Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2376#discussion_r159957605
--- Diff:
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/NiFiRegistryDecryptMode.groovy
---
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.toolkit.encryptconfig
+
+import org.apache.nifi.properties.AESSensitivePropertyProvider
+import org.apache.nifi.toolkit.encryptconfig.util.BootstrapUtil
+import org.apache.nifi.toolkit.encryptconfig.util.ToolUtilities
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+
+/**
+ * A special DecryptMode that can run using NiFiRegistry CLI Options
+ */
+class NiFiRegistryDecryptMode extends DecryptMode {
+
+ private static final Logger logger =
LoggerFactory.getLogger(NiFiRegistryDecryptMode.class)
+
+ CliBuilder cli
+
+ NiFiRegistryDecryptMode() {
+ cli = NiFiRegistryMode.cliBuilder()
+ }
+
+ @Override
+ void run(String[] args) {
+ logger.warn("The decryption capability of this tool is still
considered experimental. The results should be manually verified.")
+ try {
+
+ def options = cli.parse(args)
+
+ if (!options || options.h) {
+ EncryptConfigMain.printUsageAndExit("",
EncryptConfigMain.EXIT_STATUS_OTHER)
+ }
+
+ EncryptConfigLogger.configureLogger(options.v)
+
+ DecryptConfiguration config = new DecryptConfiguration()
+
+ /* Invalid fields when used with --decrypt: */
+ def invalidDecryptOptions = ["i", "a"]
+ def presentInvalidOptions =
Arrays.stream(options.getInner().getOptions()).findAll {
+ invalidDecryptOptions.contains(it.getOpt())
+ }
+ if (presentInvalidOptions.size() > 0) {
+ throw new RuntimeException("Invalid options:
${EncryptConfigMain.DECRYPT_OPT} cannot be used with
[${presentInvalidOptions.join(", ")}]. It should only be used with [-r].")
+ }
+
+ /* Required fields when using --decrypt */
+ // registryPropertiesFile (-r)
+ if (!options.r) {
+ throw new RuntimeException("Invalid options: Input
nifiRegistryProperties (-r) is required when using --decrypt")
+ }
+ config.inputFilePath = options.r
+ config.fileType = FileType.properties // disables
auto-detection, which is still experimental
+
+ // one of [--oldPassword, --oldKey] or [-p, -k, -b <file]
+ String keyHex = null
--- End diff --
I think this logic should be extracted to a method and condensed. Something
like this (note: should `oldPassword` and `oldKey` be accepted for decryption?):
```
Index:
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/NiFiRegistryDecryptMode.groovy
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/NiFiRegistryDecryptMode.groovy
(date 1515148235000)
+++
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/NiFiRegistryDecryptMode.groovy
(revision )
@@ -67,77 +67,112 @@
config.inputFilePath = options.r
config.fileType = FileType.properties // disables
auto-detection, which is still experimental
- // one of [--oldPassword, --oldKey] or [-p, -k, -b <file]
- String keyHex = null
- String password = null
- config.keySource = null
- if (options.oldPassword) {
- if (config.keySource != null) {
+
+ config.key = retrieveKey(config, options)
+
+ config.decryptionProvider = new
AESSensitivePropertyProvider(config.key)
+
+ /* Optional fields when using --decrypt */
+ // -R outputRegistryPropertiesFile (-R)
+ if (options.R) {
+ config.outputToFile = true
+ config.outputFilePath = options.R
+ }
+
+ run(config)
+
+ } catch (Exception e) {
+ logger.error("Encountered an error: ${e.getMessage()}")
+ logger.debug("", e) // only print stack trace when verbose is
enabled
+
EncryptConfigMain.printUsageAndExit(EncryptConfigMain.EXIT_STATUS_FAILURE)
+ }
+ }
+
+ private String retrieveKey(DecryptConfiguration config, OptionAccessor
options) {
+ // one of [--oldPassword, --oldKey] or [-p, -k, -b <file]
+ String keyHex = null
+ String password = null
+ config.keySource = null
+
+ Map<String, Configuration.KeySource> keySourceMap = [
+ oldPassword: Configuration.KeySource.PASSWORD,
+ oldKey : Configuration.KeySource.KEY_HEX,
+ p : Configuration.KeySource.PASSWORD,
+ k : Configuration.KeySource.KEY_HEX,
+// b : Configuration.KeySource.BOOTSTRAP_FILE
+ ]
+
+ keySourceMap.each { String name, Configuration.KeySource ks ->
+ if (options."$name") {
+ if (config.keySource) {
throw new RuntimeException("Invalid options: Only one
of [--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the
decryption password/key.")
}
- config.keySource = Configuration.KeySource.PASSWORD
- keyHex = options.getInner().getOptionValue("oldPassword")
- }
- if (options.oldKey) {
- if (config.keySource != null) {
- throw new RuntimeException("Invalid options: Only one
of [--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the
decryption password/key.")
