/**
 * Provides the {@link AmazonS3} client for injection.
 *
 * <p>Which client is built depends on which arguments are present:
 * <ul>
 *   <li>{@code awsCredentials == null}: the client authenticates through an
 *       {@link InstanceProfileCredentialsProvider} instead of static credentials;</li>
 *   <li>{@code encryptionMaterialsProvider != null}: an {@link AmazonS3EncryptionClient}
 *       (SDK client-side encryption) is returned instead of a plain {@link AmazonS3Client}.</li>
 * </ul>
 *
 * <p>NOTE(review): no {@code CryptoConfiguration} is passed to the encryption client, so
 * the SDK's default {@code CryptoMode} applies. Confirm that default gives the integrity
 * guarantees required for the stored objects; if not, pass an explicit configuration
 * selecting an authenticated-encryption mode.
 *
 * <p>The method is annotated {@code @Nullable} although every branch returns a client.
 *
 * @param awsCredentials static credentials, or {@code null} to use instance-profile credentials
 * @param encryptionMaterialsProvider key material for client-side encryption, or {@code null} for none
 * @return the S3 client selected as described above
 */
@Singleton
@Provides
@Nullable
public AmazonS3 provideAmazonS3Client(@Nullable AWSCredentials awsCredentials, @Nullable EncryptionMaterialsProvider encryptionMaterialsProvider)
{
    final boolean useInstanceProfile = awsCredentials == null;
    final boolean clientSideEncryption = encryptionMaterialsProvider != null;

    if (useInstanceProfile) {
        InstanceProfileCredentialsProvider instanceProfile = new InstanceProfileCredentialsProvider();
        return clientSideEncryption
                ? new AmazonS3EncryptionClient(instanceProfile, encryptionMaterialsProvider)
                : new AmazonS3Client(instanceProfile);
    }

    return clientSideEncryption
            ? new AmazonS3EncryptionClient(awsCredentials, encryptionMaterialsProvider)
            : new AmazonS3Client(awsCredentials);
}
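/**
 * Create an encryption client whose data keys are protected by AWS KMS.
 *
 * <p>The client performs SDK client-side encryption with materials from a
 * {@link KMSEncryptionMaterialsProvider} bound to {@code keyIdOrMaterial}. When a
 * KMS region is given, the {@link CryptoConfiguration} is pointed at it so KMS calls
 * go to that region rather than the client's default.
 *
 * <p>NOTE(review): no {@code CryptoMode} is set, so the SDK default applies. If the
 * stored objects need integrity protection, select an authenticated-encryption mode
 * on {@code cryptoConfig} explicitly.
 *
 * @param credentialsProvider AWS credentials provider.
 * @param clientConfiguration Client configuration (proxy, TLS, timeouts, signer); applied
 *                            to the client when non-null
 * @param kmsRegion AWS KMS region name; blank leaves the SDK default
 * @param keyIdOrMaterial KMS key id
 * @return AWS S3 client
 * @throws IllegalArgumentException if {@code keyIdOrMaterial} is blank, or if
 *         {@code kmsRegion} is not a region name known to {@link Regions#fromName}
 */
@Override
public AmazonS3Client createEncryptionClient(AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfiguration, String kmsRegion, String keyIdOrMaterial) {
    // Fail fast: a blank key id would otherwise only surface on the first KMS call.
    if (StringUtils.isBlank(keyIdOrMaterial)) {
        throw new IllegalArgumentException("Invalid KMS key id; must not be blank");
    }
    KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(keyIdOrMaterial);

    CryptoConfiguration cryptoConfig = new CryptoConfiguration();
    if (StringUtils.isNotBlank(kmsRegion)) {
        // Regions.fromName rejects unknown names with IllegalArgumentException.
        Region awsRegion = Region.getRegion(Regions.fromName(kmsRegion));
        cryptoConfig.setAwsKmsRegion(awsRegion);
    }

    // The clientConfiguration parameter used to be accepted but never applied, silently
    // dropping proxy/TLS/timeout/signer settings. Apply it when provided; keep the
    // original constructor for callers that pass null.
    if (clientConfiguration == null) {
        return new AmazonS3EncryptionClient(credentialsProvider, materialProvider, cryptoConfig);
    }
    return new AmazonS3EncryptionClient(credentialsProvider, materialProvider, clientConfiguration, cryptoConfig);
}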
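/**
 * Create an encryption client that uses a caller-supplied symmetric master key.
 *
 * <p>The key is checked by {@code validateKey}, base64-decoded and wrapped as an AES
 * {@link SecretKeySpec}; the client then performs SDK client-side encryption with a
 * {@link StaticEncryptionMaterialsProvider} holding that key. {@code kmsRegion} is
 * ignored by this strategy.
 *
 * <p>NOTE(review): the key material arrives as a {@code String}, so it cannot be
 * zeroed after use and must never be logged. No {@code CryptoMode} is configured, so
 * the SDK default applies; confirm it meets the integrity requirements for the data.
 *
 * @param credentialsProvider AWS credentials provider.
 * @param clientConfiguration Client configuration (proxy, TLS, timeouts, signer); applied
 *                            to the client when non-null
 * @param kmsRegion not used by this encryption strategy
 * @param keyIdOrMaterial client master key, always base64 encoded
 * @return AWS S3 client
 * @throws IllegalArgumentException if {@code validateKey} rejects the key
 */
@Override
public AmazonS3Client createEncryptionClient(AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfiguration, String kmsRegion, String keyIdOrMaterial) {
    ValidationResult keyValidationResult = validateKey(keyIdOrMaterial);
    if (!keyValidationResult.isValid()) {
        throw new IllegalArgumentException("Invalid client key; " + keyValidationResult.getExplanation());
    }

    byte[] keyMaterial = Base64.decodeBase64(keyIdOrMaterial);
    SecretKeySpec symmetricKey = new SecretKeySpec(keyMaterial, "AES");
    StaticEncryptionMaterialsProvider encryptionMaterialsProvider =
            new StaticEncryptionMaterialsProvider(new EncryptionMaterials(symmetricKey));

    if (clientConfiguration == null) {
        return new AmazonS3EncryptionClient(credentialsProvider, encryptionMaterialsProvider);
    }
    // Apply the caller's ClientConfiguration (previously accepted but dropped). The
    // constructor that takes one also requires a CryptoConfiguration; a default
    // instance is passed, which is what the two-argument constructor is expected to
    // use internally (confirm for the SDK version in use). Fully qualified so that
    // no new import is needed.
    return new AmazonS3EncryptionClient(credentialsProvider, encryptionMaterialsProvider,
            clientConfiguration, new com.amazonaws.services.s3.model.CryptoConfiguration());
}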
/**
 * Configuring a custom encryption materials provider class must make the file
 * system build an {@link AmazonS3EncryptionClient}, i.e. client-side encryption on.
 */
@Test
public void testEncryptionMaterialsProvider()
        throws Exception
{
    String providerClass = TestEncryptionMaterialsProvider.class.getName();
    URI root = new URI("s3n://test-bucket/");

    Configuration config = new Configuration(false);
    config.set(S3_ENCRYPTION_MATERIALS_PROVIDER, providerClass);

    try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
        fs.initialize(root, config);
        assertInstanceOf(fs.getS3Client(), AmazonS3EncryptionClient.class);
    }
}
/**
 * Configuring a KMS key id must make the file system build an
 * {@link AmazonS3EncryptionClient}, i.e. client-side encryption on.
 */
@Test
public void testKMSEncryptionMaterialsProvider()
        throws Exception
{
    URI root = new URI("s3n://test-bucket/");

    Configuration config = new Configuration(false);
    config.set(S3_KMS_KEY_ID, "test-key-id");

    try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
        fs.initialize(root, config);
        assertInstanceOf(fs.getS3Client(), AmazonS3EncryptionClient.class);
    }
}
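/**
 * Builds the S3 client from the Hadoop configuration and a pre-populated
 * {@link ClientConfiguration}.
 *
 * <p>In order: applies a signer override ({@code S3_SIGNER_TYPE}) and/or registers a
 * custom {@link Signer} class ({@code S3_SIGNER_CLASS}) under {@code S3_CUSTOM_SIGNER};
 * picks the encryption-client builder when {@code createEncryptionMaterialsProvider}
 * yields materials, else the plain builder; pins the region to the EC2 metadata region
 * and/or sets the {@code S3_ENDPOINT} endpoint; enables path-style access if configured;
 * and, when neither region nor endpoint was set, falls back to {@code US_EAST_1} with
 * global bucket access enabled.
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>{@code S3_SIGNER_CLASS} is loaded by name with {@link Class#forName}, which
 *       also runs the class's static initializer before the {@code Signer} check;
 *       whoever controls the configuration controls which class is loaded, so the
 *       configuration source must be trusted.</li>
 *   <li>{@link SignerFactory#registerSigner} is a process-wide registry: a later
 *       instance configured with a different class overwrites the registration.</li>
 *   <li>{@code S3_ENDPOINT} is taken verbatim with a {@code null} signing region; an
 *       {@code http://} value means unencrypted traffic to S3.</li>
 *   <li>Region pinning and an explicit endpoint both go on the same builder, which
 *       the SDK does not accept at build time; presumably the combination is rejected
 *       earlier during initialization — verify.</li>
 * </ul>
 *
 * @param hadoopConfig file-system configuration (signer, endpoint, encryption settings)
 * @param clientConfig SDK client configuration; mutated here to apply the signer override
 * @return a plain or client-side-encrypting S3 client
 * @throws RuntimeException if {@code S3_SIGNER_CLASS} names a class that cannot be
 *         found or that does not implement {@link Signer}
 */
private AmazonS3 createAmazonS3Client(Configuration hadoopConfig, ClientConfiguration clientConfig)
{
    Optional<EncryptionMaterialsProvider> encryptionMaterialsProvider = createEncryptionMaterialsProvider(hadoopConfig);
    AmazonS3Builder<? extends AmazonS3Builder<?, ?>, ? extends AmazonS3> clientBuilder;

    // Signer selection. Both settings mutate clientConfig before the builder sees it;
    // a custom class, when set, is applied last and therefore wins.
    String signerType = hadoopConfig.get(S3_SIGNER_TYPE);
    if (signerType != null) {
        clientConfig.withSignerOverride(signerType);
    }

    String signerClass = hadoopConfig.get(S3_SIGNER_CLASS);
    if (signerClass != null) {
        Class<? extends Signer> klass;
        try {
            // Loads and initializes the named class before asSubclass verifies it.
            klass = Class.forName(signerClass).asSubclass(Signer.class);
        }
        catch (ClassNotFoundException e) {
            throw new RuntimeException("Signer class not found: " + signerClass, e);
        }
        catch (ClassCastException e) {
            // Previously escaped as a bare ClassCastException that did not name the
            // configuration value at fault.
            throw new RuntimeException("Signer class does not implement " + Signer.class.getName() + ": " + signerClass, e);
        }
        // Process-wide registry; every instance registers under the same name.
        SignerFactory.registerSigner(S3_CUSTOM_SIGNER, klass);
        clientConfig.setSignerOverride(S3_CUSTOM_SIGNER);
    }

    if (encryptionMaterialsProvider.isPresent()) {
        // Client-side encryption. No CryptoConfiguration is supplied, so the SDK's
        // default CryptoMode applies — NOTE(review): confirm that is the intended mode.
        clientBuilder = AmazonS3EncryptionClient.encryptionBuilder()
                .withCredentials(credentialsProvider)
                .withEncryptionMaterials(encryptionMaterialsProvider.get())
                .withClientConfiguration(clientConfig)
                .withMetricsCollector(METRIC_COLLECTOR);
    }
    else {
        clientBuilder = AmazonS3Client.builder()
                .withCredentials(credentialsProvider)
                .withClientConfiguration(clientConfig)
                .withMetricsCollector(METRIC_COLLECTOR);
    }

    boolean regionOrEndpointSet = false;

    // use local region when running inside of EC2
    if (pinS3ClientToCurrentRegion) {
        clientBuilder.setRegion(getCurrentRegionFromEC2Metadata().getName());
        regionOrEndpointSet = true;
    }

    // Explicit endpoint; the signing region is left null for the SDK to derive.
    // The URL scheme comes straight from configuration.
    String endpoint = hadoopConfig.get(S3_ENDPOINT);
    if (endpoint != null) {
        clientBuilder.setEndpointConfiguration(new EndpointConfiguration(endpoint, null));
        regionOrEndpointSet = true;
    }

    if (isPathStyleAccess) {
        clientBuilder.enablePathStyleAccess();
    }

    // Neither region nor endpoint configured: start in us-east-1 and let the SDK's
    // global-bucket-access handling reach buckets that live elsewhere.
    if (!regionOrEndpointSet) {
        clientBuilder.withRegion(US_EAST_1);
        clientBuilder.setForceGlobalBucketAccessEnabled(true);
    }

    return clientBuilder.build();
}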
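/**
 * Builds the AWS S3 client for a Snowflake stage and stores the parameters needed to
 * rebuild it later (the credentials are not stored; they are refreshed on each reset).
 *
 * <p>The client always uses SigV4 signing ({@code AWSS3V4SignerType}), the TLS socket
 * factory from {@code getSSLConnectionSocketFactory()}, the S3 proxy settings applied by
 * {@code HttpUtil.setProxyForS3}, and virtual-hosted-style addressing.
 *
 * <p>Client-side encryption depends on the size of the decoded stage master key in
 * {@code encMat}:
 * <ul>
 *   <li>256 bits: an {@link AmazonS3EncryptionClient} in {@code CryptoMode.EncryptionOnly}
 *       with the key as static encryption materials, described by query id and SMK id;</li>
 *   <li>128 bits: a plain {@link AmazonS3Client}. NOTE(review): no SDK client-side
 *       encryption is applied on this path; presumably the caller encrypts the data
 *       itself before upload — verify before relying on at-rest protection;</li>
 *   <li>anything else: {@link SnowflakeSQLException} ("unsupported key size").</li>
 * </ul>
 *
 * <p>Security notes (review): {@code EncryptionOnly} is the SDK's legacy mode and does
 * not verify integrity on download; {@code stageCredentials} carries secrets and must
 * not be logged.
 *
 * <p>Fixes relative to the previous version: the endpoint check compared strings with
 * {@code !=}, which cannot detect an empty string built at runtime; and the endpoint was
 * applied with {@code setEndpoint} after {@code build()}, which a builder-built client
 * rejects as immutable (UnsupportedOperationException in the SDK versions reviewed).
 * Both region and endpoint are now configured on the builder.
 *
 * @param stageCredentials map holding {@code AWS_KEY_ID}, {@code AWS_SECRET_KEY} and, for
 *                         session credentials, {@code AWS_TOKEN}
 * @param clientConfig SDK client configuration; mutated here (signer, TLS factory, proxy)
 * @param encMat stage encryption material, or {@code null} for no client-side encryption
 * @param stageRegion AWS region name of the stage, or {@code null}
 * @param stageEndPoint explicit (e.g. FIPS) service endpoint, or {@code null}/empty for the default
 * @throws SnowflakeSQLException if the decoded master key is neither 128 nor 256 bits
 */
private void setupSnowflakeS3Client(Map<?, ?> stageCredentials,
                                    ClientConfiguration clientConfig,
                                    RemoteStoreFileEncryptionMaterial encMat,
                                    String stageRegion,
                                    String stageEndPoint)
    throws SnowflakeSQLException
{
    // Save the client creation parameters so that we can reuse them,
    // to reset the AWS client. We won't save the awsCredentials since
    // we will be refreshing that, every time we reset the AWS client
    this.clientConfig = clientConfig;
    this.stageRegion = stageRegion;
    this.encMat = encMat;
    this.stageEndPoint = stageEndPoint; // FIPS endpoint, if needed

    logger.debug("Setting up AWS client ");

    // Retrieve S3 stage credentials. These are secrets: never log them.
    String awsID = (String) stageCredentials.get("AWS_KEY_ID");
    String awsKey = (String) stageCredentials.get("AWS_SECRET_KEY");
    String awsToken = (String) stageCredentials.get("AWS_TOKEN");

    // Session (temporary) credentials when a token is present, static otherwise.
    AWSCredentials awsCredentials = (awsToken != null)
        ? new BasicSessionCredentials(awsID, awsKey, awsToken)
        : new BasicAWSCredentials(awsID, awsKey);
    AWSStaticCredentialsProvider credentialsProvider =
        new AWSStaticCredentialsProvider(awsCredentials);

    // SigV4, the custom TLS socket factory and S3 proxy settings go onto the
    // (stored, shared) ClientConfiguration before any builder reads it.
    clientConfig.withSignerOverride("AWSS3V4SignerType");
    clientConfig.getApacheHttpClientConfig().setSslSocketFactory(
        getSSLConnectionSocketFactory());
    HttpUtil.setProxyForS3(clientConfig);

    AmazonS3Builder<?, ?> amazonS3Builder;
    if (encMat != null)
    {
        byte[] decodedKey = Base64.decode(encMat.getQueryStageMasterKey());
        encryptionKeySize = decodedKey.length * 8;

        if (encryptionKeySize == 256)
        {
            SecretKey queryStageMasterKey =
                new SecretKeySpec(decodedKey, 0, decodedKey.length, AES);
            EncryptionMaterials encryptionMaterials =
                new EncryptionMaterials(queryStageMasterKey);
            encryptionMaterials.addDescription("queryId",
                                               encMat.getQueryId());
            encryptionMaterials.addDescription("smkId",
                                               Long.toString(encMat.getSmkId()));

            // EncryptionOnly: legacy mode without an integrity check on download.
            // Left unchanged because the decrypting side presumably expects this
            // format; change both together if a stronger mode is adopted.
            CryptoConfiguration cryptoConfig =
                new CryptoConfiguration(CryptoMode.EncryptionOnly);

            amazonS3Builder = AmazonS3EncryptionClient.encryptionBuilder()
                .withCredentials(credentialsProvider)
                .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(encryptionMaterials))
                .withClientConfiguration(clientConfig)
                .withCryptoConfiguration(cryptoConfig);
        }
        else if (encryptionKeySize == 128)
        {
            // NOTE(review): no SDK client-side encryption for 128-bit keys; this path
            // presumably relies on the caller encrypting data itself. Verify before
            // assuming stage data is protected at rest.
            amazonS3Builder = AmazonS3Client.builder()
                .withCredentials(credentialsProvider)
                .withClientConfiguration(clientConfig);
        }
        else
        {
            throw new SnowflakeSQLException(SqlState.INTERNAL_ERROR,
                                            ErrorCode.INTERNAL_ERROR.getMessageCode(),
                                            "unsupported key size", encryptionKeySize);
        }
    }
    else
    {
        amazonS3Builder = AmazonS3Client.builder()
            .withCredentials(credentialsProvider)
            .withClientConfiguration(clientConfig);
    }

    // Resolve the region name, if the stage region is one the SDK knows about.
    String regionName = null;
    if (stageRegion != null)
    {
        Region region = RegionUtils.getRegion(stageRegion);
        if (region != null)
        {
            regionName = region.getName();
        }
    }

    // The SDK builder accepts either a region or an endpoint configuration, not
    // both, and a built client cannot be re-pointed afterwards. When an endpoint
    // is given it wins and the resolved region becomes its signing region.
    if (this.stageEndPoint != null && !this.stageEndPoint.isEmpty())
    {
        // Set the FIPS endpoint if we need it. GS will tell us if we do by
        // giving us an endpoint to use if required and supported by the region.
        amazonS3Builder.withEndpointConfiguration(
            new com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration(
                this.stageEndPoint, regionName));
    }
    else if (regionName != null)
    {
        amazonS3Builder.withRegion(regionName);
    }

    // Explicitly force to use virtual address style
    amazonS3Builder.withPathStyleAccessEnabled(false);

    amazonClient = (AmazonS3) amazonS3Builder.build();
}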