ID-39: add support to change key of a secrets file

Author: mlookaxw

doc/manual/_config-tool.adoc

@@ -163,9 +163,6 @@ The file has to be created by the `encrypt` tool.
 |--secrets-key
 |Path to key file to decrypt confidential properties.
 
-This a file containing any arbitrary bytes.
-If you edit this file with a text editor be aware of the encoding and the end of line sequence.
-
 The key file has to be the same as on creating the secrets file.
 
 This parameter is required if a secrets file is specified.
@@ -177,13 +174,15 @@ This parameter is required if a secrets file is specified.
 The `encrypt` tools is used to generate an initial secrets file and to encrypt the values of the properties.
 The script is invoked with the `jython` interpreter provided with the package and deployment tools of the API Gateway.
 
-The tool requires a path to the secrets file and a passphrase to encrypt the values.
+The tool requires a path to the secrets file and a key file to encrypt the values.
 If the secrets file doesn't exist a new file will be created.
-For existing files the given passphrase is checked against the passphrase used on file creation.
+For existing files the given key is checked against the key used on file creation.
 
 ....
 $ encrypt.sh -h
-Usage: secrets.py OPTIONS
+Usage: encrypt OPTIONS
+
+Encrypt secrets.
 
 Options:
   --version             show program's version number and exit
@@ -192,9 +191,9 @@ Options:
   --secrets-file=FILEPATH
                         Path of JSON file containing confidential properties
   --secrets-key=FILEPATH
-                        Path to key file to decrypt confidential properties
-
-Encrypt credentials.
+                        Path to key file to encrypt confidential properties
+  --secrets-key-new=FILEPATH
+                        Path to new key file to change key [optional]
 ....
 
 [cols="2,5a", options="header"]
@@ -206,14 +205,22 @@ Encrypt credentials.
 |Path of JSON file containing confidential properties.
 
 |--secrets-key
-|Path to key file to decrypt confidential properties.
+|Path to key file to encrypt confidential properties.
 
-This a file containing any arbitrary bytes.
+.Key File
+****
+The key file contains any arbitrary sequence of bytes.
+It is treated as a binary file.
 
 If you edit this file with a text editor be aware of the encoding and the end of line sequence.
-In this case use ASCII characters in a single line (no line feed at the end).
+In this case use ASCII characters in a single line (no line feed at the end) to prevent any incompatibility with other line end formats or editor encodings.
+****
 
-This parameter is required if a secrets file is specified.
+|--secrets-key-new
+|Path to new key file.
+
+Use this option to change the key.
+All values will be re-encrypted with the new key.
 |===
 
 To add new properties tag the values with the `encrypt:` prefix.
@@ -235,6 +242,22 @@ Values having this prefix will be encrypted on running the tool.
 
 NOTE: The `encrypt` tool use the same cipher as the entity store.
 
+*Examples*
+
+Encrypt values with the given key:
+
+.Command Line
+....
+$ encrypt.sh --secrets-file=gateway.crypt.json --secrets-key=secrets.key
+....
+
+Change the key of a secrets file:
+
+.Command Line
+....
+$ encrypt.sh --secrets-file=gateway.crypt.json --secrets-key=secrets.key --secrets-key-new=new_secrets.key
+....
+
 == Configuration Files
 
 For the configuration of the environment specific deployment archive, various configuration files are used.
@@ -532,7 +555,7 @@ All values are encrypted with the same key.
   }
 }
 ----
-<1> The `secrets` property is requried.
+<1> The `secrets` property is required.
 <2> Marker to check the key. Don't delete or change it.
 <3> The prefix `encrypt:` indicates that the value `changeme` has to be encrypted by the `encrypt` tool.
 <4> Values without the prefix are already encrypted.

doc/manual/_usage.adoc

@@ -393,8 +393,17 @@ $ mvn apigw:tools
 
 === Encrypt Secrets File
 To create an empty secrets file or to add properties to secrets file, the goal `apigw:encrypt` can be used.
-A passphrase is used to initially create the secrets file.
-The same passphrase as used to create the file has to be used to decrypt values.
+A file containing a key is used to initially create the secrets file.
+The same key file as used to create the file has to be used to decrypt values.
+
+.Key File
+****
+The key file contains any arbitrary sequence of bytes.
+It is treated as a binary file.
+
+If you edit this file with a text editor be aware of the encoding and the end of line sequence.
+In this case use ASCII characters in a single line (no line feed at the end) to prevent any incompatibility with other line end formats or editor encodings.
+****
 
 .gateway.crypt.json
 [source,json]
@@ -412,9 +421,10 @@ The same passphrase as used to create the file has to be used to decrypt values.
 
