Provide options for key rotation and per-app cryptography
Cipher text (and plain text in the /encrypt endpoint) can now
carry a prefix of {name:value} pairs, all of which are passed
into the TextEncryptorLocator (instead of just the app name
and profiles).
The inputs are prepared symmetrically by the EncryptionController
(if used) and the EnvironmentEncryptor (used in the EnvironmentController).
Tidy up docs and add notes on keys.
This commit is contained in:
@@ -261,15 +261,13 @@ You can download the "Java Cryptography Extension (JCE) Unlimited Strength Juris
|
||||
from Oracle, and follow instructions for installation (essentially replace the 2 policy files
|
||||
in the JRE lib/security directory with the ones that you downloaded).
|
||||
|
||||
The server exposes `/encrypt` and `/decrypt` endpoints (on the
|
||||
assumption that these will be secured and only accessed by authorized
|
||||
agents). If the remote property sources contain encryted content
|
||||
If the remote property sources contain encryted content
|
||||
(values starting with `{cipher}`) they will be decrypted before
|
||||
sending to clients over HTTP. The main advantage of this set up is
|
||||
that the property values don't have to be in plain text when they are
|
||||
"at rest" (e.g. in a git repository). If a value cannot be decrypted
|
||||
it is replaced with an empty string, largely to prevent cipher text
|
||||
being used as a password in Spring Boot autconfigured HTTP basic.
|
||||
being used as a password and accidentally leaking.
|
||||
|
||||
If you are setting up a remote config repository for config client
|
||||
applications it might contain an `application.yml` like this, for
|
||||
@@ -286,7 +284,9 @@ spring:
|
||||
You can safely push this plain text to a shared git repository and the
|
||||
secret password is protected.
|
||||
|
||||
If you are editing a remote config file you can use the Config Server
|
||||
The server also exposes `/encrypt` and `/decrypt` endpoints (on the
|
||||
assumption that these will be secured and only accessed by authorized
|
||||
agents). If you are editing a remote config file you can use the Config Server
|
||||
to encrypt values by POSTing to the `/encrypt` endpoint, e.g.
|
||||
|
||||
----
|
||||
@@ -304,7 +304,15 @@ mysecret
|
||||
|
||||
Take the encypted value and add the `{cipher}` prefix before you put
|
||||
it in the YAML or properties file, and before you commit and push it
|
||||
to a remote, potentially insecure store.
|
||||
to a remote, potentially insecure store. The `/encypt` and `/decrypt`
|
||||
endpoints also both accept paths of the form `/*/{name}/{profiles}`
|
||||
which can be used to control cryptography per application (name)
|
||||
and profile when clients call into the main Environment resource.
|
||||
|
||||
NOTE: to control the cryptography in this granular way you must also
|
||||
provide a `@Bean` of type `TextEncryptorLocator` that creates a
|
||||
different encryptor per name and profiles. The one that is provided
|
||||
by default does not do this.
|
||||
|
||||
The `spring` command line client (with Spring Cloud CLI extensions
|
||||
installed) can also be used to encrypt and decrypt, e.g.
|
||||
@@ -335,9 +343,7 @@ it is just a single property value to configure.
|
||||
|
||||
To configure a symmetric key you just need to set `encrypt.key` to a
|
||||
secret String (or use an enviroment variable `ENCRYPT_KEY` to keep it
|
||||
out of plain text configuration files). You can also POST a key value
|
||||
to the `/key` endpoint (but that won't change any existing encrypted
|
||||
values in remote repositories).
|
||||
out of plain text configuration files).
|
||||
|
||||
To configure an asymmetric key you can either set the key as a
|
||||
PEM-encoded text value (in `encrypt.key`), or via a keystore (e.g. as
|
||||
@@ -381,6 +387,43 @@ encrypt:
|
||||
secret: changeme
|
||||
----
|
||||
|
||||
=== Using Multiple Keys and Key Rotation
|
||||
|
||||
In addition to the `{cipher}` prefix in encrypted property values, the
|
||||
Config Server looks for `{name:value}` prefixes (zero or many) before
|
||||
the start of the (Base64 encoded) cipher text. The keys are passed to
|
||||
a `TextEncryptorLocator` which can do whatever logic it needs to
|
||||
locate a `TextEncryptor` for the cipher. If you have configured a
|
||||
keystore (`encrypt.keystore.location`) the default locator will look
|
||||
for keys in the store with aliases as supplied by the "key" prefix,
|
||||
i.e. with a cipher text like this:
|
||||
|
||||
|
||||
----
|
||||
foo:
|
||||
bar: `{cipher}{key:testkey}...`
|
||||
----
|
||||
|
||||
the locator will look for a key named "testkey". A secret can also be
|
||||
supplied via a `{secret:...}` value in the prefix, but if it is not
|
||||
the default is to use the keystore password (which is what you get
|
||||
when you build a keytore and don't specify a secret). If you *do*
|
||||
supply a secret it is recommended that you also encrypt the secrets
|
||||
using a custom `SecretLocator`.
|
||||
|
||||
Key rotation is hardly ever necessary on cryptographic grounds if the
|
||||
keys are only being used to encrypt a few bytes of configuration data
|
||||
(i.e. they are not being used elsewhere), but occasionally you might
|
||||
need to change the keys if there is a security breach for instance. In
|
||||
that case all the clients would need to change their source config
|
||||
files (e.g. in git) and use a new `{key:...}` prefix in all the
|
||||
ciphers, checking beforehand of course that the key alias is available
|
||||
in the Config Server keystore.
|
||||
|
||||
TIP: the `{name:value}` prefixes can also be added to plaintext posted
|
||||
to the `/encrypt` endpoint, if you want to let the Config Server
|
||||
handle all encryption as well as decryption.
|
||||
|
||||
=== Embedding the Config Server
|
||||
|
||||
The Config Server runs best as a standalone application, but if you
|
||||
|
||||
@@ -18,6 +18,7 @@ package org.springframework.cloud.config.server;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.cloud.config.client.ConfigClientProperties;
|
||||
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
|
||||
@@ -21,7 +21,9 @@ import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
import org.springframework.cloud.config.server.encryption.ConfigServerEncryptionConfiguration;
|
||||
import org.springframework.cloud.config.server.config.ConfigServerEncryptionConfiguration;
|
||||
import org.springframework.cloud.config.server.config.ConfigServerMvcConfiguration;
|
||||
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
|
||||
/**
|
||||
|
||||
@@ -14,11 +14,12 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
package org.springframework.cloud.config.server.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.cloud.config.server.EncryptionController;
|
||||
import org.springframework.cloud.config.server.encryption.EncryptionController;
|
||||
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
||||
@@ -30,20 +31,15 @@ import org.springframework.context.annotation.Configuration;
|
||||
@Configuration
|
||||
public class ConfigServerEncryptionConfiguration {
|
||||
|
||||
@Autowired
|
||||
private TextEncryptorLocator locator;
|
||||
@Autowired(required=false)
|
||||
private TextEncryptorLocator encryptor;
|
||||
|
||||
@Autowired
|
||||
private ConfigServerProperties properties;
|
||||
|
||||
@Bean
|
||||
public EnvironmentEncryptor environmentEncryptor() {
|
||||
return new CipherEnvironmentEncryptor(locator);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public EncryptionController encryptionController() {
|
||||
return new EncryptionController(locator, properties);
|
||||
return new EncryptionController(this.encryptor, this.properties);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -13,10 +13,13 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.cloud.config.server;
|
||||
package org.springframework.cloud.config.server.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.cloud.config.server.EnvironmentController;
|
||||
import org.springframework.cloud.config.server.EnvironmentRepository;
|
||||
import org.springframework.cloud.config.server.encryption.EnvironmentEncryptor;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
@@ -0,0 +1,87 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
|
||||
import org.springframework.cloud.bootstrap.encrypt.KeyProperties.KeyStore;
|
||||
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
|
||||
import org.springframework.cloud.config.server.encryption.EnvironmentEncryptor;
|
||||
import org.springframework.cloud.config.server.encryption.KeyStoreTextEncryptorLocator;
|
||||
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
|
||||
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
|
||||
|
||||
/**
|
||||
* Auto configuration for text encryptors and environment encryptors (non-web stuff).
