GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/834

    NIFI-1831 Implemented encrypted configuration capabilities

    This is a "beta" PR -- there are still some edge cases I want to clean up but I wanted to get eyes on it because it will be a large change. Specific areas of focus for review:
    * LICENSE
    * `AESSensitivePropertyProvider` -- class which actually performs encryption/decryption
    * `ConfigEncryptionTool` -- command-line class to make the process of encrypting the configuration values easy

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-1831

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/834.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #834
    
----
commit b75cdb0742fd814e0c9c7831e8e0bcbdc48c1223
Author: Andy LoPresto <[email protected]>
Date:   2016-06-11T04:06:55Z

    NIFI-1831 Cleaned up trailing whitespace. (+1 squashed commit)
    Squashed commits:
    [7fc7e0a] NIFI-1831 Adapted Apache Commons Hex and Base64 encoding/decoding classes and implemented in nifi-properties (avoiding extraneous Maven dependencies).
    Added sanity checks in unit tests.
    Added utility join method in StringUtils.

commit f9f173099b026eb78b2fe16c6ad15ab1bdeed8d3
Author: Andy LoPresto <[email protected]>
Date:   2016-06-11T04:18:37Z

    NIFI-1831 Added interface and first implementation of SensitivePropertyProvider.

commit 354596a2e3ea9cde41bd12c0ff4d145e1ab910c4
Author: Andy LoPresto <[email protected]>
Date:   2016-06-11T04:19:13Z

    NIFI-1831 Added skeleton for regression tests and new unit tests for sensitive property loading.

commit 836ee1e84c2b352ee96c8831e02178d95396400c
Author: Andy LoPresto <[email protected]>
Date:   2016-07-14T20:31:17Z

    NIFI-1831 Added initial logic in NiFiProperties to detect sensitive property keys and return list of sensitive properties.
    Added unit tests (and resource).

commit dafa426d36e2bb86361ee8c14681addfa31677f9
Author: Andy LoPresto <[email protected]>
Date:   2016-07-14T20:39:17Z

    NIFI-1831 Moved Base64 and Hex sanity tests into correct package.

commit eee44e107ddbecbacd8cb44b9c94fd0bbef5ec60
Author: Andy LoPresto <[email protected]>
Date:   2016-07-14T22:58:01Z

    NIFI-1831 Added BouncyCastle dependency to nifi-properties module.

commit a0286b55eb1c1f469ae9612a51a3aadb4198f175
Author: Andy LoPresto <[email protected]>
Date:   2016-07-14T22:59:06Z

    NIFI-1831 Added SensitivePropertyProtectionException.
    Updated unprotect method contract in interface and implementation with new exception.
    Added unprotect logic.

commit 064b2d14c088f7e984af625658011fe9310a759b
Author: Andy LoPresto <[email protected]>
Date:   2016-07-14T22:59:34Z

    NIFI-1831 Added unit tests for sensitive property encryption/decryption.

commit 46a7b1b902672843f10758edbe763dcd35f1ffc7
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T19:11:50Z

    NIFI-1831 Finished logic for sensitive property encryption/decryption.
    Added negative/edge case unit tests for sensitive property encryption/decryption.

commit 2d8ec30adfb6f46e1a4302c0fe074d7b132a3cda
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T19:17:28Z

    NIFI-1831 Excluded additional keys property from self-inclusion to avoid recursive/protection issue.

commit 723523059a1c8fffe90ddbf29a9eb8ac3e2ec32a
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T19:33:20Z

    NIFI-1831 Removed unnecessary duplication of Base64 and Hex encoders as BouncyCastle includes implementations.

commit b81f89fa8bb20d96d4d2ff1a45d15c2271e88ad6
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T19:35:53Z

    NIFI-1831 Removed unnecessary reference to commons-codec from NOTICE files as the duplicate code is removed.

commit 323756119e6841e4b6bab234f793386ea1ce13a5
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T19:36:57Z

    NIFI-1831 Removed unnecessary nifi-properties NOTICE file as the duplicate code is removed.

commit 0798cd12d2712132285284209be51ac40bfd970b
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T21:25:32Z

    NIFI-1831 Fixed tests which were not deterministic (shuffling IV and ciphertext could occasionally result in same value, rendering successful decryption and lacking expected exception).
    Added license to AESSensitivePropertyProviderTest.

commit 7d9c3a8159a4d06d0a96364e87141de10a298e33
Author: Andy LoPresto <[email protected]>
Date:   2016-07-15T23:20:59Z

    NIFI-1831 Added logic to retrieve protected keys and their protection mechanism from properties.
    Added logic to determine percentage of sensitive keys currently protected.
    Added unit tests.
    Added failing unit test for successful transparent retrieval of protected value.

