← Back to team overview

dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 21602: EncryptionStatus added to report on the configuration required to use encryption; Startuproute no...

 

Merge authors:
  Stian Sandvold (stian-sandvold)
------------------------------------------------------------
revno: 21602 [merge]
committer: Stian Sandvold <stian.sandvold@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2016-01-05 19:32:18 +0100
message:
  EncryptionStatus added to report on the configuration required to use encryption; Startuproute now checks EncryptionStatus and reports any missing configuration; adding and updating attributes (tracker) now stops users from using the confidential checkbox if EncryptionStatus != OK; InitTableAlteror now removes all deprecated columns from the old Configuration; DhisConfigurationProvider handles the logic to check is Encryption is configured correctly
added:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java
modified:
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java
  dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
  dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java
  dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

Your team DHIS 2 developers is subscribed to branch lp:dhis2.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk/+edit-subscription
=== added directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption'
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java	2016-01-05 18:27:36 +0000
@@ -0,0 +1,56 @@
+package org.hisp.dhis.encryption;
+
+/*
+ * Copyright (c) 2004-2016, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @author Stian Sandvold
+ */
+public enum EncryptionStatus
+{
+    OK( "Encryption is available" ),
+    MISSING_JCE_POLICY( "Missing the required JCE policy files for strong encryption." ),
+    MISSING_ENCRYPTION_PASSWORD( "Missing encryption.password in dhis.conf." ),
+    ENCRYPTION_PASSWORD_TOO_SHORT(
+        "encryption.password in dhis.conf is too short. Minimum 24 characters is required." );
+
+    private final String key;
+
+    EncryptionStatus( String key )
+    {
+        this.key = key;
+    }
+
+    public boolean isOk() {
+        return this == OK;
+    }
+
+    public String getKey() {
+        return key;
+    }
+}

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java	2016-01-05 18:25:17 +0000
@@ -30,8 +30,12 @@
 
 import java.util.UUID;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.hisp.dhis.configuration.Configuration;
 import org.hisp.dhis.configuration.ConfigurationService;
+import org.hisp.dhis.encryption.EncryptionStatus;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
 import org.hisp.dhis.system.startup.AbstractStartupRoutine;
 import org.springframework.beans.factory.annotation.Autowired;
 
@@ -41,16 +45,34 @@
     @Autowired
     private ConfigurationService configurationService;
 
+    @Autowired
+    private DhisConfigurationProvider dhisConfigurationProvider;
+
+    private static final Log log = LogFactory.getLog( ConfigurationPopulator.class );
+
     @Override
     public void execute()
         throws Exception
     {
+
+        checkSecurityConfiguration();
+
         Configuration config = configurationService.getConfiguration();
-        
+
         if ( config != null && config.getSystemId() == null )
         {
             config.setSystemId( UUID.randomUUID().toString() );
             configurationService.setConfiguration( config );
         }
     }
+
+    private void checkSecurityConfiguration()
+    {
+        EncryptionStatus status = dhisConfigurationProvider.isEncryptionConfigured();
+
+        if ( !status.isOk() )
+        {
+            log.warn( "Encryption not configured: " + status.getKey() );
+        }
+    }
 }

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java	2016-01-04 14:27:34 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java	2016-01-05 18:25:17 +0000
@@ -78,7 +78,7 @@
         updateFeatureTypes();
         updateValidationRuleEnums();
         updateProgramStatus();
-        updateSmtpPasswordColumn();
+        removeDeprecatedConfigurationColumns();
         updateTimestamps();
         updateCompletedBy();
 
@@ -100,12 +100,16 @@
     // Supportive methods
     // -------------------------------------------------------------------------
 
-    private void updateSmtpPasswordColumn()
+    private void removeDeprecatedConfigurationColumns()
     {
         try
         {
-            executeSql( "UPDATE configuration SET smtppassword = smptpassword" );
             executeSql( "ALTER TABLE configuration DROP COLUMN smptpassword" );
+            executeSql( "ALTER TABLE configuration DROP COLUMN smtppassword" );
+            executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverurl" );
+            executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverusername" );
+            executeSql( "ALTER TABLE configuration DROP COLUMN remotepassword" );
+            executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverpassword" );
 
         }
         catch ( Exception ex )