|
||||
* Users can provide beans of the same type as any or all of the beans defined here in
|
||||
* application code to override the default behaviour.
|
||||
*
|
||||
* @author Bartosz Wojtkiewicz
|
||||
* @author Rafal Zukowski
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
@Configuration
|
||||
public class EncryptionAutoConfiguration {
|
||||
|
||||
@ConditionalOnMissingBean(TextEncryptor.class)
|
||||
protected static class DefaultTextEncryptorConfiguration {
|
||||
|
||||
@Bean
|
||||
public TextEncryptor nullTextEncryptor() {
|
||||
return Encryptors.noOpText();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Bean
|
||||
@ConditionalOnMissingBean
|
||||
public EnvironmentEncryptor environmentEncryptor(
|
||||
TextEncryptorLocator textEncryptorLocator) {
|
||||
return new CipherEnvironmentEncryptor(textEncryptorLocator);
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@ConditionalOnClass(RsaSecretEncryptor.class)
|
||||
@ConditionalOnProperty(value = "encrypt.keyStore.location", matchIfMissing = false)
|
||||
@EnableConfigurationProperties(KeyProperties.class)
|
||||
protected static class KeyStoreConfiguration {
|
||||
|
||||
@Autowired
|
||||
private KeyProperties key;
|
||||
|
||||
@Bean
|
||||
@ConditionalOnMissingBean
|
||||
public TextEncryptorLocator textEncryptorLocator() {
|
||||
KeyStore keyStore = this.key.getKeyStore();
|
||||
return new KeyStoreTextEncryptorLocator(new KeyStoreKeyFactory(
|
||||
keyStore.getLocation(), keyStore.getPassword().toCharArray()),
|
||||
keyStore.getSecret(), keyStore.getAlias());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -13,12 +13,18 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.cloud.config.server;
|
||||
package org.springframework.cloud.config.server.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.cloud.config.server.ConfigServerHealthIndicator;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.cloud.config.server.EnvironmentRepository;
|
||||
import org.springframework.cloud.config.server.MultipleJGitEnvironmentRepository;
|
||||
import org.springframework.cloud.config.server.NativeEnvironmentRepository;
|
||||
import org.springframework.cloud.config.server.SvnKitEnvironmentRepository;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Profile;
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -14,36 +14,28 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
package org.springframework.cloud.config.server.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
|
||||
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
|
||||
/**
|
||||
* @author Bartosz Wojtkiewicz
|
||||
* @author Rafal Zukowski
|
||||
*
|
||||
*/
|
||||
@Configuration
|
||||
public class EncryptionAutoConfiguration {
|
||||
@AutoConfigureAfter(EncryptionAutoConfiguration.class)
|
||||
public class SingleEncryptorAutoConfiguration {
|
||||
|
||||
@Autowired(required = false)
|
||||
private TextEncryptor encryptor;
|
||||
|
||||
@Bean
|
||||
@ConditionalOnMissingBean
|
||||
public TextEncryptorLocator textEncryptorLocator(TextEncryptor encryptor) {
|
||||
return new SingleTextEncryptorLocator(encryptor);
|
||||
}
|
||||
|
||||
@ConditionalOnMissingBean(TextEncryptor.class)
|
||||
protected static class DefaultTextEncryptorConfiguration {
|
||||
|
||||
@Bean
|
||||
public TextEncryptor nullTextEncryptor() {
|
||||
return Encryptors.noOpText();
|
||||
}
|
||||
|
||||
public TextEncryptorLocator textEncryptorLocator() {
|
||||
return new SingleTextEncryptorLocator(this.encryptor);
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
@@ -22,11 +22,9 @@ import java.util.Map;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.environment.PropertySource;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.stereotype.Component;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
@@ -43,25 +41,27 @@ public class CipherEnvironmentEncryptor implements EnvironmentEncryptor {
|
||||
|
||||
private static Log logger = LogFactory.getLog(CipherEnvironmentEncryptor.class);
|
||||
|
||||
private final TextEncryptorLocator encryptorLocator;
|
||||
private final TextEncryptorLocator encryptor;
|
||||
|
||||
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
|
||||
|
||||
@Autowired
|
||||
public CipherEnvironmentEncryptor(TextEncryptorLocator encryptorLocator) {
|
||||
this.encryptorLocator = encryptorLocator;
|
||||
public CipherEnvironmentEncryptor(TextEncryptorLocator encryptor) {
|
||||
this.encryptor = encryptor;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Environment decrypt(Environment environment) {
|
||||
TextEncryptor encryptor = encryptorLocator.locate(environment.getName(),
|
||||
StringUtils.arrayToCommaDelimitedString(environment.getProfiles()));
|
||||
return encryptor != null ? decrypt(environment, encryptor) : environment;
|
||||
return this.encryptor != null ? decrypt(environment, this.encryptor)
|
||||
: environment;
|
||||
}
|
||||
|
||||
private Environment decrypt(Environment environment, TextEncryptor encryptor) {
|
||||
private Environment decrypt(Environment environment, TextEncryptorLocator encryptor) {
|
||||
Environment result = new Environment(environment.getName(),
|
||||
environment.getProfiles(), environment.getLabel());
|
||||
environment.getProfiles(), environment.getLabel());
|
||||
for (PropertySource source : environment.getPropertySources()) {
|
||||
Map<Object, Object> map = new LinkedHashMap<Object, Object>(source.getSource());
|
||||
Map<Object, Object> map = new LinkedHashMap<Object, Object>(
|
||||
source.getSource());
|
||||
for (Map.Entry<Object, Object> entry : new LinkedHashSet<>(map.entrySet())) {
|
||||
Object key = entry.getKey();
|
||||
String name = key.toString();
|
||||
@@ -69,13 +69,17 @@ public class CipherEnvironmentEncryptor implements EnvironmentEncryptor {
|
||||
if (value.startsWith("{cipher}")) {
|
||||
map.remove(key);
|
||||
try {
|
||||
value = value == null ? null : encryptor.decrypt(value.substring(
|
||||
"{cipher}".length()));
|
||||
} catch (Exception e) {
|
||||
value = value.substring("{cipher}".length());
|
||||
value = encryptor.locate(
|
||||
this.helper.getEncryptorKeys(name, StringUtils
|
||||
.arrayToCommaDelimitedString(environment
|
||||
.getProfiles()), value)).decrypt(this.helper.stripPrefix(value));
|
||||
}
|
||||
catch (Exception e) {
|
||||
value = "<n/a>";
|
||||
name = "invalid." + name;
|
||||
logger.warn("Cannot decrypt key: " + key
|
||||
+ " (" + e.getClass() + ": " + e.getMessage() + ")");
|
||||
logger.warn("Cannot decrypt key: " + key + " (" + e.getClass()
|
||||
+ ": " + e.getMessage() + ")");
|
||||
}
|
||||
map.put(name, value);
|
||||
}
|
||||
|
||||
@@ -13,42 +13,33 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.cloud.config.server;
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLDecoder;
|
||||
