Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2350#discussion_r159102294
--- Diff:
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
---
@@ -921,6 +1090,39 @@ class ConfigEncryptionTool {
}
}
+ /**
+ * Writes the contents of the authorizers configuration file with
encrypted values to the output {@code authorizers.xml} file.
+ *
+ * @throw IOException if there is a problem reading or writing the
authorizers.xml file
+ */
+ private void writeAuthorizers() throws IOException {
+ if (!outputAuthorizersPath) {
+ throw new IllegalArgumentException("Cannot write encrypted
properties to empty authorizers.xml path")
+ }
+
+ File outputAuthorizersFile = new File(outputAuthorizersPath)
+
+ if (isSafeToWrite(outputAuthorizersFile)) {
+ try {
+ String updatedXmlContent
+ File authorizersFile = new File(authorizersPath)
+ if (authorizersFile.exists() && authorizersFile.canRead())
{
+ // Instead of just writing the XML content to a file,
this method attempts to maintain the structure of the original file and
preserves comments
+ updatedXmlContent =
serializeAuthorizersAndPreserveFormat(authorizers, authorizersFile).join("\n")
+ }
--- End diff --
Due to a possible race condition (`authorizersFile` exists and can be read
when the tool execution starts, but has been deleted/made unreadable by an
external process before `writeAuthorizers` executes), the value of
`updatedXmlContent` will be empty, and it will overwrite `authorizers.xml`.
There should be an `else` branch here which simply serializes `authorizers` to
XML without the preserved whitespace and comments in order to maintain the
content.
This should probably also be done for the LDAP section.
---
