Plugins for various secret managers - AWS Secrets Manager, GCP (Google Cloud Platform) Secret Manager, Azure Key Vault, HashiCorp Vault by IBM, 1Password, and Bitwarden Secrets Manager. (#291)
Open
ashishvijaywargiya wants to merge 21 commits into
…g is being done with AWS Secret Manager plugin. For other plugins, I need to create account at all the providers then will update the code if required.
…d on need. We are keeping it disabled because we want to make sure that plain text and encrypted password scheme on file system is working fine.
…from the secret manager. Testing with aws secret manager has been completed. I tested it with plain text and encrypted passwords both. Added a method in ConfigCryptoUtil.java and this method will be used by all the secret manager plugins present in plugins folder.
…REST one. Formatted the code following the best practices.
- Wrong oauthClientId format ("service-account." prefix shouldn't be there)
- Wrong sealing key length validation (16 bytes, not 64)
- Missing encrypted_payload decryption step to derive the org key, plus "secrets" vs "data" field name in the list API response
…cret manager/vault is unavailable then it will check the password (plain or encrypted one) in the passwords.properties file. Added a fallback parameter in all the property files, and also used proper naming convention in the hashicorp vault component.
Network-level AWS SDK errors (e.g. connection refused) extend SdkException, not SecretsManagerException, so they previously escaped as unhandled RuntimeExceptions and bypassed FallbackSecretProvider.
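The two commits above describe the fallback path (vault unavailable, so read from passwords.properties) and the bug that bypassed it (client-side SDK errors do not extend SecretsManagerException). The following is an added illustration, not code from this PR or from OFBiz; it assumes the AWS SDK for Java v2 on the classpath and uses a made-up class name and constructor. The point it shows is the catch ordering: the "key does not exist" case honours the null contract and does not fall back, while every other SdkException, including connection refused and timeouts, takes the fallback branch.

```java
// Added example (not the PR's code). Assumes AWS SDK for Java v2.
// Class name, constructor and the Properties-backed fallback are illustrative stand-ins.
import java.util.Properties;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;

public class AwsSecretsProviderExample {

    private final SecretsManagerClient client;
    // Stands in for passwords.properties; the PR's file provider also handles encrypted values.
    private final Properties fallbackPasswords;
    // Mirrors the "fallback" parameter the PR adds to each property file.
    private final boolean fallbackEnabled;

    public AwsSecretsProviderExample(SecretsManagerClient client,
                                     Properties fallbackPasswords,
                                     boolean fallbackEnabled) {
        this.client = client;
        this.fallbackPasswords = fallbackPasswords;
        this.fallbackEnabled = fallbackEnabled;
    }

    /**
     * Returns the secret value, or null when the key does not exist in the vault
     * (the key-not-found contract). Falls back to the properties file only when the
     * vault itself cannot be reached or answers with an error.
     */
    public String getSecret(String key) {
        try {
            GetSecretValueRequest request = GetSecretValueRequest.builder()
                    .secretId(key)
                    .build();
            return client.getSecretValue(request).secretString();
        } catch (ResourceNotFoundException e) {
            // The vault answered and the key is absent: report "not found", do not fall back,
            // otherwise a stale file entry could silently shadow a deleted vault secret.
            return null;
        } catch (SdkException e) {
            // SdkException is the common ancestor of SecretsManagerException (service-side
            // errors) and of client-side failures such as connection refused or timeouts.
            // Catching only SecretsManagerException lets the latter escape as RuntimeExceptions.
            if (!fallbackEnabled) {
                throw e;
            }
            return fallbackPasswords.getProperty(key);
        }
    }
}
```

Treating ResourceNotFoundException separately from the rest of SdkException is a design choice worth making explicit in the provider's Javadoc: an operator who deletes a secret from the vault should see a missing key, not a value quietly served from the local file.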
…ies file. Those parameters were used by aws cli. Now we are reading access key and secret access key from the properties file. Also renamed the properties file parameters in onepassword-secrets-provider.
…e with a "data" array key, but BitwardenSecretsProvider.findSecretId() (and Bitwarden's real Secrets Manager API) expects "secrets". Fixed the two mock JSON strings to use "secrets" - 4 previously-failing tests from Bitwarden now pass.
…naming conventions and improve readability.
…ly for minor/patch updates to their respective SDKs (AWS, Azure, Bitwarden, GCP, HashiCorp Vault, 1Password), opening a PR against trunk whenever one's available — major version bumps are still ignored per the existing ignore rule, so those stay manual.
Security: bound and format checks on identifiers and secret values in testSecretProviderConnection and storeEncryptedSecret; usage stats OUT attributes made optional. Plugin lifecycle: AWS, Azure, Bitwarden, HashiCorp, 1Password, and GCP providers now implement close() for clean shutdown. Code quality: de-duplicated SAFE_IDENTIFIER pattern; clarified the key-not-found contract in SecretProvider.getSecret() Javadoc. Testing: new unit tests for FileBasedSecretProvider, SecretProviderFactory, CSV and identifier validation, usage stats, and PBKDF2 iteration defaults. UI/UX: Active Configuration panel, truncated usage report keys, input maxlength, and submit button Processing state. Docs: added a PBKDF2 iteration migration guide.
Adds dependencyLocking + gradle.lockfile to all six secret-provider plugins (AWS, Azure, Bitwarden, GCP, HashiCorp, 1Password) so transitive dependency versions are pinned and reproducible. Fixes SonarCloud warning about missing lock files.
…ugins

Add key.alias.<logicalKey>=<physicalKey> support to all seven secret providers (AWS, Azure, GCP, HashiCorp Vault, Bitwarden, 1Password, EnvVar), so a secret key used in OFBiz code can be stored under a different name in the external vault. This is needed because some providers restrict characters (no dots/dashes, length limits), and we don't want to rename keys across the codebase to satisfy one backend. Add the EnvVar provider as a hot-deploy plugin so secrets can be read from plain environment variables with no vault at all, useful for container/CI setups where an external tool already injects secrets as env vars before OFBiz starts. Move the duplicated TTL cache and key-alias config loading out of each plugin into one shared helper, SecretProviderUtil, in framework/base, so every provider reuses the same cache and config-reading code instead of its own copy. Add unit tests for the new alias overrides and the shared helper, consolidated into a single test class and properties fixture.
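The commit above describes three pieces that the shared helper carries: alias loading from key.alias.<logicalKey>=<physicalKey> entries, a TTL cache reused by every provider, and an EnvVar provider that needs no vault. The following is an added, self-contained illustration of how those fit together; it is not the PR's SecretProviderUtil and does not reproduce its API. The SAFE_IDENTIFIER pattern, the class and method names, the properties fixture and the environment map are all constructed for the example (the map stands in for System.getenv() so the code runs without touching the real environment).

```java
// Added example (not the PR's code). All names and the alias pattern are illustrative.
import java.time.Clock;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.regex.Pattern;

public class KeyAliasEnvVarExample {

    // Constructed stand-in for the PR's SAFE_IDENTIFIER: bounds length and character set
    // of a logical key before it is used to look anything up.
    static final Pattern SAFE_IDENTIFIER = Pattern.compile("^[A-Za-z0-9._-]{1,128}$");
    static final String ALIAS_PREFIX = "key.alias.";

    /** Builds the logical->physical map from key.alias.<logicalKey>=<physicalKey> entries. */
    static Map<String, String> loadAliases(Properties props) {
        Map<String, String> aliases = new ConcurrentHashMap<>();
        for (String name : props.stringPropertyNames()) {
            if (!name.startsWith(ALIAS_PREFIX)) {
                continue;
            }
            String logical = name.substring(ALIAS_PREFIX.length());
            String physical = props.getProperty(name, "").trim();
            // Reject malformed aliases rather than letting an odd key reach the backend.
            if (SAFE_IDENTIFIER.matcher(logical).matches() && !physical.isEmpty()) {
                aliases.put(logical, physical);
            }
        }
        return aliases;
    }

    /** A key with no alias is stored under its own name in the backend. */
    static String resolve(Map<String, String> aliases, String logicalKey) {
        return aliases.getOrDefault(logicalKey, logicalKey);
    }

    /** Minimal TTL cache meant to be instantiated once and shared, not copied per plugin. */
    static final class TtlCache {
        private record Entry(String value, long expiresAtMillis) { }
        private final Map<String, Entry> entries = new ConcurrentHashMap<>();
        private final long ttlMillis;
        private final Clock clock;

        TtlCache(long ttlMillis, Clock clock) {
            this.ttlMillis = ttlMillis;
            this.clock = clock;
        }

        /** Returns the cached value while fresh, otherwise reloads; misses are never cached. */
        String get(String key, Function<String, String> loader) {
            long now = clock.millis();
            Entry cached = entries.get(key);
            if (cached != null && now < cached.expiresAtMillis()) {
                return cached.value();
            }
            String value = loader.apply(key);
            if (value == null) {
                entries.remove(key);
            } else {
                entries.put(key, new Entry(value, now + ttlMillis));
            }
            return value;
        }
    }

    /** EnvVar provider: the physical key is read from the process environment, no vault involved. */
    static String envVarSecret(Map<String, String> env, Map<String, String> aliases, String logicalKey) {
        if (!SAFE_IDENTIFIER.matcher(logicalKey).matches()) {
            return null;
        }
        return env.get(resolve(aliases, logicalKey));
    }

    public static void main(String[] args) {
        // Constructed fixture: a dotted OFBiz key mapped to an env-var-safe name.
        Properties props = new Properties();
        props.setProperty("key.alias.db.password", "OFBIZ_DB_PASSWORD");
        Map<String, String> aliases = loadAliases(props);

        // Constructed environment standing in for System.getenv().
        Map<String, String> env = Map.of("OFBIZ_DB_PASSWORD", "example-only-value");

        TtlCache cache = new TtlCache(60_000, Clock.systemUTC());
        String value = cache.get("db.password", k -> envVarSecret(env, aliases, k));
        // Never log the secret itself; length is enough to confirm the lookup worked.
        System.out.println(value == null ? "not found" : "found (" + value.length() + " chars)");
    }
}
```

The cache deliberately does not store null results, so a secret that is injected into the environment after a failed lookup is picked up on the next call rather than being masked for a full TTL.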
…o me since I created it.
Adding support for various secrets managers as a plugin in the plugins folder: AWS Secrets Manager, GCP (Google Cloud Platform) Secret Manager, Azure Key Vault, HashiCorp Vault by IBM, 1Password, and Bitwarden Secrets Manager.