public static String createAuthorizationHeader(AuthCredentialsServiceState authState) { if (authState == null) { return null; } if (AuthCredentialsType.Bearer.toString().equals(authState.type)) { String token = EncryptionUtils.decrypt(authState.privateKey); return "Bearer " + token; } AuthCredentialsType authCredentialsType = AuthCredentialsType.valueOf(authState.type); if (AuthCredentialsType.Password == authCredentialsType) { String username = authState.userEmail; String password = EncryptionUtils.decrypt(authState.privateKey); String code = new String(Base64.getEncoder().encode( (username + ":" + password).getBytes())); return "Basic " + code; } return null; }
protected static void handlePatchPostPut(Service service, Operation op) { AuthCredentialsServiceState body = op.getBody(AuthCredentialsServiceState.class); // Credentials with SYSTEM scope need the password in plain text or they can't be used to // login into Xenon! boolean isSystemScope = (body.customProperties != null) && CredentialsScope.SYSTEM.toString().equals( body.customProperties.get(CUSTOM_PROP_CREDENTIALS_SCOPE)); if (!isSystemScope) { body.privateKey = EncryptionUtils.encrypt(body.privateKey); op.setBodyNoCloning(body); } }
/** * Initializes (or re-initializes) the {@link EncryptorService} by reading the configured * encryption key file. */ public static void initEncryptionService() { File encryptionKey = getEncryptionFile(); if (encryptionKey == null) { encryptionService = null; } else { encryptionService = new EncryptorService(encryptionKey); try { encryptionService.encrypt(ENCRYPTION_PREFIX); } catch (Exception e) { throw new LocalizableValidationException(e, "Error validating the encryption key!", "common.encryption.file.validation"); } } }
@Before public void setUp() throws Throwable { // wait for needed services waitForServiceAvailability(AuthCredentialsService.FACTORY_LINK); // common setup System.clearProperty(EncryptionUtils.ENCRYPTION_KEY); System.clearProperty(EncryptionUtils.INIT_KEY_IF_MISSING); EncryptionUtils.initEncryptionService(); }
@Test public void testManagementHostInitializationWithEncryptionNoErrors() throws Throwable { File keyFile = Paths.get(folder.newFolder().getPath(), "encryption.key").toFile(); System.setProperty(EncryptionUtils.ENCRYPTION_KEY, keyFile.getPath()); System.setProperty(EncryptionUtils.INIT_KEY_IF_MISSING, "true"); EncryptionUtils.initEncryptionService(); try (TestManagementHost host = new TestManagementHost(false)) { // we're just verifying that no exceptions are thrown assertNull(host.getSecureListener()); } }
if (trustStorePassword != null) { System.setProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD, EncryptionUtils.decrypt(trustStorePassword));
public static DeferredResult<Void> handlePatchPostPut(Service service, Operation op) { AuthCredentialsServiceState body = op.getBody(AuthCredentialsServiceState.class); // Credentials with SYSTEM scope need the password in plain text or they can't be used to // login into Admiral! boolean isSystemScope = (body.customProperties != null) && AuthConfigProvider.CredentialsScope.SYSTEM.toString().equals( body.customProperties.get(AuthConfigProvider.PROPERTY_SCOPE)); if (!isSystemScope) { body.privateKey = EncryptionUtils.encrypt(body.privateKey); op.setBodyNoCloning(body); } return null; }
@Test public void testPlainTextSystemCredentials() throws Throwable { // init EncryptionUtils File keyFile = Paths.get(folder.newFolder().getPath(), "encryption.key").toFile(); System.setProperty(EncryptionUtils.ENCRYPTION_KEY, keyFile.getPath()); System.setProperty(EncryptionUtils.INIT_KEY_IF_MISSING, "true"); EncryptionUtils.initEncryptionService(); AuthCredentialsServiceState credentials = createCredentials("username", "password", true); assertEquals("username", credentials.userEmail); assertNotNull(credentials.privateKey); assertFalse(credentials.privateKey.startsWith(EncryptionUtils.ENCRYPTION_PREFIX)); assertEquals("password", credentials.privateKey); credentials = createCredentials("username2", "password2", false); assertEquals("username2", credentials.userEmail); assertNotNull(credentials.privateKey); assertTrue(credentials.privateKey.startsWith(EncryptionUtils.ENCRYPTION_PREFIX)); // like AuthBootstrapService does AuthCredentialsServiceState credentialsPatch = new AuthCredentialsServiceState(); credentialsPatch.privateKey = "password2"; credentialsPatch.customProperties = new HashMap<>(); credentialsPatch.customProperties.put(AuthConfigProvider.PROPERTY_SCOPE, AuthConfigProvider.CredentialsScope.SYSTEM.toString()); credentials = doPatch(credentialsPatch, credentials.documentSelfLink); assertEquals("username2", credentials.userEmail); assertNotNull(credentials.privateKey); assertFalse(credentials.privateKey.startsWith(EncryptionUtils.ENCRYPTION_PREFIX)); assertEquals("password2", credentials.privateKey); }
/** * Initializes (or re-initializes) the {@link EncryptorService} by reading the configured * encryption key file. */ public static void initEncryptionService() { File encryptionKey = getEncryptionFile(); if (encryptionKey == null) { encryptionService = null; } else { encryptionService = new EncryptorService(encryptionKey); try { encryptionService.encrypt(ENCRYPTION_PREFIX); } catch (Exception e) { throw new LocalizableValidationException(e, "Error validating the encryption key!", "common.encryption.file.validation"); } } }
