CLOUD-86088 Encrypt sensitive data in periscope database

Author: mhmxs

autoscale/build.gradle

@@ -55,7 +55,6 @@ dependencies {
     compile group: 'dnsjava',                       name: 'dnsjava',                                version: '2.1.7'
     compile group: 'org.mybatis',                   name: 'mybatis-migrations',                     version: '3.2.0'
 
-
     compile group: 'io.springfox',                  name: 'springfox-swagger2',                     version: '2.5.0'
     compile group: 'io.springfox',                  name: 'springfox-core',                         version: '2.5.0'
     compile group: 'io.springfox',                  name: 'springfox-swagger-ui',                   version: '2.5.0'

autoscale/src/main/java/com/sequenceiq/periscope/config/SecurityConfig.java

@@ -4,8 +4,13 @@
 
 import javax.inject.Inject;
 
+import org.jasypt.encryption.pbe.PBEStringCleanablePasswordEncryptor;
+import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.context.annotation.Scope;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
@@ -23,6 +28,25 @@
 @Configuration
 public class SecurityConfig {
 
+    @Value("${periscope.client.secret}")
+    private String clientSecret;
+
+    @Bean("PBEStringCleanablePasswordEncryptor")
+    @Scope("prototype")
+    public PBEStringCleanablePasswordEncryptor encryptor() {
+        PBEStringCleanablePasswordEncryptor encryptor = new StandardPBEStringEncryptor();
+        encryptor.setPassword(clientSecret);
+        return encryptor;
+    }
+
+    @Bean("LegacyPBEStringCleanablePasswordEncryptor")
+    @Scope("prototype")
+    public PBEStringCleanablePasswordEncryptor legacyEncryptor() {
+        PBEStringCleanablePasswordEncryptor encryptor = new StandardPBEStringEncryptor();
+        encryptor.setPassword("cbsecret2015");
+        return encryptor;
+    }
+
     @EnableGlobalMethodSecurity(prePostEnabled = true)
     protected static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 
@@ -49,7 +73,7 @@ protected static class ResourceServerConfiguration extends ResourceServerConfigu
         private ResourceServerTokenServices resourceServerTokenServices;
 
         @Override
-        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
+        public void configure(ResourceServerSecurityConfigurer resources) {
             resources.resourceId("periscope");
             resources.tokenServices(resourceServerTokenServices);
         }

autoscale/src/main/java/com/sequenceiq/periscope/controller/EndpointConfig.java

@@ -32,7 +32,7 @@
 
 @ApplicationPath(AutoscaleApi.API_ROOT_CONTEXT)
 @Component
-public class EndpointConfig  extends ResourceConfig {
+public class EndpointConfig extends ResourceConfig {
 
     public EndpointConfig() throws IOException {
         registerEndpoints();

autoscale/src/main/java/com/sequenceiq/periscope/domain/Ambari.java

@@ -7,6 +7,8 @@
 import javax.persistence.Id;
 import javax.persistence.SequenceGenerator;
 
+import org.hibernate.annotations.Type;
+
 @Entity
 public class Ambari {
 
@@ -21,9 +23,11 @@ public class Ambari {
     @Column(name = "ambari_port")
     private String port;
 
+    @Type(type = "encrypted_string")
     @Column(name = "ambari_user")
     private String user;
 
+    @Type(type = "encrypted_string")
     @Column(name = "ambari_pass")
     private String pass;
 

autoscale/src/main/java/com/sequenceiq/periscope/domain/SecurityConfig.java

@@ -12,6 +12,7 @@
 import javax.persistence.Table;
 
 import org.apache.commons.codec.binary.Base64;
+import org.hibernate.annotations.Type;
 
 @Entity
 @Table(name = "SecurityConfig")
@@ -23,22 +24,25 @@ public class SecurityConfig {
     @SequenceGenerator(name = "securityconfig_generator", sequenceName = "securityconfig_id_seq", allocationSize = 1)
     private Long id;
 
-    @Column
-    private byte[] clientKey;
+    @Type(type = "encrypted_string")
+    @Column(columnDefinition = "TEXT")
+    private String clientKey;
 
-    @Column
-    private byte[] clientCert;
+    @Type(type = "encrypted_string")
+    @Column(columnDefinition = "TEXT")
+    private String clientCert;
 
-    @Column
-    private byte[] serverCert;
+    @Type(type = "encrypted_string")
+    @Column(columnDefinition = "TEXT")
+    private String serverCert;
 
     @OneToOne
     private Cluster cluster;
 
     public SecurityConfig() {
     }
 
-    public SecurityConfig(byte[] clientKey, byte[] clientCert, byte[] serverCert) {
+    public SecurityConfig(String clientKey, String clientCert, String serverCert) {
         this.clientKey = clientKey;
         this.clientCert = clientCert;
         this.serverCert = serverCert;
@@ -72,27 +76,27 @@ public void setCluster(Cluster cluster) {
         this.cluster = cluster;
     }
 
-    public byte[] getClientKey() {
+    public String getClientKey() {
         return clientKey;
     }
 
-    public byte[] getClientCert() {
+    public String getClientCert() {
         return clientCert;
     }
 
-    public byte[] getServerCert() {
+    public String getServerCert() {
         return serverCert;
     }
 
