/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.crypto.key.kms.server;

import com.google.common.base.Preconditions;
import com.google.common.base.Stopwatch;

import org.apache.hadoop.util.KMSUtil;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
import javax.ws.rs.core.UriBuilder;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.apache.hadoop.util.KMSUtil.checkNotEmpty;
import static org.apache.hadoop.util.KMSUtil.checkNotNull;
/**
 * Class providing the REST bindings, via Jersey, for the KMS.
 */
@Path(KMSRESTConstants.SERVICE_VERSION)
@InterfaceAudience.Private
public class KMS {

  public static enum KMSOp {
    CREATE_KEY, DELETE_KEY, ROLL_NEW_VERSION, INVALIDATE_CACHE,
    GET_KEYS, GET_KEYS_METADATA,
    GET_KEY_VERSIONS, GET_METADATA, GET_KEY_VERSION, GET_CURRENT_KEY,
    GENERATE_EEK, DECRYPT_EEK, REENCRYPT_EEK, REENCRYPT_EEK_BATCH
  }

  private static final String KEY_NAME_VALIDATION = "[a-z,A-Z,0-9](?!.*--)(?!.*__)(?!.*-_)(?!.*_-)[\\w\\-\\_]*";

  private KeyProviderCryptoExtension provider;
  private KMSAudit kmsAudit;
  static final Logger LOG = LoggerFactory.getLogger(KMS.class);
  private static final int MAX_NUM_PER_BATCH = 10000;

  public KMS() throws Exception {
    provider = KMSWebApp.getKeyProvider();
    kmsAudit= KMSWebApp.getKMSAudit();
  }

  private void assertAccess(Type aclType, UserGroupInformation ugi,
    KMSOp operation, String clientIp) throws AccessControlException {
    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null, clientIp);
  }

  private void assertAccess(Type aclType, UserGroupInformation ugi,
      KMSOp operation, String key, String clientIp) throws AccessControlException {
    KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key, clientIp);
  }

  private static KeyProvider.KeyVersion removeKeyMaterial(
      KeyProvider.KeyVersion keyVersion) {
    return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
        keyVersion.getVersionName(), null);
  }

  private static URI getKeyURI(String domain, String keyName) {
    return UriBuilder.fromPath("{a}/{b}/{c}")
      .build(domain, KMSRESTConstants.KEY_RESOURCE, keyName);
  }

  @POST
  @Path(KMSRESTConstants.KEYS_RESOURCE)
  @Consumes(MediaType.APPLICATION_JSON)
  @Produces(MediaType.APPLICATION_JSON)
  @SuppressWarnings("unchecked")
  public Response createKey(Map jsonKey, @Context HttpServletRequest request) throws Exception {
	try {
	  if (LOG.isDebugEnabled()) {
			LOG.debug("Entering createKey Method.");
	  }
      KMSWebApp.getAdminCallsMeter().mark();
      UserGroupInformation user = HttpUserGroupInformation.get();
      final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
      checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
      validateKeyName(name);
      assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name, request.getRemoteAddr());
      String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
      final String material;
      material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
      int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD)) ? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0;
      String description = (String) jsonKey.get(KMSRESTConstants.DESCRIPTION_FIELD);
      if (LOG.isDebugEnabled()) {
	      LOG.debug("Creating key with name {}, cipher being used{}, "
	      +"length of key {}, description of key {}", name, cipher,length, description);
      }
      Map<String, String> attributes = (Map<String, String>)
      jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
      if (material != null) {
        assertAccess(Type.SET_KEY_MATERIAL, user,
        KMSOp.CREATE_KEY, name, request.getRemoteAddr());
      }
      final KeyProvider.Options options = new KeyProvider.Options(
        KMSWebApp.getConfiguration());
      if (cipher != null) {
        options.setCipher(cipher);
      }
      if (length != 0) {
        options.setBitLength(length);
      }
      options.setDescription(description);
      options.setAttributes(attributes);
      KeyProvider.KeyVersion keyVersion = user.doAs(
        new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            KeyProvider.KeyVersion keyVersion = (material != null) ? provider.createKey(name, Base64.decodeBase64(material),options) : provider.createKey(name, options);
            provider.flush();
            return keyVersion;
          }
        }
      );
      kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" + (material != null) + " Description:" + description);
      if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
        keyVersion = removeKeyMaterial(keyVersion);
      }
      Map json = KMSUtil.toJSON(keyVersion);
      String requestURL = KMSMDCFilter.getURL();
      int idx = requestURL.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE);
      requestURL = requestURL.substring(0, idx);
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting createKey Method.");
      }
      return Response.created(getKeyURI(KMSRESTConstants.SERVICE_VERSION, name))
       .type(MediaType.APPLICATION_JSON)
       .header("Location", getKeyURI(requestURL, name)).entity(json).build();
    }
    catch (Exception e) {
      LOG.error("Exception in createKey.", e);
      throw e;
    }
  }

