exceptionfactory commented on code in PR #8151:
URL: https://github.com/apache/nifi/pull/8151#discussion_r1424788213
##########
minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/service/MiNiFiExecCommandProvider.java:
##########
@@ -116,8 +134,14 @@ public List<String> getMiNiFiExecCommand(int listenPort,
File workingDir) throws
systemProperty(BOOTSTRAP_LOG_FILE_EXTENSION,
minifiBootstrapLogFileExtension)
);
- return List.of(javaCommand, javaAdditionalArgs, systemProperties,
List.of(MINIFI_FULLY_QUALIFIED_CLASS_NAME))
- .stream()
+ String sensitiveParameter = null;
+ if (isSensitiveKeyPresent(bootstrapProperties)) {
+ Path sensitiveKeyFile = createSensitiveKeyFile(confDir);
+ writeSensitiveKeyFile(bootstrapProperties, sensitiveKeyFile);
+ sensitiveParameter = "-K " +
sensitiveKeyFile.toFile().getAbsolutePath();
Review Comment:
As mentioned in writing the key, it seems like it one option would be to
pass the path to the bootstrap configuration and having the called process read
the file, instead of creating a new copy of the key in a new file.
##########
minifi/minifi-commons/minifi-commons-utils/src/main/java/org/apache/nifi/minifi/commons/utils/PropertyUtil.java:
##########
@@ -48,4 +62,96 @@ private static Optional<String> getPropertyValue(String
name, Map<?, ?> properti
private static Stream<String> keyPermutations(String name) {
return Stream.of(name, name.replace(DOT, UNDERSCORE),
name.replace(HYPHEN, UNDERSCORE), name.replace(DOT, UNDERSCORE).replace(HYPHEN,
UNDERSCORE)).distinct();
}
+
+ public static String getFormattedKey(String[] args) {
+ String key = null;
+ Optional<String> keyFileLocation = getKeyFileArg(args);
+ if (keyFileLocation.isPresent()) {
+ LOGGER.debug("The bootstrap process provided the {} flag",
KEY_FILE_FLAG);
+ key = getKeyFromKeyFileAndPrune(keyFileLocation.get());
+ }
+
+ // Format the key (check hex validity and remove spaces)
+ return getFormattedKey(key);
+ }
+
+ public static String getFormattedKey(String unformattedKey) {
+ String key = formatHexKey(unformattedKey);
+
+ if (isNotEmpty(key) && !isHexKeyValid(key)) {
+ throw new IllegalArgumentException("The key was not provided in
valid hex format and of the correct length");
+ } else {
+ return key;
+ }
+ }
+
+ private static String formatHexKey(String input) {
+ return Optional.ofNullable(input)
+ .map(String::trim)
+ .filter(PropertyUtil::isNotEmpty)
+ .map(str -> str.replaceAll("[^0-9a-fA-F]", EMPTY).toLowerCase())
+ .orElse(EMPTY);
+ }
+
+ private static boolean isHexKeyValid(String key) {
+ return Optional.ofNullable(key)
+ .map(String::trim)
+ .filter(PropertyUtil::isNotEmpty)
+ .map(__ -> Arrays.asList(128, 196, 256).contains(key.length() * 4)
&& key.matches("^[0-9a-fA-F]*$"))
Review Comment:
The `196` option should be removed for simplicity, and as mentioned in the
Jira issue, this is a good opportunity to remove the `128` option and simplify
support to only 256 bit keys.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-properties-loader/src/main/java/org/apache/nifi/minifi/properties/MiNiFiPropertiesLoader.java:
##########
@@ -0,0 +1,168 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.minifi.properties;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.util.Properties;
+import org.apache.nifi.properties.AesGcmSensitivePropertyProvider;
+import org.apache.nifi.properties.SensitivePropertyProvider;
+import org.apache.nifi.util.NiFiBootstrapUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MiNiFiPropertiesLoader {
+
+ private static final Logger logger =
LoggerFactory.getLogger(MiNiFiPropertiesLoader.class);
+ private static final String DEFAULT_APPLICATION_PROPERTIES_FILE_PATH =
NiFiBootstrapUtils.getDefaultApplicationPropertiesFilePath();
+
+ private NiFiProperties instance;
+ private String keyHex;
+
+ private MiNiFiPropertiesLoader() {
+ }
+
+ /**
+ * Returns an instance of the loader configured with the key.
