java source code of EncryptionService

cerberus-master
- cerberus-core
  - src
    - main
      - java
        com
        nike
        cerberus
        security
        CerberusPrincipal.java
        error
        DefaultApiError.java
        event
        AuditableEventContext.java
        AuditableEvent.java
        auth
        connector
        AuthConnector.java
        AuthMfaDevice.java
        AuthStatus.java
        AuthData.java
        AuthResponse.java
    - test
      - java
        com
        nike
        cerberus
        util
        EnvUtils.java
        PropUtils.java
  - cerberus-core.gradle
- findbugs-supressions.xml
- API.md
- dependency-check-supressions.xml
- gradle.properties
- gradle
  - bintray.gradle
  - wrapper
    - gradle-wrapper.properties
  - owasp-dependency-check.gradle
- cerberus-auth-connector-onelogin
  - src
    - main
      - java
        com
        nike
        cerberus
        auth
        connector
        onelogin
        GenerateTokenRequest.java
        OneLoginHttpClient.java
        OneLoginClient.java
        OneLoginAuthConnector.java
        GetUserResponse.java
        MfaDevice.java
        VerifyFactorResponse.java
        ResponseStatus.java
        GenerateTokenResponseData.java
        CreateSessionLoginTokenRequest.java
        UserData.java
        GenerateTokenResponse.java
        CreateSessionLoginTokenResponse.java
        OneLoginConfigurationProperties.java
        SessionUser.java
        SessionLoginTokenData.java
        VerifyFactorRequest.java
        config
        OneLoginConfiguration.java
    - test
      - java
        com
        nike
        cerberus
        auth
        connector
        onelogin
        OneLoginPojoTest.java
        GenerateTokenRequestTest.java
        OneLoginAuthConnectorTest.java
  - cerberus-auth-connector-onelogin.gradle
- gradlew.bat
- debug.sh
- cerberus-api-tests
  - src
    - integration-test
      - resources
        example-file.pem
        json-schema
        v2
        safe-deposit-box
        read_success.json
        create_success.json
        auth
        user-success.json
        user
        refresh.json
        iam-role-encrypted.json
        user-mfa_req.json
        mfa_check.json
        iam-role-decrypted.json
        v1
        secure-file
        list-summaries.json
        category
        get_categories_success.json
        secret
        get-secret-version.json
        get-secret.json
        get-secret-versions-metadata.json
        safe-deposit-box
        read_success.json
        list_success.json
        create_success.json
        auth
        iam-role-encrypted.json
        iam-role-decrypted.json
        role
        get_roles_success.json
        negative
        requested-resource-for-user-principals-only.json
        secret-not-found-error.json
        create-sdb-with-the-same-name.json
        iam-principal-auth-no-permission-to-any-sdb.json
        access-to-requested-resource-is-denied.json
        user-exceeded-limit-of-auth-token-refresh.json
        permission-denied-invalid-auth-token-error.json
        ownership-required-permissions-error.json
        user-auth-invalid-credentials.json
        auth-token-is-malformed-cms-error.json
        put-metadata-category-null.json
        iam-role-auth-no-permission-to-any-sdb.json
        updated-file.pem
      - groovy
        com
        nike
        cerberus
        api
        InvalidAuthApiTests.groovy
        CerberusDashboardApiTests.groovy
        NegativeIamPermissionsApiTests.groovy
        ValidationErrorApiTests.groovy
        NegativeUserPermissionsApiTests.groovy
        util
        TestUtils.groovy
        GatewaySslSocketFactory.groovy
        CerberusIamApiV2Tests.groovy
        CerberusIamApiTests.groovy
        CerberusCompositeApiActions.groovy
        CerberusApiActions.groovy
        CerberusUserApiTests.groovy
        AdminApiTests.groovy
  - README.md
  - cerberus-api-tests.gradle
- gatling.sh
- cerberus-auth-connector-okta
  - src
    - main
      - java
        com
        nike
        cerberus