  private void validateKeyName(String name) {
      Pattern pattern = Pattern.compile(KEY_NAME_VALIDATION);
      Matcher matcher = pattern.matcher(name);
	  if(!matcher.matches()){
		  throw new IllegalArgumentException("Key Name : " + name +
		          ", should start with alpha/numeric letters and can have special characters - (hypen) or _ (underscore)");
	  }
  }

    @DELETE
    @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
    public Response deleteKey(@PathParam("name") final String name, @Context HttpServletRequest request)
        throws Exception {
      try {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Entering deleteKey method.");
        }
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation user = HttpUserGroupInformation.get();
        assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name, request.getRemoteAddr());
        checkNotEmpty(name, "name");
        LOG.debug("Deleting key with name {}.", name);
        user.doAs(new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            provider.deleteKey(name);
            provider.flush();
            return null;
          }
        });
        kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
        if (LOG.isDebugEnabled()) {
            LOG.debug("Exiting deleteKey method.");
        }
        return Response.ok().build();
      } catch (Exception e) {
        LOG.error("Exception in deleteKey.", e);
        throw e;
        }
    }

  @POST
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
  @Consumes(MediaType.APPLICATION_JSON)
  @Produces(MediaType.APPLICATION_JSON)
  public Response rolloverKey(@PathParam("name") final String name, Map jsonMaterial, @Context HttpServletRequest request) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering rolloverKey Method.");
      }
      KMSWebApp.getAdminCallsMeter().mark();
      UserGroupInformation user = HttpUserGroupInformation.get();
      assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
      checkNotEmpty(name, "name");
      LOG.debug("Rolling key with name {}.", name);
      final String material = (String) jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
      if (material != null) {
        assertAccess(Type.SET_KEY_MATERIAL, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
      }
      KeyProvider.KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>(){
        @Override
        public KeyVersion run() throws Exception {KeyVersion keyVersion = (material != null)
        ? provider.rollNewVersion(name, Base64.decodeBase64(material)): provider.rollNewVersion(name);
          provider.flush();
          return keyVersion;
        }
      });
      kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
      (material != null) + " NewVersion:" + keyVersion.getVersionName());
      if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
        keyVersion = removeKeyMaterial(keyVersion);
      }
      Map json = KMSUtil.toJSON(keyVersion);
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting rolloverKey Method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in rolloverKey.", e);
      throw e;
    }
  }

