[HOPSWORKS-1585] Encrypt JWT signing keys

hopsworks-admin/pom.xml

@@ -72,13 +72,21 @@
         </exclusion>
       </exclusions>
     </dependency>
+
     <dependency>
       <groupId>io.hops.hopsworks</groupId>
       <artifactId>hopsworks-rest-utils</artifactId>
       <version>${project.version}</version>
       <scope>provided</scope>
     </dependency>
 
+    <dependency>
+      <groupId>io.hops.hopsworks</groupId>
+      <artifactId>hopsworks-security</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
+
     <dependency>
       <groupId>io.hops.hopsworks</groupId>
       <artifactId>hopsworks-common</artifactId>

hopsworks-admin/src/main/java/io/hops/hopsworks/admin/maintenance/LoggedMaintenanceHelper.java

@@ -15,10 +15,10 @@
  */
 package io.hops.hopsworks.admin.maintenance;
 
-import io.hops.hopsworks.common.security.CertificatesMgmService;
 import io.hops.hopsworks.common.util.Settings;
 import io.hops.hopsworks.exceptions.EncryptionMasterPasswordException;
 import io.hops.hopsworks.persistence.entity.util.VariablesVisibility;
+import io.hops.hopsworks.security.password.MasterPasswordService;
 
 import javax.ejb.EJB;
 import javax.ejb.Stateless;
@@ -36,7 +36,7 @@ public class LoggedMaintenanceHelper {
   @EJB
   private Settings settings;
   @EJB
-  private CertificatesMgmService certificatesMgmService;
+  private MasterPasswordService masterPasswordService;
 
 
   public void updateVariable(String varName, String varValue,
@@ -47,8 +47,8 @@ public void updateVariable(String varName, String varValue,
   public void changeMasterEncryptionPassword(String currentPassword, String newPassword, HttpServletRequest request)
     throws IOException, EncryptionMasterPasswordException {
     String userEmail = request.getUserPrincipal().getName();
-    certificatesMgmService.checkPassword(currentPassword, userEmail);
-    Integer opId = certificatesMgmService.initUpdateOperation();
-    certificatesMgmService.resetMasterEncryptionPassword(opId, newPassword, userEmail);
+    masterPasswordService.checkPassword(currentPassword, userEmail);
+    Integer opId = masterPasswordService.initUpdateOperation();
+    masterPasswordService.resetMasterEncryptionPassword(opId, newPassword, userEmail);
   }
 }

hopsworks-api/pom.xml

@@ -173,6 +173,13 @@
       </exclusions>
     </dependency>
 
+    <dependency>
+      <groupId>io.hops.hopsworks</groupId>
+      <artifactId>hopsworks-security</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
+
     <!-- jersey dependencies -->
     <dependency>
       <groupId>org.glassfish.jersey.core</groupId>

hopsworks-api/src/main/java/io/hops/hopsworks/api/admin/SystemAdminService.java

@@ -65,6 +65,7 @@
 import io.hops.hopsworks.persistence.entity.user.Users;
 import io.hops.hopsworks.persistence.entity.util.Variables;
 import io.hops.hopsworks.restutils.RESTCodes;
+import io.hops.hopsworks.security.password.MasterPasswordService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 
@@ -103,6 +104,8 @@ public class SystemAdminService {
   @EJB
   private CertificatesMgmService certificatesMgmService;
   @EJB
+  private MasterPasswordService masterPasswordService;
+  @EJB
   private NoCacheResponse noCacheResponse;
   @EJB
   private Settings settings;
@@ -134,9 +137,9 @@ public Response changeMasterEncryptionPassword(@Context SecurityContext sc,
     LOGGER.log(Level.FINE, "Requested master encryption password change");
     try {
       Users user = jWTHelper.getUserPrincipal(sc);
-      certificatesMgmService.checkPassword(oldPassword, user.getEmail());
-      Integer operationId = certificatesMgmService.initUpdateOperation();
-      certificatesMgmService.resetMasterEncryptionPassword(operationId, newPassword, user.getEmail());
+      masterPasswordService.checkPassword(oldPassword, user.getEmail());
+      Integer operationId = masterPasswordService.initUpdateOperation();
+      masterPasswordService.resetMasterEncryptionPassword(operationId, newPassword, user.getEmail());
 