        auth
        connector
        config
        OktaConfiguration.java
        okta
        OktaApiClientHelper.java
        OktaConfigurationProperties.java
        statehandlers
        InitialLoginStateHandler.java
        AbstractOktaStateHandler.java
        MfaStateHandler.java
        OktaAuthConnector.java
        EmbeddedAuthResponseDataV1.java
    - test
      - java
        com
        nike
        cerberus
        auth
        connector
        okta
        MfaStateHandlerTest.java
        OktaAuthConnectorTest.java
        OktaApiClientHelperTest.java
        InitialLoginStateHandlerTest.java
        AbstractOktaStateHandlerTest.java
  - cerberus-auth-connector-okta.gradle
- gradlew
- CONTRIBUTING.md
- .gitattributes
- run.sh
- build.gradle
- build-and-deploy-cerberus-build-image.sh
- .travis.yml
- README.md
- cerberus-audit-logger-athena
  - src
    - main
      - java
        ch
        qos
        logback
        core
        rolling
        AuditLogsS3TimeBasedRollingPolicy.java
        FiveMinuteRollingFileAppender.java
        com
        nike
        cerberus
        audit
        logger
        AthenaClientFactory.java
        S3ClientFactory.java
        service
        S3LogUploaderService.java
        AthenaService.java
        listener
        AthenaLoggingEventListener.java
        config
        AthenaAuditLoggerConfiguration.java
    - test
      - java
        com
        nike
        cerberus
        audit
        logger
        service
        S3LogUploaderServiceTest.java
  - cerberus-audit-logger-athena.gradle
- cerberus-dashboard
  - src
    - utils
      - cmsUtils.js
      - testUtils.js
      - logger.js
      - index.js
    - actions
      - versionHistoryBrowserActions.js
      - manageSafetyDepositBoxActions.js
      - metadataActions.js
      - createSDBoxActions.js
      - appActions.js
      - headerActions.js
      - authenticationActions.js
      - modalActions.js
      - dropdownActions.js
      - messengerActions.js
    - reducers
      - versionHistoryBrowserReducer.js
      - rootReducer.js
      - createSDBoxReducer.js
      - headerStateReducer.js
      - metadataReducer.js
      - modalReducer.js
      - manageSafetyDepositBoxReducer.js
      - messengerReducer.js
      - authenticationReducer.js
      - appReducer.js
    - components
      - SecureDataBrowser
        SecureDataBrowser.scss
        SecureDataBrowser.js
      - LoginMfaForm
        LoginFormMfa.scss
        LoginMfaForm.js
      - FileButton
        FileButton.js
        FileButton.scss
      - Modal
        Modal.scss
        Modal.js
      - App
        App.js
        App.scss
      - UserGroupPermissionsFieldSet
        UserGroupPermissionsFieldSet.scss
        UserGroupPermissionsFieldSet.js
      - AddButton
        AddButton.js
        AddButton.scss
      - DeleteSafeDepositBoxForm
        validator.js
        DeleteSafeDepositBoxForm.js
        DeleteSafeDepositBoxForm.scss
      - SafeDepositBoxSettings
        SafeDepositBoxSettings.scss
        SafeDepositBoxSettings.js
      - MfaDeviceSelect
        MfaDeviceSelect.js
      - LoginUserForm
        LoginUserForm.js
      - GenericError
        GenericError.js
        GenericError.scss
      - IamPrincipalPermissionsFieldSet
        IamPrincipalPermissionsFieldSet.scss
        IamPrincipalPermissionsFieldSet.js
      - NotFound
        NotFound.js
      - ConfirmationBox
        ConfirmationBox.js
        ConfirmationBox.scss
      - ApiError
        ApiError.js
        ApiError.scss
      - Footer
        Footer.js
        Footer.scss
      - EditSDBoxForm
        EditSDBoxForm.js
        EditSDBoxForm.scss
      - SecureDataForm
        SecureDataForm.scss
        SecureDataForm.js
      - GroupSelect
        GroupsSelect.js
      - RoleSelect
        RoleSelect.js
      - Header
        Header.js
        Header.scss
      - SecureData
        SecureData.js
        SecureData.scss
      - Buttons
        Buttons.scss
        Buttons.js
      - Loader
        Loader.js
      - ViewTokenModal
        ViewTokenModal.js
