conga-aem-crypto-cli: Add command line options to encrypt and decrypt values using AEM crypto support.

Author: stefanseifert

changes.xml

@@ -23,7 +23,10 @@
     xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
   <body>
 
-    <release version="1.9.4" date="not released">
+    <release version="1.10.0" date="not released">
+      <action type="add" dev="sseifert">
+        conga-aem-crypto-cli: Add command line options to encrypt and decrypt values using AEM crypto support.
+      </action>
       <action type="fix" dev="sseifert">
         conga-aem-crypto-cli: Allow to generate AEM crypto keys without specifying and Ansible vault password.
       </action>

src/site/markdown/crypto-cli.md.vm

@@ -1,4 +1,7 @@
-## CONGA AEM Crypto CLI tool
+#set( $symbol_pound = '#' )
+#set( $symbol_dollar = '$' )
+#set( $symbol_escape = '\' )
+${symbol_pound}${symbol_pound} CONGA AEM Crypto CLI tool
 
 The CONGA AEM plugin also provides a command-line interface tool for generating new AEM crypto keys.
 
@@ -7,15 +10,15 @@ The generated keys are supported by AEM 6.3 and upwards.
 _**Please note:** You need to install the [Java Cryptography Extension (JCE) Unlimited Strength policy files][jce-policy] from Oracle, because Ansible uses 256 bit keys to handle encryption and decryption of the vault files. If you are using Java 8u162 or higher they are already active by default._
 
 
-### Download
+${symbol_pound}${symbol_pound}${symbol_pound} Download
 
 Download it from Maven Central:
 
 |---|---|---|
 | [CONGA AEM Crypto CLI tool](https://repo1.maven.org/maven2/io/wcm/devops/conga/plugins/conga-aem-crypto-cli/${project.properties['releasedVersion.version']}/conga-aem-crypto-cli-${project.properties['releasedVersion.version']}-dist.zip) | [![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.plugins/conga-aem-crypto-cli/badge.svg)](https://repo1.maven.org/maven2/io/wcm/devops/conga/plugins/conga-aem-crypto-cli/${project.properties['releasedVersion.version']}/conga-aem-crypto-cli-${project.properties['releasedVersion.version']}-dist.zip) |
 
 
-### Generate AEM crypto keys
+${symbol_pound}${symbol_pound}${symbol_pound} Generate AEM crypto keys
 
 Generate a set of crypto keys:
 
