GTNPORTAL-2898 Added EncoderService for password masking support
Showing
6 changed files
with
297 additions
and
1 deletion.
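--- a/component/portal/src/main/java/org/gatein/portal/encoder/EncoderService.java
+++ b/component/portal/src/main/java/org/gatein/portal/encoder/EncoderService.java
@@ -0,0 +1,141 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2013, Red Hat Middleware, LLC, and individual
+* contributors as indicated by the @authors tag. See the
+* copyright.txt in the distribution for a full listing of
+* individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+
+package org.gatein.portal.encoder;
+
+import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
+import org.exoplatform.container.xml.InitParams;
+import org.exoplatform.container.xml.ValueParam;
+import org.exoplatform.management.annotations.Impact;
+import org.exoplatform.management.annotations.ImpactType;
+import org.exoplatform.management.annotations.Managed;
+import org.exoplatform.management.annotations.ManagedDescription;
+import org.exoplatform.management.annotations.ManagedName;
+import org.exoplatform.management.jmx.annotations.NameTemplate;
+import org.exoplatform.management.jmx.annotations.Property;
+import org.exoplatform.management.rest.annotations.RESTEndpoint;
+import org.gatein.common.logging.Logger;
+import org.gatein.common.logging.LoggerFactory;
+import org.gatein.common.util.Base64;
+import org.gatein.portal.installer.PBEUtils;
+import org.picketlink.idm.impl.store.ldap.SimpleLDAPIdentityStoreConfiguration;
+import org.picocontainer.Startable;
+
+/**
+* Helper JMX component for encoding/decoding plain text into masked string. It's useful for password masking
+*
+* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+*/
+@Managed
+@ManagedDescription("Encoder Service")
+@NameTemplate({ @Property(key = "name", value = "encoderService"), @Property(key = "service", value = "EncoderService") })
+@RESTEndpoint(path = "encoderService")
+public class EncoderService implements Startable {
+
+// Same value like SimpleLDAPIdentityStoreConfiguration.ENCODING_KEY_STORE_PASSWORD_DEFAULT
+private static final String ENCODING_KEY_STORE_PASSWORD_DEFAULT = "somearbitrarycrazystringthatdoesnotmatter";
+
+private static final Logger log = LoggerFactory.getLogger(EncoderService.class);
+
+private final char[] keyStorePassword;
+private final byte[] salt;
+private final int iterationCount;
+
+/** The secret key that corresponds to the keystore password */
+private SecretKey cipherKey;
+
+/** The encode/decode cipher algorithm */
+private final String cipherAlgorithm;
+
+/** Cipher specification, which specifies info about salt and iterationsCount **/
+private PBEParameterSpec cipherSpec;
+
+public EncoderService(InitParams params) throws UnsupportedEncodingException {
+ValueParam keyStorePasswordParam = params.getValueParam("keyStorePassword");
+String keyStorePassword = keyStorePasswordParam != null ? keyStorePasswordParam.getValue() : ENCODING_KEY_STORE_PASSWORD_DEFAULT;
+this.keyStorePassword = keyStorePassword.toCharArray();
+this.cipherAlgorithm = getParam(params, "cipherAlgorithm");
+String saltParam = getParam(params, "salt");
+String iterationCountParam = getParam(params, "iterationCount");
+
+if (saltParam.length() < 8) {
+throw new IllegalArgumentException("Salt param needs to have length at least 8. Current value is " + saltParam);
+}
+this.salt = saltParam.substring(0, 8).getBytes("UTF-8");
+
+this.iterationCount = Integer.parseInt(iterationCountParam);
+}
+
+@Override
+public void start() {
+try {
+this.cipherSpec = new PBEParameterSpec(salt, iterationCount);
+PBEKeySpec keySpec = new PBEKeySpec(keyStorePassword);
+SecretKeyFactory factory = SecretKeyFactory.getInstance(cipherAlgorithm);
+this.cipherKey = factory.generateSecret(keySpec);
+} catch (Exception e) {
+log.error("Error starting EncoderService", e);
+}
+}
+
+@Override
+public void stop() {
+if (keyStorePassword != null) {
+Arrays.fill(keyStorePassword, '\0');
+}
+cipherKey = null;
+}
+
+@Managed
+@ManagedDescription("Encode a secret as a base64 string using the cipher algorithm and the KeyStore password")
+@Impact(ImpactType.READ)
+public String encode64(@ManagedDescription("secret") @ManagedName("The secret in plain-text to be encoded") String secret) throws Exception {
+byte[] secretBytes = secret.getBytes("UTF-8");
+return PBEUtils.encode64(secretBytes, cipherAlgorithm, cipherKey, cipherSpec);
+}
+
+@Managed
+@ManagedDescription("Decode a base64 secret using the cipher algorithm and the KeyStore password")
+@Impact(ImpactType.READ)
+public String decode64(@ManagedDescription("secret") @ManagedName("The masked secret to be decoded") String secret) throws Exception {
+return PBEUtils.decode64(secret, cipherAlgorithm, cipherKey, cipherSpec);
+}
+
+private String getParam(InitParams params, String paramName) {
+ValueParam param = params.getValueParam(paramName);
+if (param == null) {
+throw new IllegalArgumentException("Parameter '" + paramName + "' needs to be provided");
+}
+
+return param.getValue();
+}
+
+}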
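Review bot: start() catches every exception and only logs it, so a misconfigured cipherAlgorithm, salt or iterationCount leaves cipherKey and cipherSpec null and the failure only shows up later, presumably as a NullPointerException inside PBEUtils, on the first encode64/decode64 call over JMX or REST; a key-derivation failure should fail the component instead, e.g. `throw new IllegalStateException("Error starting EncoderService", e);` after the log call, and encode64/decode64 should reject calls while cipherKey is null. PBEKeySpec keeps its own copy of the password, so the Arrays.fill in stop() does not reach it; add `keySpec.clearPassword();` right after generateSecret(). The constructor truncates the salt by characters (`substring(0, 8)`) before UTF-8 encoding, so a salt containing non-ASCII characters yields more than 8 bytes and a PBEParameterSpec that the PBE cipher will reject at runtime; truncate the encoded bytes instead, e.g. `this.salt = Arrays.copyOf(saltParam.getBytes("UTF-8"), 8);` with the length check done on the byte array. Because decode64 returns the plaintext and the class is exposed as a @RESTEndpoint, the class Javadoc should state that management access to this endpoint is equivalent to holding every masked secret, and that the built-in ENCODING_KEY_STORE_PASSWORD_DEFAULT makes the masking obfuscation only until keyStorePassword is configured. The imports of GeneralSecurityException, Base64 and SimpleLDAPIdentityStoreConfiguration are unused (the last is only referenced in a comment) and can be dropped.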
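--- a/component/portal/src/test/java/org/gatein/portal/encoder/TestEncoderService.java
+++ b/component/portal/src/test/java/org/gatein/portal/encoder/TestEncoderService.java
@@ -0,0 +1,63 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2013, Red Hat Middleware, LLC, and individual
+* contributors as indicated by the @authors tag. See the
+* copyright.txt in the distribution for a full listing of
+* individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+
+package org.gatein.portal.encoder;
+
+import org.exoplatform.component.test.AbstractKernelTest;
+import org.exoplatform.component.test.ConfigurationUnit;
+import org.exoplatform.component.test.ConfiguredBy;
+import org.exoplatform.component.test.ContainerScope;
+import org.exoplatform.container.PortalContainer;
+
+/**
+* Test for {@link EncoderService}
+*
+* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+*/
+@ConfiguredBy({
+@ConfigurationUnit(scope = ContainerScope.PORTAL, path = "conf/exo.portal.component.encoder-configuration.xml")})
+public class TestEncoderService extends AbstractKernelTest {
+
+private EncoderService encoderService;
+
+@Override
+protected void setUp() throws Exception {
+PortalContainer portalContainer = PortalContainer.getInstance();
+this.encoderService = (EncoderService) portalContainer.getComponentInstanceOfType(EncoderService.class);
+}
+
+public void testEncoder() throws Exception {
+encodeDecodeTest("gtn", "6MSyXIj3kkQ=");
+encodeDecodeTest("blabla", "tstM3KRJOU4=");
+encodeDecodeTest("gogog", "zlGKEql9zxE=");
+}
+
+private void encodeDecodeTest(String plainText, String expectedEncoded) throws Exception {
+String encoded = encoderService.encode64(plainText);
+assertEquals(encoded, expectedEncoded);
+
+String decoded = encoderService.decode64(encoded);
+assertEquals(decoded, plainText);
+}
+
+}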
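Review bot: Both assertEquals calls in encodeDecodeTest pass the actual value first and the expected value second (`assertEquals(encoded, expectedEncoded)`), which inverts JUnit's (expected, actual) contract and makes failure messages report the values the wrong way round; swap them to `assertEquals(expectedEncoded, encoded);` and `assertEquals(plainText, decoded);`. The pinned ciphertexts are computed under the built-in default keystore password, since the test configuration sets no keyStorePassword; a short comment on testEncoder saying that the vectors depend on the default password, the salt `unodostrescuatro` and iterationCount 9 would save the next person who changes those defaults a puzzled debugging session. A case where decode64 is given a non-base64 or truncated input would also document what callers should expect from the endpoint on bad data.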
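--- a/component/portal/src/test/resources/conf/exo.portal.component.encoder-configuration.xml
+++ b/component/portal/src/test/resources/conf/exo.portal.component.encoder-configuration.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+~ JBoss, a division of Red Hat
+~ Copyright 2013, Red Hat Middleware, LLC, and individual
+~ contributors as indicated by the @authors tag. See the
+~ copyright.txt in the distribution for a full listing of
+~ individual contributors.
+~
+~ This is free software; you can redistribute it and/or modify it
+~ under the terms of the GNU Lesser General Public License as
+~ published by the Free Software Foundation; either version 2.1 of
+~ the License, or (at your option) any later version.
+~
+~ This software is distributed in the hope that it will be useful,
+~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+~ Lesser General Public License for more details.
+~
+~ You should have received a copy of the GNU Lesser General Public
+~ License along with this software; if not, write to the Free
+~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
+xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
+<component>
+<key>org.gatein.portal.encoder.EncoderService</key>
+<type>org.gatein.portal.encoder.EncoderService</type>
+<init-params>
+<value-param>
+<name>cipherAlgorithm</name>
+<value>PBEwithMD5andDES</value>
+</value-param>
+<value-param>
+<name>salt</name>
+<value>unodostrescuatro</value>
+</value-param>
+<value-param>
+<name>iterationCount</name>
+<value>9</value>
+</value-param>
+</init-params>
+</component>
+</configuration>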
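--- a/web/portal/src/main/webapp/WEB-INF/conf/common/encoder-configuration.xml
+++ b/web/portal/src/main/webapp/WEB-INF/conf/common/encoder-configuration.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+~ JBoss, a division of Red Hat
+~ Copyright 2013, Red Hat Middleware, LLC, and individual
+~ contributors as indicated by the @authors tag. See the
+~ copyright.txt in the distribution for a full listing of
+~ individual contributors.
+~
+~ This is free software; you can redistribute it and/or modify it
+~ under the terms of the GNU Lesser General Public License as
+~ published by the Free Software Foundation; either version 2.1 of
+~ the License, or (at your option) any later version.
+~
+~ This software is distributed in the hope that it will be useful,
+~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+~ Lesser General Public License for more details.
+~
+~ You should have received a copy of the GNU Lesser General Public
+~ License along with this software; if not, write to the Free
+~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd http://www.exoplatform.org/xml/ns/kernel_1_2.xsd"
+xmlns="http://www.exoplatform.org/xml/ns/kernel_1_2.xsd">
+<component>
+<key>org.gatein.portal.encoder.EncoderService</key>
+<type>org.gatein.portal.encoder.EncoderService</type>
+<init-params>
+<value-param>
+<name>cipherAlgorithm</name>
+<value>PBEwithMD5andDES</value>
+</value-param>
+<value-param>
+<name>salt</name>
+<value>unodostrescuatro</value>
+</value-param>
+<value-param>
+<name>iterationCount</name>
+<value>9</value>
+</value-param>
+</init-params>
+</component>
+</configuration>
+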
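Review bot: This shipped configuration fixes PBEwithMD5andDES, a literal salt (`unodostrescuatro`) and iterationCount 9, and sets no keyStorePassword, so EncoderService falls back to its compile-time default; every parameter protecting a masked value is therefore readable in the source tree, and the masking is obfuscation rather than encryption until a deployment overrides them. Add an XML comment above `<init-params>` stating that keyStorePassword (read by EncoderService's constructor but not listed here), salt and iterationCount must be set per deployment, and that MD5/DES is a legacy algorithm, presumably kept for compatibility with the PicketLink LDAP store given the comment in EncoderService. The test resource conf/exo.portal.component.encoder-configuration.xml in this commit uses the same values, which is fine for the fixed-vector test but should not be copied into production configuration.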