gobblin.password.PasswordManager.java Source code


Introduction

Here is the source code for gobblin.password.PasswordManager.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package gobblin.password;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URI;
import java.util.AbstractMap;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.jasypt.util.text.BasicTextEncryptor;
import org.jasypt.util.text.StrongTextEncryptor;
import org.jasypt.util.text.TextEncryptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.google.common.base.Charsets;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.io.Closer;
import com.google.common.io.LineReader;

import gobblin.configuration.ConfigurationKeys;
import gobblin.configuration.State;

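/**
 * A class for managing password encryption and decryption. To encrypt or decrypt a password, a master password
 * should be provided which is used as encryption or decryption key.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Both encryptors are Jasypt password-based encryptors. Per Jasypt's documentation
 *       {@link BasicTextEncryptor} uses PBEWithMD5AndDES and {@link StrongTextEncryptor} uses
 *       PBEWithMD5AndTripleDES, so the protection of every stored secret depends on the strength of the
 *       master password and on access control of the master password file.</li>
 *   <li>Instances are cached in a static cache keyed by the master password itself, so the master password
 *       stays reachable on the heap as a {@link String} until the entry is evicted (at most
 *       {@value #CACHE_SIZE} entries, expiring {@value #CACHE_EXPIRATION_MIN} minutes after last access).</li>
 *   <li>When no usable master password is available the instance degrades to a pass-through:
 *       {@link #readPassword(String)} returns its input unchanged instead of failing.</li>
 * </ul>
 *
 * @author Ziyang Liu
 */
public class PasswordManager {

    private static final Logger LOG = LoggerFactory.getLogger(PasswordManager.class);

    private static final long CACHE_SIZE = 100;
    private static final long CACHE_EXPIRATION_MIN = 10;

    // Marker for encrypted values: ENC(<ciphertext>). The pattern is not anchored; see readPassword().
    private static final Pattern PASSWORD_PATTERN = Pattern.compile("ENC\\((.*)\\)");

    // One PasswordManager per (master password, strong-encryptor flag) pair.
    private static final LoadingCache<Map.Entry<Optional<String>, Boolean>, PasswordManager> CACHED_INSTANCES = CacheBuilder
            .newBuilder().maximumSize(CACHE_SIZE).expireAfterAccess(CACHE_EXPIRATION_MIN, TimeUnit.MINUTES)
            .build(new CacheLoader<Map.Entry<Optional<String>, Boolean>, PasswordManager>() {

                @Override
                public PasswordManager load(Map.Entry<Optional<String>, Boolean> cacheKey) {
                    return new PasswordManager(cacheKey.getKey(), cacheKey.getValue());
                }
            });

    // Absent when no master password was supplied or when configuring the encryptor failed.
    // Final so that instances handed out by the shared cache are immutable.
    private final Optional<TextEncryptor> encryptor;

    /**
     * Builds a manager around the given master password.
     *
     * @param masterPassword the master password, or absent for a manager that cannot encrypt or decrypt.
     * @param useStrongEncryptor {@code true} to use {@link StrongTextEncryptor}, {@code false} to use
     *        {@link BasicTextEncryptor}.
     */
    private PasswordManager(Optional<String> masterPassword, boolean useStrongEncryptor) {
        Optional<TextEncryptor> configured = Optional.absent();
        if (masterPassword.isPresent()) {
            TextEncryptor candidate = useStrongEncryptor ? new StrongTextEncryptor() : new BasicTextEncryptor();
            try {
                // setPassword() needs to be called via reflection since the TextEncryptor interface doesn't have this method.
                candidate.getClass().getMethod("setPassword", String.class).invoke(candidate, masterPassword.get());
                configured = Optional.of(candidate);
            } catch (Exception e) {
                // Deliberate best effort: the failure is logged and the instance falls back to having no
                // encryptor, so readPassword() will hand ENC(...) values back unchanged.
                LOG.error("Failed to set master password for encryptor", e);
            }
        }
        this.encryptor = configured;
    }

    /**
     * Get an instance with no master password, which cannot encrypt or decrypt passwords.
     */
    public static PasswordManager getInstance() {
        return cachedInstance(Optional.<String>absent(), shouldUseStrongEncryptor(new State()));
    }

    /**
     * Get an instance. The location of the master password file is provided via "encrypt.key.loc".
     *
     * @param state job state holding the key location and, optionally, the strong-encryptor flag.
     * @throws RuntimeException if the master password file cannot be read or the instance cannot be created.
     */
    public static PasswordManager getInstance(State state) {
        return cachedInstance(getMasterPassword(state), shouldUseStrongEncryptor(state));
    }

    /**
     * Get an instance. The location of the master password file is provided via "encrypt.key.loc".
     *
     * @param props properties wrapped into a {@link State} and passed to {@link #getInstance(State)}.
     */
    public static PasswordManager getInstance(Properties props) {
        return getInstance(new State(props));
    }

    /**
     * Get an instance. The master password file is given by masterPwdLoc.
     *
     * <p>The strong-encryptor flag is read from an empty {@link State}, so this overload always uses the
     * configured default for that flag.
     *
     * @param masterPwdLoc path of the master password file.
     * @throws RuntimeException if the master password file cannot be read or the instance cannot be created.
     */
    public static PasswordManager getInstance(Path masterPwdLoc) {
        return cachedInstance(getMasterPassword(masterPwdLoc), shouldUseStrongEncryptor(new State()));
    }

    /** Looks up (or creates) the cached instance for the given master password and encryptor choice. */
    private static PasswordManager cachedInstance(Optional<String> masterPassword, boolean useStrongEncryptor) {
        try {
            return CACHED_INSTANCES
                    .get(new AbstractMap.SimpleEntry<Optional<String>, Boolean>(masterPassword, useStrongEncryptor));
        } catch (ExecutionException e) {
            throw new RuntimeException("Unable to get an instance of PasswordManager", e);
        }
    }

    /** Reads the strong-encryptor flag from the state, falling back to the configured default. */
    private static boolean shouldUseStrongEncryptor(State state) {
        return state.getPropAsBoolean(ConfigurationKeys.ENCRYPT_USE_STRONG_ENCRYPTOR,
                ConfigurationKeys.DEFAULT_ENCRYPT_USE_STRONG_ENCRYPTOR);
    }

    /**
     * Encrypt a password. A master password must have been provided in the constructor.
     * @param plain A plain password to be encrypted.
     * @return The encrypted password.
     * @throws IllegalArgumentException if this instance has no encryptor.
     * @throws RuntimeException if the underlying encryptor fails.
     */
    public String encryptPassword(String plain) {
        Preconditions.checkArgument(this.encryptor.isPresent(),
                "A master password needs to be provided for encrypting passwords.");

        try {
            return this.encryptor.get().encrypt(plain);
        } catch (Exception e) {
            throw new RuntimeException("Failed to encrypt password", e);
        }
    }

    /**
     * Decrypt an encrypted password. A master password must have been provided in the constructor.
     * @param encrypted An encrypted password.
     * @return The decrypted password.
     * @throws IllegalArgumentException if this instance has no encryptor.
     * @throws RuntimeException if the underlying encryptor fails.
     */
    public String decryptPassword(String encrypted) {
        Preconditions.checkArgument(this.encryptor.isPresent(),
                "A master password needs to be provided for decrypting passwords.");

        try {
            return this.encryptor.get().decrypt(encrypted);
        } catch (Exception e) {
            // The input is intentionally left out of the message: exception text ends up in logs, and the
            // argument is credential material (ciphertext, or a plain value passed here by mistake).
            throw new RuntimeException("Failed to decrypt password", e);
        }
    }

    /**
     * Decrypt a password if it is an encrypted password (in the form of ENC(.*)), and a master password has been
     * provided in the constructor. Otherwise, return the password as is.
     *
     * <p>Callers cannot tell from the result whether decryption happened: with no encryptor an
     * {@code ENC(...)} value is returned verbatim.
     *
     * @param password the configured value, possibly {@code null}.
     * @return the decrypted password, or the input unchanged.
     */
    public String readPassword(String password) {
        if (password == null || !this.encryptor.isPresent()) {
            return password;
        }
        // find() is unanchored, so a value that merely contains ENC(...) somewhere is also treated as
        // encrypted and only the text between the parentheses is decrypted.
        Matcher matcher = PASSWORD_PATTERN.matcher(password);
        if (matcher.find()) {
            return this.decryptPassword(matcher.group(1));
        }
        return password;
    }

    /**
     * Reads the master password from the file named by the key-location property of the state, using the
     * file system given by the key file-system URI property when that is set.
     *
     * @return the master password, or absent if the key location is not configured or the file is unusable.
     * @throws RuntimeException if resolving the file system or reading the file fails.
     */
    private static Optional<String> getMasterPassword(State state) {
        if (!state.contains(ConfigurationKeys.ENCRYPT_KEY_LOC)) {
            LOG.warn(String.format("Property %s not set. Cannot decrypt any encrypted password.",
                    ConfigurationKeys.ENCRYPT_KEY_LOC));
            return Optional.absent();
        }
        try {
            if (state.contains(ConfigurationKeys.ENCRYPT_KEY_FS_URI)) {
                FileSystem fs = FileSystem.get(URI.create(state.getProp(ConfigurationKeys.ENCRYPT_KEY_FS_URI)),
                        new Configuration());
                return getMasterPassword(fs, new Path(state.getProp(ConfigurationKeys.ENCRYPT_KEY_LOC)));
            }
            return getMasterPassword(new Path(state.getProp(ConfigurationKeys.ENCRYPT_KEY_LOC)));
        } catch (Exception e) {
            throw new RuntimeException(
                    "Failed to obtain master password from " + state.getProp(ConfigurationKeys.ENCRYPT_KEY_LOC), e);
        }
    }

    /**
     * Reads the master password from the given file, resolving the file system from the path itself.
     *
     * @param masterPasswordFile path of the master password file.
     * @return the master password, or absent if the file is missing, a directory, or empty.
     * @throws RuntimeException if the file system cannot be resolved or the file cannot be read.
     */
    public static Optional<String> getMasterPassword(Path masterPasswordFile) {
        try {
            FileSystem fs = masterPasswordFile.getFileSystem(new Configuration());
            return getMasterPassword(fs, masterPasswordFile);
        } catch (IOException e) {
            throw new RuntimeException("Failed to obtain master password from " + masterPasswordFile, e);
        }
    }

    /**
     * Reads the master password, which is the first line of the given file, decoded as UTF-8.
     *
     * @param fs file system holding the file.
     * @param masterPasswordFile path of the master password file.
     * @return the master password, or absent if the file is missing, a directory, or empty.
     * @throws RuntimeException if the file cannot be read.
     */
    public static Optional<String> getMasterPassword(FileSystem fs, Path masterPasswordFile) {
        try (Closer closer = Closer.create()) {
            if (!fs.exists(masterPasswordFile) || fs.getFileStatus(masterPasswordFile).isDirectory()) {
                LOG.warn(masterPasswordFile
                        + " does not exist or is not a file. Cannot decrypt any encrypted password.");
                return Optional.absent();
            }
            InputStream in = closer.register(fs.open(masterPasswordFile));
            String firstLine = new LineReader(new InputStreamReader(in, Charsets.UTF_8)).readLine();
            if (firstLine == null) {
                // readLine() returns null for an empty file; Optional.of(null) would throw a
                // NullPointerException, so an empty key file is reported like a missing one.
                LOG.warn(masterPasswordFile + " is empty. Cannot decrypt any encrypted password.");
                return Optional.absent();
            }
            return Optional.of(firstLine);
        } catch (IOException e) {
            throw new RuntimeException("Failed to obtain master password from " + masterPasswordFile, e);
        }
    }
}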