Package io.confluent.dekregistry.storage
Class AbstractDekRegistry
java.lang.Object
io.confluent.dekregistry.storage.AbstractDekRegistry
- All Implemented Interfaces:
Closeable,AutoCloseable
- Direct Known Subclasses:
KafkaDekRegistry
Abstract base class for DEK Registry implementations.
Contains encryption/decryption logic and public API methods.
Subclasses implement the storage-specific methods.
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final Stringstatic final Stringprotected static final com.fasterxml.jackson.core.type.TypeReference<Dek>protected final intprotected final intprotected final intprotected final intstatic final byte[]static final Stringprotected final AtomicBooleanprotected final CountDownLatchprotected static final com.fasterxml.jackson.core.type.TypeReference<Kek>protected final intprotected final intstatic final Stringstatic final intstatic final intprotected static final Stringprotected static final com.fasterxml.jackson.core.type.TypeReference<Void>static final String -
Constructor Summary
ConstructorsModifierConstructorDescriptionprotectedAbstractDekRegistry(SchemaRegistry schemaRegistry, MetricsManager metricsManager, DekRegistryConfig config) -
Method Summary
Modifier and TypeMethodDescriptionconfig()createDek(String kekName, boolean rewrap, CreateDekRequest request) createDekOrForward(String kekName, boolean rewrap, CreateDekRequest request, Map<String, String> headerProperties) createKek(CreateKekRequest request) createKekOrForward(CreateKekRequest request, Map<String, String> headerProperties) voidvoiddeleteDekOrForward(String name, String subject, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) voiddeleteDekVersion(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete) voiddeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) voidvoiddeleteKekOrForward(String name, boolean permanentDelete, Map<String, String> headerProperties) protected DataEncryptionKeyprotected DataEncryptionKeygenerateRawDek(KeyEncryptionKey kek, DataEncryptionKey key) protected com.google.crypto.tink.AeadgetAead(KeyEncryptionKey kek) protected CryptorgetCryptor(DekFormat dekFormat) protected abstract DataEncryptionKeygetDekById(DataEncryptionKeyId keyId) Get a DEK by its ID.protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String minKekName, String maxKekName, boolean lookupDeleted) Get all DEKs for a tenant within a KEK name range.protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) Get DEKs for a specific subject and algorithm.getDekSubjects(String kekName, boolean lookupDeleted) getDekVersions(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) protected abstract 
KeyEncryptionKeygetKekById(KeyEncryptionKeyId keyId) Get a KEK by its ID.getKekNames(List<String> subjectPrefix, boolean lookupDeleted) protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeksFromStore(String tenant, boolean lookupDeleted) Get all KEKs for a tenant.getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted, boolean maybeGenerateRawDek) com.google.common.collect.SetMultimap<String,KeyEncryptionKeyId> voidinit()booleanprotected abstract voidPerform any initialization required by the storage backend.booleanisLeader()Check if this instance is the leader.protected booleanio.kcache.Cache<EncryptionKeyId,EncryptionKey> keys()Deprecated.protected voidprotected Lockprotected DataEncryptionKeyintnormalizeDekSubjectLimit(int suppliedLimit) intnormalizeDekVersionLimit(int suppliedLimit) intnormalizeKekLimit(int suppliedLimit) protected StringnormalizeKmsType(String kmsType) intnormalizeLimit(int suppliedLimit, int defaultLimit, int maxLimit) putKek(String name, UpdateKekRequest request) putKekOrForward(String name, UpdateKekRequest request, Map<String, String> headerProperties) protected abstract voidputKey(EncryptionKeyId id, EncryptionKey key) Store a key (KEK or DEK).protected abstract voidRemove a key from storage.protected abstract voidSync/refresh the store to ensure it's up-to-date.voidtestKek(KeyEncryptionKey kek) protected static byte[]voidundeleteDek(String name, String subject, DekFormat algorithm) voidundeleteDekOrForward(String name, String subject, DekFormat algorithm, Map<String, String> headerProperties) voidundeleteDekVersion(String name, String subject, int version, DekFormat algorithm) voidundeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, Map<String, String> headerProperties) 
voidundeleteKek(String name) voidundeleteKekOrForward(String name, Map<String, String> headerProperties) protected voidvoid
-
Field Details
-
KEY
- See Also:
-
LATEST_VERSION
public static final int LATEST_VERSION- See Also:
-
MIN_VERSION
public static final int MIN_VERSION- See Also:
-
EMPTY_AAD
public static final byte[] EMPTY_AAD -
X_FORWARD_HEADER
- See Also:
-
AWS_KMS
- See Also:
-
AZURE_KMS
- See Also:
-
GCP_KMS
- See Also:
-
TEST_SUBJECT
- See Also:
-
KEK_TYPE
-
DEK_TYPE
-
VOID_TYPE
-
kekSearchDefaultLimit
protected final int kekSearchDefaultLimit -
kekSearchMaxLimit
protected final int kekSearchMaxLimit -
dekSubjectSearchDefaultLimit
protected final int dekSubjectSearchDefaultLimit -
dekSubjectSearchMaxLimit
protected final int dekSubjectSearchMaxLimit -
dekVersionSearchDefaultLimit
protected final int dekVersionSearchDefaultLimit -
dekVersionSearchMaxLimit
protected final int dekVersionSearchMaxLimit -
cryptors
-
tenantToLock
-
initialized
-
initLatch
-
-
Constructor Details
-
AbstractDekRegistry
protected AbstractDekRegistry(SchemaRegistry schemaRegistry, MetricsManager metricsManager, DekRegistryConfig config)
-
-
Method Details
-
getKeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeksFromStore(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException
Get all KEKs for a tenant.
