ID-39: use key file instead of passphrase

mlookaxw · mlookaxw · commit ce0e79e47736 · 2020-05-03T09:32:15.000+02:00
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -15,8 +15,7 @@ Use the `--base-dir` parameter of the configuration tool or the `axway.config.ce
 |Support for confidential properties.
 
 For confidential properties the configuration tools supports to pass a secrets file.
-It is a JSON file where the values of the properties are encrypted by a passphrase.
-
+It is a JSON file where the values of the properties are encrypted by a key.
 |===
 
 == Version 0.12.0
diff --git a/doc/manual/_config-tool.adoc b/doc/manual/_config-tool.adoc
@@ -61,8 +61,8 @@ Options:
   --secrets-file=FILEPATH
                         Path of JSON file containing confidential propertiers
                         [optional]
-  --secrets-passphrase=PASSPHRASE
-                        Passphrase to decrypt confidential properties [optional]
+  --secrets-key=FILEPATH
+                        Path to key file to decrypt confidential properties [optional]
 ....
 
 If environmentalized fields or certificates are not configured, the build fails.
@@ -160,10 +160,15 @@ If specified relative path to certificate files is based on this directory.
 |Path of JSON file containing confidential properties.
 The file has to be created by the `encrypt` tool.
 
-|--secrets-passphrase
-|Passphrase to decryt confidential properties.
-This parameter is requried if a secrets file is specified.
-The passphrase has to be the same as on creating the secrets file.
+|--secrets-key
+|Path to key file to decrypt confidential properties.
+
+This a file containing any arbitrary bytes.
+If you edit this file with a text editor be aware of the encoding and the end of line sequence.
+
+The key file has to be the same as on creating the secrets file.
+
+This parameter is required if a secrets file is specified.
 |===
 
 
@@ -172,7 +177,7 @@ The passphrase has to be the same as on creating the secrets file.
 The `encrypt` tools is used to generate an initial secrets file and to encrypt the values of the properties.
 The script is invoked with the `jython` interpreter provided with the package and deployment tools of the API Gateway.
 
-The tool requries a path to the secrets file and a passphrase to encryt the values.
+The tool requires a path to the secrets file and a passphrase to encrypt the values.
 If the secrets file doesn't exist a new file will be created.
 For existing files the given passphrase is checked against the passphrase used on file creation.
 
@@ -186,8 +191,8 @@ Options:
   -v, --verbose         Enable verbose messages [optional]
   --secrets-file=FILEPATH
                         Path of JSON file containing confidential properties
-  --secrets-passphrase=PASSPHRASE
-                        Passphrase to decrypt confidential values
+  --secrets-key=FILEPATH
+                        Path to key file to decrypt confidential properties
 
 Encrypt credentials.
 ....
@@ -200,9 +205,15 @@ Encrypt credentials.
 |--secrets-file
 |Path of JSON file containing confidential properties.
 
-|--secrets-passphrase
-|Passphrase to decrypt confidential properties.
-This parameter is requried if a secrets file is specified.
+|--secrets-key
+|Path to key file to decrypt confidential properties.
+
+This a file containing any arbitrary bytes.
+
+If you edit this file with a text editor be aware of the encoding and the end of line sequence.
+In this case use ASCII characters in a single line (no line feed at the end).
+
+This parameter is required if a secrets file is specified.
 |===
 
 To add new properties tag the values with the `encrypt:` prefix.
@@ -218,11 +229,11 @@ Values having this prefix will be encrypted on running the tool.
   }
 }
 ----
-<1> Marker to check the passphrase. Don't delete or change it.
+<1> Marker to check the key. Don't delete or change it.
 <2> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted.
 <3> Values without the prefix are already encrypted and will not be changed.
 
-NOTE: The `encrypt` tool use the cipher of the entity store.
+NOTE: The `encrypt` tool use the same cipher as the entity store.
 