+ * <p>
+ * <p>
+ * NOTE: This method is used reflectively by the process which starts
MiNiFi
+ * so changes to it must be made in conjunction with that mechanism.</p>
+ *
+ * @param keyHex the key used to encrypt any sensitive properties
+ * @return the configured loader
+ */
+ public static MiNiFiPropertiesLoader withKey(String keyHex) {
+ MiNiFiPropertiesLoader loader = new MiNiFiPropertiesLoader();
+ loader.setKeyHex(keyHex);
+ return loader;
+ }
Review Comment:
This copied helper method seems unnecessary for MiNiFi usage, so recommend
replacing it with a standard constructor, or using the default constructor and
then using the `setKeyHex()` method.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-properties-loader/src/main/java/org/apache/nifi/minifi/properties/ProtectedMiNiFiProperties.java:
##########
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.minifi.properties;
+
+import static java.util.Arrays.asList;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.nifi.minifi.commons.api.MiNiFiProperties;
+import org.apache.nifi.properties.ApplicationPropertiesProtector;
+import org.apache.nifi.properties.ProtectedProperties;
+import org.apache.nifi.properties.SensitivePropertyProtectionException;
+import org.apache.nifi.properties.SensitivePropertyProtector;
+import org.apache.nifi.properties.SensitivePropertyProvider;
+import org.apache.nifi.util.NiFiProperties;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Decorator class for intermediate phase when {@link MiNiFiPropertiesLoader}
loads the
+ * raw properties file and performs unprotection activities before returning a
clean
+ * implementation of {@link NiFiProperties}.
+ * This encapsulates the sensitive property access logic from external
consumers
+ * of {@code NiFiProperties}.
+ */
+public class ProtectedMiNiFiProperties extends NiFiProperties implements
ProtectedProperties<NiFiProperties>,
+ SensitivePropertyProtector<ProtectedMiNiFiProperties, NiFiProperties> {
+ private static final Logger logger =
LoggerFactory.getLogger(ProtectedMiNiFiProperties.class);
+ public static final String ADDITIONAL_SENSITIVE_PROPERTIES_KEY =
"nifi.sensitive.props.additional.keys";
Review Comment:
This appears to be duplicative of the name in
`ProtectedBootstrapProperties`, which should also be removed or renamed.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-runtime/src/main/java/org/apache/nifi/minifi/MiNiFi.java:
##########
@@ -216,12 +221,43 @@ public void run() {
* @param args things which are ignored
*/
public static void main(String[] args) {
- logger.info("Launching MiNiFi...");
+ LOGGER.info("Launching MiNiFi...");
try {
- NiFiProperties niFiProperties =
MultiSourceMinifiProperties.getInstance();
- new MiNiFi(niFiProperties);
+ NiFiProperties properties = getValidatedMiNifiProperties(args);
+ new MiNiFi(properties);
} catch (final Throwable t) {
- logger.error("Failure to launch MiNiFi due to " + t, t);
+ LOGGER.error("Failure to launch MiNiFi due to " + t, t);
+ }
+ }
+
+ protected static NiFiProperties getValidatedMiNifiProperties(String[]
args) {
+ NiFiProperties properties = initializeProperties(args,
createBootstrapClassLoader());
+ properties.validate();
+ return properties;
+ }
+
+ private static NiFiProperties initializeProperties(final String[] args,
final ClassLoader boostrapLoader) {
+ ClassLoader contextClassLoader =
Thread.currentThread().getContextClassLoader();
+ String key = getFormattedKey(args);
+
+ Thread.currentThread().setContextClassLoader(boostrapLoader);
+
+ try {
+ Class<?> propsLoaderClass =
Class.forName("org.apache.nifi.minifi.properties.MiNiFiPropertiesLoader", true,
boostrapLoader);
+ Method withKeyMethod = propsLoaderClass.getMethod("withKey",
String.class);
+ Object loaderInstance = withKeyMethod.invoke(null, key);
Review Comment:
Is this approach necessary for MiNiFI? The reflection construct is required
for NiFi, but it would be helpful to know if it is required for MiNiFi or
whether this can be simplified.
