Use LazySecretKeysHandler for Jasypt Config

apache · Jun 14, 2024 · 5ee74f5 · 5ee74f5
1 parent dbb1c41
commit 5ee74f5
Show file tree

Hide file tree

Showing 10 changed files with 187 additions and 179 deletions.
diff --git a/...t/src/main/java/org/apache/camel/quarkus/component/jasypt/deployment/JasyptProcessor.java b/...t/src/main/java/org/apache/camel/quarkus/component/jasypt/deployment/JasyptProcessor.java
@@ -81,7 +81,7 @@ static final class CamelJasyptEnabled implements BooleanSupplier {
 
         @Override
         public boolean getAsBoolean() {
-            return config.enabled;
+            return config.enabled();
         }
     }
 }
diff --git a/...org/apache/camel/quarkus/component/jasypt/deployment/devui/JasyptUtilsDevUIProcessor.java b/...org/apache/camel/quarkus/component/jasypt/deployment/devui/JasyptUtilsDevUIProcessor.java
@@ -49,7 +49,7 @@ static final class CamelJasyptEnabled implements BooleanSupplier {
 
         @Override
         public boolean getAsBoolean() {
-            return config.enabled;
+            return config.enabled();
         }
     }
 }
diff --git a/...rc/test/java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordNotProvidedTest.java b/...rc/test/java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordNotProvidedTest.java
@@ -17,6 +17,9 @@
 package org.apache.camel.quarkus.component.jasypt;
 
 import io.quarkus.test.QuarkusUnitTest;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.component.jasypt.JasyptPropertiesParser;
+import org.apache.camel.component.properties.PropertiesComponent;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
 import org.junit.jupiter.api.Test;
@@ -25,11 +28,27 @@
 public class JasyptPasswordNotProvidedTest {
     @RegisterExtension
     static final QuarkusUnitTest CONFIG = new QuarkusUnitTest()
+            .overrideConfigKey("greeting.secret", "ENC(GKJfy64eBDzxUuQCfArd6OjnAaW/oM9e)")
             .setExpectedException(IllegalStateException.class)
-            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class));
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class).addClass(JasyptRoutes.class));
 
     @Test
     void passwordNotProvidedThrowsException() {
         // Nothing to test as we just verify the application fails to start
     }
+
+    public static final class JasyptRoutes extends RouteBuilder {
+        @Override
+        public void configure() {
+            JasyptPropertiesParser jasypt = new JasyptPropertiesParser();
+            jasypt.setPassword("2s3cr3t");
+
+            PropertiesComponent component = (PropertiesComponent) getContext().getPropertiesComponent();
+            jasypt.setPropertiesComponent(component);
+            component.setPropertiesParser(jasypt);
+
+            from("direct:decryptManualConfiguration")
+                    .setBody().simple("{{greeting.secret}}");
+        }
+    }
 }
diff --git a/.../java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordSysEnvValueMissingTest.java b/.../java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordSysEnvValueMissingTest.java
@@ -17,6 +17,9 @@
 package org.apache.camel.quarkus.component.jasypt;
 
 import io.quarkus.test.QuarkusUnitTest;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.component.jasypt.JasyptPropertiesParser;
+import org.apache.camel.component.properties.PropertiesComponent;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
 import org.junit.jupiter.api.Test;
@@ -27,12 +30,28 @@ public class JasyptPasswordSysEnvValueMissingTest {
 
     @RegisterExtension
     static final QuarkusUnitTest CONFIG = new QuarkusUnitTest()
+            .overrideConfigKey("greeting.secret", "ENC(GKJfy64eBDzxUuQCfArd6OjnAaW/oM9e)")
             .overrideConfigKey("quarkus.camel.jasypt.password", "sysenv:" + PASSWORD_VAR_NAME)
             .setExpectedException(IllegalStateException.class)
-            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class));
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class).addClass(JasyptRoutes.class));
 
