ALF-9510: wip. Further code changes.

Plus, some code tidy up, comments. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30111 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-08-26 16:15:48 +00:00
parent 2910af4b61
commit cfabcb18e3
7 changed files with 187 additions and 91 deletions
--- a/config/alfresco/encryption-context.xml
+++ b/config/alfresco/encryption-context.xml
@@ -45,7 +45,16 @@
       <property name="type"     value="${encryption.keystore.type}"/>
       <property name="keyMetaDataFileLocation" value="${encryption.keystore.keyMetaData.location}"/>
    </bean>
-
+    
    <bean id="keyStore" class="org.alfresco.encryption.AlfrescoKeyStoreImpl" init-method="init">
       <property name="keyStoreParameters" ref="keyStoreParameters"/>
       <property name="keyResourceLoader" ref="springKeyResourceLoader"/>
    </bean>
    <bean id="keyProvider" class="org.alfresco.encryption.KeystoreKeyProvider" init-method="init">
       <property name="keyStore" ref="keyStore"/>
    </bean>
    <bean id="backupKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters">
       <property name="location" value="${encryption.keystore.backup.location}"/>
       <property name="provider" value="${encryption.keystore.backup.provider}"/>
@@ -53,20 +62,36 @@
       <property name="keyMetaDataFileLocation" value="${encryption.keystore.backup.keyMetaData.location}"/>
    </bean>
-    <bean id="keyProvider" class="org.alfresco.encryption.KeystoreKeyProvider" init-method="init">
+    <bean id="backupKeyStore" class="org.alfresco.encryption.AlfrescoKeyStoreImpl" init-method="init">
-       <property name="keyStoreParameters" ref="keyStoreParameters"/>
+       <property name="keyStoreParameters" ref="backupKeyStoreParameters"/>
       <property name="keyResourceLoader" ref="springKeyResourceLoader"/>
    </bean>
    <bean id="backupKeyProvider" class="org.alfresco.encryption.KeystoreKeyProvider" init-method="init">
       <property name="keyStore" ref="backupKeyStore"/>
    </bean>
    <bean id="backupEncryptor" class="org.alfresco.encryption.DefaultEncryptor" init-method="init">
        <property name="keyProvider" ref="backupKeyProvider"/>
        <property name="cipherAlgorithm" value="${encryption.cipherAlgorithm}" />
    </bean>
    <bean id="encryptor" class="org.alfresco.encryption.DefaultEncryptor" init-method="init">
        <property name="keyProvider" ref="keyProvider"/>
        <property name="cipherAlgorithm" value="${encryption.cipherAlgorithm}" />
    </bean>
    <bean id="fallbackEncryptor" class="org.alfresco.encryption.DefaultFallbackEncryptor">
        <property name="main" ref="encryptor"/>
        <property name="fallback" ref="backupEncryptor" />
    </bean>
    <bean id="reEncryptor" class="org.alfresco.encryption.ReEncryptor">
-        <property name="backupKeyStoreParameters" ref="backupKeyStoreParameters"/>
+        <property name="chunkSize" value="${encryption.reencryptor.chunkSize}"/>
        <property name="backupKeyStore" ref="backupKeyStore"/>
        <property name="keyStore" ref="keyStore"/>
        <property name="backupKeyProvider" ref="backupKeyProvider"/>
        <property name="keyProvider" ref="keyProvider"/>
        <property name="keyResourceLoader" ref="springKeyResourceLoader"/>
        <property name="transactionService" ref="transactionService"/>
        <property name="dictionaryService" ref="dictionaryService"/>
        <property name="nodeDAO" ref="nodeDAO"/>
--- a/config/alfresco/node-services-context.xml
+++ b/config/alfresco/node-services-context.xml
@@ -243,10 +243,11 @@
        <property name="nodeService" ref="NodeService"/>
        <property name="policyComponent" ref="policyComponent"/>
    </bean>
-    
+
    <!-- Encryptor for node properties -->
    <bean id="metadataEncryptor" class="org.alfresco.repo.node.encryption.MetadataEncryptor">
        <property name="dictionaryService" ref="dictionaryService" />
-        <property name="encryptor" ref="encryptor" />
+        <property name="encryptor" ref="fallbackEncryptor" />
    </bean>
 </beans>
--- a/config/alfresco/repository.properties
+++ b/config/alfresco/repository.properties
@@ -680,10 +680,10 @@ deployment.filesystem.default.metadatadir=${deployment.filesystem.metadatadir}/d
 #
 # Encryption properties
 #
 #dir.keystore=${dir.root}/keystore
 # default keystores location
 dir.keystore=classpath:alfresco/keystore
 # general encryption parameters
 encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
 encryption.keyAlgorithm=DESede
 encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
@@ -694,11 +694,11 @@ encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.prop
 encryption.keystore.provider=
 encryption.keystore.type=JCEKS
-# backup keystore (if configured)
+# backup secret key keystore configuration
-encryption.keystore.backup.location=
+encryption.keystore.backup.location=${dir.keystore}/backup-keystore
-encryption.keystore.backup.keyMetaData.location=
+encryption.keystore.backup.keyMetaData.location=${dir.keystore}/backup-keystore-passwords.properties
