[Branch ~dhis2-devs-core/dhis2/trunk] Rev 21602: EncryptionStatus added to report on the configuration required to use encryption; Startuproute no...
Merge authors:
Stian Sandvold (stian-sandvold)
------------------------------------------------------------
revno: 21602 [merge]
committer: Stian Sandvold <stian.sandvold@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2016-01-05 19:32:18 +0100
message:
EncryptionStatus added to report on the configuration required to use encryption; the startup routine now checks EncryptionStatus and reports any missing configuration; adding and updating attributes (tracker) now stops users from using the confidential checkbox if EncryptionStatus != OK; InitTableAlteror now removes all deprecated columns from the old Configuration; DhisConfigurationProvider handles the logic to check whether encryption is configured correctly
added:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/
dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java
modified:
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java
dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java
dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm
=== added directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption'
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/encryption/EncryptionStatus.java 2016-01-05 18:27:36 +0000
@@ -0,0 +1,56 @@
+package org.hisp.dhis.encryption;
+
+/*
+ * Copyright (c) 2004-2016, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @author Stian Sandvold
+ */
+public enum EncryptionStatus
+{
+ OK( "Encryption is available" ),
+ MISSING_JCE_POLICY( "Missing the required JCE policy files for strong encryption." ),
+ MISSING_ENCRYPTION_PASSWORD( "Missing encryption.password in dhis.conf." ),
+ ENCRYPTION_PASSWORD_TOO_SHORT(
+ "encryption.password in dhis.conf is too short. Minimum 24 characters is required." );
+
+ private final String key;
+
+ EncryptionStatus( String key )
+ {
+ this.key = key;
+ }
+
+ public boolean isOk() {
+ return this == OK;
+ }
+
+ public String getKey() {
+ return key;
+ }
+}
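Review bot: The field and accessor are named `key`/`getKey()`, but the values given at `OK( "Encryption is available" )` and the three constants below it are full English sentences, and ConfigurationPopulator logs `getKey()` verbatim; `key` suggests an i18n lookup that never happens, so `message`/`getMessage()` would describe what is actually stored. The `OK` text is also the only one without a trailing period. The enum has no summary Javadoc; `/** Result of the startup check for encryption support: OK, or the first missing prerequisite that was found. */` above the declaration would cover it, and `isOk()`/`getKey()` use a brace style that differs from the constructor two lines above.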
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/ConfigurationPopulator.java 2016-01-05 18:25:17 +0000
@@ -30,8 +30,12 @@
import java.util.UUID;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.hisp.dhis.configuration.Configuration;
import org.hisp.dhis.configuration.ConfigurationService;
+import org.hisp.dhis.encryption.EncryptionStatus;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
import org.hisp.dhis.system.startup.AbstractStartupRoutine;
import org.springframework.beans.factory.annotation.Autowired;
@@ -41,16 +45,34 @@
@Autowired
private ConfigurationService configurationService;
+ @Autowired
+ private DhisConfigurationProvider dhisConfigurationProvider;
+
+ private static final Log log = LogFactory.getLog( ConfigurationPopulator.class );
+
@Override
public void execute()
throws Exception
{
+
+ checkSecurityConfiguration();
+
Configuration config = configurationService.getConfiguration();
-
+
if ( config != null && config.getSystemId() == null )
{
config.setSystemId( UUID.randomUUID().toString() );
configurationService.setConfiguration( config );
}
}
+
+ private void checkSecurityConfiguration()
+ {
+ EncryptionStatus status = dhisConfigurationProvider.isEncryptionConfigured();
+
+ if ( !status.isOk() )
+ {
+ log.warn( "Encryption not configured: " + status.getKey() );
+ }
+ }
}
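Review bot: `checkSecurityConfiguration()` only logs at WARN and lets startup proceed, which a name that reads like a guard does not convey; a Javadoc line `/** Logs a warning when encryption is not usable (see EncryptionStatus); startup continues regardless. */` would make that contract explicit to the next maintainer. Minor layout: the static `log` field is declared below the injected instance fields, and `execute()` now opens with an empty line before `checkSecurityConfiguration();`.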
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java 2016-01-04 14:27:34 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/startup/InitTableAlteror.java 2016-01-05 18:25:17 +0000
@@ -78,7 +78,7 @@
updateFeatureTypes();
updateValidationRuleEnums();
updateProgramStatus();
- updateSmtpPasswordColumn();
+ removeDeprecatedConfigurationColumns();
updateTimestamps();
updateCompletedBy();
@@ -100,12 +100,16 @@
// Supportive methods
// -------------------------------------------------------------------------
- private void updateSmtpPasswordColumn()
+ private void removeDeprecatedConfigurationColumns()
{
try
{
- executeSql( "UPDATE configuration SET smtppassword = smptpassword" );
executeSql( "ALTER TABLE configuration DROP COLUMN smptpassword" );
+ executeSql( "ALTER TABLE configuration DROP COLUMN smtppassword" );
+ executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverurl" );
+ executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverusername" );
+ executeSql( "ALTER TABLE configuration DROP COLUMN remotepassword" );
+ executeSql( "ALTER TABLE configuration DROP COLUMN remoteserverpassword" );
}
catch ( Exception ex )
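Review bot: All six DROP COLUMN statements sit in one try block, so if `executeSql` lets an exception through, the first failure stops the rest: `smptpassword` was already dropped by the previous `updateSmtpPasswordColumn` on any instance that ran the earlier revision, most databases error on dropping a missing column, and the remaining five columns — three of which held stored passwords — would then survive the migration. I cannot see `executeSql` or the catch body, which continues past the hunk; if `executeSql` already catches and logs its own errors the outer try is merely redundant, otherwise each drop needs to be isolated as below. In either case a comment such as `// Each column is dropped independently: a missing column must not abort the rest` states the intent.

```java
private void removeDeprecatedConfigurationColumns()
{
    // Each column is dropped in its own statement so that one missing
    // column (smptpassword is already gone on upgraded instances) does
    // not abort the remaining drops. Column names are constants, not input.
    String[] columns = { "smptpassword", "smtppassword", "remoteserverurl",
        "remoteserverusername", "remotepassword", "remoteserverpassword" };

    for ( String column : columns )
    {
        try
        {
            executeSql( "ALTER TABLE configuration DROP COLUMN " + column );
        }
        catch ( Exception ex )
        {
            // … unchanged: existing catch body …
        }
    }
}
```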
=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java 2016-01-05 14:03:19 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java 2016-01-05 18:25:17 +0000
@@ -35,6 +35,7 @@
{
SYSTEM_BASE_URL( "system.base_url" ),
SYSTEM_READ_ONLY_MODE( "system.read_only_mode", "off" ),
+ ENCRYPTION_PASSWORD( "encryption.password", "" ),
CONNECTION_DIALECT( "connection.dialect" ),
CONNECTION_DRIVER_CLASS( "connection.driver_class" ),
CONNECTION_URL( "connection.url" ),
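Review bot: `ENCRYPTION_PASSWORD` is given an empty-string default while the neighbouring single-argument keys have none, and `isEncryptionConfigured()` in DefaultDhisConfigurationProvider depends on that difference by calling `password.length()` with no null check. A comment on the line would stop a later cleanup from removing the default and turning a missing property into a NullPointerException at startup: `ENCRYPTION_PASSWORD( "encryption.password", "" ), // empty default on purpose: consumers test length(), never null`.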
=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DefaultDhisConfigurationProvider.java 2016-01-05 18:25:17 +0000
@@ -30,13 +30,17 @@
import java.io.IOException;
import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.hisp.dhis.encryption.EncryptionStatus;
import org.hisp.dhis.external.location.LocationManager;
import org.hisp.dhis.external.location.LocationManagerException;
+import javax.crypto.Cipher;
+
/**
* @author Lars Helge Overland
*/
@@ -46,14 +50,15 @@
private static final Log log = LogFactory.getLog( DefaultDhisConfigurationProvider.class );
private static final String CONF_FILENAME = "dhis.conf";
+
private static final String ENABLED_VALUE = "on";
-
+
// -------------------------------------------------------------------------
// Dependencies
// -------------------------------------------------------------------------
private LocationManager locationManager;
-
+
public void setLocationManager( LocationManager locationManager )
{
this.locationManager = locationManager;
@@ -63,11 +68,11 @@
* Cache for properties.
*/
private Properties properties;
-
+
public void init()
{
InputStream in = null;
-
+
try
{
in = locationManager.getInputStream( CONF_FILENAME );
@@ -75,7 +80,7 @@
catch ( LocationManagerException ex1 )
{
log.debug( "Could not load dhis.conf, looking for hibernate.properties" );
-
+
try // Deprecated
{
in = locationManager.getInputStream( "hibernate.properties" );
@@ -85,9 +90,9 @@
log.debug( "Could not load hibernate.properties" );
}
}
-
+
Properties properties = new Properties();
-
+
if ( in != null )
{
try
@@ -99,7 +104,7 @@
throw new IllegalStateException( "Properties could not be loaded", ex );
}
}
-
+
this.properties = properties;
}
@@ -114,7 +119,7 @@
}
@Override
- public String getProperty( ConfigurationKey key )
+ public String getProperty( ConfigurationKey key )
{
return properties.getProperty( key.getKey(), key.getDefaultValue() );
}
@@ -124,7 +129,7 @@
{
return properties.getProperty( key.getKey(), defaultValue );
}
-
+
@Override
public boolean isEnabled( ConfigurationKey key )
{
@@ -136,8 +141,40 @@
{
String ldapUrl = getProperty( ConfigurationKey.LDAP_URL );
String managerDn = getProperty( ConfigurationKey.LDAP_MANAGER_DN );
-
- return !( ConfigurationKey.LDAP_URL.getDefaultValue().equals( ldapUrl ) ||
- ldapUrl == null || managerDn == null );
+
+ return !(ConfigurationKey.LDAP_URL.getDefaultValue().equals( ldapUrl ) ||
+ ldapUrl == null || managerDn == null);
+ }
+
+ @Override
+ public EncryptionStatus isEncryptionConfigured()
+ {
+ String password;
+ int maxKeyLength;
+
+ // Check for JCE files is present (key length > 128) and AES is available
+ try
+ {
+ maxKeyLength = Cipher.getMaxAllowedKeyLength( "AES" );
+ if(maxKeyLength == 128) {
+ return EncryptionStatus.MISSING_JCE_POLICY;
+ }
+ }
+ catch ( NoSuchAlgorithmException e )
+ {
+ return EncryptionStatus.MISSING_JCE_POLICY;
+ }
+
+ password = getProperty( ConfigurationKey.ENCRYPTION_PASSWORD );
+
+ if(password.length() == 0) {
+ return EncryptionStatus.MISSING_ENCRYPTION_PASSWORD;
+ }
+
+ if(password.length() < 24) {
+ return EncryptionStatus.ENCRYPTION_PASSWORD_TOO_SHORT;
+ }
+
+ return EncryptionStatus.OK;
}
}
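Review bot: The JCE check `if(maxKeyLength == 128)` recognises only one specific restricted value; `Cipher.getMaxAllowedKeyLength( "AES" )` returns `Integer.MAX_VALUE` when there is no limit, so any other restricted value would be reported as OK even though strong keys are unavailable. Testing the bound instead, `if ( maxKeyLength < 256 )`, returns MISSING_JCE_POLICY for every policy that cannot do AES-256 and matches the "strong encryption" wording of that status. The three new `if(...) {` lines also break with the Allman style and spaced parentheses used by the surrounding try block; and a short Javadoc on the override should say that the password is validated by length only, so that readers do not assume any other check on its value happens here.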
=== modified file 'dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java'
--- dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/DhisConfigurationProvider.java 2016-01-05 18:25:17 +0000
@@ -28,6 +28,8 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+import org.hisp.dhis.encryption.EncryptionStatus;
+
import java.util.Properties;
/**
@@ -78,4 +80,11 @@
* @return true if LDAP authentication is configured.
*/
boolean isLdapConfigured();
+
+ /**
+ * Indicates whether encryption is correctly configured and available in the system.
+ *
+ * @return EncryptionStatus reflecting the status of encryption in the system
+ */
+ EncryptionStatus isEncryptionConfigured();
}
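Review bot: The new method is named `isEncryptionConfigured()` but returns an `EncryptionStatus` rather than a boolean, and its Javadoc opens with "Indicates whether", so callers will expect a yes/no answer; `getEncryptionStatus()` would match both the return type and the enum. If the name is kept, the Javadoc should at least describe the value: `Returns the {@link EncryptionStatus} describing whether encryption can be used and, if not, which prerequisite is missing.`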
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/AddAttributeAction.java 2016-01-05 18:25:17 +0000
@@ -5,6 +5,7 @@
import org.hisp.dhis.analytics.AggregationType;
import org.hisp.dhis.attribute.AttributeService;
import org.hisp.dhis.common.ValueType;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
import org.hisp.dhis.legend.LegendService;
import org.hisp.dhis.option.OptionService;
import org.hisp.dhis.option.OptionSet;
@@ -80,6 +81,9 @@
@Autowired
private AttributeService attributeService;
+ @Autowired
+ private DhisConfigurationProvider dhisConfigurationProvider;
+
// -------------------------------------------------------------------------
// Input/Output
// -------------------------------------------------------------------------
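Review bot: `dhisConfigurationProvider` is injected here but nothing in the hunk reads it, while the commit message says adding an attribute must refuse the confidential flag when encryption is unavailable. Hiding the checkbox in addAttributeForm.vm only changes the rendered form; a request that still carries the confidential parameter reaches `execute()`, which is outside the hunk, so unless that method already consults the provider the rule is not enforced on the server. The guard belongs where the attribute is populated, before it is saved — assuming the input field is named `confidential` as in the form, something like `if ( confidential && !dhisConfigurationProvider.isEncryptionConfigured().isOk() ) { confidential = false; }`, or an error result with the existing `encryption_not_available` message.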
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/java/org/hisp/dhis/trackedentity/action/trackedentityattribute/ShowAddUpdateAttributeAction.java 2016-01-05 18:25:17 +0000
@@ -31,6 +31,7 @@
import com.opensymphony.xwork2.Action;
import org.hisp.dhis.attribute.Attribute;
import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
import org.hisp.dhis.legend.LegendService;
import org.hisp.dhis.legend.LegendSet;
import org.hisp.dhis.option.OptionService;
@@ -83,6 +84,9 @@
@Autowired
private AttributeService attributeService;
+ @Autowired
+ private DhisConfigurationProvider dhisConfigurationProvider;
+
// -------------------------------------------------------------------------
// Input/Output
// -------------------------------------------------------------------------
@@ -150,6 +154,12 @@
return trackedEntities;
}
+ public boolean getEncryptionStatus()
+ {
+ return dhisConfigurationProvider.isEncryptionConfigured().isAvailable();
+
+ }
+
// -------------------------------------------------------------------------
// Action implementation
// -------------------------------------------------------------------------
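Review bot: `getEncryptionStatus()` calls `isAvailable()` on the value returned by `isEncryptionConfigured()`, but the EncryptionStatus enum added in this same commit defines `isOk()`, not `isAvailable()`, so this file does not compile. The templates addAttributeForm.vm and updateAttibuteForm.vm test `$encryptionAvailable`, which a getter named `getEncryptionStatus` does not expose under the usual bean-property naming of the value stack, so both forms would fall into the `#else` branch even once the call compiles. Rename the getter to match the templates and fix the call: `public boolean getEncryptionAvailable()` returning `dhisConfigurationProvider.isEncryptionConfigured().isOk();`, and drop the stray blank line before the closing brace.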
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties 2015-12-07 13:12:15 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/resources/org/hisp/dhis/trackedentity/i18n_module.properties 2016-01-05 18:25:17 +0000
@@ -541,4 +541,5 @@
missing_value_replacement=Missing value replacement
skip_offline=Skip offline
data_approval_workflow=Data approval workflow
-display_front_page_list=Display front page list
\ No newline at end of file
+display_front_page_list=Display front page list
+encryption_not_available=Encryption is not configured.
\ No newline at end of file
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm 2015-12-02 13:56:57 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/addAttributeForm.vm 2016-01-05 18:25:17 +0000
@@ -78,9 +78,15 @@
<tr>
<td><label for="confidential">$i18n.getString( "confidential" ) <br /><span class="tipText">(Confidential attributes can not be used in search and analytics.)</span></label></td>
<td>
- <input type='checkbox' id="confidential" name="confidential" value='true'>
+ #if($encryptionAvailable)
+ <input type='checkbox' id="confidential" name="confidential" value='true'>
+ #else
+ <p style="max-width: 312px">
+ <b>$i18n.getString( "encryption_not_available" )</b>
+ </p>
+ #end
</td>
- <td></td>
+ <td></td>
</tr>
<tr>
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm 2015-12-02 13:56:57 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-program/src/main/webapp/dhis-web-maintenance-program/updateAttibuteForm.vm 2016-01-05 18:25:17 +0000
@@ -75,7 +75,13 @@
<tr>
<td><label for="confidential">$i18n.getString( "confidential" ) <br /><span class="tipText">(Confidential attributes can not be used in search and analytics.)</span></label></td>
<td>
- <input type='checkbox' id="confidential" name="confidential" value='true' #if( $attribute.confidential ) checked #end disabled="disabled">
+ #if($encryptionAvailable)
+ <input type='checkbox' id="confidential" name="confidential" value='true' #if( $attribute.confidential ) checked #end disabled="disabled">
+ #else
+ <p style="max-width: 312px">
+ <b>$i18n.getString( "encryption_not_available" )</b>
+ </p>
+ #end
</td>
<td></td>
</tr>