ID-39: support encrypted secrets

Author: mlookaxw

CHANGELOG.adoc

@@ -9,6 +9,14 @@
 |Base directory for certificate files.
 
 Use the `--base-dir` parameter of the configuration tool or the `axway.config.certs.basedir` property of the plugin to specify the base directory for certificate files.
+
+|https://github.com/Axway-API-Management-Plus/apigw-maven-plugin/issues/39[#39]
+|Enhancement
+|Support for confidential properties.
+
+For confidential properties the configuration tools supports to pass a secrets file.
+It is a JSON file where the values of the properties are encrypted by a passphrase.
+
 |===
 
 == Version 0.12.0

doc/manual/_config-tool.adoc

@@ -21,7 +21,7 @@ The FED builder takes the `.pol` and `.env` archive and JSON files to configure
 The script is invoked with the `jython` interpreter provided with the package and deployment tools of the API Gateway.
 
 ....
-$ jython buildfed.py --help
+$ buildfed.sh --help
 Usage: buildfed.py OPTIONS
 
 Options:
@@ -56,7 +56,13 @@ Options:
   --passphrase-out=PASSPHRASE
                         Passphrase for output archive files [optional]
   -s, --simulate        Enable simulation mode [optional]
-  -b, --base-dir        Base directory for certificate files [optional]
+  -b DIRECTORY, --base-dir=DIRECTORY
+                        Base directory for certificate files [optional]
+  --secrets-file=FILEPATH
+                        Path of JSON file containing confidential propertiers
+                        [optional]
+  --secrets-passphrase=PASSPHRASE
+                        Passphrase to decrypt confidential properties [optional]
 ....
 
 If environmentalized fields or certificates are not configured, the build fails.
@@ -67,7 +73,6 @@ Missing fields or certificates are automatically added to the configuration file
 |Option
 |Description
 
-
 |-e, --env
 |The `.env` file as generated by the `projpack` tool.
 The option is mandatory.
@@ -150,9 +155,75 @@ To avoid errors due to incompatible types (e.g. placeholder string used for an i
 |-b, --base-dir
 |Base directory for certificate files.
 If specified relative path to certificate files is based on this directory.
+
+|--secrets-file
+|Path of JSON file containing confidential properties.
+The file has to be created by the `encrypt` tool.
+
+|--secrets-passphrase
+|Passphrase to decryt confidential properties.
+This parameter is requried if a secrets file is specified.
+The passphrase has to be the same as on creating the secrets file.
 |===
 
 
+== Encrypt Secrets
+
+The `encrypt` tools is used to generate an initial secrets file and to encrypt the values of the properties.
+The script is invoked with the `jython` interpreter provided with the package and deployment tools of the API Gateway.
+
+The tool requries a path to the secrets file and a passphrase to encryt the values.
+If the secrets file doesn't exist a new file will be created.
+For existing files the given passphrase is checked against the passphrase used on file creation.
+
+....
+$ encrypt.sh -h
+Usage: secrets.py OPTIONS
+
+Options:
+  --version             show program's version number and exit
+  -h, --help            show this help message and exit
+  -v, --verbose         Enable verbose messages [optional]
+  --secrets-file=FILEPATH
+                        Path of JSON file containing confidential properties
+  --secrets-passphrase=PASSPHRASE
+                        Passphrase to decrypt confidential values
+
+Encrypt credentials.
+....
+
+[cols="2,5a", options="header"]
+|===
+|Option
+|Description
+
+|--secrets-file
+|Path of JSON file containing confidential properties.
+
+|--secrets-passphrase
+|Passphrase to decrypt confidential properties.
+This parameter is requried if a secrets file is specified.
+|===
+
+To add new properties tag the values with the `encrypt:` prefix.
+Values having this prefix will be encrypted on running the tool.
+
+[source,json]
+----
+{
+  "secrets": {
+    "__": "3QjoMSfhSelmvMlvcgCdyHf+oTyVnHlyneA3stpN0iQKJ1BUIrY9OA==", <1>
+    "my.password": "encrypt:changeme", <2>
+    "cert.password": "eL5+ogfSxQue8+NA0/l859g/2nTFwxBUp/7l7z/sMOE=" <3>
+  }
+}
+----
+<1> Marker to check the passphrase. Don't delete or change it.
+<2> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted.
+<3> Values without the prefix are already encrypted and will not be changed.
+
+NOTE: The `encrypt` tool use the cipher of the entity store.
+
 == Configuration Files
 
