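/**
 * Resolves secure-vault protected values in the given configuration properties, in place.
 *
 * <p>Configuration files can carry sensitive values such as passwords. When a
 * {@code SecretResolver} can be created from {@code properties} and is initialised, every
 * property whose key is token-protected has its value replaced by the resolved secret, so the
 * rest of start-up reads the real value. Without a usable resolver the properties are left
 * untouched and a warning is logged. Only property keys are written to the debug log, never the
 * resolved values.
 *
 * @param properties configuration to resolve; modified in place, ignored when {@code null}
 * @throws IllegalStateException if the resolver yields no value for a token-protected key, so a
 *     misconfigured vault fails loudly instead of leaving the encrypted token in use
 */
private static void resolveSecrets(Properties properties) {
    if (properties == null) {
        return;
    }
    SecretResolver secretResolver = SecretResolverFactory.create(properties);
    if (secretResolver == null || !secretResolver.isInitialized()) {
        log.warn(
            "Secret Resolver is not present. Will not resolve encryptions in "
                + Constants.TenantConstants.CONFIG_RELATIVE_PATH
                + " file");
        return;
    }
    // Walk the whole configuration and replace every encrypted property with its plain value.
    Enumeration<?> propertyNames = properties.propertyNames();
    while (propertyNames.hasMoreElements()) {
        String key = (String) propertyNames.nextElement();
        if (!secretResolver.isTokenProtected(key)) {
            if (log.isDebugEnabled()) {
                log.debug("No encryption done for value with key :" + key);
            }
            continue;
        }
        if (log.isDebugEnabled()) {
            log.debug("Resolving and replacing secret for " + key);
        }
        String value = secretResolver.resolve(key);
        if (value == null) {
            // Properties.put(key, null) would fail with a bare NullPointerException; name the key
            // (never the value) so the operator can see which alias the vault could not serve.
            throw new IllegalStateException("Secret resolver returned no value for key " + key);
        }
        // From here on the in-memory configuration holds the plain-text secret.
        properties.put(key, value);
    }
}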
/**
 * Resolves a secure-vault alias to its secret value, creating the shared resolver on first use.
 *
 * <p>The resolver is kept in the static {@code secretResolver} field and initialised with the
 * secret callback handler obtained from {@code DataServicesDSComponent}. The method is
 * {@code synchronized} so concurrent first calls do not build two resolvers.
 *
 * @param alias the secure-vault alias to resolve
 * @return the secret behind {@code alias}, as returned by the resolver
 */
public static synchronized String loadFromSecureVault(String alias) {
    if (secretResolver != null) {
        return secretResolver.resolve(alias);
    }
    // First call: build the resolver without a backing element and wire in the callback handler.
    secretResolver = SecretResolverFactory.create((OMElement) null, false);
    secretResolver.init(
        DataServicesDSComponent.getSecretCallbackHandlerService().getSecretCallbackHandler());
    return secretResolver.resolve(alias);
}
/**
 * Returns the plain-text password for a data service, resolving it through secure vault when
 * the configured value is a protected alias.
 *
 * <p>The {@code password} argument is treated as the vault alias: if the data service carries a
 * resolver and {@code isTokenProtected(password)} holds, the resolved secret is returned;
 * otherwise the value is returned unchanged.
 *
 * @param dataService data service whose resolver is consulted (must not be {@code null})
 * @param password configured password, possibly a secure-vault alias
 * @return the resolved password, or {@code password} itself when it is not protected
 */
public static String resolvePasswordValue(DataService dataService, String password) {
    SecretResolver resolver = dataService.getSecretResolver();
    boolean protectedAlias = resolver != null && resolver.isTokenProtected(password);
    return protectedAlias ? resolver.resolve(password) : password;
}
/**
 * Resolves a secure-vault alias to its secret value, creating the shared resolver on first use.
 *
 * <p>The resolver lives in the static {@code secretResolver} field and is initialised with the
 * secret callback handler from {@code RSSManagerDataHolder}. Synchronised so that concurrent
 * first calls do not build two resolvers.
 *
 * @param alias the secure-vault alias to resolve
 * @return the secret behind {@code alias}, as returned by the resolver
 */
private static synchronized String loadFromSecureVault(String alias) {
    if (secretResolver != null) {
        return secretResolver.resolve(alias);
    }
    // First call: build the resolver without a backing element and wire in the callback handler.
    secretResolver = SecretResolverFactory.create((OMElement) null, false);
    secretResolver.init(
        RSSManagerDataHolder.getInstance()
            .getSecretCallbackHandlerService()
            .getSecretCallbackHandler());
    return secretResolver.resolve(alias);
}
/**
 * Loads the IaaS credential from the first {@code credential} child of {@code iaasElt}.
 *
 * <p>Resolution order: the element's alias attribute is looked up in secure vault first; if that
 * yields nothing, the element's text is used as a plain-text fallback and a warning is logged.
 * Additional {@code credential} elements are ignored with a warning. If no credential can be
 * found at all, {@code handleException} is invoked with a message naming the source document.
 * Credential values themselves are never logged.
 *
 * @param iaas provider whose credential is set
 * @param iaasElt the IaaS element holding the {@code credential} child
 * @param xpath xpath of the IaaS element (currently unused here)
 */
private void loadCredentials(
    final IaasProvider iaas, final OMElement iaasElt, final String xpath) {
    QName credentialName = new QName(CloudControllerConstants.CREDENTIAL_ELEMENT);
    Iterator<?> credentials = iaasElt.getChildrenWithName(credentialName);
    if (credentials.hasNext()) {
        OMElement credentialElt = (OMElement) credentials.next();
        // Prefer the secure-vault value referenced by the alias attribute.
        SecretResolver resolver = SecretResolverFactory.create(documentElement, false);
        String alias =
            credentialElt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));
        boolean vaultHasValue =
            resolver != null && resolver.isInitialized() && resolver.isTokenProtected(alias);
        if (vaultHasValue) {
            iaas.setCredential(resolver.resolve(alias));
        }
        // Fall back to the element text when the vault gave nothing.
        if (iaas.getCredential() == null) {
            log.warn(
                "Unable to find a value for "
                    + CloudControllerConstants.CREDENTIAL_ELEMENT
                    + " element from Secure Vault."
                    + "Hence we will try to assign the plain text value (if specified).");
            iaas.setCredential(credentialElt.getText());
        }
    }
    if (credentials.hasNext()) {
        log.warn(
            xmlSource
                + " contains more than one "
                + CloudControllerConstants.CREDENTIAL_ELEMENT
                + " elements!"
                + " Elements other than the first will be neglected.");
    }
    if (iaas.getCredential() == null) {
        handleException(
            "Essential '"
                + CloudControllerConstants.CREDENTIAL_ELEMENT
                + "' element"
                + " has not specified in "
                + xmlSource);
    }
}
/**
 * Resolves the secure-vault value referenced by an element's alias attribute.
 *
 * @param elt element carrying the alias attribute
 * @return the resolved secret, or {@code null} when no initialised resolver is available or the
 *     alias is not token-protected
 */
private String resolveSecret(final OMElement elt) {
    SecretResolver resolver = SecretResolverFactory.create(documentElement, false);
    String alias = elt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));
    // Only a ready resolver that knows the alias can supply the secured value.
    boolean resolvable =
        resolver != null && resolver.isInitialized() && resolver.isTokenProtected(alias);
    return resolvable ? resolver.resolve(alias) : null;
}
/**
 * Collects the {@code Property} children of an element into a name/value map, resolving
 * secure-vault aliases where a resolver is available.
 *
 * <p>For each property two aliases are tried in order,
 * {@code UserManager.Configuration.Property.<name>} and then
 * {@code UserStoreManager.Property.<name>}; when both are token-protected the second one wins.
 * Names and values are trimmed before being stored.
 *
 * @param omElement parent element whose {@code Property} children are read
 * @param secretResolver resolver used for alias lookup; may be {@code null} or uninitialised,
 *     in which case values are taken verbatim from the element text
 * @return a mutable map of trimmed property names to trimmed (possibly resolved) values
 */
private Map<String, String> getChildPropertyElements(
    OMElement omElement, SecretResolver secretResolver) {
    Map<String, String> properties = new HashMap<String, String>();
    QName propertyName = new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PROPERTY);
    QName nameAttribute = new QName(UserCoreConstants.RealmConfig.ATTR_NAME_PROP_NAME);
    Iterator<?> children = omElement.getChildrenWithName(propertyName);
    while (children.hasNext()) {
        OMElement property = (OMElement) children.next();
        String name = property.getAttributeValue(nameAttribute);
        String value = property.getText();
        if (secretResolver != null && secretResolver.isInitialized()) {
            String configAlias = "UserManager.Configuration.Property." + name;
            if (secretResolver.isTokenProtected(configAlias)) {
                value = secretResolver.resolve(configAlias);
            }
            // Checked second on purpose: a user-store alias overrides the configuration alias.
            String storeAlias = "UserStoreManager.Property." + name;
            if (secretResolver.isTokenProtected(storeAlias)) {
                value = secretResolver.resolve(storeAlias);
            }
        }
        properties.put(name.trim(), value.trim());
    }
    return properties;
}
/**
 * Builds the realm configuration chain (primary user store plus linked secondary stores) from
 * the {@code Realm} element of user-mgt.xml.
 *
 * <p>Secure-vault handling: realm-level and user-store properties go through
 * {@code getChildPropertyElements} with the class-level {@code secretResolver}, and the admin
 * password is replaced by the value behind the {@code UserManager.AdminUser.Password} alias when
 * that alias is token-protected. The resolved values are kept in plain text inside the returned
 * configuration objects.
 *
 * @param realmElem the {@code Realm} element to parse
 * @param supperTenant {@code true} when building the super-tenant (server) realm; a missing
 *     AddAdmin element or TenantManager property is then fatal instead of defaulted
 * @return the primary realm configuration, with secondary configurations chained through
 *     {@code setSecondaryRealmConfig}; {@code null} when no user store manager element exists
 * @throws UserStoreException on missing mandatory super-tenant configuration, or when the admin
 *     user or admin role carries a domain that does not match the primary user store domain
 */
public RealmConfiguration buildRealmConfiguration(OMElement realmElem, boolean supperTenant)
    throws UserStoreException {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String addAdmin = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    String description = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    // Declared outside the loop: once a user store sets it to true it stays true for the stores
    // that follow unless they specify the property themselves.
    boolean passwordsExternallyManaged = false;
    realmClass =
        (String) realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    // Realm-level properties; vault aliases are resolved inside getChildPropertyElements.
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);
    // AddAdmin: mandatory for the super tenant, defaulted to "true" for other tenants.
    if (mainConfig.getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            != null
        && !mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            .getText()
            .trim()
            .equals("")) {
        addAdmin =
            mainConfig
                .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
                .getText()
                .trim();
    } else {
        if (supperTenant) {
            log.error(
                "AddAdmin configuration not found or invalid in user-mgt.xml. Cannot start server!");
            throw new UserStoreException(
                "AddAdmin configuration not found or invalid user-mgt.xml. Cannot start server!");
        } else {
            log.debug("AddAdmin configuration not found");
            addAdmin = "true";
        }
    }
    // Reserved role names: comma-separated if a comma is present, otherwise semicolon-separated.
    OMElement reservedRolesElm =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_RESERVED_ROLE_NAMES));
    String[] reservedRoles = new String[0];
    if (reservedRolesElm != null && !reservedRolesElm.getText().trim().equals("")) {
        String rolesStr = reservedRolesElm.getText().trim();
        if (rolesStr.contains(",")) {
            reservedRoles = rolesStr.split(",");
        } else {
            reservedRoles = rolesStr.split(";");
        }
    }
    // Domains barred from self sign-up, split with the same comma-or-semicolon rule.
    OMElement restrictedDomainsElm =
        mainConfig.getFirstChildWithName(
            new QName(
                UserCoreConstants.RealmConfig.LOCAL_NAME_RESTRICTED_DOMAINS_FOR_SELF_SIGN_UP));
    String[] restrictedDomains = new String[0];
    if (restrictedDomainsElm != null && !restrictedDomainsElm.getText().trim().equals("")) {
        String domain = restrictedDomainsElm.getText().trim();
        if (domain.contains(",")) {
            restrictedDomains = domain.split(",");
        } else {
            restrictedDomains = domain.split(";");
        }
    }
    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText()
            .trim();
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText()
            .trim();
    // The element text is only a placeholder when the admin password is kept in secure vault;
    // the plain-text value is fetched by its fixed alias and then held in memory.
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
        adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText()
            .trim();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText()
            .trim();
    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig
            .getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS))
            .trim();
    // No resolver for authorization-manager properties: aliases there are taken verbatim.
    authzProperties = getChildPropertyElements(authzConfig, null);
    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));
    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;
    // One RealmConfiguration per UserStoreManager element; the first becomes the primary and each
    // later one is linked to its predecessor via tmpConfig.
    for (; iterator.hasNext(); ) {
        OMElement usaConfig = iterator.next();
        userStoreClass =
            usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
        if (usaConfig.getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
            != null) {
            description =
                usaConfig
                    .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
                    .getText()
                    .trim();
        }
        userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);
        String sIsPasswordExternallyManaged =
            userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);
        Map<String, String> multipleCredentialsProperties =
            getMultipleCredentialsProperties(usaConfig);
        if (null != sIsPasswordExternallyManaged
            && !sIsPasswordExternallyManaged.trim().equals("")) {
            passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("External password management is disabled.");
            }
        }
        realmConfig = new RealmConfiguration();
        realmConfig.setRealmClassName(realmClass);
        realmConfig.setUserStoreClass(userStoreClass);
        realmConfig.setDescription(description);
        realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
        if (primaryConfig == null) {
            // First store: it owns the admin password, AddAdmin flag, reserved roles and
            // restricted domains; secondary stores never receive the admin password here.
            realmConfig.setPrimary(true);
            realmConfig.setAddAdmin(addAdmin);
            realmConfig.setAdminPassword(adminPassword);
            // if domain name not provided, add default primary domain name
            String domain =
                userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
            if (domain == null) {
                userStoreProperties.put(
                    UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME,
                    UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME);
            }
            for (int i = 0; i < reservedRoles.length; i++) {
                realmConfig.addReservedRoleName(reservedRoles[i].trim().toUpperCase());
            }
            for (int i = 0; i < restrictedDomains.length; i++) {
                realmConfig.addRestrictedDomainForSelfSignUp(
                    restrictedDomains[i].trim().toUpperCase());
            }
            if (supperTenant
                && userStoreProperties.get(
                        UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER)
                    == null) {
                log.error(
                    "Required property '"
                        + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                        + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
                throw new UserStoreException(
                    "Required property '"
                        + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                        + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
            }
        }
        // If the domain name still empty
        // (only a secondary store can get here without a domain, the primary was defaulted above).
        // A skipped store is discarded entirely: it is neither linked into the chain nor becomes
        // tmpConfig, so the next store links to the previous accepted one.
        String domain = userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        if (domain == null) {
            log.warn(
                "Required property "
                    + UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME
                    + " missing in secondary user store. Skip adding the user store.");
            continue;
        }
        // Making user stores added using user-mgt.xml non-editable(static) at runtime
        userStoreProperties.put(UserCoreConstants.RealmConfig.STATIC_USER_STORE, "true");
        realmConfig.setEveryOneRoleName(
            UserCoreConstants.INTERNAL_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + everyOneRoleName);
        realmConfig.setAdminRoleName(adminRoleName);
        realmConfig.setAdminUserName(adminUserName);
        realmConfig.setUserStoreProperties(userStoreProperties);
        // authzProperties and realmProperties are the same map instances for every store.
        realmConfig.setAuthzProperties(authzProperties);
        realmConfig.setRealmProperties(realmProperties);
        realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
        realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);
        // Fill in defaults the store did not specify.
        if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
            == null) {
            realmConfig
                .getUserStoreProperties()
                .put(
                    UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                    UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
        }
        if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
            == null) {
            realmConfig
                .getUserStoreProperties()
                .put(
                    UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                    UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
        }
        if (primaryConfig == null) {
            primaryConfig = realmConfig;
        } else {
            tmpConfig.setSecondaryRealmConfig(realmConfig);
        }
        tmpConfig = realmConfig;
    }
    if (primaryConfig != null && primaryConfig.isPrimary()) {
        // Check if Admin user name has been provided with domain
        String primaryDomainName =
            primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        String readOnly =
            primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY);
        Boolean isReadOnly = false;
        if (readOnly != null) {
            isReadOnly = Boolean.parseBoolean(readOnly);
        }
        if (primaryDomainName != null && primaryDomainName.trim().length() > 0) {
            if (adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
                // Using the short-circuit. User name comes with the domain name.
                // An explicit admin domain must be the primary store's domain; anything else is
                // rejected rather than silently re-homed.
                String adminUserDomain =
                    adminUserName.substring(0, adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));
                if (!primaryDomainName.equalsIgnoreCase(adminUserDomain)) {
                    throw new UserStoreException(
                        "Admin User domain does not match primary user store domain.");
                }
            } else {
                primaryConfig.setAdminUserName(
                    UserCoreUtil.addDomainToName(adminUserName, primaryDomainName));
            }
            if (adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
                // Using the short-circuit. User name comes with the domain name.
                // Java precedence makes this: domain mismatch, OR (read-only store AND primary
                // domain is not the internal domain).
                String adminRoleDomain =
                    adminRoleName.substring(0, adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));
                if ((!primaryDomainName.equalsIgnoreCase(adminRoleDomain))
                    || (isReadOnly)
                        && (!primaryDomainName.equalsIgnoreCase(UserCoreConstants.INTERNAL_DOMAIN))) {
                    throw new UserStoreException(
                        "Admin Role domain does not match primary user store domain.");
                }
            }
        }
        // This will be overridden inside the UserStoreManager constructor.
        primaryConfig.setAdminRoleName(
            UserCoreUtil.addDomainToName(adminRoleName, primaryDomainName));
    }
    return primaryConfig;
}
/**
 * Builds the realm configuration chain from a {@code Realm} element without tenant-specific
 * validation.
 *
 * <p>Compared with the two-argument overload this variant does not trim element text, does not
 * handle AddAdmin, reserved roles, restricted domains or domain-name defaults, does not skip
 * stores lacking a domain, and does not validate the admin user/role domain. The admin password
 * is resolved from the {@code UserManager.AdminUser.Password} secure-vault alias when protected
 * and is then set on every user store configuration, not only the primary one.
 *
 * @param realmElem the {@code Realm} element to parse
 * @return the primary realm configuration with secondary configurations chained through
 *     {@code setSecondaryRealmConfig}; {@code null} when no user store manager element exists
 */
public RealmConfiguration buildRealmConfiguration(OMElement realmElem) {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    // Declared outside the loop: once a store sets it to true it carries over to later stores
    // that do not specify the property.
    boolean passwordsExternallyManaged = false;
    realmClass =
        (String) realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    // Realm-level properties; vault aliases are resolved inside getChildPropertyElements.
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);
    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText();
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText();
    // The element text is only a placeholder when the admin password lives in secure vault; the
    // plain-text value is fetched by its fixed alias and then held in memory.
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
        adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText();
    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
    // No resolver for authorization-manager properties: aliases there are taken verbatim.
    authzProperties = getChildPropertyElements(authzConfig, null);
    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));
    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;
    // One RealmConfiguration per UserStoreManager element; the first becomes the primary and each
    // later one is linked to its predecessor via tmpConfig.
    for (; iterator.hasNext(); ) {
        OMElement usaConfig = iterator.next();
        userStoreClass =
            usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
        userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);
        String sIsPasswordExternallyManaged =
            userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);
        Map<String, String> multipleCredentialsProperties =
            getMultipleCredentialsProperties(usaConfig);
        if (null != sIsPasswordExternallyManaged
            && !sIsPasswordExternallyManaged.trim().equals("")) {
            passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("External password management is disabled.");
            }
        }
        realmConfig = new RealmConfiguration();
        realmConfig.setRealmClassName(realmClass);
        realmConfig.setUserStoreClass(userStoreClass);
        realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
        realmConfig.setAdminRoleName(adminRoleName);
        realmConfig.setAdminUserName(adminUserName);
        // Every store in the chain receives the (resolved) admin password.
        realmConfig.setAdminPassword(adminPassword);
        realmConfig.setEveryOneRoleName(everyOneRoleName);
        realmConfig.setUserStoreProperties(userStoreProperties);
        // authzProperties and realmProperties are the same map instances for every store.
        realmConfig.setAuthzProperties(authzProperties);
        realmConfig.setRealmProperties(realmProperties);
        realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
        realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);
        // Fill in defaults the store did not specify.
        if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
            == null) {
            realmConfig
                .getUserStoreProperties()
                .put(
                    UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                    UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
        }
        if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
            == null) {
            realmConfig
                .getUserStoreProperties()
                .put(
                    UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                    UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
        }
        if (primaryConfig == null) {
            primaryConfig = realmConfig;
        } else {
            tmpConfig.setSecondaryRealmConfig(realmConfig);
        }
        tmpConfig = realmConfig;
    }
    return primaryConfig;
}