 encryption.keystore.backup.provider=
-encryption.keystore.backup.type=
+encryption.keystore.backup.type=JCEKS
 # Should encryptable properties be re-encrypted with new encryption keys on botstrap?
 encryption.bootstrap.reencrypt=false
@@ -707,7 +707,7 @@ encryption.bootstrap.reencrypt=false
 encryption.mac.messageTimeout=30000
 encryption.mac.algorithm=HmacSHA1
-# ssl
+# ssl encryption
 encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
 encryption.ssl.keystore.provider=
 encryption.ssl.keystore.type=JCEKS
@@ -717,6 +717,8 @@ encryption.ssl.truststore.provider=
 encryption.ssl.truststore.type=JCEKS
 encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
 encryption.reencryptor.chunkSize=50
 # SOLR connection details (e.g. for JMX)
 solr.host=localhost
 solr.port=8080
@@ -726,8 +728,11 @@ solr.solrPassword=solr
 # none, https
 solr.secureComms=https
-# ms
+# Solr connection timeouts
 # solr connect timeout in ms
 solr.solrConnectTimeout=5000
 # cron expression defining how often the Solr Admin client (used by JMX) pings Solr if it goes away
 solr.solrPingCronExpression=0 0/5 * * * ? *
 #
--- a/source/java/org/alfresco/encryption/BootstrapReEncryptor.java
+++ b/source/java/org/alfresco/encryption/BootstrapReEncryptor.java
@@ -50,11 +50,7 @@ public class BootstrapReEncryptor extends AbstractLifecycleBean
 	{
 		try
 		{
-			return reEncryptor.reEncrypt();
+			return reEncryptor.bootstrapReEncrypt();
 		}
 		catch(MissingKeyException e)
 		{
 			throw new AlfrescoRuntimeException("Bootstrap re-encryption failed", e);
 		}
 		catch(MissingKeyStoreException e)
 		{
--- a/source/java/org/alfresco/encryption/EncryptionTests.java
+++ b/source/java/org/alfresco/encryption/EncryptionTests.java
@@ -266,16 +266,12 @@ public class EncryptionTests extends TestCase
 	{
 		try
 		{
-			reEncryptor.reEncrypt();
+			reEncryptor.bootstrapReEncrypt();
 			fail("Should have caught missing backup key store");
 		}
 		catch(MissingKeyException e)
 		{
 			fail("");
 		}
 		catch(MissingKeyStoreException e)
 		{
-
+			System.out.println("Successfully caught missing key store exception");
 		}
 	}
--- a/source/java/org/alfresco/encryption/ReEncryptor.java
+++ b/source/java/org/alfresco/encryption/ReEncryptor.java
@@ -19,17 +19,14 @@
 package org.alfresco.encryption;
 import java.io.Serializable;
 import java.security.Key;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import javax.crypto.SealedObject;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.batch.BatchProcessWorkProvider;
 import org.alfresco.repo.batch.BatchProcessor;
 import org.alfresco.repo.dictionary.DictionaryDAO;
@@ -52,7 +49,6 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.extensions.surf.util.I18NUtil;
 // TODO use Batch code to run in parallel
 // TODO lock so that only one encryptor can run at a time
 /**
 * Re-encrypts encryptable repository properties using a new set of encryption keys.