 .Command Line
 ....
-$ mvn apigw:encrypt -Daxway.config.secrets.file=gateway.crypt.json -Daxway.config.secrets.passphrase=changeme
+$ mvn apigw:encrypt -Daxway.config.secrets.file=gateway.crypt.json -Daxway.config.secrets.key=secrets.key
 ....
 
+
 == Maven Goals
 This section provides a short overview of the goals supported by the Maven plugin.
 

src/main/resources/scripts/lib/secrets.py

@@ -61,13 +61,16 @@ def __init__(self, secrets_key_file, secrets_file_path, create_if_not_exists=Fal
             raise ValueError("Secrets file '%s' doesn't exist!" % (self.__file_path))
         return
 
-    def __encrypt_value(self, value):
+    def __encrypt_value(self, value, cipher=None):
+        if not cipher:
+            cipher = self.__cipher
+    
         # add salt
         salt = "#{:06d}:".format(random.randint(0,999999))
         value = salt + value
 
         # encrypt salted value
-        value_bytes = self.__cipher.encrypt(value.encode('utf-8'))
+        value_bytes = cipher.encrypt(value.encode('utf-8'))
         value_b64 = base64.b64encode(value_bytes)
 
         return value_b64
@@ -114,6 +117,28 @@ def get_secret(self, key):
 
         return value
 
+    def change_key(self, secrets_key_file_new):
+        # create new cipher using new key file
+        if not os.path.isfile(secrets_key_file_new):
+            raise ValueError("Key file not found: %s" % (secrets_key_file_new))
+        
+        key = None
+        with open(secrets_key_file_new, mode='rb') as skf:
+            key = skf.read()
+
+        new_cipher = PasswordCipher(key)
+
+        # re-encrypt values
+        for s in self.__secrets_json["secrets"]:
+            v = self.get_secret(s)
+            v = self.__encrypt_value(v, new_cipher)
+
+            self.__secrets_json["secrets"][s] = v
+
+            logging.info("Key changed for property '%s'." % (s))
+
+        self.__cipher = new_cipher
+        return
 
     def write(self):
         json_str = json.dumps(self.__secrets_json, sort_keys=True, indent=2)
@@ -123,15 +148,17 @@ def write(self):
         return
 
 def main_encrypt():
-    prog = sys.argv[0]
+    prog = "encrypt"
+    description="Encrypt secrets."
     version = "%prog 1.0.0"
     usage = "%prog OPTIONS"
-    epilog = "Encrypt secrets."
+    epilog = ""
 
-    parser = OptionParser(usage=usage, version=version, epilog=epilog)
+    parser = OptionParser(usage=usage, version=version, epilog=epilog, prog=prog, description=description)
     parser.add_option("-v", "--verbose", dest="verbose", help="Enable verbose messages [optional]", action="store_true")
-    parser.add_option("--secrets-file", dest="secrets_file", help="Path of JSON file containing confidential propertiers", metavar="FILEPATH")
-    parser.add_option("--secrets-key", dest="secrets_key_file", help="Path to key file to decrypt confidential properties", metavar="FILEPATH")
+    parser.add_option("--secrets-file", dest="secrets_file", help="Path of JSON file containing confidential properties", metavar="FILEPATH")
+    parser.add_option("--secrets-key", dest="secrets_key_file", help="Path to key file to encrypt confidential properties", metavar="FILEPATH")
+    parser.add_option("--secrets-key-new", dest="secrets_key_file_new", help="Path to new key file to change key [optional]", metavar="FILEPATH")
 
     (options, args) = parser.parse_args()
 
@@ -150,6 +177,9 @@ def main_encrypt():
     try:
         secrets = Secrets(options.secrets_key_file, options.secrets_file, create_if_not_exists=True)
         secrets.encrypt()
+        if options.secrets_key_file_new:
+            logging.info("Re-encrypt values to change key.")
+            secrets.change_key(options.secrets_key_file_new)
         secrets.write()
 
     except Exception as e: