Merge pull request #196 from xenit-eu/ACC-2372-alfresco-decryption

[ACC-2372] Add support for encrypted content migrated from Alfresco

Author: vierbergenlars

contentgrid-appserver-autoconfigure/src/main/java/com/contentgrid/appserver/autoconfigure/contentstore/EncryptedContentStoreAutoConfiguration.java

@@ -5,25 +5,32 @@
 import com.contentgrid.appserver.contentstore.api.ContentStore;
 import com.contentgrid.appserver.contentstore.impl.encryption.EncryptedContentStore;
 import com.contentgrid.appserver.contentstore.impl.encryption.engine.AesCtrEncryptionEngine;
+import com.contentgrid.appserver.contentstore.impl.encryption.engine.AlfrescoCompatibleEncryptionEngine;
 import com.contentgrid.appserver.contentstore.impl.encryption.engine.ContentEncryptionEngine;
 import com.contentgrid.appserver.contentstore.impl.encryption.keys.DataEncryptionKeyAccessor;
 import com.contentgrid.appserver.contentstore.impl.encryption.keys.DataEncryptionKeyWrapper;
 import com.contentgrid.appserver.contentstore.impl.encryption.keys.TableStorageDataEncryptionKeyAccessor;
 import com.contentgrid.appserver.contentstore.impl.encryption.keys.UnencryptedSymmetricDataEncryptionKeyWrapper;
+
 import java.util.List;
 import java.util.Set;
+
 import org.jooq.DSLContext;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.AllNestedConditions;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBooleanProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.jooq.JooqAutoConfiguration;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.context.properties.bind.DefaultValue;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Conditional;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
+import org.springframework.context.annotation.ConfigurationCondition.ConfigurationPhase;
 
 @AutoConfiguration
 @ConditionalOnClass(EncryptedContentStore.class)
@@ -32,8 +39,8 @@
 public class EncryptedContentStoreAutoConfiguration {
 
     @Bean
-    @ConditionalOnMissingBean
-    DataEncryptionKeyAccessor tableStorageEncryptionKeyAccessor(DSLContext dslContext) {
+    @ConditionalOnMissingBean(DataEncryptionKeyAccessor.class)
+    TableStorageDataEncryptionKeyAccessor tableStorageEncryptionKeyAccessor(DSLContext dslContext) {
         return new TableStorageDataEncryptionKeyAccessor(dslContext);
     }
 
@@ -55,6 +62,12 @@ ContentStore encryptedContentStore(ContentStore contentStore, DataEncryptionKeyA
         return new EncryptedContentStore(contentStore, encryptionKeyAccessor, encryptionKeyWrappers, encryptionEngines);
     }
 
+    @Bean
+    @Conditional(TableInitializerCondition.class)
+    TableInitializer dekTableInitializer(TableStorageDataEncryptionKeyAccessor encryptionKeyAccessor) {
+        return new TableInitializer(encryptionKeyAccessor);
+    }
+
     private DataEncryptionKeyWrapper dataEncryptionKeyWrapperForAlgorithm(EncryptionKeyWrapperAlgorithm algorithm) {
         return switch (algorithm) {
             case NONE -> new UnencryptedSymmetricDataEncryptionKeyWrapper(true);
@@ -66,6 +79,7 @@ private ContentEncryptionEngine contentEncryptionEngineForAlgorithm(EncryptionEn
             case AES128_CTR -> new AesCtrEncryptionEngine(128);
             case AES192_CTR -> new AesCtrEncryptionEngine(192);
             case AES256_CTR -> new AesCtrEncryptionEngine(256);
+            case ALFRESCO -> new AlfrescoCompatibleEncryptionEngine();
         };
     }
 
@@ -88,6 +102,31 @@ enum EncryptionKeyWrapperAlgorithm {
     enum EncryptionEngineAlgorithm {
         AES128_CTR,
         AES192_CTR,
-        AES256_CTR
+        AES256_CTR,
+        ALFRESCO
+    }
+
+    private static class TableInitializerCondition extends AllNestedConditions {
+
+        public TableInitializerCondition() {
+            super(ConfigurationPhase.REGISTER_BEAN);
+        }
+
+        @ConditionalOnBean(TableStorageDataEncryptionKeyAccessor.class)
+        static class UsesTableStorage {}
+
+        @ConditionalOnBooleanProperty("contentgrid.appserver.content.encryption.bootstrap-tables")
+        static class TableBootstrapConfigured {}
+    }
+
+    @lombok.Value
+    private static class TableInitializer implements InitializingBean {
+
+        private TableStorageDataEncryptionKeyAccessor encryptionKeyAccessor;
+
+        @Override
+        public void afterPropertiesSet() throws Exception {
+            encryptionKeyAccessor.setupTables();
+        }
     }
 }

contentgrid-appserver-autoconfigure/src/main/java/com/contentgrid/appserver/autoconfigure/query/engine/JOOQQueryEngineAutoConfiguration.java