@@ -60,7 +56,12 @@ import org.springframework.extensions.surf.util.I18NUtil;
 * a backup decryptor (using the old encryption keys) if necessary, and then re-encrypts
 * the properties.
 * 
- * The system can stay running during this operation.
+ * Can run in one of two ways:
 * 
 * <ul>
 * <li> during bootstrap (used by the community edition of the software)
 * <li> by using JMX. In this case, the system can stay running while the re-encryption takes place.
 * </ul>
 * 
 * @since 4.0
 */
@@ -73,17 +74,21 @@ public class ReEncryptor implements ApplicationContextAware
 	private DictionaryService dictionaryService;
 	private TransactionService transactionService;
 	private QNameDAO qnameDAO;
-
+	
-	private KeyStoreParameters backupKeyStoreParameters;
+	private MetadataEncryptor metadataEncryptor;
 //	private KeyStoreParameters keyStoreParameters;
 //	private KeyStoreParameters backupKeyStoreParameters;
 	private AlfrescoKeyStore backupKeyStore;
 	private AlfrescoKeyStore keyStore;
 	private KeyProvider backupKeyProvider;
 	private KeyProvider keyProvider;
-	private KeyResourceLoader keyResourceLoader;
+//	private KeyResourceLoader keyResourceLoader;
-
+	
 	private ApplicationContext applicationContext;
 	private RetryingTransactionHelper transactionHelper;
 	private String cipherAlgorithm;
-	// TODO propertize
+	private int chunkSize;
 	private int chunkSize = 50;
 	private boolean splitTxns = true;
    /**
@@ -96,6 +101,16 @@ public class ReEncryptor implements ApplicationContextAware
        this.transactionHelper.setForceWritable(true);
    }
 	public void setMetadataEncryptor(MetadataEncryptor metadataEncryptor)
 	{
 		this.metadataEncryptor = metadataEncryptor;
 	}
 	public void setChunkSize(int chunkSize)
 	{
 		this.chunkSize = chunkSize;
 	}
 	public void setSplitTxns(boolean splitTxns)
 	{
 		this.splitTxns = splitTxns;
@@ -126,15 +141,35 @@ public class ReEncryptor implements ApplicationContextAware
 		this.cipherAlgorithm = cipherAlgorithm;
 	}
-	public void setBackupKeyStoreParameters(KeyStoreParameters backupKeyStoreParameters)
+//	public void setKeyStoreParameters(KeyStoreParameters keyStoreParameters)
-	{
+//	{
-		this.backupKeyStoreParameters = backupKeyStoreParameters;
+//		this.keyStoreParameters = keyStoreParameters;
-	}
+//	}
 //
 //	public void setBackupKeyStoreParameters(KeyStoreParameters backupKeyStoreParameters)
 //	{
 //		this.backupKeyStoreParameters = backupKeyStoreParameters;
 //	}
-	protected KeyProvider getKeyProvider(KeyStoreParameters keyStoreParameters)
+//	protected KeyProvider getKeyProvider(AlfrescoKeyStore keyStore)
 //	{
 //		KeyProvider keyProvider = new KeystoreKeyProvider(keyStore);
 //		return keyProvider;
 //	}
 	public void setBackupKeyStore(AlfrescoKeyStore backupKeyStore)
 	{
-		KeyProvider keyProvider = new KeystoreKeyProvider(keyStoreParameters, keyResourceLoader);
+		this.backupKeyStore = backupKeyStore;
-		return keyProvider;
+	}
 	public void setKeyStore(AlfrescoKeyStore keyStore)
 	{
 		this.keyStore = keyStore;
 	}
 	public void setBackupKeyProvider(KeyProvider backupKeyProvider)
 	{
 		this.backupKeyProvider = backupKeyProvider;
 	}
 	public void setKeyProvider(KeyProvider keyProvider)
@@ -142,44 +177,84 @@ public class ReEncryptor implements ApplicationContextAware
 		this.keyProvider = keyProvider;
 	}
-	public void setKeyResourceLoader(KeyResourceLoader keyResourceLoader)