 For the configuration of the environment specific deployment archive, various configuration files are used.
@@ -269,9 +340,20 @@ If the `gateway.info.json` file is not available the property contains an empty
                     "value": "USERNAME" <11>
                 }
             }
+        },
+        "/[CircuitContainer]name=Hello World/[FilterCircuit]name=Hello World Message/[SetAttributeFilter]name=Secret": {
+            "description": "Some secret information", 
+            "fields": {
+                "attributeValue#0": {
+                    "source": "secrets" <12>
+                    "type": "string",
+                    "used": true,
+                    "value": "secret" <13>
+                }
+            }
         }
     }
-    "properties": { <12>
+    "properties": { <14>
         "foobar": "myvalue"
     }
 }
@@ -289,9 +371,12 @@ The property is automatically maintained by the plugin.
 <9> Literal value for the field.
 <10> Specifies an environment variable as the source for the field value.
 <11> Field value is retrieved from the `USERNAME` environment variable.
-<12> An optional local definition of properties.
+<12> Specifies an property from the secrets file as the source for the field value.
+<13> Field value is retrieved from the `secret` property in the secrets file.
+<14> An optional local definition of properties.
 If the same property is defined in a separate property file (see below), the separate property has precedence.
 
+
 NOTE: If `value` is _null_ the field is treated as undefined and the build will fail.
 
 === Certificates
@@ -418,3 +503,25 @@ The shift of properties to a separate file enables them to be exclude from the s
 In productive environments secretes may be stored in a secured configuration database.
 For the build process the property file may be temporarily generated from the configuration database.
 ====
+
+=== Secrets
+
+A secrets file is used to store confidential configurations (e.g. passwords).
+The values of the properties are encrypted and can be access with a passphrase only.
+All values are encrypted with the same passphrase.
+
+.gateway.crypt.json
+[source,json]
+----
+{
+  "secrets": { <1>
+    "__": "3QjoMSfhSelmvMlvcgCdyHf+oTyVnHlyneA3stpN0iQKJ1BUIrY9OA==", <2>
+    "my.password": "encrypt:changeme", <3>
+    "cert.password": "eL5+ogfSxQue8+NA0/l859g/2nTFwxBUp/7l7z/sMOE=" <4>
+  }
+}
+----
+<1> The `secrets` property is requried.
+<2> Marker to check the passphrase. Don't delete or change it.
+<3> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted by the `encrypt` tool.
+<4> Values without the prefix are already encrypted.

doc/manual/_reference.adoc

@@ -357,7 +357,7 @@ Default: 8090
 Default: admin
 
 |axway.anm.password
-|Password word Admin Node Manager (required for deployment only)
+|Password for Admin Node Manager (required for deployment only)
 
 Default: _none_
 
@@ -372,6 +372,12 @@ Default: _none_
 Default: false
 
 NOTE: It is not checked if the source files are newer than the target artifact.
+
+|axway.config.secrets.file
+|Path to file storing secrets.
+
+|axway.config.secrets.passphrase
+|Passphrase to decrypt/encrypt values of secrets file.
 |===
 
 == Plugin Configuration
@@ -400,6 +406,9 @@ The plugin can also be configured in the `pom.xml` via the <configuration> eleme
     </configPropertFiles>
 
     <configCertsBaseDir>${basedir}/src/main/axwgw/certs</configCertsBaseDir> <!--5-->
+
+    <configSecretsFile>${basedir}/src/main/axwgw/gateway.crypt.json</configSecretsFile> <!--6-->
+    <configSecretsPassphrase>changeme</configSecretsPassphrase> <!--7-->
   </configuration>
 </plugin>
 <!- ... ->
@@ -409,3 +418,5 @@ The plugin can also be configured in the `pom.xml` via the <configuration> eleme
 <3> Location of a configuration file for properties.
 <4> Location of a list of configuration files for properties.
 <5> Base directory for certificate files.
+<6> Path to secrets file.
+<7> Passphrase to decrypt/encrypt values of secrets file.