  @POST
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.INVALIDATECACHE_RESOURCE)
  public Response invalidateCache(@PathParam("name") final String name) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering invalidateCache Method.");
      }
      KMSWebApp.getAdminCallsMeter().mark();
      checkNotEmpty(name, "name");
      UserGroupInformation user = HttpUserGroupInformation.get();
      assertAccess(Type.ROLLOVER, user, KMSOp.INVALIDATE_CACHE, name);
      LOG.debug("Invalidating cache with key name {}.", name);
      user.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          provider.invalidateCache(name);
          provider.flush();
          return null;
        }
      });
      kmsAudit.ok(user, KMSOp.INVALIDATE_CACHE, name, "");
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting invalidateCache for key name {}.", name);
      }
      return Response.ok().build();
    } catch (Exception e) {
      LOG.error("Exception in invalidateCache for key name {}.", name, e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
      List<String> keyNamesList, @Context HttpServletRequest request) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getKeysMetadata method.");
      }
      KMSWebApp.getAdminCallsMeter().mark();
      UserGroupInformation user = HttpUserGroupInformation.get();
      final String[] keyNames = keyNamesList.toArray( new String[keyNamesList.size()]);
      assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA, request.getRemoteAddr());
      KeyProvider.Metadata[] keysMeta = user.doAs(new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
        @Override
        public KeyProvider.Metadata[] run() throws Exception {
          return provider.getKeysMetadata(keyNames);
        }
      });
      Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
      kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting getKeysMetadata method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in getKeysmetadata.", e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response getKeyNames(@Context HttpServletRequest request) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getKeyNames method.");
      }
      KMSWebApp.getAdminCallsMeter().mark();
      UserGroupInformation user = HttpUserGroupInformation.get();
      assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, request.getRemoteAddr());
      List<String> json = user.doAs(new PrivilegedExceptionAction<List<String>>() {
        @Override
        public List<String> run() throws Exception {
          return provider.getKeys();
        }
      });
      kmsAudit.ok(user, KMSOp.GET_KEYS, "");
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting getKeyNames method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in getkeyNames.", e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
  public Response getKey(@PathParam("name") String name, @Context HttpServletRequest request)
      throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Getting key information for key with name {}.", name);
      }
      return getMetadata(name, request);
    } catch (Exception e) {
      LOG.error("Exception in getKey.", e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
      KMSRESTConstants.METADATA_SUB_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response getMetadata(@PathParam("name") final String name, @Context HttpServletRequest request)
      throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getMetadata method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(name, "name");
      KMSWebApp.getAdminCallsMeter().mark();
      assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name, request.getRemoteAddr());
      LOG.debug("Getting metadata for key with name {}.", name);
      KeyProvider.Metadata metadata = user.doAs(
        new PrivilegedExceptionAction<KeyProvider.Metadata>() {
        @Override
        public KeyProvider.Metadata run() throws Exception {
          return provider.getMetadata(name);
        }
      });
      Object json = KMSServerJSONUtils.toJSON(name, metadata);
      kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting getMetadata method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in getMetadata.", e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
      KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request)
      throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getCurrentVersion method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(name, "name");
      KMSWebApp.getKeyCallsMeter().mark();
      assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr());
      LOG.debug("Getting key version for key with name {}.", name);
      KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getCurrentKey(name);
        }
      });
      Object json = KMSUtil.toJSON(keyVersion);
      kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
      if (LOG.isDebugEnabled()) {
        LOG.debug("Exiting getCurrentVersion method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in getCurrentVersion.", e);
      throw e;
    }
  }

  @GET
  @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
  @Produces(MediaType.APPLICATION_JSON)
  public Response getKeyVersion(
      @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getKeyVersion method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(versionName, "versionName");
      KMSWebApp.getKeyCallsMeter().mark();
      assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr());
      LOG.debug("Getting key with version name {}.", versionName);
      KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getKeyVersion(versionName);
        }
      });
      if (keyVersion != null) {
        kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
      }
      Object json = KMSUtil.toJSON(keyVersion);
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting getKeyVersion method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
      LOG.error("Exception in getKeyVersion.", e);
      throw e;
    }
  }