import java.security.KeyPair;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
|
||||
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
|
||||
import org.springframework.cloud.context.encrypt.EncryptorFactory;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.cloud.context.encrypt.KeyFormatException;
|
||||
import org.springframework.core.io.ByteArrayResource;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.crypto.codec.Base64;
|
||||
import org.springframework.security.crypto.codec.Hex;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
|
||||
import org.springframework.security.rsa.crypto.RsaKeyHolder;
|
||||
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
|
||||
import org.springframework.web.bind.annotation.ExceptionHandler;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestHeader;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.multipart.MultipartFile;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
@@ -60,77 +51,36 @@ public class EncryptionController {
|
||||
|
||||
private static Log logger = LogFactory.getLog(EncryptionController.class);
|
||||
|
||||
private final TextEncryptorLocator encryptorLocator;
|
||||
volatile private TextEncryptorLocator encryptor;
|
||||
|
||||
private final ConfigServerProperties properties;
|
||||
|
||||
public EncryptionController(TextEncryptorLocator encryptorLocator,
|
||||
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
|
||||
|
||||
public EncryptionController(TextEncryptorLocator encryptor,
|
||||
ConfigServerProperties configServerProperties) {
|
||||
this.encryptorLocator = encryptorLocator;
|
||||
this.encryptor = encryptor;
|
||||
this.properties = configServerProperties;
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/key", method = RequestMethod.GET)
|
||||
public String getPublicKey() {
|
||||
TextEncryptor encryptor = locateDefaultTextEncryptor();
|
||||
TextEncryptor encryptor = this.encryptor.locate(this.helper.getEncryptorKeys(
|
||||
"application", "default", ""));
|
||||
if (!(encryptor instanceof RsaKeyHolder)) {
|
||||
throw new KeyNotAvailableException();
|
||||
}
|
||||
return ((RsaKeyHolder) encryptor).getPublicKey();
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/key", method = RequestMethod.POST, params = { "password" })
|
||||
public ResponseEntity<Map<String, Object>> uploadKeyStore(
|
||||
@RequestParam("file") MultipartFile file,
|
||||
@RequestParam("password") String password, @RequestParam("alias") String alias) {
|
||||
|
||||
Map<String, Object> body = new HashMap<String, Object>();
|
||||
body.put("status", "OK");
|
||||
|
||||
try {
|
||||
ByteArrayResource resource = new ByteArrayResource(file.getBytes());
|
||||
KeyPair keyPair = new KeyStoreKeyFactory(resource, password.toCharArray())
|
||||
.getKeyPair(alias);
|
||||
RsaSecretEncryptor encryptor = new RsaSecretEncryptor(keyPair);
|
||||
updateEncryptor(encryptor);
|
||||
body.put("publicKey", encryptor.getPublicKey());
|
||||
}
|
||||
catch (IOException e) {
|
||||
throw new KeyFormatException();
|
||||
}
|
||||
logger.info("Key changed to alias=" + alias);
|
||||
|
||||
return new ResponseEntity<Map<String, Object>>(body, HttpStatus.CREATED);
|
||||
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/key", method = RequestMethod.POST, params = { "!password" })
|
||||
public ResponseEntity<Map<String, Object>> uploadKey(@RequestBody String data,
|
||||
@RequestHeader("Content-Type") MediaType type) {
|
||||
|
||||
Map<String, Object> body = new HashMap<String, Object>();
|
||||
body.put("status", "OK");
|
||||
|
||||
TextEncryptor encryptor = new EncryptorFactory().create(stripFormData(data, type,
|
||||
false));
|
||||
updateEncryptor(encryptor);
|
||||
if (encryptor instanceof RsaKeyHolder) {
|
||||
body.put("publicKey", ((RsaKeyHolder) encryptor).getPublicKey());
|
||||
}
|
||||
logger.info("Key changed with literal value");
|
||||
return new ResponseEntity<Map<String, Object>>(body, HttpStatus.CREATED);
|
||||
}
|
||||
|
||||
// this is temporary solution to support existing REST API
|
||||
// downcasting is only necessary until we introduce some key management abstraction,
|
||||
// we don't want TextEncryptorLocator to have setEncryptor method
|
||||
private void updateEncryptor(TextEncryptor encryptor) {
|
||||
if (encryptorLocator instanceof SingleTextEncryptorLocator) {
|
||||
((SingleTextEncryptorLocator) encryptorLocator).setEncryptor(encryptor);
|
||||
}
|
||||
else {
|
||||
throw new IncompatibleTextEncryptorLocatorException();
|
||||
@RequestMapping(value = "/key/{name}/{profiles}", method = RequestMethod.GET)
|
||||
public String getPublicKey(@PathVariable String name, @PathVariable String profiles) {
|
||||
TextEncryptor encryptor = this.encryptor.locate(this.helper.getEncryptorKeys(
|
||||
name, profiles, ""));
|
||||
if (!(encryptor instanceof RsaKeyHolder)) {
|
||||
throw new KeyNotAvailableException();
|
||||
}
|
||||
return ((RsaKeyHolder) encryptor).getPublicKey();
|
||||
}
|
||||
|
||||
@ExceptionHandler(KeyFormatException.class)
|
||||
@@ -153,7 +103,7 @@ public class EncryptionController {
|
||||
|
||||
@RequestMapping(value = "encrypt/status", method = RequestMethod.GET)
|
||||
public Map<String, Object> status() {
|
||||
checkEncryptorInstalled(locateDefaultTextEncryptor());
|
||||
checkEncryptorInstalled("application", "default");
|
||||
return Collections.<String, Object> singletonMap("status", "OK");
|
||||
}
|
||||
|
||||
@@ -161,18 +111,20 @@ public class EncryptionController {
|
||||
public String encrypt(@RequestBody String data,
|
||||
@RequestHeader("Content-Type") MediaType type) {
|
||||
|
||||
return encrypt(properties.getDefaultApplicationName(),
|
||||
properties.getDefaultProfile(), data, type);
|
||||
return encrypt(this.properties.getDefaultApplicationName(),
|
||||
this.properties.getDefaultProfile(), data, type);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/encrypt/{name}/{profiles}", method = RequestMethod.POST)
|
||||
public String encrypt(@PathVariable String name, @PathVariable String profiles,
|
||||
@RequestBody String data, @RequestHeader("Content-Type") MediaType type) {
|
||||
|
||||
checkEncryptorInstalled(name, profiles);
|
||||
try {
|
||||
TextEncryptor encryptor = checkEncryptorInstalled(encryptorLocator.locate(
|
||||
name, profiles));
|
||||
String encrypted = encryptor.encrypt(stripFormData(data, type, false));
|
||||
String input = stripFormData(data, type, false);
|
||||
Map<String, String> keys = this.helper
|
||||
.getEncryptorKeys(name, profiles, input);
|
||||
String encrypted = this.helper.addPrefix(keys, this.encryptor.locate(keys)
|
||||
.encrypt(input));
|
||||
logger.info("Encrypted data");
|
||||
return encrypted;
|
||||
}
|
||||
@@ -185,18 +137,19 @@ public class EncryptionController {
|
||||
public String decrypt(@RequestBody String data,
|
||||
