[SYNCOPE-1932] Improve AES management

core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/AccessTokenLogic.java

@@ -43,12 +43,10 @@
 
 public class AccessTokenLogic extends AbstractTransactionalLogic<AccessTokenTO> {
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     protected static byte[] getAuthorities() {
         byte[] authorities = null;
         try {
-            authorities = ENCRYPTOR.encode(POJOHelper.serialize(
+            authorities = Encryptor.getInstance().encode(POJOHelper.serialize(
                     AuthContextUtils.getAuthorities()), CipherAlgorithm.AES).
                     getBytes();
         } catch (Exception e) {

core/persistence-jpa-json/src/test/resources/core-majson-test.properties

@@ -18,7 +18,7 @@
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].jdbcURL=jdbc:mariadb://${DB_CONTAINER_IP}:3306/syncope?characterEncoding=UTF-8
 persistence.domain[0].poolMaxActive=10

core/persistence-jpa-json/src/test/resources/core-myjson-test.properties

@@ -18,7 +18,7 @@
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].jdbcURL=jdbc:mysql://${DB_CONTAINER_IP}:3306/syncope?useSSL=false&allowPublicKeyRetrieval=true&characterEncoding=UTF-8
 persistence.domain[0].poolMaxActive=10

core/persistence-jpa-json/src/test/resources/core-ojson-test.properties

@@ -18,7 +18,7 @@
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].jdbcURL=jdbc:oracle:thin:@${DB_CONTAINER_IP}:1521/XEPDB1
 #persistence.domain[0].jdbcURL=jdbc:oracle:thin:@192.168.0.176:1521/orcl

core/persistence-jpa-json/src/test/resources/core-pgjsonb-test.properties

@@ -18,7 +18,7 @@
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].jdbcURL=jdbc:postgresql://${DB_CONTAINER_IP}:5432/syncope?stringtype=unspecified
 persistence.domain[0].poolMaxActive=10

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPALinkedAccount.java

@@ -61,8 +61,6 @@ public class JPALinkedAccount extends AbstractGeneratedKeyEntity implements Link
 
     public static final String TABLE = "LinkedAccount";
 
-    private static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     @NotNull
     private String connObjectKeyValue;
 
@@ -151,7 +149,7 @@ public void setCipherAlgorithm(final CipherAlgorithm cipherAlgorithm) {
             throw new IllegalArgumentException("Cannot override existing cipher algorithm");
         }
     }
-    
+
     @Override
     public boolean canDecodeSecrets() {
         return this.cipherAlgorithm != null && this.cipherAlgorithm.isInvertible();
@@ -168,14 +166,22 @@ public void setEncodedPassword(final String password, final CipherAlgorithm ciph
         this.cipherAlgorithm = cipherAlgoritm;
     }
 
+    protected String encode(final String value) throws Exception {
+        return Encryptor.getInstance().encode(
+                value,
+                Optional.ofNullable(cipherAlgorithm).
+                        orElseGet(() -> CipherAlgorithm.valueOf(
+                        ApplicationContextProvider.getBeanFactory().getBean(ConfParamOps.class).get(
+                                AuthContextUtils.getDomain(),
+                                "password.cipher.algorithm",
+                                CipherAlgorithm.AES.name(),
+                                String.class))));
+    }
+
     @Override
     public void setPassword(final String password) {
         try {
-            this.password = ENCRYPTOR.encode(password, cipherAlgorithm == null
-                    ? CipherAlgorithm.valueOf(ApplicationContextProvider.getBeanFactory().getBean(ConfParamOps.class).
-                    get(AuthContextUtils.getDomain(), "password.cipher.algorithm", CipherAlgorithm.AES.name(),
-                            String.class))
-                    : cipherAlgorithm);
+            this.password = encode(password);
         } catch (Exception e) {
             LOG.error("Could not encode password", e);
             this.password = null;

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java

@@ -77,8 +77,6 @@ public class JPAUser
 
     public static final String TABLE = "SyncopeUser";
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     protected static final TypeReference<List<String>> TYPEREF = new TypeReference<List<String>>() {
     };
 
@@ -223,14 +221,22 @@ public void setEncodedPassword(final String password, final CipherAlgorithm ciph
         setMustChangePassword(false);
     }
 
