[
https://issues.apache.org/jira/browse/OAK-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15110173#comment-15110173
]
Chetan Mehrotra edited comment on OAK-3761 at 1/21/16 6:53 AM:
---------------------------------------------------------------
Good stuff here Timothee , nicely implemented and with lots of test coverage!.
However I share the thoughts which Alex put. I think better place for such an
implementation is Sling (commons/extensions) as similar API requirement has
been felt there also for some time. So lets break it in parts
*API*
Currently API is defined as {{SymmetricCipher}}. For usage in Oak code is just
concerned with getting the plain text value. The plain text value can be
* Fetched from 3rd party service by treating the passed text as name of some
credential which need to be fetched from external service
* OR From decrypting the passed text treat that as encrypted string
So a better name might be {{unprotect}} as its not always related to
decryption. On same line the interface name should be something different. Not
sure on same say {{CredentialStore}}.
Also we would need a method {{isProtected}}. Such that client code can decided
if the OSGi config value is plaintext or protected
{code}
@Reference
private CredentialStore credentialStore;
private String ldapPassword;
private void activate(Map<String,Object> config){
String password = (String)config.get("ldapPassword");
if (credentialStore.isProtected(password)){
password = credentialStore.unprotect(password);
}
...
}
{code}
Further instead of adding a new module it would be better to define this API in
{{org.apache.jackrabbit.oak.spi.crypto}}
*Implementation*
We can have the implementation either here or in Sling (Sling preferred). If in
Oak it should go under {{org.apache.jackrabbit.oak.plugins.crypto}}
*Servlet*
Instead of servlet have a main method and provide an option in oak-run. Or
something similar to how [Maven supports
encryption|https://maven.apache.org/guides/mini/guide-encryption.html]
# Specifying master password - This command would take repository folder path
and then store the master password there. The password argument would be
optional. if not specified system would generate one on its own
{noformat}
java -jar oak-run-*.jar crypto --encrypt-master-password <password>
{noformat}
# Encrypting password -
{noformat}
java -jar oak-run-*.jar crypto --encrypt-password <password>
{noformat}
As mentioned before having this feature in Sling as an independent module would
allow wider usage. In such a case you can have a first class web console plugin
to encrypt the password for default implementation. Such a code can be
implemented in a way such that it can also be used as a library within Oak. And
then in Oak we can have a wrapper impl which implements Oak API and delegates
to Sling API
was (Author: chetanm):
Good stuff here Timothee , nicely implemented and with lots of test coverage!.
However I share the thoughts which Alex put. I think better place for such an
implementation is Sling (commons/extensions) as similar API requirement has
been felt there also for some time. So lets break it in parts
*API*
Currently API is defined as {{SymmetricCipher}}. For usage in Oak code is just
concerned with getting the plain text value. The plain text value can be
* Fetched from 3rd party service by treating the passed text as name of some
credential which need to be fetched from external service
* OR From decrypting the passed text treat that as encrypted string
So a better name might be {{unprotect}} as its not always related to
decryption. On same line the interface name should be something different. Not
sure on same say {{CredentialStore}}.
Also we would need a method {{isProtected}}. Such that client code can decided
if the OSGi config value is plaintext or protected
{code}
@Reference
private CredentialStore credentialStore;
private String ldapPassword;
private void activate(Map<String,Object> config){
String password = (String)config.get("ldapPassword");
if (credentialStore.isProtected(password)){
password = credentialStore.unprotect(password);
}
...
}
{code}
Further instead of adding a new module it would be better to define this API in
*org.apache.jackrabbit.oak.spi.crypto*
*Implementation*
We can have the implementation either here or in Sling (Sling preferred). If in
Oak it should go under {{org.apache.jackrabbit.oak.plugins.crypto}}
*Servlet*
Instead of servlet have a main method and provide an option in oak-run. Or
something similar to how [Maven supports
encryption|https://maven.apache.org/guides/mini/guide-encryption.html]
# Specifying master password - This command would take repository folder path
and then store the master password there. The password argument would be
optional. if not specified system would generate one on its own
{noformat}
java -jar oak-run-*.jar crypto --encrypt-master-password <password>
{noformat}
# Encrypting password -
{noformat}
java -jar oak-run-*.jar crypto --encrypt-password <password>
{noformat}
As mentioned before having this feature in Sling as an independent module would
allow wider usage. In such a case you can have a first class web console plugin
to encrypt the password for default implementation. Such a code can be
implemented in a way such that it can also be used as a library within Oak. And
then in Oak we can have a wrapper impl which implements Oak API and delegates
to Sling API
> Oak crypto API and implementation
> ---------------------------------
>
> Key: OAK-3761
> URL: https://issues.apache.org/jira/browse/OAK-3761
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: security
> Affects Versions: 1.3.12
> Reporter: Timothee Maret
> Assignee: angela
> Attachments: OAK-3761.patch, OAK-3761.patch
>
>
> As discussed in [0], this issue tracks adding a simple API and implementation
> for encryption/decryption in Oak.
> [0]
> http://oak.markmail.org/search/?q=crypto#query:crypto+page:1+mid:iwsfd66lku2dzs2n+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
