCryptoExtension.EncryptedKeyVersion.CreateForDecryption(ekv.GetEncryptionKeyName
() + "x", ekv.GetEncryptionKeyVersionName(), ekv.GetEncryptedKeyIv(), ekv.GetEncryptedKeyVersion
().GetMaterial());
kpExt.DecryptEncryptedKey(ekv);
return(null);
}
/// <exception cref="System.Exception"/>
public Void Run()
{
KeyProvider.Options opt = TestKeyAuthorizationKeyProvider.NewOptions(conf);
IDictionary <string, string> m = new Dictionary <string, string>();
m["key.acl.name"] = "testKey";
opt.SetAttributes(m);
try
{
KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt);
kpExt.RollNewVersion(kv.GetName());
kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16));
KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv
.GetName());
kpExt.DecryptEncryptedKey(ekv);
kpExt.DeleteKey(kv.GetName());
}
catch (IOException)
{
NUnit.Framework.Assert.Fail("User should be Allowed to do everything !!");
}
return(null);
}
// This method first checks if "key.acl.name" attribute is present as an
// attribute in the provider Options. If yes, use the aclName for any
// subsequent access checks, else use the keyName as the aclName and set it
// as the value of the "key.acl.name" in the key's metadata.
/// <exception cref="System.IO.IOException"/>
private void AuthorizeCreateKey(string keyName, KeyProvider.Options options, UserGroupInformation
ugi)
{
Preconditions.CheckNotNull(ugi, "UserGroupInformation cannot be null");
IDictionary <string, string> attributes = options.GetAttributes();
string aclName = attributes[KeyAclName];
bool success = false;
if (Strings.IsNullOrEmpty(aclName))
{
if (acls.IsACLPresent(keyName, KeyAuthorizationKeyProvider.KeyOpType.Management))
{
options.SetAttributes(ImmutableMap.Builder <string, string>().PutAll(attributes).Put
(KeyAclName, keyName).Build());
success = acls.HasAccessToKey(keyName, ugi, KeyAuthorizationKeyProvider.KeyOpType
.Management) || acls.HasAccessToKey(keyName, ugi, KeyAuthorizationKeyProvider.KeyOpType
.All);
}
else
{
success = false;
}
}
else
{
success = acls.IsACLPresent(aclName, KeyAuthorizationKeyProvider.KeyOpType.Management
) && (acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.Management
) || acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.All
));
}
if (!success)
{
throw new AuthorizationException(string.Format("User [%s] is not" + " authorized to create key !!"
, ugi.GetShortUserName()));
}
}
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, byte[] material, KeyProvider.Options
options)
{
return(null);
}
/// <exception cref="NoSuchAlgorithmException"/>
/// <exception cref="System.IO.IOException"/>
private KeyProvider.KeyVersion CreateKeyInternal(string name, byte[] material, KeyProvider.Options
options)
{
CheckNotEmpty(name, "name");
CheckNotNull(options, "options");
IDictionary <string, object> jsonKey = new Dictionary <string, object>();
jsonKey[KMSRESTConstants.NameField] = name;
jsonKey[KMSRESTConstants.CipherField] = options.GetCipher();
jsonKey[KMSRESTConstants.LengthField] = options.GetBitLength();
if (material != null)
{
jsonKey[KMSRESTConstants.MaterialField] = Base64.EncodeBase64String(material);
}
if (options.GetDescription() != null)
{
jsonKey[KMSRESTConstants.DescriptionField] = options.GetDescription();
}
if (options.GetAttributes() != null && !options.GetAttributes().IsEmpty())
{
jsonKey[KMSRESTConstants.AttributesField] = options.GetAttributes();
}
Uri url = CreateURL(KMSRESTConstants.KeysResource, null, null, null);
HttpURLConnection conn = CreateConnection(url, HttpPost);
conn.SetRequestProperty(ContentType, ApplicationJsonMime);
IDictionary response = Call <IDictionary>(conn, jsonKey, HttpURLConnection.HttpCreated
);
return(ParseJSONKeyVersion(response));
}
/// <exception cref="NoSuchAlgorithmException"/>
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, KeyProvider.Options
options)
{
return(CreateKeyInternal(name, null, options));
}
public _ProviderCallable_268(string name, KeyProvider.Options options)
{
this.name = name;
this.options = options;
}
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, byte[] material, KeyProvider.Options
options)
{
CheckNotNull(material, "material");
try
{
return(CreateKeyInternal(name, material, options));
}
catch (NoSuchAlgorithmException ex)
{
throw new RuntimeException("It should not happen", ex);
}
}
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion CreateKey(string name, byte[] material, KeyProvider.Options
options)
{
return(DoOp(new _ProviderCallable_256(name, material, options), NextIdx()));
}