+    protected String encode(final String value) throws Exception {
+        return Encryptor.getInstance().encode(
+                value,
+                Optional.ofNullable(cipherAlgorithm).
+                        orElseGet(() -> CipherAlgorithm.valueOf(
+                        ApplicationContextProvider.getBeanFactory().getBean(ConfParamOps.class).get(
+                                AuthContextUtils.getDomain(),
+                                "password.cipher.algorithm",
+                                CipherAlgorithm.AES.name(),
+                                String.class))));
+    }
+
     @Override
     public void setPassword(final String password) {
         try {
-            this.password = ENCRYPTOR.encode(password, cipherAlgorithm == null
-                    ? CipherAlgorithm.valueOf(ApplicationContextProvider.getBeanFactory().getBean(ConfParamOps.class).
-                            get(AuthContextUtils.getDomain(), "password.cipher.algorithm", CipherAlgorithm.AES.name(),
-                                    String.class))
-                    : cipherAlgorithm);
+            this.password = encode(password);
             setMustChangePassword(false);
         } catch (Exception e) {
             LOG.error("Could not encode password", e);
@@ -414,11 +420,7 @@ public String getSecurityAnswer() {
     @Override
     public void setSecurityAnswer(final String securityAnswer) {
         try {
-            this.securityAnswer = ENCRYPTOR.encode(securityAnswer, cipherAlgorithm == null
-                    ? CipherAlgorithm.valueOf(ApplicationContextProvider.getBeanFactory().getBean(ConfParamOps.class).
-                            get(AuthContextUtils.getDomain(), "password.cipher.algorithm", CipherAlgorithm.AES.name(),
-                                    String.class))
-                    : cipherAlgorithm);
+            this.securityAnswer = encode(securityAnswer);
         } catch (Exception e) {
             LOG.error("Could not encode security answer", e);
             this.securityAnswer = null;

core/persistence-jpa/src/test/resources/core-test.properties

@@ -18,7 +18,7 @@
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].key=Master
 persistence.domain[0].jdbcDriver=org.h2.Driver

core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/DefaultMappingManager.java

@@ -110,8 +110,6 @@ public class DefaultMappingManager implements MappingManager {
 
     protected static final Logger LOG = LoggerFactory.getLogger(MappingManager.class);
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     protected final AnyTypeDAO anyTypeDAO;
 
     protected final UserDAO userDAO;
@@ -500,7 +498,7 @@ public Pair<String, Set<Attribute>> prepareAttrsFromRealm(final Realm realm, fin
 
     protected String decodePassword(final Account account) {
         try {
-            return ENCRYPTOR.decode(account.getPassword(), account.getCipherAlgorithm());
+            return Encryptor.getInstance().decode(account.getPassword(), account.getCipherAlgorithm());
         } catch (Exception e) {
             LOG.error("Could not decode password for {}", account, e);
             return null;

core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AnyTypeDataBinderImpl.java

@@ -49,8 +49,6 @@ public class AnyTypeDataBinderImpl implements AnyTypeDataBinder {
 
     protected static final Logger LOG = LoggerFactory.getLogger(AnyTypeDataBinder.class);
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     protected final SecurityProperties securityProperties;
 
     protected final AnyTypeDAO anyTypeDAO;
@@ -86,15 +84,14 @@ public AnyType create(final AnyTypeTO anyTypeTO) {
             AccessToken accessToken = accessTokenDAO.findByOwner(AuthContextUtils.getUsername());
             try {
                 Set<SyncopeGrantedAuthority> authorities = new HashSet<>(POJOHelper.deserialize(
-                        ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
+                        Encryptor.getInstance().decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
                         new TypeReference<Set<SyncopeGrantedAuthority>>() {
                 }));
 
                 added.forEach(e -> authorities.add(new SyncopeGrantedAuthority(e, SyncopeConstants.ROOT_REALM)));
 
-                accessToken.setAuthorities(ENCRYPTOR.encode(
-                        POJOHelper.serialize(authorities), CipherAlgorithm.AES).
-                        getBytes());
+                accessToken.setAuthorities(Encryptor.getInstance().encode(
+                        POJOHelper.serialize(authorities), CipherAlgorithm.AES).getBytes());
 
                 accessTokenDAO.save(accessToken);
             } catch (Exception e) {
@@ -142,16 +139,15 @@ public AnyTypeTO delete(final AnyType anyType) {
             AccessToken accessToken = accessTokenDAO.findByOwner(AuthContextUtils.getUsername());
             try {
                 Set<SyncopeGrantedAuthority> authorities = new HashSet<>(POJOHelper.deserialize(
-                        ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
+                        Encryptor.getInstance().decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
                         new TypeReference<Set<SyncopeGrantedAuthority>>() {
                 }));
 
                 authorities.removeAll(authorities.stream().
                         filter(authority -> removed.contains(authority.getAuthority())).collect(Collectors.toList()));
 
-                accessToken.setAuthorities(ENCRYPTOR.encode(
-                        POJOHelper.serialize(authorities), CipherAlgorithm.AES).
-                        getBytes());
+                accessToken.setAuthorities(Encryptor.getInstance().encode(
+                        POJOHelper.serialize(authorities), CipherAlgorithm.AES).getBytes());
 
                 accessTokenDAO.save(accessToken);
             } catch (Exception e) {

core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/utils/ConnObjectUtils.java

