[
https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on CAMEL-23250 started by Guillaume Nodet.
-----------------------------------------------
> Warn or prevent plain-text secrets in configuration properties
> --------------------------------------------------------------
>
> Key: CAMEL-23250
> URL: https://issues.apache.org/jira/browse/CAMEL-23250
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: Guillaume Nodet
> Assignee: Guillaume Nodet
> Priority: Major
>
> Currently, Camel has a well-established pipeline for detecting and masking
> secret properties (via @Metadata(secret=true) and SensitiveUtils), but it
> only masks values in logs and console output. There is no mechanism to warn
> users when secrets are configured via plain-text properties instead of using
> secure alternatives like RAW(), vault references ({{vault:...}}), or
> environment variable placeholders (${env:...}).
> This improvement should:
> h3. 1. Warn on plain-text secrets
> *Log a warning at startup* when a secret property is set via plain-text (not
> RAW(), not {{vault:...}}, not ${env:...}). This could be added in
> MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
> h3. 2. Add a configuration flag
> Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
> whether warnings are emitted, allowing users to suppress them in development
> environments.
> h3. 3. Fix PropertiesDevConsole JSON output
> PropertiesDevConsole currently does *not mask secret values in JSON mode*
> (only masks in text mode), potentially exposing secrets via monitoring
> endpoints.
> h3. 4. Strict mode
> Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
> would fail startup if plain-text secrets are detected, for production
> hardening.
> h3. 5. Warn on development-only settings in production
> Beyond secrets, some configuration options are inherently unsafe for
> production use, such as:
> - *camel.ssl.selfSigned=true* — generates an ephemeral self-signed
> certificate (added in CAMEL-22497)
> - *camel.ssl.trustAllCertificates=true* — disables certificate validation
> These are not secrets (they are boolean flags) so @Metadata(secret=true) is
> not the right mechanism. Consider adding a new annotation attribute like
> @Metadata(label = "development") or @Metadata(warnInProduction = true) that
> would trigger a startup warning when these options are enabled in a
> non-development profile. This would catch cases where development settings
> are accidentally left in production configuration.
> Related: there are currently 143+ secret keys detected by SensitiveUtils. The
> detection infrastructure is solid - it just needs to be leveraged for
> prevention, not just masking.
> Key files:
> - core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
> (sensitiveAwareLogging)
> - core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
> -
> core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
> -
> core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
> (selfSigned, trustAllCertificates)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
