[GitHub] [activemq-artemis] ryan-highley commented on a diff in pull request #4135: ARTEMIS-3794 System Property Encryption Support

Mon, 04 Jul 2022 08:09:27 -0700 


ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r913089507


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
             realTrustStorePassword = trustStorePassword;
          } else {
             realKeyStorePath = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> 
useDefaultSslContext ? keyStorePath : 
v).filter(Objects::nonNull).findFirst().orElse(null);
-            realKeyStorePassword = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null);
+            realKeyStorePassword = 
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
 System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null));

Review Comment:
   The stream processing logic is identical to the previous code--I just 
wrapped the stream result in a method call to handle the possibility of an 
encrypted system property. However, the encrypted password logic should only be 
invoked when the value is not the keyStorePassword or trustStorePassword 
captured with ConfigurationHelper#getPasswordProperty(...) previously as that 
value has already been decrypted if necessary.
   
   I've tweaked the logic to call processSslPasswordProperty(...) only when the 
existing stream processing result is one of the system properties, not a query 
string value.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to