Add support for enforcing https, update JVM version to 17

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## v8.0.1
+
+- We’ve removed the direct constructors for `TenantSecurityClient` and replaced them with a builder-based API. The static TenantSecurityClient.create method is still provided for convenience.
+- TenantSecurityClient now enforces HTTPS connections to the TSP by default. You can opt out of this restriction using the new `TenantSecurityClient.Builder`, using `allowInsecureHttp(true)`. This should only be done in the case of testing.
+
+## v8.0.0
+
+- Accidental release. Incomplete. Use 8.0.1 instead.
+
 ## v7.2.3
 
 - No code change, changed publishing to new sonatype.

examples/README.md

@@ -20,11 +20,11 @@ have included this configuration in the repository as a convenience. Also note t
 created in IronCore's staging infrastructure.
 
 The following command will get a TSP and LD running together on your computer with the provided configuration.
-The `docker-compose` command will pull both container images, then start them up together on a subnetwork, so they can
+The `docker compose` command will pull both container images, then start them up together on a subnetwork, so they can
 communicate with each other.
 
 ```bash
-docker-compose -f docker-compose.yml up
+docker compose -f docker-compose.yml up
 ```
 
 The TSP will be listening locally on port 32804.

examples/large-documents/pom.xml

@@ -29,7 +29,7 @@
     <dependency>
       <groupId>com.ironcorelabs</groupId>
       <artifactId>tenant-security-java</artifactId>
-      <version>4.0.1</version>
+      <version>8.0.1</version>
     </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>

examples/large-documents/src/main/java/com/ironcorelabs/large/LargeDocuments.java

@@ -40,7 +40,9 @@ public static void main(String[] args) throws Exception {
 
         // Initialize the client with a Tenant Security Proxy domain and API key.
         // Typically this would be done once when the application or service initializes
-        TenantSecurityClient client = TenantSecurityClient.create("http://localhost:32804", API_KEY).get();
+        TenantSecurityClient client =
+                new TenantSecurityClient.Builder("http://localhost:32804", API_KEY)
+                        .allowInsecureHttp(true).build();
 
         // Create metadata used to associate this document to a tenant, name the
         // document, and identify the service or user making the call
@@ -64,7 +66,8 @@ public static void main(String[] args) throws Exception {
         System.out.println("Writing encrypted files to: " + tmpFileDir);
 
         ObjectMapper objectMapper = new ObjectMapper();
-        BigDoc sourceObj = objectMapper.readValue(new File("./resources/" + filename), BigDoc.class);
+        BigDoc sourceObj =
+                objectMapper.readValue(new File("./resources/" + filename), BigDoc.class);
 
         // Reduce the document to a map of all the sub documents to be encrypted with
         // the same key
@@ -115,14 +118,17 @@ public static void main(String[] args) throws Exception {
         String subDocId2 = "4e57e8bd-d88a-4083-9fac-05a635110e2a";
 
         // Read the two files out first
-        byte[] encryptedFile1 = Files.readAllBytes(Paths.get(tmpFileDir.toString(), subDocId1 + ".enc"));
-        byte[] encryptedFile2 = Files.readAllBytes(Paths.get(tmpFileDir.toString(), subDocId2 + ".enc"));
+        byte[] encryptedFile1 =
+                Files.readAllBytes(Paths.get(tmpFileDir.toString(), subDocId1 + ".enc"));
+        byte[] encryptedFile2 =
+                Files.readAllBytes(Paths.get(tmpFileDir.toString(), subDocId2 + ".enc"));
 
         // In a DB situation this edek could be stored with the large doc (if sub docs
         // are only decrypted in that context) or it could be stored alongside each
         // sub-document. In the latter case you make it harder to accidentally
         // cryptoshred data by de-syncing edeks at the cost of row size
-        String edek = new String(Files.readAllBytes(Paths.get(tmpFileDir.toString(), filename + ".edek")));
+        String edek = new String(
+                Files.readAllBytes(Paths.get(tmpFileDir.toString(), filename + ".edek")));
 
