protected internal virtual KeyProvider GetKeyProvider()
{
KeyProvider provider = null;
IList <KeyProvider> providers;
try
{
providers = KeyProviderFactory.GetProviders(this._enclosing.GetConf());
if (this._enclosing.userSuppliedProvider)
{
provider = providers[0];
}
else
{
foreach (KeyProvider p in providers)
{
if (!p.IsTransient())
{
provider = p;
break;
}
}
}
}
catch (IOException e)
{
Runtime.PrintStackTrace(e, this._enclosing.err);
}
return(provider);
}
public virtual void TestOptions()
{
Configuration conf = new Configuration();
conf.Set(KeyProvider.DefaultCipherName, "myCipher");
conf.SetInt(KeyProvider.DefaultBitlengthName, 512);
IDictionary <string, string> attributes = new Dictionary <string, string>();
attributes["a"] = "A";
KeyProvider.Options options = KeyProvider.Options(conf);
Assert.Equal("myCipher", options.GetCipher());
Assert.Equal(512, options.GetBitLength());
options.SetCipher("yourCipher");
options.SetDescription("description");
options.SetAttributes(attributes);
options.SetBitLength(128);
Assert.Equal("yourCipher", options.GetCipher());
Assert.Equal(128, options.GetBitLength());
Assert.Equal("description", options.GetDescription());
Assert.Equal(attributes, options.GetAttributes());
options = KeyProvider.Options(new Configuration());
Assert.Equal(KeyProvider.DefaultCipher, options.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, options.GetBitLength
());
}
/// <exception cref="System.IO.IOException"/>
public static IList <KeyProvider> GetProviders(Configuration conf)
{
IList <KeyProvider> result = new AList <KeyProvider>();
foreach (string path in conf.GetStringCollection(KeyProviderPath))
{
try
{
URI uri = new URI(path);
KeyProvider kp = Get(uri, conf);
if (kp != null)
{
result.AddItem(kp);
}
else
{
throw new IOException("No KeyProviderFactory for " + uri + " in " + KeyProviderPath
);
}
}
catch (URISyntaxException error)
{
throw new IOException("Bad configuration of " + KeyProviderPath + " at " + path,
error);
}
}
return(result);
}
public virtual void TestKeyVersion()
{
KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion>
();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))).
ThenReturn(mockKey);
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k2@0"))).
ThenReturn(null);
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
// asserting caching
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
Thread.Sleep(200);
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
// asserting no caching when key is not known
cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(null, cache.GetKeyVersion("k2@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k2@0"));
Assert.Equal(null, cache.GetKeyVersion("k2@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k2@0"));
}
public virtual void TestMetadata()
{
KeyProvider.Metadata mockMeta = Org.Mockito.Mockito.Mock <KeyProvider.Metadata>();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetMetadata(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(mockMeta);
Org.Mockito.Mockito.When(mockProv.GetMetadata(Org.Mockito.Mockito.Eq("k2"))).ThenReturn
(null);
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
// asserting caching
Assert.Equal(mockMeta, cache.GetMetadata("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetMetadata(Org.Mockito.Mockito
.Eq("k1"));
Assert.Equal(mockMeta, cache.GetMetadata("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetMetadata(Org.Mockito.Mockito
.Eq("k1"));
Thread.Sleep(200);
Assert.Equal(mockMeta, cache.GetMetadata("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetMetadata(Org.Mockito.Mockito
.Eq("k1"));
// asserting no caching when key is not known
cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(null, cache.GetMetadata("k2"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetMetadata(Org.Mockito.Mockito
.Eq("k2"));
Assert.Equal(null, cache.GetMetadata("k2"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetMetadata(Org.Mockito.Mockito
.Eq("k2"));
}
public virtual void TestBuildVersionName()
{
Assert.Equal("/a/b@3", KeyProvider.BuildVersionName("/a/b", 3)
);
Assert.Equal("/aaa@12", KeyProvider.BuildVersionName("/aaa", 12
));
}
public virtual void TestDeleteKey()
{
KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion>
();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetCurrentKey(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(mockKey);
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))).
ThenReturn(mockKey);
Org.Mockito.Mockito.When(mockProv.GetMetadata(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(new KMSClientProvider.KMSMetadata("c", 0, "l", null, new DateTime(), 1));
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
cache.DeleteKey("k1");
// asserting the cache is purged
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
}
/// <exception cref="System.Exception"/>
public virtual void CheckPermissionRetention(Configuration conf, string ourUrl, Path
path)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// let's add a new key and flush and check that permissions are still set to 777
byte[] key = new byte[16];
for (int i = 0; i < key.Length; ++i)
{
key[i] = unchecked ((byte)i);
}
// create a new key
try
{
provider.CreateKey("key5", key, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(key, provider.GetCurrentKey("key5").GetMaterial());
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True("Permissions should have been retained from the preexisting keystore."