 == Configuration Files
 
@@ -507,8 +518,8 @@ For the build process the property file may be temporarily generated from the co
 === Secrets
 
 A secrets file is used to store confidential configurations (e.g. passwords).
-The values of the properties are encrypted and can be access with a passphrase only.
-All values are encrypted with the same passphrase.
+The values of the properties are encrypted and can be access with a key only.
+All values are encrypted with the same key.
 
 .gateway.crypt.json
 [source,json]
@@ -522,6 +533,6 @@ All values are encrypted with the same passphrase.
 }
 ----
 <1> The `secrets` property is requried.
-<2> Marker to check the passphrase. Don't delete or change it.
+<2> Marker to check the key. Don't delete or change it.
 <3> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted by the `encrypt` tool.
 <4> Values without the prefix are already encrypted.
diff --git a/doc/manual/_reference.adoc b/doc/manual/_reference.adoc
@@ -376,8 +376,8 @@ NOTE: It is not checked if the source files are newer than the target artifact.
 |axway.config.secrets.file
 |Path to file storing secrets.
 
-|axway.config.secrets.passphrase
-|Passphrase to decrypt/encrypt values of secrets file.
+|axway.config.secrets.key
+|Path to key file to decrypt/encrypt values of secrets file.
 |===
 
 == Plugin Configuration
@@ -408,7 +408,7 @@ The plugin can also be configured in the `pom.xml` via the <configuration> eleme
     <configCertsBaseDir>${basedir}/src/main/axwgw/certs</configCertsBaseDir> <!--5-->
 
     <configSecretsFile>${basedir}/src/main/axwgw/gateway.crypt.json</configSecretsFile> <!--6-->
-    <configSecretsPassphrase>changeme</configSecretsPassphrase> <!--7-->
+    <configSecretsKey>${user.home}/secrets.key</configSecretsKey> <!--7-->
   </configuration>
 </plugin>
 <!- ... ->
@@ -419,4 +419,4 @@ The plugin can also be configured in the `pom.xml` via the <configuration> eleme
 <4> Location of a list of configuration files for properties.
 <5> Base directory for certificate files.
 <6> Path to secrets file.
-<7> Passphrase to decrypt/encrypt values of secrets file.
+<7> Key file to decrypt/encrypt values of secrets file.
diff --git a/example/config-tool/README.adoc b/example/config-tool/README.adoc
@@ -91,21 +91,29 @@ Remember to use the passphrase `changeme` for the `.pol`and `.env` archive and t
 
 == How does it work?
 
-We have three configuration files in the `config` folder:
+We have a set of configuration files in the `config` folder:
 
  * `gateway.config.json`: used to configure the environmentalized fields.
  * `gateway.certs.json`: used to replace certificates identified by their alias.
  * `gateway.props.json`: used for properties not applicable in the configuration or certs file.
  This file may be generated during the build process with values from external resources (e.g. configuration DB or secured vault).
+ * `gateway.crypt.json`: used for confidential properties.
+ All values in this file are encrypted.
 
 NOTE: For a description of the configuration files please check the link:../../doc/manual/user-guide.adoc[User Guide]
 
+To decrypt the confidential values there is a `key.binary` file.
+This a file containing any arbitrary bytes.
+If you edit this file with a text editor be aware of the encoding and the end of line sequence.
+
+CAUTION: Never store the key file in the source code repository. Here it's only for demonstration.
+
 In this example some environment variables (`INFO_NAME` and `NEW_SERVER_PASSWORD`) are set.
 Then the `buildfed` tool will be invoked with the following parameters:
 
