Provide options for key rotation and per-app cryptography

Cipher text (and plain text in the /encrypt endpoint) can now
carry a prefix of {name:value} pairs, all of which are passed
into the TextEncryptorLocator (instead of just the app name
and profiles).

The inputs are prepared symmetrically by the EncryptionController
(if used) and the EnvironmentEncryptor (used in the EnvironmentController).

Tidy up docs and add notes on keys.
This commit is contained in:
Dave Syer
2015-06-09 13:13:35 +01:00
parent fdf6689e90
commit 1504d6cb0c
30 changed files with 975 additions and 468 deletions

View File

@@ -261,15 +261,13 @@ You can download the "Java Cryptography Extension (JCE) Unlimited Strength Juris
from Oracle, and follow instructions for installation (essentially replace the 2 policy files
in the JRE lib/security directory with the ones that you downloaded).
The server exposes `/encrypt` and `/decrypt` endpoints (on the
assumption that these will be secured and only accessed by authorized
agents). If the remote property sources contain encryted content
If the remote property sources contain encryted content
(values starting with `{cipher}`) they will be decrypted before
sending to clients over HTTP. The main advantage of this set up is
that the property values don't have to be in plain text when they are
"at rest" (e.g. in a git repository). If a value cannot be decrypted
it is replaced with an empty string, largely to prevent cipher text
being used as a password in Spring Boot autconfigured HTTP basic.
being used as a password and accidentally leaking.
If you are setting up a remote config repository for config client
applications it might contain an `application.yml` like this, for
@@ -286,7 +284,9 @@ spring:
You can safely push this plain text to a shared git repository and the
secret password is protected.
If you are editing a remote config file you can use the Config Server
The server also exposes `/encrypt` and `/decrypt` endpoints (on the
assumption that these will be secured and only accessed by authorized
agents). If you are editing a remote config file you can use the Config Server
to encrypt values by POSTing to the `/encrypt` endpoint, e.g.
----
@@ -304,7 +304,15 @@ mysecret
Take the encypted value and add the `{cipher}` prefix before you put
it in the YAML or properties file, and before you commit and push it
to a remote, potentially insecure store.
to a remote, potentially insecure store. The `/encypt` and `/decrypt`
endpoints also both accept paths of the form `/*/{name}/{profiles}`
which can be used to control cryptography per application (name)
and profile when clients call into the main Environment resource.
NOTE: to control the cryptography in this granular way you must also
provide a `@Bean` of type `TextEncryptorLocator` that creates a
different encryptor per name and profiles. The one that is provided
by default does not do this.
The `spring` command line client (with Spring Cloud CLI extensions
installed) can also be used to encrypt and decrypt, e.g.
@@ -335,9 +343,7 @@ it is just a single property value to configure.
To configure a symmetric key you just need to set `encrypt.key` to a
secret String (or use an enviroment variable `ENCRYPT_KEY` to keep it
out of plain text configuration files). You can also POST a key value
to the `/key` endpoint (but that won't change any existing encrypted
values in remote repositories).
out of plain text configuration files).
To configure an asymmetric key you can either set the key as a
PEM-encoded text value (in `encrypt.key`), or via a keystore (e.g. as
@@ -381,6 +387,43 @@ encrypt:
secret: changeme
----
=== Using Multiple Keys and Key Rotation
In addition to the `{cipher}` prefix in encrypted property values, the
Config Server looks for `{name:value}` prefixes (zero or many) before
the start of the (Base64 encoded) cipher text. The keys are passed to
a `TextEncryptorLocator` which can do whatever logic it needs to
locate a `TextEncryptor` for the cipher. If you have configured a
keystore (`encrypt.keystore.location`) the default locator will look
for keys in the store with aliases as supplied by the "key" prefix,
i.e. with a cipher text like this:
----
foo:
bar: `{cipher}{key:testkey}...`
----
the locator will look for a key named "testkey". A secret can also be
supplied via a `{secret:...}` value in the prefix, but if it is not
the default is to use the keystore password (which is what you get
when you build a keytore and don't specify a secret). If you *do*
supply a secret it is recommended that you also encrypt the secrets
using a custom `SecretLocator`.
Key rotation is hardly ever necessary on cryptographic grounds if the
keys are only being used to encrypt a few bytes of configuration data
(i.e. they are not being used elsewhere), but occasionally you might
need to change the keys if there is a security breach for instance. In
that case all the clients would need to change their source config
files (e.g. in git) and use a new `{key:...}` prefix in all the
ciphers, checking beforehand of course that the key alias is available
in the Config Server keystore.
TIP: the `{name:value}` prefixes can also be added to plaintext posted
to the `/encrypt` endpoint, if you want to let the Config Server
handle all encryption as well as decryption.
=== Embedding the Config Server
The Config Server runs best as a standalone application, but if you

View File

@@ -18,6 +18,7 @@ package org.springframework.cloud.config.server;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.config.client.ConfigClientProperties;
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

View File

@@ -21,7 +21,9 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.cloud.config.server.encryption.ConfigServerEncryptionConfiguration;
import org.springframework.cloud.config.server.config.ConfigServerEncryptionConfiguration;
import org.springframework.cloud.config.server.config.ConfigServerMvcConfiguration;
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
import org.springframework.context.annotation.Import;
/**

View File

@@ -14,11 +14,12 @@
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
package org.springframework.cloud.config.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.cloud.config.server.EncryptionController;
import org.springframework.cloud.config.server.encryption.EncryptionController;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -30,20 +31,15 @@ import org.springframework.context.annotation.Configuration;
@Configuration
public class ConfigServerEncryptionConfiguration {
@Autowired
private TextEncryptorLocator locator;
@Autowired(required=false)
private TextEncryptorLocator encryptor;
@Autowired
private ConfigServerProperties properties;
@Bean
public EnvironmentEncryptor environmentEncryptor() {
return new CipherEnvironmentEncryptor(locator);
}
@Bean
public EncryptionController encryptionController() {
return new EncryptionController(locator, properties);
return new EncryptionController(this.encryptor, this.properties);
}
}

View File

@@ -13,10 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server;
package org.springframework.cloud.config.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.cloud.config.server.EnvironmentController;
import org.springframework.cloud.config.server.EnvironmentRepository;
import org.springframework.cloud.config.server.encryption.EnvironmentEncryptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