        ViewTokenModal.scss
      - LandingView
        LandingView.scss
        LandingView.js
      - Login
        Login.js
        Login.scss
      - SecureFileForm
        SecureFileForm.scss
        SecureFileForm.js
      - SideBar
        SideBar.scss
        SideBar.js
      - SDBMetadataList
        SDBMetadataList.scss
        SDBMetadataList.js
      - SDBDescriptionField
        SDBDescriptionField.js
      - Messenger
        Messenger.scss
        Messenger.js
      - CategorySelect
        CategorySelect.js
        CategorySelect.scss
      - SDBMetadata
        SDBMetadata.scss
        SDBMetadata.js
      - CreateSDBoxForm
        validator.js
        CreateSDBoxForm.scss
        CreateSDBoxForm.js
      - SecureDataVersionsBrowser
        SecureDataVersionsBrowser.js
        SecureDataVersionsBrowser.scss
      - SecureFile
        SecureFile.js
        SecureFile.scss
      - ManageSafeDepositBox
        ManageSafeDepositBox.js
        ManageSafeDepositBox.scss
    - store
      - configureStore.js
    - service
      - EnvironmentService.js
    - constants
      - cms.js
      - ports.js
      - actions.js
    - index.js
    - assets
      - images
        refresh-split.svg
        lock-closed-dark-grey.svg
        copy.svg
        cheveron-right.svg
        cheveron-down.svg
        cerberus-logo-head-dark-grey.svg
        lock-open-dark-grey.svg
        facivon.ico
        add-dark-grey.svg
        add-green.svg
        remove-red.svg
        cerberus-logo-narrow-off-white.svg
        eye_closed.svg
        edit-dark-grey.svg
        refresh.svg
        key-dark-grey.svg
        cerberus-logo-narrow-dark-grey.svg
        folder-dark-grey.svg
        remove-dark-grey.svg
        cerberus-logo-head-off-white.svg
        eye.svg
      - styles
        reactSelect.scss
        common.scss
      - mockups
        Manage SDB Mock Up.svg
  - public
    - help
      - main.css
      - index.html
    - favicon.ico
    - index.html
  - cerberus-dashboard.gradle
  - README.md
  - package.json
  - .gitignore
- cerberus-web
  - src
    - main
      - resources
        cerberus.yaml
        com
        nike
        cerberus
        migration
        V1.6.3.1__make_timestamps_precise_to_millis.sql
        V1.6.4.0__remove_trailing_whitespace_from_iam_principal_arns_again.sql
        V1.3.0.0__add_arn_index_and_do_not_allow_null_arn.sql
        V1.6.1.0__truncate_secure_data_version_table.sql
        V1.6.5.0__add_sdb_name_slug.sql
        V1.1.0.0__kms_key_data.sql
        V1.5.1.0__add_kv_count_metadata_to_securedata.sql
        V1.6.2.0__make_user_groups_case_sensitive.sql
        V1.5.1.2__make_iam_roles_case_sensitive.sql
        V1.2.0.0__remove_account_id_and_iam_role_name_fields.sql
        V1.6.3.0__add_type_to_secure_data.sql
        V1.0.0.1__allow_null_descrption.sql
        V1.0.0.0__bootstrap.sql
        V1.5.0.0__auth_and_store_data_in_cms.sql
        V1.6.0.1__remove_trailing_whitespace_from_iam_principal_arns.sql
        V1.6.6.0__add_last_rotated_for_secret_data.sql
        V1.5.1.1__secure_data_blob_to_mediumblob.sql.sql
        V1.5.0.1__add_index_for_expire.sql
        V1.1.1.0__add_iam_role_arn_field.sql
        V1.6.0.0__secure_data_audit_and_version_data.sql
        V1.4.0.0__add_last_validated_field_to_aws_iam_kms_key.sql
        mapper
        UserGroupMapper.xml
        AwsIamRoleMapper.xml
        CategoryMapper.xml
        LockMapper.xml
        PermissionsMapper.xml
        SafeDepositBoxMapper.xml
        SecureDataMapper.xml
        AuthTokenMapper.xml
        SecureDataVersionMapper.xml
        RoleMapper.xml
      - java
        com
        nike
        cerberus
        security
        AuthenticationNotRequiredWhitelist.java
        RequestWasNotAuthenticatedEntryPoint.java
        PrincipalHasWritePermsForPath.java
        PrincipalHasReadPermsForPath.java
        WebSecurityConfiguration.java
        DatabaseTokenAuthenticationProcessingFilter.java
        CerberusAuthenticationFilter.java
        CerberusPrincipalAuthenticationProvider.java
