com.netflix.spinnaker.kork.secrets.EncryptedSecret Java Examples
The following examples show how to use
com.netflix.spinnaker.kork.secrets.EncryptedSecret.
Example #1
Source File: GcsSecretEngine.java From kork with Apache License 2.0 | 6 votes |
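/**
 * Streams the object named by the secret's {@code STORAGE_FILE_URI} parameter out of the GCS
 * bucket named by {@code STORAGE_BUCKET}.
 *
 * <p>Only the bucket and object names are logged; the content itself never reaches the log.
 *
 * @param encryptedSecret parsed secret reference carrying the bucket and object parameters
 * @return the object's content as a stream; the caller is responsible for closing it
 * @throws SecretException if the storage client cannot be obtained or the object cannot be
 *     read; the underlying {@link IOException} is preserved as the cause
 */
@Override
protected InputStream downloadRemoteFile(EncryptedSecret encryptedSecret) {
  String bucket = encryptedSecret.getParams().get(STORAGE_BUCKET);
  String objName = encryptedSecret.getParams().get(STORAGE_FILE_URI);
  log.info("Getting contents of object {} from bucket {}", objName, bucket);
  try {
    // getStorage() and/or the media download declare IOException — both sit inside the try.
    Storage storage = getStorage();
    return storage.objects().get(bucket, objName).executeMediaAsInputStream();
  } catch (IOException e) {
    // Chain the cause so the original stack trace survives; the message keeps e.toString()
    // for callers that only surface getMessage().
    throw new SecretException(
        String.format(
            "Error reading contents of GCS. Bucket: %s, Object: %s.\nError: %s",
            bucket, objName, e.toString()),
        e);
  }
}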
Example #2
Source File: LocalFileConverter.java From halyard with Apache License 2.0 | 6 votes |
/**
 * Converts a command-line file argument into the value that is stored in the config.
 *
 * <p>Encrypted-secret references and config-server resources are passed through untouched so
 * they can be resolved later by the component that owns them. When a remote daemon is in use
 * the local file is read and its text is returned (presumably because the daemon cannot reach
 * the caller's file system — confirm against the daemon side); otherwise the argument is
 * normalised to an absolute local path.
 *
 * @param value the raw argument value
 * @return the unchanged reference, the file's contents, or the absolute path
 * @throws HalException with {@code FATAL} severity if the file must be read but cannot be
 */
@Override
public String convert(String value) {
  boolean passThrough =
      EncryptedSecret.isEncryptedSecret(value) || isConfigServerResource(value);
  if (passThrough) {
    return value;
  }
  File localFile = new File(value);
  boolean remoteDaemon = GlobalApplicationOptions.getInstance().isUseRemoteDaemon();
  if (!remoteDaemon) {
    return localFile.getAbsolutePath();
  }
  try {
    return FileUtil.readAsString(localFile);
  } catch (IOException e) {
    throw new HalException(
        Problem.Severity.FATAL,
        "Was passed parameter " + value + " to unreadable file: " + e.getMessage());
  }
}
Example #3
Source File: DecryptingObjectMapper.java From halyard with Apache License 2.0 | 6 votes |
/**
 * Builds a serializer for secret-valued string properties.
 *
 * <p>An {@code encrypted:...} reference is resolved through the session manager and the
 * plaintext is what ends up in the generated JSON — whoever can read the output can read the
 * secret. Any other value is written via {@code toString()}; a {@code null} is skipped
 * without emitting a token.
 *
 * @return a scalar serializer for secret properties
 */
protected StdScalarSerializer<Object> getSecretSerializer() {
  return new StdScalarSerializer<Object>(String.class, false) {
    @Override
    public void serialize(Object value, JsonGenerator gen, SerializerProvider provider)
        throws IOException {
      if (value == null) {
        return;
      }
      String text = value.toString();
      String output =
          EncryptedSecret.isEncryptedSecret(text) ? secretSessionManager.decrypt(text) : text;
      gen.writeString(output);
    }
  };
}
Example #4
Source File: DecryptingObjectMapper.java From halyard with Apache License 2.0 | 6 votes |
/**
 * Builds a serializer for properties annotated with {@code SecretFile}.
 *
 * <p>A value that is neither an encrypted-secret reference nor a URL is treated as a file
 * path and gets {@code annotation.prefix()} prepended. An encrypted reference is, when
 * {@code shouldDecrypt} is set, decrypted to bytes, registered on the profile under a freshly
 * generated file name, and replaced by the prefixed path of that file; the decrypted bytes
 * live on the profile from then on. Otherwise the (possibly prefixed) value is written as-is.
 * A {@code null} is skipped without emitting a token.
 *
 * @param beanPropertyWriter the property being serialized; its name seeds the generated file name
 * @param annotation the annotation supplying the path prefix
 * @param shouldDecrypt whether encrypted references are materialised as decrypted files
 * @return a scalar serializer for the property
 */
protected StdScalarSerializer<Object> getSecretFileSerializer(
    BeanPropertyWriter beanPropertyWriter, SecretFile annotation, boolean shouldDecrypt) {
  return new StdScalarSerializer<Object>(String.class, false) {
    @Override
    public void serialize(Object value, JsonGenerator gen, SerializerProvider provider)
        throws IOException {
      if (value == null) {
        return;
      }
      String text = value.toString();
      // metadataUrl is either a URL or a filepath, so only add prefix if it's a path
      if (!EncryptedSecret.isEncryptedSecret(text) && !isURL(text)) {
        text = annotation.prefix() + text;
      }
      // Re-check after prefixing so the decision matches the value that will be written.
      if (shouldDecrypt && EncryptedSecret.isEncryptedSecret(text)) {
        // Decrypt the content of the file and store on the profile under a random
        // generated file name
        String fileName = newRandomFilePath(beanPropertyWriter.getName());
        byte[] plaintext = secretSessionManager.decryptAsBytes(text);
        profile.getDecryptedFiles().put(fileName, plaintext);
        text = annotation.prefix() + getCompleteFilePath(fileName);
      }
      gen.writeString(text);
    }
  };
}
Example #5
Source File: SecretsManagerSecretEngine.java From kork with Apache License 2.0 | 6 votes |
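/**
 * Resolves a Secrets Manager reference to its raw bytes.
 *
 * <p>A file reference ({@code encryptedFile:...}) returns the whole secret: the binary payload
 * when one is present, else the string payload encoded as UTF-8. A plain reference returns the
 * secret string, narrowed to the {@code SECRET_KEY} entry when that parameter is given.
 *
 * @param encryptedSecret parsed reference carrying {@code SECRET_REGION}, {@code SECRET_NAME}
 *     and optionally {@code SECRET_KEY}
 * @return the secret bytes
 */
@Override
public byte[] decrypt(EncryptedSecret encryptedSecret) {
  String secretRegion = encryptedSecret.getParams().get(SECRET_REGION);
  String secretName = encryptedSecret.getParams().get(SECRET_NAME);
  String secretKey = encryptedSecret.getParams().get(SECRET_KEY);
  if (encryptedSecret.isEncryptedFile()) {
    GetSecretValueResult secretFileValue = getSecretValue(secretRegion, secretName);
    if (secretFileValue.getSecretBinary() != null) {
      // NOTE(review): array() hands back the whole backing array, which only equals the
      // payload when the buffer is an unsliced wrap — confirm against the SDK.
      return secretFileValue.getSecretBinary().array();
    }
    // Explicit charset: the platform default is not guaranteed to be UTF-8 before Java 18,
    // and a secret must not change bytes depending on where it is decoded.
    return secretFileValue.getSecretString().getBytes(java.nio.charset.StandardCharsets.UTF_8);
  }
  if (secretKey != null) {
    return getSecretString(secretRegion, secretName, secretKey);
  }
  return getSecretString(secretRegion, secretName);
}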
Example #6
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/** A plain {@code encrypted:} reference with a {@code k:} parameter yields that key's value. */
@Test
public void decryptStringWithKey() {
  String reference = "encrypted:secrets-manager!r:us-west-2!s:test-secret!k:password";
  EncryptedSecret keyedSecret = EncryptedSecret.parse(reference);
  doReturn(kvSecretValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  byte[] decrypted = secretsManagerSecretEngine.decrypt(keyedSecret);
  assertArrayEquals("hunter2".getBytes(), decrypted);
}
Example #7
Source File: AbstractStorageEngineTest.java From kork with Apache License 2.0 | 5 votes |
/**
 * Builds a minimal concrete engine for the tests: remote download is stubbed to return
 * {@code null} and the identifier is fixed to {@code "test"}.
 */
@Before
public void init() {
  AbstractStorageSecretEngine stub =
      new AbstractStorageSecretEngine() {
        @Override
        protected InputStream downloadRemoteFile(EncryptedSecret encryptedSecret) {
          // No remote access in tests.
          return null;
        }

        @Override
        public String identifier() {
          return "test";
        }
      };
  engine = stub;
}
Example #8
Source File: AbstractStorageSecretEngine.java From kork with Apache License 2.0 | 5 votes |
/**
 * Checks that a storage-backed reference names a bucket, a region and a file.
 *
 * <p>Parameters are checked in that order and the first missing one is reported; values are
 * not inspected here, only presence.
 *
 * @param encryptedSecret the parsed reference to check
 * @throws InvalidSecretFormatException naming the first missing parameter
 */
public void validate(EncryptedSecret encryptedSecret) throws InvalidSecretFormatException {
  Set<String> present = encryptedSecret.getParams().keySet();
  boolean hasBucket = present.contains(STORAGE_BUCKET);
  if (!hasBucket) {
    throw new InvalidSecretFormatException(
        "Storage bucket parameter is missing (" + STORAGE_BUCKET + "=...)");
  }
  boolean hasRegion = present.contains(STORAGE_REGION);
  if (!hasRegion) {
    throw new InvalidSecretFormatException(
        "Storage region parameter is missing (" + STORAGE_REGION + "=...)");
  }
  boolean hasFile = present.contains(STORAGE_FILE_URI);
  if (!hasFile) {
    throw new InvalidSecretFormatException(
        "Storage file parameter is missing (" + STORAGE_FILE_URI + "=...)");
  }
}
Example #9
Source File: GcsSecretEngine.java From kork with Apache License 2.0 | 5 votes |
/**
 * Checks that a GCS reference names a bucket and a file.
 *
 * <p>Unlike the base storage engine's check, no region parameter is required here. Only
 * presence is checked, not the values.
 *
 * @param encryptedSecret the parsed reference to check
 * @throws InvalidSecretFormatException naming the first missing parameter
 */
@Override
public void validate(EncryptedSecret encryptedSecret) throws InvalidSecretFormatException {
  Set<String> present = encryptedSecret.getParams().keySet();
  if (!present.contains(STORAGE_BUCKET)) {
    String message = "Storage bucket parameter is missing (" + STORAGE_BUCKET + "=...)";
    throw new InvalidSecretFormatException(message);
  }
  if (!present.contains(STORAGE_FILE_URI)) {
    String message = "Storage file parameter is missing (" + STORAGE_FILE_URI + "=...)";
    throw new InvalidSecretFormatException(message);
  }
}
Example #10
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/** A keyed string lookup that lands on a binary secret is rejected with a SecretException. */
@Test
public void decryptStringWithBinaryResult() {
  String reference = "encrypted:secrets-manager!r:us-west-2!s:test-secret!k:password";
  EncryptedSecret keyedSecret = EncryptedSecret.parse(reference);
  doReturn(binarySecretValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  // The expectation must be registered before the call under test.
  exceptionRule.expect(SecretException.class);
  secretsManagerSecretEngine.decrypt(keyedSecret);
}
Example #11
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/** A file reference returns the binary payload unchanged. */
@Test
public void decryptSecretBinaryAsFile() {
  String reference = "encryptedFile:secrets-manager!r:us-west-2!s:private-key";
  EncryptedSecret fileSecret = EncryptedSecret.parse(reference);
  doReturn(binarySecretValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  byte[] decrypted = secretsManagerSecretEngine.decrypt(fileSecret);
  assertArrayEquals("i'm binary".getBytes(), decrypted);
}
Example #12
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/** A file reference whose secret is a string returns that string's bytes. */
@Test
public void decryptSecretStringAsFile() {
  String reference = "encryptedFile:secrets-manager!r:us-west-2!s:private-key";
  EncryptedSecret fileSecret = EncryptedSecret.parse(reference);
  doReturn(secretStringFileValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  byte[] decrypted = secretsManagerSecretEngine.decrypt(fileSecret);
  assertArrayEquals("BEGIN RSA PRIVATE KEY".getBytes(), decrypted);
}
Example #13
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/**
 * A file reference that also carries a {@code k:} parameter fails validation. Despite the
 * method name this exercises {@code validate}, not {@code decrypt}.
 */
@Test
public void decryptFileWithKey() {
  String reference = "encryptedFile:secrets-manager!r:us-west-2!s:private-key!k:password";
  EncryptedSecret keyedFileSecret = EncryptedSecret.parse(reference);
  // The expectation must be registered before the call under test.
  exceptionRule.expect(InvalidSecretFormatException.class);
  doReturn(kvSecretValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  secretsManagerSecretEngine.validate(keyedFileSecret);
}
Example #14
Source File: SecretsManagerSecretEngineTest.java From kork with Apache License 2.0 | 5 votes |
/** A plain reference without a {@code k:} parameter returns the whole secret string. */
@Test
public void decryptStringWithoutKey() {
  String reference = "encrypted:secrets-manager!r:us-west-2!s:test-secret";
  EncryptedSecret unkeyedSecret = EncryptedSecret.parse(reference);
  doReturn(plaintextSecretValue).when(secretsManagerSecretEngine).getSecretValue(any(), any());
  byte[] decrypted = secretsManagerSecretEngine.decrypt(unkeyedSecret);
  assertArrayEquals("letmein".getBytes(), decrypted);
}
Example #15
Source File: SecretsManagerSecretEngine.java From cerberus with Apache License 2.0 | 5 votes |
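/**
 * Fetches a secret from AWS Secrets Manager in the region named by the reference.
 *
 * <p>A string secret is expected to be a JSON object and the entry named by
 * {@code SECRET_KEY} is returned as UTF-8 bytes; a binary secret is returned as-is. Only the
 * secret's identifiers (name, region, key name) are ever logged, never its value.
 *
 * @param encryptedSecret parsed reference carrying {@code SECRET_NAME}, {@code SECRET_REGION}
 *     and {@code SECRET_KEY}
 * @return the secret bytes
 * @throws RuntimeException if the Secrets Manager call fails; the SDK exception is the cause
 * @throws InvalidSecretFormatException if a string secret has no entry for {@code SECRET_KEY}
 *     or the secret carries neither a string nor a binary payload
 */
@Override
public byte[] decrypt(EncryptedSecret encryptedSecret) {
  String secretName = encryptedSecret.getParams().get(SECRET_NAME);
  String secretRegion = encryptedSecret.getParams().get(SECRET_REGION);
  String secretKey = encryptedSecret.getParams().get(SECRET_KEY);
  AWSSecretsManager client =
      AWSSecretsManagerClientBuilder.standard().withRegion(secretRegion).build();
  GetSecretValueResult result;
  try {
    result = client.getSecretValue(new GetSecretValueRequest().withSecretId(secretName));
  } catch (Exception e) {
    log.error(
        "An error occurred when trying to use AWS Secrets Manager to fetch: [secretName: {}, secretRegion: {}, secretKey: {}]",
        secretName,
        secretRegion,
        secretKey,
        e);
    throw new RuntimeException("Failed to fetch secret from AWS Secrets Manager", e);
  } finally {
    // The client is built per call, so release its connections once the call is done.
    client.shutdown();
  }
  String secretString = result.getSecretString();
  if (secretString == null) {
    if (result.getSecretBinary() == null) {
      // Previously a bare NullPointerException; name the problem instead.
      throw new InvalidSecretFormatException(
          "Secret " + secretName + " has neither a string nor a binary value");
    }
    return result.getSecretBinary().array();
  }
  Type type = new TypeToken<Map<String, String>>() {}.getType();
  Map<String, String> entries = new Gson().fromJson(secretString, type);
  // A missing key (or a SECRET_KEY that was never supplied) used to surface as an NPE.
  String entry = entries == null ? null : entries.get(secretKey);
  if (entry == null) {
    throw new InvalidSecretFormatException(
        "Secret " + secretName + " has no entry for key " + secretKey);
  }
  return entry.getBytes(StandardCharsets.UTF_8);
}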
Example #16
Source File: SecretsManagerSecretEngine.java From kork with Apache License 2.0 | 5 votes |
/**
 * Checks that a Secrets Manager reference names a secret and a region, and that a file
 * reference does not additionally select a key (a file is the whole secret).
 *
 * @param encryptedSecret the parsed reference to check
 * @throws InvalidSecretFormatException for the first rule violated, in the order above
 */
@Override
public void validate(EncryptedSecret encryptedSecret) {
  Set<String> present = encryptedSecret.getParams().keySet();
  if (!present.contains(SECRET_NAME)) {
    String message = "Secret name parameter is missing (" + SECRET_NAME + "=...)";
    throw new InvalidSecretFormatException(message);
  }
  if (!present.contains(SECRET_REGION)) {
    String message = "Secret region parameter is missing (" + SECRET_REGION + "=...)";
    throw new InvalidSecretFormatException(message);
  }
  boolean fileWithKey = encryptedSecret.isEncryptedFile() && present.contains(SECRET_KEY);
  if (fileWithKey) {
    throw new InvalidSecretFormatException("Encrypted file should not specify key");
  }
}
Example #17
Source File: ApachePassphraseProfileFactory.java From halyard with Apache License 2.0 | 5 votes |
/**
 * Supplies the {@code passphrase} binding for the Apache SSL passphrase template.
 *
 * <p>When the passphrase is an encrypted reference and the target deployment cannot decrypt
 * secrets itself, it is decrypted here and the plaintext goes into the binding (and thus the
 * rendered file). Otherwise the configured value is passed through as-is.
 *
 * @param deploymentConfiguration the deployment whose UI SSL settings are read
 * @param profile unused here
 * @param endpoints unused here
 * @return a single-entry map with the {@code passphrase} binding
 */
@Override
protected Map<String, Object> getBindings(
    DeploymentConfiguration deploymentConfiguration,
    Profile profile,
    SpinnakerRuntimeSettings endpoints) {
  ApacheSsl ssl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  String passphrase = ssl.getSslCertificatePassphrase();
  boolean decryptLocally =
      EncryptedSecret.isEncryptedSecret(passphrase)
          && !supportsSecretDecryption(deploymentConfiguration.getName());
  Map<String, Object> bindings = new HashMap<>();
  bindings.put("passphrase", decryptLocally ? secretSessionManager.decrypt(passphrase) : passphrase);
  return bindings;
}
Example #18
Source File: BindingsSecretDecrypter.java From halyard with Apache License 2.0 | 5 votes |
/**
 * Resolves a secret-file reference to a path under {@code outputDir}.
 *
 * <p>A non-secret value is returned untouched. A secret reference is decrypted to bytes,
 * registered on the profile under a freshly generated file name (so the profile writer emits
 * it later), and the path that file will have under {@code outputDir} is returned.
 *
 * @param profile the profile that collects decrypted files
 * @param outputDir the directory the decrypted file will be written to
 * @param value the raw value, possibly an encrypted reference
 * @param fieldName seeds the generated file name
 * @return the original value, or the resolved path of the decrypted file
 */
public String trackSecretFile(Profile profile, Path outputDir, String value, String fieldName) {
  if (!EncryptedSecret.isEncryptedSecret(value)) {
    return value;
  }
  String fileName = newRandomFileName(fieldName);
  byte[] plaintext = secretSessionManager.decryptAsBytes(value);
  profile.getDecryptedFiles().put(fileName, plaintext);
  Path target = outputDir.resolve(fileName);
  return target.toString();
}
Example #19
Source File: FileService.java From halyard with Apache License 2.0 | 5 votes |
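/**
 * Return the contents of a file as a byte array.
 *
 * <p>Resolution order: config-server resource, then encrypted-secret reference, then local
 * file system path. Decrypted secret bytes are returned directly to the caller.
 *
 * @param fileReference a file reference can be a secret, a config server resource or a path in
 *     the local file system.
 * @return file contents as bytes.
 * @throws IOException if the local file cannot be read
 */
public byte[] getFileContentBytes(String fileReference) throws IOException {
  if (CloudConfigResourceService.isCloudConfigResource(fileReference)) {
    String localPath = cloudConfigResourceService.getLocalPath(fileReference);
    // Explicit charset: the platform default is not guaranteed to be UTF-8 before Java 18.
    return configFileService
        .getContents(localPath)
        .getBytes(java.nio.charset.StandardCharsets.UTF_8);
  }
  if (EncryptedSecret.isEncryptedSecret(fileReference)) {
    return secretSessionManager.decryptAsBytes(fileReference);
  }
  return readFromLocalFilesystem(fileReference);
}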
Example #20
Source File: FileService.java From halyard with Apache License 2.0 | 5 votes |
/**
 * Resolves a file reference to an absolute local path, fetching the file from the external
 * system that owns it when necessary.
 *
 * <p>An empty reference resolves to {@code null}. A config-server resource is resolved
 * through the cloud-config service; an encrypted reference is decrypted to a temporary file by
 * the session manager; anything else is treated as a local path.
 *
 * @param fileReference a secret reference, a config-server resource, or a local path
 * @return the absolute local path, or {@code null} if the reference is empty
 */
public Path getLocalFilePath(String fileReference) {
  if (StringUtils.isEmpty(fileReference)) {
    return null;
  }
  String resolved;
  if (CloudConfigResourceService.isCloudConfigResource(fileReference)) {
    resolved = cloudConfigResourceService.getLocalPath(fileReference);
  } else if (EncryptedSecret.isEncryptedSecret(fileReference)) {
    resolved = secretSessionManager.decryptAsFile(fileReference);
  } else {
    return absolutePath(fileReference);
  }
  return Paths.get(resolved);
}
Example #21
Source File: Node.java From halyard with Apache License 2.0 | 5 votes |
/**
 * Reports whether a {@code SecretFile}-annotated field of this node currently holds an
 * encrypted-secret reference.
 *
 * <p>Fields without the annotation are never secret files. The field is made accessible and
 * read reflectively; if that is not permitted the field is treated as not secret rather than
 * failing the caller.
 *
 * @param field a declared field of this node
 * @return {@code true} only for an annotated field whose value is an encrypted reference
 */
private boolean isSecretFile(Field field) {
  boolean annotated = field.getDeclaredAnnotation(SecretFile.class) != null;
  if (!annotated) {
    return false;
  }
  try {
    field.setAccessible(true);
    Object raw = field.get(this);
    return EncryptedSecret.isEncryptedSecret((String) raw);
  } catch (IllegalAccessException ignored) {
    // Unreadable field: report "not a secret file" rather than propagate.
    return false;
  }
}
Example #22
Source File: SecretsManagerSecretEngine.java From cerberus with Apache License 2.0 | 5 votes |
/**
 * Checks that a Secrets Manager reference names a secret and a region.
 *
 * <p>Only presence is checked. Note that {@code SECRET_KEY} is not required here even though
 * {@code decrypt} reads it for string secrets — presumably callers always supply it; confirm.
 *
 * @param encryptedSecret the parsed reference to check
 * @throws InvalidSecretFormatException naming the first missing parameter
 */
@Override
public void validate(EncryptedSecret encryptedSecret) {
  Set<String> present = encryptedSecret.getParams().keySet();
  boolean hasName = present.contains(SECRET_NAME);
  if (!hasName) {
    throw new InvalidSecretFormatException(
        "Secret name parameter is missing (" + SECRET_NAME + "=...)");
  }
  boolean hasRegion = present.contains(SECRET_REGION);
  if (!hasRegion) {
    throw new InvalidSecretFormatException(
        "Secret region parameter is missing (" + SECRET_REGION + "=...)");
  }
}
Example #23
Source File: NoopSecretEngine.java From kork with Apache License 2.0 | 4 votes |
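/**
 * Returns the {@code PARAM_VALUE} parameter of the reference as UTF-8 bytes; nothing is
 * actually decrypted.
 *
 * @param encryptedSecret parsed reference whose {@code PARAM_VALUE} parameter holds the value
 * @return the parameter's bytes
 * @throws NullPointerException with a descriptive message if the parameter is absent (the
 *     engine's {@code validate} does not check for it)
 */
@Override
public byte[] decrypt(EncryptedSecret encryptedSecret) {
  String value =
      java.util.Objects.requireNonNull(
          encryptedSecret.getParams().get(PARAM_VALUE),
          "Noop secret is missing parameter " + PARAM_VALUE);
  // Explicit charset: the platform default is not guaranteed to be UTF-8 before Java 18.
  return value.getBytes(java.nio.charset.StandardCharsets.UTF_8);
}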
Example #24
Source File: NoopSecretEngine.java From kork with Apache License 2.0 | 4 votes |
/**
 * Accepts every reference unchanged: no parameter is required or inspected. A reference
 * without {@code PARAM_VALUE} therefore passes validation and only fails later, inside
 * {@code decrypt}, when that parameter is dereferenced.
 *
 * @param encryptedSecret ignored
 */
@Override public void validate(EncryptedSecret encryptedSecret) {}
Example #25
Source File: AbstractStorageSecretEngine.java From kork with Apache License 2.0 | 4 votes |
/**
 * Storage-backed engines are read-only: they fetch already-stored files and cannot produce a
 * new reference from plaintext.
 *
 * @param secretToEncrypt ignored
 * @return never returns normally
 * @throws UnsupportedOperationException always
 */
public EncryptedSecret encrypt(String secretToEncrypt) throws UnsupportedOperationException { throw new UnsupportedOperationException("This operation is not supported"); }
Example #26
Source File: AbstractStorageSecretEngine.java From kork with Apache License 2.0 | 4 votes |
/**
 * Opens the remote file that the reference points at.
 *
 * @param encryptedSecret parsed reference; which parameters select the file is up to the
 *     concrete engine
 * @return a stream over the file's content; the caller closes it
 * @throws IOException if the remote fetch fails
 */
protected abstract InputStream downloadRemoteFile(EncryptedSecret encryptedSecret) throws IOException;
Example #27
Source File: SecretSessionManager.java From halyard with Apache License 2.0 | 3 votes |
/**
 * Turns an encrypted-file reference into the path of a decrypted temporary file.
 *
 * <p>A value that is not an encrypted reference is returned unchanged. Otherwise the current
 * session decrypts it to a temporary file and that file's path is returned; if the session
 * yields no path the result is {@code null}.
 *
 * <p>Format for Encrypted Secrets:
 *
 * <p>encrypted:<engine-identifier>!<param-name_1>:<param-value_1>!..!<param-name_n>:<param-value_n>
 *
 * <p>Note: Valid param-names match the regex: `[a-zA-Z0-9]+` Note: secret-params may contain ':'
 * Note: `encrypted` cannot be a param-name Note: There must be at least one
 * <param-name>:<param-value> pair Named parameters are used to allow for adding
 * additional options in the future.
 *
 * @param filePath the encrypted reference in the format above, or a plain path
 * @return the plain path unchanged, the decrypted temporary file's path, or {@code null}
 */
public String decryptAsFile(String filePath) {
  boolean isReference = EncryptedSecret.isEncryptedSecret(filePath);
  if (!isReference) {
    return filePath;
  }
  Path decrypted = getSession().decryptAsFile(filePath);
  return decrypted == null ? null : decrypted.toString();
}
Example #28
Source File: FileService.java From halyard with Apache License 2.0 | 2 votes |
/**
 * Tells whether a file reference points outside the local file system.
 *
 * <p>Remote means either a config-server resource or an encrypted-file reference. Note that
 * the check is {@code EncryptedSecret.isEncryptedFile}, not {@code isEncryptedSecret}, so a
 * plain {@code encrypted:} reference is not reported as remote here — presumably intended,
 * confirm against callers.
 *
 * @param fileReference the reference to classify
 * @return {@code true} for a remote reference
 */
public boolean isRemoteFile(String fileReference) {
  if (CloudConfigResourceService.isCloudConfigResource(fileReference)) {
    return true;
  }
  return EncryptedSecret.isEncryptedFile(fileReference);
}