  @SuppressWarnings({ "rawtypes", "unchecked" })
  @GET
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
      KMSRESTConstants.EEK_SUB_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response generateEncryptedKeys( @PathParam("name") final String name,
    @QueryParam(KMSRESTConstants.EEK_OP) String edekOp,
    @DefaultValue("1") @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys,
    @Context HttpServletRequest request) throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering generateEncryptedKeys method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(name, "name");
      checkNotNull(edekOp, "eekOp");
      LOG.debug("Generating encrypted key with name {}, the edek Operation is {}.", name, edekOp);
      Object retJSON;
      if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
        LOG.debug("edek Operation is Generate.");
        assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name,request.getRemoteAddr());
        final List<EncryptedKeyVersion> retEdeks = new LinkedList<EncryptedKeyVersion>();
        try {
          user.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
              LOG.debug("Generated Encrypted key for {} number of keys.", numKeys);
              for (int i = 0; i < numKeys; i++) {
                retEdeks.add(provider.generateEncryptedKey(name));
              }
              return null;
            }
          });
        } catch (Exception e) {
          LOG.error("Exception in generateEncryptedKeys:", e);
          throw new IOException(e);
        }
        kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
        retJSON = new ArrayList();
        for (EncryptedKeyVersion edek : retEdeks) {
          ((ArrayList) retJSON).add(KMSUtil.toJSON(edek));
        }
      } else {
        StringBuilder error;
        error = new StringBuilder("IllegalArgumentException Wrong ");
        error.append(KMSRESTConstants.EEK_OP);
        error.append(" value, it must be ");
        error.append(KMSRESTConstants.EEK_GENERATE);
        error.append(" or ");
        error.append(KMSRESTConstants.EEK_DECRYPT);
        LOG.error(error.toString());
        throw new IllegalArgumentException(error.toString());
      }
      KMSWebApp.getGenerateEEKCallsMeter().mark();
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting generateEncryptedKeys method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON).build();
    } catch (Exception e) {
      LOG.error("Exception in generateEncryptedKeys.", e);
      throw e;
    }
  }
  @SuppressWarnings({ "rawtypes", "unchecked" })
    @POST
    @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
        KMSRESTConstants.REENCRYPT_BATCH_SUB_RESOURCE)
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON )
    public Response reencryptEncryptedKeys(
        @PathParam("name") final String name,
        final List<Map> jsonPayload)
        throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering reencryptEncryptedKeys method.");
      }
      final Stopwatch sw = Stopwatch.createStarted();
      checkNotEmpty(name, "name");
      checkNotNull(jsonPayload, "jsonPayload");
      final UserGroupInformation user = HttpUserGroupInformation.get();
      KMSWebApp.getReencryptEEKBatchCallsMeter().mark();
      if (jsonPayload.size() > MAX_NUM_PER_BATCH) {
        LOG.warn("Payload size {} too big for reencryptEncryptedKeys from"
        + " user {}.", jsonPayload.size(), user);
      }
      assertAccess(Type.GENERATE_EEK, user, KMSOp.REENCRYPT_EEK_BATCH,name);
      LOG.debug("Batch reencrypting {} Encrypted Keys for key name {}", jsonPayload.size(), name);
      final List<EncryptedKeyVersion> ekvs = KMSUtil.parseJSONEncKeyVersions(name, jsonPayload);
      Preconditions.checkArgument(ekvs.size() == jsonPayload.size(),"EncryptedKey size mismatch after parsing from json");
      for (EncryptedKeyVersion ekv : ekvs) {
        Preconditions.checkArgument(name.equals(ekv.getEncryptionKeyName()),"All EncryptedKeys must be under the given key name " + name);
      }
      user.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          provider.reencryptEncryptedKeys(ekvs);
          return null;
        }
      });
      List retJSON = new ArrayList<>(ekvs.size());
      for (EncryptedKeyVersion ekv: ekvs) {
        retJSON.add(KMSUtil.toJSON(ekv));
      }
      kmsAudit.ok(user, KMSOp.REENCRYPT_EEK_BATCH, name,"reencrypted " + ekvs.size() + " keys");
      LOG.info("reencryptEncryptedKeys {} keys for key {} took {}", jsonPayload.size(), name, sw.stop());
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting reencryptEncryptedKeys method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON).build();
    } catch (Exception e) {
      LOG.error("Exception in reencryptEncryptedKeys.", e);
      throw e;
    }
  }

