/modules/core/src/main/java/org/adroitlogic/ultraesb/util/encrypt/SecurePropertyManager.java

/*
 * AdroitLogic UltraESB Enterprise Service Bus
 *
 * Copyright (c) 2010-2015 AdroitLogic Private Ltd. (http://adroitlogic.org). All Rights Reserved.
 *
 * GNU Affero General Public License Usage
 *
 * This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
 * Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for
 * more details.
 *
 * You should have received a copy of the GNU Affero General Public License along with this program (See LICENSE-AGPL.TXT).
 * If not, see http://www.gnu.org/licenses/agpl-3.0.html
 *
 * Commercial Usage
 *
 * Licensees holding valid UltraESB Commercial licenses may use this file in accordance with the UltraESB Commercial
 * License Agreement provided with the Software or, alternatively, in accordance with the terms contained in a written
 * agreement between you and AdroitLogic.
 *
 * If you are unsure which license is appropriate for your use, or have questions regarding the use of this file,
 * please contact AdroitLogic at info@adroitlogic.com
 */

package org.adroitlogic.ultraesb.util.encrypt;

import org.adroitlogic.logging.api.Logger;
import org.adroitlogic.ultraesb.api.BusRuntimeException;
import org.adroitlogic.logging.api.LoggerFactory;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.security.SecureRandom;

/**
 * Allows sensitive information such as passwords specified on the configurations to be secured
 *
 * @author asankha
 */
public class SecurePropertyManager extends PropertyPlaceholderConfigurer {

    private static final Logger logger = LoggerFactory.getLogger(SecurePropertyManager.class);

    private static final String USAGE = "Invalid arguments. Execute as follows:\n" +
        "java SecurePropertyManager [-decrypt] <secret> [-p<password>] [-a<algorithm>] [-salted]";
    private static final String SALT_PREFIX = "__salt__";

    private String algorithm = "Blowfish";
    private String password = "jaas is the way";
    private String passwordEnvVar = null;
    private boolean salted = false;
    private Cipher decipher;
    private Cipher cipher;
    private SecureRandom secureRandom = new SecureRandom();

    public void setPassword(String password) {
        this.password = password;
    }

    public void setAlgorithm(String algorithm) {
        this.algorithm = algorithm;
    }

    public void setPasswordEnvVar(String passwordEnvVar) {
        this.passwordEnvVar = passwordEnvVar;
    }

    public void setSalted(boolean salted) {
        this.salted = salted;
    }

    private String getPassword() {
        if (passwordEnvVar != null) {
            return System.getenv(passwordEnvVar);
        }
        return password;
    }

    public void init() {
        try {
            decipher = Cipher.getInstance(algorithm);
            decipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(getPassword().getBytes(), algorithm));

            cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(getPassword().getBytes(), algorithm));
        } catch (Exception e) {
            logger.error("Error initializing algorithm : {}", algorithm, e);
            throw new BusRuntimeException("Error initializing algorithm : " + algorithm, e);
        }
    }

    protected String convertPropertyValue(final String originalValue) {

        if (originalValue.startsWith("SALTEDBIGINT16(") && originalValue.endsWith(")")) {
            try {
                BigInteger bigInteger = new BigInteger(originalValue.substring(15, originalValue.length() - 1), 16);
                byte[] encryptedBytes = bigInteger.toByteArray();
                byte[] decrypted = decipher.doFinal(encryptedBytes);

                final String decryptedStr = new String(decrypted);
                final int pos = decryptedStr.indexOf(SALT_PREFIX);
                return decryptedStr.substring(0, pos);

            } catch (Exception e) {
                logger.error("Error decoding encrypted and salted property key : {}", originalValue, e);
                throw new BusRuntimeException("Error decoding encrypted property key : " + originalValue, e);
            }

        } else if (originalValue.startsWith("BIGINT16(") && originalValue.endsWith(")")) {
            try {
                BigInteger bigInteger = new BigInteger(originalValue.substring(9, originalValue.length() - 1), 16);
                byte[] encryptedBytes = bigInteger.toByteArray();
                byte[] decrypted = decipher.doFinal(encryptedBytes);
                return new String(decrypted);

            } catch (Exception e) {
                logger.error("Error decoding encrypted property key : {}", originalValue, e);
                throw new BusRuntimeException("Error decoding encrypted property key : " + originalValue, e);
            }
        }

        return originalValue;
    }

    private String encrypt(String originalValue) {

        if (salted) {
            originalValue = originalValue + SALT_PREFIX + secureRandom.nextLong();
        }

        try {
            byte[] encrypted = cipher.doFinal(originalValue.getBytes());
            BigInteger bigInteger = new BigInteger(encrypted);
            return (salted ? "SALTEDBIGINT16(" : "BIGINT16(") + bigInteger.toString(16) + ")";

        } catch (Exception e) {
            logger.error("Error decoding encrypted property key : {}", originalValue, e);
            throw new BusRuntimeException("Error decoding encrypted property key : " + originalValue, e);
        }
    }

    /**
     * Encrypts (unless -decrypt is specified) the <input> using the <password> and <algorithm>, or decrypts it
     * <p/>
     * The default algorithm is Blowfish, and the password is the default used in JBoss AS
     * <p/>
     * java SecurePropertyManager [-decrypt] <input> [-p<password>] [-a<algorithm>] [-salted]
     * <p/>
     * Examples of clear text and encrypted passwords
     * test,      48e90df5bc00051e
     * esb2004db, -17741c6ab3e49477dd7a7db5da950da9
     * dbESB0420, -2840cadf9d9e244af66025633c93b691
     * aä&zz%4d,  -662396de3bba58629ba2ea1ca027b24c
     * xyz/{\d,   3331ee4824be0100
     */
    public static void main(String[] args) throws Exception {

        SecurePropertyManager s = new SecurePropertyManager();

        if (args.length == 0 || args.length > 6) {
            System.out.println(USAGE);
            return;
        }

        boolean encrypt = true;
        String input = null;

        for (String arg : args) {
            if ("-decrypt".equals(arg)) {
                encrypt = false;
            } else if ("-salted".equals(arg)) {
                s.setSalted(true);
            } else if (arg.startsWith("-p")) {
                s.setPassword(arg.substring(2));
            } else if (arg.startsWith("-a")) {
                s.setAlgorithm(arg.substring(2));
            } else {
                input = arg;
            }
        }

        if (input == null) {
            System.out.println(USAGE);
            return;
        }

        s.init();
        if (encrypt) {
            final String result = s.encrypt(input);
            if (input.equals(s.convertPropertyValue(result))) {
                System.out.println(result);
            } else {
                System.out.println("Unexpected error encrypting the password - " + input);
            }

        } else {
            System.out.println(s.convertPropertyValue(input));
        }
    }
}