secret providers: fixing handling of encrypted/external data in prote…

…cted data type
Evolveum · Feb 23, 2024 · 8d39929 · 8d39929
1 parent d012cd3
commit 8d39929
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 9 deletions.
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java
@@ -37,6 +37,8 @@ public interface ProtectedData<T> {
 
     boolean isEncrypted();
 
+    boolean isExternal();
+
     HashedDataType getHashedDataType();
 
     void setHashedData(HashedDataType hashedDataType);

diff --git a/.../prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java b/.../prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java
@@ -135,6 +135,11 @@ public boolean isEncrypted() {
         return encryptedDataType != null;
     }
 
+    @Override
+    public boolean isExternal() {
+        return externalDataType != null;
+    }
+
     @Override
     public HashedDataType getHashedDataType() {
         return hashedDataType;

diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/BaseProtector.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/BaseProtector.java
@@ -20,14 +20,12 @@ public abstract class BaseProtector implements Protector {
 
     @Override
     public <T> void decrypt(ProtectedData<T> protectedData) throws EncryptionException, SchemaException {
-        if (!protectedData.isEncrypted()) {
-            return;
-            //TODO: is this exception really needed?? isn't it better just return the same protected data??
-//            throw new IllegalArgumentException("Attempt to decrypt protected data that are not encrypted");
-        } else {
+        if (protectedData.isEncrypted()) {
             byte[] decryptedData = decryptBytes(protectedData);
             protectedData.setClearBytes(decryptedData);
             protectedData.setEncryptedData(null);
+        } else if (protectedData.isExternal()) {
+            throw new EncryptionException("This protector implementation can't resolve external data");
         }
     }
 
@@ -36,13 +34,15 @@ public <T> void decrypt(ProtectedData<T> protectedData) throws EncryptionExcepti
     @Override
     public String decryptString(ProtectedData<String> protectedString) throws EncryptionException {
         try {
-            if (!protectedString.isEncrypted()) {
-                return protectedString.getClearValue();
-            } else {
+            if (protectedString.isEncrypted()) {
                 byte[] clearBytes = decryptBytes(protectedString);
                 return ProtectedStringType.bytesToString(clearBytes);
+            } else if (protectedString.isExternal()) {
+                throw new EncryptionException("This protector implementation can't resolve external data");
             }
-        } catch (SchemaException ex){
+
+            return protectedString.getClearValue();
+        } catch (SchemaException ex) {
             throw new EncryptionException(ex);
         }
     }

diff --git a/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java b/...mpl/src/main/java/com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.java
@@ -306,6 +306,10 @@ protected <T> byte[] decryptBytes(ProtectedData<T> protectedData)
 
     @Override
     public <T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException {
+        if (protectedData.isExternal()) {
+            protectedData.destroyCleartext();
+            return;
+        }
         if (protectedData.isEncrypted()) {
             throw new IllegalArgumentException(
                     "Attempt to encrypt protected data that are already encrypted");
@@ -582,6 +586,8 @@ private HashedDataType hashPbkd(
     private char[] getClearChars(ProtectedData<String> protectedData) throws EncryptionException {
         if (protectedData.isEncrypted()) {
             return decryptString(protectedData).toCharArray();
+        } else if (protectedData.isExternal()) {
+            throw new EncryptionException("This protector implementation can't resolve external data");
         } else {
             return protectedData.getClearValue().toCharArray();
         }
@@ -709,6 +715,13 @@ public boolean areEquivalent(ProtectedStringType a, ProtectedStringType b) {
                 return false;
             }
         }
+        if (a.isExternal()) {
+            if (b.isExternal()) {
+                return areEquivalentExternal(a,b);
+            } else {
+                return false;
+            }
+        }
         return Objects.equals(a.getClearValue(), b.getClearValue());
     }
 
@@ -717,6 +730,13 @@ private boolean areEquivalentHashed(ProtectedStringType a, ProtectedStringType b
         return Objects.equals(a.getHashedDataType(), b.getHashedDataType());
     }
 
+    private boolean areEquivalentExternal(ProtectedStringType a, ProtectedStringType b) {
+        ExternalDataType ae = a.getExternalData();
+        ExternalDataType be = b.getExternalData();
+
+        return Objects.equals(ae, be);
+    }
+
     private boolean areEquivalentEncrypted(ProtectedStringType a, ProtectedStringType b) {
         EncryptedDataType ae = a.getEncryptedDataType();
         EncryptedDataType be = b.getEncryptedDataType();