com.mozilla.secops.crypto

Class RuntimeSecrets

java.lang.Object

com.mozilla.secops.crypto.RuntimeSecrets

public class RuntimeSecrets
extends Object

Class for decryption of secrets during pipeline runtime

This class makes use of cloud KMS for encryption/decryption operations.

It will also make use of GCS if a GCS URL is provided when calling interpretSecret.

Constructor Summary

Constructors

Constructor and Description
RuntimeSecrets(String project, String ring, String keyName) Create new RuntimeSecrets object referencing a KMS key based on the supplied parameters.

Method Summary

Modifier and Type	Method and Description
String	decrypt(String input) Decrypt the supplied input
void	done() Indicate RuntimeSecrets object will no longer be used, must be called to shutdown background threads
String	encrypt(String input) Encrypt the supplied input
static String	interpretSecret(String input, String project) Interpret a runtime secret as specified in pipeline options.
static void	main(String[] args) main routine can be used to encrypt or decrypt data on the command line

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RuntimeSecrets

public RuntimeSecrets(String project,
                      String ring,
                      String keyName)
               throws IOException

Create new RuntimeSecrets object referencing a KMS key based on the supplied parameters.

Parameters:

project - Project name

ring - Keyring name

keyName - Key name

Throws:

IOException - IOException

Method Detail

encrypt

public String encrypt(String input)

Encrypt the supplied input

Parameters:

input - Input string

Returns:

Base64 encoded encrypted data

decrypt

public String decrypt(String input)

Decrypt the supplied input

Parameters:

input - Input string

Returns:

Decrypted output string

done

public void done()
          throws InterruptedException

Indicate RuntimeSecrets object will no longer be used, must be called to shutdown background threads

Throws:

InterruptedException - InterruptedException

interpretSecret

public static String interpretSecret(String input,
                                     String project)
                              throws IOException

Interpret a runtime secret as specified in pipeline options.

This function currently handles three formats. A string prefixed with cloudkms:// is interpreted as an encrypted string which will be decrypted via CloudKMS. The project should be set to the correct GCP project name. The key ring and key name will always be looked for as "dataflow".

With no prefix, the input is simply returned as is and treated as an unencrypted string.

If a GCS URL is provided (e.g., gs://bucket/path) - the content of the object at the specified path will be fetched and handled as if it was passed directly as a string into the function.

Parameters:

input - Input string

project - GCP project name, can be null if unapplicable

Returns:

Transformed runtime secret

Throws:

IOException - IOException

main

public static void main(String[] args)
                 throws Exception

main routine can be used to encrypt or decrypt data on the command line

Parameters:

args - Command line arguments

Throws:

Exception - Exception