@RequestHeader("Content-Type") MediaType type) {
|
||||
|
||||
return decrypt(properties.getDefaultApplicationName(),
|
||||
properties.getDefaultProfile(), data, type);
|
||||
return decrypt(this.properties.getDefaultApplicationName(),
|
||||
this.properties.getDefaultProfile(), data, type);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/decrypt/{name}/{profiles}", method = RequestMethod.POST)
|
||||
public String decrypt(@PathVariable String name, @PathVariable String profiles,
|
||||
@RequestBody String data, @RequestHeader("Content-Type") MediaType type) {
|
||||
|
||||
checkEncryptorInstalled(name, profiles);
|
||||
try {
|
||||
TextEncryptor encryptor = checkEncryptorInstalled(encryptorLocator.locate(
|
||||
name, profiles));
|
||||
String decrypted = encryptor.decrypt(stripFormData(data, type, true));
|
||||
String input = stripFormData(data, type, true);
|
||||
String decrypted = this.helper.stripPrefix(this.encryptor.locate(
|
||||
this.helper.getEncryptorKeys(name, profiles, input)).decrypt(
|
||||
this.helper.stripPrefix(input)));
|
||||
logger.info("Decrypted cipher data");
|
||||
return decrypted;
|
||||
}
|
||||
@@ -205,16 +158,13 @@ public class EncryptionController {
|
||||
}
|
||||
}
|
||||
|
||||
private TextEncryptor checkEncryptorInstalled(TextEncryptor encryptor) {
|
||||
if (encryptor == null || encryptor.encrypt("FOO").equals("FOO")) {
|
||||
private void checkEncryptorInstalled(String name, String profiles) {
|
||||
if (this.encryptor == null
|
||||
|| this.encryptor
|
||||
.locate(this.helper.getEncryptorKeys(name, profiles, ""))
|
||||
.encrypt("FOO").equals("FOO")) {
|
||||
throw new KeyNotInstalledException();
|
||||
}
|
||||
return encryptor;
|
||||
}
|
||||
|
||||
private TextEncryptor locateDefaultTextEncryptor() {
|
||||
return encryptorLocator.locate(properties.getDefaultApplicationName(),
|
||||
properties.getDefaultProfile());
|
||||
}
|
||||
|
||||
private String stripFormData(String data, MediaType type, boolean cipher) {
|
||||
@@ -285,7 +235,3 @@ class KeyNotAvailableException extends RuntimeException {
|
||||
@SuppressWarnings("serial")
|
||||
class InvalidCipherException extends RuntimeException {
|
||||
}
|
||||
|
||||
@SuppressWarnings("serial")
|
||||
class IncompatibleTextEncryptorLocatorException extends RuntimeException {
|
||||
}
|
||||
@@ -0,0 +1,128 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
/**
|
||||
* Shared helper class for encryption and decryption concerns where the plain text and
|
||||
* cipher texts can optionally contain prefixes of <code>{name:value}</code> pairs.
|
||||
* Special treatment is given to the "name" and "profiles" keys, which can be provided by
|
||||
* the caller, explicitly instead of by the input text strings. This is to support
|
||||
* independent decryptions using different cryptographic keys for different applications
|
||||
* and profiles, if needed (this class does not have any crypto features, but it can be
|
||||
* used by components that do).
|
||||
*
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
class EnvironmentPrefixHelper {
|
||||
|
||||
/**
|
||||
* key for the "profiles" prefix pair (usually a Spring profile or comma separated
|
||||
* value).
|
||||
*/
|
||||
private static final String PROFILES = "profiles";
|
||||
|
||||
/**
|
||||
* key for the "name" (Environment name or application name).
|
||||
*/
|
||||
private static final String NAME = "name";
|
||||
|
||||
/**
|
||||
* If plain text actually starts with text in the form <code>{name:value}</code>
|
||||
* prefix it with this to signal the start of the plain text.
|
||||
*/
|
||||
private static final String ESCAPE = "{plain}";
|
||||
|
||||
/**
|
||||
* Extract keys for looking up a {@link TextEncryptor} from the input text in the form
|
||||
* of a prefix of zero or many <code>{name:value}</code> pairs. The name and profiles
|
||||
* properties are always added to the keys (replacing any provided in the inputs).
|
||||
*/
|
||||
public Map<String, String> getEncryptorKeys(String name, String profiles, String text) {
|
||||
|
||||
Map<String, String> keys = new LinkedHashMap<String, String>();
|
||||
|
||||
text = removeEnvironmentPrefix(text);
|
||||
keys.put(NAME, name);
|
||||
keys.put(PROFILES, profiles);
|
||||
|
||||
if (text.contains(ESCAPE)) {
|
||||
text = text.substring(0, text.indexOf(ESCAPE));
|
||||
}
|
||||
|
||||
String[] tokens = StringUtils.split(text, "}");
|
||||
while (tokens != null) {
|
||||
String token = tokens[0].trim();
|
||||
if (token.startsWith("{")) {
|
||||
String key = "";
|
||||
String value = "";
|
||||
if (token.contains(":") && !token.endsWith(":")) {
|
||||
key = token.substring(1, token.indexOf(":"));
|
||||
value = token.substring(token.indexOf(":") + 1);
|
||||
}
|
||||
else {
|
||||
key = token.substring(1);
|
||||
}
|
||||
keys.put(key, value);
|
||||
}
|
||||
text = tokens[1];
|
||||
tokens = StringUtils.split(text, "}");
|
||||
}
|
||||
|
||||
return keys;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a prefix to the input text (usually a cipher) consisting of the
|
||||
* <code>{name:value}</code> pairs. The "name" and "profiles" keys are special in that
|
||||
* they are stripped since that information is always available when deriving the keys
|
||||
* in {@link #getEncryptorKeys(String, String, String)}.
|
||||
*/
|
||||
public String addPrefix(Map<String, String> keys, String input) {
|
||||
keys.remove(NAME);
|
||||
keys.remove(PROFILES);
|
||||
StringBuilder builder = new StringBuilder();
|
||||
for (String key : keys.keySet()) {
|
||||
builder.append("{").append(key).append(":").append(keys.get(key)).append("}");
|
||||
}
|
||||
builder.append(input);
|
||||
return builder.toString();
|
||||
}
|
||||
|
||||
public String stripPrefix(String value) {
|
||||
if (!value.contains("}")) {
|
||||
return value;
|
||||
}
|
||||
if (value.contains(ESCAPE)) {
|
||||
return value.substring(value.indexOf(ESCAPE) + ESCAPE.length());
|
||||
}
|
||||
return value.substring(value.lastIndexOf("}") + 1);
|
||||
}
|
||||
|
||||
private String removeEnvironmentPrefix(String input) {
|
||||
return input.replaceFirst("\\{name:.*\\}", "").replaceFirst("\\{profiles:.*\\}",
|
||||
"");
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,71 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
|
||||
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
|
||||
|
||||
/**
|
||||
* A {@link TextEncryptorLocator} that pulls RSA key pairs out of a keystore. The input
|
||||
* map can contain entries for "key" or "secret" or both, or neither. The secret in the
|
||||
* input map is not, in general, the secret in the keystore, but is dereferenced through a
|
||||
* {@link SecretLocator} (so for example you can keep a table of encrypted secrets and
|
||||
* update it separately to the keystore).
