Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/11/18 08:37:34 UTC

[GitHub] [nifi-minifi-cpp] adamdebreceni commented on a change in pull request #937: MINIFICPP-1402 - Encrypt flow configuration and change encryption key

adamdebreceni commented on a change in pull request #937:
URL: https://github.com/apache/nifi-minifi-cpp/pull/937#discussion_r525902713



##########
File path: encrypt-config/EncryptConfig.cpp
##########
@@ -42,40 +42,72 @@ namespace nifi {
 namespace minifi {
 namespace encrypt_config {
 
-EncryptConfig::EncryptConfig(int argc, char* argv[]) : minifi_home_(parseMinifiHomeFromTheOptions(argc, argv)) {
+EncryptConfig::EncryptConfig(const std::string& minifi_home) : minifi_home_(minifi_home) {
   if (sodium_init() < 0) {
     throw std::runtime_error{"Could not initialize the libsodium library!"};
   }
+  keys_ = getEncryptionKeys();
 }
 
-std::string EncryptConfig::parseMinifiHomeFromTheOptions(int argc, char* argv[]) {
-  if (argc >= 2) {
-    for (int i = 1; i < argc; ++i) {
-      std::string argstr(argv[i]);
-      if ((argstr == "-h") || (argstr == "--help")) {
-        std::cout << USAGE_STRING << std::endl;
-        std::exit(0);
-      }
-    }
+EncryptConfig::EncryptionType EncryptConfig::encryptSensitiveProperties() const {
+  encryptSensitiveProperties(keys_);
+  if (keys_.decryption_key) {
+    return EncryptionType::RE_ENCRYPT;
   }
+  return EncryptionType::ENCRYPT;
+}
 
-  if (argc >= 3) {
-    for (int i = 1; i < argc; ++i) {
-      std::string argstr(argv[i]);
-      if ((argstr == "-m") || (argstr == "--minifi-home")) {
-        if (i+1 < argc) {
-          return std::string(argv[i+1]);
-        }
-      }
-    }
+void EncryptConfig::encryptFlowConfig() const {
+  encrypt_config::ConfigFile properties_file{std::ifstream{propertiesFilePath()}};
+  utils::optional<std::string> config_path = properties_file.getValue(Configure::nifi_flow_configuration_file);
+  if (!config_path) {
+    config_path = utils::file::PathUtils::resolve(minifi_home_, "conf/config.yml");
+    std::cout << "Couldn't find path of configuration file, using default: \"" << *config_path << "\"\n";
+  } else {
+    config_path = utils::file::PathUtils::resolve(minifi_home_, *config_path);
+    std::cout << "Encrypting flow configuration file: \"" << *config_path << "\"\n";
+  }
+  std::string config_content;
+  try {
+    std::ifstream config_file{*config_path, std::ios::binary};
+    config_file.exceptions(std::ios::failbit | std::ios::badbit);
+    config_content = std::string{std::istreambuf_iterator<char>(config_file), {}};
+  } catch (...) {
+    std::cerr << "Error while reading flow configuration file \"" << *config_path << "\"\n";
+    throw;
   }
+  try {
+    utils::crypto::decrypt(config_content, keys_.encryption_key);
+    std::cout << "Flow config file is already properly encrypted.\n";
+    return;
+  } catch (const std::exception&) {}
 
-  throw std::runtime_error{USAGE_STRING};
-}
+  if (utils::crypto::isEncrypted(config_content)) {
+    if (!keys_.decryption_key) {
+      std::cerr << "Config file is encrypted, but no deprecated key is set.\n";
+      std::exit(1);
+    }
+    std::cout << "Trying to decrypt flow config file using the deprecated key ...\n";
+    try {
+      config_content = utils::crypto::decrypt(config_content, *keys_.decryption_key);
+    } catch (const std::exception&) {
+      std::cerr << "Flow config is encrypted, but couldn't be decrypted.\n";
+      std::exit(1);
+    }
+  } else {
+    std::cout << "Flow config file is not encrypted, using as-is.\n";

Review comment:
       It might be that an encrypted config is corrupted for whatever reason, and since we have no way of detecting that (short of trying to parse the yml), I figured it would raise some eyebrows if the user expects re-encryption.