, s.GetPermission().ToString().Equals("rwxrwxrwx"));
}
/// <summary>
/// Creates a <code>KeyProviderDelegationTokenExtension</code> using a given
/// <see cref="KeyProvider"/>
/// .
/// <p/>
/// If the given <code>KeyProvider</code> implements the
/// <see cref="DelegationTokenExtension"/>
/// interface the <code>KeyProvider</code>
/// itself will provide the extension functionality, otherwise a default
/// extension implementation will be used.
/// </summary>
/// <param name="keyProvider">
/// <code>KeyProvider</code> to use to create the
/// <code>KeyProviderDelegationTokenExtension</code> extension.
/// </param>
/// <returns>
/// a <code>KeyProviderDelegationTokenExtension</code> instance
/// using the given <code>KeyProvider</code>.
/// </returns>
public static KeyProviderDelegationTokenExtension CreateKeyProviderDelegationTokenExtension
(KeyProvider keyProvider)
{
KeyProviderDelegationTokenExtension.DelegationTokenExtension delTokExtension = (keyProvider
is KeyProviderDelegationTokenExtension.DelegationTokenExtension) ? (KeyProviderDelegationTokenExtension.DelegationTokenExtension
)keyProvider : DefaultExtension;
return(new KeyProviderDelegationTokenExtension(keyProvider, delTokExtension));
}
/// <exception cref="System.IO.IOException"/>
private void VerifyAfterReload(FilePath file, KeyProvider provider)
{
IList <string> existingKeys = provider.GetKeys();
Assert.True(existingKeys.Contains("key4"));
Assert.True(existingKeys.Contains("key3"));
Assert.True(file.Exists());
}
/// <summary>
/// Creates a <code>KeyProviderCryptoExtension</code> using a given
/// <see cref="KeyProvider"/>
/// .
/// <p/>
/// If the given <code>KeyProvider</code> implements the
/// <see cref="CryptoExtension"/>
/// interface the <code>KeyProvider</code> itself
/// will provide the extension functionality, otherwise a default extension
/// implementation will be used.
/// </summary>
/// <param name="keyProvider">
/// <code>KeyProvider</code> to use to create the
/// <code>KeyProviderCryptoExtension</code> extension.
/// </param>
/// <returns>
/// a <code>KeyProviderCryptoExtension</code> instance using the
/// given <code>KeyProvider</code>.
/// </returns>
public static KeyProviderCryptoExtension CreateKeyProviderCryptoExtension(KeyProvider
keyProvider)
{
KeyProviderCryptoExtension.CryptoExtension cryptoExtension = (keyProvider is KeyProviderCryptoExtension.CryptoExtension
) ? (KeyProviderCryptoExtension.CryptoExtension)keyProvider : new KeyProviderCryptoExtension.DefaultCryptoExtension
(keyProvider);
return(new KeyProviderCryptoExtension(keyProvider, cryptoExtension));
}
public virtual void TestJksProviderPasswordViaConfig()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
try
{
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "javakeystoreprovider.password"
);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
provider.CreateKey("key3", new byte[16], KeyProvider.Options(conf));
provider.Flush();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("could not create keystore with password file");
}
KeyProvider provider_1 = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsNotNull(provider_1.GetCurrentKey("key3"));
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "bar");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using non existing password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Set(JavaKeyStoreProvider.KeystorePasswordFileKey, "core-site.xml");
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("using different password file, it should fail");
}
catch (IOException)
{
}
//NOP
try
{
conf.Unset(JavaKeyStoreProvider.KeystorePasswordFileKey);
KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("No password file property, env not set, it should fail"
);
}
catch (IOException)
{
}
}
internal CacheExtension(KeyProvider prov, long keyTimeoutMillis, long currKeyTimeoutMillis
)
{
this.provider = prov;
keyVersionCache = CacheBuilder.NewBuilder().ExpireAfterAccess(keyTimeoutMillis, TimeUnit
.Milliseconds).Build(new _CacheLoader_49(this));
keyMetadataCache = CacheBuilder.NewBuilder().ExpireAfterAccess(keyTimeoutMillis,
TimeUnit.Milliseconds).Build(new _CacheLoader_62(this));
currentKeyCache = CacheBuilder.NewBuilder().ExpireAfterWrite(currKeyTimeoutMillis
, TimeUnit.Milliseconds).Build(new _CacheLoader_75(this));
}
public static void Setup()
{
conf = new Configuration();
kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf);
kpExt = KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension(kp);
options = new KeyProvider.Options(conf);
options.SetCipher(Cipher);
options.SetBitLength(128);
encryptionKey = kp.CreateKey(EncryptionKeyName, SecureRandom.GetSeed(16), options
);
}
public virtual void TestGetProviderViaURI()
{
Configuration conf = new Configuration(false);
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
URI uri = new URI(JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri());
KeyProvider kp = KeyProviderFactory.Get(uri, conf);
NUnit.Framework.Assert.IsNotNull(kp);
Assert.Equal(typeof(JavaKeyStoreProvider), kp.GetType());
uri = new URI("foo://bar");
kp = KeyProviderFactory.Get(uri, conf);
NUnit.Framework.Assert.IsNull(kp);
}
/// <summary>Create a KeyProvider based on a provided URI.</summary>
/// <param name="uri">key provider URI</param>
/// <param name="conf">configuration to initialize the key provider</param>
/// <returns>
/// the key provider for the specified URI, or <code>NULL</code> if
/// a provider for the specified URI scheme could not be found.