|
||||
*
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class KeyStoreTextEncryptorLocator implements TextEncryptorLocator {
|
||||
|
||||
private final static String KEY = "key";
|
||||
|
||||
private final static String SECRET = "secret";
|
||||
|
||||
private KeyStoreKeyFactory keys;
|
||||
|
||||
private String defaultSecret;
|
||||
|
||||
private String defaultAlias;
|
||||
|
||||
private SecretLocator secretLocator = new PassthruSecretLocator();
|
||||
|
||||
public KeyStoreTextEncryptorLocator(KeyStoreKeyFactory keys, String defaultSecret,
|
||||
String defaultAlias) {
|
||||
this.keys = keys;
|
||||
this.defaultAlias = defaultAlias;
|
||||
this.defaultSecret = defaultSecret;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param secretLocator the secretLocator to set
|
||||
*/
|
||||
public void setSecretLocator(SecretLocator secretLocator) {
|
||||
this.secretLocator = secretLocator;
|
||||
}
|
||||
|
||||
@Override
|
||||
public TextEncryptor locate(Map<String, String> keys) {
|
||||
String alias = keys.containsKey(KEY) ? keys.get(KEY) : this.defaultAlias;
|
||||
String secret = keys.containsKey(SECRET) ? keys.get(SECRET) : this.defaultSecret;
|
||||
return new RsaSecretEncryptor(this.keys.getKeyPair(alias,
|
||||
this.secretLocator.locate(secret)));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class PassthruSecretLocator implements SecretLocator {
|
||||
|
||||
@Override
|
||||
public char[] locate(String secret) {
|
||||
return secret==null ? new char[0] : secret.toCharArray();
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public interface SecretLocator {
|
||||
|
||||
char[] locate(String secret);
|
||||
|
||||
}
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,33 +16,27 @@
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
|
||||
/**
|
||||
* Basic implementation of TextEncryptorLocator which uses
|
||||
* single TextEncryptor for all applications and profiles.
|
||||
*
|
||||
* @author Bartosz Wojtkiewicz
|
||||
* @author Rafal Zukowski
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class SingleTextEncryptorLocator implements TextEncryptorLocator {
|
||||
|
||||
private TextEncryptor encryptor;
|
||||
|
||||
public SingleTextEncryptorLocator() {
|
||||
}
|
||||
|
||||
public SingleTextEncryptorLocator(TextEncryptor encryptor) {
|
||||
this.encryptor = encryptor;
|
||||
}
|
||||
|
||||
// temporary solution to support EncryptionController REST API
|
||||
public void setEncryptor(TextEncryptor encryptor) {
|
||||
this.encryptor = encryptor;
|
||||
this.encryptor = encryptor == null ? Encryptors.noOpText() : encryptor;
|
||||
}
|
||||
|
||||
@Override
|
||||
public TextEncryptor locate(String applicationName, String profiles) {
|
||||
return encryptor;
|
||||
public TextEncryptor locate(Map<String, String> keys) {
|
||||
return this.encryptor;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,22 +16,17 @@
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
|
||||
/**
|
||||
* Service interface for locating proper TextEncryptor to be used for particular application.
|
||||
* It can be used to provide config server with application and environment specific encryption.
|
||||
*
|
||||
* @author Dave Syer
|
||||
* @author Bartosz Wojtkiewicz
|
||||
* @author Rafal Zukowski
|
||||
*
|
||||
*/
|
||||
public interface TextEncryptorLocator {
|
||||
/**
|
||||
* Returns TextEncryptor to be used for given application and profiles.
|
||||
*
|
||||
* @param applicationName application name
|
||||
* @param profiles comma separated list of profiles
|
||||
*/
|
||||
TextEncryptor locate(String applicationName, String profiles);
|
||||
|
||||
TextEncryptor locate(Map<String,String> keys);
|
||||
|
||||
}
|
||||
|
||||
@@ -8,4 +8,5 @@ org.springframework.cloud.config.server.ConfigServerBootstrapApplicationListener
|
||||
|
||||
# Autoconfiguration
|
||||
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
|
||||
org.springframework.cloud.config.server.encryption.EncryptionAutoConfiguration
|
||||
org.springframework.cloud.config.server.config.EncryptionAutoConfiguration,\
|
||||
org.springframework.cloud.config.server.config.SingleEncryptorAutoConfiguration
|
||||
|
||||
@@ -1,77 +0,0 @@
|
||||
package org.springframework.cloud.config.server;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.springframework.http.MediaType.TEXT_PLAIN;
|
||||
import static org.springframework.security.crypto.encrypt.Encryptors.noOpText;
|
||||
import static org.springframework.security.crypto.encrypt.Encryptors.text;
|
||||
|
||||
/**
|
||||
* @author Bartosz Wojtkiewicz
|
||||
*
|
||||
*/
|
||||
|
||||
public class EncryptionControllerMultiTextEncryptorTests {
|
||||
NaiveMultiTextEncryptorLocator encryptorLocator = new NaiveMultiTextEncryptorLocator();
|
||||
ConfigServerProperties properties = new ConfigServerProperties();
|
||||
EncryptionController controller = new EncryptionController(encryptorLocator, properties);
|
||||
|
||||
String application = "application";
|
||||
String profiles = "profile1,profile2";
|
||||
String data = "foo";
|
||||
|
||||
@Test
|
||||
public void shouldEncryptUsingApplicationAndProfiles() {
|
||||
// given
|
||||
encryptorLocator.addSupportFor(application, profiles);
|
||||
|
||||
// when
|
||||
String encrypted = controller.encrypt(application, profiles, data, TEXT_PLAIN);
|
||||
|
||||
// then
|
||||
assertEquals(data, controller.decrypt(application, profiles, encrypted, TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void shouldNotEncryptUsingUnknownApplicationName() {
|
||||
// given
|
||||
String application = "unknown";
|
||||
|
||||
// when
|
||||
controller.encrypt(application, profiles, data, TEXT_PLAIN);
|
||||
|
||||
// then exception is thrown
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void shouldNotDecryptUsingUnknownApplicationName() {
|
||||
// given
|
||||
String application = "unknown";
|
||||
|
||||
// when
|
||||
controller.decrypt(application, profiles, data, TEXT_PLAIN);
|
||||
|
||||
// then exception is thrown
|
||||
}
|
||||
|
||||
class NaiveMultiTextEncryptorLocator implements TextEncryptorLocator {
|
||||
private Map<String, TextEncryptor> encryptors = new HashMap<>();
|
||||
|
||||
@Override
|
||||
public TextEncryptor locate(String applicationName, String profiles) {
|
||||
String key = applicationName + profiles;
|
||||
return encryptors.containsKey(key) ? encryptors.get(key) : noOpText();
|
||||
}
|
||||
|
||||
public void addSupportFor(String applicationName, String profiles) {
|
||||
encryptors.put(applicationName + profiles, text(applicationName, "11"));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,103 +0,0 @@
|
||||
/*
|
||||
* Copyright 2013-2014 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.cloud.config.server;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
|
||||
import org.springframework.cloud.context.encrypt.KeyFormatException;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class EncryptionControllerTests {
|
||||
|
||||
private SingleTextEncryptorLocator textEncryptorLocator = new SingleTextEncryptorLocator();
|
||||
private ConfigServerProperties properties = new ConfigServerProperties();
|
||||
private EncryptionController controller = new EncryptionController(textEncryptorLocator, properties);
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void cannotDecryptWithoutKey() {
|
||||
controller.decrypt("foo", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void cannotDecryptWithNoopEncryptor() {
|
||||
textEncryptorLocator.setEncryptor(Encryptors.noOpText());
|
||||
controller.decrypt("foo", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test(expected = KeyFormatException.class)
|
||||
public void cannotUploadPublicKey() {
|
||||
controller.uploadKey("ssh-rsa ...", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test(expected = KeyFormatException.class)
|
||||
public void cannotUploadPublicKeyPemFormat() {
|
||||
controller.uploadKey("---- BEGIN RSA PUBLIC KEY ...", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test(expected = InvalidCipherException.class)
|
||||
public void invalidCipher() {
|
||||
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
|
||||
controller.decrypt("foo", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sunnyDaySymmetricKey() {