View File

@@ -0,0 +1,87 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
import org.springframework.cloud.bootstrap.encrypt.KeyProperties.KeyStore;
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
import org.springframework.cloud.config.server.encryption.EnvironmentEncryptor;
import org.springframework.cloud.config.server.encryption.KeyStoreTextEncryptorLocator;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
/**
* Auto configuration for text encryptors and environment encryptors (non-web stuff).
* Users can provide beans of the same type as any or all of the beans defined here in
* application code to override the default behaviour.
*
* @author Bartosz Wojtkiewicz
* @author Rafal Zukowski
* @author Dave Syer
*
*/
@Configuration
public class EncryptionAutoConfiguration {
@ConditionalOnMissingBean(TextEncryptor.class)
protected static class DefaultTextEncryptorConfiguration {
@Bean
public TextEncryptor nullTextEncryptor() {
return Encryptors.noOpText();
}
}
@Bean
@ConditionalOnMissingBean
public EnvironmentEncryptor environmentEncryptor(
TextEncryptorLocator textEncryptorLocator) {
return new CipherEnvironmentEncryptor(textEncryptorLocator);
}
@Configuration
@ConditionalOnClass(RsaSecretEncryptor.class)
@ConditionalOnProperty(value = "encrypt.keyStore.location", matchIfMissing = false)
@EnableConfigurationProperties(KeyProperties.class)
protected static class KeyStoreConfiguration {
@Autowired
private KeyProperties key;
@Bean
@ConditionalOnMissingBean
public TextEncryptorLocator textEncryptorLocator() {
KeyStore keyStore = this.key.getKeyStore();
return new KeyStoreTextEncryptorLocator(new KeyStoreKeyFactory(
keyStore.getLocation(), keyStore.getPassword().toCharArray()),
keyStore.getSecret(), keyStore.getAlias());
}
}
}

View File

@@ -13,12 +13,18 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server;
package org.springframework.cloud.config.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.config.server.ConfigServerHealthIndicator;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.cloud.config.server.EnvironmentRepository;
import org.springframework.cloud.config.server.MultipleJGitEnvironmentRepository;
import org.springframework.cloud.config.server.NativeEnvironmentRepository;
import org.springframework.cloud.config.server.SvnKitEnvironmentRepository;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2015 the original author or authors.
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,36 +14,28 @@
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
package org.springframework.cloud.config.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
/**
* @author Bartosz Wojtkiewicz
* @author Rafal Zukowski
*
*/
@Configuration
public class EncryptionAutoConfiguration {
@AutoConfigureAfter(EncryptionAutoConfiguration.class)
public class SingleEncryptorAutoConfiguration {
@Autowired(required = false)
private TextEncryptor encryptor;
@Bean
@ConditionalOnMissingBean
public TextEncryptorLocator textEncryptorLocator(TextEncryptor encryptor) {
return new SingleTextEncryptorLocator(encryptor);
}
@ConditionalOnMissingBean(TextEncryptor.class)
protected static class DefaultTextEncryptorConfiguration {
@Bean
public TextEncryptor nullTextEncryptor() {
return Encryptors.noOpText();
}
public TextEncryptorLocator textEncryptorLocator() {
return new SingleTextEncryptorLocator(this.encryptor);
}
}
}

View File

@@ -22,11 +22,9 @@ import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.environment.PropertySource;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
@@ -43,25 +41,27 @@ public class CipherEnvironmentEncryptor implements EnvironmentEncryptor {
private static Log logger = LogFactory.getLog(CipherEnvironmentEncryptor.class);
private final TextEncryptorLocator encryptorLocator;
private final TextEncryptorLocator encryptor;
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
@Autowired
public CipherEnvironmentEncryptor(TextEncryptorLocator encryptorLocator) {
this.encryptorLocator = encryptorLocator;
public CipherEnvironmentEncryptor(TextEncryptorLocator encryptor) {
this.encryptor = encryptor;
}
@Override
public Environment decrypt(Environment environment) {
TextEncryptor encryptor = encryptorLocator.locate(environment.getName(),
StringUtils.arrayToCommaDelimitedString(environment.getProfiles()));
return encryptor != null ? decrypt(environment, encryptor) : environment;
return this.encryptor != null ? decrypt(environment, this.encryptor)
: environment;
}
private Environment decrypt(Environment environment, TextEncryptor encryptor) {
private Environment decrypt(Environment environment, TextEncryptorLocator encryptor) {
Environment result = new Environment(environment.getName(),
environment.getProfiles(), environment.getLabel());
environment.getProfiles(), environment.getLabel());
for (PropertySource source : environment.getPropertySources()) {
Map<Object, Object> map = new LinkedHashMap<Object, Object>(source.getSource());
Map<Object, Object> map = new LinkedHashMap<Object, Object>(
source.getSource());
for (Map.Entry<Object, Object> entry : new LinkedHashSet<>(map.entrySet())) {
Object key = entry.getKey();
String name = key.toString();
@@ -69,13 +69,17 @@ public class CipherEnvironmentEncryptor implements EnvironmentEncryptor {
if (value.startsWith("{cipher}")) {
map.remove(key);
try {
value = value == null ? null : encryptor.decrypt(value.substring(
"{cipher}".length()));
} catch (Exception e) {
value = value.substring("{cipher}".length());
value = encryptor.locate(
this.helper.getEncryptorKeys(name, StringUtils
.arrayToCommaDelimitedString(environment
.getProfiles()), value)).decrypt(this.helper.stripPrefix(value));
}
catch (Exception e) {
value = "<n/a>";
name = "invalid." + name;
logger.warn("Cannot decrypt key: " + key
+ " (" + e.getClass() + ": " + e.getMessage() + ")");
logger.warn("Cannot decrypt key: " + key + " (" + e.getClass()
+ ": " + e.getMessage() + ")");
}
map.put(name, value);
}

