MINIFICPP-2846 minifi-encrypt-config should encrypt sensitive propert… #2204
Draft
fgerlits wants to merge 2 commits into
…ies in all properties files
The minifi-encrypt-config utility should encrypt the additional properties files in the minifi.properties.d directory, too, if they exist. We allow nifi.sensitive.props.additional.keys (the list of additional sensitive property keys) to be in any of the properties files.
Pull request overview
This PR updates the minifi-encrypt-config utility to encrypt sensitive properties across all MiNiFi properties files, including additional .properties files under minifi.properties.d/, and refactors the encrypt-config implementation to reuse PropertiesFile/PropertiesImpl instead of a dedicated ConfigFile wrapper.
Changes:
- Extend minifi-encrypt-config to discover and encrypt sensitive properties in minifi.properties.d/*.properties as well as the base minifi.properties.
- Refactor encrypt-config to remove ConfigFile and introduce getSensitiveProperties(path) + updated encryptSensitivePropertiesInFile(...) APIs.
- Add/adjust unit tests and test resources to cover additional sensitive keys defined in extra properties files.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| libminifi/test/unit/PropertiesFileTests.cpp | Switches unit tests from encrypt-config ConfigFile to PropertiesFile, and updates test resource path handling. |
| libminifi/test/resources/with-additional-sensitive-props.minifi.properties | Adds/updates properties resource used to validate parsing and handling of additional sensitive keys. |
| libminifi/test/resources/minifi.properties | Adds/updates a baseline properties resource used by unit tests. |
| libminifi/src/properties/Properties.cpp | Exposes helper functions for extra properties file discovery and uses them when loading multi-file properties. |
| libminifi/include/properties/PropertiesFile.h | Removes the Line equality friend declaration (tests now supply equality operators). |
| libminifi/include/properties/Properties.h | Declares shared helpers for extra properties directory naming and enumeration. |
| encrypt-config/tests/resources/conf/minifi.properties.d/90_c2.properties | Adds an extra properties file defining nifi.sensitive.props.additional.keys in .d to validate the new behavior. |
| encrypt-config/tests/resources/conf/minifi.properties.d/20_llm.properties | Adds an extra properties file containing an additional sensitive key value to validate encryption across .d. |
| encrypt-config/tests/resources/conf/minifi.properties | Adds a base properties file for end-to-end encrypt-config testing with .d overlays. |
| encrypt-config/tests/resources/conf/bootstrap.conf | Adds bootstrap.conf fixture for end-to-end encrypt-config test setup. |
| encrypt-config/tests/PropertiesFileEncryptorTests.cpp | Updates encrypt-config unit tests to use the new PropertiesFileEncryptor APIs and verify sensitive key discovery/encryption. |
| encrypt-config/tests/EncryptConfigTests.cpp | Adds an end-to-end test ensuring encryption affects both base and .d properties files. |
| encrypt-config/PropertiesFileEncryptor.h | Replaces ConfigFile-based API with functions operating on PropertiesFile + explicit sensitive key list. |
| encrypt-config/PropertiesFileEncryptor.cpp | Implements sensitive property discovery via PropertiesImpl and updates encryption logic to use explicit sensitive key lists. |
| encrypt-config/EncryptConfig.h | Updates EncryptConfig constructor to take std::filesystem::path. |
| encrypt-config/EncryptConfig.cpp | Implements encryption across base and .d properties files and uses shared extra-file discovery helpers. |
| encrypt-config/ConfigFileEncryptor.h | Removes obsolete ConfigFile-based encryptor API header. |
| encrypt-config/ConfigFile.cpp | Removes obsolete ConfigFile implementation. |
Comment on lines 200 to +203
| void EncryptConfig::encryptSensitiveValuesInMinifiProperties() const { | ||
| EncryptionKeys keys = getEncryptionKeys(ENCRYPTION_KEY_PROPERTY_NAME); | ||
| const auto base_properties_file = propertiesFilePath(); | ||
| const std::vector<std::string> sensitive_properties = getSensitiveProperties(base_properties_file); | ||
| const EncryptionKeys keys = getEncryptionKeys(ENCRYPTION_KEY_PROPERTY_NAME); |
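Review bot: in the new lines of encryptSensitiveValuesInMinifiProperties(), sensitive_properties is built from base_properties_file alone, while the description allows nifi.sensitive.props.additional.keys to sit in any properties file (the 90_c2.properties fixture defines it under minifi.properties.d). If getSensitiveProperties(path) reads only the file it is given, keys declared in a .d file would be skipped and their values left in plaintext. Please either document on getSensitiveProperties that it also loads the minifi.properties.d overlays for the given base path, or pass it the full file list, and keep the end-to-end test asserting that a key declared only in a .d file ends up encrypted.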
https://issues.apache.org/jira/browse/MINIFICPP-2846
Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.
In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically main)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI results for build issues and submit an update to your PR as soon as possible.
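A post-run check for the behaviour the PR description asks for, as an added example that is not part of the pull request or the MiNiFi code base: it scans minifi.properties and minifi.properties.d/*.properties and reports sensitive keys that still hold a plaintext value. Assumptions: an encrypted value is accompanied by a `<key>.protected` entry in the same file, the audit takes the union of every nifi.sensitive.props.additional.keys list it finds, `default_keys` is a hypothetical parameter for the built-in sensitive keys, and the sample key names and values are constructed.

```python
from pathlib import Path
import tempfile

ADDITIONAL_KEYS = "nifi.sensitive.props.additional.keys"
PROTECTED_SUFFIX = ".protected"  # assumption: marker key written next to an encrypted value
SAMPLE = {  # constructed sample; key names and values are made up
    "minifi.properties": "example.flow.name=demo\n",
    "minifi.properties.d/20_llm.properties": "example.llm.api.key=plaintext-value\n",
    "minifi.properties.d/90_c2.properties":
        "nifi.sensitive.props.additional.keys=example.llm.api.key, example.db.pass\n"
        "example.db.pass=bm90IHJlYWw=\nexample.db.pass.protected=XChaCha20-Poly1305\n",
}

def write_sample(root):
    """Write the constructed sample tree under root and return root."""
    for rel, text in SAMPLE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def properties_files(conf_dir):
    """Base file first, then minifi.properties.d/*.properties in name order."""
    extra = sorted((Path(conf_dir) / "minifi.properties.d").glob("*.properties"))
    return [p for p in [Path(conf_dir) / "minifi.properties", *extra] if p.is_file()]

def plaintext_findings(conf_dir, default_keys=()):
    """Return (file name, key) for each sensitive key that has a value but no marker."""
    parsed = {p: parse_properties(p.read_text()) for p in properties_files(conf_dir)}
    sensitive = set(default_keys)
    for props in parsed.values():  # the list may live in any file, so take the union
        sensitive.update(k.strip() for k in props.get(ADDITIONAL_KEYS, "").split(",") if k.strip())
    return [(path.name, key) for path, props in parsed.items() for key in sorted(sensitive)
            if props.get(key) and key + PROTECTED_SUFFIX not in props]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, key in plaintext_findings(write_sample(tmp)):
            print(f"PLAINTEXT {name}: {key}")
```

On the sample tree the only finding is the key in 20_llm.properties, which is declared sensitive in 90_c2.properties: the cross-file case this PR targets.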