##########
minifi/minifi-toolkit/minifi-toolkit-encrypt-config/src/main/java/org/apache/nifi/minifi/toolkit/config/command/MiNiFiEncryptConfig.java:
##########
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.minifi.toolkit.config.command;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.security.SecureRandom;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.nifi.minifi.properties.BootstrapProperties;
+import org.apache.nifi.minifi.properties.BootstrapPropertiesLoader;
+import org.apache.nifi.minifi.properties.ProtectedBootstrapProperties;
+import
org.apache.nifi.minifi.toolkit.config.transformer.ApplicationPropertiesFileTransformer;
+import
org.apache.nifi.minifi.toolkit.config.transformer.BootstrapConfigurationFileTransformer;
+import org.apache.nifi.minifi.toolkit.config.transformer.FileTransformer;
+import org.apache.nifi.properties.AesGcmSensitivePropertyProvider;
+import org.apache.nifi.properties.SensitivePropertyProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+/**
+ * Shared Encrypt Configuration for NiFi and NiFi Registry
+ */
+@Command(
+ name = "encrypt-config",
+ sortOptions = false,
+ mixinStandardHelpOptions = true,
+ usageHelpWidth = 160,
+ separator = " ",
+ version = {
+ "Java ${java.version} (${java.vendor} ${java.vm.name}
${java.vm.version})"
+ },
+ descriptionHeading = "Description: ",
+ description = {
+ "encrypt-config supports protection of sensitive values in
Apache MiNiFi"
+ }
+)
+public class MiNiFiEncryptConfig implements Runnable{
+
+ static final String BOOTSTRAP_ROOT_KEY_PROPERTY =
"minifi.bootstrap.sensitive.key";
+
+ private static final String WORKING_FILE_NAME_FORMAT = "%s.%d.working";
+ private static final int KEY_LENGTH = 32;
+
+ @Option(
+ names = {"-b", "--bootstrapConf"},
+ description = "Path to file containing Bootstrap Configuration
[bootstrap.conf] for optional root key and property protection scheme settings"
+ )
+ Path bootstrapConfPath;
+
+ @Option(
+ names = {"-B", "--outputBootstrapConf"},
+ description = "Path to output file for Bootstrap Configuration
[bootstrap.conf] with root key configured"
+ )
+ Path outputBootstrapConf;
+
+ protected final Logger logger = LoggerFactory.getLogger(getClass());
+
+ @Override
+ public void run() {
+ processBootstrapConf();
+ }
+
+ /**
+ * Process bootstrap.conf writing new Root Key to specified Root Key
Property when bootstrap.conf is specified
+ *
+ */
+ protected void processBootstrapConf() {
+ BootstrapProperties unprotectedProperties =
BootstrapPropertiesLoader.load(bootstrapConfPath.toFile());
Review Comment:
After the initial encryption process, it looks like running the command
again would encrypt the already-encrypted values, rendering the configuration
unusable. One option would be to read the existing key from bootstrap.conf if
found. The other option would be to throw an error if encrypted values are
already found.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-runtime/pom.xml:
##########
@@ -76,5 +77,11 @@ limitations under the License.
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
+
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <scope>test</scope>
+ </dependency>
Review Comment:
Logback should not be used as a test dependency. If logging is required in
tests, `slf4j-simple` prints to the console. Is there any reason to include
Logback in this module for testing?
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-properties-loader/pom.xml:
##########
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.nifi.minifi</groupId>
+ <artifactId>minifi-framework</artifactId>
+ <version>2.0.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>minifi-properties-loader</artifactId>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-property-protection-loader</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-property-protection-factory</artifactId>
Review Comment:
This library is capable of loading all possible providers, but as the goal
appears to be supporting only the AES-GCM Cipher option, this is an opportunity
to avoid the additional dependencies and provide factory implementations for
MiNiFi that support only AES-GCM.
##########
minifi/minifi-commons/minifi-commons-utils/src/main/java/org/apache/nifi/minifi/commons/utils/PropertyUtil.java:
##########
@@ -48,4 +62,96 @@ private static Optional<String> getPropertyValue(String
name, Map<?, ?> properti
private static Stream<String> keyPermutations(String name) {
return Stream.of(name, name.replace(DOT, UNDERSCORE),
name.replace(HYPHEN, UNDERSCORE), name.replace(DOT, UNDERSCORE).replace(HYPHEN,
UNDERSCORE)).distinct();
}
+
+ public static String getFormattedKey(String[] args) {
Review Comment:
This methods seem too specific for this generalized `PropertyUtil` class.