       RESTApiJsonResponse response = noCacheResponse.buildJsonResponse(Response.Status.CREATED,
           String.valueOf(operationId));
@@ -154,7 +157,7 @@ public Response changeMasterEncryptionPassword(@Context SecurityContext sc,
   @GET
   @Path("/encryptionPass/{opId}")
   public Response getUpdatePasswordStatus(@PathParam("opId") Integer operationId, @Context SecurityContext sc) {
-    CertificatesMgmService.UPDATE_STATUS status = certificatesMgmService.getOperationStatus(operationId);
+    MasterPasswordService.UPDATE_STATUS status = masterPasswordService.getOperationStatus(operationId);
     switch (status) {
       case OK:
         return noCacheResponse.getNoCacheCORSResponseBuilder(Response.Status.OK).build();

hopsworks-api/src/main/java/io/hops/hopsworks/api/filter/AuthFilter.java

@@ -25,6 +25,7 @@
 import io.hops.hopsworks.jwt.AlgorithmFactory;
 import io.hops.hopsworks.jwt.JWTController;
 import io.hops.hopsworks.jwt.annotation.JWTRequired;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
 import io.hops.hopsworks.jwt.filter.JWTFilter;
 import io.hops.hopsworks.restutils.JsonResponse;
@@ -65,7 +66,7 @@ public class AuthFilter extends JWTFilter {
   private ResourceInfo resourceInfo;
 
   @Override
-  public Algorithm getAlgorithm(DecodedJWT jwt) throws SigningKeyNotFoundException {
+  public Algorithm getAlgorithm(DecodedJWT jwt) throws SigningKeyNotFoundException, SigningKeyEncryptionException {
     return algorithmFactory.getAlgorithm(jwt);
   }
 

hopsworks-api/src/main/java/io/hops/hopsworks/api/jwt/JWTHelper.java

@@ -33,6 +33,7 @@
 import io.hops.hopsworks.jwt.exception.InvalidationException;
 import io.hops.hopsworks.jwt.exception.JWTException;
 import io.hops.hopsworks.jwt.exception.NotRenewableException;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
 import io.hops.hopsworks.jwt.exception.VerificationException;
 import io.hops.hopsworks.persistence.entity.project.Project;
@@ -163,8 +164,7 @@ public String getAuthToken(ContainerRequestContext req) {
    * @throws DuplicateSigningKeyException
    */
   public String createToken(Users user, String issuer, Map<String, Object> claims) throws NoSuchAlgorithmException,
-      SigningKeyNotFoundException,
-      DuplicateSigningKeyException {
+    SigningKeyNotFoundException, DuplicateSigningKeyException, SigningKeyEncryptionException {
     String[] audience = null;
     Date expiresAt = null;
 
@@ -204,15 +204,17 @@ public String createOneTimeToken(Users user, String issuer, Map<String, Object>
     try {
       token = createOneTimeToken(user, roles, issuer, audience, now, expiresAt,
           Constants.ONE_TIME_JWT_SIGNING_KEY_NAME, claims, false);
-    } catch (NoSuchAlgorithmException | SigningKeyNotFoundException | DuplicateSigningKeyException ex) {
+    } catch (NoSuchAlgorithmException | SigningKeyNotFoundException | DuplicateSigningKeyException |
+      SigningKeyEncryptionException ex) {
       Logger.getLogger(JWTHelper.class.getName()).log(Level.SEVERE, null, ex);
     }
     return token;
   }
 
   public String createOneTimeToken(Users user, String[] roles, String issuer, String[] audience, Date notBefore,
       Date expiresAt, String keyName, Map<String, Object> claims, boolean createNewKey)
-    throws NoSuchAlgorithmException, SigningKeyNotFoundException, DuplicateSigningKeyException {
+    throws NoSuchAlgorithmException, SigningKeyNotFoundException, DuplicateSigningKeyException,
+    SigningKeyEncryptionException {
     SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(Constants.ONE_TIME_JWT_SIGNATURE_ALGORITHM);
     claims = jwtController.addDefaultClaimsIfMissing(claims, false, 0, roles);
 