+//	public void setKeyResourceLoader(KeyResourceLoader keyResourceLoader)
-	{
+//	{
-		this.keyResourceLoader = keyResourceLoader;
+//		this.keyResourceLoader = keyResourceLoader;
-	}
+//	}
 //	public MetadataEncryptor getMetadataEncryptor()
 //	{
 //		DefaultEncryptor backupEncryptor = new DefaultEncryptor();
 //		backupEncryptor.setCipherProvider(null); // TODO parameterize
 //		backupEncryptor.setCipherAlgorithm(cipherAlgorithm);
 //		backupEncryptor.setKeyProvider(backupKeyProvider);
 //
 //		DefaultEncryptor encryptor = new DefaultEncryptor();
 //		encryptor.setCipherProvider(null); // TODO parameterize
 //		encryptor.setCipherAlgorithm(cipherAlgorithm);
 //		encryptor.setKeyProvider(keyProvider);
 //
 //		DefaultFallbackEncryptor fallbackEncryptor = new DefaultFallbackEncryptor(encryptor, backupEncryptor);
 //		MetadataEncryptor metadataEncryptor = new MetadataEncryptor();
 //		metadataEncryptor.setEncryptor(fallbackEncryptor);
 //		metadataEncryptor.setDictionaryService(dictionaryService);
 //		return metadataEncryptor;
 //	}
 //
 //	public MetadataEncryptor getMetadataEncryptor(KeyProvider backupKeyProvider, KeyProvider newKeyProvider)
 //	{
 //		DefaultEncryptor backupEncryptor = new DefaultEncryptor();
 //		backupEncryptor.setCipherProvider(null); // TODO parameterize
 //		backupEncryptor.setCipherAlgorithm(cipherAlgorithm);
 //		backupEncryptor.setKeyProvider(backupKeyProvider);
 //
 //		DefaultEncryptor encryptor = new DefaultEncryptor();
 //		encryptor.setCipherProvider(null); // TODO parameterize
 //		encryptor.setCipherAlgorithm(cipherAlgorithm);
 //		encryptor.setKeyProvider(newKeyProvider);
 //
 //		DefaultFallbackEncryptor fallbackEncryptor = new DefaultFallbackEncryptor(encryptor, backupEncryptor);
 //		MetadataEncryptor metadataEncryptor = new MetadataEncryptor();
 //		metadataEncryptor.setEncryptor(fallbackEncryptor);
 //		metadataEncryptor.setDictionaryService(dictionaryService);
 //		return metadataEncryptor;
 //	}
-	public MetadataEncryptor getMetadataEncryptor(KeyProvider backupKeyProvider, KeyProvider newKeyProvider)
+//	protected KeyProvider getKeyProvider(final Map<String, Key> keys)
-	{
+//	{
-		DefaultEncryptor backupEncryptor = new DefaultEncryptor();
+//		KeyProvider keyProvider = new KeyProvider()
-		backupEncryptor.setCipherProvider(null); // TODO parameterize
+//		{
-		backupEncryptor.setCipherAlgorithm(cipherAlgorithm);
+//			@Override
-		backupEncryptor.setKeyProvider(backupKeyProvider);
+//			public Key getKey(String keyAlias)
 //			{
 //				return keys.get(keyAlias);
 //			}
 //		};
 //		return keyProvider;
 //	}
 	protected Encryptor getEncryptor(KeyProvider keyProvider)
 	{
 		DefaultEncryptor encryptor = new DefaultEncryptor();
 		encryptor.setCipherProvider(null); // TODO parameterize
 		encryptor.setCipherAlgorithm(cipherAlgorithm);
-		encryptor.setKeyProvider(newKeyProvider);
+		encryptor.setKeyProvider(keyProvider);
-		DefaultFallbackEncryptor fallbackEncryptor = new DefaultFallbackEncryptor(encryptor, backupEncryptor);
+		return encryptor;
 		MetadataEncryptor metadataEncryptor = new MetadataEncryptor();
 		metadataEncryptor.setEncryptor(fallbackEncryptor);
 		metadataEncryptor.setDictionaryService(dictionaryService);
 		return metadataEncryptor;
 	}
-	protected KeyProvider getKeyProvider(final Map<String, Key> keys)
+	/**
 	 * For testing use.