@@ -49,4 +52,24 @@ java -Dansible.vault.password=mypassword -jar conga-aem-crypto-cli-${project.pro
 ```
 
 
+${symbol_pound}${symbol_pound}${symbol_pound} Encrypt and decrypt values using AEM crypto support
+
+Encrypt string using AEM crypto support and a given key:
+
+
+```
+java -jar conga-aem-crypto-cli-${project.properties['releasedVersion.version']}.jar \
+     -cryptoAesKey <path to master file> -aemCryptoEncrypt <value>
+```
+
+Decrypt string using AEM crypto support and a given key:
+
+
+```
+java -jar conga-aem-crypto-cli-${project.properties['releasedVersion.version']}.jar \
+     -cryptoAesKey <path to master file> -aemCryptoDecrypt <encrypted value>
+```
+
+
+
 [jce-policy]: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

tooling/conga-aem-crypto-cli/src/main/java/io/wcm/devops/conga/plugins/aem/tooling/crypto/cli/AemCrypto.java

@@ -0,0 +1,90 @@
+/*
+ * #%L
+ * wcm.io
+ * %%
+ * Copyright (C) 2019 wcm.io
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package io.wcm.devops.conga.plugins.aem.tooling.crypto.cli;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import io.wcm.devops.conga.plugins.aem.crypto.CryptoSupport;
+import io.wcm.devops.conga.plugins.aem.crypto.impl.AesCryptoSupport;
+
+/**
+ * Encrypts and decrypts values using AEM crypto support.
+ */
+public final class AemCrypto {
+
+  private AemCrypto() {
+    // static methods only
+  }
+
+  /**
+   * Encrypts a string value using AEM crypto support.
+   * @param value Value to encrypt
+   * @param cryptoAesKey Path to 'master' key file
+   * @return Encrypted value
+   * @throws IOException I/O Exception
+   * @throws GeneralSecurityException Security exception
+   */
+  public static String encryptString(String value, String cryptoAesKey)
+      throws IOException, GeneralSecurityException {
+    CryptoSupport crypto = new AesCryptoSupport();
+    Key key = getCryptoKey(cryptoAesKey, crypto);
+    return crypto.encrypt(value, key);
+  }
+
+  /**
+   * Decrypts a string value using AEM crypto support.
+   * @param value Value to decrypt
+   * @param cryptoAesKey Path to 'master' key file
+   * @return Decrypted value
+   * @throws IOException I/O Exception
+   * @throws GeneralSecurityException Security exception
+   */
+  public static String decryptString(String value, String cryptoAesKey)
+      throws IOException, GeneralSecurityException {
+    CryptoSupport crypto = new AesCryptoSupport();
+    Key key = getCryptoKey(cryptoAesKey, crypto);
+    return crypto.decrypt(value, key);
+  }
+
+  private static Key getCryptoKey(String cryptoAesKey, CryptoSupport crypto)
+      throws IOException, GeneralSecurityException {
+    if (StringUtils.isBlank(cryptoAesKey)) {
+      throw new IllegalArgumentException("Please specify AEM crypto 'master' key via parameter '" + AemCryptoCli.CRYPTO_AES_KEY + "'.");
+    }
+    File file = new File(cryptoAesKey);
+    if (!(file.exists() && file.isFile())) {
+      throw new IllegalArgumentException("Unable to find AEM crypto 'master' key: " + file.getAbsolutePath());
+    }
+    try (InputStream is = new BufferedInputStream(new FileInputStream(file))) {
+      byte[] data = IOUtils.toByteArray(is);
+      return crypto.readKey(data);
+    }
+  }
+
+}

tooling/conga-aem-crypto-cli/src/main/java/io/wcm/devops/conga/plugins/aem/tooling/crypto/cli/AemCryptoCli.java

@@ -32,11 +32,14 @@
  */
 public final class AemCryptoCli {
 
-  private static final String CRYPTO_KEYS_GENERATE = "cryptoKeysGenerate";
-  private static final String CRYPTO_KEYS_ANSIBLE_VAULT_ENCRYPT = "cryptoKeysAnsibleVaultEncrypt";
-  private static final String TARGET = "target";
-  private static final String ANSIBLE_VAULT_ENCRYPT = "ansibleVaultEncrypt";
-  private static final String ANSIBLE_VAULT_DECRYPT = "ansibleVaultDecrypt";
+  static final String CRYPTO_KEYS_GENERATE = "cryptoKeysGenerate";
+  static final String CRYPTO_KEYS_ANSIBLE_VAULT_ENCRYPT = "cryptoKeysAnsibleVaultEncrypt";
+  static final String TARGET = "target";
+  static final String ANSIBLE_VAULT_ENCRYPT = "ansibleVaultEncrypt";
+  static final String ANSIBLE_VAULT_DECRYPT = "ansibleVaultDecrypt";
+  static final String AEM_CRYPTO_ENCRYPT = "aemCryptoEncrypt";
+  static final String AEM_CRYPTO_DECRYPT = "aemCryptoDecrypt";
+  static final String CRYPTO_AES_KEY = "cryptoAesKey";
 
