Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/03/29 08:00:02 UTC

[GitHub] [nifi-minifi-cpp] lordgamez opened a new pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

lordgamez opened a new pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289


   https://issues.apache.org/jira/browse/MINIFICPP-1783
   
   -----------------------------------------------------------------------
   Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.
   
   In order to streamline the review of the contribution we ask you
   to ensure the following steps have been taken:
   
   ### For all changes:
   - [ ] Is there a JIRA ticket associated with this PR? Is it referenced
        in the commit message?
   
   - [ ] Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
   
   - [ ] Has your PR been rebased against the latest commit within the target branch (typically main)?
   
   - [ ] Is your initial contribution a single, squashed commit?
   
   ### For code changes:
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the LICENSE file?
   - [ ] If applicable, have you updated the NOTICE file?
   
   ### For documentation related changes:
   - [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
   
   ### Note:
   Please ensure that once the PR is submitted, you check GitHub Actions CI results for build issues and submit an update to your PR as soon as possible.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [nifi-minifi-cpp] adamdebreceni closed pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
adamdebreceni closed pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289


   





[GitHub] [nifi-minifi-cpp] fgerlits commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
fgerlits commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r839504643



##########
File path: extensions/http-curl/tests/C2DescribeManifestTest.cpp
##########
@@ -41,8 +42,17 @@ class DescribeManifestHandler: public HeartbeatHandler {
 int main(int argc, char **argv) {
   const cmd_args args = parse_cmdline_args(argc, argv, "heartbeat");
   VerifyC2Describe harness;
+  utils::crypto::Bytes encryption_key = utils::StringUtils::from_hex("4024b327fdc987ce3eb43dd1f690b9987e4072e0020e3edf4349ce1ad91a4e38");
+  minifi::Decryptor decryptor{utils::crypto::EncryptionProvider{encryption_key}};
+  std::string encrypted_value = "l3WY1V27knTiPa6jVX0jrq4qjmKsySOu||ErntqZpHP1M+6OkA14p5sdnqJhuNHWHDVUU5EyMloTtSytKk9a5xNKo=";
+
+  harness.setConfiguration(std::make_shared<minifi::Configure>(decryptor));
   harness.setKeyDir(args.key_dir);
   DescribeManifestHandler responder(harness.getConfiguration());
+
+  harness.getConfiguration()->set(minifi::Configuration::nifi_rest_api_password, encrypted_value);
+  harness.getConfiguration()->set(std::string(minifi::Configuration::nifi_rest_api_password) + ".protected", utils::crypto::EncryptionType::name());
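
Review bot: the two `set()` calls at the end of this hunk store `encrypted_value` and the `.protected` marker, but nothing in these lines asserts what ends up in the manifest, and the `encrypted_value` local is not handed to `DescribeManifestHandler`, so the expected value is not visible from this file. Consider passing `encrypted_value` to the responder (or sharing it as a named constant) so the comparison against the ciphertext is explicit, and add a short comment stating that the hex key and the ciphertext are a test-only fixture. The `.protected` property name is also assembled by string concatenation at the call site; a small helper or named constant would keep the suffix from drifting between tests.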

Review comment:
       I would have preferred something more explicit, as, for example, if someone changes `getString()` to return the decrypted value, the test will continue to pass.  On the other hand, it is unlikely someone would do this, and it would probably be caught by other tests, so I'm OK with this version, too.







[GitHub] [nifi-minifi-cpp] adam-markovics commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
adam-markovics commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r837466700



##########
File path: libminifi/test/integration/IntegrationBase.h
##########
@@ -61,6 +61,10 @@ class IntegrationBase {
     return configuration;
   }
 
+  void setConfiguration(std::shared_ptr<minifi::Configure> configuration) {
+    this->configuration = configuration;
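
Review bot: `setConfiguration()` stores whatever pointer it is given, including an empty `std::shared_ptr`, with no check at `this->configuration = configuration;`. If callers dereference the result of `getConfiguration()` directly, a null argument turns into a crash far from the call site, so consider asserting on or rejecting null here. Since the parameter is taken by value, `this->configuration = std::move(configuration);` also avoids an extra reference-count increment, and giving the parameter a different name from the member would remove the need for `this->`.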

Review comment:
       I'd rather `std::move` the parameter if it's stored.







[GitHub] [nifi-minifi-cpp] lordgamez commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
lordgamez commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r839254433



##########
File path: extensions/http-curl/tests/C2DescribeManifestTest.cpp
##########
@@ -41,8 +42,17 @@ class DescribeManifestHandler: public HeartbeatHandler {
 int main(int argc, char **argv) {
   const cmd_args args = parse_cmdline_args(argc, argv, "heartbeat");
   VerifyC2Describe harness;
+  utils::crypto::Bytes encryption_key = utils::StringUtils::from_hex("4024b327fdc987ce3eb43dd1f690b9987e4072e0020e3edf4349ce1ad91a4e38");
+  minifi::Decryptor decryptor{utils::crypto::EncryptionProvider{encryption_key}};
+  std::string encrypted_value = "l3WY1V27knTiPa6jVX0jrq4qjmKsySOu||ErntqZpHP1M+6OkA14p5sdnqJhuNHWHDVUU5EyMloTtSytKk9a5xNKo=";
+
+  harness.setConfiguration(std::make_shared<minifi::Configure>(decryptor));
   harness.setKeyDir(args.key_dir);
   DescribeManifestHandler responder(harness.getConfiguration());
+
+  harness.getConfiguration()->set(minifi::Configuration::nifi_rest_api_password, encrypted_value);
+  harness.getConfiguration()->set(std::string(minifi::Configuration::nifi_rest_api_password) + ".protected", utils::crypto::EncryptionType::name());

Review comment:
       Yes, as @adamdebreceni mentioned, the verification in HTTPHandlers makes sure we check for the encrypted version in the json. I checked the test with both `get` and `getString` to make sure it fails if we are using the `get` function and succeeds if we expect the encrypted version with `getString`.







[GitHub] [nifi-minifi-cpp] fgerlits commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
fgerlits commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r838715436



##########
File path: extensions/http-curl/tests/C2DescribeManifestTest.cpp
##########
@@ -41,8 +42,17 @@ class DescribeManifestHandler: public HeartbeatHandler {
 int main(int argc, char **argv) {
   const cmd_args args = parse_cmdline_args(argc, argv, "heartbeat");
   VerifyC2Describe harness;
+  utils::crypto::Bytes encryption_key = utils::StringUtils::from_hex("4024b327fdc987ce3eb43dd1f690b9987e4072e0020e3edf4349ce1ad91a4e38");
+  minifi::Decryptor decryptor{utils::crypto::EncryptionProvider{encryption_key}};
+  std::string encrypted_value = "l3WY1V27knTiPa6jVX0jrq4qjmKsySOu||ErntqZpHP1M+6OkA14p5sdnqJhuNHWHDVUU5EyMloTtSytKk9a5xNKo=";
+
+  harness.setConfiguration(std::make_shared<minifi::Configure>(decryptor));
   harness.setKeyDir(args.key_dir);
   DescribeManifestHandler responder(harness.getConfiguration());
+
+  harness.getConfiguration()->set(minifi::Configuration::nifi_rest_api_password, encrypted_value);
+  harness.getConfiguration()->set(std::string(minifi::Configuration::nifi_rest_api_password) + ".protected", utils::crypto::EncryptionType::name());

Review comment:
       We put the encrypted setting in the configuration here, but we don't verify that it is sent undecrypted.  Could we check the value in `handleAcknowledge()`, for example?







[GitHub] [nifi-minifi-cpp] fgerlits commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
fgerlits commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r838715436



##########
File path: extensions/http-curl/tests/C2DescribeManifestTest.cpp
##########
@@ -41,8 +42,17 @@ class DescribeManifestHandler: public HeartbeatHandler {
 int main(int argc, char **argv) {
   const cmd_args args = parse_cmdline_args(argc, argv, "heartbeat");
   VerifyC2Describe harness;
+  utils::crypto::Bytes encryption_key = utils::StringUtils::from_hex("4024b327fdc987ce3eb43dd1f690b9987e4072e0020e3edf4349ce1ad91a4e38");
+  minifi::Decryptor decryptor{utils::crypto::EncryptionProvider{encryption_key}};
+  std::string encrypted_value = "l3WY1V27knTiPa6jVX0jrq4qjmKsySOu||ErntqZpHP1M+6OkA14p5sdnqJhuNHWHDVUU5EyMloTtSytKk9a5xNKo=";
+
+  harness.setConfiguration(std::make_shared<minifi::Configure>(decryptor));
   harness.setKeyDir(args.key_dir);
   DescribeManifestHandler responder(harness.getConfiguration());
+
+  harness.getConfiguration()->set(minifi::Configuration::nifi_rest_api_password, encrypted_value);
+  harness.getConfiguration()->set(std::string(minifi::Configuration::nifi_rest_api_password) + ".protected", utils::crypto::EncryptionType::name());

Review comment:
       We put the encrypted setting in the configuration here, but we don't verify that it is sent unencrypted.  Could we check the value in `handleAcknowledge()`, for example?







[GitHub] [nifi-minifi-cpp] adamdebreceni commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
adamdebreceni commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r839245590



##########
File path: extensions/http-curl/tests/C2DescribeManifestTest.cpp
##########
@@ -41,8 +42,17 @@ class DescribeManifestHandler: public HeartbeatHandler {
 int main(int argc, char **argv) {
   const cmd_args args = parse_cmdline_args(argc, argv, "heartbeat");
   VerifyC2Describe harness;
+  utils::crypto::Bytes encryption_key = utils::StringUtils::from_hex("4024b327fdc987ce3eb43dd1f690b9987e4072e0020e3edf4349ce1ad91a4e38");
+  minifi::Decryptor decryptor{utils::crypto::EncryptionProvider{encryption_key}};
+  std::string encrypted_value = "l3WY1V27knTiPa6jVX0jrq4qjmKsySOu||ErntqZpHP1M+6OkA14p5sdnqJhuNHWHDVUU5EyMloTtSytKk9a5xNKo=";
+
+  harness.setConfiguration(std::make_shared<minifi::Configure>(decryptor));
   harness.setKeyDir(args.key_dir);
   DescribeManifestHandler responder(harness.getConfiguration());
+
+  harness.getConfiguration()->set(minifi::Configuration::nifi_rest_api_password, encrypted_value);
+  harness.getConfiguration()->set(std::string(minifi::Configuration::nifi_rest_api_password) + ".protected", utils::crypto::EncryptionType::name());

Review comment:
       HTTPHandlers.cpp:536 has also been updated; I think that verifies that we receive the encrypted value.







[GitHub] [nifi-minifi-cpp] lordgamez commented on a change in pull request #1289: MINIFICPP-1783 Encrypted values in agent manifest should remain in encrypted form

Posted by GitBox <gi...@apache.org>.
lordgamez commented on a change in pull request #1289:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1289#discussion_r837586229



##########
File path: libminifi/test/integration/IntegrationBase.h
##########
@@ -61,6 +61,10 @@ class IntegrationBase {
     return configuration;
   }
 
+  void setConfiguration(std::shared_ptr<minifi::Configure> configuration) {
+    this->configuration = configuration;

Review comment:
       Updated in aebe4fbd063ef08ba9877d0fb1657b44486a89a6