=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java	2016-01-05 14:03:19 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java	2016-01-05 18:25:17 +0000
@@ -35,6 +35,7 @@
 {
     SYSTEM_BASE_URL( "system.base_url" ),
     SYSTEM_READ_ONLY_MODE( "system.read_only_mode", "off" ),
+    ENCRYPTION_PASSWORD( "encryption.password", "" ),
     CONNECTION_DIALECT( "connection.dialect" ),
     CONNECTION_DRIVER_CLASS( "connection.driver_class" ),
     CONNECTION_URL( "connection.url" ),

=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java	2016-01-05 18:25:17 +0000
@@ -30,13 +30,17 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
 import java.util.Properties;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.hisp.dhis.encryption.EncryptionStatus;
 import org.hisp.dhis.external.location.LocationManager;
 import org.hisp.dhis.external.location.LocationManagerException;
 
+import javax.crypto.Cipher;
+
 /**
  * @author Lars Helge Overland
  */
@@ -46,14 +50,15 @@
     private static final Log log = LogFactory.getLog( DefaultDhisConfigurationProvider.class );
 
     private static final String CONF_FILENAME = "dhis.conf";
+
     private static final String ENABLED_VALUE = "on";
-    
+
     // -------------------------------------------------------------------------
     // Dependencies
     // -------------------------------------------------------------------------
 
     private LocationManager locationManager;
-    
+
     public void setLocationManager( LocationManager locationManager )
     {
         this.locationManager = locationManager;
@@ -63,11 +68,11 @@
      * Cache for properties.
      */
     private Properties properties;
-    
+
     public void init()
     {
         InputStream in = null;
-        
+
         try
         {
             in = locationManager.getInputStream( CONF_FILENAME );
@@ -75,7 +80,7 @@
         catch ( LocationManagerException ex1 )
         {
             log.debug( "Could not load dhis.conf, looking for hibernate.properties" );
-                        
+
             try // Deprecated
             {
                 in = locationManager.getInputStream( "hibernate.properties" );
@@ -85,9 +90,9 @@
                 log.debug( "Could not load hibernate.properties" );
             }
         }
-        
+
         Properties properties = new Properties();
-        
+
         if ( in != null )
         {
             try
@@ -99,7 +104,7 @@
                 throw new IllegalStateException( "Properties could not be loaded", ex );
             }
         }
-        
+
         this.properties = properties;
     }
 
@@ -114,7 +119,7 @@
     }
 
     @Override
-    public String getProperty( ConfigurationKey key  )
+    public String getProperty( ConfigurationKey key )
     {
         return properties.getProperty( key.getKey(), key.getDefaultValue() );
     }
@@ -124,7 +129,7 @@
     {
         return properties.getProperty( key.getKey(), defaultValue );
     }
-    
+
     @Override
     public boolean isEnabled( ConfigurationKey key )
     {
@@ -136,8 +141,40 @@
     {
         String ldapUrl = getProperty( ConfigurationKey.LDAP_URL );
         String managerDn = getProperty( ConfigurationKey.LDAP_MANAGER_DN );
-        
-        return !( ConfigurationKey.LDAP_URL.getDefaultValue().equals( ldapUrl ) ||
-            ldapUrl == null || managerDn == null );
+
+        return !(ConfigurationKey.LDAP_URL.getDefaultValue().equals( ldapUrl ) ||
+            ldapUrl == null || managerDn == null);
+    }
+
+    @Override
+    public EncryptionStatus isEncryptionConfigured()
+    {
+        String password;
+        int maxKeyLength;
+
+        // Check for JCE files is present (key length > 128) and AES is available
+        try
+        {
+            maxKeyLength = Cipher.getMaxAllowedKeyLength( "AES" );
+            if(maxKeyLength == 128) {
+                return EncryptionStatus.MISSING_JCE_POLICY;
+            }
+        }
+        catch ( NoSuchAlgorithmException e )
+        {
+            return EncryptionStatus.MISSING_JCE_POLICY;
+        }
+
+        password = getProperty( ConfigurationKey.ENCRYPTION_PASSWORD );
+
+        if(password.length() == 0) {
+            return EncryptionStatus.MISSING_ENCRYPTION_PASSWORD;
+        }
+
+        if(password.length() < 24) {
+            return EncryptionStatus.ENCRYPTION_PASSWORD_TOO_SHORT;
+        }
+
+        return EncryptionStatus.OK;
     }
 }