     @Test
     void nonExistentPasswordEnvironmentVariableHandledGracefully() {
         // Nothing to test as we just verify the application fails to start
     }
+
+    public static final class JasyptRoutes extends RouteBuilder {
+        @Override
+        public void configure() {
+            JasyptPropertiesParser jasypt = new JasyptPropertiesParser();
+            jasypt.setPassword("2s3cr3t");
+
+            PropertiesComponent component = (PropertiesComponent) getContext().getPropertiesComponent();
+            jasypt.setPropertiesComponent(component);
+            component.setPropertiesParser(jasypt);
+
+            from("direct:decryptManualConfiguration")
+                    .setBody().simple("{{greeting.secret}}");
+        }
+    }
 }
diff --git a/...est/java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordSysValueMissingTest.java b/...est/java/org/apache/camel/quarkus/component/jasypt/JasyptPasswordSysValueMissingTest.java
@@ -17,6 +17,9 @@
 package org.apache.camel.quarkus.component.jasypt;
 
 import io.quarkus.test.QuarkusUnitTest;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.component.jasypt.JasyptPropertiesParser;
+import org.apache.camel.component.properties.PropertiesComponent;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
 import org.junit.jupiter.api.Test;
@@ -27,12 +30,28 @@ public class JasyptPasswordSysValueMissingTest {
 
     @RegisterExtension
     static final QuarkusUnitTest CONFIG = new QuarkusUnitTest()
+            .overrideConfigKey("greeting.secret", "ENC(GKJfy64eBDzxUuQCfArd6OjnAaW/oM9e)")
             .overrideConfigKey("quarkus.camel.jasypt.password", "sys:" + PASSWORD_PROPERTY_NAME)
             .setExpectedException(IllegalStateException.class)
-            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class));
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class).addClass(JasyptRoutes.class));
 
     @Test
     void nonExistentPasswordSystemPropertyHandledGracefully() {
         // Nothing to test as we just verify the application fails to start
     }
+
+    public static final class JasyptRoutes extends RouteBuilder {
+        @Override
+        public void configure() {
+            JasyptPropertiesParser jasypt = new JasyptPropertiesParser();
+            jasypt.setPassword("2s3cr3t");
+
+            PropertiesComponent component = (PropertiesComponent) getContext().getPropertiesComponent();
+            jasypt.setPropertiesComponent(component);
+            component.setPropertiesParser(jasypt);
+
+            from("direct:decryptManualConfiguration")
+                    .setBody().simple("{{greeting.secret}}");
+        }
+    }
 }
diff --git a/...e/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptBuildTimeConfig.java b/...e/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptBuildTimeConfig.java
@@ -16,21 +16,19 @@
  */
 package org.apache.camel.quarkus.component.jasypt;
 
-import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
+import io.smallrye.config.ConfigMapping;
+import io.smallrye.config.WithDefault;
 
-/**
- * Note: This class exists mainly for documentation purposes. The actual configuration values
- * are read via the SmallRye config internals within the SecretKeysHandler.
- */
-@ConfigRoot(name = "camel.jasypt", phase = ConfigPhase.BUILD_AND_RUN_TIME_FIXED)
-public class CamelJasyptBuildTimeConfig {
+@ConfigMapping(prefix = "quarkus.camel.jasypt")
+@ConfigRoot(phase = ConfigPhase.BUILD_AND_RUN_TIME_FIXED)
+public interface CamelJasyptBuildTimeConfig {
     /**
      * Setting this option to false will disable Jasypt integration with Quarkus SmallRye configuration.
      * You can however, manually configure Jasypt with Camel in the 'classic' way of manually configuring
      * JasyptPropertiesParser and PropertiesComponent. Refer to the usage section for more details.
      */
-    @ConfigItem(defaultValue = "true")
-    public boolean enabled;
+    @WithDefault("true")
+    boolean enabled();
 }
diff --git a/...pt/runtime/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptConfig.java b/...pt/runtime/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptConfig.java
@@ -16,29 +16,34 @@
  */
 package org.apache.camel.quarkus.component.jasypt;
 