+ config.keySource = ks
+ if (ks == Configuration.KeySource.PASSWORD) {
+ password = options.getInner().getOptionValue(name)
+ } else {
+ keyHex = options.getInner().getOptionValue(name)
}
- config.keySource = Configuration.KeySource.KEY_HEX
- keyHex = options.getInner().getOptionValue("oldKey")
}
- if (options.p) {
- if (config.keySource != null) {
- throw new RuntimeException("Invalid options: Only one
of [--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the
decryption password/key.")
- }
- config.keySource = Configuration.KeySource.PASSWORD
- password = options.getInner().getOptionValue("p")
- }
- if (options.k) {
- if (config.keySource != null) {
- throw new RuntimeException("Invalid options: Only one
of [--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the
decryption password/key.")
- }
- config.keySource = Configuration.KeySource.KEY_HEX
- keyHex = options.getInner().getOptionValue("k")
- }
+ }
- if (config.keySource) {
- config.key = ToolUtilities.determineKey(keyHex, password,
Configuration.KeySource.PASSWORD.equals(config.keySource))
- }
+ // Convert the password to a key (if necessary) and store in the
config object
+ if (config.keySource) {
+ config.key = ToolUtilities.determineKey(keyHex, password,
config.keySource == Configuration.KeySource.PASSWORD)
+ }
+
+// if (options.oldPassword) {
+// if (config.keySource != null) {
+// throw new RuntimeException("Invalid options: Only one of
[--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the decryption
password/key.")
+// }
+// config.keySource = Configuration.KeySource.PASSWORD
+// keyHex = options.getInner().getOptionValue("oldPassword")
+// }
+// if (options.oldKey) {
+// if (config.keySource != null) {
+// throw new RuntimeException("Invalid options: Only one of
[--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the decryption
password/key.")
+// }
+// config.keySource = Configuration.KeySource.KEY_HEX
+// keyHex = options.getInner().getOptionValue("oldKey")
+// }
+// if (options.p) {
+// if (config.keySource != null) {
+// throw new RuntimeException("Invalid options: Only one of
[--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the decryption
password/key.")
+// }
+// config.keySource = Configuration.KeySource.PASSWORD
+// password = options.getInner().getOptionValue("p")
+// }
+// if (options.k) {
+// if (config.keySource != null) {
+// throw new RuntimeException("Invalid options: Only one of
[--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the decryption
password/key.")
+// }
+// config.keySource = Configuration.KeySource.KEY_HEX
+// keyHex = options.getInner().getOptionValue("k")
+// }
+
+// if (config.keySource) {
+// config.key = ToolUtilities.determineKey(keyHex, password,
Configuration.KeySource.PASSWORD.equals(config.keySource))
+// }
- if (options.b) {
- if (config.keySource != null) {
- throw new RuntimeException("Invalid options: Only one
of [--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the
decryption password/key.")
- }
- config.keySource = Configuration.KeySource.BOOTSTRAP_FILE
- config.inputBootstrapPath = options.b
+ if (options.b) {
+ if (config.keySource) {
+ throw new RuntimeException("Invalid options: Only one of
[--oldPassword, --oldKey, -b, -p, -k] is allowed for specifying the decryption
password/key.")
+ }
+ config.keySource = Configuration.KeySource.BOOTSTRAP_FILE
+ config.inputBootstrapPath = options.b
- logger.debug("Checking expected NiFi Registry
bootstrap.conf format")
- config.key =
BootstrapUtil.extractKeyFromBootstrapFile(config.inputBootstrapPath,
BootstrapUtil.REGISTRY_BOOTSTRAP_KEY_PROPERTY)
+ logger.debug("Checking expected NiFi Registry bootstrap.conf
format")
+ config.key =
BootstrapUtil.extractKeyFromBootstrapFile(config.inputBootstrapPath,
BootstrapUtil.REGISTRY_BOOTSTRAP_KEY_PROPERTY)
- // check we have found the key
- if (config.key) {
- logger.debug("Master key found in
${config.inputBootstrapPath}. This key will be used for decryption operations.")
- } else {
- logger.warn("Bootstrap Conf flag present, but master
key could not be found in ${config.inputBootstrapPath}.")
- }
- }
+ // check we have found the key
+ if (config.key) {
+ logger.debug("Master key found in
${config.inputBootstrapPath}. This key will be used for decryption operations.")
+ } else {
+ logger.warn("Bootstrap conf flag present, but master key
could not be found in ${config.inputBootstrapPath}.")
+ }
+ }
- config.decryptionProvider = new
AESSensitivePropertyProvider(config.key)
-
- /* Optional fields when using --decrypt */
- // -R outputRegistryPropertiesFile (-R)
- if (options.R) {
- config.outputToFile = true
- config.outputFilePath = options.R
- }
-
- run(config)
-
- } catch (Exception e) {
- logger.error("Encountered an error: ${e.getMessage()}")
- logger.debug("", e) // only print stack trace when verbose is
enabled
-
EncryptConfigMain.printUsageAndExit(EncryptConfigMain.EXIT_STATUS_FAILURE)
- }
+ config.key
}
}
```
---
