feat: Rename encryption properties in DIAL settings #454 (#455)

epam · Aug 27, 2024 · cc05af0 · cc05af0
1 parent d0d84b0
commit cc05af0
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -71,8 +71,8 @@ Priority order:
 | storage.overrides.*                           | -                 |    No    |Key-value pairs to override storage settings. `*` might be any specific blob storage setting to be overridden. Refer to [examples](#temporary-credentials-1) in the sections below. 
 | storage.createBucket                          | false             |    No    |Indicates whether bucket should be created on start-up.
 | storage.prefix                                | -                 |    No    |Base prefix for all stored resources. The purpose to use the same bucket for different environments, e.g. dev, prod, pre-prod. Must not contain path separators or any invalid chars.
-| encryption.password                           | -                 |    No    |Password used for AES encryption.
-| encryption.salt                               | -                 |    No    |Salt used for AES encryption. The value should be random generated string.
+| encryption.secret                             | -                 |    No    |Secret is used for AES encryption of a prefix to the bucket blob storage. The value should be random generated string.
+| encryption.key                                | -                 |    No    |Key is used for AES encryption of a prefix to the bucket blob storage. The value should be random generated string.
 | resources.maxSize                             | 1048576           |    No    |Max allowed size in bytes for a resource.
 | resources.syncPeriod                          | 60000             |    No    |Period in milliseconds, how frequently check for resources to sync.
 | resources.syncDelay                           | 120000            |    No    |Delay in milliseconds for a resource to be written back in object storage after last modification.

diff --git a/sample/aidial.settings.json b/sample/aidial.settings.json
@@ -65,7 +65,7 @@
     "bucket": "your-bucket"
   },
   "encryption": {
-    "salt": "salt",
-    "password": "pass"
+    "key": "key",
+    "secret": "secret"
   }
 }
diff --git a/src/main/java/com/epam/aidial/core/AiDial.java b/src/main/java/com/epam/aidial/core/AiDial.java
@@ -2,7 +2,6 @@
 
 import com.epam.aidial.core.cache.CacheClientFactory;
 import com.epam.aidial.core.config.ConfigStore;
-import com.epam.aidial.core.config.Encryption;
 import com.epam.aidial.core.config.FileConfigStore;
 import com.epam.aidial.core.config.Storage;
 import com.epam.aidial.core.limiter.RateLimiter;
@@ -106,7 +105,7 @@ void start() throws Exception {
                 Storage storageConfig = Json.decodeValue(settings("storage").toBuffer(), Storage.class);
                 storage = new BlobStorage(storageConfig);
             }
-            EncryptionService encryptionService = new EncryptionService(Json.decodeValue(settings("encryption").toBuffer(), Encryption.class));
+            EncryptionService encryptionService = new EncryptionService(settings("encryption"));
 
             redis = CacheClientFactory.create(settings("redis"));
 

diff --git a/src/main/java/com/epam/aidial/core/config/Encryption.java b/src/main/java/com/epam/aidial/core/config/Encryption.java
diff --git a/src/main/java/com/epam/aidial/core/security/EncryptionService.java b/src/main/java/com/epam/aidial/core/security/EncryptionService.java
@@ -1,7 +1,7 @@
 package com.epam.aidial.core.security;
 
-import com.epam.aidial.core.config.Encryption;
 import com.epam.aidial.core.util.Base58;
+import io.vertx.core.json.JsonObject;
 import lombok.extern.slf4j.Slf4j;
 
 import java.security.spec.KeySpec;
@@ -23,17 +23,21 @@ public class EncryptionService {
     private final IvParameterSpec iv = new IvParameterSpec(
             new byte[]{25, -13, -25, -119, -42, 117, -118, -128, -101, 20, -103, -81, -48, -23, -54, -113});
 
-    public EncryptionService(Encryption config) {
-        this(config.getPassword(), config.getSalt());
+    public EncryptionService(JsonObject settings) {
+        if (settings.containsKey("password") || settings.containsKey("salt")) {
+            log.error("The encryption properties `password` and `salt` are obsolete and shouldn't be used any longer. Please use `secret` and `key` instead.");
+            throw new IllegalArgumentException("Unsupported encryption properties");
+        }
+        this.key = getSecretKey(settings.getString("secret"), settings.getString("key"));
     }
 
-    EncryptionService(String password, String salt) {
-        Objects.requireNonNull(password, "Encryption password is not set");
-        Objects.requireNonNull(salt, "Encryption salt is not set");
+    private static SecretKey getSecretKey(String secret, String key) {
+        Objects.requireNonNull(secret, "Encryption secret is not set");
+        Objects.requireNonNull(key, "Encryption key is not set");
         try {
             SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
-            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 3000, 256);
-            key = new SecretKeySpec(secretKeyFactory.generateSecret(spec).getEncoded(), "AES");
+            KeySpec spec = new PBEKeySpec(secret.toCharArray(), key.getBytes(), 3000, 256);
+            return new SecretKeySpec(secretKeyFactory.generateSecret(spec).getEncoded(), "AES");
         } catch (Exception e) {
             throw new RuntimeException(e);
         }

diff --git a/src/test/java/com/epam/aidial/core/storage/ResourceDescriptionTest.java b/src/test/java/com/epam/aidial/core/storage/ResourceDescriptionTest.java
@@ -1,8 +1,8 @@
 package com.epam.aidial.core.storage;
 
-import com.epam.aidial.core.config.Encryption;
 import com.epam.aidial.core.data.ResourceType;
 import com.epam.aidial.core.security.EncryptionService;
+import io.vertx.core.json.JsonObject;
 import org.junit.jupiter.api.Test;
 
 import java.util.List;
@@ -198,7 +198,10 @@ public void testInvalidPublicLinks() {
 
     @Test
     public void testFromAnyDecodedUrl() {
-        EncryptionService encryptionService = new EncryptionService(new Encryption("password", "salt"));
+        JsonObject encryptionSettings = new JsonObject();
+        encryptionSettings.put("secret", "secret");
+        encryptionSettings.put("key", "key");
+        EncryptionService encryptionService = new EncryptionService(encryptionSettings);
         String location = "Users/User1/";
         String bucket = encryptionService.encrypt(location);
 

diff --git a/src/test/resources/aidial.settings.json b/src/test/resources/aidial.settings.json
@@ -47,8 +47,8 @@
     }
   },
   "encryption": {
-    "password": "password",
-    "salt": "salt"
+    "secret": "password",
+    "key": "salt"
   },
   "resources": {
     "maxSize" : 1048576,