-* `-e src\gateway.env`: specifies the path to the input `.env` archive
-* `-p src\gateway.pol`: specifies the path to the input `.pol` archive
-* `-c config\gateway.config.json`: specifies the path to the environmentalized fields configuration file
+* `-e src/gateway.env`: specifies the path to the input `.env` archive
+* `-p src/gateway.pol`: specifies the path to the input `.pol` archive
+* `-c config/gateway.config.json`: specifies the path to the environmentalized fields configuration file
 * `--cert=config/gateway.certs.json`: specifies the path to the certificates configuration file
 * `--prop=config/gateway.props.json`: specifies the path to a properties file
 * `--prop=config/passwords.props.json`: specifies the path to a second properties file
@@ -114,6 +122,8 @@ Then the `buildfed` tool will be invoked with the following parameters:
 * `--passphrase-out=changed`: passphrase for the generated `.fed` file
 * `-D artifact:demo-1.0.0`: specifies the value of property `artifact` via the command line instead of from the configuration files
 * `-F info.descr:config/description.txt`: specifies to set the value of property `info.descr` from the content of the `config/description.txt` file
+* `--secrets-file=config/gateway.crypt.json`: specifies the path to a properties file containing confidential values
+* `--secrets-key=key.binary`: specifies the path to the key file for decrypting the confidential values
 
 The tool reads the source archives, configures the environmentalized fields, replaces the certificates and write the configured `.fed` file.
 
diff --git a/example/config-tool/encrypt.cmd b/example/config-tool/encrypt.cmd
@@ -4,5 +4,5 @@ SET CMD_HOME=%~dp0
 CD /d "%CMD_HOME%"
 SET ENCRYPT="..\..\src\main\resources\scripts\encrypt.cmd"
 
-CALL %ENCRYPT% --secrets-file=config/gateway.crypt.json --secrets-passphrase=changeme
+CALL %ENCRYPT% --secrets-file=config/gateway.crypt.json --secrets-key=key.binary
 ENDLOCAL
diff --git a/example/config-tool/key.binary b/example/config-tool/key.binary
@@ -0,0 +1 @@
+changeme
diff --git a/example/config-tool/run.cmd b/example/config-tool/run.cmd
@@ -8,5 +8,5 @@ REM Define environment variables for field value and password configuration
 SET INFO_NAME=Demo
 SET NEW_SERVER_PASSWORD=changeme
 
-CALL %BUILDFED% -v -e src\gateway.env -p src\gateway.pol -c config\gateway.config.json --cert=config\gateway.certs.json --prop=config\gateway.props.json --secrets-file=config\gateway.crypt.json --secrets-passphrase=changeme -D artifact:demo-1.0.0 -F info.descr:config\description.txt --output-fed=gateway.fed --passphrase-in=changeme --passphrase-out=changed --base-dir=config/certs
+CALL %BUILDFED% -v -e src\gateway.env -p src\gateway.pol -c config\gateway.config.json --cert=config\gateway.certs.json --prop=config\gateway.props.json --secrets-file=config\gateway.crypt.json --secrets-key=key.binary -D artifact:demo-1.0.0 -F info.descr:config\description.txt --output-fed=gateway.fed --passphrase-in=changeme --passphrase-out=changed --base-dir=config/certs
 ENDLOCAL
diff --git a/src/main/java/com/axway/maven/apigw/AbstractGatewayMojo.java b/src/main/java/com/axway/maven/apigw/AbstractGatewayMojo.java
@@ -107,8 +107,8 @@ public abstract class AbstractGatewayMojo extends AbstractMojo {
 	@Parameter(property = "axway.config.secrets.file", required = false)
 	protected File configSecretsFile = null;
 	
-	@Parameter(property = "axway.config.secrets.passphrase", required = false)
-	protected String configSecretsPassphrase = null;
+	@Parameter(property = "axway.config.secrets.key", required = false)
+	protected File configSecretsKey = null;
 
 	
 	@Parameter(defaultValue = "${project}", readonly = true)
diff --git a/src/main/java/com/axway/maven/apigw/DeploymentArchiveMojo.java b/src/main/java/com/axway/maven/apigw/DeploymentArchiveMojo.java
@@ -170,9 +170,9 @@ private void buildFedArchive(File targetDir, File srcPolFile, File srcEnvFile, F
 			fedBuilder.setCertificatesBasePath(this.configCertsBaseDir);
 		}
 		if (this.configSecretsFile != null) {
-			if (this.configSecretsPassphrase == null)
+			if (this.configSecretsKey == null)
 				throw new MojoExecutionException("Passphrase for secrets file not specified!");
-			fedBuilder.setSecrets(this.configSecretsFile, this.configSecretsPassphrase);
+			fedBuilder.setSecrets(this.configSecretsFile, this.configSecretsKey);
 		}
 
