Example 1 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class SecureStoreHandler method create.

@Path("/{key-name}")
@PUT
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void create(HttpRequest httpRequest, HttpResponder httpResponder,
                   @PathParam("namespace-id") String namespace,
                   @PathParam("key-name") String name) throws Exception {
    // Identifier built from the path parameters; it is not used further in this method.
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    SecureKeyCreateRequest secureKeyCreateRequest = parseBody(httpRequest, SecureKeyCreateRequest.class);
    if (secureKeyCreateRequest == null) {
        // Reject an unparseable body and show the caller the expected JSON shape, using placeholder values only.
        SecureKeyCreateRequest dummy = new SecureKeyCreateRequest("<description>", "<data>", ImmutableMap.of("key", "value"));
        throw new BadRequestException("Unable to parse the request. The request body should be of the following format." + " \n" + GSON.toJson(dummy));
    }
    // Store the data together with its description and properties under the given namespace and name.
    secureStoreManager.putSecureData(namespace, name, secureKeyCreateRequest.getData(), secureKeyCreateRequest.getDescription(), secureKeyCreateRequest.getProperties());
    httpResponder.sendStatus(HttpResponseStatus.OK);
}
Also used : SecureKeyCreateRequest(co.cask.cdap.proto.security.SecureKeyCreateRequest) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) BadRequestException(co.cask.cdap.common.BadRequestException) Path(javax.ws.rs.Path) AuditPolicy(co.cask.cdap.common.security.AuditPolicy) PUT(javax.ws.rs.PUT)

Example 2 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class DefaultSecureStoreService method deleteSecureData.

/**
 * Deletes the key if the user has ADMIN privileges to the key.
 *
 * @throws UnauthorizedException If the user does not have admin privileges required to delete the secure key.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws NotFoundException If the key to be deleted is not found.
 * @throws IOException If there was a problem deleting it from the underlying provider.
 */
@Override
public final void deleteSecureData(String namespace, String name) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    authorizationEnforcer.enforce(secureKeyId, principal, Action.ADMIN);
    secureStoreManager.deleteSecureData(namespace, name);
}
Also used : SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) Principal(co.cask.cdap.proto.security.Principal)

Example 3 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class DefaultSecureStoreService method getSecureData.

/**
 * Checks if the user has access to read the secure key and returns the {@link SecureStoreData} associated
 * with the key if they do.
 *
 * @return Data associated with the key if the user has read access.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws NotFoundException If the key is not found in the store.
 * @throws IOException If there was a problem reading from the store.
 * @throws UnauthorizedException If the user does not have READ permissions on the secure key.
 */
@Override
public final SecureStoreData getSecureData(String namespace, String name) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    authorizationEnforcer.enforce(secureKeyId, principal, Action.READ);
    return secureStore.getSecureData(namespace, name);
}
Also used : SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) Principal(co.cask.cdap.proto.security.Principal)

Example 4 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class FileSecureStore method deleteSecureData.

/**
 * Deletes the element with the given name. Flushes the keystore after deleting the key from the in-memory keystore.
 * If the flush fails, we attempt to insert the key back into the in-memory store and notify the user that the delete
 * failed. If the insertion into the keystore fails after a flush failure, there will be a discrepancy between the
 * in-memory store and the file on disk. This will be remedied the next time a flush happens.
 * If another flush does not happen and the system is restarted, the only time that file is read,
 * then we will have an extra key in the keystore.
 * @param namespace The namespace this key belongs to.
 * @param name Name of the element to be deleted.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws NotFoundException If the key to be deleted is not found.
 * @throws IOException If there was a problem deleting the key from the in-memory store
 * or if there was a problem persisting the keystore after deleting the element.
 */
 */
@Override
public void deleteSecureData(String namespace, String name) throws Exception {
    checkNamespaceExists(namespace);
    String keyName = getKeyName(namespace, name);
    Key key = null;
    writeLock.lock();
    try {
        if (!keyStore.containsAlias(keyName)) {
            throw new NotFoundException(new SecureKeyId(namespace, name));
        }
        key = deleteFromStore(keyName, password);
        flush();
        LOG.debug(String.format("Successfully deleted key %s from namespace %s", name, namespace));
    } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
        throw new IOException("Failed to delete the key. ", e);
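    } catch (IOException ioe) {
        // As described in the Javadoc: try to put the key back into the in-memory keystore before rethrowing.
        try {
            keyStore.setKeyEntry(keyName, key, password, null);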
        } catch (KeyStoreException e) {
            ioe.addSuppressed(e);
        }
        throw ioe;
    } finally {
        writeLock.unlock();
    }
}
Also used : SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) UnrecoverableKeyException(java.security.UnrecoverableKeyException) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) NotFoundException(co.cask.cdap.common.NotFoundException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException) Key(java.security.Key)

Example 5 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class FileSecureStore method putSecureData.

/**
 * Stores an element in the secure store. Although JCEKS supports overwriting keys, the interface currently does not
 * support it. If the key already exists, this method throws an AlreadyExistsException.
 * @param namespace The namespace this key belongs to.
 * @param name Name of the element to store.
 * @param data The data that needs to be securely stored.
 * @param description User provided description of the entry.
 * @param properties Metadata associated with the data.
 * @throws NamespaceNotFoundException If the specified namespace does not exist.
 * @throws AlreadyExistsException If the key already exists in the namespace. Updating is not supported.
 * @throws IOException If there was a problem storing the key to the in-memory keystore
 * or if there was a problem persisting the keystore.
 */
@Override
public void putSecureData(String namespace, String name, String data, String description, Map<String, String> properties) throws Exception {
    checkNamespaceExists(namespace);
    String keyName = getKeyName(namespace, name);
    SecureStoreMetadata meta = SecureStoreMetadata.of(name, description, properties);
    SecureStoreData secureStoreData = new SecureStoreData(meta, data.getBytes(Charsets.UTF_8));
    writeLock.lock();
    try {
        if (keyStore.containsAlias(keyName)) {
            throw new AlreadyExistsException(new SecureKeyId(namespace, name));
        }
        keyStore.setKeyEntry(keyName, new KeyStoreEntry(secureStoreData, meta), password, null);
        // Attempt to persist the store.
        flush();
        LOG.debug(String.format("Successfully stored %s in namespace %s", name, namespace));
    } catch (KeyStoreException e) {
        // We failed to store the key in the key store. Throw an IOException.
        throw new IOException("Failed to store the key. ", e);
    } finally {
        writeLock.unlock();
    }
}
Also used : SecureStoreData(co.cask.cdap.api.security.store.SecureStoreData) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) AlreadyExistsException(co.cask.cdap.common.AlreadyExistsException) SecureStoreMetadata(co.cask.cdap.api.security.store.SecureStoreMetadata) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException)
