1390 - SFTP Plugin Password Encryption (#258)

* first attempt

* working encryption

* finished

* removed unnecesary import

* testing updating magerc

* hard-coding version

* salt not found fix

* salt not found fix 2

* forgot about types version

Author: danbenner-vega

docker-compose.yml

@@ -31,6 +31,8 @@ services:
     environment:
       MAGE_MONGO_URL: mongodb://mage-db:27017/magedb
       MAGE_TOKEN_EXPIRATION: "28800"
+      # NOTE: default INSECURE salt value, recommend generate new UUID before deployment, **NOT** after deployment
+      SFTP_PLUGIN_CONFIG_SALT: "A0E6D3B4-25BD-4DD6-BBC9-B367931966AB"
 
   # Uncomment the following block to enable the TLS reverse proxy.  You will
   # also need to generate the key and certificate as the README describes.

plugins/sftp/config/sftpConfig.ts

@@ -0,0 +1,20 @@
+export const eKey: Promise<CryptoKey> = window.crypto.subtle.generateKey(
+  {
+      name: "AES-GCM",
+      length: 256, //can be  128, 192, or 256
+  },
+  true, //whether the key is extractable (i.e. can be used in exportKey)
+  ["encrypt", "decrypt"] //can "encrypt", "decrypt", "wrapKey", or "unwrapKey"
+)
+
+export function arrayBufferToString(buffer: ArrayBuffer, encoding = 'utf-8'): string {
+  const decoder = new TextDecoder(encoding);
+  const view = new Uint8Array(buffer);
+  return decoder.decode(view);
+}
+
+export function stringToArrayBuffer(str: string): ArrayBuffer {
+  let enc = new TextEncoder();
+  var encoded = enc.encode(str);
+  return encoded;
+}

plugins/sftp/service/package-lock.json

@@ -26,6 +26,7 @@
   "devDependencies": {
     "@types/archiver": "^6.0.2",
     "@types/bson": "^1.0.11",
+    "@types/crypto-js": "4.1.1",
     "@types/express": "4.17.21",
     "@types/express-serve-static-core": "4.17.29",
     "@types/geojson": "^7946.0.7",
@@ -51,6 +52,7 @@
   },
   "dependencies": {
     "archiver": "^6.0.1",
+    "crypto-js": "4.1.1",
     "ssh2-sftp-client": "^9.1.0"
   }
 }

plugins/sftp/service/package.json

@@ -1,5 +1,6 @@
 import { MageEventId } from '@ngageoint/mage.service/lib/entities/events/entities.events';
 import { ArchiveFormat, CompletionAction, TriggerRule } from '../format/entities.format';
+import * as CryptoJS from 'crypto-js';
 
 /**
  * Contains various configuration values used by the plugin.
@@ -73,3 +74,19 @@ export const defaultSFTPPluginConfig = Object.freeze<SFTPPluginConfig>({
     password: ''
   }
 })
+
+export async function encryptDecrypt(config: SFTPPluginConfig, isEncrypt: boolean): Promise<SFTPPluginConfig> {
+  // NOTE: default INSECURE salt value, recommend generate new UUID before deployment, **NOT** after deployment
+  const salt = "A0E6D3B4-25BD-4DD6-BBC9-B367931966AB"; // process.env.SFTP_PLUGIN_CONFIG_SALT;
+  try {
+    let tempConfig = config;
+    if(salt === undefined) { throw new Error("No salt value found, update docker-compose value...") }
+    const encryptedPass = isEncrypt ?
+      CryptoJS.AES.encrypt(config.sftpClient.password, salt).toString() :
+      CryptoJS.AES.decrypt(config.sftpClient.password, salt).toString();
+    tempConfig.sftpClient.password = encryptedPass;
+    return tempConfig;
+  } catch (err) {
+    throw err;
+  }
+}

plugins/sftp/service/src/configuration/SFTPPluginConfig.ts

@@ -4,7 +4,7 @@ import { Observation, ObservationAttrs, ObservationRepositoryForEvent } from '@n
 import { PluginStateRepository } from '@ngageoint/mage.service/lib/plugins.api';
 import SFTPClient from 'ssh2-sftp-client';
 import { PassThrough } from 'stream';
-import { SFTPPluginConfig, defaultSFTPPluginConfig } from '../configuration/SFTPPluginConfig';
+import { SFTPPluginConfig, defaultSFTPPluginConfig, encryptDecrypt } from '../configuration/SFTPPluginConfig';
 import { ArchiveFormat, ArchiveStatus, ArchiverFactory, ArchiveResult, TriggerRule } from '../format/entities.format';
 import { SftpAttrs, SftpObservationRepository, SftpStatus } from '../adapters/adapters.sftp.mongoose';
 
@@ -96,7 +96,7 @@ export class SftpController {
    */
   public async getConfiguration(): Promise<SFTPPluginConfig> {
     if (this.configuration === null) {
-      return await this.stateRepository.get().then(x => !!x ? x : this.stateRepository.put(defaultSFTPPluginConfig))
+      return await this.stateRepository.get().then((x: SFTPPluginConfig | null) => !!x ? encryptDecrypt(x, false) : this.stateRepository.put(defaultSFTPPluginConfig))
     } else {
       return this.configuration
     }
@@ -107,7 +107,12 @@ export class SftpController {
    * @param configuration The new config to put into the state repo.
    */
   public async updateConfiguration(configuration: SFTPPluginConfig) {
-    await this.stateRepository.put(configuration)
+    try {
+      let config = await encryptDecrypt(configuration, true);
+      await this.stateRepository.put(config)
+    } catch (err) {
+      this.console.log(`ERROR: updateConfiguration: ${err}`)
+    }
   }
 
   /**

plugins/sftp/service/src/controller/controller.ts

@@ -108,7 +108,7 @@ const sftpPluginHooks: InitPluginHook<typeof InjectedServices> = {
 
               await controller.start()
 
-              res.status(200).json(configuration)
+              res.status(200) //.json(configuration)
             })
 
           return routes

plugins/sftp/service/src/index.ts

@@ -60,3 +60,4 @@ export MAGE_MONGO_CONN_RETRY_DELAY=5
 export MAGE_MONGO_TLS_INSECURE=false
 # Name of the db that contains the credentials
 export MAGE_MONGO_CRED_DB_NAME=
+export SFTP_PLUGIN_CONFIG_SALT="A0E6D3B4-25BD-4DD6-BBC9-B367931966AB"