ceph/src/arrow/cpp/src/parquet/encryption/kms_client.h

   1 // Licensed to the Apache Software Foundation (ASF) under one
   2 // or more contributor license agreements.  See the NOTICE file
   3 // distributed with this work for additional information
   4 // regarding copyright ownership.  The ASF licenses this file
   5 // to you under the Apache License, Version 2.0 (the
   6 // "License"); you may not use this file except in compliance
   7 // with the License.  You may obtain a copy of the License at
   8 //
   9 //   http://www.apache.org/licenses/LICENSE-2.0
  10 //
  11 // Unless required by applicable law or agreed to in writing,
  12 // software distributed under the License is distributed on an
  13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  14 // KIND, either express or implied.  See the License for the
  15 // specific language governing permissions and limitations
  16 // under the License.
  17
  18 #pragma once
  19
  20 #include <memory>
  21 #include <string>
  22 #include <unordered_map>
  23
  24 #include "arrow/util/mutex.h"
  25
  26 #include "parquet/exception.h"
  27 #include "parquet/platform.h"
  28
  29 namespace parquet {
  30 namespace encryption {
  31
  32 /// This class wraps the key access token of a KMS server. If your token changes over
  33 /// time, you should keep the reference to the KeyAccessToken object and call Refresh()
  34 /// method every time you have a new token.
  35 class PARQUET_EXPORT KeyAccessToken {
  36  public:
  37   KeyAccessToken() = default;
  38
  39   explicit KeyAccessToken(const std::string value) : value_(value) {}
  40
  41   void Refresh(const std::string& new_value) {
  42     auto lock = mutex_.Lock();
  43     value_ = new_value;
  44   }
  45
  46   const std::string& value() const {
  47     auto lock = mutex_.Lock();
  48     return value_;
  49   }
  50
  51  private:
  52   std::string value_;
  53   mutable ::arrow::util::Mutex mutex_;
  54 };
  55
  56 struct PARQUET_EXPORT KmsConnectionConfig {
  57   std::string kms_instance_id;
  58   std::string kms_instance_url;
  59   /// If the access token is changed in the future, you should keep a reference to
  60   /// this object and call Refresh() on it whenever there is a new access token.
  61   std::shared_ptr<KeyAccessToken> refreshable_key_access_token;
  62   std::unordered_map<std::string, std::string> custom_kms_conf;
  63
  64   KmsConnectionConfig();
  65
  66   const std::string& key_access_token() const {
  67     if (refreshable_key_access_token == NULL ||
  68         refreshable_key_access_token->value().empty()) {
  69       throw ParquetException("key access token is not set!");
  70     }
  71     return refreshable_key_access_token->value();
  72   }
  73
  74   void SetDefaultIfEmpty();
  75 };
  76
  77 class PARQUET_EXPORT KmsClient {
  78  public:
  79   static constexpr const char kKmsInstanceIdDefault[] = "DEFAULT";
  80   static constexpr const char kKmsInstanceUrlDefault[] = "DEFAULT";
  81   static constexpr const char kKeyAccessTokenDefault[] = "DEFAULT";
  82
  83   /// Wraps a key - encrypts it with the master key, encodes the result
  84   /// and potentially adds a KMS-specific metadata.
  85   virtual std::string WrapKey(const std::string& key_bytes,
  86                               const std::string& master_key_identifier) = 0;
  87
  88   /// Decrypts (unwraps) a key with the master key.
  89   virtual std::string UnwrapKey(const std::string& wrapped_key,
  90                                 const std::string& master_key_identifier) = 0;
  91   virtual ~KmsClient() {}
  92 };
  93
  94 }  // namespace encryption
  95 }  // namespace parquet