@@ -67,7 +67,7 @@ TableCreator jooqTableCreator(DSLContextResolver dslContextResolver) {
     @Bean
     @ConditionalOnBean(ApplicationResolver.class)
     @ConditionalOnBooleanProperty("contentgrid.appserver.query-engine.bootstrap-tables")
-    TableInitializer tableInitializer(TableCreator tableCreator, ApplicationResolver applicationResolver) {
+    TableInitializer jooqTableInitializer(TableCreator tableCreator, ApplicationResolver applicationResolver) {
         return new TableInitializer(tableCreator, applicationResolver);
     }
 

contentgrid-appserver-autoconfigure/src/test/java/com/contentgrid/appserver/autoconfigure/contentstore/EncryptedContentStoreAutoConfigurationTest.java

@@ -12,6 +12,7 @@
 import com.contentgrid.appserver.contentstore.impl.encryption.testing.InMemoryDataEncryptionKeyAccessor;
 import com.contentgrid.appserver.contentstore.impl.encryption.testing.XorTestEncryptionEngine;
 import com.contentgrid.appserver.contentstore.impl.fs.FilesystemContentStore;
+
 import java.util.Set;
 import org.jooq.DSLContext;
 import org.junit.jupiter.api.Test;
@@ -50,6 +51,7 @@ void checkDefaults() {
                 .run(context -> {
                     assertThat(context).hasNotFailed();
                     assertThat(context).hasSingleBean(EncryptedContentStore.class);
+                    assertThat(context).doesNotHaveBean("dekTableInitializer");
                 });
     }
 
@@ -123,7 +125,8 @@ void checkWithMultipleEncryptionKeyAlgorithms() {
                 .withPropertyValues(
                         "contentgrid.appserver.content.encryption.engine.algorithms[0]=AES128-CTR",
                         "contentgrid.appserver.content.encryption.engine.algorithms[1]=AES192-CTR",
-                        "contentgrid.appserver.content.encryption.engine.algorithms[2]=AES256-CTR"
+                        "contentgrid.appserver.content.encryption.engine.algorithms[2]=AES256-CTR",
+                        "contentgrid.appserver.content.encryption.engine.algorithms[3]=ALFRESCO"
                 )
                 .run(context -> {
                     assertThat(context).hasNotFailed();
@@ -171,6 +174,31 @@ void checkWithCustomEncryptionKeyAccessor() {
                 });
     }
 
+    @Test
+    void checkWithBootStrapTables() {
+        contextRunner
+                .withPropertyValues("contentgrid.appserver.content.encryption.bootstrap-tables=true")
+                .run(context -> {
+                    assertThat(context).hasNotFailed();
+                    assertThat(context).hasSingleBean(EncryptedContentStore.class);
+                    assertThat(context).hasSingleBean(TableStorageDataEncryptionKeyAccessor.class);
+                    assertThat(context).hasBean("dekTableInitializer");
+                });
+    }
+
+    @Test
+    void checkWithCustomEncryptionKeyAccessorAndBootStrapTables() {
+        contextRunner
+                .withUserConfiguration(CustomEncryptionKeyAccessorConfiguration.class)
+                .withPropertyValues("contentgrid.appserver.content.encryption.bootstrap-tables=true")
+                .run(context -> {
+                    assertThat(context).hasNotFailed();
+                    assertThat(context).hasSingleBean(EncryptedContentStore.class);
+                    assertThat(context).doesNotHaveBean(TableStorageDataEncryptionKeyAccessor.class);
+                    assertThat(context).doesNotHaveBean("dekTableInitializer");
+                });
+    }
+
     @Configuration
     static class CustomEncryptionKeyWrapperConfiguration {
 

contentgrid-appserver-autoconfigure/src/test/java/com/contentgrid/appserver/autoconfigure/query/engine/JOOQQueryEngineAutoConfigurationTest.java

