[
https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Guillaume Nodet updated CAMEL-23250:
------------------------------------
Description:
Currently, Camel has a well-established pipeline for detecting and masking
secret properties (via @Metadata(secret=true) and SensitiveUtils), but it only
masks values in logs and console output. There is no mechanism to warn users
when secrets are configured via plain-text properties instead of using secure
alternatives like RAW(), vault references ({{vault:...}}), or environment
variable placeholders (${env:...}).
This improvement should:
h3. 1. Warn on plain-text secrets
*Log a warning at startup* when a secret property is set via plain-text (not
RAW(), not {{vault:...}}, not ${env:...}). This could be added in
MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
h3. 2. Add a configuration flag
Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
whether warnings are emitted, allowing users to suppress them in development
environments.
h3. 3. Fix PropertiesDevConsole JSON output
PropertiesDevConsole currently does *not mask secret values in JSON mode* (only
masks in text mode), potentially exposing secrets via monitoring endpoints.
h3. 4. Strict mode
Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
would fail startup if plain-text secrets are detected, for production hardening.
h3. 5. Warn on development-only settings in production
Beyond secrets, some configuration options are inherently unsafe for production
use, such as:
- *camel.ssl.selfSigned=true* — generates an ephemeral self-signed certificate
(added in CAMEL-22497)
- *camel.ssl.trustAllCertificates=true* — disables certificate validation
These are not secrets (they are boolean flags) so @Metadata(secret=true) is not
the right mechanism. Consider adding a new annotation attribute like
@Metadata(label = "development") or @Metadata(warnInProduction = true) that
would trigger a startup warning when these options are enabled in a
non-development profile. This would catch cases where development settings are
accidentally left in production configuration.
Related: there are currently 143+ secret keys detected by SensitiveUtils. The
detection infrastructure is solid - it just needs to be leveraged for
prevention, not just masking.
Key files:
- core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
(sensitiveAwareLogging)
- core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
-
core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
-
core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
(selfSigned, trustAllCertificates)
was:
Currently, Camel has a well-established pipeline for detecting and masking
secret properties (via @Metadata(secret=true) and SensitiveUtils), but it only
masks values in logs and console output. There is no mechanism to warn users
when secrets are configured via plain-text properties instead of using secure
alternatives like RAW(), vault references ({{vault:...}}), or environment
variable placeholders (${env:...}).
This improvement should:
1. *Log a warning at startup* when a secret property is set via plain-text (not
RAW(), not {{vault:...}}, not ${env:...}). This could be added in
MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
2. *Add a camel.main.warnOnPlainTextSecrets flag* (default: true) to control
whether warnings are emitted, allowing users to suppress them in development
environments.
3. *Fix PropertiesDevConsole JSON output* which currently does not mask secret
values in JSON mode (only masks in text mode), potentially exposing secrets via
monitoring endpoints.
4. Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets)
that would fail startup if plain-text secrets are detected, for production
hardening.
Related: there are currently 143+ secret keys detected by SensitiveUtils. The
detection infrastructure is solid - it just needs to be leveraged for
prevention, not just masking.
Key files:
- core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
(sensitiveAwareLogging)
- core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
-
core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
> Warn or prevent plain-text secrets in configuration properties
> --------------------------------------------------------------
>
> Key: CAMEL-23250
> URL: https://issues.apache.org/jira/browse/CAMEL-23250
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: Guillaume Nodet
> Priority: Major
>
> Currently, Camel has a well-established pipeline for detecting and masking
> secret properties (via @Metadata(secret=true) and SensitiveUtils), but it
> only masks values in logs and console output. There is no mechanism to warn
> users when secrets are configured via plain-text properties instead of using
> secure alternatives like RAW(), vault references ({{vault:...}}), or
> environment variable placeholders (${env:...}).
> This improvement should:
> h3. 1. Warn on plain-text secrets
> *Log a warning at startup* when a secret property is set via plain-text (not
> RAW(), not {{vault:...}}, not ${env:...}). This could be added in
> MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
> h3. 2. Add a configuration flag
> Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
> whether warnings are emitted, allowing users to suppress them in development
> environments.
> h3. 3. Fix PropertiesDevConsole JSON output
> PropertiesDevConsole currently does *not mask secret values in JSON mode*
> (only masks in text mode), potentially exposing secrets via monitoring
> endpoints.
> h3. 4. Strict mode
> Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
> would fail startup if plain-text secrets are detected, for production
> hardening.
> h3. 5. Warn on development-only settings in production
> Beyond secrets, some configuration options are inherently unsafe for
> production use, such as:
> - *camel.ssl.selfSigned=true* — generates an ephemeral self-signed
> certificate (added in CAMEL-22497)
> - *camel.ssl.trustAllCertificates=true* — disables certificate validation
> These are not secrets (they are boolean flags) so @Metadata(secret=true) is
> not the right mechanism. Consider adding a new annotation attribute like
> @Metadata(label = "development") or @Metadata(warnInProduction = true) that
> would trigger a startup warning when these options are enabled in a
> non-development profile. This would catch cases where development settings
> are accidentally left in production configuration.
> Related: there are currently 143+ secret keys detected by SensitiveUtils. The
> detection infrastructure is solid - it just needs to be leveraged for
> prevention, not just masking.
> Key files:
> - core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
> (sensitiveAwareLogging)
> - core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
> -
> core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
> -
> core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
> (selfSigned, trustAllCertificates)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