        PrincipalHasDeletePermsForPath.java
        PrincipalHasReadPermsForSdb.java
        PrincipalHasOwnerPermsForSdb.java
        dao
        AwsIamRoleDao.java
        SafeDepositBoxDao.java
        LockDao.java
        UserGroupDao.java
        AuthTokenDao.java
        SecureDataVersionDao.java
        CategoryDao.java
        RoleDao.java
        PermissionsDao.java
        SecureDataDao.java
        error
        InvalidIamRoleArnApiError.java
        KeyInvalidForAuthException.java
        SfxAwareApiExceptionHandlerUtils.java
        InvalidRoleNameApiError.java
        InvalidCategoryNameApiError.java
        DefaultApiErrorsImpl.java
        record
        RoleRecord.java
        DataKeyInfo.java
        SafeDepositBoxRoleRecord.java
        CategoryRecord.java
        UserGroupRecord.java
        AwsIamRolePermissionRecord.java
        UserGroupPermissionRecord.java
        AuthTokenRecord.java
        AwsIamRoleRecord.java
        SecureDataRecord.java
        SafeDepositBoxRecord.java
        SecureDataVersionRecord.java
        AwsIamRoleKmsKeyRecord.java
        util
        UuidSupplier.java
        AuthTokenGenerator.java
        TokenHasher.java
        SdbAccessRequest.java
        DateTimeSupplier.java
        CiphertextUtils.java
        Slugger.java
        AwsIamRoleArnParser.java
        SecureDataAction.java
        config
        database
        MybatisConfiguration.java
        C3p0DataSourceConfiguration.java
        FlywayConfiguration.java
        OffsetDateTimeTypeHandler.java
        MvcConfiguration.java
        ApplicationConfiguration.java
        AuditLoggerConfiguration.java
        SecretsManagerSecretEngine.java
        LambdaFilter.java
        service
        CleanUpService.java
        KmsPolicyService.java
        AwsIamRoleService.java
        SecureDataService.java
        CategoryService.java
        UserGroupPermissionService.java
        PermissionValidationService.java
        DistributedLockService.java
        MetadataService.java
        RoleService.java
        AuthTokenService.java
        EncryptionService.java
        AuthenticationService.java
        KmsService.java
        IamPrincipalPermissionService.java
        SafeDepositBoxService.java
        SecureDataVersionService.java
        Main.java
        event
        filter
        AuditLoggingFilterDetails.java
        AuditLoggingFilter.java
        listener
        AuditLoggingEventListener.java
        jobs
        KpiMetricsProcessingJob.java
        HystrixMetricsProcessingJob.java
        LockingJob.java
        OrphanedKmsKeyCleanUpJob.java
        DataKeyRotationJob.java
        ExpiredTokenCleanUpJob.java
        InactiveKmsKeyCleanUpJob.java
        cache
        MetricReportingCache.java
        DatabaseCache.java
        MetricReportingCryptoMaterialsCache.java
        metric
        MetricsService.java
        LoggingMetricsService.java
        CerberusHttpHeaders.java
        aws
        KmsClientFactory.java
        sts
        GetCallerIdentityFullResponse.java
        ErrorResponse.java
        GetCallerIdentityResponse.java
        AwsStsHttpHeader.java
        Error.java
        AwsStsHttpClient.java
        AwsStsClient.java
        mapper
        RoleMapper.java
        SafeDepositBoxMapper.java
        AwsIamRoleMapper.java
        AuthTokenMapper.java
        CategoryMapper.java
        PermissionsMapper.java
        LockMapper.java
        SecureDataMapper.java
        SecureDataVersionMapper.java
        UserGroupMapper.java
        controller
        SecureFileController.java
        SafeDepositBoxControllerV1.java
        authentication
        UserAuthenticationController.java
        AwsIamStsAuthController.java
        RevokeAuthenticationController.java
        AwsIamKmsAuthV1Controller.java
        AwsIamKmsAuthV2Controller.java
        admin
        AdminActionsController.java
        SdbMetadataController.java
        RoleController.java
        SecureFilesSummaryController.java
        DashboardController.java
        SafeDepositBoxControllerV2.java
