utils/src/main/java/com/cloud/utils/crypt/CloudStackEncryptor.java

//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
//

package com.cloud.utils.crypt;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.stream.Collectors;

import org.apache.commons.lang3.StringUtils;

import com.cloud.utils.exception.CloudRuntimeException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class CloudStackEncryptor {
    protected Logger logger = LogManager.getLogger(getClass());
    private Base64Encryptor encryptor = null;
    private LegacyBase64Encryptor encryptorV1;
    private AeadBase64Encryptor encryptorV2;
    String password;
    EncryptorVersion version;
    Class callerClass;

    enum EncryptorVersion {
        V1, V2;

        public static EncryptorVersion fromString(String version) {
            if (version != null && version.equalsIgnoreCase("v1")) {
                return V1;
            }
            if (version != null && version.equalsIgnoreCase("v2")) {
                return V2;
            }
            if (StringUtils.isNotEmpty(version)) {
                throw new CloudRuntimeException(String.format("Invalid encryptor version: %s, valid options are: %s", version,
                        Arrays.stream(EncryptorVersion.values()).map(EncryptorVersion::name).collect(Collectors.joining(","))));
            }
            return null;
        }

        public static EncryptorVersion defaultVersion() {
            return V2;
        }
    }

    public CloudStackEncryptor(String password, String version, Class callerClass) {
        this.password = password;
        this.version = EncryptorVersion.fromString(version);
        this.callerClass = callerClass;
        initialize();
    }

    public String encrypt(String plain) {
        if (StringUtils.isEmpty(plain)) {
            return plain;
        }
        try {
            if (encryptor == null) {
                encryptor = encryptorV2;
                logger.debug(String.format("CloudStack will encrypt and decrypt values using default encryptor : %s for class %s",
                        encryptor.getClass().getSimpleName(), callerClass.getSimpleName()));
            }
            return encryptor.encrypt(plain);
        } catch (EncryptionException e) {
            throw new CloudRuntimeException("Error encrypting value: ", e);
        }
    }

    public String decrypt(String encrypted) {
        if (StringUtils.isEmpty(encrypted)) {
            return encrypted;
        }
        if (encryptor != null) {
            try {
                return encryptor.decrypt(encrypted);
            } catch (EncryptionException e) {
                throw new CloudRuntimeException("Error decrypting value: " + hideValueWithAsterisks(encrypted), e);
            }
        } else {
            String result = decrypt(encryptorV2, encrypted);
            if (result != null) {
                return result;
            }
            result = decrypt(encryptorV1, encrypted);
            if (result != null) {
                return result;
            }
            throw new CloudRuntimeException("Failed to decrypt value: " + hideValueWithAsterisks(encrypted));
        }
    }

    private String decrypt(Base64Encryptor encryptorToUse, String encrypted) {
        try {
            String result = encryptorToUse.decrypt(encrypted);
            logger.debug(String.format("CloudStack will encrypt and decrypt values using encryptor : %s for class %s",
                    encryptorToUse.getClass().getSimpleName(), callerClass.getSimpleName()));
            encryptor = encryptorToUse;
            return result;
        } catch (EncryptionException ex) {
            logger.warn(String.format("Failed to decrypt value using %s: %s", encryptorToUse.getClass().getSimpleName(), hideValueWithAsterisks(encrypted)));
        }
        return null;
    }

    protected static String hideValueWithAsterisks(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        int numChars = value.length() >= 10 ? 5: 1;
        int numAsterisks = 10 - numChars;
        return value.substring(0, numChars) + "*".repeat(numAsterisks);
    }

    protected void initialize() {
        logger.debug("Calling to initialize for class " + callerClass.getName());
        encryptor = null;
        if (EncryptorVersion.V1.equals(version)) {
            encryptorV1 = new LegacyBase64Encryptor(password);
            encryptor = encryptorV1;
            logger.debug("Initialized with encryptor : " + encryptorV1.getClass().getSimpleName());
        } else if (EncryptorVersion.V2.equals(version)) {
            encryptorV2 = new AeadBase64Encryptor(password.getBytes(StandardCharsets.UTF_8));
            encryptor = encryptorV2;
            logger.debug("Initialized with encryptor : " + encryptorV2.getClass().getSimpleName());
        } else {
            encryptorV1 = new LegacyBase64Encryptor(password);
            encryptorV2 = new AeadBase64Encryptor(password.getBytes(StandardCharsets.UTF_8));
            logger.debug("Initialized with all possible encryptors");
        }
    }
}