mattcasters opened a new pull request, #7497: URL: https://github.com/apache/hop/pull/7497
## Summary - Re-initialize the process-global two-way password encoder when a project/environment is enabled (`ProjectsUtil.enableProject`), so AES/AES2 keys can be defined per env-config and reset (or disabled back to Hop obfuscation) between projects. - Add `HOP_AES_ENCODER_KEY_FILE` for key material from a file (e.g. Kubernetes secret mounts), with resolution order: key variable/system property, then key file. - Extend `ITwoWayPasswordEncoder` / `Encr` with variables-aware, synchronized re-init APIs. - Add the **Set password encoder** workflow action for an explicit, canvas-visible decision (plugin ID + key variable / key file; no raw key stored in the HWF). - Update shell/bat scripts, Docker, AES docs, variables list, SECURITY.md, and THREAT_MODEL.md. Closes #7176 ## Test plan - [x] `AesTwoWayPasswordEncoderTest` (encode/decode, key file, variable key, re-init to Hop) - [x] Package `plugins/actions/setpasswordencoder`, passwords, projects modules - [ ] Manual: env-config with `HOP_PASSWORD_ENCODER_PLUGIN=AES2` + `HOP_AES_ENCODER_KEY_FILE`; switch projects and confirm encoder/key resets - [ ] Manual: workflow with Set password encoder action before a connection that uses AES2 ciphertext - [ ] CI: full build / spotless / RAT -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
