Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: AWS KMS Keyring(s) refactor/reimplementation #211

Merged
merged 16 commits into from
Oct 5, 2020
Merged

feat: AWS KMS Keyring(s) refactor/reimplementation #211

merged 16 commits into from
Oct 5, 2020

Conversation

acioc
Copy link
Contributor

@acioc acioc commented Aug 12, 2020
edited
Loading

Issue #, if available:

Description of changes:

  • Re-implementing the AWS KMS keyring(s)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
    Files were moved but links (internal to this codebase) have been updated accordingly. Files prior to keyrings have not been moved.

@acioc acioc requested review from robin-aws and lavaleri August 12, 2020 06:45
@acioc acioc self-assigned this Aug 12, 2020
@acioc acioc changed the title feat!: AWS KMS Keyring(s) refactor/reimplementation feat: AWS KMS Keyring(s) refactor/reimplementation Aug 13, 2020
Alex Cioc added 13 commits August 13, 2020 16:07
Initial commit replacing AWS KMS keyring(s) with Spec 2020-07-01_aws-…
42ff908 
…kms-keyring-redesign keyrings
Initial refactor of examples, tests. Some tests still failing. Still …
3b97840 
…need to add new unit tests
Fix AwsKmsDataKeyEncryptionDaoTest
3921a45
Example updates, fixed broken links
3f76b5d
Clean up builders
0ee4799
Fix bug where generator double encrypts, fix examples
f59f07d
Revert KmsMasterKey back to keyring branch, update constructor
ee83536
Add passthrough region to customDataKeyEncryptionDao
5e28cf6
Add AwsKmsSymmetricKeyringTests
6fafd33
Add AwsKmsSymmetricRegionDiscoveryKeyringTests
5efeed3
Add AwsKmsSymmetricMultiRegionDiscoveryKeyringBuilderTests
612a92b
Add AwsKmsSymmetricMultiCmkKeyringBuilderTests
664495b
Fix keyring.childrenKeyrings->keyring.childKeyrings after rebase
186b6e2
lavaleri
lavaleri reviewed Aug 13, 2020
View reviewed changes
Copy link
Contributor

@lavaleri lavaleri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Part 1 up to AwsKmsSymmetricRegionDiscoveryKeyring.java

src/examples/README.md Show resolved Hide resolved
...s/java/com/amazonaws/crypto/examples/keyring/awskms/ActSimilarToAwsKmsMasterKeyProvider.java Outdated Show resolved Hide resolved
...s/java/com/amazonaws/crypto/examples/keyring/awskms/ActSimilarToAwsKmsMasterKeyProvider.java Outdated Show resolved Hide resolved
...s/java/com/amazonaws/crypto/examples/keyring/awskms/ActSimilarToAwsKmsMasterKeyProvider.java Outdated Show resolved Hide resolved
...s/java/com/amazonaws/crypto/examples/keyring/awskms/ActSimilarToAwsKmsMasterKeyProvider.java Outdated Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricMultiCmkKeyringBuilder.java Outdated Show resolved Hide resolved
.../com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricMultiRegionDiscoveryKeyringBuilder.java Outdated Show resolved Hide resolved
.../com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricMultiRegionDiscoveryKeyringBuilder.java Outdated Show resolved Hide resolved
.../com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricMultiRegionDiscoveryKeyringBuilder.java Outdated Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricRegionDiscoveryKeyring.java Show resolved Hide resolved
lavaleri
lavaleri reviewed Aug 14, 2020
View reviewed changes
Copy link
Contributor

@lavaleri lavaleri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Finished Part 2 of naive review. I will take another pass tomorrow looking closely at https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/proposals/2020-07-01_aws-kms-keyring-redesign/change.md and ensuring we have sufficient test coverage over the spec of that behavior.

src/main/java/com/amazonaws/encryptionsdk/keyrings/StandardKeyrings.java Outdated Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricMultiCmkKeyringBuilder.java Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsDataKeyEncryptionDao.java Outdated Show resolved Hide resolved
src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyringTest.java Show resolved Hide resolved
src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyringTest.java Show resolved Hide resolved
src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyringTest.java Outdated Show resolved Hide resolved
src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyringTest.java Outdated Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyring.java Outdated Show resolved Hide resolved
src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyringTest.java Show resolved Hide resolved
...est/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricRegionDiscoveryKeyringTest.java Show resolved Hide resolved
@acioc acioc marked this pull request as ready for review August 17, 2020 21:52
@acioc acioc mentioned this pull request Sep 30, 2020
Closed
lavaleri
lavaleri reviewed Oct 5, 2020
View reviewed changes
Copy link
Contributor

@lavaleri lavaleri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work! LGTM once feedback is resolved one way or another. Feel free to let me know if any of this feedback should be addressed as part of #223 instead.

...s/java/com/amazonaws/crypto/examples/keyring/awskms/ActSimilarToAwsKmsMasterKeyProvider.java Show resolved Hide resolved
src/examples/java/com/amazonaws/crypto/examples/keyring/awskms/CustomDataKeyEncryptionDao.java
// Create the keyring that determines how your data keys are protected.
final String region = Arn.fromString(awsKmsCmk.toString()).getRegion();
final Keyring keyring = StandardKeyrings.awsKmsSymmetric(
CustomMultiPartitionDao.daoGivenRegionId(region),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Taking another look at this, the example makes sense, but I still think will be confusing for customers. At the very least "CustomDataKeyEncryptionDao" as an example name isn't very helpful because customers don't know what a DataKeyEncryptionDao is. Maybe this would be better framed as a "CustomCredentialProvider" example? And then explain what the default credential provider configuration is.

It might also be good to highlight the difference between this example and the CustomKmsClientConfig example. That example is useful if you want every call using the same client config. If you need different client config depending on the key you're trying ot decrypt (in this example, based on what region it is), then you'll need to do something more complicated, like in this example.

.../java/com/amazonaws/crypto/examples/keyring/awskms/DiscoveryDecryptWithPreferredRegions.java Show resolved Hide resolved
src/examples/java/com/amazonaws/crypto/examples/keyring/awskms/MultipleRegions.java Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsSymmetricKeyring.java Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsDataKeyEncryptionDaoBuilder.java Show resolved Hide resolved
src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsDataKeyEncryptionDao.java Show resolved Hide resolved
@acioc acioc merged commit 6ff15f9 into aws:keyring Oct 5, 2020
@acioc acioc deleted the kms branch October 5, 2020 21:41
acioc pushed a commit to acioc/aws-encryption-sdk-java that referenced this pull request Oct 5, 2020
fix: Update build, unit tests, examples, and apply PR feedback from a…
b34932b 
…ws#211
acioc pushed a commit to acioc/aws-encryption-sdk-java that referenced this pull request Oct 5, 2020
fix: Update build, unit tests, examples, and apply PR feedback from a…
397a84d 
…ws#211
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lavaleri lavaleri lavaleri approved these changes

@robin-aws robin-aws Awaiting requested review from robin-aws

Assignees

@acioc acioc

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@acioc @lavaleri