Although some of these methods may not be necessary depending on the final
implementation, if they are kept, recommend moving them to a more specific
utility class, such as SensitivePropertyUtils or similar.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-properties-loader/src/main/java/org/apache/nifi/minifi/properties/ProtectedBootstrapProperties.java:
##########
@@ -0,0 +1,135 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.minifi.properties;
+
+import static
org.apache.nifi.minifi.properties.ProtectedMiNiFiProperties.DEFAULT_SENSITIVE_PROPERTIES;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.nifi.minifi.commons.api.MiNiFiProperties;
+import org.apache.nifi.properties.ApplicationPropertiesProtector;
+import org.apache.nifi.properties.ProtectedProperties;
+import org.apache.nifi.properties.SensitivePropertyProtectionException;
+import org.apache.nifi.properties.SensitivePropertyProtector;
+import org.apache.nifi.properties.SensitivePropertyProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ProtectedBootstrapProperties extends BootstrapProperties
implements ProtectedProperties<BootstrapProperties>,
+ SensitivePropertyProtector<ProtectedBootstrapProperties,
BootstrapProperties> {
+
+ private static final Logger logger =
LoggerFactory.getLogger(ProtectedBootstrapProperties.class);
+
+ private BootstrapProperties bootstrapProperties;
+
+ private final SensitivePropertyProtector<ProtectedBootstrapProperties,
BootstrapProperties> propertyProtectionDelegate;
+
+ public static final String ADDITIONAL_SENSITIVE_PROPERTIES_KEY =
"nifi.sensitive.props.additional.keys";
Review Comment:
This appears to be specific to NiFi, as opposed to MiNiFi, should it be
removed or changed?
##########
minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/service/MiNiFiExecCommandProvider.java:
##########
@@ -159,15 +183,58 @@ private String buildClassPath(File confDir, File libDir) {
.collect(joining(File.pathSeparator));
}
- private List<String> getJavaAdditionalArgs(Properties props) {
- return props.entrySet()
+ private List<String> getJavaAdditionalArgs(BootstrapProperties props) {
+ return props.getPropertyKeys()
.stream()
- .filter(entry -> ((String)
entry.getKey()).startsWith(JAVA_ARG_KEY_PREFIX))
- .map(entry -> (String) entry.getValue())
+ .filter(entry -> entry.startsWith(JAVA_ARG_KEY_PREFIX))
+ .map(props::getProperty)
.toList();
}
private String systemProperty(String key, Object value) {
return String.format(SYSTEM_PROPERTY_TEMPLATE, key, value);
}
+
+ private boolean isSensitiveKeyPresent(BootstrapProperties
bootstrapProperties) {
+ return bootstrapProperties.containsKey(MINIFI_BOOTSTRAP_SENSITIVE_KEY)
&&
!StringUtils.isBlank(bootstrapProperties.getProperty(MINIFI_BOOTSTRAP_SENSITIVE_KEY));
+ }
+
+ private Path createSensitiveKeyFile(File confDir) {
Review Comment:
Is there a reason for writing out the sensitive key value to a new file as
opposed to having the new process read the key from the bootstrap configuration
itself? Although NiFi bootstrap has done some similar things with other values,
this is not an optimal approach as it makes additional copies on the file
system. This is one example of an approach where some additional consideration
is worthwhile to implement a better solution.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-runtime/src/main/java/org/apache/nifi/minifi/MiNiFi.java:
##########
@@ -45,7 +49,8 @@
public class MiNiFi {
- private static final Logger logger = LoggerFactory.getLogger(MiNiFi.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(MiNiFi.class);
Review Comment:
Although the repository is not completely consistent, recommend leaving this
lowercase name of `logger` unchanged.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-runtime/src/main/java/org/apache/nifi/minifi/util/ClassLoaderUtil.java:
##########
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.minifi.util;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Util for creating class loader with bootstrap libs.
+ */
+public final class ClassLoaderUtil {
Review Comment:
It seems better to name this more specifically to
`BootstrapClassLoaderUtils`.
##########
minifi/minifi-toolkit/minifi-toolkit-assembly/README.md:
##########
@@ -60,6 +61,87 @@ After downloading the binary and extracting it, to run the
MiNiFi Toolkit Conver
## Note
It's not guaranteed in all circumstances that the migration will result in a
correct flow. For example if a processor's configuration has changed between
version, the conversion tool won't be aware of this, and will use the
deprecated property names. You will need to fix such issues manually.
+# <a id="encrypt-sensitive-properties-in-bootstrapconf"
href="#encrypt-sensitive-properties-in-bootstrapconf">Encrypting Sensitive
Properties in bootstrap.conf</a>
+
+## MiNiFi Encrypt-Config Tool
+The encrypt-config command line tool (invoked in minifi-toolkit as
./bin/encrypt-config.sh or bin\encrypt-config.bat) reads from a bootstrap.conf
file with plaintext sensitive configuration values, prompts for a root password
or raw hexadecimal key, and encrypts each value. It replaces the plain values
with the protected value in the same file, or writes to a new bootstrap.conf
file if specified.