 		fedBuilder.setPassphrasePol(this.passphrasePol);
diff --git a/src/main/java/com/axway/maven/apigw/DeploymentMojo.java b/src/main/java/com/axway/maven/apigw/DeploymentMojo.java
@@ -134,9 +134,9 @@ private File configFed(File pol, File env, File info) throws MojoExecutionExcept
 		fb.enableVerboseMode(this.verboseCfgTools);
 		
 		if (this.configSecretsFile != null) {
-			if (this.configSecretsPassphrase == null)
-				throw new MojoExecutionException("Passphrase for secrets file not specified!");
-			fb.setSecrets(this.configSecretsFile, this.configSecretsPassphrase);
+			if (this.configSecretsKey == null)
+				throw new MojoExecutionException("Key file for secrets is not specified!");
+			fb.setSecrets(this.configSecretsFile, this.configSecretsKey);
 		}
 
 		File fed = new File(getTempDir(), PROJECT_NAME + ".fed");
diff --git a/src/main/java/com/axway/maven/apigw/EncryptMojo.java b/src/main/java/com/axway/maven/apigw/EncryptMojo.java
@@ -17,11 +17,11 @@ public EncryptMojo() {
 	public void execute() throws MojoExecutionException, MojoFailureException {
 		if (this.configSecretsFile == null)
 			throw new MojoExecutionException("Secrets file not specified, nothing to encrypt!");
-		if (this.configSecretsPassphrase == null)
-			throw new MojoExecutionException("Passphrase for secrets file not specified!");
+		if (this.configSecretsKey == null)
+			throw new MojoExecutionException("Key file for secrets not specified!");
 
 		Encryptor e = new Encryptor(this,  this.configSecretsFile);
-		int exitCode = e.execute(this.configSecretsPassphrase);
+		int exitCode = e.execute(this.configSecretsKey);
 		if (exitCode != 0) {
 			throw new MojoExecutionException("failed to encrypt secrets file: exitCode=" + exitCode);
 		}
diff --git a/src/main/java/com/axway/maven/apigw/utils/Encryptor.java b/src/main/java/com/axway/maven/apigw/utils/Encryptor.java
@@ -23,7 +23,7 @@ public void enableVerboseMode(boolean enabled) {
 		this.verboseCfgTools = enabled;
 	}
 
-	public int execute(String passphrase) throws MojoExecutionException {
+	public int execute(File key) throws MojoExecutionException {
 
 		try {
 			JythonExecutor jython = new JythonExecutor(mojo.getHomeAxwayGateway(), mojo.getLog(),
@@ -36,8 +36,8 @@ public int execute(String passphrase) throws MojoExecutionException {
 			if (this.secretsFile != null) {
 				args.add("--secrets-file");
 				args.add(this.secretsFile.getPath());
-				args.add("--secrets-passphrase");
-				args.add(passphrase);
+				args.add("--secrets-key");
+				args.add(key.getPath());
 			}
 			return jython.execute("secrets.py", args.toArray(new String[0]));
 		} catch (JythonExecutorException e) {
diff --git a/src/main/java/com/axway/maven/apigw/utils/FedBuilder.java b/src/main/java/com/axway/maven/apigw/utils/FedBuilder.java
@@ -31,7 +31,7 @@ public class FedBuilder {
 	private boolean verboseCfgTools = false;
 
 	private File secretsFile = null;
-	private String secretsPassphrase = null;
+	private File secretsKey = null;
 
 	public FedBuilder(AbstractGatewayMojo mojo, File polFile, File envFile, File configFile, File infoFile)
 			throws MojoExecutionException {
@@ -93,11 +93,11 @@ public void setPassphraseFed(String passphrase) {
 		this.passphraseFed = passphrase;
 	}
 
