Sonar

Support for encrypted configuration

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 2.4.1
  • Fix Version/s: 3.0
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    0

Description

While trying to use the new feature "Update Center", I discovered that password are stored in clear in the file sonar.properties

For the db password, it's not really a problem to have it in clear cause sonar db is not as critical as our business one (it's considered as a dev tool) but when we talk about connecting to the Internet to download updates, it's not possbile anymore to use service account.

Could provide a way to encrypt passwords stored in the sonar.properties files ?

Thanks in advance.
Alex

Issue Links

is duplicated by

New Feature - A new feature of the product, which has yet to be developed. SONAR-2389 Support for encrypted configuration

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. SONAR-3330 Security problem (can easily "by pass" sonar authentication & authorization)

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
is related to

Bug - A problem which impairs or prevents the functions of the product. SONAR-3448 Sonar fails to start if the sonar.jdbc.* properties are encrypted

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. SONAR-2244 Sonar Analysis needs DB User / PW

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Simon Brandhof added a comment -

For sonar developers, here are some links to encrypt passwords in configuration files :

Show
Simon Brandhof added a comment - For sonar developers, here are some links to encrypt passwords in configuration files : http://docs.codehaus.org/display/JETTY/Securing+Passwords http://www.jasypt.org/encrypting-configuration.html
Hide
Permalink
Simon Brandhof added a comment -

Title is updated in order to be more generic (both server and batch sides).

Show
Simon Brandhof added a comment - Title is updated in order to be more generic (both server and batch sides).
Hide
Permalink
Alexandre Navarro added a comment -

I'm not sure your solution resolves the problem.
Can I use the login/encrypt password to connect another sonar on the db?
If you use a symetric cryptology (like the jasypt), it is to decrypt the password easily, isn't it?

Show
Alexandre Navarro added a comment - I'm not sure your solution resolves the problem. Can I use the login/encrypt password to connect another sonar on the db? If you use a symetric cryptology (like the jasypt), it is to decrypt the password easily, isn't it?
Hide
Permalink
Simon Brandhof added a comment -

The key point is that the secret key must be stored in a secured file that is readable only by the java process owner.
That means that two different sonar launched with the same system account can access to the same database.

Show
Simon Brandhof added a comment - The key point is that the secret key must be stored in a secured file that is readable only by the java process owner. That means that two different sonar launched with the same system account can access to the same database.
Hide
Permalink
Freddy Mallet added a comment -

Works well Simon, here are several minor possible improvements :

  • Add a title to the Encryption page
  • Add a link to the Confluence documentation page ?
  • When a secret is generated perhaps the title of the button should become "Generate a new random key". According to me in both cases, the word random should be replace by secret.
  • typo : "readable and by owner only" (the 'and' word should be removed)
  • type : the property is sonar.secretKeyFile and not sonar.secretKeyPath
  • replace 'on those machines if needed' by 'Define the property sonar.secretKeyPath on those machines if the standard ~/.sonar/sonar-secret.txt path is not used'
  • I do think that it would be better to have the two forms in the same page
  • The "Restart the Sonar server" step is missing
Show
Freddy Mallet added a comment - Works well Simon, here are several minor possible improvements : Add a title to the Encryption page Add a link to the Confluence documentation page ? When a secret is generated perhaps the title of the button should become "Generate a new random key". According to me in both cases, the word random should be replace by secret. typo : "readable and by owner only" (the 'and' word should be removed) type : the property is sonar.secretKeyFile and not sonar.secretKeyPath replace 'on those machines if needed' by 'Define the property sonar.secretKeyPath on those machines if the standard ~/.sonar/sonar-secret.txt path is not used' I do think that it would be better to have the two forms in the same page The "Restart the Sonar server" step is missing
Hide
Permalink
Simon Brandhof added a comment - - edited

For information the server must be restarted only if the property sonar.secretKeyPath is changed.

Show
Simon Brandhof added a comment - - edited For information the server must be restarted only if the property sonar.secretKeyPath is changed.
Hide
Permalink
Freddy Mallet added a comment -

Manually tested

Show
Freddy Mallet added a comment - Manually tested
Hide
Permalink
Simon Brandhof added a comment -

Integration tests added

Show
Simon Brandhof added a comment - Integration tests added

People

  • Assignee:
    Simon Brandhof
    Reporter:
    Alexandre GIGLEUX
Vote (5)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved: