Added jasypt encrypted password handling. (#361)

Author: tobiasake

pom.xml

@@ -107,6 +107,12 @@
             <version>${springBootVersion}</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.github.ulisesbocchio</groupId>
+            <artifactId>jasypt-spring-boot-starter</artifactId>
+            <version>2.1.2</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-amqp</artifactId>

src/main/java/com/ericsson/ei/EndpointSecurity.java

@@ -19,6 +19,7 @@
 
 import org.apache.tomcat.util.codec.binary.Base64;
 import org.apache.tomcat.util.codec.binary.StringUtils;
+import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
@@ -32,6 +33,8 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 
+import com.ericsson.ei.utils.TextFormatter;
+
 @Configuration
 @EnableWebSecurity
 public class EndpointSecurity extends WebSecurityConfigurerAdapter {
@@ -43,6 +46,9 @@ public class EndpointSecurity extends WebSecurityConfigurerAdapter {
 
     @Value("${ldap.server.list:}")
     private String ldapServerList;
+    
+    @Value("${jasypt.encryptor.password:}")
+    private String jasyptEncryptorPassword;
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
@@ -85,8 +91,23 @@ private String decodeBase64(String password) {
     }
 
     private void addLDAPServersFromList(JSONArray serverList, AuthenticationManagerBuilder auth) throws Exception {
+        TextFormatter textFormatter = new TextFormatter();
+        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
+ 
+        encryptor.setPassword(jasyptEncryptorPassword);
+ 
         for (int i = 0; i < serverList.length(); i++) {
             JSONObject server = (JSONObject) serverList.get(i);
+            String password = server.getString("password");
+        
+            if (checkIfPasswordEncrypted(password)) {
+                password = textFormatter.removeEncryptionParentheses(password);
+                password = encryptor.decrypt(password);
+            }
+            else {
+                password = decodeBase64(server.getString("password"));
+            }
+            
             auth
             .eraseCredentials(false)
             .ldapAuthentication()
@@ -95,7 +116,11 @@ private void addLDAPServersFromList(JSONArray serverList, AuthenticationManagerB
                     .url(server.getString("url"))
                     .root(server.getString("base.dn"))
                     .managerDn(server.getString("username"))
-                    .managerPassword(decodeBase64(server.getString("password")));
+                    .managerPassword(password);
         }
     }
+    
+    private boolean checkIfPasswordEncrypted(final String password) {
+        return (password.startsWith("ENC(") && password.endsWith(")"));
+    }
 }

src/main/java/com/ericsson/ei/config/ConfigurationLogger.java

@@ -70,7 +70,6 @@ private void logConfiguration() {
                 + "spring.mail.properties.mail.smtp.starttls.enable: " + env.getProperty("spring.mail.properties.mail.smtp.starttls.enable") + "\n"
                 + "er.url: " + env.getProperty("er.url") + "\n"
                 + "ldap.enabled: " + env.getProperty("ldap.enabled") + "\n"
-                + "ldap.server.list: " + env.getProperty("ldap.server.list") + "\n"
                 + "logging.level.root: " + env.getProperty("logging.level.root") + "\n"
                 + "logging.level.org.springframework.web: " + env.getProperty("logging.level.org.springframework.web") + "\n"
                 + "logging.level.com.ericsson.ei: " + env.getProperty("logging.level.com.ericsson.ei") + "\n"

src/main/java/com/ericsson/ei/utils/TextFormatter.java

@@ -0,0 +1,49 @@
+/*
+   Copyright 2019 Ericsson AB.
+   For a full list of individual contributors, please see the commit history.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package com.ericsson.ei.utils;
+
+
+/**
+ * Class that handles and formatting Strings for different needs
+ * and can be used in different classes.
+ *
+ */
+public class TextFormatter {
+    
+    /**
+     * Function that removes ENC parentheses from encrypted string.
+     * Commonly used for password properties that has a format "ENC(d23d2ferwf4t55)"
+     * This function removes "ENC(" text and end ")" parentheses and return only the
+     * encryption as string.
+     * 
+     * Function handle also "ENC(<encrypted password>" with missing end , ')', parentheses.
+     * 
+     * @param stringWithEncryptionParantheses  The string that contains the ENC() string.
+     * 
+     * @return  Then string formatted encrypted password without ENC().
+     */
+    public String removeEncryptionParentheses(String stringWithEncryptionParantheses) {
+        String formattedEncryptionString = stringWithEncryptionParantheses.replace("ENC(","");
+        int lastParanthesesOccurenxeIndex = formattedEncryptionString.lastIndexOf(")");
+        if (lastParanthesesOccurenxeIndex == -1) {
+            return formattedEncryptionString;
+        }
+        formattedEncryptionString = formattedEncryptionString.subSequence(0, lastParanthesesOccurenxeIndex).toString();
+        return formattedEncryptionString;
+    }
+}

