getting a NULL pointer exception when encrypting passwords in deployment.toml file #60

Open
shagihan opened this issue Dec 25, 2019 · 6 comments

Comments

@shagihan

Description:

Getting the following exception when running cipher tool for the first time with the -Dconfigure parameter

[wso2student@ip-172-31-39-130 bin]$ ./ciphertool.sh -Dconfigure

Encrypting using Internal KeyStore.

{type: JKS, alias: wso2carbon, path: /opt/wso2/Desktop/c3/wso2am-3.0.0/repository/resources/security/wso2carbon.jks}
[Please Enter Internal KeyStore Password of Carbon Server : ]

Internal KeyStore of Carbon Server is initialized Successfully

Encryption is done Successfully

Exception in thread "main" java.lang.NullPointerException
at java.lang.String.concat(String.java:2027)
at org.wso2.ciphertool.CipherTool.updateDeploymentConfigurationWithEncryptedKeys(CipherTool.java:381)
at org.wso2.ciphertool.CipherTool.main(CipherTool.java:75)

Suggested Labels:
cipher-tool,toml

Steps to reproduce:

  • Run the ciphertool.sh file in the APIM-3.0.0 with the -Dconfigure command.

@tharindu1st
Contributor

@shagihan ,
Could you please attach the deployment.toml secrets section that you used to vault.

Thanks

@shagihan
Author

Adding a new line after the [secrets] section solved the issue.

Eg.

[server]
hostname = "localhost"
node_ip = "127.0.0.1"
#offset=0
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
#discard_empty_caches = false
server_role = "default"

[secrets]
admin_password = "[admin]"

[super_admin]
username = "admin"
password="$secret{admin_password}"
create_admin_account = true

@Dumindu-Kanchana

This issue still persists in AM-3.0.0.

Steps to reproduce

This can be reproduced when the [secrets] section is defined between the other defined configs in the deployment.toml file. With the NPE, the deployment.toml file will get corrupted and all the configurations below the [secrets] section will get lost.

If the [secrets] section is defined at the end of the deployment.toml file, this issue is not occurring.

@yasassri

We are still observing the same error. There is a workaround for this issue to place the secure vault block at the end of the file, but the issue needs to be properly fixed.

Exception in thread "main" java.lang.NullPointerException
at java.base/java.lang.String.concat(String.java:1937)
at org.wso2.ciphertool.CipherTool.updateDeploymentConfigurationWithEncryptedKeys(CipherTool.java:394)
at org.wso2.ciphertool.CipherTool.main(CipherTool.java:75)

@nadeepoornima

nadeepoornima commented Mar 31, 2021

This issue is available in APIM 3.1.0 too, and the document [1] did not mention putting this as last (as a workaround) to resolve this issue.

[1]. https://apim.docs.wso2.com/en/3.1.0/install-and-setup/setup/security/logins-and-passwords/working-with-encrypted-passwords/#encrypting-passwords-in-configuration-files

@Shaaali

Shaaali commented May 29, 2023

The issue happens because,
Consider the if block below.

if (found && !isLineCommented) {
    if (line.matches("\\[.+\\]")) {
        // A new section header ends the [secrets] block.
        found = false;
    } else {
        StringTokenizer stringTokenizer = new StringTokenizer(line,
                                                              Constants.KEY_VALUE_SEPERATOR);
        if (stringTokenizer.hasMoreTokens()) {
            String key = stringTokenizer.nextToken();
            // get() returns null when the key has no entry in encryptedKeyMap.
            String value = encryptedKeyMap.get(key.trim());
            // String.concat(null) throws the NullPointerException.
            line = key.concat("= \"").concat(value).concat("\"");
        }
    }
}

This block is only intended to process the secrets block. Once the secret section is found and the found flag is set, the next section will pass through this if block. If this is the secret block, it gets processed correctly and the line gets added into the deployment toml.
However, for the section after the secret section also, the found is set to true, and therefore, at this particular point (String value = encryptedKeyMap.get(key.trim());), we are going to get a value to some key from encryptedKeyMap, and then try to concatenate in the next line, which will throw an NPE.

Therefore, introducing an isNotProcessed variable to the code and not passing subsequent configuration blocks through this if block will avoid the NPE.

                    boolean isNotProcessed = true;
                    boolean isLineCommented = line.trim().matches("^#.*");
                    if (found && !isLineCommented && isNotProcessed) {
                        if (line.matches("\\[.+\\]")) {
                            found = false;
                        } else {
                            isNotProcessed=false;
                            StringTokenizer stringTokenizer = new StringTokenizer(line,
                                                                                  Constants.KEY_VALUE_SEPERATOR);
                            if (stringTokenizer.hasMoreTokens()) {
                                String key = stringTokenizer.nextToken();
                                String value = encryptedKeyMap.get(key.trim());
                                line = key.concat("= \"").concat(value).concat("\"");
                            }
                        }
                    } else {
                        if (Constants.SECRETS_SECTION.equals(line.trim())) {
                            found = true;
                        }
                    }
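
An added sketch, not the cipher tool's own code and not part of the comment above: one way to rewrite only the [secrets] table so that a key with no entry in the encrypted map never reaches String.concat(null), and so that a failure part-way through cannot truncate deployment.toml. The class and method names, the '=' separator and the placeholder ciphertext are assumptions; multi-line TOML arrays are not handled.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class SecretsSectionRewriter {
    static final String SECRETS_SECTION = "[secrets]";

    // Replaces values only inside [secrets]; every other line passes through unchanged.
    static List<String> rewrite(List<String> lines, Map<String, String> encrypted) {
        List<String> out = new ArrayList<>(lines.size());
        boolean inSecrets = false;
        for (String line : lines) {
            String t = line.trim();
            if (t.startsWith("[")) {
                // Any table header ends the previous section, even with trailing
                // whitespace or a trailing comment.
                inSecrets = SECRETS_SECTION.equals(t.split("#", 2)[0].trim());
            } else if (inSecrets && !t.isEmpty() && !t.startsWith("#")) {
                int eq = line.indexOf('=');
                String key = (eq < 0 ? line : line.substring(0, eq)).trim();
                String value = encrypted.get(key);
                if (value != null) { // no entry: keep the line, never concat(null)
                    line = key + " = \"" + value + "\"";
                }
            }
            out.add(line);
        }
        return out;
    }

    // Builds the full result first, writes a sibling temp file, then renames it over
    // the original, so an exception cannot leave a truncated deployment.toml behind.
    static void rewriteFile(Path toml, Map<String, String> encrypted) throws IOException {
        List<String> result = rewrite(Files.readAllLines(toml, StandardCharsets.UTF_8), encrypted);
        Path tmp = Files.createTempFile(toml.toAbsolutePath().getParent(), "deployment", ".tmp");
        Files.write(tmp, result, StandardCharsets.UTF_8);
        Files.move(tmp, toml, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: [secrets] mid-file, a whitespace-only line, a padded header.
        Path toml = Files.createTempFile("deployment", ".toml");
        Files.write(toml, Arrays.asList("[server]", "hostname = \"localhost\"", "[secrets]",
                "admin_password = \"[admin]\"", "  ", "[super_admin] ", "username = \"admin\"",
                "password=\"$secret{admin_password}\""), StandardCharsets.UTF_8);
        rewriteFile(toml, Collections.singletonMap("admin_password", "CIPHERTEXT-PLACEHOLDER"));
        Files.readAllLines(toml, StandardCharsets.UTF_8).forEach(System.out::println);
    }
}
```

On POSIX systems the temp file is created owner-only, so the renamed deployment.toml ends up with tighter permissions than before; reapply the intended mode if other accounts must read it.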