|
||||
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
|
||||
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
|
||||
assertEquals("foo", controller.decrypt(cipher, MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sunnyDayRsaKey() {
|
||||
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
|
||||
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
|
||||
assertEquals("foo", controller.decrypt(cipher, MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void publicKey() {
|
||||
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
|
||||
String key = controller.getPublicKey();
|
||||
assertTrue("Wrong key format: " + key, key.startsWith("ssh-rsa"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void formDataIn() {
|
||||
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
|
||||
// Add space to input
|
||||
String cipher = controller.encrypt("foo bar=", MediaType.APPLICATION_FORM_URLENCODED);
|
||||
String decrypt = controller.decrypt(cipher + "=", MediaType.APPLICATION_FORM_URLENCODED);
|
||||
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void randomizedCipher() {
|
||||
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
|
||||
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
|
||||
assertNotEquals(cipher, controller.encrypt("foo", MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -19,10 +19,8 @@ package org.springframework.cloud.config.server;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.mockito.Mockito;
|
||||
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
|
||||
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
|
||||
@@ -39,32 +37,33 @@ public class EnvironmentControllerIntegrationTests {
|
||||
|
||||
@Before
|
||||
public void init() {
|
||||
Mockito.when(repository.getDefaultLabel()).thenReturn("master");
|
||||
mvc = MockMvcBuilders.standaloneSetup(
|
||||
new EnvironmentController(repository, new CipherEnvironmentEncryptor(new SingleTextEncryptorLocator())))
|
||||
.build();
|
||||
Mockito.when(this.repository.getDefaultLabel()).thenReturn("master");
|
||||
this.mvc = MockMvcBuilders.standaloneSetup(
|
||||
new EnvironmentController(this.repository,
|
||||
new CipherEnvironmentEncryptor(null))).build();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void environmentNoLabel() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "default", "master")).thenReturn(
|
||||
Mockito.when(this.repository.findOne("foo", "default", "master")).thenReturn(
|
||||
new Environment("foo", "default"));
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo/default")).andExpect(
|
||||
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default")).andExpect(
|
||||
MockMvcResultMatchers.status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void environmentWithLabel() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "default", "awesome")).thenReturn(
|
||||
Mockito.when(this.repository.findOne("foo", "default", "awesome")).thenReturn(
|
||||
new Environment("foo", "default"));
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo/default/awesome")).andExpect(
|
||||
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default/awesome")).andExpect(
|
||||
MockMvcResultMatchers.status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void environmentWithLabelContainingPeriod() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "default", "1.0.0")).thenReturn(
|
||||
Mockito.when(this.repository.findOne("foo", "default", "1.0.0")).thenReturn(
|
||||
new Environment("foo", "default"));
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo/default/1.0.0")).andExpect(
|
||||
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default/1.0.0")).andExpect(
|
||||
MockMvcResultMatchers.status().isOk());
|
||||
}
|
||||
|
||||
|
||||
@@ -15,6 +15,9 @@
|
||||
*/
|
||||
package org.springframework.cloud.config.server;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedHashMap;
|
||||
@@ -25,20 +28,15 @@ import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
import org.mockito.Mockito;
|
||||
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.environment.PropertySource;
|
||||
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
|
||||
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
* @author Roy Clarkson
|
||||
@@ -56,17 +54,18 @@ public class EnvironmentControllerTests {
|
||||
|
||||
@Before
|
||||
public void init() {
|
||||
Mockito.when(repository.getDefaultLabel()).thenReturn("master");
|
||||
this.controller = new EnvironmentController(repository, new CipherEnvironmentEncryptor(new SingleTextEncryptorLocator()));
|
||||
Mockito.when(this.repository.getDefaultLabel()).thenReturn("master");
|
||||
this.controller = new EnvironmentController(this.repository,
|
||||
new CipherEnvironmentEncryptor(null));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void vanillaYaml() throws Exception {
|
||||
Map<String, Object> map = new HashMap<String, Object>();
|
||||
map.put("a.b.c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("a:\n b:\n c: d\n", yaml);
|
||||
}
|
||||
|
||||
@@ -74,11 +73,11 @@ public class EnvironmentControllerTests {
|
||||
public void propertyOverrideInYaml() throws Exception {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("a.b.c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
environment.addFirst(new PropertySource("two", Collections.singletonMap("a.b.c",
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
this.environment.addFirst(new PropertySource("two", Collections.singletonMap("a.b.c",
|
||||
"e")));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("a:\n b:\n c: e\n", yaml);
|
||||
}
|
||||
|
||||
@@ -87,9 +86,9 @@ public class EnvironmentControllerTests {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("a.b[0]", "c");
|
||||
map.put("a.b[1]", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("a:\n b:\n - c\n - d\n", yaml);
|
||||
}
|
||||
|
||||
@@ -97,9 +96,9 @@ public class EnvironmentControllerTests {
|
||||
public void textAtTopLevelInYaml() throws Exception {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("document", "blah");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("blah\n", yaml);
|
||||
}
|
||||
|
||||
@@ -108,9 +107,9 @@ public class EnvironmentControllerTests {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("document[0]", "c");
|
||||
map.put("document[1]", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("- c\n- d\n", yaml);
|
||||
}
|
||||
|
||||
@@ -119,9 +118,9 @@ public class EnvironmentControllerTests {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("document[0].a", "c");
|
||||
map.put("document[1].a", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("- a: c\n- a: d\n", yaml);
|
||||
}
|
||||
|
||||
@@ -131,12 +130,12 @@ public class EnvironmentControllerTests {
|
||||
map.put("a.b[0].c", "d");
|
||||
map.put("a.b[0].d", "e");
|
||||
map.put("a.b[1].c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertTrue("Wrong output: " + yaml,
|
||||
"a:\n b:\n - d: e\n c: d\n - c: d\n".equals(yaml)
|
||||
|| "a:\n b:\n - c: d\n d: e\n - c: d\n".equals(yaml));
|
||||
|| "a:\n b:\n - c: d\n d: e\n - c: d\n".equals(yaml));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -144,9 +143,9 @@ public class EnvironmentControllerTests {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("b[0].c", "d");
|
||||
map.put("b[1].c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("b:\n- c: d\n- c: d\n", yaml);
|
||||
}
|
||||
|
||||
@@ -155,128 +154,128 @@ public class EnvironmentControllerTests {
|
||||
Map<String, Object> map = new LinkedHashMap<String, Object>();
|
||||
map.put("x.a.b[0].c", "d");
|
||||
map.put("x.a.b[1].c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
String yaml = controller.yaml("foo", "bar").getBody();
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
String yaml = this.controller.yaml("foo", "bar").getBody();
|
||||
assertEquals("x:\n a:\n b:\n - c: d\n - c: d\n", yaml);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForEnvironment() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo/bar")).andExpect(
|
||||
MockMvcResultMatchers.status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForLabelledEnvironment() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo/bar/other")).andExpect(