/// </returns>
/// <exception cref="System.IO.IOException">thrown if the provider failed to initialize.
/// </exception>
public static KeyProvider Get(URI uri, Configuration conf)
{
KeyProvider kp = null;
foreach (KeyProviderFactory factory in serviceLoader)
{
kp = factory.CreateProvider(uri, conf);
if (kp != null)
{
break;
}
}
return(kp);
}
public virtual void TestParseVersionName()
{
Assert.Equal("/a/b", KeyProvider.GetBaseName("/a/b@3"));
Assert.Equal("/aaa", KeyProvider.GetBaseName("/aaa@112"));
try
{
KeyProvider.GetBaseName("no-slashes");
Assert.True("should have thrown", false);
}
catch (IOException)
{
Assert.True(true);
}
}
public virtual void TestJksProviderWithKeytoolKeys()
{
Configuration conf = new Configuration();
string keystoreDirAbsolutePath = conf.GetResource("hdfs7067.keystore").AbsolutePath;
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file@/" + keystoreDirAbsolutePath;
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// Sanity check that we are using the right keystore
KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion("testkey5@0");
try
{
KeyProvider.KeyVersion keyVersionWrongKeyNameFormat = provider.GetKeyVersion("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception");
}
catch (IOException e)
{
// No version in key path testkey2/
GenericTestUtils.AssertExceptionContains("No version in key path", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotWrongKeyNameFormat = provider.GetCurrentKey
("testkey5@0");
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey5@0");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotReally = provider.GetCurrentKey("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey2");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
}
public virtual void TestRollNewVersion()
{
KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion>
();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetCurrentKey(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(mockKey);
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
cache.RollNewVersion("k1");
// asserting the cache is purged
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
cache.RollNewVersion("k1", new byte[0]);
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(3)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
}
/// <exception cref="System.Exception"/>
internal static void CheckSpecificProvider(Configuration conf, string ourUrl)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
byte[] key1 = new byte[16];
byte[] key2 = new byte[16];
byte[] key3 = new byte[16];
for (int i = 0; i < key1.Length; ++i)
{
key1[i] = unchecked ((byte)i);
key2[i] = unchecked ((byte)(i * 2));
key3[i] = unchecked ((byte)(i * 3));
}
// ensure that we get nulls when the key isn't there
Assert.Equal(null, provider.GetKeyVersion("no-such-key"));
Assert.Equal(null, provider.GetMetadata("key"));
// create a new key
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
// check the metadata for key3
KeyProvider.Metadata meta = provider.GetMetadata("key3");
Assert.Equal(KeyProvider.DefaultCipher, meta.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, meta.GetBitLength()
);
Assert.Equal(1, meta.GetVersions());
// make sure we get back the right key
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
// try recreating key3
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 already exists in " + ourUrl, e.Message
);
}
provider.DeleteKey("key3");
try
{
provider.DeleteKey("key3");
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 does not exist in " + ourUrl, e.Message
);
}
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
try
{
provider.CreateKey("key4", key3, KeyProvider.Options(conf).SetBitLength(8));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
provider.CreateKey("key4", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
provider.RollNewVersion("key4", new byte[] { 2 });
meta = provider.GetMetadata("key4");
Assert.Equal(2, meta.GetVersions());
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(new byte[] { 1 }, provider.GetKeyVersion("key4@0").GetMaterial
());
Assert.Equal("key4@1", provider.GetCurrentKey("key4").GetVersionName
());
try
{
provider.RollNewVersion("key4", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
try
{
provider.RollNewVersion("no-such-key", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key no-such-key not found", e.Message);
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
IList <string> keys = provider.GetKeys();
Assert.True("Keys should have been returned.", keys.Count == 2);
Assert.True("Returned Keys should have included key3.", keys.Contains
("key3"));
Assert.True("Returned Keys should have included key4.", keys.Contains
("key4"));
IList <KeyProvider.KeyVersion> kvl = provider.GetKeyVersions("key3");
Assert.True("KeyVersions should have been returned for key3.",
kvl.Count == 1);
Assert.True("KeyVersions should have included key3@0.", kvl[0].