         // each of the documents could be individually decrypted with their own calls,
         // but by combining them into one structure we ensure we only make one call to
@@ -133,15 +139,18 @@ public static void main(String[] args) throws Exception {
         EncryptedDocument encryptedPartialBigDoc = new EncryptedDocument(encryptedPartDocMap, edek);
 
         // Decrypt the two subdocuments
-        PlaintextDocument decryptedPartialBigDoc = client.decrypt(encryptedPartialBigDoc, metadata).get();
+        PlaintextDocument decryptedPartialBigDoc =
+                client.decrypt(encryptedPartialBigDoc, metadata).get();
 
         // Turn the decrypted bytes back into objects
-        SubDoc reSubDoc1 = objectMapper
-                .readValue(new String(decryptedPartialBigDoc.getDecryptedFields().get(subDocId1)), SubDoc.class);
-        SubDoc reSubDoc2 = objectMapper
-                .readValue(new String(decryptedPartialBigDoc.getDecryptedFields().get(subDocId2)), SubDoc.class);
+        SubDoc reSubDoc1 = objectMapper.readValue(
+                new String(decryptedPartialBigDoc.getDecryptedFields().get(subDocId1)),
+                SubDoc.class);
+        SubDoc reSubDoc2 = objectMapper.readValue(
+                new String(decryptedPartialBigDoc.getDecryptedFields().get(subDocId2)),
+                SubDoc.class);
         // just so we can write it out nicely
-        BigDoc rePartialBigDoc = new BigDoc("x", "x", "x", new SubDoc[] { reSubDoc1, reSubDoc2 });
+        BigDoc rePartialBigDoc = new BigDoc("x", "x", "x", new SubDoc[] {reSubDoc1, reSubDoc2});
 
         // Write out the rehydrated docs as proof that things round tripped fine
         Files.write(Paths.get(tmpFileDir.toString(), "partial-large-document.json"),

examples/logging-example/pom.xml

@@ -29,7 +29,7 @@
     <dependency>
       <groupId>com.ironcorelabs</groupId>
       <artifactId>tenant-security-java</artifactId>
-      <version>4.0.0</version>
+      <version>8.0.1</version>
     </dependency>
 
   </dependencies>
@@ -82,4 +82,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>

examples/logging-example/src/main/java/com/ironcorelabs/logging/LoggingExample.java

@@ -28,7 +28,9 @@ public static void main(String[] args) throws Exception {
 
     // Initialize the client with a Tenant Security Proxy domain and API key.
     // Typically this would be done once when the application or service initializes
-    TenantSecurityClient client = TenantSecurityClient.create("http://localhost:32804", API_KEY).get();
+    TenantSecurityClient client =
+        new TenantSecurityClient.Builder("http://localhost:32804", API_KEY).allowInsecureHttp(true)
+            .build();
 
     // Example 1: logging a user-related event
     //
@@ -38,8 +40,8 @@ public static void main(String[] args) throws Exception {
     Map<String, String> otherData = new HashMap<>();
     otherData.put("field1", "gumby");
     otherData.put("field2", "gumby");
-    EventMetadata metadata1 = new EventMetadata(TENANT_ID, "userId1", "PII", otherData, "Rq8675309", "127.0.0.1",
-        "userId1", System.currentTimeMillis());
+    EventMetadata metadata1 = new EventMetadata(TENANT_ID, "userId1", "PII", otherData, "Rq8675309",
+        "127.0.0.1", "userId1", System.currentTimeMillis());
     try {
       client.logSecurityEvent(UserEvent.LOGIN, metadata1).get();
       System.out.println("Successfully logged user login event.");

examples/rekey-example/pom.xml

@@ -28,7 +28,7 @@
     <dependency>
       <groupId>com.ironcorelabs</groupId>
       <artifactId>tenant-security-java</artifactId>
-      <version>4.1.0</version>
+      <version>8.0.1</version>
     </dependency>
   </dependencies>
 