public static KubeConfig constructKubeConfig(String clusterAddress, AuthCredentialsServiceState credentials) { KubeConfig config = createKubeConfig(clusterAddress); KubeConfig.UserEntry userEntry = new KubeConfig.UserEntry(); userEntry.name = config.contexts.get(0).context.user; userEntry.user = new KubeConfig.AuthInfo(); config.users = Arrays.asList(userEntry); AuthCredentialsType credentialsType = AuthCredentialsType.valueOf(credentials.type); switch (credentialsType) { case Bearer: userEntry.user.token = EncryptionUtils.decrypt(credentials.privateKey); break; case PublicKey: userEntry.user.clientCertificateData = new String( Base64.getEncoder().encode(credentials.publicKey.getBytes())); userEntry.user.clientKeyData = new String(Base64.getEncoder() .encode(EncryptionUtils.decrypt(credentials.privateKey).getBytes())); break; case Password: userEntry.user.username = credentials.userEmail; userEntry.user.password = EncryptionUtils.decrypt(credentials.privateKey); break; default: throw new LocalizableValidationException("Unsupported credentials type", "adapter.unsuported.auth.credentials.type"); } return config; }
/** * Sets read/write permissions only to the owner of the encryption file. */ private void setEncryptionFilePermissions() throws Throwable { String encFileParam = System.getProperty(EncryptionUtils.ENCRYPTION_KEY); if (encFileParam == null) { return; } File f = new File(encFileParam); File parent = f.getParentFile(); // create parent folder if it does not exist if (!parent.exists() && !parent.mkdirs()) { log(Level.SEVERE, "Cannot create folders %s for encryption file.", parent.getAbsolutePath()); throw new IOException("Cannot create " + parent.getAbsolutePath()); } // dummy call to initialize the EncryptionUtils and create the encryption file EncryptionUtils.encrypt(null); try { // set file permissions setPermissionsToOwner(f); } catch (Throwable e) { log(Level.SEVERE, "Cannot change permissions of file %s. Error: %s", encFileParam, e.getMessage()); throw e; } }
.getResource("/encryption.key").toURI().getPath(); System.setProperty(ENCRYPTION_KEY, encryptionKey); EncryptionUtils.initEncryptionService();
/** * Utility method to decode a PEM encoded private key string to a PrivateKey instance * * @param key * - a PEM encoded private key string * @return - decoded PrivateKey instance */ public static KeyPair createKeyPair(String key) { AssertUtil.assertNotNull(key, "key"); String decryptedKey = EncryptionUtils.decrypt(key); try (PEMParser parser = new PEMParser(new StringReader(decryptedKey))) { JcaPEMKeyConverter converter = new JcaPEMKeyConverter(); PEMKeyPair keyPair = (PEMKeyPair) parser.readObject(); if (keyPair == null) { throw new RuntimeException("A valid key pair was not found"); } return converter.getKeyPair(keyPair); } catch (IOException e) { throw new RuntimeException("Failed to create key pair", e); } }
@Override public void handleCreate(Operation op) { if (PhotonModelUtils.isFromMigration(op)) { op.complete(); return; } if (checkForValid(op)) { SessionState body = op.getBody(SessionState.class); body.externalToken = EncryptionUtils.encrypt(body.externalToken); super.handleCreate(op); } }
System.setProperty(EncryptionUtils.ENCRYPTION_KEY, keyFile.getPath()); System.setProperty(EncryptionUtils.INIT_KEY_IF_MISSING, "true"); EncryptionUtils.initEncryptionService();
clientKey = EncryptionUtils.decrypt(input.getCredentials().privateKey); clientCert = input.getCredentials().publicKey;
EncryptionUtils.decrypt(this.auth.privateKey).getBytes(), null, null); java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no");
EncryptionUtils.decrypt(this.auth.privateKey).getBytes(), null, null); java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no");
private void createOrUpdateTargetSsl(KubernetesContext context) { URI uri = UriUtils.buildUri(context.host.address); if (!isSecure(uri)) { return; } String sslTrust = context.SSLTrustCertificate; if (sslTrust != null && trustManager != null) { String trustAlias = context.SSLTrustAlias; trustManager.putDelegate(trustAlias, sslTrust); } if (context.credentials == null || !AuthCredentialsType.PublicKey.name().equals(context.credentials.type)) { return; } String clientKey = EncryptionUtils.decrypt(context.credentials.privateKey); String clientCert = context.credentials.publicKey; String alias = context.host.address.toLowerCase(); if (clientKey != null && !clientKey.isEmpty()) { X509ExtendedKeyManager delegateKeyManager = (X509ExtendedKeyManager) CertificateUtil .getKeyManagers(alias, clientKey, clientCert)[0]; keyManager.putDelegate(alias, delegateKeyManager); } }
private void createOrUpdateTargetSsl(CommandInput input, DelegatingX509KeyManager keyM, ServerX509TrustManager trustM) { if (!isSecure(input.getDockerUri())) { return; } String sslTrust = (String) input.getProperties().get(SSL_TRUST_CERT_PROP_NAME); String trustAlias = (String) input.getProperties().get(SSL_TRUST_ALIAS_PROP_NAME); if (trustAlias == null) { logger.warning("No trust alias property set, not using certificate."); return; } if (sslTrust != null && trustM != null) { trustM.putDelegate(trustAlias, sslTrust); } if (input.getCredentials() == null) { return; } String clientKey = EncryptionUtils.decrypt(input.getCredentials().privateKey); String clientCert = input.getCredentials().publicKey; // TODO use an LRU cache to limit the number of stored // KeyManagers while minimizing time wasted repeatedly // recreating them if (clientKey != null && !clientKey.isEmpty()) { X509ExtendedKeyManager delegateKeyManager = (X509ExtendedKeyManager) CertificateUtil .getKeyManagers(trustAlias, clientKey, clientCert)[0]; keyM.putDelegate(trustAlias, delegateKeyManager); } }