[
https://issues.apache.org/jira/browse/NIFI-5147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602956#comment-16602956
]
ASF GitHub Bot commented on NIFI-5147:
--------------------------------------
Github user ottobackwards commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2980#discussion_r214883268
--- Diff:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/security/util/crypto/HashService.java
---
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.util.crypto;
+
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.codec.digest.DigestUtils;
+import org.bouncycastle.crypto.digests.Blake2bDigest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class provides a generic service for cryptographic hashing. It is
used in
+ * {@link org.apache.nifi.processors.standard.CalculateAttributeHash} and
+ * {@link org.apache.nifi.processors.standard.HashContent}.
+ * <p>
+ * See also:
+ * * {@link HashAlgorithm}
+ */
+public class HashService {
+ private static final Logger logger =
LoggerFactory.getLogger(HashService.class);
+
+ /**
+ * Returns the hex-encoded hash of the specified value.
+ *
+ * @param algorithm the hash algorithm to use
+ * @param value the value to hash (cannot be {@code null} but can
be an empty String)
+ * @param charset the charset to use
+ * @return the hash value in hex
+ */
+ public static String hashValue(HashAlgorithm algorithm, String value,
Charset charset) {
+ byte[] rawHash = hashValueRaw(algorithm, value, charset);
+ return Hex.encodeHexString(rawHash);
+ }
+
+ /**
+ * Returns the hex-encoded hash of the specified value. The default
charset ({@code StandardCharsets.UTF_8}) is used.
+ *
+ * @param algorithm the hash algorithm to use
+ * @param value the value to hash (cannot be {@code null} but can
be an empty String)
+ * @return the hash value in hex
+ */
+ public static String hashValue(HashAlgorithm algorithm, String value) {
+ return hashValue(algorithm, value, StandardCharsets.UTF_8);
+ }
+
+ /**
+ * Returns the raw {@code byte[]} hash of the specified value.
+ *
+ * @param algorithm the hash algorithm to use
+ * @param value the value to hash (cannot be {@code null} but can
be an empty String)
+ * @param charset the charset to use
+ * @return the hash value in bytes
+ */
+ public static byte[] hashValueRaw(HashAlgorithm algorithm, String
value, Charset charset) {
+ if (value == null) {
+ throw new IllegalArgumentException("The value cannot be null");
+ }
+ return hashValueRaw(algorithm, value.getBytes(charset));
+ }
+
+ /**
+ * Returns the raw {@code byte[]} hash of the specified value. The
default charset ({@code StandardCharsets.UTF_8}) is used.
+ *
+ * @param algorithm the hash algorithm to use
+ * @param value the value to hash (cannot be {@code null} but can
be an empty String)
+ * @return the hash value in bytes
+ */
+ public static byte[] hashValueRaw(HashAlgorithm algorithm, String
value) {
+ return hashValueRaw(algorithm, value, StandardCharsets.UTF_8);
+ }
+
+ /**
+ * Returns the raw {@code byte[]} hash of the specified value.
+ *
+ * @param algorithm the hash algorithm to use
+ * @param value the value to hash
+ * @return the hash value in bytes
+ */
+ public static byte[] hashValueRaw(HashAlgorithm algorithm, byte[]
value) {
+ if (algorithm == null) {
+ throw new IllegalArgumentException("The hash algorithm cannot
be null");
+ }
+ if (value == null) {
+ throw new IllegalArgumentException("The value cannot be null");
+ }
+ if (algorithm.isBlake2()) {
+ return blake2Hash(algorithm, value);
+ } else {
+ return traditionalHash(algorithm, value);
+ }
+ }
+
--- End diff --
Could we put this functionality in the enum and simplify this class?
Having the specialization there?
> Improve HashAttribute processor
> -------------------------------
>
> Key: NIFI-5147
> URL: https://issues.apache.org/jira/browse/NIFI-5147
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 1.6.0
> Reporter: Andy LoPresto
> Assignee: Otto Fowler
> Priority: Major
> Labels: hash, security
> Fix For: 1.8.0
>
>
> The {{HashAttribute}} processor currently has surprising behavior. Barring
> familiarity with the processor, a user would expect {{HashAttribute}} to
> generate a hash value over one or more attributes. Instead, the processor as
> it is implemented "groups" incoming flowfiles into groups based on regular
> expressions which match attribute values, and then generates a
> (non-configurable) MD5 hash over the concatenation of the matching attribute
> keys and values.
> In addition:
> * the processor throws an error and routes to failure any incoming flowfile
> which does not have all attributes specified in the processor
> * the use of MD5 is vastly deprecated
> * no other hash algorithms are available
> I am unaware of community use of this processor, but I do not want to break
> backward compatibility. I propose the following steps:
> * Implement a new {{CalculateAttributeHash}} processor (awkward name, but
> this processor already has the desired name)
> ** This processor will perform the "standard" use case -- identify an
> attribute, calculate the specified hash over the value, and write it to an
> output attribute
> ** This processor will have a required property descriptor allowing a
> dropdown menu of valid hash algorithms
> ** This processor will accept arbitrary dynamic properties identifying the
> attributes to be hashed as a key, and the resulting attribute name as a value
> ** Example: I want to generate a SHA-512 hash on the attribute {{username}},
> and a flowfile enters the processor with {{username}} value {{alopresto}}. I
> configure {{algorithm}} with {{SHA-512}} and add a dynamic property
> {{username}} -- {{username_SHA512}}. The resulting flowfile will have
> attribute {{username_SHA512}} with value
> {{739b4f6722fb5de20125751c7a1a358b2a7eb8f07e530e4bf18561fbff93234908aa9d2577770c876bca9ede5ba784d5ce6081dbbdfe5ddd446678f223b8d632}}
> * Improve the documentation of this processor to explain the goal/expected
> use case (?)
> * Link in processor documentation to new processor for standard use cases
> * Remove the error alert when an incoming flowfile does not contain all
> expected attributes. I propose changing the severity to INFO and still
> routing to failure
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