@@ -80,4 +80,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>

examples/rekey-example/src/main/java/com/ironcorelabs/rekey/RekeyExample.java

@@ -2,6 +2,7 @@
 
 import com.ironcorelabs.tenantsecurity.kms.v1.*;
 import com.ironcorelabs.tenantsecurity.kms.v1.exception.TenantSecurityException;
+import com.ironcorelabs.tenantsecurity.utils.CompletableFutures;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
@@ -12,11 +13,14 @@
 /**
  * Three parts:
  *
- * <p>Encrypt a customer record
+ * <p>
+ * Encrypt a customer record
  *
- * <p>Rekey the encrypted record to a new tenant
+ * <p>
+ * Rekey the encrypted record to a new tenant
  *
- * <p>Decrypt the encrypted record using the new tenant
+ * <p>
+ * Decrypt the encrypted record using the new tenant
  */
 public class RekeyExample {
 
@@ -44,87 +48,78 @@ public static void main(String[] args) throws Exception {
 
     // Initialize the client with a Tenant Security Proxy domain and API key.
     // Typically this would be done once when the application or service initializes.
-    CompletableFuture<PlaintextDocument> rekeyedRoundtrip =
-        TenantSecurityClient.create(TSP_ADDR, API_KEY)
-            .thenCompose(
-                client -> {
-                  try {
-                    //
-                    // Part 1: Encrypting a customer record
-                    //
-
-                    // Create metadata used to associate this document to the first tenant, name the
-                    // document, and identify the service or user making the call
-                    DocumentMetadata metadata =
-                        new DocumentMetadata(TENANT_ID, "serviceOrUserId", "PII");
-
-                    // Create a map containing your data
-                    Map<String, byte[]> custRecord = new HashMap<>();
-                    custRecord.put("ssn", "000-12-2345".getBytes("UTF-8"));
-                    custRecord.put(
-                        "address", "2825-519 Stone Creek Rd, Bozeman, MT 59715".getBytes("UTF-8"));
-                    custRecord.put("name", "Jim Bridger".getBytes("UTF-8"));
-
-                    System.out.println("Encrypting using tenant " + TENANT_ID);
-                    // Request a key from the KMS and use it to encrypt the document
-                    CompletableFuture<EncryptedDocument> encryptedDocument =
-                        client.encrypt(custRecord, metadata);
-
-                    //
-                    // Part 2: Rekey the encrypted record to a new tenant
-                    //
-
-                    final String NEW_TENANT_ID = "tenant-aws";
-
-                    System.out.println("Rekeying to tenant " + NEW_TENANT_ID);
-
-                    CompletableFuture<EncryptedDocument> rekeyedDocument =
-                        encryptedDocument.thenCompose(
-                            // Rekey the document to `tenant-aws` using their primary config. The
-                            // metadata's name and identifying information could also be changed at
-                            // this time.
-                            encrypted -> 
-                                client.rekeyEdek(encrypted.getEdek(), metadata, NEW_TENANT_ID)
-                                    .thenApply(
-                                        newDoc -> 
-                                            new EncryptedDocument(encrypted.getEncryptedFields(), 
-                                                                  newDoc)
-                                ));
-
-
-
-                    //
-                    // Part 3: Decrypt the encrypted record using the new tenant
-                    //
-
-                    // Create new metadata for this document indicating that it was
-                    // rekeyed to the second tenant. The name and identifying information
-                    // could also be changed at this time.
-                    DocumentMetadata newMetadata =
-                        new DocumentMetadata(NEW_TENANT_ID, "serviceOrUserId", "PII");
-
-                    System.out.println("Decrypting with tenant " + NEW_TENANT_ID);
-
-                    CompletableFuture<PlaintextDocument> decryptedDocument =
-                        rekeyedDocument.thenCompose(
-                            // Decrypt the document encrypted to `tenant-aws`