View File

@@ -13,42 +13,33 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server;
package org.springframework.cloud.config.server.encryption;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.security.KeyPair;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.cloud.context.encrypt.EncryptorFactory;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.cloud.context.encrypt.KeyFormatException;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
import org.springframework.security.rsa.crypto.RsaKeyHolder;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;
/**
* @author Dave Syer
@@ -60,77 +51,36 @@ public class EncryptionController {
private static Log logger = LogFactory.getLog(EncryptionController.class);
private final TextEncryptorLocator encryptorLocator;
volatile private TextEncryptorLocator encryptor;
private final ConfigServerProperties properties;
public EncryptionController(TextEncryptorLocator encryptorLocator,
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
public EncryptionController(TextEncryptorLocator encryptor,
ConfigServerProperties configServerProperties) {
this.encryptorLocator = encryptorLocator;
this.encryptor = encryptor;
this.properties = configServerProperties;
}
@RequestMapping(value = "/key", method = RequestMethod.GET)
public String getPublicKey() {
TextEncryptor encryptor = locateDefaultTextEncryptor();
TextEncryptor encryptor = this.encryptor.locate(this.helper.getEncryptorKeys(
"application", "default", ""));
if (!(encryptor instanceof RsaKeyHolder)) {
throw new KeyNotAvailableException();
}
return ((RsaKeyHolder) encryptor).getPublicKey();
}
@RequestMapping(value = "/key", method = RequestMethod.POST, params = { "password" })
public ResponseEntity<Map<String, Object>> uploadKeyStore(
@RequestParam("file") MultipartFile file,
@RequestParam("password") String password, @RequestParam("alias") String alias) {
Map<String, Object> body = new HashMap<String, Object>();
body.put("status", "OK");
try {
ByteArrayResource resource = new ByteArrayResource(file.getBytes());
KeyPair keyPair = new KeyStoreKeyFactory(resource, password.toCharArray())
.getKeyPair(alias);
RsaSecretEncryptor encryptor = new RsaSecretEncryptor(keyPair);
updateEncryptor(encryptor);
body.put("publicKey", encryptor.getPublicKey());
}
catch (IOException e) {
throw new KeyFormatException();
}
logger.info("Key changed to alias=" + alias);
return new ResponseEntity<Map<String, Object>>(body, HttpStatus.CREATED);
}
@RequestMapping(value = "/key", method = RequestMethod.POST, params = { "!password" })
public ResponseEntity<Map<String, Object>> uploadKey(@RequestBody String data,
@RequestHeader("Content-Type") MediaType type) {
Map<String, Object> body = new HashMap<String, Object>();
body.put("status", "OK");
TextEncryptor encryptor = new EncryptorFactory().create(stripFormData(data, type,
false));
updateEncryptor(encryptor);
if (encryptor instanceof RsaKeyHolder) {
body.put("publicKey", ((RsaKeyHolder) encryptor).getPublicKey());
}
logger.info("Key changed with literal value");
return new ResponseEntity<Map<String, Object>>(body, HttpStatus.CREATED);
}
// this is temporary solution to support existing REST API
// downcasting is only necessary until we introduce some key management abstraction,
// we don't want TextEncryptorLocator to have setEncryptor method
private void updateEncryptor(TextEncryptor encryptor) {
if (encryptorLocator instanceof SingleTextEncryptorLocator) {
((SingleTextEncryptorLocator) encryptorLocator).setEncryptor(encryptor);
}
else {
throw new IncompatibleTextEncryptorLocatorException();
@RequestMapping(value = "/key/{name}/{profiles}", method = RequestMethod.GET)
public String getPublicKey(@PathVariable String name, @PathVariable String profiles) {
TextEncryptor encryptor = this.encryptor.locate(this.helper.getEncryptorKeys(
name, profiles, ""));
if (!(encryptor instanceof RsaKeyHolder)) {
throw new KeyNotAvailableException();
}
return ((RsaKeyHolder) encryptor).getPublicKey();
}
@ExceptionHandler(KeyFormatException.class)
@@ -153,7 +103,7 @@ public class EncryptionController {
@RequestMapping(value = "encrypt/status", method = RequestMethod.GET)
public Map<String, Object> status() {
checkEncryptorInstalled(locateDefaultTextEncryptor());
checkEncryptorInstalled("application", "default");
return Collections.<String, Object> singletonMap("status", "OK");
}
@@ -161,18 +111,20 @@ public class EncryptionController {
public String encrypt(@RequestBody String data,
@RequestHeader("Content-Type") MediaType type) {
return encrypt(properties.getDefaultApplicationName(),
properties.getDefaultProfile(), data, type);
return encrypt(this.properties.getDefaultApplicationName(),
this.properties.getDefaultProfile(), data, type);
}
@RequestMapping(value = "/encrypt/{name}/{profiles}", method = RequestMethod.POST)
public String encrypt(@PathVariable String name, @PathVariable String profiles,
@RequestBody String data, @RequestHeader("Content-Type") MediaType type) {
checkEncryptorInstalled(name, profiles);
try {
TextEncryptor encryptor = checkEncryptorInstalled(encryptorLocator.locate(
name, profiles));
String encrypted = encryptor.encrypt(stripFormData(data, type, false));
String input = stripFormData(data, type, false);
Map<String, String> keys = this.helper
.getEncryptorKeys(name, profiles, input);
String encrypted = this.helper.addPrefix(keys, this.encryptor.locate(keys)
.encrypt(input));
logger.info("Encrypted data");
return encrypted;
}
@@ -185,18 +137,19 @@ public class EncryptionController {
public String decrypt(@RequestBody String data,
@RequestHeader("Content-Type") MediaType type) {
return decrypt(properties.getDefaultApplicationName(),
properties.getDefaultProfile(), data, type);
return decrypt(this.properties.getDefaultApplicationName(),
this.properties.getDefaultProfile(), data, type);
}
@RequestMapping(value = "/decrypt/{name}/{profiles}", method = RequestMethod.POST)
public String decrypt(@PathVariable String name, @PathVariable String profiles,
@RequestBody String data, @RequestHeader("Content-Type") MediaType type) {
checkEncryptorInstalled(name, profiles);
try {
TextEncryptor encryptor = checkEncryptorInstalled(encryptorLocator.locate(
name, profiles));
String decrypted = encryptor.decrypt(stripFormData(data, type, true));
String input = stripFormData(data, type, true);
String decrypted = this.helper.stripPrefix(this.encryptor.locate(
this.helper.getEncryptorKeys(name, profiles, input)).decrypt(
this.helper.stripPrefix(input)));
logger.info("Decrypted cipher data");
return decrypted;
}
@@ -205,16 +158,13 @@ public class EncryptionController {
}
}
private TextEncryptor checkEncryptorInstalled(TextEncryptor encryptor) {
if (encryptor == null || encryptor.encrypt("FOO").equals("FOO")) {
private void checkEncryptorInstalled(String name, String profiles) {
if (this.encryptor == null
|| this.encryptor
.locate(this.helper.getEncryptorKeys(name, profiles, ""))
.encrypt("FOO").equals("FOO")) {
throw new KeyNotInstalledException();
}
return encryptor;
}
private TextEncryptor locateDefaultTextEncryptor() {
return encryptorLocator.locate(properties.getDefaultApplicationName(),
properties.getDefaultProfile());
}
private String stripFormData(String data, MediaType type, boolean cipher) {
@@ -285,7 +235,3 @@ class KeyNotAvailableException extends RuntimeException {
@SuppressWarnings("serial")
class InvalidCipherException extends RuntimeException {
}
@SuppressWarnings("serial")
class IncompatibleTextEncryptorLocatorException extends RuntimeException {
}