src/main/resources/application.properties

@@ -25,6 +25,7 @@ rabbitmq.host: localhost
 rabbitmq.port: 5672
 rabbitmq.user: myuser
 rabbitmq.password: myuser
+# Check configuration documentation for using jasypt encrypted passswords
 # Valid TLS versions: 'TLSv1.2', 'TLSv1.1', 'TLSv1', 'TLS', 'SSLv3', 'SSLv2', 'SSL'
 rabbitmq.tlsVersion:
 rabbitmq.exchange.name: ei-exchange
@@ -48,6 +49,7 @@ spring.data.mongodb.host: localhost
 spring.data.mongodb.port: 27017
 #spring.data.mongodb.username:
 #spring.data.mongodb.password:
+# Check configuration documentation for using jasypt encrypted passswords
 spring.data.mongodb.database: eiffel_intelligence
 # we cannot have empty username and password property here
 # if these properties are empty, remove or comment them
@@ -123,6 +125,8 @@ er.url:
 # Settings for ldap server if ldap authentication is needed.
 # For security reasons and to avoid authorization problems this
 # password should be encoded in base64. It will be decoded in EndpointSecurity.java.
+#
+# Password field can also be Jasypt encoded, check configuration documentation for info.
 ldap.enabled: false
 ldap.server.list: [{\
         "url": "",\

src/test/java/com/ericsson/ei/utils/TextFormatterTest.java

@@ -0,0 +1,46 @@
+/*
+   Copyright 2019 Ericsson AB.
+   For a full list of individual contributors, please see the commit history.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package com.ericsson.ei.utils;
+
+import static org.junit.Assert.assertEquals;
+import org.junit.Test;
+
+import com.ericsson.ei.utils.TextFormatter;
+
+public class TextFormatterTest {
+    
+    @Test
+    public void testRemoveEncryptionParentheses() {
+        final String encryptedPassword = "ENC(m0++Ua2Pe1j/5X/x8NpKsQ==)";
+        final String expectedEncryptedPassword = "m0++Ua2Pe1j/5X/x8NpKsQ==";
+        
+        assertEquals("Failed to remove ENC() from encrypted password property string.",
+                expectedEncryptedPassword,
+                new TextFormatter().removeEncryptionParentheses(encryptedPassword));
+    }
+    
+    @Test
+    public void testRemoveEncryptionParenthesesWithMissingEndParentheses() {
+        final String encryptedPassword = "ENC(m0++Ua2Pe1j/5X/x8NpKsQ==";
+        final String expectedEncryptedPassword = "m0++Ua2Pe1j/5X/x8NpKsQ==";
+        
+        assertEquals("Failed to remove ENC() from encrypted password property string.",
+                expectedEncryptedPassword,
+                new TextFormatter().removeEncryptionParentheses(encryptedPassword));
+    }
+}

wiki/markdown/configuration.md

@@ -168,4 +168,57 @@ and the settings are defined in the **ldap.server.list** property.
             "password": "",\
             "user.filter": "uid={0}"\
         }\
-    ]\
+    ]\
+
+## Password encryption
+
+In a production environment and filesystems, administrator most likely don't want to store passwords in clear text.
+
+These Eiffel-Intelligence password properties can be provided encrypted:
+        
+        rabbitmq.password
+        spring.data.mongodb.password
+
+
+A password property is configured by providing the encrypted password in this format.
+
+        some.component.password=ENC(<encrypted password>)
+
+
+Ldap encrypted password is set inside **ldap.server.list** property according the example below:
+ 
+    ldap.server.list=[{\
+        "url": "<ldap address>",\
+        "base.dn": "<dn>",\
+        "username": "<username>",\
+        "password": "ENC(<encrypted password>)",\
+        "user.filter": "<filter>"\
+    }]
+
+How and examples of how to encrypt passwords can be found on Jasypt homepage.
+On Jasypt homepage encrypt.sh script can be downloaded, which can be used to encrypt passwords:
+
+http://www.jasypt.org/cli.html
+
+Short guide about encrypting passwords:
+
+**1** Encrypt actual component password with secret encrypting password.
+Encrypting password should be a secret password and is created/generated by administator user and should not be written/stored in application.properties or any other config files near the application in the filesystem:
+    
+        ./encrypt.sh input="<the actual component password>" password=<the secret encryptor password>
+
+**2** That above step will generate the encrypted component password, example:
+        
+        rv/2O+hOT4GJSPmmF/cF1w==
+
+**3** Now open application.properties file and add the new encrypted password to the specific component password property with "ENC(<encrypted password>)" format:
+        
+         some.component.password=ENC(rv/2O+hOT4GJSPmmF/cF1w==)
+
+Do step 1 to 3 for all component passwords and properties in application.properties. Remember to use same secret encryptor password for all components passwords.
+
+**4** Now its time to run Eiffel-Intelligence with these encrypted passwords in application.properties.
+Eiffel-Intelligence will decrypt password properties with help of the provided secret encryptor password at run-time.
+Execute Eiffel-Intelligence with "jasypt.encryptor.password=<the secret encryptor password>" flag, example:
+        
+        java -jar eiffel-intelligence-<version>.war --jasypt.encryptor.password=<the secret encryptor password> --spring.config.location=/path/to/application.properties