-                            rekeyed -> client.decrypt(rekeyed, newMetadata));
-
-                    return decryptedDocument;
-                  } catch (Exception e) {
-                    throw new CompletionException(e);
-                  }
-                });
+    CompletableFuture<PlaintextDocument> rekeyedRoundtrip = CompletableFutures.tryCatchNonFatal(
+        () -> new TenantSecurityClient.Builder(TSP_ADDR, API_KEY).allowInsecureHttp(true).build())
+        .thenCompose(client -> {
+          try {
+            //
+            // Part 1: Encrypting a customer record
+            //
+
+            // Create metadata used to associate this document to the first tenant, name the
+            // document, and identify the service or user making the call
+            DocumentMetadata metadata = new DocumentMetadata(TENANT_ID, "serviceOrUserId", "PII");
+
+            // Create a map containing your data
+            Map<String, byte[]> custRecord = new HashMap<>();
+            custRecord.put("ssn", "000-12-2345".getBytes("UTF-8"));
+            custRecord.put("address",
+                "2825-519 Stone Creek Rd, Bozeman, MT 59715".getBytes("UTF-8"));
+            custRecord.put("name", "Jim Bridger".getBytes("UTF-8"));
+
+            System.out.println("Encrypting using tenant " + TENANT_ID);
+            // Request a key from the KMS and use it to encrypt the document
+            CompletableFuture<EncryptedDocument> encryptedDocument =
+                client.encrypt(custRecord, metadata);
+
+            //
+            // Part 2: Rekey the encrypted record to a new tenant
+            //
+
+            final String NEW_TENANT_ID = "tenant-aws";
+
+            System.out.println("Rekeying to tenant " + NEW_TENANT_ID);
+
+            CompletableFuture<EncryptedDocument> rekeyedDocument = encryptedDocument.thenCompose(
+                // Rekey the document to `tenant-aws` using their primary config. The
+                // metadata's name and identifying information could also be changed at
+                // this time.
+                encrypted -> client.rekeyEdek(encrypted.getEdek(), metadata, NEW_TENANT_ID)
+                    .thenApply(
+                        newDoc -> new EncryptedDocument(encrypted.getEncryptedFields(), newDoc)));
+
+
+
+            //
+            // Part 3: Decrypt the encrypted record using the new tenant
+            //
+
+            // Create new metadata for this document indicating that it was
+            // rekeyed to the second tenant. The name and identifying information
+            // could also be changed at this time.
+            DocumentMetadata newMetadata =
+                new DocumentMetadata(NEW_TENANT_ID, "serviceOrUserId", "PII");
+
+            System.out.println("Decrypting with tenant " + NEW_TENANT_ID);
+
+            CompletableFuture<PlaintextDocument> decryptedDocument = rekeyedDocument.thenCompose(
+                // Decrypt the document encrypted to `tenant-aws`
+                rekeyed -> client.decrypt(rekeyed, newMetadata));
+
+            return decryptedDocument;
+          } catch (Exception e) {
+            throw new CompletionException(e);
+          }
+        });
 
     try {
       // access decrypted fields
       Map<String, byte[]> decryptedValuesMap = rekeyedRoundtrip.get().getDecryptedFields();
 
       System.out.println(
           "Decrypted SSN: " + new String(decryptedValuesMap.get("ssn"), StandardCharsets.UTF_8));
-      System.out.println(
-          "Decrypted address: "
-              + new String(decryptedValuesMap.get("address"), StandardCharsets.UTF_8));
+      System.out.println("Decrypted address: "
+          + new String(decryptedValuesMap.get("address"), StandardCharsets.UTF_8));
       System.out.println(
           "Decrypted name: " + new String(decryptedValuesMap.get("name"), StandardCharsets.UTF_8));
     } catch (ExecutionException e) {

examples/simple-roundtrip/pom.xml

@@ -29,7 +29,7 @@
     <dependency>
       <groupId>com.ironcorelabs</groupId>
       <artifactId>tenant-security-java</artifactId>
-      <version>4.0.0</version>
+      <version>8.0.1</version>
     </dependency>
 
   </dependencies>
@@ -82,4 +82,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>