From 30faaf2c44bcb41822796fbd8370b0acacfdb69e Mon Sep 17 00:00:00 2001 From: Tobias Woelk Date: Fri, 24 Aug 2018 14:54:54 +0200 Subject: [PATCH] jetty password obfuscation for props values --- README.md | 12 ++++++++++++ src/main/scala/code/api/util/APIUtil.scala | 14 +++++++++----- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 16f5717e9..15c7c377f 100644 --- a/README.md +++ b/README.md @@ -355,6 +355,7 @@ The Encrypt/Decrypt workflow is : 1st, 2nd and 3rd step can be done using an external tool + ####Encrypting props values with openssl on the commandline 1. Export the public certificate from the keystore: @@ -370,6 +371,17 @@ The Encrypt/Decrypt workflow is : echo -n $2 |openssl pkeyutl -pkeyopt rsa_padding_mode:pkcs1 -encrypt -pubin -inkey $1 -out >(base64) ``` +## Using jetty password obfuscation with props file + +You can obfuscate passwords in the props file the same way as for jetty: + +1. Create the obfuscated value as described here: https://www.eclipse.org/jetty/documentation/9.3.x/configuring-security-secure-passwords.html + +2. A props key value, XXX, is considered obfuscated if has an obfuscation property (XXX.is_obfuscated) in addition to the regular props key name in the props file e.g: + + * db.url.is_obfuscated=true + * db.url=OBF:fdsafdsakwaetcetcetc + ## Scala / Lift diff --git a/src/main/scala/code/api/util/APIUtil.scala b/src/main/scala/code/api/util/APIUtil.scala index b170ec303..cc10ac189 100644 --- a/src/main/scala/code/api/util/APIUtil.scala +++ b/src/main/scala/code/api/util/APIUtil.scala 
@@ -2077,16 +2077,20 @@ Returns a string showed to the developer
 * @return Decrypted value of a property
 */
 def getPropsValue(nameOfProperty: String): Box[String] = {
- (Props.get(nameOfProperty), Props.get(nameOfProperty + ".is_encrypted")) match {
- case (Full(base64PropsValue), Full(isEncrypted)) if isEncrypted == "true" =>
+ (Props.get(nameOfProperty), Props.get(nameOfProperty + ".is_encrypted"), Props.get(nameOfProperty + ".is_obfuscated") ) match {
+ case (Full(base64PropsValue), Full(isEncrypted), Empty) if isEncrypted == "true" =>
 val decryptedValueAsArray = decrypt(privateKey, Helpers.base64Decode(base64PropsValue), CryptoSystem.RSA)
 val decryptedValueAsString = new String(decryptedValueAsArray)
 Full(decryptedValueAsString)
- case (Full(property), Full(isEncrypted)) if isEncrypted == "false" =>
+ case (Full(property), Full(isEncrypted), Empty) if isEncrypted == "false" =>
 Full(property)
- case (Full(property), Empty) =>
+ case (Full(property),Empty, Full(isObfuscated)) if isObfuscated == "true" =>
+ Full(org.eclipse.jetty.util.security.Password.deobfuscate(property))
+ case (Full(property),Empty, Full(isObfuscated)) if isObfuscated == "false" =>
 Full(property)
- case (Empty, Empty) =>
+ case (Full(property), Empty,Empty) =>
+ Full(property)
+ case (Empty, Empty, Empty) =>
 Empty
 case _ =>
 logger.error(cannotDecryptValueOfProperty + nameOfProperty)
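Review bot: The new `isObfuscated == "true"` case calls `Password.deobfuscate(property)` directly, and a value that is flagged but is not well-formed `OBF:` text may make it throw instead of producing a failed Box, so one bad props entry could surface as an uncaught exception in whichever caller reads it; wrapping the call, e.g. `Helpers.tryo(org.eclipse.jetty.util.security.Password.deobfuscate(property))`, keeps the `Box[String]` contract. This case also deserves a comment such as `// OBF: is reversible without any key; it only hides the value from casual viewing, use .is_encrypted for real secrets`, because it sits next to the RSA path and could be read as equivalent protection. A property that carries both `.is_encrypted` and `.is_obfuscated` falls through to `case _` and is logged with `cannotDecryptValueOfProperty`, which is a misleading message for that configuration. The body of getPropsValue continues past the end of the hunk.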