server: Add support to encrypt https.keystore.password in server.properties (#5459)

* Add support to encrypt https.keystore.password in server.properties

* address comments

* address comments

Author: Pearl1594

client/conf/server.properties.in

@@ -38,7 +38,11 @@ https.port=8443
 
 # The keystore and manager passwords are assumed to be same.
 https.keystore=/etc/cloudstack/management/cloud.jks
+# If you want to encrypt the password follow the steps mentioned at:
+# http://docs.cloudstack.apache.org/projects/archived-cloudstack-administration/en/latest/management.html?highlight=jasypt#changing-the-database-password
 https.keystore.password=vmops.com
+# If an encrypted password is used, specify the encryption type - valid types: file, env (set environment variable CLOUD_SECRET_KEY), web
+# password.encryption.type=none
 
 # The path to webapp directory
 webapp.dir=/usr/share/cloudstack-management/webapp

client/src/main/java/org/apache/cloudstack/ServerDaemon.java

@@ -19,12 +19,15 @@
 package org.apache.cloudstack;
 
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.lang.management.ManagementFactory;
 import java.net.URL;
 import java.util.Properties;
 
 import com.cloud.utils.Pair;
+import com.cloud.utils.server.ServerProperties;
 import org.apache.commons.daemon.Daemon;
 import org.apache.commons.daemon.DaemonContext;
 import org.eclipse.jetty.jmx.MBeanContainer;
@@ -116,7 +119,8 @@ public void init(final DaemonContext context) {
         LOG.info("Server configuration file found: " + confFile.getAbsolutePath());
 
         try {
-            final Properties properties = PropertiesUtil.loadFromFile(confFile);
+            InputStream is = new FileInputStream(confFile);
+            final Properties properties = ServerProperties.getServerProperties(is);
             if (properties == null) {
                 return;
             }
@@ -132,7 +136,7 @@ public void init(final DaemonContext context) {
             setAccessLogFile(properties.getProperty(ACCESS_LOG, "access.log"));
             setSessionTimeout(Integer.valueOf(properties.getProperty(SESSION_TIMEOUT, "30")));
         } catch (final IOException e) {
-            LOG.warn("Failed to load configuration from server.properties file", e);
+            LOG.warn("Failed to read configuration from server.properties file", e);
         } finally {
             // make sure that at least HTTP is enabled if both of them are set to false (misconfiguration)
             if (!httpEnable && !httpsEnable) {

utils/src/main/java/com/cloud/utils/crypt/EncryptionSecretKeyChecker.java

@@ -55,8 +55,8 @@ public void init() {
         DbProperties.getDbProperties();
     }
 
-    public void check(Properties dbProps) throws IOException {
-        String encryptionType = dbProps.getProperty("db.cloud.encryption.type");
+    public void check(Properties properties, String property) throws IOException {
+        String encryptionType = properties.getProperty(property);
 
         s_logger.debug("Encryption Type: " + encryptionType);
 
@@ -116,7 +116,7 @@ public void check(Properties dbProps) throws IOException {
                     throw new CloudRuntimeException("Accept failed on " + port);
                 }
             } catch (IOException ioex) {
-                throw new CloudRuntimeException("Error initializing secret key reciever", ioex);
+                throw new CloudRuntimeException("Error initializing secret key receiver", ioex);
             }
         } else {
             throw new CloudRuntimeException("Invalid encryption type: " + encryptionType);

utils/src/main/java/com/cloud/utils/db/DbProperties.java

@@ -39,10 +39,11 @@ public class DbProperties {
 
     private static Properties properties = new Properties();
     private static boolean loaded = false;
+    public static final String dbEncryptionType = "db.cloud.encryption.type";
 
     protected static Properties wrapEncryption(Properties dbProps) throws IOException {
         EncryptionSecretKeyChecker checker = new EncryptionSecretKeyChecker();
-        checker.check(dbProps);
+        checker.check(dbProps, dbEncryptionType);
 
         if (EncryptionSecretKeyChecker.useEncryption()) {
             return dbProps;
@@ -77,7 +78,7 @@ public synchronized static Properties getDbProperties() {
                 }
 
                 EncryptionSecretKeyChecker checker = new EncryptionSecretKeyChecker();
-                checker.check(dbProps);
+                checker.check(dbProps, dbEncryptionType);
 
                 if (EncryptionSecretKeyChecker.useEncryption()) {
                     StandardPBEStringEncryptor encryptor = EncryptionSecretKeyChecker.getEncryptor();

utils/src/main/java/com/cloud/utils/server/ServerProperties.java

@@ -0,0 +1,63 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.utils.server;
+
+import com.cloud.utils.crypt.EncryptionSecretKeyChecker;
+import org.apache.commons.io.IOUtils;
+import org.apache.log4j.Logger;
+import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+import org.jasypt.properties.EncryptableProperties;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+public class ServerProperties {
+    private static final Logger LOG = Logger.getLogger(ServerProperties.class);
+
+    private static Properties properties = new Properties();
+    private static boolean loaded = false;
+    public static final String passwordEncryptionType = "password.encryption.type";
+
+    public synchronized static Properties getServerProperties(InputStream inputStream) {
+        if (!loaded) {
+            Properties serverProps = new Properties();
+            try {
+                serverProps.load(inputStream);
+
+                EncryptionSecretKeyChecker checker = new EncryptionSecretKeyChecker();
+                checker.check(serverProps, passwordEncryptionType);
+
+                if (EncryptionSecretKeyChecker.useEncryption()) {
+                    StandardPBEStringEncryptor encryptor = EncryptionSecretKeyChecker.getEncryptor();
+                    EncryptableProperties encrServerProps = new EncryptableProperties(encryptor);
+                    encrServerProps.putAll(serverProps);
+                    serverProps = encrServerProps;
+                }
+            } catch (IOException e) {
+                throw new IllegalStateException("Failed to load server.properties", e);
+            } finally {
+                IOUtils.closeQuietly(inputStream);
+            }
+
+            properties = serverProps;
+            loaded = true;
+        }
+
+        return properties;
+    }
+}

utils/src/test/java/com/cloud/utils/crypto/EncryptionSecretKeyCheckerTest.java

@@ -39,7 +39,7 @@ public void testKeyFileDoesNotExists() throws IOException, URISyntaxException {
     Assert.assertNotNull(checker);
     Properties properties = DbProperties.getDbProperties();
     properties.setProperty("db.cloud.encryption.type", "file");
-    checker.check(properties);
+    checker.check(properties, DbProperties.dbEncryptionType);
   }
 
 }