quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Missing security feature ENC() #34151

Closed mkmpnataraj closed 1 year ago

mkmpnataraj commented 1 year ago

Description

It is a breeze to add some security to passwords in springboot. Please provide an easy way to use jasypt. If not, how is Quarkus integrating bcrypt or some other system, so users can EASILY encrypt the passwords. Do not suggest external systems like Vault.

https://github.com/quarkusio/quarkus/issues/10855

# quite easy in springboot, as jasypt is integrated well
set DB_URL=ENC(ATBD2N+G1GjGZ3rhpdDgSzmMvtJMpyKaqHVGIJgt10iHsZcRilfpPKPDJ25gr+jRwxlD3VIUzCX3kjFkFs/5/bNbDIpyld=)
set DB_USER=ENC(82hdW8ZfRPBRz28v6eA4NTE4dRTd7yRAVp041QPPPeJlIov2I2GX)
set DB_PASSWORD=ENC(xqDhKNFrAASJf69NXM54PmOOk0RhsvucuYppQOy0wpHo30JCiXQg)

Implementation ideas

A suggested developer workflow [work in progress, please revise]:

  1. Override environment specific props like db-passwords, apikeys etc in config/application.yml
  2. For sensitive config parameters in config/application.yml, use DEC(naked_password).
  3. During development: When you run quarkus:dev, those DEC() values will be seamlessly overwritten in those file(s) with ENC(encrypted_password)
  4. During build: When you run quarkus:build, it will create xyz-app.jar, also it will create .rundev.bat and .rundev.sh. The env specific overrides in config/application.yml will be specified as environment variables in those run script files. This will give an idea of what environment variables you will expose in kubernetes or other cloud environments.
  5. For encrypting passwords in commandline, please use the command quarkus:encrypt. You may override the algorithm if required.
  6. For working example: Please see the secret-message property in the basic hello-world example.
  7. Non documented complexity: Developers do not need to know small-rye, big-rye, what algo to use for encryption etc. Quarkus will choose the appropriate mechanism for securing sensitive information.
quarkus-bot[bot] commented 1 year ago

/cc @sberyozkin (security)

sberyozkin commented 1 year ago

@radcortez Hey Roberto, you've added a Jasypt secret encryption with Smallrye config crypto, right?

radcortez commented 1 year ago

Correct, it is possible to use Jasypt with Quarkus via SmallRye Config: https://smallrye.io/smallrye-config/3.3.0/config/secret-keys/#jasypt

The only issue is that it is not yet supported in native mode.

mkmpnataraj commented 1 year ago

As a dev advocate, I feel this ENC() is top important thing that can un/popularize Quarkus, and rapidly send developers to competing-frameworks. The world is security conscious, developers do not like frameworks that COMPLICATE securing passwords.

If you feel the same, please prioritize this. Just to give an example -- I put in 2 months in developing an app in quarkus (one year back!), I was hoping that ENC() may make its way in that 1 year, but it did not. It is scary to have naked passwords in property file whether local dev or not. I may need to explore rewrite in springboot.

# quite easy in springboot, as jasypt is integrated well
set DB_URL=ENC(ATBD2N+G1GjGZ3rhpdDgSzmMvtJMpyKaqHVGIJgt10iHsZcRilfpPKPDJ25gr+jRwxlD3VIUzCX3kjFkFs/5/bNbDIpyld=)
radcortez commented 1 year ago

@mkmpnataraj I've just pasted a link allowing you to use Jasypt with Quarkus: https://smallrye.io/smallrye-config/3.3.0/config/secret-keys/#jasypt

gsmet commented 1 year ago

I think it's a feature we should document in the Quarkus doc. Maybe by adding a link to the SmallRye doc.

That being said, I'm not sure I fully understand how I would set that up, just by reading the SmallRye doc.

gsmet commented 1 year ago

Also, should we add smallrye-config-jasypt to our BOM? I see -crypto is there.

radcortez commented 1 year ago

That being said, I'm not sure I fully understand how I would set that up, just by reading the SmallRye doc.

I guess I can improve that :)

Anyway, it requires the SR Config dependency, and to set up the configuration detailed in the docs. I'll add an example in the docs.

Also, should we add smallrye-config-jasypt to our BOM? I see -crypto is there.

Unfortunately, no, because Jasypt does not work in native mode... I still need to provide proper support for it.

mkmpnataraj commented 1 year ago

Simplify, failsafe, secure by default, less work, less document to read, less 3rd party things to refer to for a core-feature like security.

Suggestion moved to "Implementation idea" section of the issue.

gsmet commented 1 year ago

@mkmpnataraj Word of advice: you can state your opinion politely and avoid antagonizing people. You'll see that it usually works better.

mkmpnataraj commented 1 year ago

Thanks for the advice. Please feel free to revise/change/implement as you find good for developer community. I moved my suggestion to "Implementation idea" section of initial request.

radcortez commented 1 year ago

I've improved the documentation in SmallRye Config about using the Jasypt SecretKeyHandler: https://smallrye.io/smallrye-config/Main/config/secret-keys/#jasypt

This does work with the latest Quarkus version (in JVM mode only) and SmallRye Config 3.3.0, so it requires the following dependency in your Quarkus project:

<dependency>
    <groupId>io.smallrye.config</groupId>
    <artifactId>smallrye-config-jasypt</artifactId>
    <version>3.3.0</version>
</dependency>

While I agree this is not ideal, we cannot document this in Quarkus until we have full native support with Jasypt. I'll see if I can find time to look into it and add it.
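The "quarkus:encrypt" step proposed in the Implementation ideas above, and the smallrye-config-jasypt setup described in this comment, both come down to producing an ENC(...) value with Jasypt and wiring the matching password into the config handler. The following is an added example written for this page; it is not code from the thread, from SmallRye Config or from Quarkus. It uses only the public Jasypt API (StandardPBEStringEncryptor, RandomIvGenerator) and prints a property line in the `${jasypt::ENC(...)}` form shown in the linked SmallRye Config docs. The class name, the JASYPT_PASSWORD environment variable and the sample plaintext are constructed for the demo; that the random-IV setup here is what the SmallRye handler expects for PBEWithHMACSHA512AndAES_256 is an assumption taken from the algorithm named in those docs, so verify a round trip against your own deployment before relying on it.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

/**
 * Added example (not project code): produce and verify an ENC(...) value
 * for use with the SmallRye Config Jasypt secret keys handler.
 */
public class JasyptEncDemo {

    // Algorithm used in the SmallRye Config docs example; AES-based PBE needs an IV,
    // which is why an IvGenerator is set below (Jasypt 1.9.3+).
    static final String ALGORITHM = "PBEWithHMACSHA512AndAES_256";

    // Builds a Jasypt encryptor for the given master password. A fresh random salt
    // and IV are generated per encryption, so the same plaintext yields different
    // ciphertexts; only the password and algorithm must match on the decrypting side.
    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(password);
        enc.setAlgorithm(ALGORITHM);
        enc.setIvGenerator(new RandomIvGenerator()); // assumption: matches the handler's setup
        return enc;
    }

    // Wraps the Base64 ciphertext in the ENC(...) marker the handler strips before decrypting.
    static String encValue(String password, String plaintext) {
        return "ENC(" + encryptor(password).encrypt(plaintext) + ")";
    }

    // Local check that the value decrypts back; rejects anything not wrapped in ENC(...).
    static String decValue(String password, String encValue) {
        if (!encValue.startsWith("ENC(") || !encValue.endsWith(")")) {
            throw new IllegalArgumentException("expected an ENC(...) value, got: " + encValue);
        }
        String ciphertext = encValue.substring("ENC(".length(), encValue.length() - 1);
        return encryptor(password).decrypt(ciphertext);
    }

    public static void main(String[] args) {
        // The master password is the one secret that must stay out of the repository.
        // Here it is read from an environment variable (name constructed for this demo).
        String password = System.getenv("JASYPT_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("JASYPT_PASSWORD is not set");
        }

        String plaintext = args.length > 0 ? args[0] : "s3cr3t-db-password"; // constructed sample
        String enc = encValue(password, plaintext);

        // Property lines for application.properties, in the form used by the SmallRye Config docs.
        System.out.println("smallrye.config.secret-handler.jasypt.algorithm=" + ALGORITHM);
        System.out.println("quarkus.datasource.password=${jasypt::" + enc + "}");

        // Round trip: what we wrote must decrypt to what we started with.
        String roundTrip = decValue(password, enc);
        if (!plaintext.equals(roundTrip)) {
            throw new AssertionError("round trip failed");
        }
    }
}
```

Two practical notes. First, never put `smallrye.config.secret-handler.jasypt.password` in the same file as the ENC() values; supply it at runtime, for example through the conventional MicroProfile Config environment-variable mapping (`SMALLRYE_CONFIG_SECRET_HANDLER_JASYPT_PASSWORD`) or a mounted secret, otherwise the ciphertexts are only obfuscation. Second, because salt and IV are random, re-running the tool for the same plaintext produces a different ENC() value each time; that is expected and is why the round-trip check decrypts rather than comparing ciphertexts.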

gsmet commented 1 year ago

@radcortez what could help is if you were able to create a draft PR with a native IT testing the Jasypt support: we might be able to find someone else to work on the native support and make the test pass.

radcortez commented 1 year ago

If I remember correctly, it failed at build image time with some initialization code and classloading. I believe this will require some substitutions. I would say that it would be better to have the wrapping extension in https://github.com/quarkiverse/quarkus-config-extensions, instead of Quarkus core.

radcortez commented 1 year ago

This should add the native image support for Jasypt: https://github.com/quarkiverse/quarkus-config-extensions/pull/147

radcortez commented 1 year ago

This is now available in Quarkiverse Config Extensions:

gsmet commented 1 year ago

Should we add a note in the Quarkus doc pointing to the new extension?

radcortez commented 1 year ago

Sure. Do you mean the migration guide?