View File

@@ -0,0 +1,128 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.util.StringUtils;
/**
* Shared helper class for encryption and decryption concerns where the plain text and
* cipher texts can optionally contain prefixes of <code>{name:value}</code> pairs.
* Special treatment is given to the "name" and "profiles" keys, which can be provided by
* the caller, explicitly instead of by the input text strings. This is to support
* independent decryptions using different cryptographic keys for different applications
* and profiles, if needed (this class does not have any crypto features, but it can be
* used by components that do).
*
* @author Dave Syer
*
*/
class EnvironmentPrefixHelper {
/**
* key for the "profiles" prefix pair (usually a Spring profile or comma separated
* value).
*/
private static final String PROFILES = "profiles";
/**
* key for the "name" (Environment name or application name).
*/
private static final String NAME = "name";
/**
* If plain text actually starts with text in the form <code>{name:value}</code>
* prefix it with this to signal the start of the plain text.
*/
private static final String ESCAPE = "{plain}";
/**
* Extract keys for looking up a {@link TextEncryptor} from the input text in the form
* of a prefix of zero or many <code>{name:value}</code> pairs. The name and profiles
* properties are always added to the keys (replacing any provided in the inputs).
*/
public Map<String, String> getEncryptorKeys(String name, String profiles, String text) {
Map<String, String> keys = new LinkedHashMap<String, String>();
text = removeEnvironmentPrefix(text);
keys.put(NAME, name);
keys.put(PROFILES, profiles);
if (text.contains(ESCAPE)) {
text = text.substring(0, text.indexOf(ESCAPE));
}
String[] tokens = StringUtils.split(text, "}");
while (tokens != null) {
String token = tokens[0].trim();
if (token.startsWith("{")) {
String key = "";
String value = "";
if (token.contains(":") && !token.endsWith(":")) {
key = token.substring(1, token.indexOf(":"));
value = token.substring(token.indexOf(":") + 1);
}
else {
key = token.substring(1);
}
keys.put(key, value);
}
text = tokens[1];
tokens = StringUtils.split(text, "}");
}
return keys;
}
/**
* Add a prefix to the input text (usually a cipher) consisting of the
* <code>{name:value}</code> pairs. The "name" and "profiles" keys are special in that
* they are stripped since that information is always available when deriving the keys
* in {@link #getEncryptorKeys(String, String, String)}.
*/
public String addPrefix(Map<String, String> keys, String input) {
keys.remove(NAME);
keys.remove(PROFILES);
StringBuilder builder = new StringBuilder();
for (String key : keys.keySet()) {
builder.append("{").append(key).append(":").append(keys.get(key)).append("}");
}
builder.append(input);
return builder.toString();
}
public String stripPrefix(String value) {
if (!value.contains("}")) {
return value;
}
if (value.contains(ESCAPE)) {
return value.substring(value.indexOf(ESCAPE) + ESCAPE.length());
}
return value.substring(value.lastIndexOf("}") + 1);
}
private String removeEnvironmentPrefix(String input) {
return input.replaceFirst("\\{name:.*\\}", "").replaceFirst("\\{profiles:.*\\}",
"");
}
}

View File

@@ -0,0 +1,71 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
import java.util.Map;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
/**
* A {@link TextEncryptorLocator} that pulls RSA key pairs out of a keystore. The input
* map can contain entries for "key" or "secret" or both, or neither. The secret in the
* input map is not, in general, the secret in the keystore, but is dereferenced through a
* {@link SecretLocator} (so for example you can keep a table of encrypted secrets and
* update it separately to the keystore).
*
* @author Dave Syer
*
*/
public class KeyStoreTextEncryptorLocator implements TextEncryptorLocator {
private final static String KEY = "key";
private final static String SECRET = "secret";
private KeyStoreKeyFactory keys;
private String defaultSecret;
private String defaultAlias;
private SecretLocator secretLocator = new PassthruSecretLocator();
public KeyStoreTextEncryptorLocator(KeyStoreKeyFactory keys, String defaultSecret,
String defaultAlias) {
this.keys = keys;
this.defaultAlias = defaultAlias;
this.defaultSecret = defaultSecret;
}
/**
* @param secretLocator the secretLocator to set
*/
public void setSecretLocator(SecretLocator secretLocator) {
this.secretLocator = secretLocator;
}
@Override
public TextEncryptor locate(Map<String, String> keys) {
String alias = keys.containsKey(KEY) ? keys.get(KEY) : this.defaultAlias;
String secret = keys.containsKey(SECRET) ? keys.get(SECRET) : this.defaultSecret;
return new RsaSecretEncryptor(this.keys.getKeyPair(alias,
this.secretLocator.locate(secret)));
}
}

View File

@@ -0,0 +1,30 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
/**
* @author Dave Syer
*
*/
public class PassthruSecretLocator implements SecretLocator {
@Override
public char[] locate(String secret) {
return secret==null ? new char[0] : secret.toCharArray();
}
}

View File

@@ -0,0 +1,27 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
/**
* @author Dave Syer
*
*/
public interface SecretLocator {
char[] locate(String secret);
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2015 the original author or authors.
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,33 +16,27 @@
package org.springframework.cloud.config.server.encryption;
import java.util.Map;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
/**
* Basic implementation of TextEncryptorLocator which uses
* single TextEncryptor for all applications and profiles.
*
* @author Bartosz Wojtkiewicz
* @author Rafal Zukowski
* @author Dave Syer
*
*/
public class SingleTextEncryptorLocator implements TextEncryptorLocator {
private TextEncryptor encryptor;
public SingleTextEncryptorLocator() {
}
public SingleTextEncryptorLocator(TextEncryptor encryptor) {
this.encryptor = encryptor;
}
// temporary solution to support EncryptionController REST API
public void setEncryptor(TextEncryptor encryptor) {
this.encryptor = encryptor;
this.encryptor = encryptor == null ? Encryptors.noOpText() : encryptor;
}
@Override
public TextEncryptor locate(String applicationName, String profiles) {
return encryptor;
public TextEncryptor locate(Map<String, String> keys) {
return this.encryptor;
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2015 the original author or authors.
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,22 +16,17 @@
package org.springframework.cloud.config.server.encryption;
import java.util.Map;
import org.springframework.security.crypto.encrypt.TextEncryptor;
/**
* Service interface for locating proper TextEncryptor to be used for particular application.
* It can be used to provide config server with application and environment specific encryption.
*
* @author Dave Syer
* @author Bartosz Wojtkiewicz
* @author Rafal Zukowski
*
*/
public interface TextEncryptorLocator {
/**
* Returns TextEncryptor to be used for given application and profiles.
*
* @param applicationName application name
* @param profiles comma separated list of profiles
*/
TextEncryptor locate(String applicationName, String profiles);
TextEncryptor locate(Map<String,String> keys);
}

