Package io.confluent.dekregistry.storage
Class AbstractDekRegistry
java.lang.Object
io.confluent.dekregistry.storage.AbstractDekRegistry
- All Implemented Interfaces:
Closeable, AutoCloseable
- Direct Known Subclasses:
KafkaDekRegistry
Abstract base class for DEK Registry implementations.
Contains encryption/decryption logic and public API methods.
Subclasses implement the storage-specific methods.
-
Field Summary
Fields (Modifier and Type | Field | Description; the field names were lost in extraction — see Field Details below): static final String; static final String; protected static final com.fasterxml.jackson.core.type.TypeReference<Dek>; protected final int; protected final int; protected final int; protected final int; static final byte[]; static final String; protected final AtomicBoolean; protected final CountDownLatch; protected static final com.fasterxml.jackson.core.type.TypeReference<Kek>; protected final int; protected final int; static final String; static final int; static final int; protected static final String; protected static final com.fasterxml.jackson.core.type.TypeReference<Void>; static final String -
Constructor Summary
ConstructorsModifierConstructorDescriptionprotectedAbstractDekRegistry(SchemaRegistry schemaRegistry, MetricsManager metricsManager, DekRegistryConfig config) -
Method Summary
Modifier and TypeMethodDescriptionconfig()createDek(String kekName, boolean rewrap, CreateDekRequest request) createDekOrForward(String kekName, boolean rewrap, CreateDekRequest request, Map<String, String> headerProperties) createKek(CreateKekRequest request) createKekOrForward(CreateKekRequest request, Map<String, String> headerProperties) voidvoiddeleteDekOrForward(String name, String subject, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) voiddeleteDekVersion(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete) voiddeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) voidvoiddeleteKekOrForward(String name, boolean permanentDelete, Map<String, String> headerProperties) protected DataEncryptionKeyprotected DataEncryptionKeygenerateRawDek(KeyEncryptionKey kek, DataEncryptionKey key) protected com.google.crypto.tink.AeadgetAead(KeyEncryptionKey kek) protected CryptorgetCryptor(DekFormat dekFormat) protected abstract DataEncryptionKeygetDekById(DataEncryptionKeyId keyId) Get a DEK by its ID.protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String minKekName, String maxKekName, boolean lookupDeleted) Get all DEKs for a tenant within a KEK name range.protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) Get DEKs for a specific subject and algorithm.getDekSubjects(String kekName, boolean lookupDeleted) getDekVersions(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) protected abstract 
KeyEncryptionKeygetKekById(KeyEncryptionKeyId keyId) Get a KEK by its ID.getKekNames(List<String> subjectPrefix, boolean lookupDeleted) protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeksFromStore(String tenant, boolean lookupDeleted) Get all KEKs for a tenant.Returns the encryption key for the given id, ornullif not found.getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted, boolean maybeGenerateRawDek) voidinit()booleanprotected abstract voidPerform any initialization required by the storage backend.booleanisLeader()Check if this instance is the leader.protected booleanio.kcache.Cache<EncryptionKeyId,EncryptionKey> keys()Deprecated.protected voidprotected Lockprotected DataEncryptionKeyintnormalizeDekSubjectLimit(int suppliedLimit) intnormalizeDekVersionLimit(int suppliedLimit) intnormalizeKekLimit(int suppliedLimit) protected StringnormalizeKmsType(String kmsType) intnormalizeLimit(int suppliedLimit, int defaultLimit, int maxLimit) putKek(String name, UpdateKekRequest request) putKekOrForward(String name, UpdateKekRequest request, Map<String, String> headerProperties) protected abstract voidputKey(EncryptionKeyId id, EncryptionKey key) Store a key (KEK or DEK).io.kcache.KeyValueIterator<EncryptionKeyId,EncryptionKey> rangeKeys(EncryptionKeyId start, boolean startInclusive, EncryptionKeyId end, boolean endInclusive) Returns an iterator over the encryption keys whose ids fall in the given range.protected abstract voidRemove a key from storage.protected abstract voidSync/refresh the store to ensure it's up-to-date.voidtestKek(KeyEncryptionKey kek) protected static byte[]voidundeleteDek(String name, String subject, DekFormat algorithm) voidundeleteDekOrForward(String name, String subject, DekFormat algorithm, Map<String, String> headerProperties) 