|
||||
MockMvcResultMatchers.status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForYaml() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.yml"))
|
||||
.andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN))
|
||||
.andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN))
|
||||
.andExpect(MockMvcResultMatchers.content().string("{}\n"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForJson() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.json"))
|
||||
.andExpect(
|
||||
MockMvcResultMatchers.content().contentType(
|
||||
MediaType.APPLICATION_JSON))
|
||||
.andExpect(MockMvcResultMatchers.content().string("{}"));
|
||||
.andExpect(
|
||||
MockMvcResultMatchers.content().contentType(
|
||||
MediaType.APPLICATION_JSON))
|
||||
.andExpect(MockMvcResultMatchers.content().string("{}"));
|
||||
;
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForLabelledYaml() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.yml")).andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForLabelledProperties() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.properties")).andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForProperties() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.properties")).andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForLabelledYamlWithHyphen() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar-spam", "other")).thenReturn(
|
||||
environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar-spam", "other")).thenReturn(
|
||||
this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar-spam.yml")).andExpect(
|
||||
MockMvcResultMatchers.status().isBadRequest());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingforLabelledJsonProperties() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.json")).andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingforJsonProperties() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.json")).andExpect(
|
||||
MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void mappingForLabelledJsonPropertiesWithHyphen() throws Exception {
|
||||
Mockito.when(repository.findOne("foo", "bar-spam", "other")).thenReturn(
|
||||
environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
|
||||
Mockito.when(this.repository.findOne("foo", "bar-spam", "other")).thenReturn(
|
||||
this.environment);
|
||||
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
|
||||
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar-spam.json")).andExpect(
|
||||
MockMvcResultMatchers.status().isBadRequest());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void allowOverrideFalse() throws Exception {
|
||||
controller.setOverrides(Collections.singletonMap("foo", "bar"));
|
||||
this.controller.setOverrides(Collections.singletonMap("foo", "bar"));
|
||||
Map<String, Object> map = new HashMap<String, Object>();
|
||||
map.put("a.b.c", "d");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
assertEquals("{foo=bar}", controller.defaultLabel("foo", "bar").getPropertySources()
|
||||
.get(0).getSource().toString());
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
assertEquals("{foo=bar}", this.controller.defaultLabel("foo", "bar")
|
||||
.getPropertySources().get(0).getSource().toString());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void overrideWithEscapedPlaceholders() throws Exception {
|
||||
controller.setOverrides(Collections.singletonMap("foo", "$\\{bar}"));
|
||||
this.controller.setOverrides(Collections.singletonMap("foo", "$\\{bar}"));
|
||||
Map<String, Object> map = new HashMap<String, Object>();
|
||||
map.put("bar", "foo");
|
||||
environment.add(new PropertySource("one", map));
|
||||
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
|
||||
assertEquals("{foo=${bar}}", controller.defaultLabel("foo", "bar").getPropertySources()
|
||||
.get(0).getSource().toString());
|
||||
this.environment.add(new PropertySource("one", map));
|
||||
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
|
||||
assertEquals("{foo=${bar}}", this.controller.defaultLabel("foo", "bar")
|
||||
.getPropertySources().get(0).getSource().toString());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -33,6 +33,7 @@ import org.junit.Test;
|
||||
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
|
||||
@@ -30,9 +30,9 @@ import org.junit.Test;
|
||||
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.server.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.cloud.config.server.ConfigServerTestUtils;
|
||||
import org.springframework.cloud.config.server.EnvironmentRepository;
|
||||
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
|
||||
@@ -31,10 +31,10 @@ import org.tmatesoft.svn.core.wc2.SvnCheckout;
|
||||
import org.tmatesoft.svn.core.wc2.SvnCommit;
|
||||
import org.tmatesoft.svn.core.wc2.SvnOperationFactory;
|
||||
import org.tmatesoft.svn.core.wc2.SvnTarget;
|
||||
|
||||
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
|
||||
@@ -16,34 +16,54 @@
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import static java.util.UUID.randomUUID;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.cloud.config.environment.Environment;
|
||||
import org.springframework.cloud.config.environment.PropertySource;
|
||||
import org.springframework.cloud.context.encrypt.EncryptorFactory;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
|
||||
import static java.util.UUID.randomUUID;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
public class CipherEnvironmentEncryptorTests {
|
||||
TextEncryptor textEncryptor = new EncryptorFactory().create("foo");
|
||||
TextEncryptorLocator textEncryptorLocator = new SingleTextEncryptorLocator(textEncryptor);
|
||||
EnvironmentEncryptor encryptor = new CipherEnvironmentEncryptor(textEncryptorLocator);
|
||||
TextEncryptor textEncryptor = new EncryptorFactory().create("foo");
|
||||
EnvironmentEncryptor encryptor = new CipherEnvironmentEncryptor(new TextEncryptorLocator() {
|
||||
|
||||
@Test
|
||||
public void shouldDecryptEnvironment() {
|
||||
// given
|
||||
String secret = randomUUID().toString();
|
||||
@Override
|
||||
public TextEncryptor locate(Map<String, String> keys) {
|
||||
return CipherEnvironmentEncryptorTests.this.textEncryptor;
|
||||
}
|
||||
});
|
||||
|
||||
// when
|
||||
Environment environment = new Environment("name", "profile", "label");
|
||||
environment.add(new PropertySource("a",
|
||||
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}" + textEncryptor.encrypt(secret))));
|
||||
@Test
|
||||
public void shouldDecryptEnvironment() {
|
||||
// given
|
||||
String secret = randomUUID().toString();
|
||||
|
||||
// when
|
||||
Environment environment = new Environment("name", "profile", "label");
|
||||
environment.add(new PropertySource("a",
|
||||
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}" + this.textEncryptor.encrypt(secret))));
|
||||
|
||||
// then
|
||||
assertEquals(secret, this.encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldDecryptEnvironmentWithKey() {
|
||||
// given
|
||||
String secret = randomUUID().toString();
|
||||
|
||||
// when
|
||||
Environment environment = new Environment("name", "profile", "label");
|
||||
environment.add(new PropertySource("a",
|
||||
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}{key:test}" + this.textEncryptor.encrypt(secret))));
|
||||
|
||||
// then
|
||||
assertEquals(secret, this.encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
|
||||
}
|
||||
|
||||
// then
|
||||
assertEquals(secret, encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.springframework.http.MediaType.TEXT_PLAIN;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
|
||||
/**
|
||||
* @author Bartosz Wojtkiewicz
|
||||
*
|
||||
*/
|
||||
|
||||
public class EncryptionControllerMultiTextEncryptorTests {
|
||||
|
||||
ConfigServerProperties properties = new ConfigServerProperties();
|
||||
EncryptionController controller = new EncryptionController(
|
||||
new SingleTextEncryptorLocator(Encryptors.noOpText()), this.properties);
|
||||
|
||||
String application = "application";
|
||||
String profiles = "profile1,profile2";
|
||||
String data = "foo";
|
||||
|
||||
@Test
|
||||
