Github user bbende commented on a diff in the pull request: https://github.com/apache/nifi/pull/834#discussion_r75874508 --- Diff: nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy --- @@ -0,0 +1,540 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.properties + +import groovy.io.GroovyPrintWriter +import org.apache.commons.cli.CommandLine +import org.apache.commons.cli.CommandLineParser +import org.apache.commons.cli.DefaultParser +import org.apache.commons.cli.HelpFormatter +import org.apache.commons.cli.Options +import org.apache.commons.cli.ParseException +import org.apache.commons.codec.binary.Hex +import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException +import org.apache.nifi.toolkit.tls.commandLine.ExitCode +import org.apache.nifi.util.NiFiProperties +import org.apache.nifi.util.console.TextDevice +import org.apache.nifi.util.console.TextDevices +import org.bouncycastle.crypto.generators.SCrypt +import org.bouncycastle.jce.provider.BouncyCastleProvider +import org.slf4j.Logger +import org.slf4j.LoggerFactory + +import javax.crypto.Cipher +import java.nio.charset.StandardCharsets +import java.security.KeyException +import java.security.Security + +class ConfigEncryptionTool { + private static final Logger logger = LoggerFactory.getLogger(ConfigEncryptionTool.class) + + public String bootstrapConfPath + public String niFiPropertiesPath + public String outputNiFiPropertiesPath + public String loginIdentityProvidersPath + + private String keyHex + private String password + private NiFiProperties niFiProperties + + private boolean usingPassword = true + + private static final String HELP_ARG = "help" + private static final String BOOTSTRAP_CONF_ARG = "bootstrapConf" + private static final String NIFI_PROPERTIES_ARG = "niFiProperties" + private static final String OUTPUT_NIFI_PROPERTIES_ARG = "outputNiFiProperties" + private static final String KEY_ARG = "key" + private static final String PASSWORD_ARG = "password" + private static final String USE_KEY_ARG = "useRawKey" + + private static final int MIN_PASSWORD_LENGTH = 12 + + // Strong parameters as of 12 Aug 2016 + private static final int SCRYPT_N = 2**16 + private static final int SCRYPT_R = 8 + private static final int SCRYPT_P = 1 + + private static + final String BOOTSTRAP_KEY_COMMENT = "# Master key in hexadecimal format for encrypted sensitive configuration values" + private static final String BOOTSTRAP_KEY_PREFIX = "nifi.bootstrap.sensitive.key=" + private static final String JAVA_HOME = "JAVA_HOME" + private static final String NIFI_TOOLKIT_HOME = "NIFI_TOOLKIT_HOME" + private static final String SEP = System.lineSeparator() + + private static final String FOOTER = buildFooter() + + private static + final String DEFAULT_DESCRIPTION = "This tool reads from a nifi.properties file with plain sensitive configuration values, prompts the user for a master key, and encrypts each value. It will replace the plain value with the protected value in the same file (or write to a new nifi.properties file if specified)." + + private static String buildHeader(String description = DEFAULT_DESCRIPTION) { + "${SEP}${description}${SEP * 2}" + } + + private static String buildFooter() { + "${SEP}Java home: ${System.getenv(JAVA_HOME)}${SEP}NiFi Toolkit home: ${System.getenv(NIFI_TOOLKIT_HOME)}" + } + + private final Options options; + private final String header; + + + public ConfigEncryptionTool() { + this(DEFAULT_DESCRIPTION) + } + + public ConfigEncryptionTool(String description) { + this.header = buildHeader(description) + this.options = new Options() + options.addOption("h", HELP_ARG, false, "Prints this usage message") + options.addOption("n", NIFI_PROPERTIES_ARG, true, "The nifi.properties file containing unprotected config values (will be overwritten)") --- End diff -- The first time I read the usage when I saw that -n said "will be overwritten", I assumed that if I didn't specify -o then it would just overwrite the file specified with -n, but it actually wrote to nifi-toolkit-1.0.0-SNAPSHOT/conf/nifi.properies, maybe just some additional wording?
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---