@@ -233,7 +235,8 @@ public String createOneTimeToken(Users user, String[] roles, String issuer, Stri
    * @throws DuplicateSigningKeyException
    */
   public String createToken(Users user, String[] audience, String issuer, Date expiresAt, Map<String, Object> claims)
-      throws NoSuchAlgorithmException, SigningKeyNotFoundException, DuplicateSigningKeyException {
+    throws NoSuchAlgorithmException, SigningKeyNotFoundException, DuplicateSigningKeyException,
+    SigningKeyEncryptionException {
     SignatureAlgorithm alg = SignatureAlgorithm.valueOf(settings.getJWTSignatureAlg());
     String[] roles = userController.getUserRoles(user).toArray(new String[0]);
 
@@ -253,7 +256,7 @@ public String createToken(Users user, String[] audience, String issuer, Date exp
    * @throws DuplicateSigningKeyException
    */
   public JWTResponseDTO createToken(JWTRequestDTO jWTRequestDTO, String issuer) throws NoSuchAlgorithmException,
-      SigningKeyNotFoundException, DuplicateSigningKeyException {
+    SigningKeyNotFoundException, DuplicateSigningKeyException, SigningKeyEncryptionException {
     if (jWTRequestDTO == null || jWTRequestDTO.getKeyName() == null || jWTRequestDTO.getKeyName().isEmpty()
         || jWTRequestDTO.getAudiences() == null || jWTRequestDTO.getAudiences().length == 0
         || jWTRequestDTO.getSubject() == null || jWTRequestDTO.getSubject().isEmpty()) {
@@ -302,9 +305,8 @@ public boolean validToken(HttpServletRequest req, String issuer) {
    * @throws NotRenewableException
    * @throws InvalidationException  
    */
-  public JWTResponseDTO renewToken(JsonWebTokenDTO jsonWebTokenDTO, boolean invalidate,
-      Map<String, Object> claims)
-      throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
+  public JWTResponseDTO renewToken(JsonWebTokenDTO jsonWebTokenDTO, boolean invalidate, Map<String, Object> claims)
+    throws SigningKeyNotFoundException, NotRenewableException, InvalidationException, SigningKeyEncryptionException {
     if (jsonWebTokenDTO == null || jsonWebTokenDTO.getToken() == null || jsonWebTokenDTO.getToken().isEmpty()) {
       throw new IllegalArgumentException("No token provided.");
     }
@@ -414,8 +416,8 @@ public void deleteSigningKeyByName(String keyName) {
    * @throws SigningKeyNotFoundException
    * @throws VerificationException 
    */
-  public DecodedJWT verifyOneTimeToken(String token, String issuer) throws SigningKeyNotFoundException, 
-      VerificationException {
+  public DecodedJWT verifyOneTimeToken(String token, String issuer) throws SigningKeyNotFoundException,
+    VerificationException, SigningKeyEncryptionException {
     DecodedJWT jwt = null;
     if (token == null || token.trim().isEmpty()) {
       throw new VerificationException("Token not provided.");

hopsworks-api/src/main/java/io/hops/hopsworks/api/jwt/JWTResource.java

@@ -27,6 +27,7 @@
 import io.hops.hopsworks.jwt.exception.InvalidationException;
 import io.hops.hopsworks.jwt.exception.JWTException;
 import io.hops.hopsworks.jwt.exception.NotRenewableException;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
 import io.hops.hopsworks.persistence.entity.user.Users;
 import io.hops.hopsworks.restutils.RESTCodes;
@@ -75,15 +76,15 @@ public class JWTResource {
   @POST
   @ApiOperation(value = "Create application token", response = JWTResponseDTO.class)
   public Response createToken(JWTRequestDTO jWTRequestDTO, @Context SecurityContext sc) throws NoSuchAlgorithmException,
-    SigningKeyNotFoundException, DuplicateSigningKeyException {
+    SigningKeyNotFoundException, DuplicateSigningKeyException, SigningKeyEncryptionException {
     JWTResponseDTO jWTResponseDTO = jWTHelper.createToken(jWTRequestDTO, settings.getJWTIssuer());
     return Response.ok().entity(jWTResponseDTO).build();
   }
 