doc/manual/_usage.adoc

@@ -236,6 +236,14 @@ For deployment following properties are used:
 |`axway.config.props.files`
 |Comma separated list of paths to properties configuration files.
 |no
+
+|`axway.config.secrets.file`
+|Path to secrets file.
+|no
+
+|`axway.config.secrets.passphrase`
+|Passphrase to decrypt/encrypt values of secrets file.
+|yes, if secrets file is specified
 |===
 
 Example:
@@ -378,7 +386,34 @@ The plugin includes some Python based scripts to configure environment specific
 The scripts can also be used as standalone tools.
 The goal `apigw:tools` extracts the included script to the `${project.build.directory}/tools` directory.
 
-  $ mvn apigw:tools
+.Command Line
+....
+$ mvn apigw:tools
+....
+
+=== Encrypt Secrets File
+To create an empty secrets file or to add properties to secrets file, the goal `apigw:encrypt` can be used.
+A passphrase is used to initially create the secrets file.
+The same passphrase as used to create the file has to be used to decrypt values.
+
+.gateway.crypt.json
+[source,json]
+----
+{
+  "secrets": { <1>
+    "__": "3QjoMSfhSelmvMlvcgCdyHf+oTyVnHlyneA3stpN0iQKJ1BUIrY9OA==", <2>
+    "my.password": "encrypt:changeme", <3>
+  }
+}
+----
+<1> The `secrets` property is requried.
+<2> Marker to check the passphrase. Don't delete or change it.
+<3> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted by the `encrypt` tool.
+
+.Command Line
+....
+$ mvn apigw:encrypt -Daxway.config.secrets.file=gateway.crypt.json -Daxway.config.secrets.passphrase=changeme
+....
 
 == Maven Goals
 This section provides a short overview of the goals supported by the Maven plugin.
@@ -419,4 +454,8 @@ This section provides a short overview of the goals supported by the Maven plugi
 |apigw:deploy
 |Deploy project to a gateway.
 |yes|yes|yes
+
+|apigw:encrypt
+|Encrypt plain values of secrets file.
+|yes|yes|yes
 |===

example/config-tool/config/gateway.certs.json

@@ -18,7 +18,7 @@
       "update": {
         "file": "staged-server.p12", 
         "password": "cert.password.staged.server", 
-        "source": "property", 
+        "source": "secrets", 
         "type": "p12"
       }
     }, 

example/config-tool/config/gateway.config.json

@@ -48,7 +48,7 @@
       "description": "", 
       "fields": {
         "address#0": {
-          "source": "property", 
+          "source": "secrets", 
           "type": "string", 
           "used": true, 
           "value": "service.address"

example/config-tool/config/gateway.crypt.json

@@ -0,0 +1,7 @@
+{
+  "secrets": {
+    "__": "3QjoMSfhSelmvMlvcgCdyHf+oTyVnHlyneA3stpN0iQKJ1BUIrY9OA==", 
+    "cert.password.staged.server": "Y4H5Is1CiuA8V3jN91y1qpxc3n5IBbM9DSbWH5kqq6w=", 
+    "service.address": "eL5+ogfSxQue8+NA0/l859g/2nTFwxBUp/7l7z/sMOE="
+  }
+}

example/config-tool/config/gateway.props.json

@@ -1,6 +1,5 @@
 {
 	"properties": {
-		"service.address": "localhost",
 		"service.port": 18443
 	}
 }

example/config-tool/config/passwords.props.json

@@ -0,0 +1,8 @@
+@ECHO off
+SETLOCAL
+SET CMD_HOME=%~dp0
+CD /d "%CMD_HOME%"
+SET ENCRYPT="..\..\src\main\resources\scripts\encrypt.cmd"
+
+CALL %ENCRYPT% --secrets-file=config/gateway.crypt.json --secrets-passphrase=changeme
+ENDLOCAL