[jira] [Commented] (NIFIREG-61) Add support for encrypted properties in configuration files

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFIREG-61?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16293438#comment-16293438
 ] 

ASF GitHub Bot commented on NIFIREG-61:
---------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi-registry/pull/51#discussion_r157324448
  
    --- Diff: 
nifi-registry-properties/src/main/java/org/apache/nifi/registry/security/crypto/CryptoKeyLoader.java
 ---
    @@ -0,0 +1,87 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.nifi.registry.security.crypto;
    +
    +import org.apache.commons.lang3.StringUtils;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.io.File;
    +import java.io.IOException;
    +import java.nio.file.Files;
    +import java.nio.file.Paths;
    +import java.util.Optional;
    +import java.util.stream.Stream;
    +
    +public class CryptoKeyLoader {
    +
    +    private static final Logger logger = 
LoggerFactory.getLogger(CryptoKeyLoader.class);
    +
    +    private static final String BOOTSTRAP_KEY_PREFIX = 
"nifi.registry.bootstrap.sensitive.key=";
    +
    +    /**
    +     * Returns the key (if any) used to encrypt sensitive properties.
    +     * The key extracted from the bootstrap.conf file at the specified 
location.
    +     *
    +     * @param bootstrapPath the path to the bootstrap file
    +     * @return the key in hexadecimal format, or {@link 
CryptoKeyProvider#EMPTY_KEY} if the key is null or empty
    +     * @throws IOException if the file is not readable
    +     */
    +    public static String extractKeyFromBootstrapFile(String bootstrapPath) 
throws IOException {
    +        File bootstrapFile;
    +        if (StringUtils.isBlank(bootstrapPath)) {
    +            logger.error("Cannot read from bootstrap.conf file to extract 
encryption key; location not specified");
    +            throw new IOException("Cannot read from bootstrap.conf without 
file location");
    +        } else {
    +            bootstrapFile = new File(bootstrapPath);
    +        }
    +
    +        String keyValue;
    +        if (bootstrapFile.exists() && bootstrapFile.canRead()) {
    +            try (Stream<String> stream = 
Files.lines(Paths.get(bootstrapFile.getAbsolutePath()))) {
    +                Optional<String> keyLine = stream.filter(l -> 
l.startsWith(BOOTSTRAP_KEY_PREFIX)).findFirst();
    +                if (keyLine.isPresent()) {
    +                    keyValue = keyLine.get().split("=", 2)[1];
    +                    keyValue = checkHexKey(keyValue);
    +                } else {
    +                    keyValue = CryptoKeyProvider.EMPTY_KEY;
    +                }
    +            } catch (IOException e) {
    +                logger.error("Cannot read from bootstrap.conf file at {} 
to extract encryption key", bootstrapFile.getAbsolutePath());
    +                throw new IOException("Cannot read from bootstrap.conf", 
e);
    +            }
    +        } else {
    +            logger.error("Cannot read from bootstrap.conf file at {} to 
extract encryption key -- file is missing or permissions are incorrect", 
bootstrapFile.getAbsolutePath());
    +            throw new IOException("Cannot read from bootstrap.conf");
    +        }
    +
    +        if (CryptoKeyProvider.EMPTY_KEY.equals(keyValue)) {
    +            logger.warn("No encryption key present in the bootstrap.conf 
file at {}", bootstrapFile.getAbsolutePath());
    --- End diff --
    
    I don't think this should be `WARN` level -- `INFO` is fine. 


> Add support for encrypted properties in configuration files
> -----------------------------------------------------------
>
>                 Key: NIFIREG-61
>                 URL: https://issues.apache.org/jira/browse/NIFIREG-61
>             Project: NiFi Registry
>          Issue Type: New Feature
>            Reporter: Kevin Doran
>            Assignee: Kevin Doran
>             Fix For: 0.0.1
>
>
> The NiFi Registry server is configured by files on disk, e.g., 
> nifi-registry.properties, bootstrap.conf, and XML files for loading 
> extensions. Sometimes these files contain properties with sensitive values, 
> such as credentials.
> We want to be able to support encrypting property values in NiFi Registry 
> configuration files on disk that get decrypted in memory at runtime. As an 
> initial step, the decryption key will be specified in the bootstrap.conf 
> file. In the future, it might be input to the bootstrap processes via other 
> means.
> For the design of this feature, the NiFi implementation of this capability 
> should be used as a guide.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)