   @PUT
   @ApiOperation(value = "Renew application token", response = JWTResponseDTO.class)
   public Response renewToken(JsonWebTokenDTO jsonWebTokenDTO, @Context SecurityContext sc)
-    throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
+    throws SigningKeyNotFoundException, NotRenewableException, InvalidationException, SigningKeyEncryptionException {
     JWTResponseDTO jWTResponseDTO = jWTHelper.renewToken(jsonWebTokenDTO, true, new HashMap<>(3));
     return Response.ok().entity(jWTResponseDTO).build();
   }

hopsworks-api/src/main/java/io/hops/hopsworks/api/user/AuthService.java

@@ -60,6 +60,7 @@
 import io.hops.hopsworks.jwt.annotation.JWTRequired;
 import io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException;
 import io.hops.hopsworks.jwt.exception.InvalidationException;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
 import io.hops.hopsworks.persistence.entity.user.Users;
 import io.hops.hopsworks.persistence.entity.util.FormatUtils;
@@ -156,8 +157,7 @@ public Response jwtSession(@Context SecurityContext sc) {
   @JWTNotRequired
   public Response login(@FormParam("email") String email, @FormParam("password") String password,
     @FormParam("otp") String otp, @Context HttpServletRequest req) throws UserException, SigningKeyNotFoundException,
-    NoSuchAlgorithmException,
-    LoginException, DuplicateSigningKeyException {
+    NoSuchAlgorithmException, LoginException, DuplicateSigningKeyException, SigningKeyEncryptionException {
 
     if (email == null || email.isEmpty()) {
       throw new IllegalArgumentException("Email was not provided");
@@ -204,7 +204,7 @@ public Response logout(@Context HttpServletRequest req) throws UserException, In
   @JWTNotRequired
   public Response serviceLogin(@FormParam("email") String email, @FormParam("password") String password,
     @Context HttpServletRequest request) throws UserException, GeneralSecurityException, SigningKeyNotFoundException,
-    DuplicateSigningKeyException, HopsSecurityException {
+    DuplicateSigningKeyException, HopsSecurityException, SigningKeyEncryptionException {
     if (Strings.isNullOrEmpty(email)) {
       throw new IllegalArgumentException("Email cannot be null or empty");
     }
@@ -418,7 +418,7 @@ private void logoutSession(HttpServletRequest req) throws UserException {
   }
 
   private Response login(Users user, String password, HttpServletRequest req) throws UserException,
-      SigningKeyNotFoundException, NoSuchAlgorithmException, DuplicateSigningKeyException {
+    SigningKeyNotFoundException, NoSuchAlgorithmException, DuplicateSigningKeyException, SigningKeyEncryptionException {
     RESTApiJsonResponse json = new RESTApiJsonResponse();
     if (user.getBbcGroupCollection() == null || user.getBbcGroupCollection().isEmpty()) {
       throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE,

hopsworks-api/src/main/java/io/hops/hopsworks/api/util/DownloadService.java

@@ -57,6 +57,7 @@
 import io.hops.hopsworks.exceptions.DatasetException;
 import io.hops.hopsworks.exceptions.ProjectException;
 import io.hops.hopsworks.jwt.annotation.JWTRequired;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
 import io.hops.hopsworks.jwt.exception.VerificationException;
 import io.hops.hopsworks.persistence.entity.dataset.Dataset;
@@ -171,7 +172,7 @@ public Response getDownloadToken(@PathParam("path") String path, @QueryParam("ty
   @ApiOperation(value = "Download file.", response = StreamingOutput.class)
   public Response downloadFromHDFS(@PathParam("path") String path, @QueryParam("token") String token,
     @QueryParam("type") DatasetType datasetType, @Context SecurityContext sc) throws DatasetException,
-    SigningKeyNotFoundException, VerificationException, ProjectException {
+    SigningKeyNotFoundException, VerificationException, ProjectException, SigningKeyEncryptionException {
     if(!settings.isDownloadAllowed()){
       throw new DatasetException(RESTCodes.DatasetErrorCode.DOWNLOAD_NOT_ALLOWED, Level.FINEST);
     }

hopsworks-ca/pom.xml

@@ -72,6 +72,12 @@
       <artifactId>hopsworks-rest-utils</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>io.hops.hopsworks</groupId>
+      <artifactId>hopsworks-security</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>io.hops.hopsworks</groupId>
       <artifactId>hopsworks-jwt</artifactId>

hopsworks-ca/src/main/java/io/hops/hopsworks/ca/api/filter/AuthFilter.java

@@ -20,6 +20,7 @@
 import com.auth0.jwt.interfaces.DecodedJWT;
 import io.hops.hopsworks.ca.api.exception.mapper.CAJsonResponse;
 import io.hops.hopsworks.ca.controllers.CAConf;
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.restutils.JsonResponse;
 import io.hops.hopsworks.restutils.RESTCodes;
 import io.hops.hopsworks.jwt.AlgorithmFactory;
@@ -62,7 +63,7 @@ public class AuthFilter extends JWTFilter {
   private UriInfo uriInfo;
 
