
fix #2322 encrypt values in parameters

Shinsuke Sugaya vor 5 Jahren
Ursprung
Commit
790ee7809b

+ 2 - 1
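--- a/src/main/java/org/codelibs/fess/app/service/DataConfigService.java
+++ b/src/main/java/org/codelibs/fess/app/service/DataConfigService.java
@@ -26,6 +26,7 @@ import org.codelibs.fess.es.config.cbean.DataConfigCB;
 import org.codelibs.fess.es.config.exbhv.DataConfigBhv;
 import org.codelibs.fess.es.config.exentity.DataConfig;
 import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.util.ParameterUtil;
 import org.dbflute.cbean.result.PagingResultBean;
 import org.dbflute.optional.OptionalEntity;
 
@@ -65,7 +66,7 @@ public class DataConfigService {
     }
 
     public void store(final DataConfig dataConfig) {
-
+        dataConfig.setHandlerParameter(ParameterUtil.encrypt(dataConfig.getHandlerParameter()));
         dataConfigBhv.insertOrUpdate(dataConfig, op -> {
             op.setRefreshPolicy(Constants.TRUE);
         });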
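Review bot: `store()` now overwrites the caller's entity with the output of `ParameterUtil.encrypt(...)`, so code that keeps using `dataConfig` after the call sees `{cipher}` text, and because `encrypt` re-serialises through `parse` the stored text is also normalised (a null parameter becomes `""`, a line `=x` becomes `unknown.1=x`, repeated keys collapse to one). The same line is added to `store()` in FileAuthenticationService, FileConfigService, WebAuthenticationService and WebConfigService. Encryption happens only on save, so records written before this commit stay in plaintext until they are stored again; a one-off re-save or migration step would close that gap. A comment on the new line such as `// values whose key matches app.encrypt.property.pattern are persisted as {cipher}...; read them back via ParameterUtil.parse` would make the contract visible. The enclosing class continues outside the hunk.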

+ 2 - 1
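--- a/src/main/java/org/codelibs/fess/app/service/FileAuthenticationService.java
+++ b/src/main/java/org/codelibs/fess/app/service/FileAuthenticationService.java
@@ -26,6 +26,7 @@ import org.codelibs.fess.es.config.cbean.FileAuthenticationCB;
 import org.codelibs.fess.es.config.exbhv.FileAuthenticationBhv;
 import org.codelibs.fess.es.config.exentity.FileAuthentication;
 import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.util.ParameterUtil;
 import org.dbflute.cbean.result.PagingResultBean;
 import org.dbflute.optional.OptionalEntity;
 
@@ -58,7 +59,7 @@ public class FileAuthenticationService {
     }
 
     public void store(final FileAuthentication fileAuthentication) {
-
+        fileAuthentication.setParameters(ParameterUtil.encrypt(fileAuthentication.getParameters()));
         fileAuthenticationBhv.insertOrUpdate(fileAuthentication, op -> {
             op.setRefreshPolicy(Constants.TRUE);
         });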

+ 2 - 0
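--- a/src/main/java/org/codelibs/fess/app/service/FileConfigService.java
+++ b/src/main/java/org/codelibs/fess/app/service/FileConfigService.java
@@ -27,6 +27,7 @@ import org.codelibs.fess.es.config.exbhv.FileAuthenticationBhv;
 import org.codelibs.fess.es.config.exbhv.FileConfigBhv;
 import org.codelibs.fess.es.config.exentity.FileConfig;
 import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.util.ParameterUtil;
 import org.dbflute.cbean.result.PagingResultBean;
 import org.dbflute.optional.OptionalEntity;
 
@@ -75,6 +76,7 @@ public class FileConfigService {
     }
 
     public void store(final FileConfig fileConfig) {
+        fileConfig.setConfigParameter(ParameterUtil.encrypt(fileConfig.getConfigParameter()));
         fileConfigBhv.insertOrUpdate(fileConfig, op -> {
             op.setRefreshPolicy(Constants.TRUE);
         });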

+ 2 - 1
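--- a/src/main/java/org/codelibs/fess/app/service/WebAuthenticationService.java
+++ b/src/main/java/org/codelibs/fess/app/service/WebAuthenticationService.java
@@ -26,6 +26,7 @@ import org.codelibs.fess.es.config.cbean.WebAuthenticationCB;
 import org.codelibs.fess.es.config.exbhv.WebAuthenticationBhv;
 import org.codelibs.fess.es.config.exentity.WebAuthentication;
 import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.util.ParameterUtil;
 import org.dbflute.cbean.result.PagingResultBean;
 import org.dbflute.optional.OptionalEntity;
 
@@ -58,7 +59,7 @@ public class WebAuthenticationService {
     }
 
     public void store(final WebAuthentication webAuthentication) {
-
+        webAuthentication.setParameters(ParameterUtil.encrypt(webAuthentication.getParameters()));
         webAuthenticationBhv.insertOrUpdate(webAuthentication, op -> {
             op.setRefreshPolicy(Constants.TRUE);
         });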

+ 2 - 0
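--- a/src/main/java/org/codelibs/fess/app/service/WebConfigService.java
+++ b/src/main/java/org/codelibs/fess/app/service/WebConfigService.java
@@ -28,6 +28,7 @@ import org.codelibs.fess.es.config.exbhv.WebAuthenticationBhv;
 import org.codelibs.fess.es.config.exbhv.WebConfigBhv;
 import org.codelibs.fess.es.config.exentity.WebConfig;
 import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.util.ParameterUtil;
 import org.dbflute.cbean.result.PagingResultBean;
 import org.dbflute.optional.OptionalEntity;
 
@@ -83,6 +84,7 @@ public class WebConfigService {
     }
 
     public void store(final WebConfig webConfig) {
+        webConfig.setConfigParameter(ParameterUtil.encrypt(webConfig.getConfigParameter()));
         webConfigBhv.insertOrUpdate(webConfig, op -> {
             op.setRefreshPolicy(Constants.TRUE);
         });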

+ 1 - 1
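--- a/src/main/java/org/codelibs/fess/helper/SystemHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/SystemHelper.java
@@ -443,7 +443,7 @@ public class SystemHelper {
             logger.debug("system.properties: {}", value);
         }
         if (StringUtil.isNotBlank(value)) {
-            ParameterUtil.parse(value).entrySet().stream().filter(e -> {
+            ParameterUtil.parse(ParameterUtil.encrypt(value)).entrySet().stream().filter(e -> {
                 final String key = e.getKey();
                 if (StringUtil.isBlank(key)) {
                     return false;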
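Review bot: The context line `logger.debug("system.properties: {}", value);` still writes the raw property text to the debug log before `ParameterUtil.encrypt(value)` is applied, so a plaintext password or key in that text reaches the log; log only the key names, or log the text after encryption. Separately, `parse(encrypt(value))` encrypts the matching values and `parse` then decrypts them again, so as far as this hunk shows the stream receives the same plaintext as before and the change only adds cipher work; it is worth confirming whether the encrypted text was meant to be written back to the stored setting. The enclosing method starts and ends outside the hunk.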

+ 15 - 0
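--- a/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java
+++ b/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java
@@ -37,6 +37,9 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
     /** The key of the configuration. e.g. sha256 */
     String APP_DIGEST_ALGORISM = "app.digest.algorism";
 
+    /** The key of the configuration. e.g. .*password|.*key */
+    String APP_ENCRYPT_PROPERTY_PATTERN = "app.encrypt.property.pattern";
+
     /** The key of the configuration. e.g. -Djava.awt.headless=true
     -Dfile.encoding=UTF-8
     -Djna.nosys=true
@@ -1613,6 +1616,13 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
      */
     String getAppDigestAlgorism();
 
+    /**
+     * Get the value for the key 'app.encrypt.property.pattern'. <br>
+     * The value is, e.g. .*password|.*key <br>
+     * @return The value of found property. (NotNull: if not found, exception but basically no way)
+     */
+    String getAppEncryptPropertyPattern();
+
     /**
      * Get the value for the key 'jvm.crawler.options'. <br>
      * The value is, e.g. -Djava.awt.headless=true
@@ -6412,6 +6422,10 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
             return get(FessConfig.APP_DIGEST_ALGORISM);
         }
 
+        public String getAppEncryptPropertyPattern() {
+            return get(FessConfig.APP_ENCRYPT_PROPERTY_PATTERN);
+        }
+
         public String getJvmCrawlerOptions() {
             return get(FessConfig.JVM_CRAWLER_OPTIONS);
         }
@@ -8904,6 +8918,7 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
             defaultMap.put(FessConfig.APP_CIPHER_ALGORISM, "aes");
             defaultMap.put(FessConfig.APP_CIPHER_KEY, "___change__me___");
             defaultMap.put(FessConfig.APP_DIGEST_ALGORISM, "sha256");
+            defaultMap.put(FessConfig.APP_ENCRYPT_PROPERTY_PATTERN, ".*password|.*key");
             defaultMap
                     .put(FessConfig.JVM_CRAWLER_OPTIONS,
                             "-Djava.awt.headless=true\n-Dfile.encoding=UTF-8\n-Djna.nosys=true\n-Djdk.io.permissionsUseCanonicalPath=true\n-Dhttp.maxConnections=20\n-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager\n-server\n-Xms128m\n-Xmx512m\n-XX:MaxMetaspaceSize=128m\n-XX:CompressedClassSpaceSize=32m\n-XX:-UseGCOverheadLimit\n-XX:+UseTLAB\n-XX:+DisableExplicitGC\n-XX:-HeapDumpOnOutOfMemoryError\n-XX:-OmitStackTraceInFastThrow\n-XX:+UnlockExperimentalVMOptions\n-XX:+UseG1GC\n-XX:InitiatingHeapOccupancyPercent=45\n-XX:G1HeapRegionSize=1m\n-XX:MaxGCPauseMillis=60000\n-XX:G1NewSizePercent=5\n-XX:G1MaxNewSizePercent=5\n-Djcifs.smb.client.responseTimeout=30000\n-Djcifs.smb.client.soTimeout=35000\n-Djcifs.smb.client.connTimeout=60000\n-Djcifs.smb.client.sessionTimeout=60000\n-Djcifs.smb1.smb.client.connTimeout=60000\n-Djcifs.smb1.smb.client.soTimeout=35000\n-Djcifs.smb1.smb.client.responseTimeout=30000\n-Dgroovy.use.classvalue=true\n-Dio.netty.noUnsafe=true\n-Dio.netty.noKeySetOptimization=true\n-Dio.netty.recycler.maxCapacityPerThread=0\n-Dlog4j.shutdownHookEnabled=false\n-Dlog4j2.disable.jmx=true\n-Dlog4j.skipJansi=true\n-Dsun.java2d.cmm=sun.java2d.cmm.kcms.KcmsServiceProvider\n-Dorg.apache.pdfbox.rendering.UsePureJavaCMYKConversion=true\n");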

+ 39 - 4
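--- a/src/main/java/org/codelibs/fess/util/ParameterUtil.java
+++ b/src/main/java/org/codelibs/fess/util/ParameterUtil.java
@@ -18,12 +18,16 @@ package org.codelibs.fess.util;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import org.codelibs.core.lang.StringUtil;
+import org.codelibs.core.misc.Pair;
 import org.codelibs.fess.es.config.exentity.CrawlingConfig.ConfigName;
-import org.codelibs.fess.exception.FessSystemException;
+import org.lastaflute.core.security.PrimaryCipher;
 
 public class ParameterUtil {
+    private static final String CIPHER_PREFIX = "{cipher}";
+
     protected static final String XPATH_PREFIX = "field.xpath.";
 
     protected static final String META_PREFIX = "field.meta.";
@@ -45,17 +49,26 @@ public class ParameterUtil {
     public static Map<String, String> parse(final String value) {
         final Map<String, String> paramMap = new LinkedHashMap<>();
         if (value != null) {
+            int unknownKey = 0;
+            final Pattern properyPattern = Pattern.compile(ComponentUtil.getFessConfig().getAppEncryptPropertyPattern());
+            final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
             final String[] lines = value.split("[\r\n]");
             for (final String line : lines) {
                 if (StringUtil.isNotBlank(line)) {
                     final int pos = line.indexOf('=');
                     if (pos == 0) {
-                        throw new FessSystemException("Invalid parameter. The key is null.");
+                        paramMap.put("unknown." + (unknownKey + 1), line.substring(pos + 1).trim());
+                        unknownKey++;
                     } else if (pos > 0) {
+                        final String key = line.substring(0, pos).trim();
                         if (pos < line.length()) {
-                            paramMap.put(line.substring(0, pos).trim(), line.substring(pos + 1).trim());
+                            String data = line.substring(pos + 1).trim();
+                            if (properyPattern.matcher(key).matches() && data.startsWith(CIPHER_PREFIX)) {
+                                data = cipher.decrypt(data.substring(CIPHER_PREFIX.length()));
+                            }
+                            paramMap.put(key, data);
                         } else {
-                            paramMap.put(line.substring(0, pos).trim(), StringUtil.EMPTY);
+                            paramMap.put(key, StringUtil.EMPTY);
                         }
                     } else {
                         paramMap.put(line.trim(), StringUtil.EMPTY);
@@ -66,6 +79,28 @@ public class ParameterUtil {
         return paramMap;
     }
 
+    public static String encrypt(final String value) {
+        final StringBuilder buf = new StringBuilder();
+        final Pattern properyPattern = Pattern.compile(ComponentUtil.getFessConfig().getAppEncryptPropertyPattern());
+        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
+        ParameterUtil.parse(value).entrySet().stream().map(e -> {
+            final String k = e.getKey();
+            final String v = e.getValue();
+            if (properyPattern.matcher(k).matches() && !v.startsWith(CIPHER_PREFIX)) {
+                return new Pair<>(k, CIPHER_PREFIX + cipher.encrypt(v));
+            }
+            return new Pair<>(k, v);
+        }).forEach(e -> {
+            if (buf.length() > 0) {
+                buf.append('\n');
+            }
+            buf.append(e.getFirst());
+            buf.append('=');
+            buf.append(e.getSecond());
+        });
+        return buf.toString();
+    }
+
     public static void loadConfigParams(final Map<String, Object> paramMap, final String configParam) {
         final Map<String, String> map = ParameterUtil.parse(configParam);
         if (!map.isEmpty()) {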
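Review bot: In `parse`, `cipher.decrypt(...)` is called with no failure handling, so a value that merely starts with `{cipher}` (hand-edited text, or ciphertext written under a different cipher key) will presumably throw out of every caller of `parse`, including configuration loading; catching the failure and reporting the key name, never the value, would stop one bad line from breaking the whole parameter block. In `encrypt`, the `!v.startsWith(CIPHER_PREFIX)` guard runs after `parse` has already decrypted, so it only fires when the plaintext itself begins with `{cipher}`, and that value is then stored unencrypted. Both methods call `Pattern.compile` on the configured pattern on every invocation, a malformed pattern surfaces there as `PatternSyntaxException`, and `properyPattern` is a typo for `propertyPattern`. The `pos == 0` branch now stores the value under `unknown.N` instead of throwing, which can collide with a real key of that name; a comment such as `// lines without a key are kept under a synthetic "unknown.N" key instead of being rejected` would record that this is intentional. `loadConfigParams` continues outside the hunk.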

+ 1 - 0
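--- a/src/main/resources/fess_config.properties
+++ b/src/main/resources/fess_config.properties
@@ -15,6 +15,7 @@ elasticsearch.http.url=http://localhost:9201
 app.cipher.algorism=aes
 app.cipher.key=___change__me___
 app.digest.algorism=sha256
+app.encrypt.property.pattern=.*password|.*key
 
 # JVM options
 jvm.crawler.options=\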
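Review bot: `app.encrypt.property.pattern=.*password|.*key` is applied with `Pattern.matcher(key).matches()`, which is case-sensitive and matches the whole name, so parameter names such as `Password`, `apiKey`, `secret` or `token` stay in plaintext; a broader default along the lines of `(?i).*(password|passwd|secret|token|key)` would cover them. The neighbouring `app.cipher.key=___change__me___` is presumably the key these values are encrypted with, and while it stays at the shipped default the `{cipher}` values give no real confidentiality, so startup should warn when the default is still in place. A comment above the new line, e.g. `# Regex matched against the whole parameter name; matching values are stored encrypted with app.cipher.key`, would document the behaviour.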

+ 52 - 0
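--- a/src/test/java/org/codelibs/fess/util/ParameterUtilTest.java
+++ b/src/test/java/org/codelibs/fess/util/ParameterUtilTest.java
@@ -17,9 +17,25 @@ package org.codelibs.fess.util;
 
 import java.util.Map;
 
+import org.codelibs.fess.mylasta.direction.FessConfig;
+import org.codelibs.fess.mylasta.direction.FessProp;
 import org.codelibs.fess.unit.UnitFessTestCase;
 
 public class ParameterUtilTest extends UnitFessTestCase {
+
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        FessProp.propMap.clear();
+        FessConfig fessConfig = new FessConfig.SimpleImpl() {
+            @Override
+            public String getAppEncryptPropertyPattern() {
+                return ".*password|.*key";
+            }
+        };
+        ComponentUtil.setFessConfig(fessConfig);
+    }
+
     public void test_convertParameterMap() {
         String parameters;
         Map<String, String> parameterMap;
@@ -163,4 +179,40 @@ public class ParameterUtilTest extends UnitFessTestCase {
         assertEquals(0, scriptMap.size());
     }
 
+    public void test_encryptParameter() {
+        String value;
+        String expect;
+
+        value = null;
+        expect = "";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "";
+        expect = "";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "\n";
+        expect = "";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "=";
+        expect = "unknown.1=";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "=1\n=";
+        expect = "unknown.1=1\nunknown.2=";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "a=b";
+        expect = "a=b";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "password=b";
+        expect = "password={cipher}5691346cc398a4450114883140fa84a7";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+
+        value = "aaa.password=b\naaa=c\nccc.key=d";
+        expect = "aaa.password={cipher}5691346cc398a4450114883140fa84a7\n" + "aaa=c\n" + "ccc.key={cipher}bf66204f1a59036869a684d61d337bd4";
+        assertEquals(expect, ParameterUtil.encrypt(value));
+    }
 }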
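Review bot: The expected ciphertexts in `test_encryptParameter` are hard-coded, and the plaintext `b` yields the same `5691346cc398a4450114883140fa84a7` for both `password` and `aaa.password`, which indicates the cipher output is deterministic (no per-value IV or nonce), so equal secrets are recognisable in storage and the test breaks whenever the test cipher key or algorithm changes. Asserting the round trip instead, `assertEquals("b", ParameterUtil.parse(ParameterUtil.encrypt("password=b")).get("password"));`, together with a check that the output starts with `password={cipher}`, would be more robust. Cases for input that is already encrypted and for a `{cipher}` value that cannot be decrypted are missing.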