Class EncryptionFilter

  • All Implemented Interfaces:
    ConfigFilter

    public final class EncryptionFilter
    extends Object
    implements ConfigFilter
    Provides possibility to decrypt passwords from configuration sources. Configuration can be used to enforce encryption (e.g. we will fail on clear-text value).

    Password in properties must be stored as follows:

    • ${AES=base64} - encrypted password using a master password (must be provided to Prime through configuration, system property or environment variable)
    • ${RSA=base64} - encrypted password using a public key (private key must be available to Prime instance, its location must be provided to prime through configuration, system property or environment variable)
    • ${ALIAS=alias_name} - reference to another property, that is encrypted
    • ${CLEAR=text} - clear-text password. Intentionally denoting this value as a protectable one, so we can enforce encryption (e.g. in prod)
    Example:
     google_client_secret=${AES=mYRkg+4Q4hua1kvpCCI2hg==}
     service_password=${RSA=mYRkg+4Q4hua1kvpCCI2hg==}
     another_password=${ALIAS=service_password}
     cleartext_password=${CLEAR=known_password}
     
    See Also:
    ConfigProperties.PRIVATE_KEYSTORE_PATH_ENV_VARIABLE, ConfigProperties.MASTER_PASSWORD_ENV_VARIABLE, ConfigProperties.MASTER_PASSWORD_CONFIG_KEY, ConfigProperties.REQUIRE_ENCRYPTION_ENV_VARIABLE
    • Method Detail

      • fromConfig

        public static Function<Config,​ConfigFilter> fromConfig()
        Create a filter based on configuration (it takes its configuration from the configuration object it filters).
        Returns:
        ConfigFilter instance to register to config
      • builder

        public static EncryptionFilter.Builder builder()
        Builder to programmatically configure filter.
        Returns:
        Builder instance
      • apply

        public String apply​(Config.Key key,
                            String stringValue)
        Description copied from interface: ConfigFilter
        Filters an elementary config value before it is made available to the application via the Config API.
        Specified by:
        apply in interface ConfigFilter
        Parameters:
        key - configuration key associated with the Config node
        stringValue - original value to be filtered, never null
        Returns:
        original value or filtered (changed) value, never null