+import java.lang.reflect.InvocationTargetException;
 import java.util.Optional;
+import java.util.Set;
 
-import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
+import io.smallrye.config.ConfigMapping;
+import io.smallrye.config.WithDefault;
+import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.StringHelper;
 import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
+import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
+import org.jasypt.encryption.pbe.config.PBEConfig;
+import org.jasypt.iv.NoIvGenerator;
 import org.jasypt.iv.RandomIvGenerator;
 import org.jasypt.salt.RandomSaltGenerator;
 
-/**
- * Note: This class exists mainly for documentation purposes. The actual configuration values
- * are read via the SmallRye config internals within the SecretKeysHandler.
- */
-@ConfigRoot(name = "camel.jasypt", phase = ConfigPhase.RUN_TIME)
-public class CamelJasyptConfig {
-    static final String NAME = "camel-jasypt";
-    static final String DEFAULT_ALGORITHM = StandardPBEByteEncryptor.DEFAULT_ALGORITHM;
+@ConfigMapping(prefix = "quarkus.camel.jasypt")
+@ConfigRoot(phase = ConfigPhase.RUN_TIME)
+public interface CamelJasyptConfig {
+    String NAME = "camel-jasypt";
+    String DEFAULT_ALGORITHM = StandardPBEByteEncryptor.DEFAULT_ALGORITHM;
 
     /**
      * The algorithm to be used for decryption.
      */
-    @ConfigItem(defaultValue = DEFAULT_ALGORITHM)
-    public String algorithm;
+    @WithDefault(DEFAULT_ALGORITHM)
+    String algorithm();
 
     /**
      * The master password used by Jasypt for decrypting configuration values.
@@ -48,25 +53,82 @@ public class CamelJasyptConfig {
      * <code>sysenv:</code> will look up the value from the OS system environment with the given key.
      * <p>
      */
-    @ConfigItem
-    public Optional<String> password;
+    Optional<String> password();
 
     /**
      * Configures the Jasypt StandardPBEStringEncryptor with a RandomIvGenerator using the given algorithm.
      */
-    @ConfigItem(defaultValue = RandomIvGenerator.DEFAULT_SECURE_RANDOM_ALGORITHM)
-    public String randomIvGeneratorAlgorithm;
+    @WithDefault(RandomIvGenerator.DEFAULT_SECURE_RANDOM_ALGORITHM)
+    String randomIvGeneratorAlgorithm();
 
     /**
      * Configures the Jasypt StandardPBEStringEncryptor with a RandomSaltGenerator using the given algorithm.
      */
-    @ConfigItem(defaultValue = RandomSaltGenerator.DEFAULT_SECURE_RANDOM_ALGORITHM)
-    public String randomSaltGeneratorAlgorithm;
+    @WithDefault(RandomSaltGenerator.DEFAULT_SECURE_RANDOM_ALGORITHM)
+    String randomSaltGeneratorAlgorithm();
 
