Add some unit tests and improve overall performance of reading passwords

- Lazily remember the decrypted secrets in a map as more secrets are decrypted
- Perform a `stat()` like operation to check if the file was modified in the last 5 seconds
  before reloading the DB file from disk.

Author: ketan

db/build.gradle

@@ -17,4 +17,12 @@
 dependencies {
     compile group: 'com.google.code.gson', name: 'gson', version: '2.8.5'
     compile group: 'commons-io', name: 'commons-io', version: '2.6'
+
+    testCompile group: 'org.assertj', name: 'assertj-core', version: '3.12.2'
+    testCompile group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: '5.4.2'
+    testRuntime group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: '5.4.2'
+}
+
+test {
+    useJUnitPlatform()
 }

db/src/main/java/cd/go/plugin/secret/filebased/db/SecretsDatabase.java

@@ -34,11 +34,13 @@
 import static org.apache.commons.io.FileUtils.readFileToString;
 
 public class SecretsDatabase {
+
     private static final Gson GSON = new GsonBuilder()
             .excludeFieldsWithoutExposeAnnotation()
             .serializeNulls()
             .setPrettyPrinting()
             .create();
+
     @Expose
     @SerializedName("secret_key")
     private final String secretKey;
@@ -47,6 +49,8 @@ public class SecretsDatabase {
     @SerializedName("secrets")
     private final LinkedHashMap<String, String> secrets = new LinkedHashMap<>();
 
+    final LinkedHashMap<String, String> decryptedSecrets = new LinkedHashMap<>();
+
     public SecretsDatabase(String secretKey) {
         this.secretKey = secretKey;
     }
@@ -56,23 +60,37 @@ public SecretsDatabase() throws NoSuchAlgorithmException {
     }
 
     public SecretsDatabase addSecret(String name, String value) throws GeneralSecurityException {
-        secrets.put(name, Cipher.encrypt(secretKey, value));
+        synchronized (this) {
+            secrets.put(name, Cipher.encrypt(secretKey, value));
+            decryptedSecrets.remove(name);
+        }
         return this;
     }
 
-    public String getSecret(String name) throws BadSecretException, GeneralSecurityException {
-        if (secrets.containsKey(name)) {
-            return Cipher.decrypt(secretKey, secrets.get(name));
+    public String getSecret(String name) {
+        synchronized (this) {
+            return decryptedSecrets.computeIfAbsent(name, key -> {
+                if (secrets.containsKey(name)) {
+                    try {
+                        return Cipher.decrypt(secretKey, secrets.get(name));
+                    } catch (BadSecretException | GeneralSecurityException e) {
+                        throw new RuntimeException(e);
+                    }
+                }
+                return null;
+            });
         }
-        return null;
     }
 
     public Set<String> getAllSecretKeys() {
         return secrets.keySet();
     }
 
     public SecretsDatabase removeSecret(String name) {
-        secrets.remove(name);
+        synchronized (this) {
+            secrets.remove(name);
+            decryptedSecrets.remove(name);
+        }
         return this;
     }
 
@@ -88,4 +106,14 @@ public SecretsDatabase saveTo(File secretFile) throws IOException {
     public String toJSON() {
         return GSON.toJson(this);
     }
+
+
+    // for testing
+    String getSecretKey() {
+        return secretKey;
+    }
+
+    LinkedHashMap<String, String> getSecrets() {
+        return secrets;
+    }
 }

db/src/test/java/cd/go/plugin/secret/filebased/db/CipherTest.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2019 ThoughtWorks, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cd.go.plugin.secret.filebased.db;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+
+class CipherTest {
+
+    @Nested
+    class GenerateKey {
+
+        @Test
+        void shouldGenerate128BitKey() throws NoSuchAlgorithmException {
+            assertThat(Cipher.generateKey())
+                    .hasSize(128 / 8);
+        }
+
+        @Test
+        void shouldGenerateRandomKeyEveryTime() throws NoSuchAlgorithmException {
+            assertThat(Cipher.generateKey())
+                    .isNotEqualTo(Cipher.generateKey());
+        }
+    }
+
+    @Nested
+    class Encrypt {
+
+        @Test
+        void shouldEncrypt() throws GeneralSecurityException {
+            String clearText = "foo";
+
+            String key = Base64.getEncoder().encodeToString(Cipher.generateKey());
+
+            assertThat(Cipher.encrypt(key, clearText))
+                    .doesNotContain(clearText);
+        }
+
+        @Test
+        void shouldEncryptToDifferentValueEveryTime() throws GeneralSecurityException {
+            String clearText = "foo";
+
+            String key = Base64.getEncoder().encodeToString(Cipher.generateKey());
+
+            assertThat(Cipher.encrypt(key, clearText))
+                    .isNotEqualTo(Cipher.encrypt(key, clearText));
+        }
+    }
+
+    @Nested
+    class Decrypt {
+
+        @Test
+        void shouldDecrypt() throws GeneralSecurityException, BadSecretException {
+            String clearText = "foo";
+
+            String key = Base64.getEncoder().encodeToString(Cipher.generateKey());
+
+            String encryptedValue = Cipher.encrypt(key, clearText);
+
+            assertThat(Cipher.decrypt(key, encryptedValue)).isEqualTo(clearText);
+        }
+
+        @Test
+        void shouldFailIfEncryptedValueIsTampered() throws GeneralSecurityException {
+            String key = Base64.getEncoder().encodeToString(Cipher.generateKey());
+
+            assertThatCode(() -> Cipher.decrypt(key, "junk")).hasMessage("Bad cipher text")
+                    .isInstanceOf(BadSecretException.class);
+        }
+    }
+}