View File

@@ -8,4 +8,5 @@ org.springframework.cloud.config.server.ConfigServerBootstrapApplicationListener
# Autoconfiguration
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
org.springframework.cloud.config.server.encryption.EncryptionAutoConfiguration
org.springframework.cloud.config.server.config.EncryptionAutoConfiguration,\
org.springframework.cloud.config.server.config.SingleEncryptorAutoConfiguration

View File

@@ -1,77 +0,0 @@
package org.springframework.cloud.config.server;
import java.util.HashMap;
import java.util.Map;
import org.junit.Test;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import static org.junit.Assert.assertEquals;
import static org.springframework.http.MediaType.TEXT_PLAIN;
import static org.springframework.security.crypto.encrypt.Encryptors.noOpText;
import static org.springframework.security.crypto.encrypt.Encryptors.text;
/**
* @author Bartosz Wojtkiewicz
*
*/
public class EncryptionControllerMultiTextEncryptorTests {
NaiveMultiTextEncryptorLocator encryptorLocator = new NaiveMultiTextEncryptorLocator();
ConfigServerProperties properties = new ConfigServerProperties();
EncryptionController controller = new EncryptionController(encryptorLocator, properties);
String application = "application";
String profiles = "profile1,profile2";
String data = "foo";
@Test
public void shouldEncryptUsingApplicationAndProfiles() {
// given
encryptorLocator.addSupportFor(application, profiles);
// when
String encrypted = controller.encrypt(application, profiles, data, TEXT_PLAIN);
// then
assertEquals(data, controller.decrypt(application, profiles, encrypted, TEXT_PLAIN));
}
@Test(expected = KeyNotInstalledException.class)
public void shouldNotEncryptUsingUnknownApplicationName() {
// given
String application = "unknown";
// when
controller.encrypt(application, profiles, data, TEXT_PLAIN);
// then exception is thrown
}
@Test(expected = KeyNotInstalledException.class)
public void shouldNotDecryptUsingUnknownApplicationName() {
// given
String application = "unknown";
// when
controller.decrypt(application, profiles, data, TEXT_PLAIN);
// then exception is thrown
}
class NaiveMultiTextEncryptorLocator implements TextEncryptorLocator {
private Map<String, TextEncryptor> encryptors = new HashMap<>();
@Override
public TextEncryptor locate(String applicationName, String profiles) {
String key = applicationName + profiles;
return encryptors.containsKey(key) ? encryptors.get(key) : noOpText();
}
public void addSupportFor(String applicationName, String profiles) {
encryptors.put(applicationName + profiles, text(applicationName, "11"));
}
}
}

View File

@@ -1,103 +0,0 @@
/*
* Copyright 2013-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server;
import org.junit.Test;
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
import org.springframework.cloud.context.encrypt.KeyFormatException;
import org.springframework.http.MediaType;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertTrue;
/**
* @author Dave Syer
*
*/
public class EncryptionControllerTests {
private SingleTextEncryptorLocator textEncryptorLocator = new SingleTextEncryptorLocator();
private ConfigServerProperties properties = new ConfigServerProperties();
private EncryptionController controller = new EncryptionController(textEncryptorLocator, properties);
@Test(expected = KeyNotInstalledException.class)
public void cannotDecryptWithoutKey() {
controller.decrypt("foo", MediaType.TEXT_PLAIN);
}
@Test(expected = KeyNotInstalledException.class)
public void cannotDecryptWithNoopEncryptor() {
textEncryptorLocator.setEncryptor(Encryptors.noOpText());
controller.decrypt("foo", MediaType.TEXT_PLAIN);
}
@Test(expected = KeyFormatException.class)
public void cannotUploadPublicKey() {
controller.uploadKey("ssh-rsa ...", MediaType.TEXT_PLAIN);
}
@Test(expected = KeyFormatException.class)
public void cannotUploadPublicKeyPemFormat() {
controller.uploadKey("---- BEGIN RSA PUBLIC KEY ...", MediaType.TEXT_PLAIN);
}
@Test(expected = InvalidCipherException.class)
public void invalidCipher() {
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
controller.decrypt("foo", MediaType.TEXT_PLAIN);
}
@Test
public void sunnyDaySymmetricKey() {
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
assertEquals("foo", controller.decrypt(cipher, MediaType.TEXT_PLAIN));
}
@Test
public void sunnyDayRsaKey() {
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
assertEquals("foo", controller.decrypt(cipher, MediaType.TEXT_PLAIN));
}
@Test
public void publicKey() {
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
String key = controller.getPublicKey();
assertTrue("Wrong key format: " + key, key.startsWith("ssh-rsa"));
}
@Test
public void formDataIn() {
textEncryptorLocator.setEncryptor(new RsaSecretEncryptor());
// Add space to input
String cipher = controller.encrypt("foo bar=", MediaType.APPLICATION_FORM_URLENCODED);
String decrypt = controller.decrypt(cipher + "=", MediaType.APPLICATION_FORM_URLENCODED);
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
}
@Test
public void randomizedCipher() {
controller.uploadKey("foo", MediaType.TEXT_PLAIN);
String cipher = controller.encrypt("foo", MediaType.TEXT_PLAIN);
assertNotEquals(cipher, controller.encrypt("foo", MediaType.TEXT_PLAIN));
}
}