- Throws:
SchemaRegistryStoreException
-
getDeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String minKekName, String maxKekName, boolean lookupDeleted) throws SchemaRegistryStoreException
Get all DEKs for a tenant within a KEK name range.
- Throws:
SchemaRegistryStoreException
-
getDeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryStoreException
Get the DEKs for a specific subject and algorithm.
- Throws:
SchemaRegistryStoreException
-
getKekById
protected abstract KeyEncryptionKey getKekById(KeyEncryptionKeyId keyId) throws SchemaRegistryStoreException
Get a KEK by its ID.
- Throws:
SchemaRegistryStoreException
-
getDekById
protected abstract DataEncryptionKey getDekById(DataEncryptionKeyId keyId) throws SchemaRegistryStoreException
Get a DEK by its ID.
- Throws:
SchemaRegistryStoreException
-
putKey
protected abstract void putKey(EncryptionKeyId id, EncryptionKey key) throws SchemaRegistryStoreException
Store a key (KEK or DEK).
- Throws:
SchemaRegistryStoreException
-
removeKey
Remove a key from storage.
- Throws:
SchemaRegistryStoreException
-
syncStore
Sync/refresh the store to ensure it is up to date.
- Throws:
SchemaRegistryStoreException
-
initStore
protected abstract void initStore()
Perform any initialization required by the storage backend. -
getSchemaRegistry
-
getMetricsManager
-
config
-
keys
Deprecated. Get the underlying keys kcache (only kafka-based implementations override this). Provides backward compatibility for external components that rely on direct cache access.
- Returns:
- the keys cache
-
getCryptor
-
init
public void init() -
waitForInit
- Throws:
InterruptedException
-
initialized
public boolean initialized() -
isLeader
public boolean isLeader()
Check if this instance is the leader. -
isLeader
-
lockFor
-
lock
-
unlock
-
getKekNames
public List<String> getKekNames(List<String> subjectPrefix, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getKeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeks(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getKek
- Throws:
SchemaRegistryException
-
toKekEntity
-
createKekOrForward
public Kek createKekOrForward(CreateKekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
createKek
- Throws:
SchemaRegistryException
-
normalizeKmsType
-
testKek
- Throws:
SchemaRegistryException
-
putKekOrForward
public Kek putKekOrForward(String name, UpdateKekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
putKek
public KeyEncryptionKey putKek(String name, UpdateKekRequest request) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteKekOrForward
public void deleteKekOrForward(String name, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteKek
- Throws:
SchemaRegistryException
-
undeleteKekOrForward
public void undeleteKekOrForward(String name, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteKek
- Throws:
SchemaRegistryException
-
getDekSubjects
public List<String> getDekSubjects(String kekName, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDekVersions
public List<Integer> getDekVersions(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, String kekName, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getLatestDek
public DataEncryptionKey getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getLatestDek
public DataEncryptionKey getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted, boolean maybeGenerateRawDek) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDek
public DataEncryptionKey getDek(String kekName, String subject, int version, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
maybeGenerateRawDek
protected DataEncryptionKey maybeGenerateRawDek(DataEncryptionKey key) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
createDekOrForward
public Dek createDekOrForward(String kekName, boolean rewrap, CreateDekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
createDek
public DataEncryptionKey createDek(String kekName, boolean rewrap, CreateDekRequest request) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteDekOrForward
public void deleteDekOrForward(String name, String subject, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteDek
public void deleteDek(String name, String subject, DekFormat algorithm, boolean permanentDelete) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteDekVersionOrForward
public void deleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteDekVersion
public void deleteDekVersion(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
undeleteDekOrForward
public void undeleteDekOrForward(String name, String subject, DekFormat algorithm, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteDek
public void undeleteDek(String name, String subject, DekFormat algorithm) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
undeleteDekVersionOrForward
public void undeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteDekVersion
public void undeleteDekVersion(String name, String subject, int version, DekFormat algorithm) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
generateEncryptedDek
protected DataEncryptionKey generateEncryptedDek(KeyEncryptionKey kek, DataEncryptionKey key) throws DekGenerationException - Throws:
DekGenerationException
-
generateRawDek
protected DataEncryptionKey generateRawDek(KeyEncryptionKey kek, DataEncryptionKey key) throws DekGenerationException - Throws:
DekGenerationException
-
getAead
- Throws:
GeneralSecurityException
-
normalizeLimit
public int normalizeLimit(int suppliedLimit, int defaultLimit, int maxLimit) -
normalizeKekLimit
public int normalizeKekLimit(int suppliedLimit) -
normalizeDekSubjectLimit
public int normalizeDekSubjectLimit(int suppliedLimit) -
normalizeDekVersionLimit
public int normalizeDekVersionLimit(int suppliedLimit) -
toJson
- Throws:
com.fasterxml.jackson.core.JsonProcessingException
-