Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm closed pull request #1725: MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml URL: https://github.com/apache/nifi-minifi-cpp/pull/1725 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1524575281 ## encrypt-config/FlowConfigEncryptor.cpp: ## 
@@ -0,0 +1,174 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "FlowConfigEncryptor.h" + +#include "core/extension/ExtensionManager.h" +#include "core/FlowConfiguration.h" +#include "core/flow/AdaptiveConfiguration.h" +#include "core/ProcessGroup.h" +#include "core/RepositoryFactory.h" +#include "core/repository/VolatileContentRepository.h" +#include "Defaults.h" +#include "Utils.h" +#include "utils/file/FileSystem.h" +#include "utils/Id.h" + +namespace minifi = org::apache::nifi::minifi; + +namespace { +enum class Type { + Processor, + ControllerService +}; + +struct SensitiveProperty { + Type type; + minifi::utils::Identifier component_id; + std::string component_name; + std::string property_name; + std::string property_display_name; +}; +} // namespace + +namespace magic_enum::customize { +template<> +constexpr customize_t enum_name(Type type) noexcept { + switch (type) { +case Type::Processor: return "Processor"; +case Type::ControllerService: return "Controller service"; + } + return invalid_tag; +} +} // namespace magic_enum::customize + +namespace { +std::vector listSensitiveProperties(const minifi::core::ProcessGroup &process_group) { + std::vector sensitive_properties; + + std::vector 
processors; + process_group.getAllProcessors(processors); + for (const auto *processor : processors) { +gsl_Expects(processor); +for (const auto& [_, property] : processor->getProperties()) { + if (property.isSensitive()) { +sensitive_properties.push_back(SensitiveProperty{ +.type = Type::Processor, +.component_id = processor->getUUID(), +.component_name = processor->getName(), +.property_name = property.getName(), +.property_display_name = property.getDisplayName()}); + } +} + } + + for (const auto* controller_service_node : process_group.getAllControllerServices()) { +gsl_Expects(controller_service_node); +const auto* controller_service = controller_service_node->getControllerServiceImplementation(); +gsl_Expects(controller_service); +for (const auto& [_, property] : controller_service->getProperties()) { + if (property.isSensitive()) { +sensitive_properties.push_back(SensitiveProperty{ +.type = Type::ControllerService, +.component_id = controller_service->getUUID(), +.component_name = controller_service->getName(), +.property_name = property.getName(), +.property_display_name = property.getDisplayName()}); + } +} + } + + return sensitive_properties; +} + +template +void encryptSensitiveValuesInFlowConfigImpl( +const minifi::encrypt_config::EncryptionKeys& keys, const std::filesystem::path& minifi_home, const std::filesystem::path& flow_config_path, Func create_overrides) { + const auto configure = std::make_shared(); + configure->setHome(minifi_home); + configure->loadConfigureFile(DEFAULT_NIFI_PROPERTIES_FILE); + + bool encrypt_whole_flow_config_file = (configure->get(minifi::Configure::nifi_flow_configuration_encrypt) | minifi::utils::andThen(minifi::utils::string::toBool)).value_or(false); + auto encryptor = encrypt_whole_flow_config_file ? 
minifi::utils::crypto::EncryptionProvider::create(minifi_home) : std::nullopt; + auto filesystem = std::make_shared(encrypt_whole_flow_config_file, encryptor); + + minifi::core::extension::ExtensionManager::get().initialize(configure); + + minifi::core::flow::AdaptiveConfiguration adaptive_configuration{minifi::core::ConfigurationContext{ + .flow_file_repo = minifi::core::createRepository("flowfilerepository"), + .content_repo = std::make_shared(), Review Comment: Good point; I've removed the repository creation in 0506380be319a185920c571ee0737556d86c89bd.
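Review bot: in `encryptSensitiveValuesInFlowConfigImpl`, `encryptor` is passed on without a check that it holds a value when `encrypt_whole_flow_config_file` is true. The ternary pairs `EncryptionProvider::create(minifi_home)` with `std::nullopt`, which suggests an optional return, and the result goes straight into the filesystem object together with the flag. I would stop with a clear error at that point (whole-file encryption is enabled but no encryption key could be loaded) rather than leave the outcome to the file layer. As a style point, the two loops in `listSensitiveProperties` differ only in the `Type` value and the way the component is reached, so they could share one helper.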
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1523587236 ## encrypt-config/FlowConfigEncryptor.cpp: ## 
@@ -0,0 +1,174 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "FlowConfigEncryptor.h" + +#include "core/extension/ExtensionManager.h" +#include "core/FlowConfiguration.h" +#include "core/flow/AdaptiveConfiguration.h" +#include "core/ProcessGroup.h" +#include "core/RepositoryFactory.h" +#include "core/repository/VolatileContentRepository.h" +#include "Defaults.h" +#include "Utils.h" +#include "utils/file/FileSystem.h" +#include "utils/Id.h" + +namespace minifi = org::apache::nifi::minifi; + +namespace { +enum class Type { + Processor, + ControllerService +}; + +struct SensitiveProperty { + Type type; + minifi::utils::Identifier component_id; + std::string component_name; + std::string property_name; + std::string property_display_name; +}; +} // namespace + +namespace magic_enum::customize { +template<> +constexpr customize_t enum_name(Type type) noexcept { + switch (type) { +case Type::Processor: return "Processor"; +case Type::ControllerService: return "Controller service"; + } + return invalid_tag; +} +} // namespace magic_enum::customize + +namespace { +std::vector listSensitiveProperties(const minifi::core::ProcessGroup &process_group) { + std::vector sensitive_properties; + + std::vector 
processors; + process_group.getAllProcessors(processors); + for (const auto *processor : processors) { +gsl_Expects(processor); +for (const auto& [_, property] : processor->getProperties()) { + if (property.isSensitive()) { +sensitive_properties.push_back(SensitiveProperty{ +.type = Type::Processor, +.component_id = processor->getUUID(), +.component_name = processor->getName(), +.property_name = property.getName(), +.property_display_name = property.getDisplayName()}); + } +} + } + + for (const auto* controller_service_node : process_group.getAllControllerServices()) { +gsl_Expects(controller_service_node); +const auto* controller_service = controller_service_node->getControllerServiceImplementation(); +gsl_Expects(controller_service); +for (const auto& [_, property] : controller_service->getProperties()) { + if (property.isSensitive()) { +sensitive_properties.push_back(SensitiveProperty{ +.type = Type::ControllerService, +.component_id = controller_service->getUUID(), +.component_name = controller_service->getName(), +.property_name = property.getName(), +.property_display_name = property.getDisplayName()}); + } +} + } + + return sensitive_properties; +} + +template +void encryptSensitiveValuesInFlowConfigImpl( +const minifi::encrypt_config::EncryptionKeys& keys, const std::filesystem::path& minifi_home, const std::filesystem::path& flow_config_path, Func create_overrides) { + const auto configure = std::make_shared(); + configure->setHome(minifi_home); + configure->loadConfigureFile(DEFAULT_NIFI_PROPERTIES_FILE); + + bool encrypt_whole_flow_config_file = (configure->get(minifi::Configure::nifi_flow_configuration_encrypt) | minifi::utils::andThen(minifi::utils::string::toBool)).value_or(false); + auto encryptor = encrypt_whole_flow_config_file ? 
minifi::utils::crypto::EncryptionProvider::create(minifi_home) : std::nullopt; + auto filesystem = std::make_shared(encrypt_whole_flow_config_file, encryptor); + + minifi::core::extension::ExtensionManager::get().initialize(configure); + + minifi::core::flow::AdaptiveConfiguration adaptive_configuration{minifi::core::ConfigurationContext{ + .flow_file_repo = minifi::core::createRepository("flowfilerepository"), + .content_repo = std::make_shared(), Review Comment: Would this work with passing null or NoopRepository? I don't think we need repositories for modifying the config.
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1514369116 ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: They can't be null, but I think `not_null` should be added to the container in `ControllerServiceMap`, so I would prefer to do this as part of MINIFICPP-2312.
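Review bot: the added `getAllControllerServices()` declaration has no doc comment, while the `findControllerService` declaration directly above it closes one (`*/`). Please document what the returned vector holds: whether callers share ownership of the elements, whether an element can ever be null, and whether callers are meant to modify the services through it. The new caller in `FlowConfigEncryptor.cpp` guards every element with `gsl_Expects`, so the contract is currently only implied at the call site.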
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1514353106 ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: I'm assuming they can't be null, so I think it would be nicer to wrap the pointers in not_null. Or have runtime checks more graceful than gsl_Expects if they can be null.
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1513225896 ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: I have changed this in 929aafecc10ae3d41ce8623d062de58c4f785abe Now the interface is a bit of a mess, with a mix of return types; I have created a Jira to fix this: https://issues.apache.org/jira/browse/MINIFICPP-2312
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1513209019 ## libminifi/src/core/json/JsonFlowSerializer.cpp: ## @@ -47,14 +47,21 @@ void JsonFlowSerializer::encryptSensitiveProperties(rapidjson::Value &property_j } if (properties.at(name).isSensitive()) { auto& value = property.value; - const std::string_view value_sv{value.GetString(), value.GetStringLength()}; + const std::string_view value_sv = component_overrides.contains(name) ? component_overrides.at(name) : std::string_view{value.GetString(), value.GetStringLength()}; const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value_sv, encryption_provider); value.SetString(encrypted_value.c_str(), encrypted_value.size(), alloc); } +component_overrides.erase(name); + } + + for (const auto& [name, value] : component_overrides) { +const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value, encryption_provider); +property_jsons.AddMember(rapidjson::Value(name, alloc), rapidjson::Value(encrypted_value, alloc), alloc); Review Comment: My bad, I missed the encrypt call on line 51 at first.
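Review bot: in `encryptSensitiveProperties`, `component_overrides.erase(name)` sits outside the `isSensitive()` branch, so an override that names an existing non-sensitive property is dropped without being applied or reported. The trailing loop then encrypts and adds every remaining override with no lookup in `properties`, so nothing in this hunk stops a misspelled or non-sensitive name from being written as a new encrypted member. I would check each override name against `properties` (known and sensitive) and report a mismatch to the caller, and add a comment on the `component_overrides` parameter stating that its values are expected in plaintext.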
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1512874899 ## libminifi/src/core/json/JsonFlowSerializer.cpp: ## @@ -47,14 +47,21 @@ void JsonFlowSerializer::encryptSensitiveProperties(rapidjson::Value &property_j } if (properties.at(name).isSensitive()) { auto& value = property.value; - const std::string_view value_sv{value.GetString(), value.GetStringLength()}; + const std::string_view value_sv = component_overrides.contains(name) ? component_overrides.at(name) : std::string_view{value.GetString(), value.GetStringLength()}; const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value_sv, encryption_provider); value.SetString(encrypted_value.c_str(), encrypted_value.size(), alloc); } +component_overrides.erase(name); + } + + for (const auto& [name, value] : component_overrides) { +const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value, encryption_provider); +property_jsons.AddMember(rapidjson::Value(name, alloc), rapidjson::Value(encrypted_value, alloc), alloc); Review Comment: Overrides as a name is fine for me, but their expected format needs to be clearly defined. I think we should standardize whether the values in the overrides are already encrypted (if sensitive) or not encrypted. I'm not sure how we currently decide about encryption based on this control flow.
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1512869627 ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: That would be an improvement. Optionally, they could be wrapped in gsl::not_null. Whether a const reference is enough for all consumers also needs to be considered, but if it is, then less unnecessary exposure is better. Currently it's pointers to mutable objects.
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1512455086 ## libminifi/src/core/json/JsonFlowSerializer.cpp: ## @@ -47,14 +47,21 @@ void JsonFlowSerializer::encryptSensitiveProperties(rapidjson::Value &property_j } if (properties.at(name).isSensitive()) { auto& value = property.value; - const std::string_view value_sv{value.GetString(), value.GetStringLength()}; + const std::string_view value_sv = component_overrides.contains(name) ? component_overrides.at(name) : std::string_view{value.GetString(), value.GetStringLength()}; const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value_sv, encryption_provider); value.SetString(encrypted_value.c_str(), encrypted_value.size(), alloc); } +component_overrides.erase(name); + } + + for (const auto& [name, value] : component_overrides) { +const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value, encryption_provider); +property_jsons.AddMember(rapidjson::Value(name, alloc), rapidjson::Value(encrypted_value, alloc), alloc); Review Comment: Also, this part of the code handles the case when the property given by the user to the `encrypt-config` tool does not exist in the JSON, yet. In this case, we add the property to the JSON flow configuration.
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1512449471 ## libminifi/src/core/json/JsonFlowSerializer.cpp: ## @@ -47,14 +47,21 @@ void JsonFlowSerializer::encryptSensitiveProperties(rapidjson::Value &property_j } if (properties.at(name).isSensitive()) { auto& value = property.value; - const std::string_view value_sv{value.GetString(), value.GetStringLength()}; + const std::string_view value_sv = component_overrides.contains(name) ? component_overrides.at(name) : std::string_view{value.GetString(), value.GetStringLength()}; const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value_sv, encryption_provider); value.SetString(encrypted_value.c_str(), encrypted_value.size(), alloc); } +component_overrides.erase(name); + } + + for (const auto& [name, value] : component_overrides) { +const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value, encryption_provider); +property_jsons.AddMember(rapidjson::Value(name, alloc), rapidjson::Value(encrypted_value, alloc), alloc); Review Comment: Encrypted or not is a red herring. The property value in the JSON (or YAML) may or may not be already encrypted; if it isn't, then it will be encrypted now. Overrides are used by the `encrypt-config` tool to replace the existing property value with a new value given by the user. "Override" may not be the best name for this; do you have a suggestion for a better name?
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1512442049 ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: do you mean the vector should contain `const ControllerServiceNode*`s?
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
szaszm commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1511219340 ## libminifi/src/core/json/JsonFlowSerializer.cpp: ## @@ -47,14 +47,21 @@ void JsonFlowSerializer::encryptSensitiveProperties(rapidjson::Value &property_j } if (properties.at(name).isSensitive()) { auto& value = property.value; - const std::string_view value_sv{value.GetString(), value.GetStringLength()}; + const std::string_view value_sv = component_overrides.contains(name) ? component_overrides.at(name) : std::string_view{value.GetString(), value.GetStringLength()}; const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value_sv, encryption_provider); value.SetString(encrypted_value.c_str(), encrypted_value.size(), alloc); } +component_overrides.erase(name); + } + + for (const auto& [name, value] : component_overrides) { +const std::string encrypted_value = utils::crypto::property_encryption::encrypt(value, encryption_provider); +property_jsons.AddMember(rapidjson::Value(name, alloc), rapidjson::Value(encrypted_value, alloc), alloc); Review Comment: What's the idea behind overrides? I see that the override values are used in plaintext to override existing properties in the flow definition, but if they were not used, then they are used encrypted. I don't understand why it works that way. ## libminifi/include/core/ProcessGroup.h: ## @@ -205,6 +205,8 @@ class ProcessGroup : public CoreComponent { */ std::shared_ptr findControllerService(const std::string &nodeId) const; + std::vector> getAllControllerServices() const; Review Comment: Does this really need to give ownership to the callers?
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1496161613 ## encrypt-config/FlowConfigEncryptor.cpp: ## @@ -0,0 +1,173 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "FlowConfigEncryptor.h" + +#include "core/extension/ExtensionManager.h" +#include "core/FlowConfiguration.h" +#include "core/flow/AdaptiveConfiguration.h" +#include "core/ProcessGroup.h" +#include "core/RepositoryFactory.h" +#include "core/repository/VolatileContentRepository.h" +#include "Defaults.h" +#include "Utils.h" +#include "utils/file/FileSystem.h" +#include "utils/Id.h" + +namespace minifi = org::apache::nifi::minifi; + +namespace { +enum class Type { + Processor, ControllerService Review Comment: agreed, it looks better: b62a3c5b77b4a4acefcd806a81fd7d2e8aa20be4
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1496160803 ## encrypt-config/EncryptConfig.h: ## @@ -21,40 +21,29 @@ #include "Utils.h" -namespace org { -namespace apache { -namespace nifi { -namespace minifi { -namespace encrypt_config { +namespace org::apache::nifi::minifi::encrypt_config { class EncryptConfig { public: - enum class EncryptionType { -ENCRYPT, -RE_ENCRYPT - }; - explicit EncryptConfig(const std::string& minifi_home); - EncryptionType encryptSensitiveProperties() const; - void encryptFlowConfig() const; + void encryptSensitiveValuesInMinifiProperties() const; + void encryptSensitiveValuesInFlowConfig(const std::optional& component_id, const std::optional& property_name, const std::optional& property_value) const; + void encryptWholeFlowConfigFile() const; - private: - std::filesystem::path bootstrapFilePath() const; - std::filesystem::path propertiesFilePath() const; + [[nodiscard]] bool isReencrypting() const; - EncryptionKeys getEncryptionKeys() const; - std::string hexDecodeAndValidateKey(const std::string& key, const std::string& key_name) const; - void writeEncryptionKeyToBootstrapFile(const utils::crypto::Bytes& encryption_key) const; + private: + [[nodiscard]] std::filesystem::path bootstrapFilePath() const; + [[nodiscard]] std::filesystem::path propertiesFilePath() const; + [[nodiscard]] std::filesystem::path flowConfigPath() const; + static std::string flowConfigContent(const std::filesystem::path& config_path); Review Comment: yes, good idea -- done in 195fdc307610b4dcdf40d76ad83345f240382f2e
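Review bot: `encryptSensitiveValuesInFlowConfig` takes `component_id`, `property_name` and `property_value` as three independent `std::optional` parameters, so the signature permits partial combinations such as a value with no component or property name. If the three only make sense together, a single optional struct carrying all of them would rule the partial cases out at compile time; otherwise the header should say which combinations are accepted and what happens for the rest. As a smaller point, `flowConfigContent` is the only value-returning member added in this hunk without `[[nodiscard]]`.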
Re: [PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
lordgamez commented on code in PR #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725#discussion_r1496055501 ## encrypt-config/FlowConfigEncryptor.cpp: ## @@ -0,0 +1,173 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "FlowConfigEncryptor.h" + +#include "core/extension/ExtensionManager.h" +#include "core/FlowConfiguration.h" +#include "core/flow/AdaptiveConfiguration.h" +#include "core/ProcessGroup.h" +#include "core/RepositoryFactory.h" +#include "core/repository/VolatileContentRepository.h" +#include "Defaults.h" +#include "Utils.h" +#include "utils/file/FileSystem.h" +#include "utils/Id.h" + +namespace minifi = org::apache::nifi::minifi; + +namespace { +enum class Type { + Processor, ControllerService Review Comment: minor: for readability I would put each value on a separate line ## encrypt-config/EncryptConfig.h: ## 
@@ -21,40 +21,29 @@ #include "Utils.h" -namespace org { -namespace apache { -namespace nifi { -namespace minifi { -namespace encrypt_config { +namespace org::apache::nifi::minifi::encrypt_config { class EncryptConfig { public: - enum class EncryptionType { -ENCRYPT, -RE_ENCRYPT - }; - explicit EncryptConfig(const std::string& minifi_home); - EncryptionType encryptSensitiveProperties() const; - void encryptFlowConfig() const; + void encryptSensitiveValuesInMinifiProperties() const; + void encryptSensitiveValuesInFlowConfig(const std::optional& component_id, const std::optional& property_name, const std::optional& property_value) const; + void encryptWholeFlowConfigFile() const; - private: - std::filesystem::path bootstrapFilePath() const; - std::filesystem::path propertiesFilePath() const; + [[nodiscard]] bool isReencrypting() const; - EncryptionKeys getEncryptionKeys() const; - std::string hexDecodeAndValidateKey(const std::string& key, const std::string& key_name) const; - void writeEncryptionKeyToBootstrapFile(const utils::crypto::Bytes& encryption_key) const; + private: + [[nodiscard]] std::filesystem::path bootstrapFilePath() const; + [[nodiscard]] std::filesystem::path propertiesFilePath() const; + [[nodiscard]] std::filesystem::path flowConfigPath() const; + static std::string flowConfigContent(const std::filesystem::path& config_path); Review Comment: minor: this could be moved to the cpp file in an anonymous namespace as it is only used in the class implementation.
[PR] MINIFICPP-2283 Create tool to encrypt sensitive properties in config.yml [nifi-minifi-cpp]
fgerlits opened a new pull request, #1725: URL: https://github.com/apache/nifi-minifi-cpp/pull/1725

https://issues.apache.org/jira/browse/MINIFICPP-2283

I have also upgraded argparse from 2.9 to 3.0 so I can use the new `flag()` syntax.

---

Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.

In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Does your PR title start with MINIFICPP- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically main)?
- [x] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file?
- [ ] If applicable, have you updated the NOTICE file?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI results for build issues and submit an update to your PR as soon as possible.