        CategoryController.java
        GetSecureDataVersionsController.java
        SecureDataController.java
        GetSecretVersionPathsForSdbController.java
    - test
      - resources
        com
        nike
        cerberus
        service
        invalid-cerberus-iam-auth-kms-key-policy.json
        valid-cerberus-iam-auth-kms-key-policy.json
        sdb_metadata_backup.json
        invalid-cerberus-kms-key-policy-cms-cannot-delete.json
      - java
        com
        nike
        cerberus
        dao
        SecureDataVersionDaoTest.java
        RoleDaoTest.java
        AwsIamRoleDaoTest.java
        UserGroupDaoTest.java
        CategoryDaoTest.java
        SafeDepositBoxDaoTest.java
        error
        ProjectApiErrorTest.java
        ProjectApiErrorsImplTest.java
        record
        RecordPojoTest.java
        util
        AwsIamRoleArnParserTest.java
        SluggerTest.java
        DateTimeSupplierTest.java
        UuidSupplierTest.java
        service
        RoleServiceTest.java
        CleanUpServiceTest.java
        SafeDepositBoxServiceTest.java
        AuthTokenServiceTest.java
        MetadataServiceTest.java
        EncryptionServiceTest.java
        SecureDataServiceTest.java
        SecureDataVersionServiceTest.java
        KmsServiceTest.java
        AuthenticationServiceTest.java
        KmsPolicyServiceTest.java
        CategoryServiceTest.java
        DistributedLockServiceTest.java
        SecureDataActionTest.java
        cache
        DatabaseCacheTest.java
        aws
        KmsClientFactoryTest.java
        sts
        AwsStsHttpHeaderTest.java
        AwsStsPojoTest.java
        AwsStsClientTest.java
      - groovy
        com
        nike
        cerberus
        CerberusHttpHeadersSpec.groovy
    - integration-test
      - java
        com
        nike
        cerberus
        IntegrationTests.java
  - cerberus-web.gradle
- cerberus-domain
  - src
    - main
      - java
        com
        nike
        cerberus
        PrincipalType.java
        validation
        group
        Updatable.java
        UserGroupPermissionsValidator.java
        UniqueIamRolePermissions.java
        UniqueIamPrincipalPermissions.java
        UniqueOwnerValidator.java
        UniqueUserGroupPermissions.java
        PatternListAnyMatchValidator.java
        UniqueOwner.java
        PatternListAnyMatch.java
        IamRolePermissionsValidator.java
        IamPrincipalPermissionsValidator.java
        domain
        EncryptedAuthDataWrapper.java
        CerberusAuthToken.java
        AwsIamKmsAuthRequest.java
        SecureDataVersionsResult.java
        MfaCheckRequest.java
        Source.java
        DomainConstants.java
        SDBMetadataResult.java
        UserGroupPermission.java
        SecureDataResponse.java
        SecureDataVersionSummary.java
        SafeDepositBoxV1.java
        VaultStyleErrorResponse.java
        SecureDataType.java
        SafeDepositBoxV2.java
        SecureFileSummary.java
        IamPrincipalPermission.java
        AuthKmsKeyMetadataResult.java
        SafeDepositBox.java
        CleanUpRequest.java
        Role.java
        SecureFile.java
        AuthKmsKeyMetadata.java
        SecureData.java
        UserCredentials.java
        Category.java
        SafeDepositBoxSummary.java
        AuthTokenResponse.java
        SecureFileVersion.java
        SecureFileCurrent.java
        IamRoleRegex.java
        SecureFileSummaryResult.java
        SecureDataVersion.java
        IamRolePermission.java
        IamRoleCredentials.java
        SDBMetadata.java
    - test
      - java
        com
        nike
        cerberus
        validation
        IamRolePermissionsValidatorTest.java
        IamPrincipalPermissionTest.java
        UserGroupPermissionsValidatorTest.java
        UniqueOwnerValidatorTest.java
        IamPrincipalPermissionsValidatorTest.java
        domain
        VaultStyleErrorResponseTest.java
        DomainPojoTest.java
  - cerberus-domain.gradle
- settings.gradle
- .gitignore
- docs
  - assets
- LICENSE.txt
- Dockerfile.build
- lombok.config

