
Conversation

@Dimfacion Dimfacion commented Jan 6, 2026

Proposed changes

  • Encryption/decryption of sensitive data in the database with an AES 256-bit GCM key
  • Small fix to update the config of the executors when stopping/starting the executor

Testing Instructions

  1. In your application.properties (or application-dev.properties), fill the openaev.admin.encryption_key and openaev.admin.encryption_salt properties
  2. (Optional) If your catalog_connectors table is not empty, empty it
  3. Start your backend
  4. Check that the properties with the is_encrypted column set are encrypted
  5. Update the configuration for an encrypted field in the OAEV interface
  6. Check that it's still encrypted and different from the previous value
  7. Start an executor
  8. Check that the encrypted value in database is decrypted in the config in memory

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I wrote test cases for the relevant use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality
  • For bug fix -> I implemented a test that covers the bug

Further comments

In your application.properties (or application-dev.properties), fill the openaev.admin.encryption_key and openaev.admin.encryption_salt properties. The documentation for the encryption library provided by Spring is available here: https://docs.spring.io/spring-security/reference/features/integrations/cryptography.html#spring-security-crypto-encryption-text
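As an added illustration (not the PR's own code): a hypothetical stand-in for the NativeEncryptionService built on Spring Security's Encryptors.delux(), which derives a 256-bit AES key from the two configured properties and encrypts with AES/GCM. The class and method names, the "ChangeMe" key and the sample secret are assumptions for the demo.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

// Hypothetical stand-in for the PR's NativeEncryptionService; not the project's code.
public final class DemoNativeEncryptionService {

    private final TextEncryptor encryptor;

    // password = openaev.admin.encryption_key, hexSalt = openaev.admin.encryption_salt
    public DemoNativeEncryptionService(String password, String hexSalt) {
        // delux() derives a 256-bit AES key with PBKDF2 and encrypts with AES/GCM
        // (random IV per call). The salt must be a hex-encoded string.
        this.encryptor = Encryptors.delux(password, hexSalt);
    }

    public String encrypt(String plaintext) {
        return encryptor.encrypt(plaintext);
    }

    public String decrypt(String ciphertext) {
        try {
            return encryptor.decrypt(ciphertext);
        } catch (IllegalStateException e) {
            // Wrong key/salt or tampered ciphertext: the GCM tag check fails.
            // The PR maps this kind of failure to its UncypherableElementException.
            throw new IllegalStateException("Unable to decrypt stored value", e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo values: a random hex salt and a placeholder key.
        String salt = KeyGenerators.string().generateKey();
        DemoNativeEncryptionService svc = new DemoNativeEncryptionService("ChangeMe", salt);

        String stored = svc.encrypt("api-token-value");      // constructed sample secret
        String storedAgain = svc.encrypt("api-token-value");
        // Same plaintext, different ciphertext, because of the random IV:
        // this is why step 6 of the test plan expects a changed database value.
        System.out.println(stored.equals(storedAgain));       // false
        System.out.println(svc.decrypt(stored));              // api-token-value

        // A service started with a different key cannot read the stored value.
        DemoNativeEncryptionService other = new DemoNativeEncryptionService("OtherKey", salt);
        try {
            other.decrypt(stored);
        } catch (IllegalStateException e) {
            System.out.println("decrypt with wrong key rejected");
        }
    }
}
```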

codecov bot commented Jan 7, 2026

Codecov Report

❌ Patch coverage is 85.92593% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.91%. Comparing base (6eaed84) to head (32d1c79).

Files with missing lines Patch % Lines
.../executors/caldera/CalderaExecutorIntegration.java 69.23% 4 Missing ⚠️
...rs/crowdstrike/CrowdStrikeExecutorIntegration.java 69.23% 4 Missing ⚠️
...rs/sentinelone/SentinelOneExecutorIntegration.java 69.23% 4 Missing ⚠️
...pl/executors/tanium/TaniumExecutorIntegration.java 69.23% 4 Missing ⚠️
...on/configuration/BaseIntegrationConfiguration.java 88.88% 1 Missing and 2 partials ⚠️
Additional details and impacted files
@@                  Coverage Diff                  @@
##             release/current    #4689      +/-   ##
=====================================================
+ Coverage              52.82%   52.91%   +0.08%     
- Complexity              4138     4166      +28     
=====================================================
  Files                    966      968       +2     
  Lines                  29007    29087      +80     
  Branches                2162     2169       +7     
=====================================================
+ Hits                   15323    15391      +68     
- Misses                 12779    12792      +13     
+ Partials                 905      904       -1     

☔ View full report in Codecov by Sentry.
@Dimfacion Dimfacion marked this pull request as ready for review January 9, 2026 14:07
@Dimfacion Dimfacion requested a review from Copilot January 9, 2026 14:20
Copilot AI left a comment

Pull request overview

This pull request implements encryption for sensitive password values stored in the database. The feature adds native encryption support using Spring Security's Encryptors.delux() method, complementing the existing XTM Composer encryption strategy.

Key changes:

  • Introduces NativeEncryptionService for encrypting/decrypting sensitive configuration values using AES encryption
  • Adds encryption_key and encryption_salt configuration properties to OpenAEVAdminConfig
  • Updates all executor integrations (Tanium, SentinelOne, CrowdStrike, Caldera, OpenAEV) to support encryption/decryption during configuration loading
  • Implements a refresh() method in Integration classes to reload decrypted configurations on-demand

Reviewed changes

Copilot reviewed 40 out of 40 changed files in this pull request and generated 16 comments.

Summary per file
File Description
OpenAEVAdminConfig.java Adds encryption_key and encryption_salt configuration properties
application.properties Documents new mandatory encryption configuration properties
NativeEncryptionService.java New service implementing EncryptionService interface using Spring Security Encryptors
EncryptionFactory.java Updated to return NativeEncryptionService for non-manager connectors instead of null
UncypherableElementException.java New exception for encryption failures
BaseIntegrationConfiguration.java Modified to encrypt values on save and decrypt on load based on field encryption flag
Integration.java Adds encryptionService field and abstract refresh() method for reloading configs
IntegrationFactory.java Updated to inject EncryptionFactory and HttpClientFactory
ConfigurationMigration.java Passes encryption service when converting configurations
Executor factories (Tanium, SentinelOne, CrowdStrike, Caldera) Updated to instantiate encryption service and pass to integrations
Executor integrations Implement refresh() to reload and decrypt configurations, initialize client with decrypted config
Migration tests Add validation that encrypted fields are actually encrypted in database
Integration tests Updated to inject EncryptionFactory and test null encryption service handling

Comment on lines +24 to +25
#openaev.admin.encryption_key=ChangeMe #mandatory
#openaev.admin.encryption_salt=ChangeMe #mandatory
Member

question: This is a breaking change for version upgrades, right?

Member Author

Yes, I have planned to add this to the doc, and this will need to be correctly announced in the release notes.

@NotNull Set<ConnectorInstanceConfiguration> configurations, Class<T> targetClass)
@NotNull ConnectorInstance instance,
Class<T> targetClass,
EncryptionService encryptionService)
Member

It feels odd to pass a service as a method argument.
This breaks the dependency injection model.
We should move this logic into a dedicated service and embed the method there instead.

Member Author

Yeah, I do agree; that was my initial intention, but I had cyclic dependencies. I did not think of moving part of the code to a dedicated utils class, I'll try to change that :)

private final ObjectMapper mapper = new ObjectMapper();
@Getter @Setter private boolean enable = false;

public static <T extends BaseIntegrationConfiguration> T fromConnectorInstanceConfigurationSet(
Member

This method feels overly complex to me. Could we simplify it by passing the config and only decrypting the relevant keys?

Member Author

This method does not only do decrypting. It's used to create a Configuration Java model from the database model. I guess I can simplify it a bit with another private method, but it can't be used only for the relevant keys.
