ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r914382446


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
             realTrustStorePassword = trustStorePassword;
          } else {
             realKeyStorePath = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> 
useDefaultSslContext ? keyStorePath : 
v).filter(Objects::nonNull).findFirst().orElse(null);
-            realKeyStorePassword = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null);
+            realKeyStorePassword = 
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
 System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null));
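Review bot: in the added realKeyStorePassword assignment, processSslPasswordProperty(...) wraps the result of the whole Stream, so it receives more than the two system property values. It also gets keyStorePassword, which is the third Stream.of element and the only candidate when useDefaultSslContext is true, and it gets null when .orElse(null) finds nothing. If keyStorePassword has already been through password decoding earlier in this class, it is processed a second time here, and a plaintext value that happens to have the ENC(...) shape would be altered. Consider applying the helper only to the two System.getProperty(...) values before they enter the stream, and either documenting or testing that processSslPasswordProperty returns null unchanged. Since the same pattern is presumably applied to the trust store password, a unit test covering an ENC(...) system property, a plain system property and the unset case would pin the intended behaviour for both.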

Review Comment:
   This PR enables ENC(...) handling for the 
'org.apache.activemq.ssl.keyStorePassword', 'o.a.a.ssl.trustStorePassword', 
'javax.net.ssl.keyStorePassword', and 'j.n.ssl.trustStorePassword' system 
property values. The connector URL 'keyStorePassword' and 'trustStorePassword' 
query string handling is unchanged as these values already are decrypted as 
needed through the ConfigurationHelper#getPasswordProperty(...) method in lines 
401 and 409.
   
   The system properties obviously aren't part of the 'configuration' Map so 
the ConfigurationHelper#getPasswordProperty(...) method can't be used directly. 
The processSslPasswordProperty(...) method duplicates the behavior of calling 
getPasswordProperty(...) using the same 
ActiveMQDefaultConfiguration.getPropMaskPassword() and .getPropPasswordCodec() 
used for the connector URL password handling for the 'keyStorePassword' and 
'trustStorePassword'.
   
   Hopefully, that makes more sense as to the intent. ARTEMIS-3794 is just a 
JIRA I saw similar to the AMQP broker connection user and password attribute 
encryption handling.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
