Pluggable Secret Managers support in Apache OFBiz trunk #1367
Open
ashishvijaywargiya wants to merge 28 commits into
Conversation
…or various providers' support we can add plugin components.
…radle task that will help us in generating the plain or encrypted password.
…plain text and encrypted passwords both. Added a method in ConfigCryptoUtil.java, and this method will be used by all the secret manager plugins present in the plugins folder.
…cret manager/vault is unavailable, then it will check the password (plain or encrypted) in the passwords.properties file.
…sole warnings; now it will return the file name as well when it's falling back to file-based credentials because all the plugins are disabled.
Replace the hand-rolled javax.crypto AES/GCM/NoPadding implementation in ConfigCryptoUtil with Apache Shiro's AesCipherService (AES-256-GCM), the same crypto library already used by EntityCrypto for entity field-level encryption. This standardizes the encryption approach across the codebase and removes duplicate, manually managed cipher/IV handling code. PBKDF2WithHmacSHA256 key derivation from OFBIZ_DB_KEY is retained unchanged. Note: the on-disk format of ENC(...) values changes (Shiro uses a 16-byte IV vs the previous 12-byte IV), so any existing encrypted values in passwords.properties or external secret stores must be regenerated using the generateDBPassword Gradle task. I have tested it out and everything is working fine.
…his work to add support for secret managers/vaults in OFBiz. In previous commits, we added support for six secret managers/vaults in OFBiz. In this commit, I am adding support for the following points: 1) Add SecretValueResolver to resolve SECRET(key) markers in .properties values via SecretProviderFactory, with TTL cache and passwords.properties fallback. 2) UtilProperties.getPropertyValue now passes resolved values through SecretValueResolver. 3) Add SystemProperty.systemPropertyLookup field; EntityUtilProperties resolves it via SecretValueResolver, falling back to systemPropertyValue (ENC(...) via ConfigCryptoUtil, or plain text). 4) Rename OFBIZ_DB_KEY to OFBIZ_MASTER_KEY across ConfigCryptoUtil, SecretProvider SPI, and docs. 5) Add generateEncryptedSecret Gradle task to produce systemPropertyLookup/systemPropertyValue pairs for SystemProperty rows. 6) Add INFO logging in EntityUtilProperties indicating whether a resolved value came from systemPropertyLookup or systemPropertyValue. 7) jdbc-password-lookup and EntityConfig.getJdbcPassword() remain unchanged and fully backward compatible. 8) Add unit tests for SecretValueResolver.
…Test.java that I missed in my previous commit.
… task to generate encrypted secrets/passwords on the console that can be used to set up data in the SystemProperty file.
…STER_KEY. So updating the information in Javadoc.
…Secret, so secrets/master keys never need to be passed via -P (and end up in shell history or ps). Falls back to OFBIZ_MASTER_KEY env var when no master key is supplied; existing -P based usage is unchanged.
…d passwords either in SystemProperty or in the passwords.properties file. Also added the bulk secret creation option. Also added sandboxing support for the entered CSV file so that someone couldn't add a malicious file.
…able via secret.value.marker in security.properties, which is the natural home for this setting. SecretValueResolver exposes a new resolveKey(String) method so callers holding a raw key (e.g. SystemProperty.systemPropertyLookup) can resolve without wrapping the value in a LOOKUP(...) marker — the field name already implies lookup semantics. Marker-based resolution (LOOKUP(key) in .properties files) is unchanged. Server-side and client-side guards now reject a LOOKUP(...) marker typed into lookupKey, and an ENC(...) prefix typed into secretValue, on both the single-entry form and the CSV bulk-upload path.
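An added illustration of the resolution and guard behaviour the commits above describe: marker-based resolution of a .properties value, raw-key resolution (the resolveKey role) over a provider chain that falls back to passwords.properties, and the guards that reject a LOOKUP(...) marker in lookupKey or an ENC(...) prefix in secretValue. This is stand-in code written for this page, not OFBiz's SecretValueResolver; the class and method names, the "LOOKUP" default marker and the sample stores are assumptions, and the TTL cache is left out.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Hypothetical stand-in for the PR's SecretValueResolver and form guards; not OFBiz code.
public final class MarkerResolverDemo {
    // The marker name is configurable in the PR (secret.value.marker); "LOOKUP" is assumed here.
    static final String MARKER = "LOOKUP";
    static final Pattern MARKER_PATTERN = Pattern.compile("^" + MARKER + "\\(([^()]+)\\)$");
    // Provider chain in priority order: vault plugins first, file-based credentials last.
    private final List<Function<String, Optional<String>>> providers;
    MarkerResolverDemo(List<Function<String, Optional<String>>> providers) { this.providers = providers; }
    // Raw-key resolution, the role resolveKey() plays for SystemProperty.systemPropertyLookup.
    Optional<String> resolveKey(String key) {
        for (Function<String, Optional<String>> p : providers) {
            Optional<String> v = p.apply(key);
            if (v.isPresent()) return v;
        }
        return Optional.empty();
    }
    // Marker-based resolution for .properties values; non-marker values pass through unchanged.
    String resolveValue(String value) {
        Matcher m = MARKER_PATTERN.matcher(value);
        return m.matches() ? resolveKey(m.group(1)).orElse(value) : value;
    }
    // Guards mirroring the PR: a marker typed into lookupKey, or an ENC(...) prefix typed into
    // secretValue, is rejected on the single-entry form and on each CSV row alike.
    static void validateEntry(String lookupKey, String secretValue) {
        if (MARKER_PATTERN.matcher(lookupKey).matches())
            throw new IllegalArgumentException("lookupKey must be a raw key, not " + MARKER + "(...)");
        if (secretValue.startsWith("ENC("))
            throw new IllegalArgumentException("secretValue must be plain text, not ENC(...)");
    }
    public static void main(String[] args) {
        // Constructed sample stores: the vault lacks "smtp.pass", so that key falls back to the file.
        Map<String, String> vault = Map.of("db.pass", "from-vault");
        Map<String, String> passwordsProperties = Map.of("smtp.pass", "from-file");
        Function<String, Optional<String>> vaultProvider = k -> Optional.ofNullable(vault.get(k));
        Function<String, Optional<String>> fileProvider = k -> Optional.ofNullable(passwordsProperties.get(k));
        MarkerResolverDemo r = new MarkerResolverDemo(Arrays.asList(vaultProvider, fileProvider));
        System.out.println(r.resolveValue("LOOKUP(db.pass)") + " / " + r.resolveValue("LOOKUP(smtp.pass)"));
        validateEntry("db.pass", "plain-secret");
        try { validateEntry("LOOKUP(db.pass)", "x"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```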
Security: bound and format checks on identifiers and secret values in testSecretProviderConnection and storeEncryptedSecret; usage stats OUT attributes made optional. Plugin lifecycle: AWS, Azure, Bitwarden, HashiCorp, 1Password, and GCP providers now implement close() for clean shutdown. Code quality: de-duplicated SAFE_IDENTIFIER pattern; clarified the key-not-found contract in SecretProvider.getSecret() Javadoc. Testing: new unit tests for FileBasedSecretProvider, SecretProviderFactory, CSV and identifier validation, usage stats, and PBKDF2 iteration defaults. UI/UX: Active Configuration panel, truncated usage report keys, input maxlength, and submit button "Processing" state. Docs: added a PBKDF2 iteration migration guide.
Move the inline Groovy logic from the screen widget to EncryptValue.groovy and reference it using the location attribute. Also wire the getSecretUsageStats OUT parameters usageSummary and usageReport into the screen context. Request attributes are available only under context.parameters, so the FTL check usageSummary?has_content was always evaluating to false.
getClass For "${...}" content: Expected a string or something automatically convertible to string (number, date or boolean), or
"template output" , but this has evaluated to a method+sequence (wrapper: f.e.b.SimpleMethodModel): ==> activeSettings[k] [in template
"component://webtools/template/secret/EncryptValue.ftl" at line 26, column 76] ---- Tip: Maybe using obj.something instead of
obj.getSomething will yield the desired value. ---- ---- FTL stack trace ("~" means nesting-related): - Failed at: ${activeSettings[k]}
[in template "component://webtools/template/secret/EncryptValue.ftl" at line 26, column 74] ----
getOrDefault For "${...}" content: Expected a string or something automatically convertible to string (number, date or boolean), or
"template output" , but this has evaluated to a method+sequence (wrapper: f.e.b.SimpleMethodModel): ==> activeSettings[k] [in template
"component://webtools/template/secret/EncryptValue.ftl" at line 26, column 76] ---- Tip: Maybe using obj.something(params) instead of
obj.something will yield the desired value ---- ---- FTL stack trace ("~" means nesting-related): - Failed at: ${activeSettings[k]} [in
template "component://webtools/template/secret/EncryptValue.ftl" at line 26, column 74] ----
gilPts reviewed Jun 19, 2026
| runtimeOnly 'org.apache.axis2:axis2-transport-http:1.8.2' | ||
| runtimeOnly 'org.apache.axis2:axis2-transport-local:1.8.2' | ||
| runtimeOnly 'com.h2database:h2:2.4.240' | ||
| runtimeOnly 'com.mysql:mysql-connector-j:8.4.0' |
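Review bot: the `runtimeOnly 'com.mysql:mysql-connector-j:8.4.0'` line in this hunk pulls a MySQL JDBC driver into the default runtime classpath, and none of the commit messages in this PR explain why the secret-manager work needs it; either state the reason in the commit message or keep that line out of this change, as the comment below also asks.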
Not sure that is required for trunk ?
Thanks
Adds an hourly JobSandbox job (autoSyncRotatedSecrets, disabled by default via secret.rotation.autosync.enabled) that detects secrets rotated in the remote vault and writes the new value into SystemProperty.systemPropertyValue, without an admin manually clicking "Sync Now" in EncryptValue. Also adds change-detection to syncSecretFromProvider so lastRotatedDate only advances on an actual value change, not on every poll. Limitations: sync is one-way (vault -> OFBiz) only; no SecretProvider writes back to the vault, so a value edited locally for a vault-backed SystemProperty row is overwritten on the next run. Scope is SystemProperty only - passwords.properties-backed secrets (including jdbc-password-lookup DB passwords, explicitly out of scope) remain manual-sync-only via EncryptValue or the generateEncryptedSecret/generateDBPassword Gradle tasks.
Adding support for pluggable secret managers, a webtools "Encrypt Value" screen with CSV bulk upload, and a configurable secret-value marker.