com.amazonaws.services.s3.model.CryptoConfiguration#com.amazonaws.services.s3.AmazonS3EncryptionClient源码实例Demo

下面列出了com.amazonaws.services.s3.model.CryptoConfiguration#com.amazonaws.services.s3.AmazonS3EncryptionClient 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。

源代码1 项目: airpal   文件: AirpalModule.java
/**
 * Provides the S3 client, choosing credentials and client-side encryption from the two optional inputs.
 *
 * <p>When {@code awsCredentials} is {@code null} the client authenticates through an
 * {@link InstanceProfileCredentialsProvider}; otherwise the supplied credentials are used. When
 * {@code encryptionMaterialsProvider} is non-null an {@link AmazonS3EncryptionClient} is returned,
 * otherwise a plain {@link AmazonS3Client}.
 *
 * <p>NOTE(review): no {@code CryptoConfiguration} is passed to the encryption client, so the SDK's
 * default crypto mode applies. Confirm that this default is an authenticated mode for the SDK
 * version in use, and check whether that version already deprecates {@code AmazonS3EncryptionClient}.
 *
 * @param awsCredentials explicit credentials, or {@code null} to use the instance profile
 * @param encryptionMaterialsProvider key material source, or {@code null} for no client-side encryption
 * @return the configured S3 client
 */
@Singleton
@Provides
@Nullable
public AmazonS3 provideAmazonS3Client(@Nullable AWSCredentials awsCredentials, @Nullable EncryptionMaterialsProvider encryptionMaterialsProvider)
{
    boolean clientSideEncryption = encryptionMaterialsProvider != null;

    // Explicit credentials take precedence over the instance profile.
    if (awsCredentials != null) {
        return clientSideEncryption
                ? new AmazonS3EncryptionClient(awsCredentials, encryptionMaterialsProvider)
                : new AmazonS3Client(awsCredentials);
    }

    // No explicit credentials: use the instance profile credentials provider.
    return clientSideEncryption
            ? new AmazonS3EncryptionClient(new InstanceProfileCredentialsProvider(), encryptionMaterialsProvider)
            : new AmazonS3Client(new InstanceProfileCredentialsProvider());
}
 
源代码2 项目: nifi   文件: ClientSideKMSEncryptionStrategy.java
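/**
 * Create an encryption client whose data keys are protected by an AWS KMS key.
 *
 * <p>The supplied {@code clientConfiguration} is applied to the client when it is non-null, so
 * transport settings the caller configured are not silently dropped. When it is {@code null}
 * the SDK's default client configuration is used.
 *
 * <p>NOTE(review): {@code CryptoConfiguration} is created with its default crypto mode. Confirm that
 * this default is an authenticated mode for the SDK version in use.
 *
 * @param credentialsProvider AWS credentials provider.
 * @param clientConfiguration Client configuration; may be {@code null} to use SDK defaults
 * @param kmsRegion AWS KMS region; ignored when blank
 * @param keyIdOrMaterial KMS key id
 * @return AWS S3 client
 * @throws IllegalArgumentException if {@code kmsRegion} is non-blank but not a known region name
 */
@Override
public AmazonS3Client createEncryptionClient(AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfiguration, String kmsRegion, String keyIdOrMaterial) {
    KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(keyIdOrMaterial);

    CryptoConfiguration cryptoConfig = new CryptoConfiguration();
    if (StringUtils.isNotBlank(kmsRegion)) {
        // Only pin the KMS region when the caller supplied one.
        cryptoConfig.setAwsKmsRegion(Region.getRegion(Regions.fromName(kmsRegion)));
    }

    if (clientConfiguration == null) {
        // Preserve the previous behaviour for callers that pass no configuration.
        return new AmazonS3EncryptionClient(credentialsProvider, materialProvider, cryptoConfig);
    }

    // Previously the configuration parameter was accepted but never used.
    return new AmazonS3EncryptionClient(credentialsProvider, materialProvider, clientConfiguration, cryptoConfig);
}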
 
源代码3 项目: nifi   文件: ClientSideCEncryptionStrategy.java
/**
 * Create an encryption client that uses a caller-supplied symmetric client master key.
 *
 * <p>The key is validated with {@code validateKey}, base64-decoded and wrapped as an AES
 * {@link SecretKeySpec} before being handed to the SDK as static encryption materials.
 *
 * <p>NOTE(review): {@code clientConfiguration} is accepted but not passed to the client, so any
 * transport settings it carries do not apply here; confirm whether that is intended.
 * NOTE(review): no {@code CryptoConfiguration} is supplied, so the SDK default crypto mode applies;
 * confirm it is an authenticated mode. Also confirm the validation explanation placed in the
 * exception message never echoes key material.
 *
 * @param credentialsProvider AWS credentials provider.
 * @param clientConfiguration Client configuration (currently unused by this method)
 * @param kmsRegion not used by this encryption strategy
 * @param keyIdOrMaterial client master key, always base64 encoded
 * @return AWS S3 client
 * @throws IllegalArgumentException if the key fails validation
 */
@Override
public AmazonS3Client createEncryptionClient(AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfiguration, String kmsRegion, String keyIdOrMaterial) {
    // Reject an invalid key before any key object is built from it.
    ValidationResult validation = validateKey(keyIdOrMaterial);
    if (!validation.isValid()) {
        throw new IllegalArgumentException("Invalid client key; " + validation.getExplanation());
    }

    SecretKeySpec clientMasterKey = new SecretKeySpec(Base64.decodeBase64(keyIdOrMaterial), "AES");
    EncryptionMaterials materials = new EncryptionMaterials(clientMasterKey);

    return new AmazonS3EncryptionClient(credentialsProvider, new StaticEncryptionMaterialsProvider(materials));
}
 
源代码4 项目: presto   文件: TestPrestoS3FileSystem.java
/**
 * Verifies that configuring an encryption materials provider class makes the file system
 * build an {@link AmazonS3EncryptionClient}.
 */
@Test
public void testEncryptionMaterialsProvider()
        throws Exception
{
    Configuration hadoopConfig = new Configuration(false);
    hadoopConfig.set(S3_ENCRYPTION_MATERIALS_PROVIDER, TestEncryptionMaterialsProvider.class.getName());
    URI bucketUri = new URI("s3n://test-bucket/");

    try (PrestoS3FileSystem fileSystem = new PrestoS3FileSystem()) {
        fileSystem.initialize(bucketUri, hadoopConfig);
        // Only the client type is checked; no object is encrypted or uploaded here.
        assertInstanceOf(fileSystem.getS3Client(), AmazonS3EncryptionClient.class);
    }
}
 
源代码5 项目: presto   文件: TestPrestoS3FileSystem.java
/**
 * Verifies that configuring a KMS key id makes the file system build an
 * {@link AmazonS3EncryptionClient}.
 */
@Test
public void testKMSEncryptionMaterialsProvider()
        throws Exception
{
    Configuration hadoopConfig = new Configuration(false);
    hadoopConfig.set(S3_KMS_KEY_ID, "test-key-id");
    URI bucketUri = new URI("s3n://test-bucket/");

    try (PrestoS3FileSystem fileSystem = new PrestoS3FileSystem()) {
        fileSystem.initialize(bucketUri, hadoopConfig);
        // Only the client type is checked; the key id is a dummy value and KMS is never called here.
        assertInstanceOf(fileSystem.getS3Client(), AmazonS3EncryptionClient.class);
    }
}
 
源代码6 项目: presto   文件: PrestoS3FileSystem.java
/**
 * Builds the S3 client from the Hadoop configuration.
 *
 * <p>Steps, in order: resolve the optional encryption materials provider, apply signer overrides
 * to {@code clientConfig}, choose an encrypting or plain builder, then set region, endpoint and
 * path-style access before building.
 *
 * <p>NOTE(review): the signer class name is read from configuration and loaded reflectively, so
 * the configuration source has to be trusted to the same degree as code on the classpath.
 * NOTE(review): the encryption builder is given no crypto configuration, so the SDK default
 * crypto mode applies; confirm it is an authenticated mode.
 * NOTE(review): region pinning and a configured endpoint can both be applied to the same builder;
 * confirm the SDK accepts that combination.
 *
 * @param hadoopConfig source of signer, endpoint and encryption settings
 * @param clientConfig SDK client configuration; signer overrides are written into it
 * @return the built S3 client
 */
private AmazonS3 createAmazonS3Client(Configuration hadoopConfig, ClientConfiguration clientConfig)
{
    Optional<EncryptionMaterialsProvider> materials = createEncryptionMaterialsProvider(hadoopConfig);

    // Named signer type, if configured.
    String signerTypeOverride = hadoopConfig.get(S3_SIGNER_TYPE);
    if (signerTypeOverride != null) {
        clientConfig.withSignerOverride(signerTypeOverride);
    }

    // Custom signer implementation, if configured; it replaces any signer type set above.
    String signerClassName = hadoopConfig.get(S3_SIGNER_CLASS);
    if (signerClassName != null) {
        Class<? extends Signer> signerImpl;
        try {
            signerImpl = Class.forName(signerClassName).asSubclass(Signer.class);
        }
        catch (ClassNotFoundException e) {
            throw new RuntimeException("Signer class not found: " + signerClassName, e);
        }
        SignerFactory.registerSigner(S3_CUSTOM_SIGNER, signerImpl);
        clientConfig.setSignerOverride(S3_CUSTOM_SIGNER);
    }

    AmazonS3Builder<? extends AmazonS3Builder<?, ?>, ? extends AmazonS3> builder;
    if (!materials.isPresent()) {
        builder = AmazonS3Client.builder()
                .withCredentials(credentialsProvider)
                .withClientConfiguration(clientConfig)
                .withMetricsCollector(METRIC_COLLECTOR);
    }
    else {
        // Encryption materials are configured: objects are encrypted on the client side.
        builder = AmazonS3EncryptionClient.encryptionBuilder()
                .withCredentials(credentialsProvider)
                .withEncryptionMaterials(materials.get())
                .withClientConfiguration(clientConfig)
                .withMetricsCollector(METRIC_COLLECTOR);
    }

    boolean locationConfigured = false;

    // use local region when running inside of EC2
    if (pinS3ClientToCurrentRegion) {
        String currentRegionName = getCurrentRegionFromEC2Metadata().getName();
        builder.setRegion(currentRegionName);
        locationConfigured = true;
    }

    String endpointOverride = hadoopConfig.get(S3_ENDPOINT);
    if (endpointOverride != null) {
        builder.setEndpointConfiguration(new EndpointConfiguration(endpointOverride, null));
        locationConfigured = true;
    }

    if (isPathStyleAccess) {
        builder.enablePathStyleAccess();
    }

    // Neither a region nor an endpoint was chosen: fall back to US_EAST_1 with global bucket access.
    if (!locationConfigured) {
        builder.withRegion(US_EAST_1);
        builder.setForceGlobalBucketAccessEnabled(true);
    }

    return builder.build();
}
 
源代码7 项目: snowflake-jdbc   文件: SnowflakeS3Client.java
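/**
 * Builds the AWS S3 client for a stage and stores it, with its creation parameters, on this
 * instance.
 *
 * <p>Credentials are read from {@code stageCredentials} under the keys {@code AWS_KEY_ID},
 * {@code AWS_SECRET_KEY} and {@code AWS_TOKEN}; session credentials are used when a token is
 * present. They are not saved on the instance and must never be written to logs.
 *
 * <p>Key handling when {@code encMat} is non-null: a 256-bit master key yields an
 * {@code AmazonS3EncryptionClient} in {@code CryptoMode.EncryptionOnly}; a 128-bit key yields a
 * plain client; any other size is rejected.
 *
 * <p>NOTE(review): {@code CryptoMode.EncryptionOnly} gives confidentiality without an integrity
 * check on the ciphertext; confirm whether an authenticated mode can be used without breaking
 * readers of existing objects.
 * NOTE(review): for 128-bit keys no SDK-level encryption is configured here; presumably the
 * payload is encrypted elsewhere in the driver - confirm against the upload/download paths.
 *
 * @param stageCredentials map holding the stage's AWS credentials
 * @param clientConfig     SDK client configuration; signer, TLS socket factory and proxy are set on it
 * @param encMat           encryption material for the stage, or {@code null} for none
 * @param stageRegion      region name of the stage, or {@code null}
 * @param stageEndPoint    endpoint to use (FIPS endpoint, if needed), or {@code null}/empty for the default
 * @throws SnowflakeSQLException if the decoded master key is neither 128 nor 256 bits long
 */
private void setupSnowflakeS3Client(Map<?, ?> stageCredentials,
                                    ClientConfiguration clientConfig,
                                    RemoteStoreFileEncryptionMaterial encMat,
                                    String stageRegion,
                                    String stageEndPoint)
throws SnowflakeSQLException
{
  // Save the client creation parameters so that we can reuse them,
  // to reset the AWS client. We won't save the awsCredentials since
  // we will be refreshing that, every time we reset the AWS client
  this.clientConfig = clientConfig;
  this.stageRegion = stageRegion;
  this.encMat = encMat;
  this.stageEndPoint = stageEndPoint; // FIPS endpoint, if needed

  logger.debug("Setting up AWS client ");

  // Retrieve S3 stage credentials
  String awsID = (String) stageCredentials.get("AWS_KEY_ID");
  String awsKey = (String) stageCredentials.get("AWS_SECRET_KEY");
  String awsToken = (String) stageCredentials.get("AWS_TOKEN");

  // A token means temporary (session) credentials; otherwise use the key pair alone.
  AWSCredentials awsCredentials = (awsToken != null)
                                  ? new BasicSessionCredentials(awsID, awsKey, awsToken)
                                  : new BasicAWSCredentials(awsID, awsKey);
  AWSStaticCredentialsProvider credentialsProvider =
      new AWSStaticCredentialsProvider(awsCredentials);

  clientConfig.withSignerOverride("AWSS3V4SignerType");
  clientConfig.getApacheHttpClientConfig().setSslSocketFactory(
      getSSLConnectionSocketFactory());
  HttpUtil.setProxyForS3(clientConfig);

  // Start from the plain client; it is replaced below only for 256-bit keys.
  AmazonS3Builder<?, ?> amazonS3Builder = AmazonS3Client.builder()
      .withCredentials(credentialsProvider)
      .withClientConfiguration(clientConfig);

  if (encMat != null)
  {
    byte[] decodedKey = Base64.decode(encMat.getQueryStageMasterKey());
    encryptionKeySize = decodedKey.length * 8;

    if (encryptionKeySize == 256)
    {
      SecretKey queryStageMasterKey =
          new SecretKeySpec(decodedKey, 0, decodedKey.length, AES);
      EncryptionMaterials encryptionMaterials =
          new EncryptionMaterials(queryStageMasterKey);
      encryptionMaterials.addDescription("queryId",
                                         encMat.getQueryId());
      encryptionMaterials.addDescription("smkId",
                                         Long.toString(encMat.getSmkId()));
      CryptoConfiguration cryptoConfig =
          new CryptoConfiguration(CryptoMode.EncryptionOnly);

      amazonS3Builder = AmazonS3EncryptionClient.encryptionBuilder()
          .withCredentials(credentialsProvider)
          .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(encryptionMaterials))
          .withClientConfiguration(clientConfig)
          .withCryptoConfiguration(cryptoConfig);
    }
    else if (encryptionKeySize != 128)
    {
      // Only 128-bit and 256-bit master keys are accepted.
      throw new SnowflakeSQLException(SqlState.INTERNAL_ERROR,
                                      ErrorCode.INTERNAL_ERROR.getMessageCode(),
                                      "unsupported key size", encryptionKeySize);
    }
    // 128-bit key: keep the plain client built above.
  }

  if (stageRegion != null)
  {
    // An unrecognised region name resolves to null and is skipped.
    Region region = RegionUtils.getRegion(stageRegion);
    if (region != null)
    {
      amazonS3Builder.withRegion(region.getName());
    }
  }
  // Explicitly force to use virtual address style
  amazonS3Builder.withPathStyleAccessEnabled(false);

  amazonClient = (AmazonS3) amazonS3Builder.build();

  // Compare by content: the previous reference check (!= "") let an empty,
  // non-interned string through and tried to use it as the endpoint.
  if (this.stageEndPoint != null && !this.stageEndPoint.isEmpty())
  {
    // Set the FIPS endpoint if we need it. GS will tell us if we do by
    // giving us an endpoint to use if required and supported by the region.
    // NOTE(review): the endpoint is applied after build(); confirm the SDK
    // version in use allows changing the endpoint of a builder-created client.
    amazonClient.setEndpoint(this.stageEndPoint);
  }
}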