db/src/test/java/cd/go/plugin/secret/filebased/db/SecretsDatabaseTest.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2019 ThoughtWorks, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cd.go.plugin.secret.filebased.db;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SecretsDatabaseTest {
+
+    @Test
+    void shouldAddASecret() throws GeneralSecurityException {
+        SecretsDatabase secretsDatabase = new SecretsDatabase();
+        secretsDatabase.addSecret("foo", "bar");
+        assertThat(secretsDatabase.getSecret("foo")).isEqualTo("bar");
+
+    }
+
+    @Test
+    void decryptingASecretShouldCacheIt() throws GeneralSecurityException {
+        SecretsDatabase secretsDatabase = new SecretsDatabase();
+
+        secretsDatabase.addSecret("foo", "bar");
+        assertThat(secretsDatabase.decryptedSecrets).doesNotContainKeys("foo");
+
+        secretsDatabase.getSecret("foo");
+        assertThat(secretsDatabase.decryptedSecrets).containsKeys("foo");
+    }
+
+    @Test
+    void removingASecretShouldRemoveItFromCache() throws GeneralSecurityException {
+        SecretsDatabase secretsDatabase = new SecretsDatabase();
+
+        secretsDatabase.addSecret("foo", "bar");
+
+        // populate cache
+        secretsDatabase.getSecret("foo");
+        assertThat(secretsDatabase.decryptedSecrets).containsKeys("foo");
+
+        // remove secret
+        secretsDatabase.removeSecret("foo");
+        assertThat(secretsDatabase.decryptedSecrets).doesNotContainKeys("foo");
+    }
+
+    @Test
+    void addingASecretShouldRemoveItFromCache() throws GeneralSecurityException {
+        SecretsDatabase secretsDatabase = new SecretsDatabase();
+
+        secretsDatabase.addSecret("foo", "bar");
+
+        // populate cache
+        secretsDatabase.getSecret("foo");
+        assertThat(secretsDatabase.decryptedSecrets).containsKeys("foo");
+
+        // add secret
+        secretsDatabase.addSecret("foo", "bar");
+        assertThat(secretsDatabase.decryptedSecrets).doesNotContainKeys("foo");
+    }
+
+    @Nested
+    class Persistance {
+
+        @Test
+        void shouldPersistDBToDisk(@TempDir File tempDir) throws GeneralSecurityException, IOException {
+            SecretsDatabase secretsDatabase = new SecretsDatabase();
+
+            secretsDatabase.addSecret("foo", "bar");
+
+            secretsDatabase.saveTo(new File(tempDir, "db.json"));
+
+            SecretsDatabase loadedDB = SecretsDatabase.readFrom(new File(tempDir, "db.json"));
+
+            // is able to decrypt
+            assertThat(loadedDB.getSecret("foo")).isEqualTo("bar");
+
+            // and saves the passphrase and all secrets
+            assertThat(secretsDatabase.getSecretKey()).isEqualTo(loadedDB.getSecretKey());
+            assertThat(secretsDatabase.getSecrets()).isEqualTo(loadedDB.getSecrets());
+        }
+    }
+}

gocd-file-based-secrets-plugin/build.gradle

@@ -14,17 +14,25 @@
  * limitations under the License.
  */
 
+plugins {
+    id "me.champeau.gradle.jmh" version "0.4.8"
+}
+
 configurations {
     extractedAtTopLevel
 }
 
 dependencies {
-    compile group: 'cd.go.plugin.base', name: 'gocd-plugin-base', version: '0.0.1'
     compileOnly group: 'cd.go.plugin', name: 'go-plugin-api', version: '18.9.0'
+    compile group: 'cd.go.plugin.base', name: 'gocd-plugin-base', version: '0.0.1'
     compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.9'
+
     compile project(':db')
     compile project(':cli')
 
+    compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.8'
+    annotationProcessor group: 'org.projectlombok', name: 'lombok', version: '1.18.8'
+
     extractedAtTopLevel project(':jar-class-loader')
 
     testCompile group: 'org.assertj', name: 'assertj-core', version: '3.12.2'
@@ -55,3 +63,7 @@ jar {
         into("/")
     }
 }
+
+test {
+    useJUnitPlatform()
+}