Package de.otto.kafka.messaging.e2ee.vault

Class CachedEncryptionKeyProvider

java.lang.Object

de.otto.kafka.messaging.e2ee.vault.CachedEncryptionKeyProvider

All Implemented Interfaces:

EncryptionKeyProvider

public final class CachedEncryptionKeyProvider
extends Object
implements EncryptionKeyProvider

This class is intended to be used as a 2nd-Level-Cache for the vault access. Meaning the results of all method calls should be cached with a 1st-Level-Cache.

Nested Class Summary

Nested classes/interfaces inherited from interface de.otto.kafka.messaging.e2ee.EncryptionKeyProvider

EncryptionKeyProvider.KeyVersion

Constructor Summary

Constructors

Constructor	Description
CachedEncryptionKeyProvider(EncryptionKeyProvider realEncryptionKeyProvider, SecondLevelCacheStorage cacheStorage, Clock clock, Duration cachingDuration)
CachedEncryptionKeyProvider(EncryptionKeyProvider realEncryptionKeyProvider, SecondLevelCacheStorage cacheStorage, Duration cachingDuration)

Method Summary

Modifier and Type	Method	Description
boolean	isEncryptedTopic(String kafkaTopicName)
String	retrieveKeyForDecryption(String topic, int version)
String	retrieveKeyForDecryption(String topic, int version, String encryptionKeyAttributeName)
EncryptionKeyProvider.KeyVersion	retrieveKeyForEncryption(String topic)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

CachedEncryptionKeyProvider

public CachedEncryptionKeyProvider(EncryptionKeyProvider realEncryptionKeyProvider,
 SecondLevelCacheStorage cacheStorage,
 Duration cachingDuration)

Parameters:

realEncryptionKeyProvider - the VaultEncryptionKeyProvider

cacheStorage - the 2nd-level cache storage

cachingDuration - the cache duration for the encryption keys. The decryption keys will never expire.

CachedEncryptionKeyProvider

public CachedEncryptionKeyProvider(EncryptionKeyProvider realEncryptionKeyProvider,
 SecondLevelCacheStorage cacheStorage,
 Clock clock,
 Duration cachingDuration)

Parameters:

realEncryptionKeyProvider - the VaultEncryptionKeyProvider

cacheStorage - the 2nd-level cache storage

cachingDuration - the cache duration for the encryption keys. The decryption keys will never expire.

clock - a clock (used in unit tests)

Method Details

retrieveKeyForEncryption

public EncryptionKeyProvider.KeyVersion retrieveKeyForEncryption(String topic)

Specified by:

retrieveKeyForEncryption in interface EncryptionKeyProvider

Parameters:

topic - the name of the topic to encrypt

Returns:

a key for encryption or null if encryption is not needed

retrieveKeyForDecryption

public String retrieveKeyForDecryption(String topic,
 int version)

Specified by:

retrieveKeyForDecryption in interface EncryptionKeyProvider

Parameters:

topic - the name of the topic to decrypt

version - the version of the key

Returns:

base64 and URL-Encoded encoded key

retrieveKeyForDecryption

public String retrieveKeyForDecryption(String topic,
 int version,
 String encryptionKeyAttributeName)

Specified by:

retrieveKeyForDecryption in interface EncryptionKeyProvider

Parameters:

topic - the name of the topic to decrypt

version - the version of the key

encryptionKeyAttributeName - the name of the encryption key within the vault. When null then the default value must be used.

Returns:

base64 and URL-Encoded encoded key

isEncryptedTopic

public boolean isEncryptedTopic(String kafkaTopicName)

Specified by:

isEncryptedTopic in interface EncryptionKeyProvider

Parameters:

kafkaTopicName - the name of the topic

Returns:

true when the topic can contain encrypted payloads