commit 6e817f98b6d0e3408afc98102e1657c239dcc1c0
Author: Andy LoPresto <[email protected]>
Date:   2016-07-18T23:42:03Z

    NIFI-1831 Improved NiFiProperties Javadoc.

commit 86d298c4781294e82b0ea8f04c9595249811b6eb
Author: Andy LoPresto <[email protected]>
Date:   2016-07-18T23:42:57Z

    NIFI-1831 Added accessor method for implementation-specific key to interface and implementation.
    Added unit test.

commit ad0c178796b6674425959032065bdb1e62bea51f
Author: Andy LoPresto <[email protected]>
Date:   2016-07-19T06:35:19Z

    NIFI-1831 Added empty AES SPP constructor and key setter.
    Added unit test to verify key cannot be changed once set.
    Added SPP factory.
    Added unit tests for factory.

commit 9160e2cf4ae9d2c21be7381196af99696b7f66c2
Author: Andy LoPresto <[email protected]>
Date:   2016-07-19T21:47:55Z

    NIFI-1831 Performed minor refactoring and added unit test.

commit 2433f225bb362c6f22476689f348a3858a361d26
Author: Andy LoPresto <[email protected]>
Date:   2016-07-20T01:36:47Z

    NIFI-1831 Implemented logic to unprotect retrieved properties values transparently.
    Refactored AESSensitivePropertyProvider setKey logic out of constructor.
    Changed SensitivePropertyProtectionException to RuntimeException.
    Added internal localProviderCache to NiFiProperties to handle initialization and provider registration.
    Added logic to short-circuit infinite loop on protected property lookup.
    Added unit tests.
    Added test resources.

commit d60b6f8528572ad7c830f0285f4ddcd2c5c2a9f8
Author: Andy LoPresto <[email protected]>
Date:   2016-07-20T03:37:23Z

    NIFI-1831 Added logic to handle malformed AES-protected property values.
    Added unit test.
    Added test resource.

commit 7088aac387fd8ae4a66aca274285d736bcf94b3b
Author: Andy LoPresto <[email protected]>
Date:   2016-07-20T23:37:11Z

    NIFI-1831 Added unit tests for getProperty(key, defaultValue).

commit 97c1a2037636aa3219a230030fa35ec9ae653db9
Author: Andy LoPresto <[email protected]>
Date:   2016-07-21T06:52:50Z

    NIFI-1831 Added necessity checks before instantiating & registering SPP in NiFiProperties.
    Resolved Maven vs. IDE test issues (different JREs with different JCE policies).
    Resolved regression test issues (unnecessary loading of SPP without BC provided).

commit bacb9bda03c8964225ab3a460823cd5ef74c64bd
Author: Andy LoPresto <[email protected]>
Date:   2016-07-21T17:47:42Z

    NIFI-1831 Added capability for external class to set NiFiProperties protection key (once).
    Added unit tests.

commit 606456feaedb2b8f4df69d0e955762d1b7e5a9de
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T01:15:51Z

    NIFI-1831 Added SLF4J test dependency.

commit 7b94b50a079918974855d72547b6c495f4fded85
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T01:19:00Z

    NIFI-1831 Added logic to lazily instantiate the SensitivePropertyProvider in NiFiProperties#getInstance().
    Added logic to get raw property directly for protection keys.
    Added logic to read bootstrap-injected key.
    Added unit tests.

commit c1aee4bfb566c25a0b9b16cd6acf9d6c3fe8478f
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T01:20:27Z

    NIFI-1831 Added logic to inject bootstrap-provided protection key into NiFiProperties on NiFi startup.
    Added regression test for no key provided in args for properties with no protected properties (legacy default).
    Added unit tests.
    Added test resources.

commit 0163870b69a03c18c0b42faf3bfa406dc27b62ba
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T02:38:24Z

    NIFI-1831 Added custom TestAppender to intercept log messages.
    Configured logback-test.xml for NiFiTest.
    Added logic to handle bootstrap-provided key.
    Added logic to format and validate hex keys.
    Added unit tests.

commit 4bf2f76ce40ea9dcf13230a7115299a0b20945ce
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T04:29:28Z

    NIFI-1831 Moved NiFiGroovyTest and associated resources from nifi-jetty module to nifi-runtime.

commit ab0a904e5db2386e45928d47a40683ddb3b24a90
Author: Andy LoPresto <[email protected]>
Date:   2016-07-22T04:30:26Z

    NIFI-1831 Reverted nifi-jetty pom.xml and added Logback dependency with test scope to nifi-runtime pom.xml.

----

