Posted to commits@activemq.apache.org by jb...@apache.org on 2022/10/13 16:22:26 UTC

[activemq-artemis] branch main updated: ARTEMIS-4042 - read sensitive string codec env var if system property is not set

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 8a6e29ccde ARTEMIS-4042 - read sensitive string codec env var if system property is not set
     new 896537700a This closes #4254
8a6e29ccde is described below

commit 8a6e29ccde3525e2012417ac41777529853a5bf0
Author: Gary Tully <ga...@gmail.com>
AuthorDate: Wed Oct 12 12:30:06 2022 +0100

    ARTEMIS-4042 - read sensitive string codec env var if system property is not set
---
 .../artemis/utils/DefaultSensitiveStringCodec.java    | 17 +++++++++++++++++
 .../utils/DefaultSensitiveStringCodecTest.java        | 19 +++++++++++++++++++
 docs/user-manual/en/masking-passwords.md              |  4 ++++
 3 files changed, 40 insertions(+)

diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
index a135e14337..6a5b4caccd 100644
--- a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
+++ b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
@@ -28,6 +28,7 @@ import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Properties;
@@ -146,6 +147,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
                logger.trace("Set key from system property {}", KEY_SYSTEM_PROPERTY);
                updateKey(key);
             }
+            if (key == null) {
+               final String matchingEnvVarName = envVarNameFromSystemPropertyName(KEY_SYSTEM_PROPERTY);
+               key = getFromEnv(matchingEnvVarName);
+               if (key != null) {
+                  logger.trace("Set key from env var {}", matchingEnvVarName);
+                  updateKey(key);
+               }
+            }
          }
       }
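Review bot: The new `if (key == null)` branch documents neither its precedence nor what happens when the environment variable is also unset; a short comment above it would save the next reader a trip to the docs, e.g. `// Fall back to the environment only when the system property is absent; the property value always wins.` The enclosing method starts before this hunk and continues past it, so whether a still-null key is reported or silently falls through to a built-in default is not visible here; if it is the latter, a trace line in the null case (`logger.trace("No key from {} or {}", KEY_SYSTEM_PROPERTY, matchingEnvVarName);`) would make a misspelled variable name diagnosable. Logging only the variable name and not its value, as the hunk does, is the right call.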
 
@@ -205,6 +214,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
       }
    }
 
+   protected String getFromEnv(final String envVarName) {
+      return System.getenv(envVarName);
+   }
+
+   public static String envVarNameFromSystemPropertyName(final String systemPropertyName) {
+      return systemPropertyName.replace(".","_").toUpperCase(Locale.getDefault());
+   }
+
    private static class PBKDF2Algorithm extends CodecAlgorithm {
       private static final String SEPARATOR = ":";
       private String sceretKeyAlgorithm = "PBKDF2WithHmacSHA1";
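Review bot: `envVarNameFromSystemPropertyName` upper-cases with `Locale.getDefault()`, so under a Turkish-family default locale every `i` in the property name becomes a dotted capital `İ` and the computed name no longer matches the variable the operator exported; the key lookup then fails silently and the codec proceeds without the configured key. Use the locale-insensitive form, `return systemPropertyName.replace(".", "_").toUpperCase(Locale.ROOT);`, which is also what the documented name `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` in the docs hunk assumes. The method is public and static, so a one-line Javadoc stating the mapping (dots to underscores, ASCII upper case) would also help callers that derive names for other properties. `getFromEnv` is a seam for tests; a `/** Overridable for testing; reads the process environment. */` comment would make that intent explicit.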
diff --git a/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java b/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java
index a9ba3e6089..8b0d3bf38f 100644
--- a/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java
+++ b/artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java
@@ -26,6 +26,7 @@ import java.util.Map;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -76,6 +77,24 @@ public class DefaultSensitiveStringCodecTest {
       assertFalse(codec.verify(otherPassword.toCharArray(), maskedText));
    }
 
+   @Test
+   public void testInitFromEnvVar() throws Exception {
+      final String someString = "bla";
+      DefaultSensitiveStringCodec codecFromEnvVarConfig = new DefaultSensitiveStringCodec() {
+         @Override
+         public String getFromEnv(String v) {
+            if (v.contains("_") && !v.contains(".")) {
+               return someString;
+            }
+            return null;
+         }
+      };
+      Map<String, String> params = new HashMap<>();
+      codecFromEnvVarConfig.init(params);
+      String blaVersion = codecFromEnvVarConfig.encode(someString);
+      assertNotEquals(blaVersion,  getDefaultSensitiveStringCodec(DefaultSensitiveStringCodec.TWO_WAY).encode(someString));
+   }
+
    @Test
    public void testCompareWithOnewayAlgorithm() throws Exception {
       testCompareWithAlgorithm(DefaultSensitiveStringCodec.ONE_WAY);
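Review bot: The `getFromEnv` stub in `testInitFromEnvVar` answers any name that contains an underscore and no dot, so the test cannot catch a wrongly derived variable name (for example a locale-dependent upper-casing of `KEY_SYSTEM_PROPERTY`); it only proves that some env lookup happened. Matching the exact expected name would pin the contract, e.g. `return "ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY".equals(v) ? someString : null;` — assuming, as the docs hunk suggests, that `KEY_SYSTEM_PROPERTY` is the dotted lower-case form of that name. The final `assertNotEquals` against the default codec also leaves open whether the env-supplied key is actually usable; round-tripping `blaVersion` through the same codec would close that gap. The `@Override` widens `protected` to `public`, which compiles but is worth keeping `protected` to mirror the production signature.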
diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md
index 24400caa87..c76c4d1c51 100644
--- a/docs/user-manual/en/masking-passwords.md
+++ b/docs/user-manual/en/masking-passwords.md
@@ -413,6 +413,10 @@ that key to unmask the password(s). Therefore, it is possible to supply your
     that the key is more obscure since it will not exist in any configuration
     file. It can be set immediately *before* the broker starts and then cleared
     from the environment immediately *after* the broker finishes starting.
+ 3. If expansion of the `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` environment
+    variable to set the system property is a concern, modify the startup scripts
+    to remove the system property assignment, the environment variable will then
+    be read directly.
 
 ### Using a custom codec