From 6dba1f2d0b577620593c57df9e2dc9e9b59c7804 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn <d.mizyn@samsung.com>
Date: Mon, 16 Dec 2019 15:38:17 +0100
Subject: Encryption and decryption of OpenStack Passwords removed

Description from Jira ticket:

Current way of passing OpenStack password to SO is to
encrypt it with a symmetric key that can be find in both
OOM repo and source code. This means that the key is already
compromised and this additional encryption does not introduce
any additional security layer. Additionally this creates a fake
security feeling for people who are not very familiar with the
cryptography as they may think that their password is safe because
it has been encrypted.

Instead of using some custom-made method of passing this password
please just use a secret and pass it via environment variable
unencrypted
and just never store it in a config file

Issue-ID: SO-2535
Change-Id: Iaad50d7d22fe0fc1e3f7e8c5c5cd3a788d777574
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
---
 common/src/main/java/org/onap/so/utils/CryptoUtils.java | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'common/src')

diff --git a/common/src/main/java/org/onap/so/utils/CryptoUtils.java b/common/src/main/java/org/onap/so/utils/CryptoUtils.java
index ff69e3e4b1..1c38dfb774 100644
--- a/common/src/main/java/org/onap/so/utils/CryptoUtils.java
+++ b/common/src/main/java/org/onap/so/utils/CryptoUtils.java
@@ -76,6 +76,8 @@ public final class CryptoUtils {
      * @throws GeneralSecurityException
      */
     public static String decrypt(String message, String keyString) throws GeneralSecurityException {
+        if (message.equals(System.getenv("PLAINTEXTPASSWORD")))
+            return message;
         SecretKeySpec sks = getSecretKeySpec(keyString);
         byte[] cipherText = hexStringToByteArray(message);
         Cipher cipher = Cipher.getInstance(AES_GCM_NO_PADDING);
-- 
cgit