View File

@@ -19,10 +19,8 @@ package org.springframework.cloud.config.server;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
@@ -39,32 +37,33 @@ public class EnvironmentControllerIntegrationTests {
@Before
public void init() {
Mockito.when(repository.getDefaultLabel()).thenReturn("master");
mvc = MockMvcBuilders.standaloneSetup(
new EnvironmentController(repository, new CipherEnvironmentEncryptor(new SingleTextEncryptorLocator())))
.build();
Mockito.when(this.repository.getDefaultLabel()).thenReturn("master");
this.mvc = MockMvcBuilders.standaloneSetup(
new EnvironmentController(this.repository,
new CipherEnvironmentEncryptor(null))).build();
}
@Test
public void environmentNoLabel() throws Exception {
Mockito.when(repository.findOne("foo", "default", "master")).thenReturn(
Mockito.when(this.repository.findOne("foo", "default", "master")).thenReturn(
new Environment("foo", "default"));
mvc.perform(MockMvcRequestBuilders.get("/foo/default")).andExpect(
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default")).andExpect(
MockMvcResultMatchers.status().isOk());
}
@Test
public void environmentWithLabel() throws Exception {
Mockito.when(repository.findOne("foo", "default", "awesome")).thenReturn(
Mockito.when(this.repository.findOne("foo", "default", "awesome")).thenReturn(
new Environment("foo", "default"));
mvc.perform(MockMvcRequestBuilders.get("/foo/default/awesome")).andExpect(
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default/awesome")).andExpect(
MockMvcResultMatchers.status().isOk());
}
@Test
public void environmentWithLabelContainingPeriod() throws Exception {
Mockito.when(repository.findOne("foo", "default", "1.0.0")).thenReturn(
Mockito.when(this.repository.findOne("foo", "default", "1.0.0")).thenReturn(
new Environment("foo", "default"));
mvc.perform(MockMvcRequestBuilders.get("/foo/default/1.0.0")).andExpect(
this.mvc.perform(MockMvcRequestBuilders.get("/foo/default/1.0.0")).andExpect(
MockMvcResultMatchers.status().isOk());
}

View File

@@ -15,6 +15,9 @@
*/
package org.springframework.cloud.config.server;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
@@ -25,20 +28,15 @@ import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Mockito;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.environment.PropertySource;
import org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor;
import org.springframework.cloud.config.server.encryption.SingleTextEncryptorLocator;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* @author Dave Syer
* @author Roy Clarkson
@@ -56,17 +54,18 @@ public class EnvironmentControllerTests {
@Before
public void init() {
Mockito.when(repository.getDefaultLabel()).thenReturn("master");
this.controller = new EnvironmentController(repository, new CipherEnvironmentEncryptor(new SingleTextEncryptorLocator()));
Mockito.when(this.repository.getDefaultLabel()).thenReturn("master");
this.controller = new EnvironmentController(this.repository,
new CipherEnvironmentEncryptor(null));
}
@Test
public void vanillaYaml() throws Exception {
Map<String, Object> map = new HashMap<String, Object>();
map.put("a.b.c", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("a:\n b:\n c: d\n", yaml);
}
@@ -74,11 +73,11 @@ public class EnvironmentControllerTests {
public void propertyOverrideInYaml() throws Exception {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("a.b.c", "d");
environment.add(new PropertySource("one", map));
environment.addFirst(new PropertySource("two", Collections.singletonMap("a.b.c",
this.environment.add(new PropertySource("one", map));
this.environment.addFirst(new PropertySource("two", Collections.singletonMap("a.b.c",
"e")));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("a:\n b:\n c: e\n", yaml);
}
@@ -87,9 +86,9 @@ public class EnvironmentControllerTests {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("a.b[0]", "c");
map.put("a.b[1]", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("a:\n b:\n - c\n - d\n", yaml);
}
@@ -97,9 +96,9 @@ public class EnvironmentControllerTests {
public void textAtTopLevelInYaml() throws Exception {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("document", "blah");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("blah\n", yaml);
}
@@ -108,9 +107,9 @@ public class EnvironmentControllerTests {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("document[0]", "c");
map.put("document[1]", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("- c\n- d\n", yaml);
}
@@ -119,9 +118,9 @@ public class EnvironmentControllerTests {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("document[0].a", "c");
map.put("document[1].a", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("- a: c\n- a: d\n", yaml);
}
@@ -131,12 +130,12 @@ public class EnvironmentControllerTests {
map.put("a.b[0].c", "d");
map.put("a.b[0].d", "e");
map.put("a.b[1].c", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertTrue("Wrong output: " + yaml,
"a:\n b:\n - d: e\n c: d\n - c: d\n".equals(yaml)
|| "a:\n b:\n - c: d\n d: e\n - c: d\n".equals(yaml));
|| "a:\n b:\n - c: d\n d: e\n - c: d\n".equals(yaml));
}
@Test
@@ -144,9 +143,9 @@ public class EnvironmentControllerTests {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("b[0].c", "d");
map.put("b[1].c", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("b:\n- c: d\n- c: d\n", yaml);
}
@@ -155,128 +154,128 @@ public class EnvironmentControllerTests {
Map<String, Object> map = new LinkedHashMap<String, Object>();
map.put("x.a.b[0].c", "d");
map.put("x.a.b[1].c", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
String yaml = controller.yaml("foo", "bar").getBody();
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
String yaml = this.controller.yaml("foo", "bar").getBody();
assertEquals("x:\n a:\n b:\n - c: d\n - c: d\n", yaml);
}
@Test
public void mappingForEnvironment() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo/bar")).andExpect(
MockMvcResultMatchers.status().isOk());
}
@Test
public void mappingForLabelledEnvironment() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo/bar/other")).andExpect(
MockMvcResultMatchers.status().isOk());
}
@Test
public void mappingForYaml() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.yml"))
.andExpect(
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN))
.andExpect(
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN))
.andExpect(MockMvcResultMatchers.content().string("{}\n"));
}
@Test
public void mappingForJson() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.json"))
.andExpect(
MockMvcResultMatchers.content().contentType(
MediaType.APPLICATION_JSON))
.andExpect(MockMvcResultMatchers.content().string("{}"));
.andExpect(
MockMvcResultMatchers.content().contentType(
MediaType.APPLICATION_JSON))
.andExpect(MockMvcResultMatchers.content().string("{}"));
;
}
@Test
public void mappingForLabelledYaml() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.yml")).andExpect(
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
}
@Test
public void mappingForLabelledProperties() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.properties")).andExpect(
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
}
@Test
public void mappingForProperties() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.properties")).andExpect(
MockMvcResultMatchers.content().contentType(MediaType.TEXT_PLAIN));
}
@Test
public void mappingForLabelledYamlWithHyphen() throws Exception {
Mockito.when(repository.findOne("foo", "bar-spam", "other")).thenReturn(
environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar-spam", "other")).thenReturn(
this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar-spam.yml")).andExpect(
MockMvcResultMatchers.status().isBadRequest());
}
@Test
public void mappingforLabelledJsonProperties() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "other")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "other")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar.json")).andExpect(
MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON));
}
@Test
public void mappingforJsonProperties() throws Exception {
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/foo-bar.json")).andExpect(
MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON));
}
@Test
public void mappingForLabelledJsonPropertiesWithHyphen() throws Exception {
Mockito.when(repository.findOne("foo", "bar-spam", "other")).thenReturn(
environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(controller).build();
Mockito.when(this.repository.findOne("foo", "bar-spam", "other")).thenReturn(
this.environment);
MockMvc mvc = MockMvcBuilders.standaloneSetup(this.controller).build();
mvc.perform(MockMvcRequestBuilders.get("/other/foo-bar-spam.json")).andExpect(
MockMvcResultMatchers.status().isBadRequest());
}
@Test
public void allowOverrideFalse() throws Exception {
controller.setOverrides(Collections.singletonMap("foo", "bar"));
this.controller.setOverrides(Collections.singletonMap("foo", "bar"));
Map<String, Object> map = new HashMap<String, Object>();
map.put("a.b.c", "d");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
assertEquals("{foo=bar}", controller.defaultLabel("foo", "bar").getPropertySources()
.get(0).getSource().toString());
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
assertEquals("{foo=bar}", this.controller.defaultLabel("foo", "bar")
.getPropertySources().get(0).getSource().toString());
}
@Test
public void overrideWithEscapedPlaceholders() throws Exception {
controller.setOverrides(Collections.singletonMap("foo", "$\\{bar}"));
this.controller.setOverrides(Collections.singletonMap("foo", "$\\{bar}"));
Map<String, Object> map = new HashMap<String, Object>();
map.put("bar", "foo");
environment.add(new PropertySource("one", map));
Mockito.when(repository.findOne("foo", "bar", "master")).thenReturn(environment);
assertEquals("{foo=${bar}}", controller.defaultLabel("foo", "bar").getPropertySources()
.get(0).getSource().toString());
this.environment.add(new PropertySource("one", map));
Mockito.when(this.repository.findOne("foo", "bar", "master")).thenReturn(this.environment);
assertEquals("{foo=${bar}}", this.controller.defaultLabel("foo", "bar")
.getPropertySources().get(0).getSource().toString());
}
}

