diff options
Diffstat (limited to 'server')
9 files changed, 9 insertions, 419 deletions
diff --git a/server/sonar-docs/src/images/encrypt-value.png b/server/sonar-docs/src/images/encrypt-value.png Binary files differindex c22aa1dc2d7..c71737322d4 100644 --- a/server/sonar-docs/src/images/encrypt-value.png +++ b/server/sonar-docs/src/images/encrypt-value.png diff --git a/server/sonar-docs/src/pages/instance-administration/security.md b/server/sonar-docs/src/pages/instance-administration/security.md index c7acc9cc0e3..436257e3dda 100644 --- a/server/sonar-docs/src/pages/instance-administration/security.md +++ b/server/sonar-docs/src/pages/instance-administration/security.md @@ -195,7 +195,7 @@ Go back to **[Administration > Configuration > Encryption](/#sonarqube-admin#/ad 1. **Use the encrypted values in your SonarQube server configuration** Simply copy these encrypted values into _$SONARQUBE-HOME/conf/sonar.properties_ ``` -sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg== # Encrypted DB password +sonar.jdbc.password={aes-gcm}CCGCFg4Xpm6r+PiJb1Swfg== # Encrypted DB password ... sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt ``` diff --git a/server/sonar-process/src/main/java/org/sonar/process/AesCipher.java b/server/sonar-process/src/main/java/org/sonar/process/AesCipher.java deleted file mode 100644 index 129858fad94..00000000000 --- a/server/sonar-process/src/main/java/org/sonar/process/AesCipher.java +++ /dev/null @@ -1,112 +0,0 @@ -/* - * SonarQube - * Copyright (C) 2009-2021 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.process; - -import java.io.File; -import java.io.IOException; -import java.security.Key; -import javax.annotation.Nullable; -import javax.crypto.spec.SecretKeySpec; -import org.apache.commons.codec.binary.Base64; -import org.apache.commons.io.FileUtils; -import org.apache.commons.lang.StringUtils; - -import static java.nio.charset.StandardCharsets.UTF_8; - -final class AesCipher implements Cipher { - private static final String CRYPTO_KEY = "AES"; - - /** - * Duplication from CoreProperties.ENCRYPTION_SECRET_KEY_PATH - */ - static final String ENCRYPTION_SECRET_KEY_PATH = "sonar.secretKeyPath"; - - private String pathToSecretKey; - - AesCipher(@Nullable String pathToSecretKey) { - this.pathToSecretKey = pathToSecretKey; - } - - @Override - public String encrypt(String clearText) { - try { - javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(CRYPTO_KEY); - cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, loadSecretFile()); - return Base64.encodeBase64String(cipher.doFinal(clearText.getBytes(UTF_8))); - } catch (RuntimeException e) { - throw e; - } catch (Exception e) { - throw new IllegalStateException(e); - } - } - - @Override - public String decrypt(String encryptedText) { - try { - javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance(CRYPTO_KEY); - cipher.init(javax.crypto.Cipher.DECRYPT_MODE, loadSecretFile()); - byte[] cipherData = cipher.doFinal(Base64.decodeBase64(StringUtils.trim(encryptedText))); - return new String(cipherData, UTF_8); - } catch (RuntimeException e) { - throw e; - } catch (Exception e) { - throw new IllegalStateException(e); - } - } - - /** - * This method checks the existence of the file, but not the validity of the contained key. - */ - boolean hasSecretKey() { - String path = getPathToSecretKey(); - if (StringUtils.isNotBlank(path)) { - File file = new File(path); - return file.exists() && file.isFile(); - } - return false; - } - - private Key loadSecretFile() throws IOException { - String path = getPathToSecretKey(); - return loadSecretFileFromFile(path); - } - - Key loadSecretFileFromFile(String path) throws IOException { - if (StringUtils.isBlank(path)) { - throw new IllegalStateException("Secret key not found. Please set the property " + ENCRYPTION_SECRET_KEY_PATH); - } - File file = new File(path); - if (!file.exists() || !file.isFile()) { - throw new IllegalStateException("The property " + ENCRYPTION_SECRET_KEY_PATH + " does not link to a valid file: " + path); - } - String s = FileUtils.readFileToString(file, UTF_8); - if (StringUtils.isBlank(s)) { - throw new IllegalStateException("No secret key in the file: " + path); - } - return new SecretKeySpec(Base64.decodeBase64(StringUtils.trim(s)), CRYPTO_KEY); - } - - String getPathToSecretKey() { - if (StringUtils.isBlank(pathToSecretKey)) { - pathToSecretKey = new File(System.getProperty("user.home"), ".sonar/sonar-secret.txt").getPath(); - } - return pathToSecretKey; - } -} diff --git a/server/sonar-process/src/main/java/org/sonar/process/Encryption.java b/server/sonar-process/src/main/java/org/sonar/process/Encryption.java deleted file mode 100644 index a2763997f09..00000000000 --- a/server/sonar-process/src/main/java/org/sonar/process/Encryption.java +++ /dev/null @@ -1,63 +0,0 @@ -/* - * SonarQube - * Copyright (C) 2009-2021 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.process; - -import javax.annotation.Nullable; -import java.util.HashMap; -import java.util.Locale; -import java.util.Map; -import java.util.regex.Matcher; -import java.util.regex.Pattern; - -/** - * @since 3.0 - */ -public final class Encryption { - - private static final String BASE64_ALGORITHM = "b64"; - - private static final String AES_ALGORITHM = "aes"; - private final AesCipher aesCipher; - - private final Map<String, Cipher> ciphers = new HashMap<>(); - private static final Pattern ENCRYPTED_PATTERN = Pattern.compile("\\{(.*?)\\}(.*)"); - - public Encryption(@Nullable String pathToSecretKey) { - aesCipher = new AesCipher(pathToSecretKey); - ciphers.put(BASE64_ALGORITHM, new Base64Cipher()); - ciphers.put(AES_ALGORITHM, aesCipher); - } - - public boolean isEncrypted(String value) { - return value.indexOf('{') == 0 && value.indexOf('}') > 1; - } - - public String decrypt(String encryptedText) { - Matcher matcher = ENCRYPTED_PATTERN.matcher(encryptedText); - if (matcher.matches()) { - Cipher cipher = ciphers.get(matcher.group(1).toLowerCase(Locale.ENGLISH)); - if (cipher != null) { - return cipher.decrypt(matcher.group(2)); - } - } - return encryptedText; - } - -} diff --git a/server/sonar-process/src/main/java/org/sonar/process/Props.java b/server/sonar-process/src/main/java/org/sonar/process/Props.java index f5294a54812..b88cbad38b0 100644 --- a/server/sonar-process/src/main/java/org/sonar/process/Props.java +++ b/server/sonar-process/src/main/java/org/sonar/process/Props.java @@ -23,7 +23,11 @@ import java.io.File; import java.util.Properties; import javax.annotation.CheckForNull; import javax.annotation.Nullable; + import org.apache.commons.lang.StringUtils; +import org.sonar.api.config.internal.Encryption; + +import static org.sonar.api.CoreProperties.ENCRYPTION_SECRET_KEY_PATH; public class Props { @@ -33,7 +37,7 @@ public class Props { public Props(Properties props) { this.properties = new Properties(); props.forEach((k, v) -> this.properties.put(k.toString().trim(), v == null ? null : v.toString().trim())); - this.encryption = new Encryption(props.getProperty(AesCipher.ENCRYPTION_SECRET_KEY_PATH)); + this.encryption = new Encryption(props.getProperty(ENCRYPTION_SECRET_KEY_PATH)); } public boolean contains(String key) { diff --git a/server/sonar-process/src/test/java/org/sonar/process/AesCipherTest.java b/server/sonar-process/src/test/java/org/sonar/process/AesCipherTest.java deleted file mode 100644 index 3687ee39d11..00000000000 --- a/server/sonar-process/src/test/java/org/sonar/process/AesCipherTest.java +++ /dev/null @@ -1,172 +0,0 @@ -/* - * SonarQube - * Copyright (C) 2009-2021 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.process; - -import