mattcasters opened a new pull request, #7497:
URL: https://github.com/apache/hop/pull/7497

   ## Summary
   
   - Re-initialize the process-global two-way password encoder when a 
project/environment is enabled (`ProjectsUtil.enableProject`), so AES/AES2 keys 
can be defined per env-config and reset (or disabled back to Hop obfuscation) 
between projects.
   - Add `HOP_AES_ENCODER_KEY_FILE` for key material from a file (e.g. 
Kubernetes secret mounts), with resolution order: key variable/system property, 
then key file.
   - Extend `ITwoWayPasswordEncoder` / `Encr` with variables-aware, 
synchronized re-init APIs.
   - Add the **Set password encoder** workflow action for an explicit, 
canvas-visible decision (plugin ID + key variable / key file; no raw key stored 
in the HWF).
   - Update shell/bat scripts, Docker, AES docs, variables list, SECURITY.md, 
and THREAT_MODEL.md.
   
   Closes #7176
   
   ## Test plan
   
   - [x] `AesTwoWayPasswordEncoderTest` (encode/decode, key file, variable key, 
re-init to Hop)
   - [x] Package `plugins/actions/setpasswordencoder`, passwords, projects 
modules
   - [ ] Manual: env-config with `HOP_PASSWORD_ENCODER_PLUGIN=AES2` + 
`HOP_AES_ENCODER_KEY_FILE`; switch projects and confirm encoder/key resets
   - [ ] Manual: workflow with Set password encoder action before a connection 
that uses AES2 ciphertext
   - [ ] CI: full build / spotless / RAT


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to