  @SuppressWarnings("rawtypes")
  @POST
  @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
      KMSRESTConstants.EEK_SUB_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response handleEncryptedKeyOp(
      @PathParam("versionName") final String versionName,
      @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
      Map jsonPayload, @Context HttpServletRequest request)
      throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering handleEncryptedKeyOp method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(versionName, "versionName");
      checkNotNull(eekOp, "eekOp");
      LOG.debug("Decrypting key for {}, the edek Operation is {}.", versionName, eekOp);
      final String keyName = (String) jsonPayload.get(KMSRESTConstants.NAME_FIELD);
      String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
      String encMaterialStr = (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
      checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
      final byte[] iv = Base64.decodeBase64(ivStr);
      checkNotNull(encMaterialStr, KMSRESTConstants.MATERIAL_FIELD);
      final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
      Object retJSON;
      if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
        KMSWebApp.getDecryptEEKCallsMeter().mark();
        assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, request.getRemoteAddr());
        KeyProvider.KeyVersion retKeyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            return provider.decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(
            keyName, versionName, iv,KeyProviderCryptoExtension.EEK,encMaterial));
          }
        });
        retJSON = KMSUtil.toJSON(retKeyVersion);
        kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
      } else if (eekOp.equals(KMSRESTConstants.EEK_REENCRYPT)) {
        KMSWebApp.getReencryptEEKCallsMeter().mark();
        assertAccess(Type.GENERATE_EEK, user, KMSOp.REENCRYPT_EEK, keyName);
        EncryptedKeyVersion retEncryptedKeyVersion = user.doAs(new PrivilegedExceptionAction<EncryptedKeyVersion>() {
          @Override
          public EncryptedKeyVersion run() throws Exception {
            return provider.reencryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(keyName,versionName, iv, KeyProviderCryptoExtension.EEK,
              encMaterial));
          }
        });
        retJSON = KMSUtil.toJSON(retEncryptedKeyVersion);
        kmsAudit.ok(user, KMSOp.REENCRYPT_EEK, keyName, "");
        } else {
        StringBuilder error;
        error = new StringBuilder("IllegalArgumentException Wrong ");
        error.append(KMSRESTConstants.EEK_OP);
        error.append(" value, it must be ");
        error.append(KMSRESTConstants.EEK_GENERATE);
        error.append(" or ");
        error.append(KMSRESTConstants.EEK_DECRYPT);
        LOG.error(error.toString());
        throw new IllegalArgumentException(error.toString());
      }
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting handleEncryptedKeyOp method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON).build();
    } catch (Exception e) {
      LOG.error("Exception in handleEncryptedKeyOp.", e);
      throw e;
}
  }

  @GET
  @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
      KMSRESTConstants.VERSIONS_SUB_RESOURCE)
  @Produces(MediaType.APPLICATION_JSON)
  public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request)
      throws Exception {
    try {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Entering getKeyVersions method.");
      }
      UserGroupInformation user = HttpUserGroupInformation.get();
      checkNotEmpty(name, "name");
      KMSWebApp.getKeyCallsMeter().mark();
      assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr());
      LOG.debug("Getting key versions for key {}", name);
      List<KeyVersion> ret = user.doAs(new PrivilegedExceptionAction<List<KeyVersion>>() {
        @Override
        public List<KeyVersion> run() throws Exception {
          return provider.getKeyVersions(name);
        }
      });
      Object json = KMSServerJSONUtils.toJSON(ret);
      kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
      if (LOG.isDebugEnabled()) {
          LOG.debug("Exiting getKeyVersions method.");
      }
      return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
    } catch (Exception e) {
        LOG.error("Exception in getKeyVersions.", e);
      throw e;
    }
   }

}