=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java	2016-01-05 18:25:17 +0000
@@ -28,6 +28,8 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.hisp.dhis.encryption.EncryptionStatus;
+
 import java.util.Properties;
 
 /**
@@ -78,4 +80,11 @@
      * @return true if LDAP authentication is configured.
      */
     boolean isLdapConfigured();
+
+    /**
+     * Indicates whether encryption is correctly configured and available in the system.
+     *
+     * @return EncryptionStatus reflecting the status of encryption in the system
+     */
+    EncryptionStatus isEncryptionConfigured();
 }

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java	2016-01-05 18:25:17 +0000
@@ -5,6 +5,7 @@
 import org.hisp.dhis.analytics.AggregationType;
 import org.hisp.dhis.attribute.AttributeService;
 import org.hisp.dhis.common.ValueType;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
 import org.hisp.dhis.legend.LegendService;
 import org.hisp.dhis.option.OptionService;
 import org.hisp.dhis.option.OptionSet;
@@ -80,6 +81,9 @@
     @Autowired
     private AttributeService attributeService;
 
+    @Autowired
+    private DhisConfigurationProvider dhisConfigurationProvider;
+
     // -------------------------------------------------------------------------
     // Input/Output
     // -------------------------------------------------------------------------

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java	2016-01-05 18:25:17 +0000
@@ -31,6 +31,7 @@
 import com.opensymphony.xwork2.Action;
 import org.hisp.dhis.attribute.Attribute;
 import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
 import org.hisp.dhis.legend.LegendService;
 import org.hisp.dhis.legend.LegendSet;
 import org.hisp.dhis.option.OptionService;
@@ -83,6 +84,9 @@
     @Autowired
     private AttributeService attributeService;
 
+    @Autowired
+    private DhisConfigurationProvider dhisConfigurationProvider;
+
     // -------------------------------------------------------------------------
     // Input/Output
     // -------------------------------------------------------------------------
@@ -150,6 +154,12 @@
         return trackedEntities;
     }
 
+    public boolean getEncryptionStatus()
+    {
+        return dhisConfigurationProvider.isEncryptionConfigured().isAvailable();
+
+    }
+
     // -------------------------------------------------------------------------
     // Action implementation
     // -------------------------------------------------------------------------

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties	2015-12-07 13:12:15 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties	2016-01-05 18:25:17 +0000
@@ -541,4 +541,5 @@
 missing_value_replacement=Missing value replacement
 skip_offline=Skip offline
 data_approval_workflow=Data approval workflow
-display_front_page_list=Display front page list
\ No newline at end of file
+display_front_page_list=Display front page list
+encryption_not_available=Encryption is not configured.
\ No newline at end of file

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm	2015-12-02 13:56:57 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm	2016-01-05 18:25:17 +0000
@@ -78,9 +78,15 @@
 	<tr>
 		<td><label for="confidential">$i18n.getString( "confidential" ) <br /><span class="tipText">(Confidential attributes can not be used in search and analytics.)</span></label></td>
 		<td>
-			<input type='checkbox' id="confidential" name="confidential" value='true'>
+            #if($encryptionAvailable)
+			    <input type='checkbox' id="confidential" name="confidential" value='true'>
+            #else
+                <p style="max-width: 312px">
+                    <b>$i18n.getString( "encryption_not_available" )</b>
+                </p>
+            #end
 		</td>
-		<td></td>				
+		<td></td>
 	</tr>
 
 	<tr>

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm	2015-12-02 13:56:57 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm	2016-01-05 18:25:17 +0000
@@ -75,7 +75,13 @@
 	<tr>
 		<td><label for="confidential">$i18n.getString( "confidential" ) <br /><span class="tipText">(Confidential attributes can not be used in search and analytics.)</span></label></td>
 		<td>
-			<input type='checkbox' id="confidential" name="confidential" value='true' #if( $attribute.confidential ) checked #end disabled="disabled">
+            #if($encryptionAvailable)
+                <input type='checkbox' id="confidential" name="confidential" value='true' #if( $attribute.confidential ) checked #end disabled="disabled">
+            #else
+                <p style="max-width: 312px">
+                    <b>$i18n.getString( "encryption_not_available" )</b>
+                </p>
+            #end
         </td>
 		<td></td>				
 	</tr>