voidundeleteDekVersion(String name, String subject, int version, DekFormat algorithm) voidundeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, Map<String, String> headerProperties) voidundeleteKek(String name) voidundeleteKekOrForward(String name, Map<String, String> headerProperties) protected voidvoid
-
Field Details
-
KEY
- See Also:
-
LATEST_VERSION
public static final int LATEST_VERSION- See Also:
-
MIN_VERSION
public static final int MIN_VERSION- See Also:
-
EMPTY_AAD
public static final byte[] EMPTY_AAD (note: `final` fixes only the reference; the array contents remain mutable, so callers must treat it as read-only) -
X_FORWARD_HEADER
- See Also:
-
AWS_KMS
- See Also:
-
AZURE_KMS
- See Also:
-
GCP_KMS
- See Also:
-
TEST_SUBJECT
- See Also:
-
KEK_TYPE
-
DEK_TYPE
-
VOID_TYPE
-
kekSearchDefaultLimit
protected final int kekSearchDefaultLimit -
kekSearchMaxLimit
protected final int kekSearchMaxLimit -
dekSubjectSearchDefaultLimit
protected final int dekSubjectSearchDefaultLimit -
dekSubjectSearchMaxLimit
protected final int dekSubjectSearchMaxLimit -
dekVersionSearchDefaultLimit
protected final int dekVersionSearchDefaultLimit -
dekVersionSearchMaxLimit
protected final int dekVersionSearchMaxLimit -
cryptors
-
tenantToLock
-
initialized
-
initLatch
-
-
Constructor Details
-
AbstractDekRegistry
protected AbstractDekRegistry(SchemaRegistry schemaRegistry, MetricsManager metricsManager, DekRegistryConfig config)
-
-
Method Details
-
getKeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeksFromStore(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException Get all KEKs for a tenant.- Throws:
SchemaRegistryStoreException
-
getDeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String minKekName, String maxKekName, boolean lookupDeleted) throws SchemaRegistryStoreException Get all DEKs for a tenant within a KEK name range.- Throws:
SchemaRegistryStoreException
-
getDeksFromStore
protected abstract List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeksFromStore(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryStoreException Get DEKs for a specific subject and algorithm.- Throws:
SchemaRegistryStoreException
-
getKekById
protected abstract KeyEncryptionKey getKekById(KeyEncryptionKeyId keyId) throws SchemaRegistryStoreException Get a KEK by its ID.- Throws:
SchemaRegistryStoreException
-
getDekById
protected abstract DataEncryptionKey getDekById(DataEncryptionKeyId keyId) throws SchemaRegistryStoreException Get a DEK by its ID.- Throws:
SchemaRegistryStoreException
-
putKey
protected abstract void putKey(EncryptionKeyId id, EncryptionKey key) throws SchemaRegistryStoreException Store a key (KEK or DEK).- Throws:
SchemaRegistryStoreException
-
removeKey
Remove a key from storage.- Throws:
SchemaRegistryStoreException
-
syncStore
Sync/refresh the store to ensure it's up-to-date.- Throws:
SchemaRegistryStoreException
-
initStore
protected abstract void initStore() Perform any initialization required by the storage backend. -
getSchemaRegistry
-
getMetricsManager
-
config
-
keys
Deprecated. Callers should use getKey(EncryptionKeyId) or rangeKeys(EncryptionKeyId, boolean, EncryptionKeyId, boolean) instead. Get the underlying keys kcache (only kafka-based implementations override this). Provides backward compatibility for external components relying on direct cache access. - Returns:
- the keys cache
-
getKey
Returns the encryption key for the given id, or null if not found. The default implementation delegates to
keys() for kafka-based subclasses. -
rangeKeys
public io.kcache.KeyValueIterator<EncryptionKeyId,EncryptionKey> rangeKeys(EncryptionKeyId start, boolean startInclusive, EncryptionKeyId end, boolean endInclusive) Returns an iterator over the encryption keys whose ids fall in the given range. The caller is responsible for closing the returned iterator (e.g. with try-with-resources) to avoid leaking the underlying store cursor. The default implementation delegates to
keys() for kafka-based subclasses. -
getCryptor
-
init
public void init() -
waitForInit
- Throws:
InterruptedException
-
initialized
public boolean initialized() -
isLeader
public boolean isLeader() Check if this instance is the leader. -
isLeader
-
lockFor
-
lock
-
unlock
-
getKekNames
public List<String> getKekNames(List<String> subjectPrefix, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getKeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getKeks(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getKek
