Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-9254 Updated default Stateless Sensitive Property configuration 

- Set NIFI_PBKDF2_AES_GCM_256 as property encryption method
- Replaced static default sensitive properties key with random UUID
- Added unit test for PropertiesFileEngineConfigurationParser
- Added random encryption key generation method
- Changed Stateless to use PropertyEncryptionMethod enum

Signed-off-by: Joe Gresock <jgresock@gmail.com>

This closes #5424
This commit is contained in:
exceptionfactory 2021-09-29 12:33:09 -05:00 committed by Joe Gresock
parent 24c0c39ebb
commit a94b47ecf8
No known key found for this signature in database
GPG Key ID: 37F5B9B6E258C8B7
4 changed files with 140 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nifi-commons/nifi-property-encryptor/src/main/java/org/apache/nifi/encrypt/PropertyEncryptionMethod.java
View File

@ -22,7 +22,7 @@ import org.apache.nifi.security.util.KeyDerivationFunction;
/**
* Property Encryption Method enumerates supported values in addition to {@link org.apache.nifi.security.util.EncryptionMethod}
*/
enum PropertyEncryptionMethod {
public enum PropertyEncryptionMethod {
NIFI_ARGON2_AES_GCM_128(KeyDerivationFunction.ARGON2, EncryptionMethod.AES_GCM,128),
NIFI_ARGON2_AES_GCM_256(KeyDerivationFunction.ARGON2, EncryptionMethod.AES_GCM, 256),

29
nifi-stateless/nifi-stateless-api/src/main/java/org/apache/nifi/stateless/config/PropertiesFileEngineConfigurationParser.java
View File

@ -24,9 +24,14 @@ import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
@ -56,10 +61,10 @@ public class PropertiesFileEngineConfigurationParser {
private static final String KRB5_FILE = PREFIX + "kerberos.krb5.file";
private static final String DEFAULT_KRB5_FILENAME = "/etc/krb5.conf";
private static final String DEFAULT_ENCRYPTION_PASSWORD = "nifi-stateless";
private static final Pattern EXTENSION_CLIENT_PATTERN = Pattern.compile("\\Qnifi.stateless.extension.client.\\E(.*?)\\.(.+)");
private static final int PROPERTIES_KEY_LENGTH = 24;
public StatelessEngineConfiguration parseEngineConfiguration(final File propertiesFile) throws IOException, StatelessConfigurationException {
if (!propertiesFile.exists()) {
@ -93,7 +98,7 @@ public class PropertiesFileEngineConfigurationParser {
final String krb5Filename = properties.getProperty(KRB5_FILE, DEFAULT_KRB5_FILENAME);
final File krb5File = new File(krb5Filename);
final String sensitivePropsKey = properties.getProperty(SENSITIVE_PROPS_KEY, DEFAULT_ENCRYPTION_PASSWORD);
final String sensitivePropsKey = getSensitivePropsKey(propertiesFile, properties);
final SslContextDefinition sslContextDefinition = parseSslContextDefinition(properties);
final List<ExtensionClientDefinition> extensionClients = parseExtensionClients(properties);
@ -218,4 +223,24 @@ public class PropertiesFileEngineConfigurationParser {
return propertyValue.trim();
}
private String getSensitivePropsKey(final File propertiesFile, final Properties properties) {
String sensitivePropsKey = properties.getProperty(SENSITIVE_PROPS_KEY);
if (sensitivePropsKey == null || sensitivePropsKey.isEmpty()) {
logger.warn("Generating Random Properties Encryption Key [{}]", SENSITIVE_PROPS_KEY);
final SecureRandom secureRandom = new SecureRandom();
final byte[] sensitivePropertiesKeyBinary = new byte[PROPERTIES_KEY_LENGTH];
secureRandom.nextBytes(sensitivePropertiesKeyBinary);
final Base64.Encoder encoder = Base64.getEncoder().withoutPadding();
sensitivePropsKey = encoder.encodeToString(sensitivePropertiesKeyBinary);
properties.put(SENSITIVE_PROPS_KEY, sensitivePropsKey);
try (final OutputStream outputStream = new FileOutputStream(propertiesFile)) {
properties.store(outputStream, StatelessEngineConfiguration.class.getSimpleName());
} catch (final IOException e) {
final String message = String.format("Store Configuration Properties [%s] Failed", propertiesFile);
throw new UncheckedIOException(message, e);
}
}
return sensitivePropsKey;
}
}

107
nifi-stateless/nifi-stateless-api/src/test/java/org/apache/nifi/stateless/config/PropertiesFileEngineConfigurationParserTest.java Normal file
View File