-    public void setClientKey(byte[] clientKey) {
+    public void setClientKey(String clientKey) {
         this.clientKey = clientKey;
     }
 
-    public void setClientCert(byte[] clientCert) {
+    public void setClientCert(String clientCert) {
         this.clientCert = clientCert;
     }
 
-    public void setServerCert(byte[] serverCert) {
+    public void setServerCert(String serverCert) {
         this.serverCert = serverCert;
     }
 

autoscale/src/main/java/com/sequenceiq/periscope/domain/package-info.java

@@ -0,0 +1,9 @@
+@TypeDefs(@TypeDef(name = "encrypted_string", typeClass = EncryptedStringType.class, parameters = @Parameter(name = "encryptorRegisteredName",
+        value = "hibernateStringEncryptor")))
+
+package com.sequenceiq.periscope.domain;
+
+import org.hibernate.annotations.Parameter;
+import org.hibernate.annotations.TypeDef;
+import org.hibernate.annotations.TypeDefs;
+import org.jasypt.hibernate4.type.EncryptedStringType;

autoscale/src/main/java/com/sequenceiq/periscope/service/registry/RetryingServiceAddressResolver.java

@@ -58,7 +58,7 @@ private void handleException(ServiceAddressResolvingException e, int attemptCoun
                 LOGGER.warn("Unsuccessful address resolving: {}, retrying in {}millis", e.getMessage(), SLEEPTIME);
                 Thread.sleep(SLEEPTIME);
             } catch (InterruptedException ie) {
-                LOGGER.warn("Interrupted exception occurred.", ie.getMessage());
+                LOGGER.warn("Interrupted exception occurred: {}", ie.getMessage());
             }
         }
     }

autoscale/src/main/java/com/sequenceiq/periscope/service/security/TlsSecurityService.java

@@ -26,7 +26,7 @@ public SecurityConfig prepareSecurityConfig(Long stackId) {
         byte[] serverCert = Base64.encode(response.getServerCert());
         byte[] clientKey = Base64.encode(response.getClientKey());
         byte[] clientCert = Base64.encode(response.getClientCert());
-        return new SecurityConfig(clientKey, clientCert, serverCert);
+        return new SecurityConfig(new String(clientKey), new String(clientCert), new String(serverCert));
     }
 
     public TlsConfiguration getConfiguration(Cluster cluster) {

autoscale/src/main/resources/schema/app/20180119100457_CLOUD-86088_encrypt_database_fields.sql

@@ -0,0 +1,45 @@
+-- // CLOUD-86088_encrypt_database_fields
+-- Migration SQL that makes the change goes here.
+
+CREATE TABLE securityconfig_encrypted (
+    id bigint NOT NULL,
+    clientkey text,
+    clientcert text,
+    servercert text,
+    cluster_id bigint NOT NULL
+);
+
+ALTER TABLE securityconfig_encrypted ALTER COLUMN id SET DEFAULT nextval ('securityconfig_id_seq');
+
+INSERT INTO securityconfig_encrypted (clientkey, clientcert, servercert, cluster_id) SELECT encode(clientkey, 'escape'), encode(clientcert, 'escape'), encode(servercert, 'escape'), cluster_id FROM securityconfig;
+
+DROP TABLE securityconfig;
+
+ALTER TABLE securityconfig_encrypted RENAME TO securityconfig;
+
+ALTER TABLE ONLY securityconfig ADD CONSTRAINT securityconfig_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY securityconfig ADD CONSTRAINT fk_securityconfig_cluster_id FOREIGN KEY (cluster_id) REFERENCES cluster(id);
+
+-- //@UNDO
+-- SQL to undo the change goes here.
+
+CREATE TABLE securityconfig_decrypted (
+    id bigint NOT NULL,
+    clientkey bytea,
+    clientcert bytea,
+    servercert bytea,
+    cluster_id bigint NOT NULL
+);
+
+ALTER TABLE securityconfig_decrypted ALTER COLUMN id SET DEFAULT nextval ('securityconfig_id_seq');
+
+INSERT INTO securityconfig_decrypted (clientkey, clientcert, servercert, cluster_id) SELECT decode(clientkey, 'escape'), decode(clientcert, 'escape'), decode(servercert, 'escape'), cluster_id FROM securityconfig;
+
+DROP TABLE securityconfig;
+
+ALTER TABLE securityconfig_decrypted RENAME TO securityconfig;
+
+ALTER TABLE ONLY securityconfig ADD CONSTRAINT securityconfig_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY securityconfig ADD CONSTRAINT fk_securityconfig_cluster_id FOREIGN KEY (cluster_id) REFERENCES cluster(id);

cloud-common/build.gradle

@@ -40,6 +40,7 @@ dependencies {
     compile group: 'org.postgresql',                        name: 'postgresql',                     version: '9.4.1212'
     compile group: 'com.sequenceiq',                        name: 'consul-api',                     version: '1.10'
     compile group: 'org.apache.commons',                    name: 'commons-lang3',                  version: apacheCommonsLangVersion
+    compile group: 'org.jasypt',                            name: 'jasypt-hibernate4',              version: jasyptVersion
     testCompile group: 'junit',                             name: 'junit',                          version: junitVersion
     testCompile group: 'org.mockito',                       name: 'mockito-all',                    version: mockitoAllVersion
 }