Refactor Iceberg GCS vending tests and remove encryption key mechanism

- Rewrite TestIcebergGcsVendingRestCatalog as TestIcebergGcsVendingRestCatalogConnectorSmokeTest
  extending BaseIcebergConnectorSmokeTest with real GCS credentials
- Create IcebergGcsRestCatalogBackendContainer for GCS-specific REST catalog backend
- Rename IcebergRestCatalogBackendContainer to IcebergS3RestCatalogBackendContainer
- Remove old test class and GcsCredentialVendingCatalogAdapter
- Remove default encryption/decryption key mechanism from GcsFileSystem and GcsFileSystemFactory
  to align with S3FileSystem and AzureFileSystem (only per-call newEncrypted* methods)
- Remove encryption key constants from GcsFileSystemConstants
- Remove encryption key mapping from IcebergRestCatalogFileSystemFactory
- Add new GCS vending test to cloud-tests profile in pom.xml

Author: kaveti

lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsFileSystem.java

@@ -76,40 +76,23 @@ public class GcsFileSystem
     private final long writeBlockSizeBytes;
     private final int pageSize;
     private final int batchSize;
-    private final Optional<EncryptionKey> defaultEncryptionKey;
-    private final Optional<EncryptionKey> defaultDecryptionKey;
 
     public GcsFileSystem(ListeningExecutorService executorService, Storage storage, int readBlockSizeBytes, long writeBlockSizeBytes, int pageSize, int batchSize)
-    {
-        this(executorService, storage, readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize, Optional.empty(), Optional.empty());
-    }
-
-    public GcsFileSystem(
-            ListeningExecutorService executorService,
-            Storage storage,
-            int readBlockSizeBytes,
-            long writeBlockSizeBytes,
-            int pageSize,
-            int batchSize,
-            Optional<EncryptionKey> defaultEncryptionKey,
-            Optional<EncryptionKey> defaultDecryptionKey)
     {
         this.executorService = requireNonNull(executorService, "executorService is null");
         this.storage = requireNonNull(storage, "storage is null");
         this.readBlockSizeBytes = readBlockSizeBytes;
         this.writeBlockSizeBytes = writeBlockSizeBytes;
         this.pageSize = pageSize;
         this.batchSize = batchSize;
-        this.defaultEncryptionKey = requireNonNull(defaultEncryptionKey, "defaultEncryptionKey is null");
-        this.defaultDecryptionKey = requireNonNull(defaultDecryptionKey, "defaultDecryptionKey is null");
     }
 
     @Override
     public TrinoInputFile newInputFile(Location location)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.empty(), Optional.empty(), defaultDecryptionKey);
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.empty(), Optional.empty(), Optional.empty());
     }
 
     @Override
@@ -125,7 +108,7 @@ public TrinoInputFile newInputFile(Location location, long length)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.empty(), defaultDecryptionKey);
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.empty(), Optional.empty());
     }
 
     @Override
@@ -141,7 +124,7 @@ public TrinoInputFile newInputFile(Location location, long length, Instant lastM
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.of(lastModified), defaultDecryptionKey);
+        return new GcsInputFile(gcsLocation, storage, readBlockSizeBytes, OptionalLong.of(length), Optional.of(lastModified), Optional.empty());
     }
 
     @Override
@@ -157,7 +140,7 @@ public TrinoOutputFile newOutputFile(Location location)
     {
         GcsLocation gcsLocation = new GcsLocation(location);
         checkIsValidFile(gcsLocation);
-        return new GcsOutputFile(gcsLocation, storage, writeBlockSizeBytes, defaultEncryptionKey);
+        return new GcsOutputFile(gcsLocation, storage, writeBlockSizeBytes, Optional.empty());
     }
 
     @Override

lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsFileSystemFactory.java

@@ -17,17 +17,11 @@
 import com.google.inject.Inject;
 import io.trino.filesystem.TrinoFileSystem;
 import io.trino.filesystem.TrinoFileSystemFactory;
-import io.trino.filesystem.encryption.EncryptionKey;
 import io.trino.spi.security.ConnectorIdentity;
 import jakarta.annotation.PreDestroy;
 
-import java.util.Base64;
-import java.util.Optional;
-
 import static com.google.common.util.concurrent.MoreExecutors.listeningDecorator;
 import static io.airlift.concurrent.Threads.daemonThreadsNamed;
-import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY;
-import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY;
 import static java.lang.Math.toIntExact;
 import static java.util.Objects.requireNonNull;
 import static java.util.concurrent.Executors.newCachedThreadPool;
@@ -62,18 +56,6 @@ public void stop()
     @Override
     public TrinoFileSystem create(ConnectorIdentity identity)
     {
-        Optional<EncryptionKey> defaultEncryptionKey = extractEncryptionKey(identity, EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY);
-        Optional<EncryptionKey> defaultDecryptionKey = extractEncryptionKey(identity, EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY);
-        return new GcsFileSystem(executorService, storageFactory.create(identity), readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize, defaultEncryptionKey, defaultDecryptionKey);
-    }
-
-    private static Optional<EncryptionKey> extractEncryptionKey(ConnectorIdentity identity, String extraCredentialKey)
-    {
-        String base64Key = identity.getExtraCredentials().get(extraCredentialKey);
-        if (base64Key == null) {
-            return Optional.empty();
-        }
-        byte[] keyBytes = Base64.getDecoder().decode(base64Key);
-        return Optional.of(new EncryptionKey(keyBytes, "AES256"));
+        return new GcsFileSystem(executorService, storageFactory.create(identity), readBlockSizeBytes, writeBlockSizeBytes, pageSize, batchSize);
     }
 }

lib/trino-filesystem/src/main/java/io/trino/filesystem/gcs/GcsFileSystemConstants.java

