
Commit e005dc9

committed
Deps + style exemption
1 parent 8c1f429 commit e005dc9


3 files changed

+12
-3
lines changed

3 files changed

+12
-3
lines changed

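--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -864,6 +864,7 @@ class BeamModulePlugin implements Plugin<Project> {
 proto_google_cloud_datacatalog_v1beta1 : "com.google.api.grpc:proto-google-cloud-datacatalog-v1beta1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_datastore_v1 : "com.google.api.grpc:proto-google-cloud-datastore-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_firestore_v1 : "com.google.api.grpc:proto-google-cloud-firestore-v1", // google_cloud_platform_libraries_bom sets version
+proto_google_cloud_kms_v1 : "com.google.api.grpc:proto-google-cloud-kms-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_pubsub_v1 : "com.google.api.grpc:proto-google-cloud-pubsub-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_pubsublite_v1 : "com.google.api.grpc:proto-google-cloud-pubsublite-v1", // google_cloud_platform_libraries_bom sets version
 proto_google_cloud_secret_manager_v1 : "com.google.api.grpc:proto-google-cloud-secretmanager-v1", // google_cloud_platform_libraries_bom sets version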

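--- a/sdks/java/core/build.gradle
+++ b/sdks/java/core/build.gradle
@@ -100,7 +100,9 @@ dependencies {
 shadow library.java.snappy_java
 shadow library.java.joda_time
 implementation enforcedPlatform(library.java.google_cloud_platform_libraries_bom)
+implementation library.java.gax
 implementation library.java.google_cloud_kms
+implementation library.java.proto_google_cloud_kms_v1
 implementation library.java.google_cloud_tink
 implementation library.java.google_cloud_secret_manager
 implementation library.java.proto_google_cloud_secret_manager_v1
@@ -130,6 +132,8 @@ dependencies {
 shadowTest library.java.log4j2_api
 shadowTest library.java.jamm
 shadowTest 'com.google.cloud:google-cloud-secretmanager:2.75.0'
+shadowTest 'com.google.cloud:google-cloud-kms:2.75.0'
+shadowTest 'com.google.crypto.tink:tink:1.19.0'
 testRuntimeOnly library.java.slf4j_jdk14
 }
 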
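Review bot: The two added `shadowTest` lines in the second hunk hard-code `com.google.cloud:google-cloud-kms:2.75.0` and `com.google.crypto.tink:tink:1.19.0`, while the first hunk takes the same libraries from `library.java.google_cloud_kms` and `library.java.google_cloud_tink` under the enforced BOM. If the catalogue or BOM version moves, the tests would exercise a different KMS or Tink release than the one shipped, so a behaviour change or security fix in the crypto path could go unnoticed by the test run. Where those catalogue entries resolve for this configuration, `shadowTest library.java.google_cloud_kms` and `shadowTest library.java.google_cloud_tink` would keep a single source of truth. The KMS version is identical to the secretmanager literal on the line above, so it is worth confirming it was chosen deliberately and not copied.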

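--- a/sdks/java/core/src/main/java/org/apache/beam/sdk/util/GcpHsmGeneratedSecret.java
+++ b/sdks/java/core/src/main/java/org/apache/beam/sdk/util/GcpHsmGeneratedSecret.java
@@ -31,6 +31,7 @@
 import com.google.cloud.secretmanager.v1.SecretVersionName;
 import com.google.crypto.tink.subtle.Hkdf;
 import com.google.protobuf.ByteString;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
@@ -39,8 +40,9 @@
 import org.slf4j.LoggerFactory;
 
 /**
-* A {@link Secret} manager implementation that generates a secret using entropy from a GCP HSM key
-* and stores it in Google Cloud Secret Manager. If the secret already exists, it will be retrieved.
+* A {@link org.apache.beam.sdk.util.Secret} manager implementation that generates a secret using
+* entropy from a GCP HSM key and stores it in Google Cloud Secret Manager. If the secret already
+* exists, it will be retrieved.
 */
 public class GcpHsmGeneratedSecret implements Secret {
 private static final Logger LOG = LoggerFactory.getLogger(GcpHsmGeneratedSecret.class);
@@ -116,10 +118,12 @@ public byte[] getSecretBytes() {
 }
 }
 
+@SuppressFBWarnings("DMI_RANDOM_USED_ONLY_ONCE") // intended, used for non-random nonceOne
 private byte[] generateDek() throws IOException, GeneralSecurityException {
 int dekSize = 32;
 try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
-// 1. Generate nonce_one
+// 1. Generate nonce_one. This doesn't need to have baked in randomness since the
+// actual randomness comes from KMS.
 SecureRandom random = new SecureRandom();
 byte[] nonceOne = new byte[dekSize];
 random.nextBytes(nonceOne);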
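Review bot: The reason given on `@SuppressFBWarnings("DMI_RANDOM_USED_ONLY_ONCE")` calls `nonceOne` "non-random", and the reworded step-1 comment says it "doesn't need to have baked in randomness", yet the code still fills it from `new SecureRandom()`. Neither comment says what property the nonce must actually have, so a later edit could swap in a weaker source for what is presumably an input to the HKDF step. I would state the requirement directly, for example `// 1. Generate nonce_one locally; the DEK's unpredictability relies on the KMS-supplied bytes, nonce_one is additional input.`, with the wording checked against the rest of `generateDek`, which continues past this hunk. The suppression is also method-wide with its reason in a trailing comment; `@SuppressFBWarnings(value = "DMI_RANDOM_USED_ONLY_ONCE", justification = "...")` keeps the reason in the annotation. Alternatively a `private static final SecureRandom SECURE_RANDOM = new SecureRandom();` field used as `SECURE_RANDOM.nextBytes(nonceOne);` should clear the finding without any suppression or the new findbugs import.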