+
+The supported encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is
used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are
not installed, and 256-bit is used if they are installed.
+
Review Comment:
All modern versions of Java included unlimited strength cryptography, so the
second sentence can be removed, and the first should be shortened to reference
only AES/GCM 256.
##########
minifi/minifi-toolkit/minifi-toolkit-encrypt-config/src/main/java/org/apache/nifi/minifi/toolkit/config/command/MiNiFiEncryptConfig.java:
##########
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.minifi.toolkit.config.command;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.security.SecureRandom;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import org.apache.commons.codec.binary.Hex;
Review Comment:
Instead of using Commons Codec, the Java
[HexFormat](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/HexFormat.html)
class can be used.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/minifi-framework/minifi-properties-loader/src/main/java/org/apache/nifi/minifi/properties/ProtectedMiNiFiProperties.java:
##########
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.minifi.properties;
+
+import static java.util.Arrays.asList;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.nifi.minifi.commons.api.MiNiFiProperties;
+import org.apache.nifi.properties.ApplicationPropertiesProtector;
+import org.apache.nifi.properties.ProtectedProperties;
+import org.apache.nifi.properties.SensitivePropertyProtectionException;
+import org.apache.nifi.properties.SensitivePropertyProtector;
+import org.apache.nifi.properties.SensitivePropertyProvider;
+import org.apache.nifi.util.NiFiProperties;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Decorator class for intermediate phase when {@link MiNiFiPropertiesLoader}
loads the
+ * raw properties file and performs unprotection activities before returning a
clean
+ * implementation of {@link NiFiProperties}.
+ * This encapsulates the sensitive property access logic from external
consumers
+ * of {@code NiFiProperties}.
+ */
+public class ProtectedMiNiFiProperties extends NiFiProperties implements
ProtectedProperties<NiFiProperties>,
+ SensitivePropertyProtector<ProtectedMiNiFiProperties, NiFiProperties> {
+ private static final Logger logger =
LoggerFactory.getLogger(ProtectedMiNiFiProperties.class);
+ public static final String ADDITIONAL_SENSITIVE_PROPERTIES_KEY =
"nifi.sensitive.props.additional.keys";
+ public static final List<String> DEFAULT_SENSITIVE_PROPERTIES = new
ArrayList<>(asList(
+ SECURITY_KEY_PASSWD,
+ SECURITY_KEYSTORE_PASSWD,
+ SECURITY_TRUSTSTORE_PASSWD,
+ SENSITIVE_PROPS_KEY,
+ REPOSITORY_ENCRYPTION_KEY_PROVIDER_KEYSTORE_PASSWORD,
+ SECURITY_USER_OIDC_CLIENT_SECRET
Review Comment:
Many of these values are specific to NiFi and need to be removed or
re-evaluated.
##########
minifi/minifi-toolkit/minifi-toolkit-assembly/README.md:
##########
@@ -60,6 +61,87 @@ After downloading the binary and extracting it, to run the
MiNiFi Toolkit Conver
## Note
It's not guaranteed in all circumstances that the migration will result in a
correct flow. For example if a processor's configuration has changed between
version, the conversion tool won't be aware of this, and will use the
deprecated property names. You will need to fix such issues manually.
+# <a id="encrypt-sensitive-properties-in-bootstrapconf"
href="#encrypt-sensitive-properties-in-bootstrapconf">Encrypting Sensitive
Properties in bootstrap.conf</a>
+
+## MiNiFi Encrypt-Config Tool
+The encrypt-config command line tool (invoked in minifi-toolkit as
./bin/encrypt-config.sh or bin\encrypt-config.bat) reads from a bootstrap.conf
file with plaintext sensitive configuration values, prompts for a root password
or raw hexadecimal key, and encrypts each value. It replaces the plain values
with the protected value in the same file, or writes to a new bootstrap.conf
file if specified.
Review Comment:
The implementation appears to generated a random key, as opposed to
prompting, so it looks like the description needs to be updated.
##########
minifi/minifi-nar-bundles/minifi-framework-bundle/pom.xml:
##########
@@ -80,6 +80,21 @@ limitations under the License.
<version>2.0.0-SNAPSHOT</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-property-protection-factory</artifactId>
Review Comment:
See other note on whether this library is required, or whether an
alternative simplified version would work better.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