@@ -21,8 +21,6 @@ public final class GcsFileSystemConstants
     public static final String EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY = "internal$gcs_service_host";
     public static final String EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY = "internal$gcs_no_auth";
     public static final String EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY = "internal$gcs_user_project";
-    public static final String EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY = "internal$gcs_encryption_key";
-    public static final String EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY = "internal$gcs_decryption_key";
 
     private GcsFileSystemConstants() {}
 }

plugin/trino-iceberg/pom.xml

@@ -845,6 +845,7 @@
                                 <include>**/TestIcebergS3TablesConnectorSmokeTest.java</include>
                                 <include>**/TestIcebergBigLakeMetastoreConnectorSmokeTest.java</include>
                                 <include>**/TestIcebergGcsConnectorSmokeTest.java</include>
+                                <include>**/TestIcebergGcsVendingRestCatalogConnectorSmokeTest.java</include>
                                 <include>**/TestIcebergAbfsConnectorSmokeTest.java</include>
                                 <include>**/TestIcebergSnowflakeCatalogConnectorSmokeTest.java</include>
                                 <include>**/TestTrinoSnowflakeCatalog.java</include>

plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/catalog/rest/IcebergRestCatalogFileSystemFactory.java

@@ -22,8 +22,6 @@
 
 import java.util.Map;
 
-import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY;
-import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY;
 import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY;
 import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_EXPIRES_AT_PROPERTY;
 import static io.trino.filesystem.gcs.GcsFileSystemConstants.EXTRA_CREDENTIALS_GCS_OAUTH_TOKEN_PROPERTY;
@@ -48,8 +46,6 @@ public class IcebergRestCatalogFileSystemFactory
     private static final String VENDED_GCS_SERVICE_HOST = "gcs.service.host";
     private static final String VENDED_GCS_NO_AUTH = "gcs.no-auth";
     private static final String VENDED_GCS_USER_PROJECT = "gcs.user-project";
-    private static final String VENDED_GCS_ENCRYPTION_KEY = "gcs.encryption-key";
-    private static final String VENDED_GCS_DECRYPTION_KEY = "gcs.decryption-key";
 
     private final TrinoFileSystemFactory fileSystemFactory;
     private final boolean vendedCredentialsEnabled;
@@ -92,9 +88,6 @@ public TrinoFileSystem create(ConnectorIdentity identity, Map<String, String> fi
             addOptionalProperty(extraCredentialsBuilder, fileIoProperties, VENDED_GCS_SERVICE_HOST, EXTRA_CREDENTIALS_GCS_SERVICE_HOST_PROPERTY);
             addOptionalProperty(extraCredentialsBuilder, fileIoProperties, VENDED_GCS_NO_AUTH, EXTRA_CREDENTIALS_GCS_NO_AUTH_PROPERTY);
             addOptionalProperty(extraCredentialsBuilder, fileIoProperties, VENDED_GCS_USER_PROJECT, EXTRA_CREDENTIALS_GCS_USER_PROJECT_PROPERTY);
-            addOptionalProperty(extraCredentialsBuilder, fileIoProperties, VENDED_GCS_ENCRYPTION_KEY, EXTRA_CREDENTIALS_GCS_ENCRYPTION_KEY_PROPERTY);
-            addOptionalProperty(extraCredentialsBuilder, fileIoProperties, VENDED_GCS_DECRYPTION_KEY, EXTRA_CREDENTIALS_GCS_DECRYPTION_KEY_PROPERTY);
-
             ConnectorIdentity identityWithExtraCredentials = ConnectorIdentity.forUser(identity.getUser())
                     .withGroups(identity.getGroups())
                     .withPrincipal(identity.getPrincipal())
@@ -114,9 +107,7 @@ private static boolean hasAnyGcsVendedProperty(Map<String, String> fileIoPropert
                 fileIoProperties.containsKey(VENDED_GCS_NO_AUTH) ||
                 fileIoProperties.containsKey(VENDED_GCS_PROJECT_ID) ||
                 fileIoProperties.containsKey(VENDED_GCS_SERVICE_HOST) ||
-                fileIoProperties.containsKey(VENDED_GCS_USER_PROJECT) ||
-                fileIoProperties.containsKey(VENDED_GCS_ENCRYPTION_KEY) ||
-                fileIoProperties.containsKey(VENDED_GCS_DECRYPTION_KEY);
+                fileIoProperties.containsKey(VENDED_GCS_USER_PROJECT);
     }
 
     private static void addOptionalProperty(