exceptionfactory commented on a change in pull request #5255: URL: https://github.com/apache/nifi/pull/5255#discussion_r680962075
########## File path: nifi-commons/nifi-sensitive-property-provider/src/main/java/org/apache/nifi/properties/HashiCorpVaultKeyValueSensitivePropertyProvider.java ########## @@ -0,0 +1,90 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.properties; + +import org.apache.commons.lang3.StringUtils; + +import java.util.Objects; + +/** + * Uses the HashiCorp Vault Key/Value (unversioned) Secrets Engine to store sensitive values. + */ +public class HashiCorpVaultKeyValueSensitivePropertyProvider extends AbstractHashiCorpVaultSensitivePropertyProvider { + + private static final String KEY_VALUE_PATH = "vault.kv.path"; + + HashiCorpVaultKeyValueSensitivePropertyProvider(final BootstrapProperties bootstrapProperties) { + super(bootstrapProperties); + } + + @Override + protected String getSecretsEnginePath(final BootstrapProperties vaultBootstrapProperties) { + if (vaultBootstrapProperties == null) { + return null; + } + final String kvPath = vaultBootstrapProperties.getProperty(KEY_VALUE_PATH); + // Validate transit path + try { + PropertyProtectionScheme.fromIdentifier(getProtectionScheme().getIdentifier(kvPath)); + } catch (IllegalArgumentException e) { + throw new SensitivePropertyProtectionException(String.format("%s [%s] contains unsupported characters", KEY_VALUE_PATH, kvPath), e); + } + + return kvPath; + } + + @Override + protected PropertyProtectionScheme getProtectionScheme() { + return PropertyProtectionScheme.HASHICORP_VAULT_KV; + } + + /** + * Stores the sensitive value in Vault and returns a description of the secret. + * + * @param unprotectedValue the sensitive value + * @param context The property context, unused in this provider + * @return the value to persist in the {@code nifi.properties} file + * @throws SensitivePropertyProtectionException if there is an exception writing the secret + */ + @Override + public String protect(final String unprotectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException { + if (StringUtils.isBlank(unprotectedValue)) { + throw new IllegalArgumentException("Cannot protect an empty value"); + } + Objects.requireNonNull(context, "Context is required to protect a value"); + + getVaultCommunicationService().writeKeyValueSecret(getPath(), context.getContextKey(), unprotectedValue); + return String.format("Protected by [%s] at [%s/%s]", getName(), getPath(), context.getContextKey()); Review comment: Although this provides a clear explanation, it seems more verbose than necessary given that the `protected` sibling property describes the protection scheme. What do you think about changing this to just the Vault path and context key along the following lines? ```suggestion return String.format("%s/%s", getPath(), context.getContextKey()); ``` ########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf ########## @@ -66,6 +66,21 @@ nifi.bootstrap.protection.hashicorp.vault.conf=./conf/bootstrap-hashicorp-vault. # AWS KMS Sensitive Property Providers nifi.bootstrap.protection.aws.kms.conf=./conf/bootstrap-aws.conf +# Note: the following mapping properties only apply if a Sensitive Property Provider that uses property contexts +# is configured. Otherwise, these values are ignored. +# +# If no nifi.bootstrap.protection.context.mapping.* properties are provided, the context for protected +# properties uses a 'default' context, as in "default/Manager Password". Properties in nifi.properties are always +# assigned this context, but there is a possibility of naming conflicts among the other configuration files. +# +# To create separate contexts for properties, you may provide context mappings in the format: +# nifi.bootstrap.protection.context.mapping.<contextName>=<identifier matching regex> +# With the following configuration, for example, any property named "Manager Password" located inside +# a block whose <identifier> starts with "ldap-" will be mapped to the context named "ldap/Manager Password", +# regardless of whether it resides in authorizers.xml or login-identity-providers.xml. +# +# nifi.bootstrap.protection.context.mapping.ldap=ldap-.* Review comment: These details and example are helpful, but it seems like it would be better to include in the Admin Guide as opposed to configuration file comments. Perhaps just a line or two mentioning that NiFi uses the `default` context when the bootstrap configuration does not include additional mappings. With a new section in the Admin Guide, the comment could also mention something along the lines of: See Administrator's Guide section on Context Mapping for Sensitive Properties Providers for more details. ########## File path: nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java ########## @@ -61,12 +70,56 @@ public StandardHashiCorpVaultCommunicationService(final HashiCorpVaultProperties } @Override - public String encrypt(final String transitKey, final byte[] plainText) { - return transitOperations.encrypt(transitKey, Plaintext.of(plainText)).getCiphertext(); + public String encrypt(final String transitPath, final byte[] plainText) { + return transitOperations.encrypt(transitPath, Plaintext.of(plainText)).getCiphertext(); + } + + @Override + public byte[] decrypt(final String transitPath, final String cipherText) { + return transitOperations.decrypt(transitPath, Ciphertext.of(cipherText)).getPlaintext(); + } + + /** + * Writes the value to the "value" key of the secret with the path [keyValuePath]/[key]. + * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine + * @param key The secret key + * @param value The secret value + */ + @Override + public void writeKeyValueSecret(final String keyValuePath, final String key, final String value) { + final VaultKeyValueOperations keyValueOperations = keyValueOperationsMap + .computeIfAbsent(keyValuePath, path -> vaultTemplate.opsForKeyValue(path, KV_1)); + keyValueOperations.put(key, new SecretData(value)); } + /** + * Returns the value of the "value" key from the secret at the path [keyValuePath]/[key]. + * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine + * @param key The secret key + * @return The value of the secret + */ @Override - public byte[] decrypt(final String transitKey, final String cipherText) { - return transitOperations.decrypt(transitKey, Ciphertext.of(cipherText)).getPlaintext(); + public Optional<String> readKeyValueSecret(final String keyValuePath, final String key) { + final VaultKeyValueOperations keyValueOperations = keyValueOperationsMap + .computeIfAbsent(keyValuePath, path -> vaultTemplate.opsForKeyValue(path, KV_1)); + final VaultResponseSupport<SecretData> response = keyValueOperations.get(key, SecretData.class); + return response == null ? Optional.empty() : Optional.ofNullable(response.getRequiredData().getValue()); + } + + private static class SecretData { + private final String value; + + // required for Jackson deserialization + private SecretData() { + value = null; + } Review comment: Is it worth replacing this specialized constructor with a Jackson annotation on the constructor with the `value` argument, or using this constructor and adding a set method instead? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
