AbstractKeyManager (CDAP Security 3.3.4 API)

java.lang.Object
- com.google.common.util.concurrent.AbstractIdleService
- - co.cask.cdap.security.auth.AbstractKeyManager

All Implemented Interfaces:

KeyManager, com.google.common.util.concurrent.Service

Direct Known Subclasses:

DistributedKeyManager, MapBackedKeyManager
```
public abstract class AbstractKeyManager
extends com.google.common.util.concurrent.AbstractIdleService
implements KeyManager
```
AbstractKeyManager that provides the basic functionality that all key managers share. This includes generation of keys and MACs, and validation of MACs. Subclasses are expected to override the init method.

Nested Class Summary
- Nested classes/interfaces inherited from interface co.cask.cdap.security.auth.KeyManager
  KeyManager.DigestId
- Nested classes/interfaces inherited from interface com.google.common.util.concurrent.Service
  com.google.common.util.concurrent.Service.Listener, com.google.common.util.concurrent.Service.State

Field Summary

Fields
Modifier and Type	Field and Description
`protected KeyIdentifier`	`currentKey`
`protected String`	`keyAlgo`
`protected long`	`keyExpirationPeriod` Time duration (in milliseconds) after which an active secret key should be retired.
`protected KeyGenerator`	`keyGenerator`
`protected int`	`keyLength`
`protected ThreadLocal<Mac>`	`threadLocalMac`

Constructor Summary

Constructors
Constructor and Description
`AbstractKeyManager(CConfiguration conf)` An AbstractKeyManager that has common functionality of all keymanagers.
`AbstractKeyManager(String keyAlgo, int keyLength)`

Method Summary

Methods
Modifier and Type	Method and Description
`protected abstract void`	`addKey(KeyIdentifier key)` Adds a given key instance.
`protected abstract void`	`doInit()` Extended classes must override this method to initialize/read the key(s) used for signing tokens.
`protected KeyIdentifier`	`generateKey()` Generates a new KeyIdentifier and sets that to be the current key being used.
`KeyManager.DigestId`	`generateMAC(byte[] message)` Computes a digest for the given input message, using the current secret key.
`protected byte[]`	`generateMAC(int keyId, byte[] message)` Computes a digest for the given input message, using the key identified by the given ID.
`protected byte[]`	`generateMAC(SecretKey key, byte[] message)`
`protected abstract KeyIdentifier`	`getKey(int id)` Returns the key instance matching a given unique ID.
`protected abstract boolean`	`hasKey(int id)` Returns whether or not a key exists for the given unique ID.
`void`	`startUp()`
`<T> void`	`validateMAC(Codec<T> codec, Signed<T> signedMessage)` Recomputes the digest for the given message and verifies that it matches the provided value.

Methods inherited from class com.google.common.util.concurrent.AbstractIdleService
addListener, executor, isRunning, shutDown, start, startAndWait, state, stop, stopAndWait, toString

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.google.common.util.concurrent.Service
addListener, isRunning, start, startAndWait, state, stop, stopAndWait

- Field Detail
  - threadLocalMac
```
protected ThreadLocal<Mac> threadLocalMac
```
  - keyGenerator
```
protected KeyGenerator keyGenerator
```
  - currentKey
```
protected volatile KeyIdentifier currentKey
```
  - keyAlgo
```
protected final String keyAlgo
```
  - keyLength
```
protected final int keyLength
```
  - keyExpirationPeriod
```
protected long keyExpirationPeriod
```
    Time duration (in milliseconds) after which an active secret key should be retired. A value or zero or less means no expiration.
- Constructor Detail
  - AbstractKeyManager
```
public AbstractKeyManager(CConfiguration conf)
```
    An AbstractKeyManager that has common functionality of all keymanagers.
    
    Parameters:
    conf -
  - AbstractKeyManager
```
public AbstractKeyManager(String keyAlgo,
                  int keyLength)
```
- Method Detail
  - startUp
```
public final void startUp()
                   throws NoSuchAlgorithmException,
                          IOException
```
    Specified by:
    
    startUp in class com.google.common.util.concurrent.AbstractIdleService
    
    Throws:
    
    NoSuchAlgorithmException
    
    IOException
  - doInit
```
protected abstract void doInit()
                        throws IOException
```
    Extended classes must override this method to initialize/read the key(s) used for signing tokens.
    
    Throws:
    
    IOException
  - hasKey
```
protected abstract boolean hasKey(int id)
```
    Returns whether or not a key exists for the given unique ID.
  - getKey
```
protected abstract KeyIdentifier getKey(int id)
```
    Returns the key instance matching a given unique ID.
  - addKey
```
protected abstract void addKey(KeyIdentifier key)
```
    Adds a given key instance.
  - generateKey
```
protected final KeyIdentifier generateKey()
```
    Generates a new KeyIdentifier and sets that to be the current key being used.
    
    Returns:
    A new KeyIdentifier.
  - validateMAC
```
public final <T> void validateMAC(Codec<T> codec,
                   Signed<T> signedMessage)
                       throws InvalidDigestException,
                              InvalidKeyException
```
    Description copied from interface: KeyManager
    
    Recomputes the digest for the given message and verifies that it matches the provided value.
    
    Specified by:
    
    validateMAC in interface KeyManager
    
    Parameters:
    codec - The serialization utility to use in serializing the message when recomputing the digest
    signedMessage - The message and digest to validate.
    
    Throws:
    
    InvalidDigestException
    
    InvalidKeyException
  - generateMAC
```
public final KeyManager.DigestId generateMAC(byte[] message)
                                      throws InvalidKeyException
```
    Description copied from interface: KeyManager
    
    Computes a digest for the given input message, using the current secret key.
    
    Specified by:
    
    generateMAC in interface KeyManager
    
    Parameters:
    message - The data over which we should generate a digest.
    
    Returns:
    The computed digest and the ID of the secret key used in generation.
    
    Throws:
    
    InvalidKeyException - If the internal Mac implementation does not accept the given key.
  - generateMAC
```
protected final byte[] generateMAC(int keyId,
                 byte[] message)
                            throws InvalidKeyException
```
    Computes a digest for the given input message, using the key identified by the given ID.
    
    Parameters:
    keyId - Identifier of the secret key to use.
    message - The data over which we should generate a digest.
    
    Returns:
    The computed digest.
    
    Throws:
    
    InvalidKeyException - If the input keyId does not match a known key or the key is not accepted by the internal Mac implementation.
  - generateMAC
```
protected final byte[] generateMAC(SecretKey key,
                 byte[] message)
                            throws InvalidKeyException
```
    Throws:
    
    InvalidKeyException

Class AbstractKeyManager

Nested Class Summary

Nested classes/interfaces inherited from interface co.cask.cdap.security.auth.KeyManager

Nested classes/interfaces inherited from interface com.google.common.util.concurrent.Service

Field Summary

Constructor Summary

Method Summary

Methods inherited from class com.google.common.util.concurrent.AbstractIdleService

Methods inherited from class java.lang.Object

Methods inherited from interface com.google.common.util.concurrent.Service

Field Detail

threadLocalMac

keyGenerator

currentKey

keyAlgo

keyLength

keyExpirationPeriod

Constructor Detail

AbstractKeyManager

AbstractKeyManager

Method Detail

startUp

doInit

hasKey

getKey

addKey

generateKey

validateMAC

generateMAC

generateMAC

generateMAC