Feature/v10.x/secret management

agent-manager/agent/agent.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"regexp"
 	"time"
 
 	"github.com/utmstack/UTMStack/agent-manager/config"
@@ -101,6 +102,19 @@ func (s *Grpc) AgentStream(stream AgentService_AgentStreamServer) error {
 	}
 }
 
+func (s *Grpc) replaceSecretValues(input string) string {
+	pattern := regexp.MustCompile(`\$\[(\w+):([^\]]+)\]`)
+	return pattern.ReplaceAllStringFunc(input, func(match string) string {
+		matches := pattern.FindStringSubmatch(match)
+		if len(matches) < 3 {
+			return match // In case of no match, return the original
+		}
+		encryptedValue := matches[2]
+		decryptedValue, _ := util.DecryptValue(encryptedValue)
+		return decryptedValue
+	})
+}
+
 func (s *Grpc) ProcessCommand(stream PanelService_ProcessCommandServer) error {
 	for {
 		cmd, err := stream.Recv()
@@ -144,7 +158,7 @@ func (s *Grpc) ProcessCommand(stream PanelService_ProcessCommandServer) error {
 			StreamMessage: &BidirectionalStream_Command{
 				Command: &UtmCommand{
 					AgentKey:    cmd.AgentKey,
-					Command:     cmd.Command,
+					Command:     s.replaceSecretValues(cmd.Command),
 					CmdId:       cmdID,
 					InternalKey: config.GetInternalKey(),
 				},

agent-manager/config/global_const.go

@@ -27,6 +27,7 @@ func ConnectionKeyRoutes() []string {
 
 const PanelConnectionKeyUrl = "%s/api/authenticateFederationServiceManager"
 const UTMSharedKeyEnv = "INTERNAL_KEY"
+const UTMEncryptionKeyEnv = "ENCRYPTION_KEY"
 const UTMHostEnv = "UTM_HOST"
 
 func GetInternalKey() string {

agent-manager/util/aes.go

@@ -10,7 +10,7 @@ import (
 )
 
 var (
-	passphrase = os.Getenv(config.UTMSharedKeyEnv)
+	passphrase = os.Getenv(config.UTMEncryptionKeyEnv)
 )
 
 func EncryptDecryptConfValues(conf *models.AgentModuleConfiguration, action string) *models.AgentModuleConfiguration {

backend/src/main/java/com/park/utmstack/config/SecurityConfiguration.java

@@ -55,8 +55,8 @@ public SecurityConfiguration(AuthenticationManagerBuilder authenticationManagerB
     public void init() {
         try {
             authenticationManagerBuilder
-                .userDetailsService(userDetailsService)
-                .passwordEncoder(passwordEncoder());
+                    .userDetailsService(userDetailsService)
+                    .passwordEncoder(passwordEncoder());
         } catch (Exception e) {
             throw new BeanInitializationException("Security configuration failed", e);
         }
@@ -76,51 +76,53 @@ public PasswordEncoder passwordEncoder() {
     @Bean
     public WebSecurityCustomizer webSecurityCustomizer() {
         return web -> web.ignoring()
-            .antMatchers(HttpMethod.OPTIONS, "/**")
-            .antMatchers("/swagger-ui/**")
-            .antMatchers("/i18n/**");
+                .antMatchers(HttpMethod.OPTIONS, "/**")
+                .antMatchers("/swagger-ui/**")
+                .antMatchers("/i18n/**");
     }
 
