Add support for encrypting data transfers with AES (#94)

Kimahriman · web-flow · commit 0e90092e6729 · 2024-04-05T14:49:21.000-04:00
diff --git a/crates/hdfs-native/minidfs/src/main/java/main/Main.java b/crates/hdfs-native/minidfs/src/main/java/main/Main.java
@@ -57,7 +57,10 @@ public static void main(String args[]) throws Exception {
                 conf.set(HADOOP_RPC_PROTECTION, "privacy");
                 conf.set(DFS_DATA_TRANSFER_PROTECTION_KEY, "privacy");
                 if (flags.contains("data_transfer_encryption")) {
+                    // Force encryption for all connections
                     conf.set(DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_KEY, "true");
+                }
+                if (flags.contains("aes")) {
                     conf.set(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, "AES/CTR/NoPadding");
                 }
             } else if (flags.contains("integrity")) {
diff --git a/crates/hdfs-native/src/hdfs/connection.rs b/crates/hdfs-native/src/hdfs/connection.rs
@@ -550,12 +550,9 @@ impl DatanodeConnection {
             .await?;
         self.writer.flush().await?;
 
-        let msg_length = self.reader.read_length_delimiter().await?;
+        let message = self.reader.read_proto().await?;
 
-        let mut response_buf = BytesMut::zeroed(msg_length);
-        self.reader.read_exact(&mut response_buf).await?;
-
-        let response = hdfs::BlockOpResponseProto::decode(response_buf.freeze())?;
+        let response = hdfs::BlockOpResponseProto::decode(message)?;
         Ok(response)
     }
 
@@ -630,12 +627,9 @@ pub(crate) struct DatanodeReader {
 
 impl DatanodeReader {
     pub(crate) async fn read_ack(&mut self) -> Result<hdfs::PipelineAckProto> {
-        let ack_length = self.reader.read_length_delimiter().await?;
-
-        let mut response_buf = BytesMut::zeroed(ack_length);
-        self.reader.read_exact(&mut response_buf).await?;
+        let message = self.reader.read_proto().await?;
 
-        let response = hdfs::PipelineAckProto::decode(response_buf.freeze())?;
+        let response = hdfs::PipelineAckProto::decode(message)?;
         Ok(response)
     }
 }
diff --git a/crates/hdfs-native/src/minidfs.rs b/crates/hdfs-native/src/minidfs.rs
@@ -13,6 +13,7 @@ pub enum DfsFeatures {
     Token,
     Integrity,
     Privacy,
+    AES,
     HA,
     ViewFS,
     EC,
@@ -28,6 +29,7 @@ impl DfsFeatures {
             DfsFeatures::Privacy => "privacy",
             DfsFeatures::Security => "security",
             DfsFeatures::Integrity => "integrity",
+            DfsFeatures::AES => "aes",
             DfsFeatures::Token => "token",
             DfsFeatures::RBF => "rbf",
         }
diff --git a/crates/hdfs-native/src/security/digest.rs b/crates/hdfs-native/src/security/digest.rs
@@ -357,6 +357,14 @@ impl DigestSaslSession {
             server: kis,
         }
     }
+
+    pub(crate) fn supports_encryption(&self) -> bool {
+        match &self.state {
+            DigestState::Stepped(ctx) => matches!(ctx.qop, Qop::AuthConf),
+            DigestState::Completed(ctx) => ctx.as_ref().is_some_and(|c| c.encryptor.is_some()),
+            _ => false,
+        }
+    }
 }
 
 impl SaslSession for DigestSaslSession {
diff --git a/crates/hdfs-native/src/security/sasl.rs b/crates/hdfs-native/src/security/sasl.rs
diff --git a/crates/hdfs-native/tests/test_integration.rs b/crates/hdfs-native/tests/test_integration.rs

Original file line number	Diff line number	Diff line change
`@@ -357,6 +357,14 @@ impl DigestSaslSession {`
`357`	`357`	`server: kis,`
`358`	`358`	`}`
`359`	`359`	`}`
	`360`	`+`
	`361`	`+ pub(crate) fn supports_encryption(&self) -> bool {`
	`362`	`+ match &self.state {`
	`363`	`+ DigestState::Stepped(ctx) => matches!(ctx.qop, Qop::AuthConf),`
	`364`	`+ DigestState::Completed(ctx) => ctx.as_ref().is_some_and(\|c\| c.encryptor.is_some()),`
	`365`	`+ _ => false,`
	`366`	`+ }`
	`367`	`+ }`
`360`	`368`	`}`
`361`	`369`
`362`	`370`	`impl SaslSession for DigestSaslSession {`