From 8a6e29ccde3525e2012417ac41777529853a5bf0 Mon Sep 17 00:00:00 2001 From: Gary Tully Date: Wed, 12 Oct 2022 12:30:06 +0100 Subject: [PATCH] ARTEMIS-4042 - read sensitive string codec env var if system property is not set --- .../utils/DefaultSensitiveStringCodec.java | 17 +++++++++++++++++ .../DefaultSensitiveStringCodecTest.java | 19 +++++++++++++++++++ docs/user-manual/en/masking-passwords.md | 4 ++++ 3 files changed, 40 insertions(+) diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java index a135e14337..6a5b4caccd 100644 --- a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java +++ b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java @@ -28,6 +28,7 @@ import java.security.spec.InvalidKeySpecException; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; +import java.util.Locale; import java.util.Map; import java.util.Objects; import java.util.Properties; @@ -146,6 +147,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec { logger.trace("Set key from system property {}", KEY_SYSTEM_PROPERTY); updateKey(key); } + if (key == null) { + final String matchingEnvVarName = envVarNameFromSystemPropertyName(KEY_SYSTEM_PROPERTY); + key = getFromEnv(matchingEnvVarName); + if (key != null) { + logger.trace("Set key from env var {}", matchingEnvVarName); + updateKey(key); + } + } } } 
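Review bot: An environment variable that is present but empty passes the `key != null` guard in the new fallback, so `updateKey("")` runs and the codec is keyed with an empty string instead of staying on its built-in default; a shell `export ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY=` or a container `ENV` line with no value is enough to trigger this. Consider `if (key != null && !key.isEmpty())` on the added inner check (the system-property branch just above has the same gap, but that is pre-existing). The precedence is only visible from the trace text; a comment such as `// env var is consulted only when the system property is absent, so -D still overrides the environment` above the added `if (key == null)` would make it explicit. That comment is also the place to note that, unlike a system property, the environment is inherited by any child process the broker forks and on Linux is readable by same-uid processes through /proc, which is presumably why the docs in this patch recommend clearing it after startup. The enclosing method begins before this hunk.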
@@ -205,6 +214,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec { } } + protected String getFromEnv(final String envVarName) { + return System.getenv(envVarName); + } + + public static String envVarNameFromSystemPropertyName(final String systemPropertyName) { + return systemPropertyName.replace(".","_").toUpperCase(Locale.getDefault()); + } + private static class PBKDF2Algorithm extends CodecAlgorithm { private static final String SEPARATOR = ":"; private String sceretKeyAlgorithm = "PBKDF2WithHmacSHA1"; diff --git a/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java b/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java index a9ba3e6089..8b0d3bf38f 100644 --- a/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java +++ b/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java @@ -26,6 +26,7 @@ import java.util.Map; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; 
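Review bot: `toUpperCase(Locale.getDefault())` in `envVarNameFromSystemPropertyName` makes the derived variable name depend on the JVM's default locale; under a Turkish locale the lowercase `i` in the property name upper-cases to dotted `İ`, so the result never equals the `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` name this patch documents and the fallback silently finds nothing. Use the locale-independent mapping: `return systemPropertyName.replace(".", "_").toUpperCase(Locale.ROOT);`. A one-line Javadoc on the method stating the mapping (`.` becomes `_`, then ASCII upper-case) would let operators predict the variable name for any property. `getFromEnv` appears to be `protected` only as a test seam (the test overrides it), which deserves a short comment so it is not widened or inlined later.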
@@ -76,6 +77,24 @@ public class DefaultSensitiveStringCodecTest { assertFalse(codec.verify(otherPassword.toCharArray(), maskedText)); } + @Test + public void testInitFromEnvVar() throws Exception { + final String someString = "bla"; + DefaultSensitiveStringCodec codecFromEnvVarConfig = new DefaultSensitiveStringCodec() { + @Override + public String getFromEnv(String v) { + if (v.contains("_") && !v.contains(".")) { + return someString; + } + return null; + } + }; + Map params = new HashMap<>(); + codecFromEnvVarConfig.init(params); + String blaVersion = codecFromEnvVarConfig.encode(someString); + assertNotEquals(blaVersion, getDefaultSensitiveStringCodec(DefaultSensitiveStringCodec.TWO_WAY).encode(someString)); + } + @Test public void testCompareWithOnewayAlgorithm() throws Exception { testCompareWithAlgorithm(DefaultSensitiveStringCodec.ONE_WAY); diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md index 24400caa87..c76c4d1c51 100644 --- a/docs/user-manual/en/masking-passwords.md +++ b/docs/user-manual/en/masking-passwords.md @@ -413,6 +413,10 @@ that key to unmask the password(s). Therefore, it is possible to supply your that the key is more obscure since it will not exist in any configuration file. It can be set immediately *before* the broker starts and then cleared from the environment immediately *after* the broker finishes starting. + 3. If expansion of the `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` environment + variable to set the system property is a concern, modify the startup scripts + to remove the system property assignment, the environment variable will then + be read directly. ### Using a custom codec
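Review bot: `testInitFromEnvVar` only checks that some name containing `_` and no `.` was requested, so a regression in `envVarNameFromSystemPropertyName` (a different separator, or a locale-dependent case mapping) would still pass; assert the exact name, e.g. `assertEquals("ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY", DefaultSensitiveStringCodec.envVarNameFromSystemPropertyName(DefaultSensitiveStringCodec.KEY_SYSTEM_PROPERTY));` if `KEY_SYSTEM_PROPERTY` is visible to the test, otherwise capture the name the override receives and compare it. Nothing covers precedence either: a case where the system property is set should show the env var is ignored. `Map params = new HashMap<>();` is a raw type; declare it with the type parameters `init` expects to avoid the unchecked warning.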