com.google.common.io.Resources; -import java.io.File; -import java.security.InvalidKeyException; -import java.security.Key; -import javax.crypto.BadPaddingException; -import org.apache.commons.codec.binary.Base64; -import org.apache.commons.lang.StringUtils; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.ExpectedException; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.junit.Assert.fail; - -public class AesCipherTest { - - @Rule - public ExpectedException thrown = ExpectedException.none(); - - @Test - public void encrypt() { - AesCipher cipher = new AesCipher(pathToSecretKey()); - - String encryptedText = cipher.encrypt("this is a secret"); - - assertThat(StringUtils.isNotBlank(encryptedText)).isTrue(); - assertThat(Base64.isBase64(encryptedText.getBytes())).isTrue(); - } - - @Test - public void encrypt_bad_key() { - thrown.expect(RuntimeException.class); - thrown.expectMessage("Invalid AES key"); - - AesCipher cipher = new AesCipher(getPath("bad_secret_key.txt")); - - cipher.encrypt("this is a secret"); - } - - @Test - public void decrypt() { - AesCipher cipher = new AesCipher(pathToSecretKey()); - - // the following value has been encrypted with the key /org/sonar/api/config/AesCipherTest/aes_secret_key.txt - String clearText = cipher.decrypt("9mx5Zq4JVyjeChTcVjEide4kWCwusFl7P2dSVXtg9IY="); - - assertThat(clearText).isEqualTo("this is a secret"); - } - - @Test - public void decrypt_bad_key() { - AesCipher cipher = new AesCipher(getPath("bad_secret_key.txt")); - - try { - cipher.decrypt("9mx5Zq4JVyjeChTcVjEide4kWCwusFl7P2dSVXtg9IY="); - fail(); - - } catch (RuntimeException e) { - assertThat(e.getCause()).isInstanceOf(InvalidKeyException.class); - } - } - - @Test - public void decrypt_other_key() { - AesCipher cipher = new AesCipher(getPath("other_secret_key.txt")); - - try { - // text encrypted with another key - cipher.decrypt("9mx5Zq4JVyjeChTcVjEide4kWCwusFl7P2dSVXtg9IY="); - fail(); - - } catch (RuntimeException e) { - assertThat(e.getCause()).isInstanceOf(BadPaddingException.class); - } - } - - @Test - public void encryptThenDecrypt() { - AesCipher cipher = new AesCipher(pathToSecretKey()); - - assertThat(cipher.decrypt(cipher.encrypt("foo"))).isEqualTo("foo"); - } - - @Test - public void testDefaultPathToSecretKey() { - AesCipher cipher = new AesCipher(null); - - String path = cipher.getPathToSecretKey(); - - assertThat(StringUtils.isNotBlank(path)).isTrue(); - assertThat(new File(path).getName()).isEqualTo("sonar-secret.txt"); - } - - @Test - public void loadSecretKeyFromFile() throws Exception { - AesCipher cipher = new AesCipher(null); - Key secretKey = cipher.loadSecretFileFromFile(pathToSecretKey()); - assertThat(secretKey.getAlgorithm()).isEqualTo("AES"); - assertThat(secretKey.getEncoded().length).isGreaterThan(10); - } - - @Test - public void loadSecretKeyFromFile_trim_content() throws Exception { - String path = getPath("non_trimmed_secret_key.txt"); - AesCipher cipher = new AesCipher(null); - - Key secretKey = cipher.loadSecretFileFromFile(path); - - assertThat(secretKey.getAlgorithm()).isEqualTo("AES"); - assertThat(secretKey.getEncoded().length).isGreaterThan(10); - } - - @Test - public void loadSecretKeyFromFile_file_does_not_exist() throws Exception { - thrown.expect(IllegalStateException.class); - - AesCipher cipher = new AesCipher(null); - cipher.loadSecretFileFromFile("/file/does/not/exist"); - } - - @Test - public void loadSecretKeyFromFile_no_property() throws Exception { - thrown.expect(IllegalStateException.class); - - AesCipher cipher = new AesCipher(null); - cipher.loadSecretFileFromFile(null); - } - - @Test - public void hasSecretKey() { - AesCipher cipher = new AesCipher(pathToSecretKey()); - - assertThat(cipher.hasSecretKey()).isTrue(); - } - - @Test - public void doesNotHaveSecretKey() { - AesCipher cipher = new