@@ -68,8 +68,6 @@ public class ConnObjectUtils {
 
     protected static final Logger LOG = LoggerFactory.getLogger(ConnObjectUtils.class);
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     public static SyncToken toSyncToken(final String syncToken) {
         return Optional.ofNullable(syncToken).map(st -> POJOHelper.deserialize(st, SyncToken.class)).orElse(null);
     }
@@ -266,7 +264,7 @@ public <U extends AnyUR> U getAnyUR(
                 // update password if and only if password is really changed
                 User user = userDAO.authFind(key);
                 if (StringUtils.isBlank(updatedUser.getPassword())
-                        || ENCRYPTOR.verify(updatedUser.getPassword(),
+                        || Encryptor.getInstance().verify(updatedUser.getPassword(),
                                 user.getCipherAlgorithm(), user.getPassword())) {
 
                     updatedUser.setPassword(null);

core/self-keymaster-starter/src/test/resources/core-debug.properties

@@ -33,7 +33,7 @@ spring.h2.console.path=/h2
 security.adminUser=${adminUser}
 security.anonymousUser=${anonymousUser}
 security.jwsKey=${jwsKey}
-security.secretKey=${secretKey}
+security.aesSecretKey=${secretKey}
 
 persistence.domain[0].key=Master
 persistence.domain[0].jdbcDriver=org.h2.Driver

core/spring/src/main/java/org/apache/syncope/core/spring/policy/DefaultPasswordRule.java

@@ -59,8 +59,6 @@ public class DefaultPasswordRule implements PasswordRule {
 
     protected static final Logger LOG = LoggerFactory.getLogger(DefaultPasswordRule.class);
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     public static List<Rule> conf2Rules(final DefaultPasswordRuleConf conf) {
         List<Rule> rules = new ArrayList<>();
 
@@ -205,7 +203,7 @@ public void enforce(final LinkedAccount account) {
             String clear = null;
             if (account.canDecodeSecrets()) {
                 try {
-                    clear = ENCRYPTOR.decode(account.getPassword(), account.getCipherAlgorithm());
+                    clear = Encryptor.getInstance().decode(account.getPassword(), account.getCipherAlgorithm());
                 } catch (Exception e) {
                     LOG.error("Could not decode password for {}", account, e);
                 }

core/spring/src/main/java/org/apache/syncope/core/spring/policy/HaveIBeenPwnedPasswordRule.java

@@ -18,15 +18,10 @@
  */
 package org.apache.syncope.core.spring.policy;
 
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
+import java.security.GeneralSecurityException;
 import java.util.Optional;
 import java.util.stream.Stream;
-import javax.crypto.BadPaddingException;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.syncope.common.lib.policy.HaveIBeenPwnedPasswordRuleConf;
 import org.apache.syncope.common.lib.policy.PasswordRuleConf;
@@ -51,8 +46,6 @@ public class HaveIBeenPwnedPasswordRule implements PasswordRule {
 
     protected static final Logger LOG = LoggerFactory.getLogger(HaveIBeenPwnedPasswordRule.class);
 
-    private static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     private HaveIBeenPwnedPasswordRuleConf conf;
 
     @Override
@@ -72,7 +65,7 @@ public void setConf(final PasswordRuleConf conf) {
 
     protected void enforce(final String clearPassword) {
         try {
-            String sha1 = ENCRYPTOR.encode(clearPassword, CipherAlgorithm.SHA1);
+            String sha1 = Encryptor.getInstance().encode(clearPassword, CipherAlgorithm.SHA1);
 
             HttpHeaders headers = new HttpHeaders();
             headers.set(HttpHeaders.USER_AGENT, "Apache Syncope");
@@ -88,9 +81,7 @@ protected void enforce(final String clearPassword) {
                     throw new PasswordPolicyException("Password pwned");
                 }
             }
-        } catch (UnsupportedEncodingException | InvalidKeyException | NoSuchAlgorithmException
-                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
-
+        } catch (GeneralSecurityException e) {
             LOG.error("Could not encode the password value as SHA1", e);
         } catch (HttpStatusCodeException e) {
             LOG.error("Error while contacting the PwnedPasswords service", e);
@@ -115,7 +106,7 @@ public void enforce(final LinkedAccount account) {
             String clearPassword = null;
             if (account.canDecodeSecrets()) {
                 try {
-                    clearPassword = ENCRYPTOR.decode(account.getPassword(), account.getCipherAlgorithm());
+                    clearPassword = Encryptor.getInstance().decode(account.getPassword(), account.getCipherAlgorithm());
                 } catch (Exception e) {
                     LOG.error("Could not decode password for {}", account, e);
                 }

core/spring/src/main/java/org/apache/syncope/core/spring/security/AuthDataAccessor.java

@@ -83,8 +83,6 @@ public class AuthDataAccessor {
 
     public static final String GROUP_OWNER_ROLE = "GROUP_OWNER";
 
-    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
-
     protected static final Set<SyncopeGrantedAuthority> ANONYMOUS_AUTHORITIES =
             Set.of(new SyncopeGrantedAuthority(IdRepoEntitlement.ANONYMOUS));
 
@@ -255,7 +253,7 @@ public Triple<User, Boolean, String> authenticate(final String domain, final Aut
     }
 
     protected boolean authenticate(final User user, final String password) {
-        boolean authenticated = ENCRYPTOR.verify(password, user.getCipherAlgorithm(), user.getPassword());
+        boolean authenticated = Encryptor.getInstance().verify(password, user.getCipherAlgorithm(), user.getPassword());
         LOG.debug("{} authenticated on internal storage: {}", user.getUsername(), authenticated);
 
         for (Iterator<? extends ExternalResource> itor = getPassthroughResources(user).iterator();