-	public void setSecrets(File secretsFile, String passphrase) throws MojoExecutionException {
-		if (secretsFile != null && passphrase == null)
-			throw new MojoExecutionException("No passphrase sepecified for secrets file.");
+	public void setSecrets(File secretsFile, File key) throws MojoExecutionException {
+		if (secretsFile != null && key == null)
+			throw new MojoExecutionException("No key file for secrets is specified!");
 		this.secretsFile = secretsFile;
-		this.secretsPassphrase = passphrase;
+		this.secretsKey = key;
 	}
 
 	public int execute(File targetFed, Map<String, String> props) throws MojoExecutionException {
@@ -138,8 +138,8 @@ public int execute(File targetFed, Map<String, String> props) throws MojoExecuti
 			if (this.secretsFile != null) {
 				args.add("--secrets-file");
 				args.add(this.secretsFile.getPath());
-				args.add("--secrets-passphrase");
-				args.add(this.secretsPassphrase);
+				args.add("--secrets-key");
+				args.add(this.secretsKey.getPath());
 			}
 			args.add("--output-fed");
 			args.add(outFedFile.getPath());
diff --git a/src/main/resources/scripts/lib/buildfed.py b/src/main/resources/scripts/lib/buildfed.py
@@ -53,8 +53,8 @@ def main():
     parser.add_option("-s", "--simulate", dest="simulate", help="Enable simulation mode [optional]", action="store_true")
     parser.add_option("-b", "--base-dir", dest="base_dir", help="Base directory for certificate files [optional]", metavar="DIRECTORY")
     parser.add_option("--secrets-file", dest="secrets_file", help="Path of JSON file containing confidential properties [optional]", metavar="FILEPATH")
-    parser.add_option("--secrets-passphrase", dest="secrets_passphrase", help="Passphrase to decryt confidential properties [optional]", metavar="PASSPHRASE")
-
+    parser.add_option("--secrets-key", dest="secrets_key_file", help="Path to key file to decrypt confidential properties [optional]", metavar="FILEPATH")
+    
     (options, args) = parser.parse_args()
 
     if not options.env_file_path:
@@ -63,8 +63,8 @@ def main():
         parser.error("Policy archive option is missing!")
     if not options.config_file_path:
         parser.error("Configuration file option is missing!")
-    if options.secrets_file and not options.secrets_passphrase:
-        parser.error("Passphrase for secrets file is missing!")
+    if options.secrets_file and not options.secrets_key_file:
+        parser.error("Key file for secrets is missing!")
 
     logging.basicConfig(format='%(levelname)s: %(message)s')
     if options.verbose:
@@ -111,7 +111,7 @@ def main():
         # Set secrets
         secrets = None
         if options.secrets_file:
-            secrets = Secrets(options.secrets_passphrase, options.secrets_file)
+            secrets = Secrets(options.secrets_key_file, options.secrets_file)
 
         # Setup configuration
         fed_config = FedConfigurator(options.pol_file_path, options.env_file_path, options.config_file_path, options.cert_file_path, properties, passphrase_in, secrets)
diff --git a/src/main/resources/scripts/lib/secrets.py b/src/main/resources/scripts/lib/secrets.py

Original file line number	Diff line number	Diff line change
`@@ -170,9 +170,9 @@ private void buildFedArchive(File targetDir, File srcPolFile, File srcEnvFile, F`
`170`	`170`	`fedBuilder.setCertificatesBasePath(this.configCertsBaseDir);`
`171`	`171`	`}`
`172`	`172`	`if (this.configSecretsFile != null) {`
`173`		`- if (this.configSecretsPassphrase == null)`
	`173`	`+ if (this.configSecretsKey == null)`
`174`	`174`	`throw new MojoExecutionException("Passphrase for secrets file not specified!");`
`175`		`- fedBuilder.setSecrets(this.configSecretsFile, this.configSecretsPassphrase);`
	`175`	`+ fedBuilder.setSecrets(this.configSecretsFile, this.configSecretsKey);`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`fedBuilder.setPassphrasePol(this.passphrasePol);`