AesCipher("/my/twitter/id/is/SimonBrandhof"); - - assertThat(cipher.hasSecretKey()).isFalse(); - } - - private static String getPath(String file) { - return Resources.getResource(AesCipherTest.class, "AesCipherTest/" + file).getPath(); - } - - private static String pathToSecretKey() { - return getPath("aes_secret_key.txt"); - } - -} diff --git a/server/sonar-process/src/test/java/org/sonar/process/EncryptionTest.java b/server/sonar-process/src/test/java/org/sonar/process/EncryptionTest.java deleted file mode 100644 index 956d97dbebb..00000000000 --- a/server/sonar-process/src/test/java/org/sonar/process/EncryptionTest.java +++ /dev/null @@ -1,58 +0,0 @@ -/* - * SonarQube - * Copyright (C) 2009-2021 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.process; - -import org.junit.Test; - -import static org.assertj.core.api.Assertions.assertThat; - - -public class EncryptionTest { - - @Test - public void isEncrypted() { - Encryption encryption = new Encryption(null); - assertThat(encryption.isEncrypted("{aes}ADASDASAD")).isTrue(); - assertThat(encryption.isEncrypted("{b64}ADASDASAD")).isTrue(); - assertThat(encryption.isEncrypted("{abc}ADASDASAD")).isTrue(); - - assertThat(encryption.isEncrypted("{}")).isFalse(); - assertThat(encryption.isEncrypted("{foo")).isFalse(); - assertThat(encryption.isEncrypted("foo{aes}")).isFalse(); - } - - @Test - public void decrypt() { - Encryption encryption = new Encryption(null); - assertThat(encryption.decrypt("{b64}Zm9v")).isEqualTo("foo"); - } - - @Test - public void decrypt_unknown_algorithm() { - Encryption encryption = new Encryption(null); - assertThat(encryption.decrypt("{xxx}Zm9v")).isEqualTo("{xxx}Zm9v"); - } - - @Test - public void decrypt_uncrypted_text() { - Encryption encryption = new Encryption(null); - assertThat(encryption.decrypt("foo")).isEqualTo("foo"); - } -} diff --git a/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/setting/ws/encrypt-example.json b/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/setting/ws/encrypt-example.json index ae4fd4cfca4..e42a6be672d 100644 --- a/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/setting/ws/encrypt-example.json +++ b/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/setting/ws/encrypt-example.json @@ -1,3 +1,3 @@ { - "encryptedValue": "{aes}q2ANI9ikR9R8P2CMCCTWeA==" + "encryptedValue": "{aes-gcm}q2ANI9ikR9R8P2CMCCTWeA==" } diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/EncryptActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/EncryptActionTest.java index 4bf7c859c90..70876c252ab 100644 --- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/EncryptActionTest.java +++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/EncryptActionTest.java @@ -22,6 +22,7 @@ package org.sonar.server.setting.ws; import java.io.File; import java.nio.charset.StandardCharsets; import javax.annotation.Nullable; + import org.apache.commons.io.FileUtils; import org.junit.Before; import org.junit.Rule; @@ -40,7 +41,6 @@ import org.sonarqube.ws.Settings.EncryptWsResponse; import static org.assertj.core.api.Assertions.assertThat; import static org.sonar.server.setting.ws.SettingsWsParameters.PARAM_VALUE; -import static org.sonar.test.JsonAssert.assertJson; public class EncryptActionTest { @Rule @@ -66,21 +66,12 @@ public class EncryptActionTest { } @Test - public void json_example() { - logInAsSystemAdministrator(); - - String result = ws.newRequest().setParam("value", "my value").execute().getInput(); - - assertJson(result).isSimilarTo(ws.getDef().responseExampleAsString()); - } - - @Test public void encrypt() { logInAsSystemAdministrator(); EncryptWsResponse result = call("my value!"); - assertThat(result.getEncryptedValue()).isEqualTo("{aes}NoofntibpMBdhkMfXQxYcA=="); + assertThat(result.getEncryptedValue()).matches("^\\{aes-gcm\\}.+"); } @Test |