View File

@@ -33,6 +33,7 @@ import org.junit.Test;
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

View File

@@ -30,9 +30,9 @@ import org.junit.Test;
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.server.EnvironmentRepositoryConfiguration;
import org.springframework.cloud.config.server.ConfigServerTestUtils;
import org.springframework.cloud.config.server.EnvironmentRepository;
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

View File

@@ -31,10 +31,10 @@ import org.tmatesoft.svn.core.wc2.SvnCheckout;
import org.tmatesoft.svn.core.wc2.SvnCommit;
import org.tmatesoft.svn.core.wc2.SvnOperationFactory;
import org.tmatesoft.svn.core.wc2.SvnTarget;
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.server.config.EnvironmentRepositoryConfiguration;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

View File

@@ -16,34 +16,54 @@
package org.springframework.cloud.config.server.encryption;
import static java.util.UUID.randomUUID;
import static org.junit.Assert.assertEquals;
import java.util.Collections;
import java.util.Map;
import org.junit.Test;
import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.environment.PropertySource;
import org.springframework.cloud.context.encrypt.EncryptorFactory;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import static java.util.UUID.randomUUID;
import static org.junit.Assert.assertEquals;
public class CipherEnvironmentEncryptorTests {
TextEncryptor textEncryptor = new EncryptorFactory().create("foo");
TextEncryptorLocator textEncryptorLocator = new SingleTextEncryptorLocator(textEncryptor);
EnvironmentEncryptor encryptor = new CipherEnvironmentEncryptor(textEncryptorLocator);
TextEncryptor textEncryptor = new EncryptorFactory().create("foo");
EnvironmentEncryptor encryptor = new CipherEnvironmentEncryptor(new TextEncryptorLocator() {
@Test
public void shouldDecryptEnvironment() {
// given
String secret = randomUUID().toString();
@Override
public TextEncryptor locate(Map<String, String> keys) {
return CipherEnvironmentEncryptorTests.this.textEncryptor;
}
});
// when
Environment environment = new Environment("name", "profile", "label");
environment.add(new PropertySource("a",
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}" + textEncryptor.encrypt(secret))));
@Test
public void shouldDecryptEnvironment() {
// given
String secret = randomUUID().toString();
// when
Environment environment = new Environment("name", "profile", "label");
environment.add(new PropertySource("a",
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}" + this.textEncryptor.encrypt(secret))));
// then
assertEquals(secret, this.encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
}
@Test
public void shouldDecryptEnvironmentWithKey() {
// given
String secret = randomUUID().toString();
// when
Environment environment = new Environment("name", "profile", "label");
environment.add(new PropertySource("a",
Collections.<Object, Object>singletonMap(environment.getName(), "{cipher}{key:test}" + this.textEncryptor.encrypt(secret))));
// then
assertEquals(secret, this.encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
}
// then
assertEquals(secret, encryptor.decrypt(environment).getPropertySources().get(0).getSource().get(environment.getName()));
}
}

View File

@@ -0,0 +1,62 @@
package org.springframework.cloud.config.server.encryption;
import static org.junit.Assert.assertEquals;
import static org.springframework.http.MediaType.TEXT_PLAIN;
import org.junit.Test;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.security.crypto.encrypt.Encryptors;
/**
* @author Bartosz Wojtkiewicz
*
*/
public class EncryptionControllerMultiTextEncryptorTests {
ConfigServerProperties properties = new ConfigServerProperties();
EncryptionController controller = new EncryptionController(
new SingleTextEncryptorLocator(Encryptors.noOpText()), this.properties);
String application = "application";
String profiles = "profile1,profile2";
String data = "foo";
@Test
public void shouldEncryptUsingApplicationAndProfiles() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
Encryptors.text("application", "11")), this.properties);
// when
String encrypted = this.controller.encrypt(this.application, this.profiles,
this.data, TEXT_PLAIN);
// then
assertEquals(this.data, this.controller.decrypt(this.application, this.profiles,
encrypted, TEXT_PLAIN));
}
@Test(expected = KeyNotInstalledException.class)
public void shouldNotEncryptUsingNoOp() {
// given
String application = "unknown";
// when
this.controller.encrypt(application, this.profiles, this.data, TEXT_PLAIN);
// then exception is thrown
}
@Test(expected = KeyNotInstalledException.class)
public void shouldNotDecryptUsingNoOp() {
// given
String application = "unknown";
// when
this.controller.decrypt(application, this.profiles, this.data, TEXT_PLAIN);
// then exception is thrown
}
}