/*
 * Copyright (c) 2020 Nike, inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License")
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.nike.cerberus.service;

import com.amazonaws.encryptionsdk.*;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.encryptionsdk.multi.MultipleProviderFactory;
import com.amazonaws.regions.Region;
import com.google.common.collect.Lists;
import com.nike.cerberus.util.CiphertextUtils;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.time.DateFormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/** Service for performing encryption and decryption of secrets using the 'AWS Encryption SDK'. */
@Component
public class EncryptionService {

  /** Property name for current SDB path in the EncryptionContext */
  public static final String SDB_PATH_PROPERTY_NAME = "sdb_path";

  private final Logger log = LoggerFactory.getLogger(getClass());

  private final AwsCrypto awsCrypto;
  private List<String> cmkArnList;
  private final Region currentRegion;
  private final CryptoMaterialsManager decryptCryptoMaterialsManager;
  private final CryptoMaterialsManager encryptCryptoMaterialsManager;

  @Autowired
  public EncryptionService(
      AwsCrypto awsCrypto,
      @Value("${cerberus.encryption.cmk.arns}") String cmkArns,
      @Qualifier("decryptCryptoMaterialsManager")
          CryptoMaterialsManager decryptCryptoMaterialsManager,
      @Qualifier("encryptCryptoMaterialsManager")
          CryptoMaterialsManager encryptCryptoMaterialsManager,
      Region currentRegion) {
    this.currentRegion = currentRegion;
    this.awsCrypto = awsCrypto;
    log.info("CMK ARNs " + cmkArns);
    this.cmkArnList = splitArns(cmkArns);
    this.decryptCryptoMaterialsManager = decryptCryptoMaterialsManager;
    this.encryptCryptoMaterialsManager = encryptCryptoMaterialsManager;
  }

  /**
   * Encrypt the plainTextPayload.
   *
   * <p>Generates a Base64 encoded String the the 'AWS Encryption SDK Message Format'
   *
   * <p>http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html
   *
   * @param plainTextPayload the secrets to encrypt
   * @param sdbPath the SDB path where these secrets are being stored (added to EncryptionContext)
   */
  public String encrypt(String plainTextPayload, String sdbPath) {
    return awsCrypto
        .encryptString(
            encryptCryptoMaterialsManager, plainTextPayload, buildEncryptionContext(sdbPath))
        .getResult();
  }

  public byte[] encrypt(byte[] bytes, String sdbPath) {
    return awsCrypto
        .encryptData(encryptCryptoMaterialsManager, bytes, buildEncryptionContext(sdbPath))
        .getResult();
  }

  /**
   * Decrypt the encryptedPayload.
   *
   * <p>Expects a Base64 encoded String the the 'AWS Encryption SDK Message Format'.
   *
   * <p>http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html
   */
  public String decrypt(String encryptedPayload, String sdbPath) {
    ParsedCiphertext parsedCiphertext = CiphertextUtils.parse(encryptedPayload);
    try {
      return decrypt(parsedCiphertext, sdbPath);
    } catch (RuntimeException e) {
      log.error("Decrypt operation failed " + CiphertextUtils.toJson(parsedCiphertext), e);
      throw e;
    }
  }