 	 * 
 	 * @param keyProvider
 	 */
 	void reEncrypt(KeyProvider keyProvider)
 	{
-		KeyProvider keyProvider = new KeyProvider()
+		metadataEncryptor.setEncryptor(getEncryptor(keyProvider));
-		{
+		reEncryptImpl();
 			@Override
 			public Key getKey(String keyAlias)
 			{
 				return keys.get(keyAlias);
 			}
 		};
 		return keyProvider;
 	}
-	protected void reencrypt(final MetadataEncryptor metadataEncryptor, final List<NodePropertyEntity> properties)
+	protected void reEncrypt(final MetadataEncryptor metadataEncryptor, final List<NodePropertyEntity> properties)
 	{
 		final Iterator<NodePropertyEntity> it = properties.iterator();
        BatchProcessor.BatchProcessWorker<NodePropertyEntity> worker = new BatchProcessor.BatchProcessWorker<NodePropertyEntity>()
@@ -265,19 +340,13 @@ public class ReEncryptor implements ApplicationContextAware
 	/**
 	 * Re-encrypt using the configured backup keystore to decrypt and the main keystore to encrypt
 	 */
-	public int reEncrypt() throws MissingKeyException, MissingKeyStoreException
+	public int bootstrapReEncrypt() throws MissingKeyStoreException
 	{
-		if(!backupKeyStoreParameters.isDefined())
+		if(backupKeyStore.getKey(KeyProvider.ALIAS_METADATA) == null)
 		{
-			throw new MissingKeyStoreException("Backup key store is not defined");
+			throw new MissingKeyStoreException("Backup key store is either not present or does not contain a metadata encryption key");
 		}
-		KeyProvider backupKeyProvider = getKeyProvider(backupKeyStoreParameters);
+		return reEncrypt();
 		if(backupKeyProvider.getKey(KeyProvider.ALIAS_METADATA) == null)
 		{
 			throw new MissingKeyException("Unable to find the metadata key in backup key store. Does the backup key store exist?");
 		}
 		MetadataEncryptor metadataEncryptor = getMetadataEncryptor(backupKeyProvider, keyProvider);
 		return reEncrypt(metadataEncryptor);
 	}
 	/**
@@ -288,19 +357,22 @@ public class ReEncryptor implements ApplicationContextAware
 	 * placed in the repository keystore directory. This can be done while the repository is running and it will be picked
 	 * up automatically the next time the repository restarts.
 	 */
-	public int reEncrypt(KeyStoreParameters parameters)
+	public int reEncrypt() throws MissingKeyStoreException
 	{
-		KeyProvider newKeyProvider = getKeyProvider(parameters);
+		backupKeyStore.reload();
-		return reEncrypt(newKeyProvider);
+		keyStore.reload();
-	}
+		if(keyStore.getKey(KeyProvider.ALIAS_METADATA) == null)
-	
+		{
-	public int reEncrypt(KeyProvider newKeyProvider)
+			throw new MissingKeyStoreException("Main key store is either not present or does not contain a metadata encryption key");
-	{
+		}
-		MetadataEncryptor metadataEncryptor = getMetadataEncryptor(keyProvider, newKeyProvider);
+		if(backupKeyStore.getKey(KeyProvider.ALIAS_METADATA) == null)
-		return reEncrypt(metadataEncryptor);
+		{
 			throw new MissingKeyStoreException("Backup key store is either not present or does not contain a metadata encryption key");
 		}
 		return reEncryptImpl();
 	}
-	protected int reEncrypt(MetadataEncryptor metadataEncryptor)
+	protected int reEncryptImpl()
 	{
 		// get properties that are encrypted
 		Collection<PropertyDefinition> propertyDefs = dictionaryDAO.getPropertiesOfDataType(DataTypeDefinition.ENCRYPTED);
@@ -313,7 +385,7 @@ public class ReEncryptor implements ApplicationContextAware
 		}
 		// reencrypt these properties
-		reencrypt(metadataEncryptor, properties);
+		reEncrypt(metadataEncryptor, properties);
 		if(logger.isDebugEnabled())
 		{
--- a/source/java/org/alfresco/repo/search/impl/solr/SolrQueryHTTPClient.java
+++ b/source/java/org/alfresco/repo/search/impl/solr/SolrQueryHTTPClient.java
@@ -303,6 +303,7 @@ public class SolrQueryHTTPClient
            body.put("textAttributes", textAttributes);
            PostMethod post = new PostMethod(url.toString());
            // TOOD deal with redirects for SSL
            post.setRequestEntity(new ByteArrayRequestEntity(body.toString().getBytes("UTF-8"), "application/json"));
            try