1 // Licensed to the Apache Software Foundation (ASF) under one
2 // or more contributor license agreements. See the NOTICE file
3 // distributed with this work for additional information
4 // regarding copyright ownership. The ASF licenses this file
5 // to you under the Apache License, Version 2.0 (the
6 // "License"); you may not use this file except in compliance
7 // with the License. You may obtain a copy of the License at
9 // http://www.apache.org/licenses/LICENSE-2.0
11 // Unless required by applicable law or agreed to in writing,
12 // software distributed under the License is distributed on an
13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14 // KIND, either express or implied. See the License for the
15 // specific language governing permissions and limitations
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

#include "arrow/util/mutex.h"

#include "parquet/exception.h"
#include "parquet/platform.h"
30 namespace encryption
{
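/// Wraps the access token used to authenticate to a KMS server. If the token
/// changes over time (short-lived tokens), keep a reference to the
/// KeyAccessToken object and call Refresh() every time a new token is issued.
///
/// Thread-safety: Refresh() and value() serialize on an internal mutex.
/// value() returns a *copy* of the token rather than a reference: handing out
/// a reference to the guarded string would let a concurrent Refresh()
/// reassign it while a reader still holds the reference, i.e. a read of freed
/// secret material. Callers that need the token beyond a single expression
/// should keep the returned std::string, not a c_str() pointer into it.
class PARQUET_EXPORT KeyAccessToken {
 public:
  KeyAccessToken() = default;

  /// Constructs a holder with an initial token value.
  explicit KeyAccessToken(std::string value) : value_(std::move(value)) {}

  /// Replaces the current token with new_value under the lock.
  void Refresh(const std::string& new_value) {
    auto lock = mutex_.Lock();
    value_ = new_value;
  }

  /// Returns a snapshot of the current token, taken under the lock.
  std::string value() const {
    auto lock = mutex_.Lock();
    return value_;
  }

 private:
  std::string value_;
  mutable ::arrow::util::Mutex mutex_;
};

/// Connection parameters for one KMS instance.
struct PARQUET_EXPORT KmsConnectionConfig {
  std::string kms_instance_id;
  std::string kms_instance_url;
  /// If the access token is changed in the future, keep a reference to this
  /// object and call Refresh() on it whenever there is a new access token.
  std::shared_ptr<KeyAccessToken> refreshable_key_access_token;
  /// Free-form key/value settings for the concrete KMS client; not
  /// interpreted by this struct.
  std::unordered_map<std::string, std::string> custom_kms_conf;

  KmsConnectionConfig();

  /// Returns a snapshot of the current access token.
  /// Throws ParquetException if no token holder is attached or the token is
  /// empty. The token is read exactly once under KeyAccessToken's lock, so the
  /// emptiness check and the returned value refer to the same token version
  /// (the previous two separate value() calls could observe a Refresh()
  /// in between).
  std::string key_access_token() const {
    if (refreshable_key_access_token == nullptr) {
      throw ParquetException("key access token is not set!");
    }
    std::string token = refreshable_key_access_token->value();
    if (token.empty()) {
      throw ParquetException("key access token is not set!");
    }
    return token;
  }

  /// Fills empty fields with default placeholders (defined out of line).
  void SetDefaultIfEmpty();
};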
/// Abstract client for a Key Management Service. Implementations wrap
/// (encrypt) and unwrap (decrypt) data keys with a master key that is
/// identified by name and held by the KMS.
class PARQUET_EXPORT KmsClient {
 public:
  /// Placeholder values for unset connection fields; presumably consumed by
  /// KmsConnectionConfig::SetDefaultIfEmpty() -- confirm in the .cc file.
  static constexpr const char kKmsInstanceIdDefault[] = "DEFAULT";
  static constexpr const char kKmsInstanceUrlDefault[] = "DEFAULT";
  static constexpr const char kKeyAccessTokenDefault[] = "DEFAULT";

  /// Wraps a key: encrypts key_bytes with the master key named by
  /// master_key_identifier, encodes the result and may attach KMS-specific
  /// metadata. key_bytes is secret material; implementations should not
  /// log or persist it in the clear.
  virtual std::string WrapKey(const std::string& key_bytes,
                              const std::string& master_key_identifier) = 0;

  /// Unwraps a key: decrypts wrapped_key with the master key named by
  /// master_key_identifier and returns the plaintext key bytes.
  virtual std::string UnwrapKey(const std::string& wrapped_key,
                                const std::string& master_key_identifier) = 0;

  virtual ~KmsClient() = default;
};
94 } // namespace encryption
95 } // namespace parquet