
carbon-secvault's Introduction

WSO2 Secure Vault

WSO2 Secure Vault lets you store encrypted passwords mapped to aliases, so that configuration files reference an alias instead of the actual password.

For example, some configurations require the admin username and password. If the admin password is 'admin', you can put the alias UserManager.AdminUser.Password in the configuration file and map that alias to the actual password 'admin'. At runtime the product looks up the alias and SecureVault returns the decrypted password.

There are three files that are needed by the SecureVault:

  1. secure-vault.yaml: Holds the SecureVault configuration. It has two major sections (secretRepository: and masterKeyReader:), which correspond to the initialization of SecretRepository and MasterKeyReader respectively.

    In OSGi mode, a separate secure-vault.yaml file is not maintained; instead, the SecureVault configuration is kept in deployment.yaml (the global configuration file).

    In non-OSGi mode, the SecureVault configuration can be maintained as a separate file (secure-vault.yaml) or merged into the server configuration file.

    Example:

     wso2.securevault:
       secretRepository:
         type: org.wso2.carbon.secvault.repository.DefaultSecretRepository
         parameters:
           privateKeyAlias: wso2carbon
           keystoreLocation: resources/security/securevault.jks
           secretPropertiesFile: conf/secrets.properties
       masterKeyReader:
         type: org.wso2.carbon.secvault.reader.DefaultMasterKeyReader
         parameters:
           masterKeyReaderFile: conf/master-keys.yaml
    
  2. master-keys.yaml: The default SecureVault implementation is based on a Java KeyStore (JKS). The passwords needed to open the keystore and the private key are given in this file. They must be base64-encoded and carry the explicit YAML type tag !!binary. Example:

     permanent: true
     masterKeys:
       keyStorePassword: !!binary d3NvMmNhcmJvbg==
       privateKeyPassword: !!binary d3NvMmNhcmJvbg==
    

    permanent: whether to keep this file permanently or delete it after it has been read.
    masterKeys: key/value pairs of the required master keys and their passwords (base64-encoded).
    relocation: optional. If specified, everything else in this file is ignored and the master keys are read from the file it names.

    Base64 is an encoding, not encryption: anyone who can read master-keys.yaml can recover the keystore and private key passwords. Restrict the file's permissions, or set permanent: false so it is removed after the first read.

  3. secrets.properties: Maps each alias to its password, either in plain text (plainText prefix) or encrypted (cipherText prefix). The example shows the same alias in both forms:

     UserManager.AdminUser.Password=plainText ABC@123
     UserManager.AdminUser.Password=cipherText SnBSWKjtZZOo0UsmOpPRhP6ZMNYTb80+BZHRDC/kxNT9ExcTswAbFjb/aip2KgQNaVuIT27UtrBaIv77Mb5sNPGiwyPrfajLNhSOlke2p8YmMkegx/mG2ytJhJa5j9iMGtCsbMt+SAf85v6kGIiH0gZA20qDZ9jnveT7/Ifz7v0\=
    

The SecureVault reads the aliases and passwords given in the secrets.properties file and returns the resolved (decrypted) password.

The SecureVault implementation has two major sub-components, the Master Key Reader and the Secret Repository, and allows you to plug in custom implementations of both:

  1. Secret Repository: the default implementation is based on the aliases and passwords given in the secrets.properties file and the JKS configured in secure-vault.yaml.
  2. Master Key Reader: the default implementation gets the list of required master keys from the Secret Repository and supplies their values by reading system properties, environment variables and the master-keys.yaml file.
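The following is an added example written for this page, not code from the carbon-secvault project, showing what a master key reader has to do with the master-keys.yaml shape above: decode the mandatory !!binary (base64) values, honour relocation and permanent: false, and consult system properties and environment variables before the file. Assumptions: the lookup order (system property, then environment variable, then file) is the one implied by the list above but not stated explicitly; the relocation path is resolved relative to the working directory; and the hand-rolled reader understands only the flat shape shown above, not general YAML.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class MasterKeyDemo {

    // Reads the flat master-keys.yaml shape (permanent / masterKeys / optional relocation).
    // Hand-rolled for this demo: it understands only that shape, not general YAML (assumption).
    static Map<String, String> readMasterKeysFile(Path file) throws Exception {
        Map<String, String> keys = new LinkedHashMap<>();
        boolean permanent = true;
        Path relocation = null;
        for (String raw : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.equals("masterKeys:")) continue;
            int colon = line.indexOf(':');
            if (colon < 0) throw new IllegalArgumentException("malformed line: " + raw);
            String key = line.substring(0, colon).trim();
            String value = line.substring(colon + 1).trim();
            if (key.equals("permanent")) { permanent = Boolean.parseBoolean(value); continue; }
            if (key.equals("relocation")) { relocation = Paths.get(value); continue; }  // cwd-relative (assumption)
            // master key entries: the explicit !!binary tag is mandatory and the payload is plain base64
            if (!value.startsWith("!!binary ")) {
                throw new IllegalArgumentException(key + ": master key values must be written as '!!binary <base64>'");
            }
            byte[] decoded = Base64.getDecoder().decode(value.substring("!!binary ".length()));
            keys.put(key, new String(decoded, StandardCharsets.UTF_8));
        }
        if (relocation != null) {
            // relocation wins over everything else in this file; this file is left untouched
            return readMasterKeysFile(relocation);
        }
        if (!permanent) {
            Files.delete(file);  // permanent: false means the file is consumed on first read
        }
        return keys;
    }

    // Lookup order used by this demo: JVM system property, then environment variable, then the file (assumption).
    static String resolveMasterKey(String name, Map<String, String> fromFile) {
        String v = System.getProperty(name);
        if (v == null) v = System.getenv(name);
        if (v == null) v = fromFile.get(name);
        if (v == null) throw new IllegalStateException("master key not found: " + name);
        return v;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("secvault-demo");
        Path masterKeys = dir.resolve("master-keys.yaml");
        // constructed file: same content as the example above, but with permanent: false
        Files.write(masterKeys, ("permanent: false\n"
                + "masterKeys:\n"
                + "  keyStorePassword: !!binary d3NvMmNhcmJvbg==\n"
                + "  privateKeyPassword: !!binary d3NvMmNhcmJvbg==\n").getBytes(StandardCharsets.UTF_8));

        Map<String, String> fromFile = readMasterKeysFile(masterKeys);
        // d3NvMmNhcmJvbg== is just base64 for "wso2carbon": no secret protects it
        System.out.println("keyStorePassword = " + resolveMasterKey("keyStorePassword", fromFile));
        System.out.println("file still present after read: " + Files.exists(masterKeys));
    }
}
```

Run with `java MasterKeyDemo.java` (JDK 11+). Setting `-DkeyStorePassword=...` on the command line or exporting `keyStorePassword` in the environment overrides the file value in this demo, which is the property that lets you keep master keys out of the filesystem entirely.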

How To Use Secure Vault

SecureVault reads the aliases and passwords given in the secrets.properties file, which may contain both plain-text and encrypted passwords. A separate tool, 'ciphertool', encrypts the file: when run, it encrypts every plain-text password in secrets.properties.

CipherTool also depends on the configuration in secure-vault.yaml (the keystore location and private key alias under secretRepository), so it is mandatory to update secure-vault.yaml before running it. Once configured, running ciphertool is as simple as running the script (ciphertool.sh on Linux/Mac, ciphertool.bat on Windows).
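To make the secrets.properties format and the ciphertool round trip concrete, here is an added, self-contained Java sketch written for this page; it is not the project's ciphertool or resolver code. It turns every `plainText` entry into a `cipherText` entry, writes the file through java.util.Properties (which is what produces the `\=` escaping visible in the sample above), then resolves `${sec:alias}` placeholders (the form described in the issue tracker below) by decrypting with the private key. Assumptions: a freshly generated RSA key pair stands in for the key under privateKeyAlias in securevault.jks, and the transformation RSA/ECB/PKCS1Padding is the demo's choice, since this page does not state which cipher or padding the project uses.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

public class SecretsDemo {

    // Demo choice: the project's actual cipher and padding are not stated on this page (assumption).
    private static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";
    // ${sec:alias} placeholder form as described in the issue tracker
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{sec:([^}]+)\\}");

    // ciphertool step: every "plainText ..." entry becomes "cipherText <base64 RSA blob>";
    // entries that are already cipherText are copied through unchanged
    static Properties encryptPlainTextEntries(Properties in, KeyPair kp) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        Properties out = new Properties();
        for (String alias : in.stringPropertyNames()) {
            String value = in.getProperty(alias);
            if (value.startsWith("plainText ")) {
                byte[] ct = cipher.doFinal(value.substring("plainText ".length()).getBytes(StandardCharsets.UTF_8));
                out.setProperty(alias, "cipherText " + Base64.getEncoder().encodeToString(ct));
            } else if (value.startsWith("cipherText ")) {
                out.setProperty(alias, value);
            } else {
                throw new IllegalArgumentException("alias " + alias + ": value must start with 'plainText ' or 'cipherText '");
            }
        }
        return out;
    }

    // resolver step: return the secret behind an alias, decrypting cipherText with the private key
    static String resolveSecret(Properties secrets, String alias, KeyPair kp) throws Exception {
        String value = secrets.getProperty(alias);
        if (value == null) throw new IllegalArgumentException("no such alias: " + alias);
        if (value.startsWith("plainText ")) return value.substring("plainText ".length());
        if (value.startsWith("cipherText ")) {
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            byte[] pt = cipher.doFinal(Base64.getDecoder().decode(value.substring("cipherText ".length())));
            return new String(pt, StandardCharsets.UTF_8);
        }
        throw new IllegalArgumentException("alias " + alias + ": unknown value type");
    }

    // replace every ${sec:alias} in a configuration string with the resolved secret
    static String resolvePlaceholders(String config, Properties secrets, KeyPair kp) throws Exception {
        Matcher m = PLACEHOLDER.matcher(config);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(sb, Matcher.quoteReplacement(resolveSecret(secrets, m.group(1), kp)));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // stands in for the private key stored under privateKeyAlias in securevault.jks (assumption)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // constructed secrets.properties content, before ciphertool has run
        Properties before = new Properties();
        before.load(new StringReader("UserManager.AdminUser.Password=plainText ABC@123\n"
                                    + "wso2.password1=plainText s3cr3t=value\n"));

        Properties after = encryptPlainTextEntries(before, kp);

        // Properties.store escapes '=' in values as '\=', which is why the sample line above ends in '\='
        StringWriter w = new StringWriter();
        after.store(w, null);
        System.out.println(w);

        // Properties.load undoes the escaping when the file is read back
        Properties reloaded = new Properties();
        reloaded.load(new StringReader(w.toString()));

        String config = "adminPassword: ${sec:UserManager.AdminUser.Password}\ndbPassword: ${sec:wso2.password1}\n";
        System.out.print(resolvePlaceholders(config, reloaded, kp));
    }
}
```

Run with `java SecretsDemo.java` (JDK 11+). The printed properties show the `\=` escaping on the base64 padding, and the final two lines show the placeholders replaced by the original plain-text values. Note that decryption needs only the private key; the master keys from master-keys.yaml are what unlock that key in the real keystore-backed repository.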

For more information, please refer to the document linked below.


carbon-secvault's Issues

Non OSGI secure vault support

  • Fix the issues in PR #5, i.e., remove unwanted properties, dependencies, proper groupId artifactId, structure (with component and feature), javaDocs, use carbon-feature-plugin 3.0.0, etc...
    In OSGi support, the configuration files should be specific to each runtime, i.e., they should be in /wso2//conf.

  • Support for non-OSGi secure vault - Pending changes.

Add documentation on how to specify an encrypted element in configurations

Description:
There are no samples available which demonstrate how an element to be encrypted should be specified in configuration files. For example, if a property wso2.password1 with some value has been added to secrets.properties and encrypted, the placeholder ${sec:wso2.password1} has to be specified in the configuration file in place of the value. This should be documented and sampled.

Suggested Labels:
Improvement

Move securevault configurations to support multiple runtime

  • move ciphertool.sh scripts to wso2/{runtime}/bin directory
  • move secrets.properties and master-keys.yaml files to conf/{runtime} directory
  • move secure-vault.yaml file to config-docs directory. we use deployment.yaml to store the configuration.

Validate cipher tool

Carbon cipher tool execution scripts are changed such that they are no longer dependent on the carbon tool executor. These changes are to be tested and validated.

Remove "org.easymock" dependency and use "org.mockito" instead

Remove

            <dependency>
                <groupId>org.easymock</groupId>
                <artifactId>easymock</artifactId>
                <version>${easymock.version}</version>
                <scope>test</scope>
            </dependency>

dependency and use

            <dependency>
                <groupId>org.mockito</groupId>
                <artifactId>mockito-core</artifactId>
                <version>${mockito-core.version}</version>
                <scope>test</scope>
            </dependency>

instead for mocking.

The reason for replacing this dependency is that Mockito is the library approved by WSO2.

Move secure vault from Carbon Kernel

In Carbon 5.2.0-m3, carbon secure vault resides in Kernel and supports only OSGi model. This needs to be moved to this repo and in-addition to OSGi support, it should also provide support for non-OSGi.

Move ciphertool scripts to server level.

ciphertool scripts are now duplicated in each runtime. libs and scripts need to move to server level to avoid duplicates.

  • Make ciphertool a separate feature, as it contains a standalone jar that does not relate to the OSGi runtime.

Make secure vault namespace configurable

Currently we hardcode the securevault namespace to "wso2.securevault". So the secure vault configuration should always be kept under wso2.securevault as below.

wso2.securevault:
  secretRepository:
    type: org.wso2.carbon.secvault.repository.DefaultSecretRepository
    parameters:
      privateKeyAlias: wso2carbon
      keystoreLocation: ../../resources/security/securevault.jks
      secretPropertiesFile: ../../conf/${sys:wso2.runtime}/secrets.properties
  masterKeyReader:
    type: org.wso2.carbon.secvault.reader.DefaultMasterKeyReader
    parameters:
      masterKeyReaderFile: ../../conf/${sys:wso2.runtime}/master-keys.yaml

It would be better, if we can make the namespace configurable.

Move secure vault from kernel to a separate repo

Previously, secure vault was in carbon kernel and was tightly coupled with the OSGi context. It was suggested that secure vault should support both OSGi and non-OSGi modes. So remove secure vault from carbon kernel, move it to a separate repo and make the necessary changes for non-OSGi support.

Move ciphertool jar and scripts to separate feature.

Currently the ciphertool jar and scripts are included in the same secvault feature as the secvault OSGi bundles. Since ciphertool is a standalone jar file, it is better if we can move the tools to a separate feature (org.wso2.carbon.secvault.tools.feature), so products can add the secure vault tools feature separately.

Resolve jacoco maven plugin - class already instrumented exception when building the project

Jacoco plugin throws class already instrumented exception when building the project. These exceptions should not be thrown and should be resolved

More information:

A sample exception will be as shown below:

java.lang.instrument.IllegalClassFormatException: Error while instrumenting class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool.
    at org.jacoco.agent.rt.internal_b0d6a23.CoverageTransformer.transform(CoverageTransformer.java:95)
    at sun.instrument.TransformerManager.transform(TransformerManager.java:188)
    at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:428)
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.wso2.carbon.secvault.securevault.ciphertool.CipherToolTest.testEncryptionAndDecryption(CipherToolTest.java:43)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:85)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:659)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:845)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1153)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:108)
    at org.testng.TestRunner.privateRun(TestRunner.java:771)
    at org.testng.TestRunner.run(TestRunner.java:621)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:357)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:352)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:310)
    at org.testng.SuiteRunner.run(SuiteRunner.java:259)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1199)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1124)
    at org.testng.TestNG.run(TestNG.java:1032)
    at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:293)
    at org.apache.maven.surefire.testng.TestNGXmlTestSuite.execute(TestNGXmlTestSuite.java:84)
    at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:91)
    at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
Caused by: java.io.IOException: Error while instrumenting class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool.
    at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrumentError(Instrumenter.java:152)
    at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:103)
    at org.jacoco.agent.rt.internal_b0d6a23.CoverageTransformer.transform(CoverageTransformer.java:93)
    ... 42 more
Caused by: java.lang.IllegalStateException: Class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool is already instrumented.
    at org.jacoco.agent.rt.internal_b0d6a23.core.internal.instr.InstrSupport.assertNotInstrumented(InstrSupport.java:89)
    at org.jacoco.agent.rt.internal_b0d6a23.core.internal.instr.ClassInstrumenter.visitField(ClassInstrumenter.java:55)
    at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassVisitor.visitField(ClassVisitor.java:272)
    at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.readField(ClassReader.java:768)
    at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.accept(ClassReader.java:689)
    at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.accept(ClassReader.java:506)
    at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:83)
    at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:101)
    ... 43 more
This exception, however, does not impact the build or the jacoco reports in any way. The plugin is configured to proceed, ignoring this warning, and produce jacoco reports using the following config:

<execution>
    <id>default-restore-instrumented-classes</id>
    <goals>
        <goal>restore-instrumented-classes</goal>
    </goals>
</execution>
