Rename config encryption filter from config-secure.

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>
Tomas Langer
2019-01-03 23:08:38 +01:00
committed by Tomas Langer
parent 10d31f65ff
commit ff076097f9
34 changed files with 145 additions and 145 deletions


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -101,7 +101,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<!-- security -->


@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -53,7 +53,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@
module io.helidon.security.bundle {
requires transitive io.helidon.security;
requires transitive io.helidon.security.annotations;
requires transitive io.helidon.config.secure;
requires transitive io.helidon.config.encryption;
requires transitive io.helidon.security.providers.header;
requires transitive io.helidon.security.providers.httpauth;
requires transitive io.helidon.security.providers.httpsign;


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -26,8 +26,8 @@
<version>0.11.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>helidon-config-secure</artifactId>
<name>Helidon Config Secure Filter</name>
<artifactId>helidon-config-encryption</artifactId>
<name>Helidon Config Encryption Filter</name>
<description>
Configuration filter checking property values and decrypting them if needed. Also provides tools to encrypt values to
@@ -71,7 +71,7 @@
<configuration>
<archive>
<manifest>
<mainClass>io.helidon.config.secure.Main</mainClass>
<mainClass>io.helidon.config.encryption.Main</mainClass>
</manifest>
</archive>
</configuration>


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,12 +14,12 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
/**
* Secure config related exception.
*/
public class SecureConfigException extends RuntimeException {
public class ConfigEncryptionException extends RuntimeException {
/**
* Constructs a new secure config exception with the specified detail message.
@@ -27,7 +27,7 @@ public class SecureConfigException extends RuntimeException {
* @param message the detail message. The detail message is saved for
* later retrieval by the {@link #getMessage()} method.
*/
public SecureConfigException(String message) {
public ConfigEncryptionException(String message) {
super(message);
}
@@ -38,7 +38,7 @@ public class SecureConfigException extends RuntimeException {
* @param cause cause of this exception
* @see Exception#Exception(String, Throwable)
*/
public SecureConfigException(String message, Throwable cause) {
public ConfigEncryptionException(String message, Throwable cause) {
super(message, cause);
}
}
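Review bot: The Javadoc still describes the old name after the rename: the class comment reads `* Secure config related exception.` and the first constructor's comment `* Constructs a new secure config exception with the specified detail message.`, while the type is now `ConfigEncryptionException`. Since the "secure config" wording no longer corresponds to any identifier in the package, a reader cannot tell what the exception covers. Suggest `* Config encryption related exception.` for the class and `* Constructs a new config encryption exception with the specified detail message.` for the constructor; the second constructor's comment (first hunk line `@@ -38,7`) presumably needs the same treatment, though its summary line is outside the hunk.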


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
/**
* Properties and their default values.
@@ -56,8 +56,8 @@ public final class ConfigProperties {
* Environment variable to set key type to use.
* Allowed values:
* <ul>
* <li><code>RSA</code> - default value, unix-like non-encrypted private key</li>
* <li><code>PKCS12</code> - keystore, password protected store and/or private key</li>
* <li>{@code RSA} - default value, unix-like non-encrypted private key</li>
* <li>{@code PKCS12} - keystore, password protected store and/or private key</li>
* </ul>
*/
public static final String PRIVATE_KEYSTORE_TYPE_ENV_VARIABLE = "SECURE_CONFIG_PRIVATE_KEY_TYPE";
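Review bot: The environment variable name on the last line, `"SECURE_CONFIG_PRIVATE_KEY_TYPE"`, keeps the old `SECURE_CONFIG_` prefix although the module, package and classes were all renamed to "encryption". If that is deliberate (keeping deployments that already set these variables working), it deserves a comment so the next cleanup does not "fix" it and silently change which variable is read; if it is an oversight, it should be renamed together with the rest. Suggested comment above the constant: `// Keeps the SECURE_CONFIG_ prefix on purpose: renaming the variable would break existing deployments that set it`. The other `*_ENV_VARIABLE` constants in this class are outside the hunk and presumably have the same prefix; confirm they are handled consistently.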


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
@@ -58,10 +58,10 @@ import io.helidon.config.spi.ConfigFilter;
* @see ConfigProperties#MASTER_PASSWORD_CONFIG_KEY
* @see ConfigProperties#REQUIRE_ENCRYPTION_ENV_VARIABLE
*/
public final class SecureConfigFilter implements ConfigFilter {
public final class EncryptionFilter implements ConfigFilter {
static final String PREFIX_AES = "${AES=";
static final String PREFIX_RSA = "${RSA=";
private static final Logger LOGGER = Logger.getLogger(SecureConfigFilter.class.getName());
private static final Logger LOGGER = Logger.getLogger(EncryptionFilter.class.getName());
private static final String PREFIX_ALIAS = "${ALIAS=";
private static final String PREFIX_CLEAR = "${CLEAR=";
@@ -75,27 +75,27 @@ public final class SecureConfigFilter implements ConfigFilter {
private final ConfigFilter aesFilter;
private final ConfigFilter aliasFilter;
private SecureConfigFilter(Builder builder, Config config) {
private EncryptionFilter(Builder builder, Config config) {
if (builder.fromConfig) {
this.requireEncryption = OptionalHelper.from(CryptUtil.getEnv(ConfigProperties.REQUIRE_ENCRYPTION_ENV_VARIABLE)
this.requireEncryption = OptionalHelper.from(EncryptionUtil.getEnv(ConfigProperties.REQUIRE_ENCRYPTION_ENV_VARIABLE)
.map(Boolean::parseBoolean))
.or(() -> config.get(ConfigProperties.REQUIRE_ENCRYPTION_CONFIG_KEY).asBoolean().asOptional())
.asOptional()
.orElse(true);
this.masterPassword = CryptUtil.resolveMasterPassword(requireEncryption, config).orElse(null);
this.privateKey = CryptUtil.resolvePrivateKey(config.get("security.config.rsa"))
this.masterPassword = EncryptionUtil.resolveMasterPassword(requireEncryption, config).orElse(null);
this.privateKey = EncryptionUtil.resolvePrivateKey(config.get("security.config.rsa"))
.orElse(null);
} else {
this.requireEncryption = builder.requireEncryption;
this.privateKey = builder.privateKeyConfig.privateKey()
.orElseThrow(() -> new SecureConfigException("Private key configuration is invalid"));
.orElseThrow(() -> new ConfigEncryptionException("Private key configuration is invalid"));
this.masterPassword = builder.masterPassword;
}
if (null != privateKey && !(privateKey instanceof RSAPrivateKey)) {
throw new SecureConfigException("Private key must be an RSA private key, but is: " + privateKey.getClass().getName());
throw new ConfigEncryptionException("Private key must be an RSA private key, but is: " + privateKey.getClass().getName());
}
ConfigFilter noOp = (key, stringValue) -> stringValue;
@@ -157,7 +157,7 @@ public final class SecureConfigFilter implements ConfigFilter {
if (value.startsWith(PREFIX_CLEAR)) {
if (requireEncryption) {
throw new SecureConfigException("Key \"" + key + "\" is a clear text password, yet encryption is required");
throw new ConfigEncryptionException("Key \"" + key + "\" is a clear text password, yet encryption is required");
}
return removePlaceholder(PREFIX_CLEAR, value);
}
@@ -183,8 +183,8 @@ public final class SecureConfigFilter implements ConfigFilter {
if (value.startsWith(PREFIX_RSA)) {
String b64Value = removePlaceholder(PREFIX_RSA, value);
try {
return CryptUtil.decryptRsa(privateKey, b64Value);
} catch (SecureConfigException e) {
return EncryptionUtil.decryptRsa(privateKey, b64Value);
} catch (ConfigEncryptionException e) {
LOGGER.log(Level.FINEST, e, () -> "Failed to decrypt " + value);
return value;
}
@@ -199,8 +199,8 @@ public final class SecureConfigFilter implements ConfigFilter {
if (value.startsWith(PREFIX_AES)) {
String b64Value = value.substring(PREFIX_AES.length(), value.length() - 1);
try {
return CryptUtil.decryptAes(masterPassword, b64Value);
} catch (SecureConfigException e) {
return EncryptionUtil.decryptAes(masterPassword, b64Value);
} catch (ConfigEncryptionException e) {
LOGGER.log(Level.FINEST, e, () -> "Failed to decrypt " + value);
return value;
}
@@ -210,7 +210,7 @@ public final class SecureConfigFilter implements ConfigFilter {
}
/**
* Builder to programmatically setup {@link SecureConfigFilter}.
* Builder to programmatically setup {@link EncryptionFilter}.
*/
public static class Builder {
private boolean fromConfig = false;
@@ -257,12 +257,12 @@ public final class SecureConfigFilter implements ConfigFilter {
}
/**
* Create a new {@link SecureConfigFilter} provider based on this builder.
* Create a new {@link EncryptionFilter} provider based on this builder.
*
* @return filter instance
*/
public Function<Config, ConfigFilter> buildProvider() {
return config -> new SecureConfigFilter(this, config);
return config -> new EncryptionFilter(this, config);
}
}
}
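Review bot: The RSA and AES branches (hunks `@@ -183,8` and `@@ -199,8`) fail open: when `decryptRsa`/`decryptAes` throws `ConfigEncryptionException`, the exception is logged at `Level.FINEST` and the undecrypted `value` (still carrying its `${RSA=`/`${AES=` placeholder) is returned, even when `requireEncryption` is true. A wrong master password or key therefore surfaces as a garbage config value at runtime rather than a startup failure, and the only trace is at a level almost nobody enables. Suggest rethrowing in the strict mode and logging more visibly otherwise, e.g. before the `LOGGER.log(...)` line in both catch blocks: `if (requireEncryption) { throw e; }` and raising the log level to `Level.WARNING` without echoing the value. As a smaller point of consistency, the constructor reads `config.get("security.config.rsa")` with a literal key while the other keys come from `ConfigProperties` constants. The enclosing decrypt methods start outside the hunks.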


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,15 +14,15 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import io.helidon.config.Config;
import io.helidon.config.spi.ConfigFilter;
/**
* A Java service for {@link SecureConfigFilter}.
* A Java service for {@link EncryptionFilter}.
*/
public class SecureConfigFilterService implements ConfigFilter {
public class EncryptionFilterService implements ConfigFilter {
private ConfigFilter filter;
@Override
@@ -36,6 +36,6 @@ public class SecureConfigFilterService implements ConfigFilter {
@Override
public void init(Config config) {
this.filter = SecureConfigFilter.fromConfig().apply(config);
this.filter = EncryptionFilter.fromConfig().apply(config);
}
}


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
@@ -42,8 +42,8 @@ import io.helidon.config.ConfigValue;
/**
* Encryption utilities for secrets protection.
*/
public final class CryptUtil {
private static final Logger LOGGER = Logger.getLogger(CryptUtil.class.getName());
public final class EncryptionUtil {
private static final Logger LOGGER = Logger.getLogger(EncryptionUtil.class.getName());
private static final SecureRandom SECURE_RANDOM = new SecureRandom();
private static final int SALT_LENGTH = 16;
@@ -51,7 +51,7 @@ public final class CryptUtil {
private static final int HASH_ITERATIONS = 10000;
private static final int KEY_LENGTH = 128;
private CryptUtil() {
private EncryptionUtil() {
throw new IllegalStateException("Utility class");
}
@@ -62,9 +62,9 @@ public final class CryptUtil {
* @param key private or public key to use to decrypt
* @param encryptedBase64 base64 encoded encrypted secret
* @return Secret value
* @throws SecureConfigException If any problem with decryption occurs
* @throws ConfigEncryptionException If any problem with decryption occurs
*/
public static String decryptRsa(Key key, String encryptedBase64) throws SecureConfigException {
public static String decryptRsa(Key key, String encryptedBase64) throws ConfigEncryptionException {
Objects.requireNonNull(key, "Key must be provided for decryption");
Objects.requireNonNull(encryptedBase64, "Encrypted bytes must be provided for decryption (base64 encoded)");
@@ -73,11 +73,11 @@ public final class CryptUtil {
cipher.init(Cipher.DECRYPT_MODE, key);
byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(encryptedBase64));
return new String(decrypted, StandardCharsets.UTF_8);
} catch (SecureConfigException e) {
} catch (ConfigEncryptionException e) {
throw e;
} catch (Exception e) {
throw new SecureConfigException("Failed to decrypt value using RSA. Returning clear text value as is: "
+ encryptedBase64);
throw new ConfigEncryptionException("Failed to decrypt value using RSA. Returning clear text value as is: "
+ encryptedBase64, e);
}
}
@@ -87,9 +87,9 @@ public final class CryptUtil {
* @param key private or public key to use to encrypt
* @param secret secret to encrypt
* @return base64 encoded encrypted bytes
* @throws SecureConfigException If any problem with encryption occurs
* @throws ConfigEncryptionException If any problem with encryption occurs
*/
public static String encryptRsa(Key key, String secret) throws SecureConfigException {
public static String encryptRsa(Key key, String secret) throws ConfigEncryptionException {
Objects.requireNonNull(key, "Key must be provided for encryption");
Objects.requireNonNull(secret, "Secret message must be provided to be encrypted");
@@ -99,7 +99,7 @@ public final class CryptUtil {
byte[] encrypted = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
return Base64.getEncoder().encodeToString(encrypted);
} catch (Exception e) {
throw new SecureConfigException("Failed to encrypt using RSA key", e);
throw new ConfigEncryptionException("Failed to encrypt using RSA key", e);
}
}
@@ -109,9 +109,9 @@ public final class CryptUtil {
* @param masterPassword master password
* @param secret secret to encrypt
* @return Encrypted value base64 encoded
* @throws SecureConfigException If any problem with encryption occurs
* @throws ConfigEncryptionException If any problem with encryption occurs
*/
public static String encryptAes(char[] masterPassword, String secret) throws SecureConfigException {
public static String encryptAes(char[] masterPassword, String secret) throws ConfigEncryptionException {
Objects.requireNonNull(masterPassword, "Password must be provided for encryption");
Objects.requireNonNull(secret, "Secret message must be provided to be encrypted");
@@ -131,7 +131,7 @@ public final class CryptUtil {
try {
encryptedMessageBytes = cipher.doFinal(bytesToEncrypt);
} catch (Exception e) {
throw new SecureConfigException("Failed to encrypt", e);
throw new ConfigEncryptionException("Failed to encrypt", e);
}
// get bytes to base64 (salt + encrypted message)
@@ -142,7 +142,7 @@ public final class CryptUtil {
return Base64.getEncoder().encodeToString(bytesToEncode);
}
private static Cipher cipher(char[] masterPassword, byte[] salt, int cipherMode) throws SecureConfigException {
private static Cipher cipher(char[] masterPassword, byte[] salt, int cipherMode) throws ConfigEncryptionException {
try {
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec keySpec = new PBEKeySpec(masterPassword, salt, HASH_ITERATIONS, KEY_LENGTH);
@@ -152,7 +152,7 @@ public final class CryptUtil {
return cipher;
} catch (Exception e) {
throw new SecureConfigException("Failed to prepare a cipher instance", e);
throw new ConfigEncryptionException("Failed to prepare a cipher instance", e);
}
}
@@ -164,9 +164,9 @@ public final class CryptUtil {
* @param masterPassword master password
* @param encryptedBase64 encrypted secret, base64 encoded
* @return Decrypted secret
* @throws SecureConfigException if something bad happens during decryption (e.g. wrong password)
* @throws ConfigEncryptionException if something bad happens during decryption (e.g. wrong password)
*/
static String decryptAes(char[] masterPassword, String encryptedBase64) throws SecureConfigException {
static String decryptAes(char[] masterPassword, String encryptedBase64) throws ConfigEncryptionException {
Objects.requireNonNull(masterPassword, "Password must be provided for encryption");
Objects.requireNonNull(encryptedBase64, "Encrypted bytes must be provided for decryption (base64 encoded)");
@@ -192,7 +192,7 @@ public final class CryptUtil {
return new String(originalBytes, StandardCharsets.UTF_8);
} catch (Throwable e) {
throw new SecureConfigException("Failed to decrypt value using AES. Returning clear text value as is: "
throw new ConfigEncryptionException("Failed to decrypt value using AES. Returning clear text value as is: "
+ encryptedBase64, e);
}
}
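Review bot: `decryptAes` catches `Throwable` (hunk `@@ -192,7`) and wraps it in `ConfigEncryptionException`, which the filter then swallows at FINEST, so an `Error` such as `OutOfMemoryError` or a `LinkageError` from the crypto provider would be downgraded to "failed to decrypt" and the raw value returned; `decryptRsa` in the same class uses `catch (Exception e)`. Suggest aligning it: `} catch (Exception e) {`. The inconsistency predates this commit but the hunk touches the line. The `decryptRsa` change to pass `e` as the cause is an improvement; the identical message wording "Returning clear text value as is" describes what the caller does rather than what this method does, so it may be worth rewording to just `"Failed to decrypt value using RSA"` now that the cause is attached.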


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.nio.file.Files;
import java.nio.file.Path;
@@ -158,11 +158,11 @@ public final class Main {
}
String rsa() {
return SecureConfigFilter.PREFIX_RSA + CryptUtil.encryptRsa(publicKey, secret) + '}';
return EncryptionFilter.PREFIX_RSA + EncryptionUtil.encryptRsa(publicKey, secret) + '}';
}
String aes() {
return SecureConfigFilter.PREFIX_AES + CryptUtil.encryptAes(masterPassword.toCharArray(), secret) + '}';
return EncryptionFilter.PREFIX_AES + EncryptionUtil.encryptAes(masterPassword.toCharArray(), secret) + '}';
}
Algorithm getAlgorithm() {


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,7 @@
/**
* Support for encrypted properties.
*
* @see io.helidon.config.secure.Main For encrypting values
* @see io.helidon.config.secure.SecureConfigFilter For usage with config
* @see io.helidon.config.encryption.Main For encrypting values
* @see io.helidon.config.encryption.EncryptionFilter For usage with config
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,14 +17,14 @@
/**
* Module supporting encryption of secrets in configuration files.
*/
module io.helidon.config.secure {
module io.helidon.config.encryption {
requires java.logging;
// for RSA encrypted keys
requires transitive io.helidon.common.pki;
requires transitive io.helidon.config;
exports io.helidon.config.secure;
exports io.helidon.config.encryption;
provides io.helidon.config.spi.ConfigFilter with io.helidon.config.secure.SecureConfigFilterService;
provides io.helidon.config.spi.ConfigFilter with io.helidon.config.encryption.SecureConfigFilterService;
}
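Review bot: The `provides` directive on the new side still names `io.helidon.config.encryption.SecureConfigFilterService`, but the service class was renamed to `EncryptionFilterService` in this same commit and the `META-INF/services` entry already uses the new name. With the module system in use the module will not compile (the provider class does not exist), and on the classpath the filter would simply not be discovered, which silently disables decryption. The line should read `provides io.helidon.config.spi.ConfigFilter with io.helidon.config.encryption.EncryptionFilterService;`.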


@@ -1,5 +1,5 @@
#
# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,4 +14,4 @@
# limitations under the License.
#
io.helidon.config.secure.SecureConfigFilterService
io.helidon.config.encryption.EncryptionFilterService


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.util.List;
@@ -55,7 +55,7 @@ abstract class AbstractSecureConfigTest {
@Test
void testClearTextNotAllowed() {
assertThrows(SecureConfigException.class, () ->
assertThrows(ConfigEncryptionException.class, () ->
testPassword(getConfigRequiresEncryption(), "pwd1", "known_password"));
}
@@ -77,7 +77,7 @@ abstract class AbstractSecureConfigTest {
@Test
void testAliasClearTextNotAllowed() {
assertThrows(SecureConfigException.class, () ->
assertThrows(ConfigEncryptionException.class, () ->
testPassword(getConfigRequiresEncryption(), "pwd2", "known_password"));
}


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
@@ -44,7 +44,7 @@ import static org.junit.jupiter.api.Assertions.fail;
/**
* Encryption utility test.
*/
public class CryptUtilTest {
public class EncryptionUtilTest {
private static final String TEST_SECRET = "Jaja uzh :( berglengele";
private static final char[] MASTER_PASSWORD = "myComplicatePassword".toCharArray();
@@ -78,9 +78,9 @@ public class CryptUtilTest {
public void testEncryptWrongKey() throws NoSuchAlgorithmException {
PrivateKey privateKey = generateDsaPrivateKey();
try {
CryptUtil.encryptRsa(privateKey, TEST_SECRET);
EncryptionUtil.encryptRsa(privateKey, TEST_SECRET);
fail("We have fed DSA private key to RSA decryption. This should have failed");
} catch (SecureConfigException e) {
} catch (ConfigEncryptionException e) {
Throwable cause = e.getCause();
//our message
assertEquals("Failed to encrypt using RSA key", e.getMessage());
@@ -96,56 +96,56 @@ public class CryptUtilTest {
}
private void testPki(Key encryptionKey, Key decryptionKey, boolean mustBeSeeded) {
String encryptedBase64 = CryptUtil.encryptRsa(encryptionKey, TEST_SECRET);
String decrypted = CryptUtil.decryptRsa(decryptionKey, encryptedBase64);
String encryptedBase64 = EncryptionUtil.encryptRsa(encryptionKey, TEST_SECRET);
String decrypted = EncryptionUtil.decryptRsa(decryptionKey, encryptedBase64);
assertEquals(TEST_SECRET, decrypted);
String encryptedAgain = CryptUtil.encryptRsa(encryptionKey, TEST_SECRET);
String encryptedAgain = EncryptionUtil.encryptRsa(encryptionKey, TEST_SECRET);
if (mustBeSeeded) {
assertNotEquals(encryptedBase64, encryptedAgain);
}
decrypted = CryptUtil.decryptRsa(decryptionKey, encryptedAgain);
decrypted = EncryptionUtil.decryptRsa(decryptionKey, encryptedAgain);
assertEquals(TEST_SECRET, decrypted);
}
@Test
public void testEncryptedRsaPrivate() {
assertThrows(SecureConfigException.class, () -> testPki(privateKey, privateKey, false));
assertThrows(ConfigEncryptionException.class, () -> testPki(privateKey, privateKey, false));
}
@Test
public void testEncryptedRsaPublic() {
assertThrows(SecureConfigException.class, () -> testPki(publicKey, publicKey, true));
assertThrows(ConfigEncryptionException.class, () -> testPki(publicKey, publicKey, true));
}
@Test
public void testEncryptAndDecryptAes() {
String encryptedBase64 = CryptUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
String decrypted = CryptUtil.decryptAes(MASTER_PASSWORD, encryptedBase64);
String encryptedBase64 = EncryptionUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
String decrypted = EncryptionUtil.decryptAes(MASTER_PASSWORD, encryptedBase64);
assertEquals(TEST_SECRET, decrypted);
String encryptedAgain = CryptUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
String encryptedAgain = EncryptionUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
assertNotEquals(encryptedBase64, encryptedAgain);
decrypted = CryptUtil.decryptAes(MASTER_PASSWORD, encryptedAgain);
decrypted = EncryptionUtil.decryptAes(MASTER_PASSWORD, encryptedAgain);
assertEquals(TEST_SECRET, decrypted);
}
@Test
public void testEncryptedAes() {
String encryptedBase64 = CryptUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
String encryptedBase64 = EncryptionUtil.encryptAes(MASTER_PASSWORD, TEST_SECRET);
String encryptedString = new String(Base64.getDecoder().decode(encryptedBase64), StandardCharsets.UTF_8);
//must not be just base64 encoded
assertNotEquals(TEST_SECRET, encryptedString);
try {
String decrypted = CryptUtil.decryptAes("anotherPassword".toCharArray(), encryptedBase64);
String decrypted = EncryptionUtil.decryptAes("anotherPassword".toCharArray(), encryptedBase64);
assertThat(decrypted, is(not(TEST_SECRET)));
} catch (Exception e) {
//this is OK


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import java.nio.file.Paths;
import java.security.PrivateKey;
@@ -50,12 +50,12 @@ public class MainTest {
assertAll(
() -> assertThat("Encrypted string should contain aes prefix: " + encrypted,
encrypted.startsWith(SecureConfigFilter.PREFIX_AES)),
encrypted.startsWith(EncryptionFilter.PREFIX_AES)),
() -> assertThat("Encrypted string should contain suffix \"}\": " + encrypted, encrypted.endsWith("}"))
);
String orig = CryptUtil.decryptAes(ecp.getMasterPassword().toCharArray(),
encrypted.substring(SecureConfigFilter.PREFIX_AES.length(), encrypted.length() - 1));
String orig = EncryptionUtil.decryptAes(ecp.getMasterPassword().toCharArray(),
encrypted.substring(EncryptionFilter.PREFIX_AES.length(), encrypted.length() - 1));
assertEquals(secret, orig);
@@ -85,13 +85,13 @@ public class MainTest {
String encrypted = ecp.encrypt();
assertAll(() -> assertThat("Encrypted string should start with rsa prefix: " + encrypted,
encrypted.startsWith(SecureConfigFilter.PREFIX_RSA)),
encrypted.startsWith(EncryptionFilter.PREFIX_RSA)),
() -> assertThat("Encrypted string should end with \"}\": " + encrypted, encrypted.endsWith("}")));
String base64 = encrypted.substring(SecureConfigFilter.PREFIX_RSA.length(), encrypted.length() - 1);
String base64 = encrypted.substring(EncryptionFilter.PREFIX_RSA.length(), encrypted.length() - 1);
Base64.getDecoder().decode(base64);
String orig = CryptUtil.decryptRsa(pk, base64);
String orig = EncryptionUtil.decryptRsa(pk, base64);
assertEquals(secret, orig);
Main.main(args);


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import io.helidon.common.configurable.Resource;
import io.helidon.common.pki.KeyConfig;
@@ -42,7 +42,7 @@ public class SecureConfigFromBuilderTest extends AbstractSecureConfigTest {
config = Config.builder()
.disableFilterServices()
.addFilter(SecureConfigFilter.builder()
.addFilter(EncryptionFilter.builder()
.requireEncryption(false)
.masterPassword("myMasterPasswordForEncryption".toCharArray())
.privateKey(keyConfig)
@@ -51,7 +51,7 @@ public class SecureConfigFromBuilderTest extends AbstractSecureConfigTest {
configRequiresEncryption = Config.builder()
.disableFilterServices()
.addFilter(SecureConfigFilter.builder()
.addFilter(EncryptionFilter.builder()
.requireEncryption(true)
.masterPassword("myMasterPasswordForEncryption".toCharArray())
.privateKey(keyConfig)


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import io.helidon.config.Config;
import io.helidon.config.ConfigSources;


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
* limitations under the License.
*/
package io.helidon.config.secure;
package io.helidon.config.encryption;
import io.helidon.config.Config;


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -42,7 +42,7 @@
<module>etcd</module>
<module>git</module>
<module>hocon</module>
<module>secure</module>
<module>encryption</module>
<module>testing</module>
<module>test-infrastructure</module>
<module>tests</module>


@@ -56,19 +56,19 @@ security:
=== Protecting Configuration Secrets
If you don't provide an explicit instance of Helidon Config to a MicroProfile server, then the
secure config filter **is enabled by default**. However, if you don't configure it, the secure config filter
In Helidon MP, the secure config filter ** enabled by default**. However, if you don't configure it, the secure config filter
only supports a template for aliasing that checks that no clear text passwords are
present (template ${CLEAR=...}.
To add the secure config filter:
In Helidon SE, you may add support for this filter with dependency (loaded through a java service mechanism):
[source,java]
.Add secure config filter
[source,xml]
.Maven Dependency
----
Config helidonConfig = Config.builder()
.addFilter(SecureConfigFilter.fromConfig())
.build();
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-encryption</artifactId>
</dependency>
----
Put encrypted values into your


@@ -30,7 +30,7 @@ Support for encrypting secrets in configuration files.
----
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
</dependency>
----


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -50,7 +50,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -46,7 +46,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -161,7 +161,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<!-- security -->


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -45,7 +45,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018,2019 Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ module io.helidon.microprofile.config {
requires transitive io.helidon.config;
requires transitive microprofile.config.api;
requires io.helidon.config.secure;
requires io.helidon.config.encryption;
exports io.helidon.microprofile.config;


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -74,7 +74,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -66,7 +66,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -42,7 +42,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -57,7 +57,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -62,7 +62,7 @@
</dependency>
<dependency>
<groupId>io.helidon.config</groupId>
<artifactId>helidon-config-secure</artifactId>
<artifactId>helidon-config-encryption</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>