
carbon-secvault's Issues

Move ciphertool scripts to server level.

ciphertool scripts are now duplicated in each runtime. libs and scripts need to move to server level to avoid duplicates.

  • Make ciphertool a separate feature, as it contains a standalone jar and is not related to the OSGi runtime.

Move secure vault from kernel to a separate repo

Previously secure vault was in carbon kernel. It was tightly coupled with the OSGi context. It was suggested that secure vault should support both OSGi and non-OSGi modes. So remove secure vault from carbon kernel, move it to a separate repo and make the necessary changes for non-OSGi support.

Validate cipher tool

Carbon cipher tool execution scripts have been changed so that they are no longer dependent on the carbon tool executor. These changes are to be tested and validated.

Non OSGI secure vault support

  • Fix the issues in PR #5, i.e., remove unwanted properties, dependencies, proper groupId artifactId, structure (with component and feature), javaDocs, use carbon-feature-plugin 3.0.0, etc...
    In OSGi support, the configuration files should be specific to each runtime, i.e., it should be in /wso2//conf.

  • Support for non-OSGi secure vault - Pending changes.

Resolve jacoco maven plugin - class already instrumented exception when building the project

Jacoco plugin throws class already instrumented exception when building the project. These exceptions should not be thrown and should be resolved

More information:

A sample exception will be as shown below:

    java.lang.instrument.IllegalClassFormatException: Error while instrumenting class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool.
        at org.jacoco.agent.rt.internal_b0d6a23.CoverageTransformer.transform(CoverageTransformer.java:95)
        at sun.instrument.TransformerManager.transform(TransformerManager.java:188)
        at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:428)
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at org.wso2.carbon.secvault.securevault.ciphertool.CipherToolTest.testEncryptionAndDecryption(CipherToolTest.java:43)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:85)
        at org.testng.internal.Invoker.invokeMethod(Invoker.java:659)
        at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:845)
        at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1153)
        at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
        at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:108)
        at org.testng.TestRunner.privateRun(TestRunner.java:771)
        at org.testng.TestRunner.run(TestRunner.java:621)
        at org.testng.SuiteRunner.runTest(SuiteRunner.java:357)
        at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:352)
        at org.testng.SuiteRunner.privateRun(SuiteRunner.java:310)
        at org.testng.SuiteRunner.run(SuiteRunner.java:259)
        at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
        at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
        at org.testng.TestNG.runSuitesSequentially(TestNG.java:1199)
        at org.testng.TestNG.runSuitesLocally(TestNG.java:1124)
        at org.testng.TestNG.run(TestNG.java:1032)
        at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:293)
        at org.apache.maven.surefire.testng.TestNGXmlTestSuite.execute(TestNGXmlTestSuite.java:84)
        at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:91)
        at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
        at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
    Caused by: java.io.IOException: Error while instrumenting class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool.
        at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrumentError(Instrumenter.java:152)
        at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:103)
        at org.jacoco.agent.rt.internal_b0d6a23.CoverageTransformer.transform(CoverageTransformer.java:93)
        ... 42 more
    Caused by: java.lang.IllegalStateException: Class org/wso2/carbon/secvault/securevault/ciphertool/CipherTool is already instrumented.
        at org.jacoco.agent.rt.internal_b0d6a23.core.internal.instr.InstrSupport.assertNotInstrumented(InstrSupport.java:89)
        at org.jacoco.agent.rt.internal_b0d6a23.core.internal.instr.ClassInstrumenter.visitField(ClassInstrumenter.java:55)
        at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassVisitor.visitField(ClassVisitor.java:272)
        at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.readField(ClassReader.java:768)
        at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.accept(ClassReader.java:689)
        at org.jacoco.agent.rt.internal_b0d6a23.asm.ClassReader.accept(ClassReader.java:506)
        at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:83)
        at org.jacoco.agent.rt.internal_b0d6a23.core.instr.Instrumenter.instrument(Instrumenter.java:101)
        ... 43 more
This exception, however, does not impact the build or the jacoco reports in any way. The plugin is configured to proceed, ignoring this warning, and to produce jacoco reports using the following config:

            <execution>
                <id>default-restore-instrumented-classes</id>
                <goals>
                    <goal>restore-instrumented-classes</goal>
                </goals>
            </execution>

Add documentation on how to specify an encrypted element in configurations

Description:
There are no samples available which demonstrate how an element to be encrypted should be specified in configuration files. For example, if a property wso2.password1 with some value has been added to secrets.properties and encrypted, the placeholder ${sec:wso2.password1} has to be specified in the configuration file in place of the value. This should be documented and sampled.

Suggested Labels:
Improvement

Remove "org.easymock" dependency and use "org.mockito" instead

Remove

            <dependency>
                <groupId>org.easymock</groupId>
                <artifactId>easymock</artifactId>
                <version>${easymock.version}</version>
                <scope>test</scope>
            </dependency>

dependency and use

            <dependency>
                <groupId>org.mockito</groupId>
                <artifactId>mockito-core</artifactId>
                <version>${mockito-core.version}</version>
                <scope>test</scope>
            </dependency>

instead for mocking.

The reason for replacing this dependency is that mockito is the library approved by WSO2.

Make secure vault namespace configurable

Currently we hardcode the securevault namespace to "wso2.securevault", so the secure vault configuration must always be kept under wso2.securevault as below.

wso2.securevault:
  secretRepository:
    type: org.wso2.carbon.secvault.repository.DefaultSecretRepository
    parameters:
      privateKeyAlias: wso2carbon
      keystoreLocation: ../../resources/security/securevault.jks
      secretPropertiesFile: ../../conf/${sys:wso2.runtime}/secrets.properties
  masterKeyReader:
    type: org.wso2.carbon.secvault.reader.DefaultMasterKeyReader
    parameters:
      masterKeyReaderFile: ../../conf/${sys:wso2.runtime}/master-keys.yaml

It would be better, if we can make the namespace configurable.
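The two configuration points discussed on this page, the `${sec:alias}` placeholder from the documentation issue above and the configurable namespace requested here, as an added example that is not part of carbon-secvault's code. It assumes the cipher tool's convention that secrets.properties lines read `alias=plainText:value` before encryption and `alias=cipherText:<base64>` afterwards, and it substitutes a toy XOR for decryption with the private key in securevault.jks; the namespace defaults to the currently hardcoded "wso2.securevault" but is passed in by the caller. All sample inputs are constructed.

```python
"""Resolve ${sec:alias} placeholders from a secrets.properties repository,
with the secure vault namespace supplied by the caller. Added example; the
secrets.properties format and the XOR "cipher" are assumptions, not the
project's own code."""
import base64
import re
from typing import Callable, Dict, Tuple

DEFAULT_NAMESPACE = "wso2.securevault"          # the value hardcoded today
PLACEHOLDER = re.compile(r"\$\{sec:([A-Za-z0-9_.\-]+)\}")


def secure_vault_section(config: dict, namespace: str = DEFAULT_NAMESPACE) -> dict:
    """Return the secure vault block of a parsed deployment.yaml.

    The namespace is a parameter, so a product may keep the block under a
    key other than wso2.securevault without touching this loader."""
    if namespace not in config:
        raise KeyError(f"secure vault namespace '{namespace}' not found in configuration")
    section = config[namespace]
    for required in ("secretRepository", "masterKeyReader"):
        if required not in section:
            raise ValueError(f"secure vault configuration lacks '{required}'")
    return section


def parse_secrets_properties(text: str) -> Dict[str, Tuple[str, str]]:
    """Map alias -> (encoding, payload); any other encoding is rejected."""
    secrets: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alias, sep, value = line.partition("=")
        encoding, sep2, payload = value.partition(":")
        if not sep or not sep2 or encoding not in ("plainText", "cipherText"):
            # Report the alias only; never echo the secret value into logs.
            raise ValueError(f"malformed secrets entry for alias '{alias.strip()}'")
        secrets[alias.strip()] = (encoding, payload)
    return secrets


def toy_encrypt(master_key: bytes, plaintext: str) -> str:
    """XOR with the master key, base64-encoded. Illustration only."""
    data = plaintext.encode()
    xored = bytes(b ^ master_key[i % len(master_key)] for i, b in enumerate(data))
    return base64.b64encode(xored).decode()


def toy_decrypt(master_key: bytes, payload_b64: str) -> str:
    """Inverse of toy_encrypt; stands in for the keystore-backed repository."""
    data = base64.b64decode(payload_b64)
    return bytes(b ^ master_key[i % len(master_key)] for i, b in enumerate(data)).decode()


def resolve_placeholders(text: str, secrets: Dict[str, Tuple[str, str]],
                         decrypt: Callable[[str], str],
                         allow_plaintext: bool = False) -> str:
    """Replace every ${sec:alias} in text with the resolved secret.

    Fails closed: an unregistered alias, or a plainText entry while
    allow_plaintext is False (the cipher tool was never run), raises
    instead of silently yielding an empty or unencrypted value."""
    def substitute(match):
        alias = match.group(1)
        if alias not in secrets:
            raise KeyError(f"no secret registered for alias '{alias}'")
        encoding, payload = secrets[alias]
        if encoding == "plainText":
            if not allow_plaintext:
                raise ValueError(f"secret '{alias}' is still plainText; run the cipher tool")
            return payload
        return decrypt(payload)
    return PLACEHOLDER.sub(substitute, text)


# Constructed sample inputs (not taken from the project).
SAMPLE_MASTER_KEY = b"constructed-master-key"
SAMPLE_CONFIG = {
    "wso2.securevault": {
        "secretRepository": {
            "type": "org.wso2.carbon.secvault.repository.DefaultSecretRepository",
            "parameters": {
                "privateKeyAlias": "wso2carbon",
                "keystoreLocation": "../../resources/security/securevault.jks",
                "secretPropertiesFile": "../../conf/${sys:wso2.runtime}/secrets.properties",
            },
        },
        "masterKeyReader": {
            "type": "org.wso2.carbon.secvault.reader.DefaultMasterKeyReader",
            "parameters": {"masterKeyReaderFile": "../../conf/${sys:wso2.runtime}/master-keys.yaml"},
        },
    },
}
SAMPLE_SECRETS = "\n".join([
    "# constructed secrets.properties",
    "wso2.password1=cipherText:" + toy_encrypt(SAMPLE_MASTER_KEY, "s3cr3t-db-pass"),
    "wso2.password2=plainText:never-encrypted",
])
SAMPLE_DEPLOYMENT = "wso2.datasources:\n  password: ${sec:wso2.password1}\n"


def resolve_sample(namespace: str = DEFAULT_NAMESPACE, allow_plaintext: bool = False) -> str:
    """Wire the pieces together over the constructed samples."""
    secure_vault_section(SAMPLE_CONFIG, namespace)  # validates the block exists
    secrets = parse_secrets_properties(SAMPLE_SECRETS)
    return resolve_placeholders(SAMPLE_DEPLOYMENT, secrets,
                                lambda p: toy_decrypt(SAMPLE_MASTER_KEY, p), allow_plaintext)


if __name__ == "__main__":
    print(resolve_sample())
```

The default of `allow_plaintext=False` is the check a practitioner wants in a server start-up path: a `plainText:` entry left behind means the cipher tool never ran on that file, and the safe response is to refuse to start rather than to load an unencrypted credential.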

Move securevault configurations to support multiple runtime

  • move ciphertool.sh scripts to the wso2/{runtime}/bin directory
  • move secrets.properties and master-keys.yaml files to the conf/{runtime} directory
  • move the secure-vault.yaml file to the config-docs directory; we use deployment.yaml to store the configuration.

Move secure vault from Carbon Kernel

In Carbon 5.2.0-m3, carbon secure vault resides in Kernel and supports only OSGi model. This needs to be moved to this repo and in-addition to OSGi support, it should also provide support for non-OSGi.

Move ciphertool jar and scripts to separate feature.

Currently the ciphertool jar and scripts are included in the same secvault feature as the secvault OSGi bundles. Since ciphertool is a standalone jar file, it is better if we can move the tools to a separate feature (org.wso2.carbon.secvault.tools.feature), so that products can add the secure vault tools feature separately.