     @Override
     public void configure(HttpSecurity http) throws Exception {
         http
-            .csrf()
-            .disable()
-            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
-            .exceptionHandling()
-            .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
-            .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
-            .and()
-            .headers()
-            .frameOptions()
-            .disable()
-            .and()
-            .sessionManagement()
-            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .and()
-            .authorizeRequests()
-            .antMatchers("/api/authenticate").permitAll()
-            .antMatchers("/api/authenticateFederationServiceManager").permitAll()
-            .antMatchers("/api/ping").permitAll()
-            .antMatchers("/api/date-format").permitAll()
-            .antMatchers("/api/healthcheck").permitAll()
-            .antMatchers("/api/releaseInfo").permitAll()
-            .antMatchers("/api/account/reset-password/init").permitAll()
-            .antMatchers("/api/account/reset-password/finish").permitAll()
-            .antMatchers("/api/images/all").permitAll()
-            .antMatchers("/api/tfa/verifyCode").hasAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER)
-            .antMatchers("/api/utm-incident-jobs").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/api/utm-incident-jobs/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/api/custom-reports/**").denyAll()
-            .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
-            .antMatchers("/ws/topic").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/ws/**").permitAll()
-            .antMatchers("/management/info").permitAll()
-            .antMatchers("/management/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
-            .and()
-            .apply(securityConfigurerAdapterForJwt())
-            .and()
-            .apply(securityConfigurerAdapterForInternalApiKey());
+                .csrf()
+                .disable()
+                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
+                .exceptionHandling()
+                .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
+                .accessDeniedHandler((request, response, accessDeniedException) -> response.sendError(HttpServletResponse.SC_FORBIDDEN))
+                .and()
+                .headers()
+                .frameOptions()
+                .disable()
+                .and()
+                .sessionManagement()
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and()
+                .authorizeRequests()
+                .antMatchers("/api/authenticate").permitAll()
+                .antMatchers("/api/authenticateFederationServiceManager").permitAll()
+                .antMatchers("/api/ping").permitAll()
+                .antMatchers("/api/date-format").permitAll()
+                .antMatchers("/api/healthcheck").permitAll()
+                .antMatchers("/api/releaseInfo").permitAll()
+                .antMatchers("/api/account/reset-password/init").permitAll()
+                .antMatchers("/api/account/reset-password/finish").permitAll()
+                .antMatchers("/api/images/all").permitAll()
+                .antMatchers("/api/tfa/verifyCode").hasAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER)
+                .antMatchers("/api/utm-incident-jobs").hasAuthority(AuthoritiesConstants.ADMIN)
+                .antMatchers("/api/utm-incident-jobs/**").hasAuthority(AuthoritiesConstants.ADMIN)
+                .antMatchers("/api/utm-incident-variables/**").hasAuthority(AuthoritiesConstants.ADMIN)
+                .antMatchers(HttpMethod.GET, "/api/utm-incident-variables").hasAnyAuthority()
+                .antMatchers("/api/custom-reports/**").denyAll()
+                .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
+                .antMatchers("/ws/topic").hasAuthority(AuthoritiesConstants.ADMIN)
+                .antMatchers("/ws/**").permitAll()
+                .antMatchers("/management/info").permitAll()
+                .antMatchers("/management/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
+                .and()
+                .apply(securityConfigurerAdapterForJwt())
+                .and()
+                .apply(securityConfigurerAdapterForInternalApiKey());
 
     }
 

backend/src/main/java/com/park/utmstack/domain/incident_response/UtmIncidentVariable.java

@@ -0,0 +1,106 @@
+package com.park.utmstack.domain.incident_response;
+
+
+import javax.persistence.*;
+import java.io.Serializable;
+import java.time.Instant;
+
+/**
+ * A UtmIncidentVariable.
+ */
+@Entity
+@Table(name = "utm_incident_variables")
+public class UtmIncidentVariable implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "variable_name")
+    private String variableName;
+
+    @Column(name = "variable_value")
+    private String variableValue;
+
+    @Column(name = "variable_description")
+    private String variableDescription;
+
+    @Column(name = "is_secret")
+    private boolean isSecret;
+
+    @Column(name = "created_by")
+    private String createdBy;
+
+    @Column(name = "last_modified_date")
+    private Instant lastModifiedDate;
+
+    @Column(name = "last_modified_by")
+    private String lastModifiedBy;
+
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getVariableName() {
+        return variableName;
+    }
+
+    public void setVariableName(String variableName) {
+        this.variableName = variableName;
+    }
+
+    public String getVariableValue() {
+        return variableValue;
+    }
+
+    public void setVariableValue(String variableValue) {
+        this.variableValue = variableValue;
+    }
+
+    public boolean isSecret() {
+        return isSecret;
+    }
+
+    public void setSecret(boolean secret) {
+        isSecret = secret;
+    }
+
+    public String getCreatedBy() {
+        return createdBy;
+    }
+
+    public void setCreatedBy(String createdBy) {
+        this.createdBy = createdBy;
+    }
+
+    public Instant getLastModifiedDate() {
+        return lastModifiedDate;
+    }
+
+    public void setLastModifiedDate(Instant lastModifiedDate) {
+        this.lastModifiedDate = lastModifiedDate;
+    }
+
+    public String getLastModifiedBy() {
+        return lastModifiedBy;
+    }
+
+    public void setLastModifiedBy(String lastModifiedBy) {
+        this.lastModifiedBy = lastModifiedBy;
+    }
+
+    public String getVariableDescription() {
+        return variableDescription;
+    }
+
+    public void setVariableDescription(String variableDescription) {
+        this.variableDescription = variableDescription;
+    }
+}

backend/src/main/java/com/park/utmstack/repository/incident_response/UtmIncidentVariableRepository.java

@@ -0,0 +1,23 @@
+package com.park.utmstack.repository.incident_response;
+
+import com.park.utmstack.domain.incident_response.UtmIncidentAction;
+import com.park.utmstack.domain.incident_response.UtmIncidentVariable;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+
+/**
+ * Spring Data  repository for the UtmIncidentAction entity.
+ */
+@SuppressWarnings("unused")
+@Repository
+public interface UtmIncidentVariableRepository extends JpaRepository<UtmIncidentVariable, Long>, JpaSpecificationExecutor<UtmIncidentVariable> {
+
+    Optional<UtmIncidentVariable> findByVariableName(String variable);
+
+    List<UtmIncidentVariable> findAllByVariableNameIn(List<String> variables);
+}