     /**
      * The fully qualified class name of an org.apache.camel.quarkus.component.jasypt.JasyptConfigurationCustomizer
      * implementation. This provides the optional capability of having full control over the Jasypt configuration.
      */
-    @ConfigItem
-    public Optional<String> configurationCustomizerClassName;
+    Optional<String> configurationCustomizerClassName();
+
+    String SYS_CONFIG_PREFIX = "sys:";
+    String SYS_ENV_CONFIG_PREFIX = "sysenv:";
+    Set<String> ALGORITHMS_THAT_REQUIRE_IV = Set.of(
+            "PBEWITHHMACSHA1ANDAES_128",
+            "PBEWITHHMACSHA1ANDAES_256",
+            "PBEWITHHMACSHA224ANDAES_128",
+            "PBEWITHHMACSHA224ANDAES_256",
+            "PBEWITHHMACSHA256ANDAES_128",
+            "PBEWITHHMACSHA256ANDAES_256",
+            "PBEWITHHMACSHA384ANDAES_128",
+            "PBEWITHHMACSHA384ANDAES_256",
+            "PBEWITHHMACSHA512ANDAES_128",
+            "PBEWITHHMACSHA512ANDAES_256");
+
+    default PBEConfig pbeConfig() {
+        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
+
+        String password = null;
+        if (password().isPresent()) {
+            password = password().get();
+            if (ObjectHelper.isNotEmpty(password)) {
+                // Preserve backwards compat with the Camel way of configuring the master password
+                if (password.startsWith(SYS_ENV_CONFIG_PREFIX)) {
+                    password = System.getenv(StringHelper.after(password, SYS_ENV_CONFIG_PREFIX));
+                } else if (password.startsWith(SYS_CONFIG_PREFIX)) {
+                    password = System.getProperty(StringHelper.after(password, SYS_CONFIG_PREFIX));
+                }
+            }
+        }
+
+        config.setPassword(password);
+        config.setAlgorithm(algorithm());
+        config.setIvGenerator(ALGORITHMS_THAT_REQUIRE_IV.contains(algorithm().toUpperCase())
+                ? new RandomIvGenerator(randomIvGeneratorAlgorithm()) : new NoIvGenerator());
+        config.setSaltGenerator(new RandomSaltGenerator(randomSaltGeneratorAlgorithm()));
+
+        if (configurationCustomizerClassName().isPresent()) {
+            try {
+                Class<?> encryptorClass = Thread.currentThread().getContextClassLoader()
+                        .loadClass(configurationCustomizerClassName().get());
+                JasyptConfigurationCustomizer customizer = (JasyptConfigurationCustomizer) encryptorClass
+                        .getDeclaredConstructor().newInstance();
+                customizer.customize(config);
+            } catch (ClassNotFoundException | InvocationTargetException | InstantiationException | IllegalAccessException
+                    | NoSuchMethodException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        // Avoid potentially confusing runtime NPEs and fail fast if no password has been configured
+        try {
+            config.getPassword();
+        } catch (NullPointerException e) {
+            throw new IllegalStateException("The jasypt password has not been configured.");
+        }
+
+        return config;
+    }
 }
diff --git a/...time/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptDevUIService.java b/...time/src/main/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptDevUIService.java
@@ -21,19 +21,18 @@
 
 @ApplicationScoped
 public class CamelJasyptDevUIService {
+    private final StandardPBEStringEncryptor encryptor;
+
+    public CamelJasyptDevUIService(CamelJasyptConfig jasyptConfig) {
+        encryptor = new StandardPBEStringEncryptor();
+        encryptor.setConfig(jasyptConfig.pbeConfig());
+    }
+
     public String encryptText(String text) {
-        StandardPBEStringEncryptor encryptor = CamelJasyptPropertiesParserHolder.getEncryptor();
-        if (encryptor != null) {
-            return encryptor.encrypt(text);
-        }
-        return null;
+        return encryptor.encrypt(text);
     }
 
     public String decryptText(String text) {
-        StandardPBEStringEncryptor encryptor = CamelJasyptPropertiesParserHolder.getEncryptor();
-        if (encryptor != null) {
-            return encryptor.decrypt(text);
-        }
-        return null;
+        return encryptor.decrypt(text);
     }
 }
diff --git a/...ain/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptPropertiesParserHolder.java b/...ain/java/org/apache/camel/quarkus/component/jasypt/CamelJasyptPropertiesParserHolder.java
@@ -44,8 +44,4 @@ static void setEncryptor(StandardPBEStringEncryptor encryptor) {
             ENCRYPTOR = encryptor;
         }
     }
-
-    static StandardPBEStringEncryptor getEncryptor() {
-        return ENCRYPTOR;
-    }
 }