  /**
   * Decrypt the encryptedPayload.
   *
   * <p>Expects a Base64 encoded String the the 'AWS Encryption SDK Message Format'.
   *
   * <p>http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html
   */
  public byte[] decrypt(byte[] encryptedPayload, String sdbPath) {
    ParsedCiphertext parsedCiphertext = CiphertextUtils.parse(encryptedPayload);
    try {
      return decryptToBytes(parsedCiphertext, sdbPath);
    } catch (RuntimeException e) {
      log.error("Decrypt operation failed " + CiphertextUtils.toJson(parsedCiphertext), e);
      throw e;
    }
  }

  /**
   * Decrypt the encryptedPayload.
   *
   * @param parsedCiphertext encryptedPayload
   * @param sdbPath the current SDB path
   */
  private String decrypt(ParsedCiphertext parsedCiphertext, String sdbPath) {
    validateEncryptionContext(parsedCiphertext, sdbPath);
    // Parses the ARNs out of the encryptedPayload so that you can manually rotate the CMKs, if
    // desired
    // Whatever CMKs were used in the encrypt operation will be used to decrypt
    List<String> cmkArns = CiphertextUtils.getCustomerMasterKeyArns(parsedCiphertext);
    CryptoMaterialsManager cryptoMaterialsManager =
        getCryptoMaterialsManager(cmkArns, currentRegion);
    return new String(
        awsCrypto.decryptData(cryptoMaterialsManager, parsedCiphertext).getResult(),
        StandardCharsets.UTF_8);
  }

  private CryptoMaterialsManager getCryptoMaterialsManager(
      List<String> cmkArns, Region currentRegion) {
    if (cmkArnList.containsAll(cmkArns)) {
      return decryptCryptoMaterialsManager;
    } else {
      MasterKeyProvider<KmsMasterKey> provider = initializeKeyProvider(cmkArns, currentRegion);
      return new DefaultCryptoMaterialsManager(provider);
    }
  }

  /**
   * Re-encrypt (i.e. decrypt then encrypt) String ciphertext
   *
   * @param encryptedPayload encryptedPayload
   * @param sdbPath the current SDB path
   * @return re-encrypted ciphertext
   */
  public String reencrypt(String encryptedPayload, String sdbPath) {
    String plaintext = decrypt(encryptedPayload, sdbPath);
    return encrypt(plaintext, sdbPath);
  }

  /**
   * Re-encrypt (i.e. decrypt then encrypt) byte array ciphertext
   *
   * @param encryptedPayload encryptedPayload
   * @param sdbPath the current SDB path
   * @return re-encrypted ciphertext
   */
  public byte[] reencrypt(byte[] encryptedPayload, String sdbPath) {
    byte[] plaintextBytes = decrypt(encryptedPayload, sdbPath);
    return encrypt(plaintextBytes, sdbPath);
  }

  /**
   * Decrypt the encryptedPayload.
   *
   * @param parsedCiphertext encryptedPayload
   * @param sdbPath the current SDB path
   */
  private byte[] decryptToBytes(ParsedCiphertext parsedCiphertext, String sdbPath) {
    validateEncryptionContext(parsedCiphertext, sdbPath);
    // Parses the ARNs out of the encryptedPayload so that you can manually rotate the CMKs, if
    // desired
    // Whatever CMKs were used in the encrypt operation will be used to decrypt
    List<String> cmkArns = CiphertextUtils.getCustomerMasterKeyArns(parsedCiphertext);
    CryptoMaterialsManager cryptoMaterialsManager =
        getCryptoMaterialsManager(cmkArns, currentRegion);
    return awsCrypto.decryptData(cryptoMaterialsManager, parsedCiphertext).getResult();
  }