   /**
    * Command line options
@@ -48,6 +51,10 @@ public final class AemCryptoCli {
     CLI_OPTIONS.addOption(TARGET, true, "Target path for the generated keys.");
     CLI_OPTIONS.addOption(ANSIBLE_VAULT_ENCRYPT, true, "Encrypts the given file with Ansible Vault.");
     CLI_OPTIONS.addOption(ANSIBLE_VAULT_DECRYPT, true, "Decrypts the given file with Ansible Vault.");
+    CLI_OPTIONS.addOption(AEM_CRYPTO_ENCRYPT, true, "Encrypts the given value with AEM crypto support.");
+    CLI_OPTIONS.addOption(AEM_CRYPTO_DECRYPT, true, "Decrypts the given value with AEM crypto support.");
+    CLI_OPTIONS.addOption(CRYPTO_AES_KEY, true, "Path to 'master' file from AEM crypto keys for "
+        + "'" + AEM_CRYPTO_ENCRYPT + "' and '" + AEM_CRYPTO_DECRYPT + "'.");
     CLI_OPTIONS.addOption("?", false, "Print usage help.");
   }
 
@@ -70,6 +77,9 @@ public static void main(String[] args) throws Exception {
     File targetDir = new File(commandLine.getOptionValue(TARGET, "target"));
     String ansibleVaultEncryptPath = commandLine.getOptionValue(ANSIBLE_VAULT_ENCRYPT);
     String ansibleVaultDecryptPath = commandLine.getOptionValue(ANSIBLE_VAULT_DECRYPT);
+    String aemCryptoEncrypt = commandLine.getOptionValue(AEM_CRYPTO_ENCRYPT);
+    String aemCryptoDecrypt = commandLine.getOptionValue(AEM_CRYPTO_DECRYPT);
+    String cryptoAesKey = commandLine.getOptionValue(CRYPTO_AES_KEY);
 
     if (generateCryptoKeys) {
       CryptoKeys.generate(targetDir, ansibleVaultEncrypt)
@@ -84,6 +94,16 @@ else if (StringUtils.isNotBlank(ansibleVaultDecryptPath)) {
       AnsibleVault.decrypt(new File(ansibleVaultDecryptPath));
       return;
     }
+    else if (StringUtils.isNotBlank(aemCryptoEncrypt)) {
+      String result = AemCrypto.encryptString(aemCryptoEncrypt, cryptoAesKey);
+      System.out.println(result);
+      return;
+    }
+    else if (StringUtils.isNotBlank(aemCryptoDecrypt)) {
+      String result = AemCrypto.decryptString(aemCryptoDecrypt, cryptoAesKey);
+      System.out.println(result);
+      return;
+    }
 
     // print usage help
     HelpFormatter formatter = new HelpFormatter();

tooling/conga-aem-crypto-cli/src/test/java/io/wcm/devops/conga/plugins/aem/tooling/crypto/cli/AemCryptoTest.java

@@ -0,0 +1,65 @@
+/*
+ * #%L
+ * wcm.io
+ * %%
+ * Copyright (C) 2019 wcm.io
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package io.wcm.devops.conga.plugins.aem.tooling.crypto.cli;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+import java.io.File;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+public class AemCryptoTest {
+
+  private File targetFolder;
+  private String cryptoAesKey;
+
+  @BeforeEach
+  public void setUp() throws Exception {
+    // create temp directory path
+    targetFolder = File.createTempFile(getClass().getName(), null);
+    targetFolder.delete();
+
+    // generate crypto keys
+    CryptoKeys.generate(targetFolder, false).forEach(item -> { /* generate */ });
+    cryptoAesKey = targetFolder.getPath() + "/master";
+  }
+
+  @AfterEach
+  public void tearDown() throws Exception {
+    FileUtils.deleteDirectory(targetFolder);
+  }
+
+  @Test
+  public void testEncryptDecryptString() throws Exception {
+    String value = "myTestValue-äöü߀";
+
+    String encryptedValue = AemCrypto.encryptString(value, cryptoAesKey);
+    assertFalse(StringUtils.equals(value, encryptedValue));
+
+    String decryptedValue = AemCrypto.decryptString(encryptedValue, cryptoAesKey);
+    assertEquals(value, decryptedValue);
+  }
+
+}

tooling/conga-aem-crypto-cli/src/test/java/io/wcm/devops/conga/plugins/aem/tooling/crypto/cli/CryptoKeysTest.java

@@ -55,16 +55,16 @@ public void tearDown() throws Exception {
   @Test
   public void testGenerate() throws Exception {
     Stream<File> files = CryptoKeys.generate(targetFolder, false);
-    assetFiles(files);
+    assertFiles(files);
   }
 
   @Test
   public void testGenerateAnsibleVaultEncrypt() throws Exception {
     Stream<File> files = CryptoKeys.generate(targetFolder, true);
-    assetFiles(files);
+    assertFiles(files);
   }
 
-  private void assetFiles(Stream<File> filesStream) {
+  private void assertFiles(Stream<File> filesStream) {
     List<File> files = filesStream.collect(Collectors.toList());
     assertEquals(2, files.size());
     assertTrue(files.get(0).exists());