   @Override
-  public Algorithm getAlgorithm(DecodedJWT jwt) throws SigningKeyNotFoundException {
+  public Algorithm getAlgorithm(DecodedJWT jwt) throws SigningKeyNotFoundException, SigningKeyEncryptionException {
     return algorithmFactory.getAlgorithm(jwt);
   }
 

hopsworks-common/pom.xml

@@ -69,6 +69,13 @@
       <scope>provided</scope>
     </dependency>
 
+    <dependency>
+      <groupId>io.hops.hopsworks</groupId>
+      <artifactId>hopsworks-security</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
+
     <dependency>
       <groupId>io.hops.hopsworks</groupId>
       <artifactId>hopsworks-jwt</artifactId>

hopsworks-common/src/main/java/io/hops/hopsworks/common/elastic/ElasticJWTController.java

@@ -15,6 +15,7 @@
  */
 package io.hops.hopsworks.common.elastic;
 
+import io.hops.hopsworks.jwt.exception.SigningKeyEncryptionException;
 import io.hops.hopsworks.persistence.entity.project.Project;
 import io.hops.hopsworks.persistence.entity.project.team.ProjectRoleTypes;
 import io.hops.hopsworks.common.dao.project.team.ProjectTeamFacade;
@@ -54,7 +55,7 @@ public String getSigningKeyForELK() throws ElasticException {
     SignatureAlgorithm alg = SignatureAlgorithm.valueOf(settings.getJWTSignatureAlg());
     try {
       return jwtController.getSigningKeyForELK(alg);
-    } catch (NoSuchAlgorithmException e) {
+    } catch (NoSuchAlgorithmException | SigningKeyEncryptionException e) {
       throw new ElasticException(RESTCodes.ElasticErrorCode.SIGNING_KEY_ERROR,
           Level.SEVERE, "Failed to get elk signing key", e.getMessage(),
           e);
@@ -98,7 +99,8 @@ private String createTokenForELK(String project, Optional<Long> projectInodeId,
       }
       return jwtController.createTokenForELK(project, settings.getJWTIssuer()
           , claims, expiresAt, alg);
-    } catch (DuplicateSigningKeyException | NoSuchAlgorithmException | SigningKeyNotFoundException e) {
+    } catch (DuplicateSigningKeyException | NoSuchAlgorithmException | SigningKeyNotFoundException |
+      SigningKeyEncryptionException e) {
       throw new ElasticException(RESTCodes.ElasticErrorCode.JWT_NOT_CREATED,
           Level.SEVERE, "Failed to create jwt token for elk", e.getMessage(), e);
     }

hopsworks-common/src/main/java/io/hops/hopsworks/common/security/CertificateMaterializer.java

@@ -51,6 +51,7 @@
 import io.hops.hopsworks.common.util.HopsUtils;
 import io.hops.hopsworks.common.util.Settings;
 import io.hops.hopsworks.exceptions.CryptoPasswordNotFoundException;
+import io.hops.hopsworks.security.password.MasterPasswordService;
 import org.apache.commons.collections.Bag;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.collections.bag.HashBag;
@@ -125,7 +126,7 @@ public class CertificateMaterializer {
   @EJB
   private UserFacade userFacade;
   @EJB
-  private CertificatesMgmService certificatesMgmService;
+  private MasterPasswordService masterPasswordService;
   @EJB
   private RemoteMaterialReferencesFacade remoteMaterialReferencesFacade;
   @EJB
@@ -1206,7 +1207,7 @@ private char[] decryptMaterialPassword(String certificateIdentifier, String encr
     String userPassword = user.getPassword();
 
     try {
-      String decryptedPassword = HopsUtils.decrypt(userPassword, encryptedPassword, certificatesMgmService
+      String decryptedPassword = HopsUtils.decrypt(userPassword, encryptedPassword, masterPasswordService
           .getMasterEncryptionPassword());
       return decryptedPassword.toCharArray();
     } catch (Exception ex) {