  /**
   * Decrypt the encryptedPayload.
   *
   * @param parsedCiphertext encryptedPayload
   */
  public static String decrypt(
      ParsedCiphertext parsedCiphertext, AwsCrypto awsCrypto, Region currentRegion) {
    // Parses the ARNs out of the encryptedPayload so that you can manually rotate the CMKs, if
    // desired
    // Whatever CMKs were used in the encrypt operation will be used to decrypt
    List<String> cmkArns = CiphertextUtils.getCustomerMasterKeyArns(parsedCiphertext);
    MasterKeyProvider<KmsMasterKey> decryptProvider = initializeKeyProvider(cmkArns, currentRegion);
    return new String(
        awsCrypto.decryptData(decryptProvider, parsedCiphertext).getResult(),
        StandardCharsets.UTF_8);
  }

  /**
   * Validate the encryptionContext for the parsedCiphertext includes the expected sdbPath.
   *
   * <p>This step validates that the encrypted payload was created for the SDB that is currently
   * being decrypted. It is an integrity check. If this validation fails then the encrypted payload
   * may have been tampered with, e.g. copying the encrypted payload between two SDBs.
   *
   * @param parsedCiphertext the ciphertext to read the encryptionContext from
   * @param sdbPath the path expected in the encryptionContext
   */
  private void validateEncryptionContext(ParsedCiphertext parsedCiphertext, String sdbPath) {
    Map<String, String> encryptionContext = parsedCiphertext.getEncryptionContextMap();
    String pathFromEncryptionContext = encryptionContext.getOrDefault(SDB_PATH_PROPERTY_NAME, null);
    if (!StringUtils.equals(pathFromEncryptionContext, sdbPath)) {
      log.error("EncryptionContext did not have expected path, possible tampering: " + sdbPath);
      throw new IllegalArgumentException(
          "EncyptionContext did not have expected path, possible tampering: " + sdbPath);
    }
  }

  /** Split the ARNs from a single comma delimited string into a list. */
  public static List<String> splitArns(String cmkArns) {
    List<String> keyArns = Lists.newArrayList(StringUtils.split(cmkArns, ","));
    if (keyArns.size() < 2) {
      throw new IllegalArgumentException(
          "At least 2 CMK ARNs are required for high availability, size:" + keyArns.size());
    }
    return keyArns;
  }

  /**
   * Initialize a Multi-KMS-MasterKeyProvider.
   *
   * <p>For encrypt, KMS in all regions must be available. For decrypt, KMS in at least one region
   * must be available.
   */
  public static MasterKeyProvider<KmsMasterKey> initializeKeyProvider(
      List<String> cmkArns, Region currentRegion) {
    List<MasterKeyProvider<KmsMasterKey>> providers =
        getSortedArnListByCurrentRegion(cmkArns, currentRegion).stream()
            .map(KmsMasterKeyProvider::new)
            .collect(Collectors.toList());
    return (MasterKeyProvider<KmsMasterKey>) MultipleProviderFactory.buildMultiProvider(providers);
  }

  /**
   * Initialize a Multi-KMS-MasterKeyProvider.
   *
   * <p>For encrypt, KMS in all regions must be available. For decrypt, KMS in at least one region
   * must be available.
   */
  public static MasterKeyProvider<KmsMasterKey> initializeKeyProvider(
      String cmkArns, Region currentRegion) {
    return initializeKeyProvider(splitArns(cmkArns), currentRegion);
  }

  /** ARN with current region should always go first to minimize latency */
  protected static List<String> getSortedArnListByCurrentRegion(
      List<String> cmkArns, Region currentRegion) {
    return cmkArns.stream()
        .sorted(
            (s1, s2) -> {
              if (s1.contains(currentRegion.getName())) {
                // ARN with current region should always go first
                return -1;
              } else if (s2.contains(currentRegion.getName())) {
                // ARN with current region should always go first
                return 1;
              } else {
                // otherwise order isn't that important
                return s1.compareTo(s2);
              }
            })
        .collect(Collectors.toList());
  }

  /**
   * Generate an encryption context (additional information about the payload). This context is not
   * encrypted and should not contain secrets.
   */
  protected Map<String, String> buildEncryptionContext(String sdbPath) {
    Map<String, String> context = new HashMap<>();
    context.put("created_on", DateFormatUtils.format(new Date(), "yyyy-MM-dd"));
    context.put(SDB_PATH_PROPERTY_NAME, sdbPath);
    return context;
  }
}