inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactoring to support ALF-9510, ALF-8702

Browse Source 
ALF-8702: Solr-Repository SSL Communications (see solr/source/solr/instance/HowToSetUpSolr.txt
ALF-9510: Initial checkin

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30005 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Steven Glover
2011-08-23 18:34:15 +00:00
parent 6f73e4153c
commit f7f23f6eb7
22 changed files with 1109 additions and 269 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
source/java/org/alfresco/encryption/ReEncryptor.java Normal file
View File

@@ -0,0 +1,228 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.encryption;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.crypto.SealedObject;
import org.alfresco.repo.batch.BatchProcessWorkProvider;
import org.alfresco.repo.batch.BatchProcessor;
import org.alfresco.repo.dictionary.DictionaryDAO;
import org.alfresco.repo.dictionary.NamespaceDAO;
import org.alfresco.repo.domain.node.NodeDAO;
import org.alfresco.repo.domain.node.NodePropertyEntity;
import org.alfresco.repo.domain.node.NodePropertyKey;
import org.alfresco.repo.domain.qname.QNameDAO;
import org.alfresco.repo.node.encryption.MetadataEncryptor;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.service.cmr.dictionary.DataTypeDefinition;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.dictionary.PropertyDefinition;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.extensions.surf.util.I18NUtil;
// TODO use Batch code to run in parallel
// TODO lock so that only one encryptor can run at a time
/**
* Re-encrypts encryptable repository properties using a new set of encryption keys.
* Decrypts the repository properties using the default encryptor, falling back to
* a backup decryptor (using the old encryption keys) if necessary, and then re-encrypts
* the properties.
*
* The system can stay running during this operation.
*
* @since 4.0
*/
public class ReEncryptor implements ApplicationContextAware
{
private static Log logger = LogFactory.getLog(ReEncryptor.class);
private NodeDAO nodeDAO;
private NamespaceDAO namespaceDAO;
private DictionaryDAO dictionaryDAO;
private DictionaryService dictionaryService;
private QNameDAO qnameDAO;
private MetadataEncryptor metadataEncryptor;
private ApplicationContext applicationContext;
private TransactionService transactionService;
private RetryingTransactionHelper transactionHelper;
/**
* Set the transaction provider so that each execution can be performed within a transaction
*/
public void setTransactionService(TransactionService transactionService)
{
this.transactionService = transactionService;
this.transactionHelper = transactionService.getRetryingTransactionHelper();
this.transactionHelper.setForceWritable(true);
}
// protected MetadataEncryptor getMetadataEncryptor(EncryptionParameters encryptionParameters)
// {
// DefaultEncryptor encryptor = new DefaultEncryptor();
// encryptor.setCipherAlgorithm(encryptionParameters.getCipherAlgorithm());
// encryptor.setCipherProvider(null);
// KeystoreKeyProvider keyProvider = new KeystoreKeyProvider();
// keyProvider.setLocation(encryptionParameters.getKeyStoreLocation());
// keyProvider.setPasswordsFileLocation(encryptionParameters.getPasswordFileLocation());
// keyProvider.setType(encryptionParameters.getKeyStoreType());
// keyProvider.setKeyResourceLoader(new SpringKeyResourceLoader());
// keyProvider.setProvider(encryptionParameters.getKeyStoreProvider()
// );
//
// encryptor.setKeyProvider(keyProvider);
//
// MetadataEncryptor metadataEncryptor = new MetadataEncryptor();
// metadataEncryptor.setEncryptor(encryptor);
// metadataEncryptor.setDictionaryService(dictionaryService);
//
// return metadataEncryptor;
// }
public void setMetadataEncryptor(MetadataEncryptor metadataEncryptor)
{
this.metadataEncryptor = metadataEncryptor;
}
public void init()
{
}
public void reencrypt(final KeyStoreParameters newEncryptionParameters, final List<NodePropertyEntity> properties)
{
BatchProcessor.BatchProcessWorker<NodePropertyEntity> worker = new BatchProcessor.BatchProcessWorker<NodePropertyEntity>()
{
public String getIdentifier(NodePropertyEntity entity)
{
return String.valueOf(entity.getNodeId());
}
public void beforeProcess() throws Throwable
{
}
public void afterProcess() throws Throwable
{
}
public void process(NodePropertyEntity entity) throws Throwable
{
Object value = entity.getValue();
if(value instanceof SealedObject)
{
SealedObject sealed = (SealedObject)value;
NodePropertyKey nodeKey = entity.getKey();
QName propertyQName = qnameDAO.getQName(nodeKey.getQnameId()).getSecond();
// metadataEncryptor uses a fallback encryptor; decryption will try the
// default (new) keys first (which will fail for properties created before the
// change in keys), followed by the backup keys.
Serializable decrypted = metadataEncryptor.decrypt(propertyQName, sealed);
// Re-encrypt. The new keys will be used.
Serializable resealed = metadataEncryptor.encrypt(propertyQName, decrypted);
// TODO update resealed using batch update?
// does the node DAO do batch updating?
nodeDAO.setNodeProperties(entity.getNodeId(), Collections.singletonMap(propertyQName, resealed));
}
else
{
// TODO
}
}
};
BatchProcessWorkProvider<NodePropertyEntity> provider = new BatchProcessWorkProvider<NodePropertyEntity>()
{
private int start = 0;
@Override
public int getTotalEstimatedWorkSize()
{
return properties.size();
}
@Override
public Collection<NodePropertyEntity> getNextWork()
{
int end = start + 20;
if(end > properties.size())
{
end = properties.size();
}
List<NodePropertyEntity> sublist = properties.subList(start, end);
start += 20;
return sublist;
}
};
// Migrate using 2 threads, 20 authorities per transaction. Log every 100 entries.
// TODO, propertize these numbers
new BatchProcessor<NodePropertyEntity>(
I18NUtil.getMessage(""),
transactionHelper,
provider,
2, 20,
applicationContext,
logger, 100).process(worker, true);
}
public void execute(KeyStoreParameters newEncryptionParameters)
{
// Proceed only if fallback is available i.e. the systems has both old and new keys
if(metadataEncryptor.isFallbackAvailable())
{
QName model = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, namespaceDAO);
// get properties that are encrypted
Collection<PropertyDefinition> propertyDefs = dictionaryDAO.getProperties(model, DataTypeDefinition.ENCRYPTED);
List<NodePropertyEntity> properties = nodeDAO.getProperties(propertyDefs);
// reencrypt these properties
reencrypt(newEncryptionParameters, properties);
}
else
{
// TODO
}
}
@Override
public void setApplicationContext(ApplicationContext applicationContext)
throws BeansException
{
this.applicationContext = applicationContext;
}
}