GetVersionName().Equals("key3@0"));
Assert.AssertArrayEquals(key3, kvl[0].GetMaterial());
}
private DefaultCryptoExtension(KeyProvider keyProvider)
{
this.keyProvider = keyProvider;
}
public KeyProviderExtension(KeyProvider keyProvider, E extensions)
: base(keyProvider.GetConf())
{
this.keyProvider = keyProvider;
this.extension = extensions;
}
/// <summary>
/// This constructor is to be used by sub classes that provide
/// delegating/proxying functionality to the
/// <see cref="KeyProviderCryptoExtension"/>
/// </summary>
/// <param name="keyProvider"/>
/// <param name="extension"/>
protected internal KeyProviderCryptoExtension(KeyProvider keyProvider, KeyProviderCryptoExtension.CryptoExtension
extension)
: base(keyProvider, extension)
{
}
public CachingKeyProvider(KeyProvider keyProvider, long keyTimeoutMillis, long currKeyTimeoutMillis
)
: base(keyProvider, new CachingKeyProvider.CacheExtension(keyProvider, keyTimeoutMillis
, currKeyTimeoutMillis))
{
}
/// <summary>
/// Parse the command line arguments and initialize the data
/// <pre>
/// % hadoop key create keyName [-size size] [-cipher algorithm]
/// [-provider providerPath]
/// % hadoop key roll keyName [-provider providerPath]
/// % hadoop key list [-provider providerPath]
/// % hadoop key delete keyName [-provider providerPath] [-i]
/// </pre>
/// </summary>
/// <param name="args">Command line arguments.</param>
/// <returns>0 on success, 1 on failure.</returns>
/// <exception cref="System.IO.IOException"/>
private int Init(string[] args)
{
KeyProvider.Options options = KeyProvider.Options(GetConf());
IDictionary <string, string> attributes = new Dictionary <string, string>();
for (int i = 0; i < args.Length; i++)
{
// parse command line
bool moreTokens = (i < args.Length - 1);
if (args[i].Equals("create"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.CreateCommand(this, keyName, options);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if (args[i].Equals("delete"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.DeleteCommand(this, keyName);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if (args[i].Equals("roll"))
{
string keyName = "-help";
if (moreTokens)
{
keyName = args[++i];
}
command = new KeyShell.RollCommand(this, keyName);
if ("-help".Equals(keyName))
{
PrintKeyShellUsage();
return(1);
}
}
else
{
if ("list".Equals(args[i]))
{
command = new KeyShell.ListCommand(this);
}
else
{
if ("-size".Equals(args[i]) && moreTokens)
{
options.SetBitLength(System.Convert.ToInt32(args[++i]));
}
else
{
if ("-cipher".Equals(args[i]) && moreTokens)
{
options.SetCipher(args[++i]);
}
else
{
if ("-description".Equals(args[i]) && moreTokens)
{
options.SetDescription(args[++i]);
}
else
{
if ("-attr".Equals(args[i]) && moreTokens)
{
string[] attrval = args[++i].Split("=", 2);
string attr = attrval[0].Trim();
string val = attrval[1].Trim();
if (attr.IsEmpty() || val.IsEmpty())
{
@out.WriteLine("\nAttributes must be in attribute=value form, " + "or quoted\nlike \"attribute = value\"\n"
);
PrintKeyShellUsage();
return(1);
}
if (attributes.Contains(attr))
{
@out.WriteLine("\nEach attribute must correspond to only one value:\n" + "atttribute \""
+ attr + "\" was repeated\n");
PrintKeyShellUsage();
return(1);
}
attributes[attr] = val;
}
else
{
if ("-provider".Equals(args[i]) && moreTokens)
{
userSuppliedProvider = true;
GetConf().Set(KeyProviderFactory.KeyProviderPath, args[++i]);
}
else
{
if ("-metadata".Equals(args[i]))
{
GetConf().SetBoolean(ListMetadata, true);
}
else
{
if ("-f".Equals(args[i]) || ("-force".Equals(args[i])))
{
interactive = false;
}
else
{
if ("-help".Equals(args[i]))
{
PrintKeyShellUsage();
return(1);
}
else
{
PrintKeyShellUsage();
ToolRunner.PrintGenericCommandUsage(System.Console.Error);
return(1);
}
}
}
}
}
}
}
}
}
}
}
}
}
if (command == null)
{
PrintKeyShellUsage();
return(1);
}
if (!attributes.IsEmpty())
{
options.SetAttributes(attributes);
}
return(0);
}
public virtual void TestJksProvider()
{
Configuration conf = new Configuration();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file" + jksPath.ToUri();
FilePath file = new FilePath(testRootDir, "test.jks");
file.Delete();
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
CheckSpecificProvider(conf, ourUrl);
// START : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(JavaKeyStoreProvider.
