exceptionfactory commented on a change in pull request #4809: URL: https://github.com/apache/nifi/pull/4809#discussion_r573093470
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/encrypt/PasswordBasedCipherPropertyEncryptorTest.java ########## @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.binary.Hex; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.PBECipherProvider; +import org.junit.Before; +import org.junit.Test; + +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +public class PasswordBasedCipherPropertyEncryptorTest { + private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8; + + private static final String PROPERTY = String.class.getName(); + + private static final int ENCRYPTED_BINARY_LENGTH = 48; + + @SuppressWarnings("deprecation") + private static final PBECipherProvider CIPHER_PROVIDER = new org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider(); + + private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.MD5_256AES; + + private static final String PASSWORD = String.class.getName(); + + private PasswordBasedCipherPropertyEncryptor encryptor; + + @Before + public void setUp() { + encryptor = new PasswordBasedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, PASSWORD); + } + + @Test + public void testEncryptDecrypt() { + final String encrypted = encryptor.encrypt(PROPERTY); + final String decrypted = encryptor.decrypt(encrypted); + assertEquals(PROPERTY, decrypted); + } + + @Test + public void testEncryptHexadecimalEncoded() throws DecoderException { + final String encrypted = encryptor.encrypt(PROPERTY); + final byte[] decoded = Hex.decodeHex(encrypted); + assertEquals(ENCRYPTED_BINARY_LENGTH, decoded.length); + } + + @Test + public void testDecryptEncryptionException() { + final String encodedProperty = Hex.encodeHexString(PROPERTY.getBytes(DEFAULT_CHARSET)); + assertThrows(EncryptionException.class, () -> encryptor.decrypt(encodedProperty)); + } + + @Test + public void testEqualsHashCode() { + final PasswordBasedCipherPropertyEncryptor equivalentEncryptor = new PasswordBasedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, PASSWORD); + assertTrue(encryptor.equals(equivalentEncryptor)); + assertEquals(encryptor.hashCode(), equivalentEncryptor.hashCode()); + } + + @Test + public void testEqualsHashCodeDifferentPassword() { + final PasswordBasedCipherPropertyEncryptor differentEncryptor = new PasswordBasedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, String.class.getSimpleName()); + assertFalse(encryptor.equals(differentEncryptor)); Review comment: Will make the change as described. ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/encrypt/KeyedCipherPropertyEncryptor.java ########## @@ -0,0 +1,160 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.nifi.security.kms.CryptoUtils; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.KeyedCipherProvider; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.SecretKey; +import java.security.SecureRandom; +import java.util.Arrays; +import java.util.Objects; + +/** + * Property Encryptor implementation using Keyed Cipher Provider + */ +class KeyedCipherPropertyEncryptor extends CipherPropertyEncryptor { + private static final int INITIALIZATION_VECTOR_LENGTH = 16; + + private static final int ARRAY_START = 0; + + private static final boolean ENCRYPT = true; + + private static final boolean DECRYPT = false; + + private final SecureRandom secureRandom; + + private final KeyedCipherProvider cipherProvider; + + private final EncryptionMethod encryptionMethod; + + private final SecretKey secretKey; + + protected KeyedCipherPropertyEncryptor(final KeyedCipherProvider cipherProvider, + final EncryptionMethod encryptionMethod, + final SecretKey secretKey) { + this.cipherProvider = cipherProvider; + this.encryptionMethod = encryptionMethod; + this.secretKey = secretKey; + this.secureRandom = new SecureRandom(); + } + + /** + * Encrypt binary and return enciphered binary prefixed with initialization vector + * + * @param binary Binary to be encrypted + * @return Enciphered binary prefixed with initialization vector + */ + @Override + protected byte[] encrypt(final byte[] binary) { + final byte[] initializationVector = createInitializationVector(); + final Cipher cipher = getCipher(initializationVector, ENCRYPT); + try { + final byte[] encrypted = cipher.doFinal(binary); + return CryptoUtils.concatByteArrays(initializationVector, encrypted); + } catch (final BadPaddingException | IllegalBlockSizeException e) { + final String message = String.format("Encryption Failed with Algorithm [%s]", cipher.getAlgorithm()); + throw new EncryptionException(message, e); + } Review comment: This method implementation is slightly different from `PasswordBasedCipherPropertyEncryptor` in that the `Keyed` implementation uses an initialization vector whereas the `PasswordBased` implementation uses a salt. It is possible to name the reading of the parameter binary information more generically, which would allow removing this duplicated block. ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/encrypt/KeyedCipherPropertyEncryptorTest.java ########## @@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.binary.Hex; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider; +import org.apache.nifi.security.util.crypto.KeyedCipherProvider; +import org.apache.nifi.util.StringUtils; +import org.junit.Before; +import org.junit.Test; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertThrows; + +public class KeyedCipherPropertyEncryptorTest { + private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8; + + private static final String PROPERTY = String.class.getName(); + + private static final int ENCRYPTED_BINARY_LENGTH = 48; + + private static final KeyedCipherProvider CIPHER_PROVIDER = new AESKeyedCipherProvider(); + + private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.AES_GCM; + + private static final String KEY_ALGORITHM = "AES"; + + private static final byte[] STATIC_KEY = StringUtils.repeat("KEY", 8).getBytes(DEFAULT_CHARSET); + + private static final SecretKey SECRET_KEY = new SecretKeySpec(STATIC_KEY, KEY_ALGORITHM); + + private static final SecretKey INVALID_SECRET_KEY = new SecretKeySpec(KEY_ALGORITHM.getBytes(DEFAULT_CHARSET), KEY_ALGORITHM); + + private KeyedCipherPropertyEncryptor encryptor; + + @Before + public void setUp() { + encryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, SECRET_KEY); + } + + @Test + public void testEncryptDecrypt() { + final String encrypted = encryptor.encrypt(PROPERTY); + final String decrypted = encryptor.decrypt(encrypted); + assertEquals(PROPERTY, decrypted); + } + + @Test + public void testEncryptHexadecimalEncoded() throws DecoderException { + final String encrypted = encryptor.encrypt(PROPERTY); + final byte[] decoded = Hex.decodeHex(encrypted); + assertEquals(ENCRYPTED_BINARY_LENGTH, decoded.length); + } + + @Test + public void testDecryptEncryptionException() { + final String encodedProperty = Hex.encodeHexString(PROPERTY.getBytes(DEFAULT_CHARSET)); + assertThrows(EncryptionException.class, () -> encryptor.decrypt(encodedProperty)); + } + + @Test + public void testGetCipherEncryptionException() { + encryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, INVALID_SECRET_KEY); + assertThrows(EncryptionException.class, () -> encryptor.encrypt(PROPERTY)); + } + + @Test + public void testEqualsHashCode() { + final KeyedCipherPropertyEncryptor equivalentEncryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, SECRET_KEY); + assertTrue(encryptor.equals(equivalentEncryptor)); + assertEquals(encryptor.hashCode(), equivalentEncryptor.hashCode()); + } + + @Test + public void testEqualsHashCodeDifferentSecretKey() { + final SecretKey secretKey = new SecretKeySpec(String.class.getSimpleName().getBytes(StandardCharsets.UTF_8), KEY_ALGORITHM); + final KeyedCipherPropertyEncryptor differentEncryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, secretKey); + assertFalse(encryptor.equals(differentEncryptor)); Review comment: As above, the purpose was to call `equals()` explicitly, but will make this change as well. ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/encrypt/KeyedCipherPropertyEncryptorTest.java ########## @@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.binary.Hex; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider; +import org.apache.nifi.security.util.crypto.KeyedCipherProvider; +import org.apache.nifi.util.StringUtils; +import org.junit.Before; +import org.junit.Test; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertThrows; + +public class KeyedCipherPropertyEncryptorTest { + private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8; + + private static final String PROPERTY = String.class.getName(); + + private static final int ENCRYPTED_BINARY_LENGTH = 48; + + private static final KeyedCipherProvider CIPHER_PROVIDER = new AESKeyedCipherProvider(); + + private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.AES_GCM; + + private static final String KEY_ALGORITHM = "AES"; + + private static final byte[] STATIC_KEY = StringUtils.repeat("KEY", 8).getBytes(DEFAULT_CHARSET); + + private static final SecretKey SECRET_KEY = new SecretKeySpec(STATIC_KEY, KEY_ALGORITHM); + + private static final SecretKey INVALID_SECRET_KEY = new SecretKeySpec(KEY_ALGORITHM.getBytes(DEFAULT_CHARSET), KEY_ALGORITHM); + + private KeyedCipherPropertyEncryptor encryptor; + + @Before + public void setUp() { + encryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, SECRET_KEY); + } + + @Test + public void testEncryptDecrypt() { + final String encrypted = encryptor.encrypt(PROPERTY); + final String decrypted = encryptor.decrypt(encrypted); + assertEquals(PROPERTY, decrypted); + } + + @Test + public void testEncryptHexadecimalEncoded() throws DecoderException { + final String encrypted = encryptor.encrypt(PROPERTY); + final byte[] decoded = Hex.decodeHex(encrypted); + assertEquals(ENCRYPTED_BINARY_LENGTH, decoded.length); + } + + @Test + public void testDecryptEncryptionException() { + final String encodedProperty = Hex.encodeHexString(PROPERTY.getBytes(DEFAULT_CHARSET)); + assertThrows(EncryptionException.class, () -> encryptor.decrypt(encodedProperty)); + } + + @Test + public void testGetCipherEncryptionException() { + encryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, INVALID_SECRET_KEY); + assertThrows(EncryptionException.class, () -> encryptor.encrypt(PROPERTY)); + } + + @Test + public void testEqualsHashCode() { + final KeyedCipherPropertyEncryptor equivalentEncryptor = new KeyedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, SECRET_KEY); + assertTrue(encryptor.equals(equivalentEncryptor)); Review comment: The purpose of this approach was to call the `equals()` method explicitly, but using `assertEquals` does provide better semantics, so will make the adjustment. ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java ########## @@ -0,0 +1,72 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.KeyDerivationFunction; + +/** + * Property Encryption Method enumerates supported values in addition to {@link org.apache.nifi.security.util.EncryptionMethod} + */ +enum PropertyEncryptionMethod { + NIFI_ARGON2_AES_GCM_128(KeyDerivationFunction.ARGON2, EncryptionMethod.AES_GCM,128), + + NIFI_ARGON2_AES_GCM_256(KeyDerivationFunction.ARGON2, EncryptionMethod.AES_GCM, 256), + + NIFI_PBKDF2_AES_GCM_128(KeyDerivationFunction.PBKDF2, EncryptionMethod.AES_GCM, 128), + + NIFI_PBKDF2_AES_GCM_256(KeyDerivationFunction.PBKDF2, EncryptionMethod.AES_GCM, 256), + + NIFI_SCRYPT_AES_GCM_128(KeyDerivationFunction.SCRYPT, EncryptionMethod.AES_GCM, 128), + + NIFI_SCRYPT_AES_GCM_256(KeyDerivationFunction.SCRYPT, EncryptionMethod.AES_GCM, 256); + + private static final int HASH_LENGTH_DIVISOR = 8; + + private KeyDerivationFunction keyDerivationFunction; + + private EncryptionMethod encryptionMethod; + + private int keyLength; + + private int hashLength; Review comment: That makes sense given that this is an enum. ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/test/java/org/apache/nifi/encrypt/PasswordBasedCipherPropertyEncryptorTest.java ########## @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.encrypt; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.binary.Hex; +import org.apache.nifi.security.util.EncryptionMethod; +import org.apache.nifi.security.util.crypto.PBECipherProvider; +import org.junit.Before; +import org.junit.Test; + +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +public class PasswordBasedCipherPropertyEncryptorTest { + private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8; + + private static final String PROPERTY = String.class.getName(); + + private static final int ENCRYPTED_BINARY_LENGTH = 48; + + @SuppressWarnings("deprecation") + private static final PBECipherProvider CIPHER_PROVIDER = new org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider(); + + private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.MD5_256AES; + + private static final String PASSWORD = String.class.getName(); + + private PasswordBasedCipherPropertyEncryptor encryptor; + + @Before + public void setUp() { + encryptor = new PasswordBasedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, PASSWORD); + } + + @Test + public void testEncryptDecrypt() { + final String encrypted = encryptor.encrypt(PROPERTY); + final String decrypted = encryptor.decrypt(encrypted); + assertEquals(PROPERTY, decrypted); + } + + @Test + public void testEncryptHexadecimalEncoded() throws DecoderException { + final String encrypted = encryptor.encrypt(PROPERTY); + final byte[] decoded = Hex.decodeHex(encrypted); + assertEquals(ENCRYPTED_BINARY_LENGTH, decoded.length); + } + + @Test + public void testDecryptEncryptionException() { + final String encodedProperty = Hex.encodeHexString(PROPERTY.getBytes(DEFAULT_CHARSET)); + assertThrows(EncryptionException.class, () -> encryptor.decrypt(encodedProperty)); + } + + @Test + public void testEqualsHashCode() { + final PasswordBasedCipherPropertyEncryptor equivalentEncryptor = new PasswordBasedCipherPropertyEncryptor(CIPHER_PROVIDER, ENCRYPTION_METHOD, PASSWORD); + assertTrue(encryptor.equals(equivalentEncryptor)); Review comment: Will make the change as described. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