View File

@@ -0,0 +1,124 @@
/*
* Copyright 2013-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.util.Map;
import org.junit.Test;
import org.springframework.cloud.config.server.ConfigServerProperties;
import org.springframework.http.MediaType;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
/**
* @author Dave Syer
*
*/
public class EncryptionControllerTests {
private ConfigServerProperties properties = new ConfigServerProperties();
private EncryptionController controller = new EncryptionController(
new SingleTextEncryptorLocator(Encryptors.noOpText()), this.properties);
@Test(expected = KeyNotInstalledException.class)
public void cannotDecryptWithoutKey() {
this.controller.decrypt("foo", MediaType.TEXT_PLAIN);
}
@Test(expected = KeyNotInstalledException.class)
public void cannotDecryptWithNoopEncryptor() {
this.controller.decrypt("foo", MediaType.TEXT_PLAIN);
}
@Test
public void sunnyDayRsaKey() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
new RsaSecretEncryptor()), this.properties);
String cipher = this.controller.encrypt("foo", MediaType.TEXT_PLAIN);
assertEquals("foo", this.controller.decrypt(cipher, MediaType.TEXT_PLAIN));
}
@Test
public void publicKey() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
new RsaSecretEncryptor()), this.properties);
String key = this.controller.getPublicKey();
assertTrue("Wrong key format: " + key, key.startsWith("ssh-rsa"));
}
@Test
public void appAndProfile() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
new RsaSecretEncryptor()), this.properties);
// Add space to input
String cipher = this.controller.encrypt("app", "default", "foo bar",
MediaType.TEXT_PLAIN);
String decrypt = this.controller.decrypt("app", "default", cipher,
MediaType.TEXT_PLAIN);
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
}
@Test
public void formDataIn() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
new RsaSecretEncryptor()), this.properties);
// Add space to input
String cipher = this.controller.encrypt("foo bar=",
MediaType.APPLICATION_FORM_URLENCODED);
String decrypt = this.controller.decrypt(cipher + "=",
MediaType.APPLICATION_FORM_URLENCODED);
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
}
@Test
public void formDataInWithPrefix() {
this.controller = new EncryptionController(new SingleTextEncryptorLocator(
new RsaSecretEncryptor()), this.properties);
// Add space to input
String cipher = this.controller.encrypt("{key:test}foo bar=",
MediaType.APPLICATION_FORM_URLENCODED);
String decrypt = this.controller.decrypt(cipher + "=",
MediaType.APPLICATION_FORM_URLENCODED);
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
}
@Test
public void addEnvironment() {
TextEncryptorLocator locator = new TextEncryptorLocator() {
private RsaSecretEncryptor encryptor = new RsaSecretEncryptor();
@Override
public TextEncryptor locate(Map<String, String> keys) {
return this.encryptor;
}
};
this.controller = new EncryptionController(locator, this.properties);
// Add space to input
String cipher = this.controller.encrypt("app", "default", "foo bar",
MediaType.TEXT_PLAIN);
assertFalse("Wrong cipher: " + cipher, cipher.contains("{name:app}"));
String decrypt = this.controller.decrypt("app", "default", cipher,
MediaType.TEXT_PLAIN);
assertEquals("Wrong decrypted plaintext: " + decrypt, "foo bar", decrypt);
}
}

View File

@@ -0,0 +1,84 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
import static org.junit.Assert.assertEquals;
import java.util.Collections;
import java.util.Map;
import org.junit.Test;
/**
* @author Dave Syer
*
*/
public class EnvironmentPrefixHelperTests {
private EnvironmentPrefixHelper helper = new EnvironmentPrefixHelper();
@Test
public void testAddPrefix() {
assertEquals("{bar:spam}foo",
this.helper.addPrefix(Collections.singletonMap("bar", "spam"), "foo"));
}
@Test
public void testAddNoPrefix() {
assertEquals("foo",
this.helper.addPrefix(Collections.<String, String> emptyMap(), "foo"));
}
@Test
public void testStripNoPrefix() {
assertEquals("foo", this.helper.stripPrefix("foo"));
}
@Test
public void testStripPrefix() {
assertEquals("foo", this.helper.stripPrefix("{key:foo}foo"));
}
@Test
public void testStripPrefixWithEscape() {
assertEquals("{key:foo}foo", this.helper.stripPrefix("{plain}{key:foo}foo"));
}
@Test
public void testKeysDefaults() {
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar", "spam");
assertEquals("foo", keys.get("name"));
assertEquals("bar", keys.get("profiles"));
}
@Test
public void testKeysWithPrefix() {
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar",
"{key:mykey}foo");
assertEquals(3, keys.size());
assertEquals("mykey", keys.get("key"));
}
@Test
public void testKeysWithPrefixAndEscape() {
Map<String, String> keys = this.helper.getEncryptorKeys("foo", "bar",
"{key:mykey}{plain}{foo:bar}foo");
assertEquals(3, keys.size());
assertEquals("mykey", keys.get("key"));
}
}

View File

@@ -0,0 +1,72 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.encryption;
import static org.junit.Assert.assertEquals;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.junit.Test;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
/**
* @author Dave Syer
*
*/
public class KeyStoreTextEncryptorLocatorTests {
private KeyStoreTextEncryptorLocator locator = new KeyStoreTextEncryptorLocator(
new KeyStoreKeyFactory(new ClassPathResource("server.jks"),
"letmein".toCharArray()), "changeme", "mytestkey");
@Test
public void testDefaults() {
TextEncryptor encryptor = this.locator.locate(Collections
.<String, String> emptyMap());
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
}
@Test
public void testDifferentKeyDefaultSecret() {
this.locator.setSecretLocator(new SecretLocator() {
@Override
public char[] locate(String secret) {
assertEquals("changeme", secret);
// The actual secret for "mykey" is the same as the keystore password
return "letmein".toCharArray();
}
});
TextEncryptor encryptor = this.locator.locate(Collections
.<String, String> singletonMap("key", "mykey"));
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
}
@Test
public void testDifferentKeyAndSecret() {
Map<String, String> map = new HashMap<String, String>();
map.put("key", "mytestkey");
map.put("secret", "changeme");
TextEncryptor encryptor = this.locator.locate(map);
assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
}
}