@@ -42,7 +42,7 @@ void checkDefaults() {
                     assertThat(context).hasNotFailed();
                     assertThat(context).hasSingleBean(DSLContextResolver.class);
                     assertThat(context).hasSingleBean(QueryEngine.class);
-                    assertThat(context).doesNotHaveBean("tableInitializer");
+                    assertThat(context).doesNotHaveBean("jooqTableInitializer");
                 });
     }
 
@@ -55,7 +55,7 @@ void checkWithBootStrapTables() {
                     assertThat(context).hasNotFailed();
                     assertThat(context).hasSingleBean(DSLContextResolver.class);
                     assertThat(context).hasSingleBean(QueryEngine.class);
-                    assertThat(context).hasBean("tableInitializer");
+                    assertThat(context).hasBean("jooqTableInitializer");
                 });
     }
 
@@ -67,7 +67,7 @@ void checkWithBootStrapTables_noApplication() {
                     assertThat(context).hasNotFailed();
                     assertThat(context).hasSingleBean(DSLContextResolver.class);
                     assertThat(context).hasSingleBean(QueryEngine.class);
-                    assertThat(context).doesNotHaveBean("tableInitializer");
+                    assertThat(context).doesNotHaveBean("jooqTableInitializer");
                 });
     }
 

contentgrid-appserver-contentstore-impl-encryption/.gitignore

@@ -0,0 +1 @@
+/bin/

contentgrid-appserver-contentstore-impl-encryption/src/main/java/com/contentgrid/appserver/contentstore/impl/encryption/engine/AesCtrEncryptionEngine.java

@@ -6,8 +6,10 @@
 import com.contentgrid.appserver.contentstore.api.range.ResolvedContentRange;
 import com.contentgrid.appserver.contentstore.impl.encryption.UndecryptableContentException;
 import com.contentgrid.appserver.contentstore.impl.encryption.keys.KeyBytes;
+import com.contentgrid.appserver.contentstore.impl.utils.SkippableCipherInputStream;
 import com.contentgrid.appserver.contentstore.impl.utils.SkippingInputStream;
 import com.contentgrid.appserver.contentstore.impl.utils.ZeroPrefixedInputStream;
+
 import java.io.InputStream;
 import java.math.BigInteger;
 import java.security.InvalidAlgorithmParameterException;
@@ -18,14 +20,14 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.stream.Collectors;
+
 import javax.crypto.Cipher;
 import javax.crypto.CipherInputStream;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.spec.IvParameterSpec;
-import javax.security.auth.Destroyable;
+
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
-import lombok.experimental.Delegate;
 
 /**
  * Symmetric data encryption engine using AES-CTR encryption mode
@@ -77,7 +79,7 @@ private Cipher initializeCipher(EncryptionParameters parameters, boolean forEncr
         try {
             cipher.init(
                     forEncryption ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE,
-                    new AESSecretKey(parameters.getSecretKey()),
+                    new SecretKey(parameters.getSecretKey(), "AES"),
                     new IvParameterSpec(parameters.getInitializationVector())
             );
         } finally {
@@ -164,29 +166,6 @@ private byte[] adjustIvForOffset(byte[] iv, long offsetBlocks) {
         }
     }
 
-    @RequiredArgsConstructor
-    private static class AESSecretKey implements javax.crypto.SecretKey {
-        @Delegate(types = Destroyable.class)
-        private final KeyBytes keyBytes;
-
-        @Override
-        public String getAlgorithm() {
-            return "AES";
-        }
-
-        @Override
-        public String getFormat() {
-            return "RAW";
-        }
-
-        @Override
-        public byte[] getEncoded() {
-            // This one needs to be a copy, because the AES engine clears it.
-            // We don't want to have it destroy our KeyBytes copy
-            return keyBytes.getKeyBytesCopy();
-        }
-    }
-
     @RequiredArgsConstructor
     private static class DecryptingContentReader implements ContentReader {
 
@@ -197,7 +176,10 @@ private static class DecryptingContentReader implements ContentReader {
         @Override
         public InputStream getContentInputStream() throws UnreadableContentException {
             return new ZeroPrefixedInputStream(
-                    new CipherInputStream(
+                    // CipherInputStream does not skip(n) into not-yet-decrypted data
+                    // Spring StreamUtils.copyRange needs that behaviour
+                    // so we use our SkippableCipherInputStream
+                    new SkippableCipherInputStream(
                             new SkippingInputStream(
                                     delegate.getContentInputStream(),
                                     byteStartOffset