public void shouldEncryptUsingApplicationAndProfiles() {
|
||||
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
Encryptors.text("application", "11")), this.properties);
|
||||
|
||||
// when
|
||||
String encrypted = this.controller.encrypt(this.application, this.profiles,
|
||||
this.data, TEXT_PLAIN);
|
||||
|
||||
// then
|
||||
assertEquals(this.data, this.controller.decrypt(this.application, this.profiles,
|
||||
encrypted, TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void shouldNotEncryptUsingNoOp() {
|
||||
// given
|
||||
String application = "unknown";
|
||||
|
||||
// when
|
||||
this.controller.encrypt(application, this.profiles, this.data, TEXT_PLAIN);
|
||||
|
||||
// then exception is thrown
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void shouldNotDecryptUsingNoOp() {
|
||||
// given
|
||||
String application = "unknown";
|
||||
|
||||
// when
|
||||
this.controller.decrypt(application, this.profiles, this.data, TEXT_PLAIN);
|
||||
|
||||
// then exception is thrown
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,124 @@
|
||||
/*
|
||||
* Copyright 2013-2014 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.cloud.config.server.ConfigServerProperties;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.crypto.encrypt.Encryptors;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class EncryptionControllerTests {
|
||||
|
||||
private ConfigServerProperties properties = new ConfigServerProperties();
|
||||
private EncryptionController controller = new EncryptionController(
|
||||
new SingleTextEncryptorLocator(Encryptors.noOpText()), this.properties);
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void cannotDecryptWithoutKey() {
|
||||
this.controller.decrypt("foo", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test(expected = KeyNotInstalledException.class)
|
||||
public void cannotDecryptWithNoopEncryptor() {
|
||||
this.controller.decrypt("foo", MediaType.TEXT_PLAIN);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void sunnyDayRsaKey() {
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
new RsaSecretEncryptor()), this.properties);
|
||||
String cipher = this.controller.encrypt("foo", MediaType.TEXT_PLAIN);
|
||||
assertEquals("foo", this.controller.decrypt(cipher, MediaType.TEXT_PLAIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void publicKey() {
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
new RsaSecretEncryptor()), this.properties);
|
||||
String key = this.controller.getPublicKey();
|
||||
assertTrue("Wrong key format: " + key, key.startsWith("ssh-rsa"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void appAndProfile() {
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
new RsaSecretEncryptor()), this.properties);
|
||||
// Add space to input
|
||||
String cipher = this.controller.encrypt("app", "default", "foo bar",
|
||||
MediaType.TEXT_PLAIN);
|
||||
String decrypt = this.controller.decrypt("app", "default", cipher,
|
||||
MediaType.TEXT_PLAIN);
|
||||
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void formDataIn() {
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
new RsaSecretEncryptor()), this.properties);
|
||||
// Add space to input
|
||||
String cipher = this.controller.encrypt("foo bar=",
|
||||
MediaType.APPLICATION_FORM_URLENCODED);
|
||||
String decrypt = this.controller.decrypt(cipher + "=",
|
||||
MediaType.APPLICATION_FORM_URLENCODED);
|
||||
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void formDataInWithPrefix() {
|
||||
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
|
||||
new RsaSecretEncryptor()), this.properties);
|
||||
// Add space to input
|
||||
String cipher = this.controller.encrypt("{key:test}foo bar=",
|
||||
MediaType.APPLICATION_FORM_URLENCODED);
|
||||
String decrypt = this.controller.decrypt(cipher + "=",
|
||||
MediaType.APPLICATION_FORM_URLENCODED);
|
||||
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void addEnvironment() {
|
||||
TextEncryptorLocator locator = new TextEncryptorLocator() {
|
||||
|
||||
private RsaSecretEncryptor encryptor = new RsaSecretEncryptor();
|
||||
|
||||
@Override
|
||||
public TextEncryptor locate(Map<String, String> keys) {
|
||||
return this.encryptor;
|
||||
}
|
||||
};
|
||||
this.controller = new EncryptionController(locator, this.properties);
|
||||
// Add space to input
|
||||
String cipher = this.controller.encrypt("app", "default", "foo bar",
|
||||
MediaType.TEXT_PLAIN);
|
||||
assertFalse("Wrong cipher: " + cipher, cipher.contains("{name:app}"));
|
||||
String decrypt = this.controller.decrypt("app", "default", cipher,
|
||||
MediaType.TEXT_PLAIN);
|
||||
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class EnvironmentPrefixHelperTests {
|
||||
|
||||
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
|
||||
|
||||
@Test
|
||||
public void testAddPrefix() {
|
||||
assertEquals("{bar:spam}foo",
|
||||
this.helper.addPrefix(Collections.singletonMap("bar", "spam"), "foo"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAddNoPrefix() {
|
||||
assertEquals("foo",
|
||||
this.helper.addPrefix(Collections.<String, String> emptyMap(), "foo"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testStripNoPrefix() {
|
||||
assertEquals("foo", this.helper.stripPrefix("foo"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testStripPrefix() {
|
||||
assertEquals("foo", this.helper.stripPrefix("{key:foo}foo"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testStripPrefixWithEscape() {
|
||||
assertEquals("{key:foo}foo", this.helper.stripPrefix("{plain}{key:foo}foo"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testKeysDefaults() {
|
||||
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar", "spam");
|
||||
assertEquals("foo", keys.get("name"));
|
||||
assertEquals("bar", keys.get("profiles"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testKeysWithPrefix() {
|
||||
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar",
|
||||
"{key:mykey}foo");
|
||||
assertEquals(3, keys.size());
|
||||
assertEquals("mykey", keys.get("key"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testKeysWithPrefixAndEscape() {
|
||||
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar",
|
||||
"{key:mykey}{plain}{foo:bar}foo");
|
||||
assertEquals(3, keys.size());
|
||||
assertEquals("mykey", keys.get("key"));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,72 @@
|
||||
/*
|
||||
* Copyright 2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.cloud.config.server.encryption;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.security.crypto.encrypt.TextEncryptor;
|
||||
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
|
||||
|
||||
/**
|
||||
* @author Dave Syer
|
||||
*
|
||||
*/
|
||||
public class KeyStoreTextEncryptorLocatorTests {
|
||||
|
||||
private KeyStoreTextEncryptorLocator locator = new KeyStoreTextEncryptorLocator(
|
||||
new KeyStoreKeyFactory(new ClassPathResource("server.jks"),
|
||||
"letmein".toCharArray()), "changeme", "mytestkey");
|
||||
|
||||
@Test
|
||||
public void testDefaults() {
|
||||
TextEncryptor encryptor = this.locator.locate(Collections
|
||||
.<String, String> emptyMap());
|
||||
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDifferentKeyDefaultSecret() {
|
||||
this.locator.setSecretLocator(new SecretLocator() {
|
||||
|
||||
@Override
|
||||
public char[] locate(String secret) {
|
||||
assertEquals("changeme", secret);
|
||||
// The actual secret for "mykey" is the same as the keystore password
|
||||
return "letmein".toCharArray();
|
||||
}
|
||||
});
|
||||
TextEncryptor encryptor = this.locator.locate(Collections
|
||||
.<String, String> singletonMap("key", "mykey"));
|
||||
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDifferentKeyAndSecret() {
|
||||
Map<String, String> map = new HashMap<String, String>();
|
||||
map.put("key", "mytestkey");
|
||||
map.put("secret", "changeme");
|
||||
TextEncryptor encryptor = this.locator.locate(map);
|
||||
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
|
||||
}
|
||||
|
||||
}
|
||||
BIN
spring-cloud-config-server/src/test/resources/server.jks
Normal file
BIN
spring-cloud-config-server/src/test/resources/server.jks
Normal file
Binary file not shown.
Reference in New Issue
Block a user