SchemeName, FailureInjectingJavaKeyStoreProvider.SchemeName));
// get a new instance of the provider to ensure it was saved correctly
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// inject failure during keystore write
FailureInjectingJavaKeyStoreProvider fProvider = (FailureInjectingJavaKeyStoreProvider
)provider;
fProvider.SetWriteFail(true);
provider.CreateKey("key5", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key5"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key5"));
// Un-inject last failure and
// inject failure during keystore backup
fProvider.SetWriteFail(false);
fProvider.SetBackupFail(true);
provider.CreateKey("key6", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
NUnit.Framework.Assert.IsNotNull(provider.GetCurrentKey("key6"));
try
{
provider.Flush();
NUnit.Framework.Assert.Fail("Should not succeed");
}
catch (Exception)
{
}
// Ignore
// SHould be reset to pre-flush state
NUnit.Framework.Assert.IsNull(provider.GetCurrentKey("key6"));
// END : Test flush error by failure injection
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl.Replace(FailureInjectingJavaKeyStoreProvider
.SchemeName, JavaKeyStoreProvider.SchemeName));
Path path = ProviderUtils.UnnestUri(new URI(ourUrl));
FileSystem fs = path.GetFileSystem(conf);
FileStatus s = fs.GetFileStatus(path);
Assert.True(s.GetPermission().ToString().Equals("rwx------"));
Assert.True(file + " should exist", file.IsFile());
// Corrupt file and Check if JKS can reload from _OLD file
FilePath oldFile = new FilePath(file.GetPath() + "_OLD");
file.RenameTo(oldFile);
file.Delete();
file.CreateNewFile();
Assert.True(oldFile.Exists());
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.True(file.Exists());
Assert.True(oldFile + "should be deleted", !oldFile.Exists());
VerifyAfterReload(file, provider);
Assert.True(!oldFile.Exists());
// _NEW and current file should not exist together
FilePath newFile = new FilePath(file.GetPath() + "_NEW");
newFile.CreateNewFile();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.Fail("_NEW and current file should not exist together !!");
}
catch (Exception)
{
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
// Load from _NEW file
file.RenameTo(newFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _NEW file !!");
}
// Ignore
VerifyAfterReload(file, provider);
// _NEW exists but corrupt.. must load from _OLD
newFile.CreateNewFile();
file.RenameTo(oldFile);
file.Delete();
try
{
provider = KeyProviderFactory.GetProviders(conf)[0];
NUnit.Framework.Assert.IsFalse(newFile.Exists());
NUnit.Framework.Assert.IsFalse(oldFile.Exists());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("JKS should load from _OLD file !!");
}
finally
{
// Ignore
if (newFile.Exists())
{
newFile.Delete();
}
}
VerifyAfterReload(file, provider);
// check permission retention after explicit change
fs.SetPermission(path, new FsPermission("777"));
CheckPermissionRetention(conf, ourUrl, path);
// Check that an uppercase keyname results in an error
provider = KeyProviderFactory.GetProviders(conf)[0];
try
{
provider.CreateKey("UPPERCASE", KeyProvider.Options(conf));
NUnit.Framework.Assert.Fail("Expected failure on creating key name with uppercase "
+ "characters");
}
catch (ArgumentException e)
{
GenericTestUtils.AssertExceptionContains("Uppercase key names", e);
}
}
private KeyProviderDelegationTokenExtension(KeyProvider keyProvider, KeyProviderDelegationTokenExtension.DelegationTokenExtension
extensions)
: base(keyProvider, extensions)
{
}