- Throws:
SchemaRegistryException
-
toKekEntity
-
createKekOrForward
public Kek createKekOrForward(CreateKekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
createKek
- Throws:
SchemaRegistryException
-
normalizeKmsType
-
testKek
- Throws:
SchemaRegistryException
-
putKekOrForward
public Kek putKekOrForward(String name, UpdateKekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
putKek
public KeyEncryptionKey putKek(String name, UpdateKekRequest request) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteKekOrForward
public void deleteKekOrForward(String name, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteKek
- Throws:
SchemaRegistryException
-
undeleteKekOrForward
public void undeleteKekOrForward(String name, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteKek
- Throws:
SchemaRegistryException
-
getDekSubjects
public List<String> getDekSubjects(String kekName, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDekVersions
public List<Integer> getDekVersions(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, String kekName, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getDeks
protected List<io.kcache.KeyValue<EncryptionKeyId,EncryptionKey>> getDeks(String tenant, String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryStoreException - Throws:
SchemaRegistryStoreException
-
getLatestDek
public DataEncryptionKey getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getLatestDek
public DataEncryptionKey getLatestDek(String kekName, String subject, DekFormat algorithm, boolean lookupDeleted, boolean maybeGenerateRawDek) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
getDek
public DataEncryptionKey getDek(String kekName, String subject, int version, DekFormat algorithm, boolean lookupDeleted) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
maybeGenerateRawDek
protected DataEncryptionKey maybeGenerateRawDek(DataEncryptionKey key) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
createDekOrForward
public Dek createDekOrForward(String kekName, boolean rewrap, CreateDekRequest request, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
createDek
public DataEncryptionKey createDek(String kekName, boolean rewrap, CreateDekRequest request) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteDekOrForward
public void deleteDekOrForward(String name, String subject, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteDek
public void deleteDek(String name, String subject, DekFormat algorithm, boolean permanentDelete) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
deleteDekVersionOrForward
public void deleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
deleteDekVersion
public void deleteDekVersion(String name, String subject, int version, DekFormat algorithm, boolean permanentDelete) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
undeleteDekOrForward
public void undeleteDekOrForward(String name, String subject, DekFormat algorithm, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteDek
public void undeleteDek(String name, String subject, DekFormat algorithm) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
undeleteDekVersionOrForward
public void undeleteDekVersionOrForward(String name, String subject, int version, DekFormat algorithm, Map<String, String> headerProperties) throws SchemaRegistryException- Throws:
SchemaRegistryException
-
undeleteDekVersion
public void undeleteDekVersion(String name, String subject, int version, DekFormat algorithm) throws SchemaRegistryException - Throws:
SchemaRegistryException
-
generateEncryptedDek
protected DataEncryptionKey generateEncryptedDek(KeyEncryptionKey kek, DataEncryptionKey key) throws DekGenerationException - Throws:
DekGenerationException
-
generateRawDek
protected DataEncryptionKey generateRawDek(KeyEncryptionKey kek, DataEncryptionKey key) throws DekGenerationException - Throws:
DekGenerationException
-
getAead
- Throws:
GeneralSecurityException
-
normalizeLimit
public int normalizeLimit(int suppliedLimit, int defaultLimit, int maxLimit) -
normalizeKekLimit
public int normalizeKekLimit(int suppliedLimit) -
normalizeDekSubjectLimit
public int normalizeDekSubjectLimit(int suppliedLimit) -
normalizeDekVersionLimit
public int normalizeDekVersionLimit(int suppliedLimit) -
toJson
- Throws:
com.fasterxml.jackson.core.JsonProcessingException
-
getKey(EncryptionKeyId) or rangeKeys(EncryptionKeyId, boolean, EncryptionKeyId, boolean) instead.