@ -0,0 +1,107 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.stateless.config;
import org.apache.nifi.stateless.engine.StatelessEngineConfiguration;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
public class PropertiesFileEngineConfigurationParserTest {
private PropertiesFileEngineConfigurationParser parser;
private static Path narDirectory;
private static Path workingDirectory;
@BeforeAll
public static void setDirectories() throws IOException {
narDirectory = Files.createTempDirectory(PropertiesFileEngineConfigurationParserTest.class.getSimpleName());
workingDirectory = Files.createTempDirectory(PropertiesFileEngineConfigurationParserTest.class.getSimpleName());
}
@AfterAll
public static void deleteDirectories() throws IOException {
Files.deleteIfExists(narDirectory);
Files.deleteIfExists(workingDirectory);
}
@BeforeEach
public void setParser() {
parser = new PropertiesFileEngineConfigurationParser();
}
@Test
public void testParseEngineConfigurationRequiredProperties() throws IOException, StatelessConfigurationException {
final Properties properties = getRequiredProperties();
final File propertiesFile = getPropertiesFile(properties);
final StatelessEngineConfiguration configuration = parser.parseEngineConfiguration(propertiesFile);
assertNotNull(configuration);
assertEquals(narDirectory.toFile(), configuration.getNarDirectory());
assertEquals(workingDirectory.toFile(), configuration.getWorkingDirectory());
}
@Test
public void testParseEngineConfigurationRandomSensitivePropsKey() throws IOException, StatelessConfigurationException {
final Properties properties = getRequiredProperties();
final File propertiesFile = getPropertiesFile(properties);
final StatelessEngineConfiguration configuration = parser.parseEngineConfiguration(propertiesFile);
assertNotNull(configuration);
final String sensitivePropsKey = configuration.getSensitivePropsKey();
assertNotNull(sensitivePropsKey);
assertFalse(sensitivePropsKey.isEmpty());
final StatelessEngineConfiguration reloadedConfiguration = parser.parseEngineConfiguration(propertiesFile);
assertEquals(sensitivePropsKey, reloadedConfiguration.getSensitivePropsKey());
}
private Properties getRequiredProperties() {
final Properties properties = new Properties();
properties.setProperty("nifi.stateless.nar.directory", narDirectory.toString());
properties.setProperty("nifi.stateless.working.directory", workingDirectory.toString());
return properties;
}
private File getPropertiesFile(final Properties properties) throws IOException {
final File file = File.createTempFile(getClass().getSimpleName(), ".properties");
file.deleteOnExit();
try (final OutputStream outputStream = new FileOutputStream(file)) {
properties.store(outputStream, null);
}
return file;
}
}

21
nifi-stateless/nifi-stateless-bundle/nifi-stateless-engine/src/main/java/org/apache/nifi/stateless/flow/StandardStatelessDataflowFactory.java
View File

@ -30,8 +30,9 @@ import org.apache.nifi.controller.repository.metrics.RingBufferEventRepository;
import org.apache.nifi.controller.scheduling.StatelessProcessScheduler;
import org.apache.nifi.controller.service.ControllerServiceProvider;
import org.apache.nifi.controller.service.StandardControllerServiceProvider;
import org.apache.nifi.encrypt.PropertyEncryptionMethod;
import org.apache.nifi.encrypt.PropertyEncryptor;
import org.apache.nifi.encrypt.PropertyEncryptorFactory;
import org.apache.nifi.encrypt.PropertyEncryptorBuilder;
import org.apache.nifi.events.EventReporter;
import org.apache.nifi.events.VolatileBulletinRepository;
import org.apache.nifi.extensions.ExtensionClient;
@ -51,7 +52,6 @@ import org.apache.nifi.registry.flow.InMemoryFlowRegistry;
import org.apache.nifi.registry.flow.StandardFlowRegistryClient;
import org.apache.nifi.registry.flow.VersionedFlowSnapshot;
import org.apache.nifi.reporting.BulletinRepository;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.stateless.bootstrap.ExtensionDiscovery;
import org.apache.nifi.stateless.config.ExtensionClientDefinition;
import org.apache.nifi.stateless.config.SslConfigurationUtil;
@ -73,7 +73,6 @@ import org.apache.nifi.stateless.repository.StatelessFileSystemContentRepository
import org.apache.nifi.stateless.repository.StatelessFlowFileRepository;
import org.apache.nifi.stateless.repository.StatelessProvenanceRepository;
import org.apache.nifi.stateless.repository.StatelessRepositoryContextFactory;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -83,14 +82,11 @@ import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
public class StandardStatelessDataflowFactory implements StatelessDataflowFactory<VersionedFlowSnapshot> {
private static final Logger logger = LoggerFactory.getLogger(StandardStatelessDataflowFactory.class);
private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.MD5_256AES;
@Override
public StatelessDataflow createDataflow(final StatelessEngineConfiguration engineConfiguration, final DataflowDefinition<VersionedFlowSnapshot> dataflowDefinition)
@ -167,7 +163,9 @@ public class StandardStatelessDataflowFactory implements StatelessDataflowFactor
return created;
}
created = getPropertyEncryptor(engineConfiguration.getSensitivePropsKey());
created = new PropertyEncryptorBuilder(engineConfiguration.getSensitivePropsKey())
.setAlgorithm(PropertyEncryptionMethod.NIFI_PBKDF2_AES_GCM_256.toString())
.build();
return created;
}
};
@ -342,13 +340,4 @@ public class StandardStatelessDataflowFactory implements StatelessDataflowFactor
return Integer.parseInt(javaVersion.substring(0, dotIndex));
}
private PropertyEncryptor getPropertyEncryptor(final String sensitivePropertiesKey) {
final Map<String, String> properties = new HashMap<>();
properties.put(NiFiProperties.SENSITIVE_PROPS_ALGORITHM, ENCRYPTION_METHOD.getAlgorithm());
properties.put(NiFiProperties.SENSITIVE_PROPS_PROVIDER, ENCRYPTION_METHOD.getProvider());
properties.put(NiFiProperties.SENSITIVE_PROPS_KEY, sensitivePropertiesKey);
final NiFiProperties niFiProperties = NiFiProperties.createBasicNiFiProperties(null, properties);
return PropertyEncryptorFactory.getPropertyEncryptor(niFiProperties);
}
}