From bcef73bc98012ad54db6a889e45eeec8adc1b6cf Mon Sep 17 00:00:00 2001
From: Dave Syer
Date: Mon, 9 Mar 2015 22:15:41 +0000
Subject: [PATCH] Add encrypt.keyStore.secret property
So that the keystore and the key can have independent secrets (the "secret" is the key, and the "password" is the store). Fixes gh-98
---
.../main/asciidoc/spring-cloud-config.adoc | 3 ++-
.../EncryptionBootstrapConfiguration.java | 9 ++++---
.../bootstrap/encrypt/KeyProperties.java | 9 +++++++
...EncryptionBootstrapConfigurationTests.java | 24 ++++++++++++++++++
.../src/test/resources/server.jks | Bin 0 -> 2239 bytes
5 files changed, 40 insertions(+), 5 deletions(-)
create mode 100644 spring-cloud-config-client/src/test/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfigurationTests.java
create mode 100644 spring-cloud-config-client/src/test/resources/server.jks
diff --git a/docs/src/main/asciidoc/spring-cloud-config.adoc b/docs/src/main/asciidoc/spring-cloud-config.adoc
index 006d6910..5c3453a0 100644
--- a/docs/src/main/asciidoc/spring-cloud-config.adoc
+++ b/docs/src/main/asciidoc/spring-cloud-config.adoc
@@ -287,8 +287,9 @@ your `application.yml` for the Config Server:
encrypt:
keyStore:
location: classpath:/server.jks
- alias: mytestkey
password: letmein
+ alias: mytestkey
+ secret: changeme
----
=== Embedding the Config Server
diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfiguration.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfiguration.java
index 4751d2d3..fde82d58 100644
--- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfiguration.java
+++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfiguration.java
@@ -40,7 +40,7 @@ import org.springframework.util.StringUtils;
* */
@Configuration
-@ConditionalOnClass({TextEncryptor.class, RsaSecretEncryptor.class})
+@ConditionalOnClass({ TextEncryptor.class, RsaSecretEncryptor.class })
@EnableConfigurationProperties(KeyProperties.class)
public class EncryptionBootstrapConfiguration {
@@ -65,8 +65,8 @@ public class EncryptionBootstrapConfiguration {
if (keyStore.getLocation() != null && keyStore.getLocation().exists()) {
return new RsaSecretEncryptor(
new KeyStoreKeyFactory(keyStore.getLocation(), keyStore
- .getPassword().toCharArray()).getKeyPair(keyStore
- .getAlias()));
+ .getPassword().toCharArray()).getKeyPair(
+ keyStore.getAlias(), keyStore.getSecret().toCharArray()));
}
return new EncryptorFactory().create(key.getKey());
}
@@ -94,7 +94,8 @@ public class EncryptionBootstrapConfiguration {
if (encryptor == null) {
encryptor = new FailsafeTextEncryptor();
}
- EnvironmentDecryptApplicationInitializer listener = new EnvironmentDecryptApplicationInitializer(encryptor);
+ EnvironmentDecryptApplicationInitializer listener = new EnvironmentDecryptApplicationInitializer(
+ encryptor);
listener.setFailOnError(key.isFailOnError());
return listener;
}
diff --git a/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/KeyProperties.java b/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/KeyProperties.java
index 4b213624..d3d3b11e 100644
--- a/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/KeyProperties.java
+++ b/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt/KeyProperties.java
@@ -56,6 +56,7 @@ public class KeyProperties {
private Resource location;
private String password;
private String alias;
+ private String secret;
public String getAlias() {
return alias;
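Review bot: The added `keyStore.getSecret().toCharArray()` (like the existing `getPassword().toCharArray()` beside it) dereferences a property nobody validates, so `encrypt.keyStore.location` set without `encrypt.keyStore.password` fails at bootstrap with an unexplained NullPointerException (presumably wrapped by the container) rather than a message naming the missing property; the `if` only checks that the location resource exists, and `getSecret()` in this patch falls back to that same password, so there is no independent value to save it. Before constructing the `KeyStoreKeyFactory` I would fail fast with the `StringUtils` this file already imports: `if (!StringUtils.hasText(keyStore.getPassword())) { throw new IllegalStateException("encrypt.keyStore.password is required when encrypt.keyStore.location is set"); }`. The enclosing bean method's signature is outside the hunk, so I cannot tell whether a caller already guards this.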
@@ -81,5 +82,13 @@ public class KeyProperties {
this.password = password;
}
+ public String getSecret() {
+ return secret==null ? password : secret;
+ }
+
+ public void setSecret(String secret) {
+ this.secret = secret;
+ }
+
}
}
\ No newline at end of file
diff --git a/spring-cloud-config-client/src/test/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfigurationTests.java b/spring-cloud-config-client/src/test/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfigurationTests.java
new file mode 100644
index 00000000..52c654ba
--- /dev/null
+++ b/spring-cloud-config-client/src/test/java/org/springframework/cloud/bootstrap/encrypt/EncryptionBootstrapConfigurationTests.java
@@ -0,0 +1,24 @@
+package org.springframework.cloud.bootstrap.encrypt;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.security.crypto.encrypt.TextEncryptor;
+
+public class EncryptionBootstrapConfigurationTests {
+
+ @Test
+ public void rsaKeyStore() {
+ ConfigurableApplicationContext context = new SpringApplicationBuilder(
+ EncryptionBootstrapConfiguration.class).web(false).properties(
+ "encrypt.keyStore.location:classpath:/server.jks",
+ "encrypt.keyStore.password:letmein",
+ "encrypt.keyStore.alias:mytestkey", "encrypt.keyStore.secret:changeme")
+ .run();
+ TextEncryptor encryptor = context.getBean(TextEncryptor.class);
+ assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
+ }
+
+}
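Review bot: `getSecret()` silently substitutes the keystore password when no secret is configured, and nothing in the hunk documents that, so an operator who sets only `encrypt.keyStore.password` has the store password reused as the key-entry password without being told. I would add Javadoc on the getter: `/** Password of the key entry under {@code alias}; defaults to the keystore password when {@code secret} is unset. */`. The comparison `secret==null` should also be spaced `secret == null` to match the surrounding code.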
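Review bot: The `ConfigurableApplicationContext` returned by `run()` is never closed, so the context and the decrypt initializer it registers outlive the test; a try-with-resources closes it even when the assertion fails, assuming the Spring version in use has `ConfigurableApplicationContext` implementing `Closeable` as it has since 3.1. The round-trip assertion would also pass if the bean had come from the `EncryptorFactory` fallback in `EncryptionBootstrapConfiguration`, so it does not prove that the keystore and the new `secret` property were actually used; asserting the bean is an `RsaSecretEncryptor` (with `assertTrue` statically imported) pins that. Since `server.jks` and its `letmein`/`changeme` credentials are now committed, a short comment that this key pair is a public test fixture and must never be reused elsewhere would help.
```java
	@Test
	public void rsaKeyStore() {
		try (ConfigurableApplicationContext context = new SpringApplicationBuilder(
				EncryptionBootstrapConfiguration.class).web(false).properties(
				"encrypt.keyStore.location:classpath:/server.jks",
				"encrypt.keyStore.password:letmein",
				"encrypt.keyStore.alias:mytestkey", "encrypt.keyStore.secret:changeme")
				.run()) {
			TextEncryptor encryptor = context.getBean(TextEncryptor.class);
			// prove the keystore branch was taken rather than the EncryptorFactory fallback
			assertTrue(encryptor instanceof RsaSecretEncryptor);
			assertEquals("foo", encryptor.decrypt(encryptor.encrypt("foo")));
		}
	}
```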
diff --git a/spring-cloud-config-client/src/test/resources/server.jks b/spring-cloud-config-client/src/test/resources/server.jks new file mode 100644 index 0000000000000000000000000000000000000000..560be5fed77efd4c75d2ca49a33bc6eb616b1af4 GIT binary patch literal 2239 zcmchY`8yPh7RP7C%rIjJLzY)zELn=NhDi1$y_4*e8X9X^Cu0pmj2Ow9$i74&`!?Ci zOPb7;C2J95j2C4a*OIP!?tPy3FStLPA3o>#{&1e}InVbTtsSia007W&0e=_lZYUlX zg!jRP9(ODO>AD#J00fLCLI7xPC|m&w1Ow$kyg(oX049Q0e@x9;9QG?AIP}u(CND%g zNL5^8ki_Z1zB6X`UVR^kr^@)Za%CW-5U~S{(x=E5SHze8uy8g$xVXbqb9SqI-=~O@ zDZ-raMhb2A?eA;^2tpvt&n0=Tv~MNkS+5cI%2ij=N0R1?xp!A9C1<%SwZ8R?wlAsRHE9}}VzAy?cNnNwj3mGJ ztO-#a(awjYi`pB4QZ3Sa>N48Czr(&Q=D8EzCsp2oRlI1!@Jy_}uMmM35Rjvce76Rn{sAPO-#KSC6*SKdCs(y+|98led18K-}~uxm*ZA&V^CZTUPC=1H?jjd$lM3^4l7AqAr-bX7jb``=cD5 zIMw4W+r|afp*>WF;-%HTL*$lgBv>W;L8@p+@?Kk>K6P2+eo?#rDto48>|$m{!Mv~| zZTB|eUT&A*oNw=a){D@F+($ge__?FdLyRjz*lRDez{=JYg4t z?T~Nt7#sXK7fcsAcfuQGw6HUwEVz3Mz5@Lwa*Hl=t%Lmw?4Z9v8jwg8nK}#Sqj)?@ z+BHxVUHV)dfenu1h-K@``b@EO8Sw3V_&_T`&^p}|BI4Vx{pNX5ssPQYGTg0~$E>ZZ zxZ>hl6L&y&)hn3)$)D@C!aF_SboqQait#%U_4yu{^2MAuH>-}q#;M{-yd1sEc}}h! 
z!#R{Sd)}9cwF7759L{M(#|V;PRF~2@PreCz|3njzoAGE%6!otuPeTYZZ^g%Z#3eRn zfshtdY)|?AhZHX!nd2(_w=WHNxPONdAds*OoAny-|6E(ZSi8K@(5{zd?hjA#*fa0A5i#N z%rmW5VdEX0hc-bhk02~eAijXoC+$e9-XlfzUF})OwsJnHR0sF zfatDpl0ix+$9?M5TCe{>$N+shXTFzo#jerT+q%)Oc~h}D?gBV^5n;FCWxdgBw&;N7 zN{wjk`x>K^_Es|RoSRFxBcx{L(Kp#025&_laa2I;_fiG}I zpoS4qhz7VB4~TLti;qdy^LItOQ4{U3yu8ra=~pg66Esfh%l#1~{PL5Y`|o&!I4G*4 zwEzIN05p;9E}96kEo1`$K_Kvn{YyP)E+|Ys-YkBX3kc*q4onYaPBaY4W($TQLAKV) z+-Srv;6OsG@mM@gnG4PNi`kK2Loa-&vH%+S3*krvCeQ=x>lKE@d-?hPPsND@+xmLp zm62%PUn({v+#csDZjB2J#s#8J3vwx|qgBybDk^9VRb{8&sDVEJU;O_KLIk4zX~OZB zU?T!g0MJAr97F^H0j<}O_wE`aZ!*0iCzaqH1hqf0+fr9?67F{Ebpew?$mhB&83hK4 zbBl&033s?#ah`4>B<<81CH3DC00DJZ)gi+s=F+}Lxi@H@0y83l;?Cqd`eXQ#9@lj+ z*#y&cb7JoMR$hRii5{jpak1L`W0@XCEZzJ8f+a?)$YvmD!kR3%;Q7;6H~C=qL9xcN zE25LR2KygI@^3lUo~-IaK@~>Y$IDilLxP+&>l4NrZp_yWTXyE$WaCT@$hiIBImvxD zhhd8Uq1WXUQzT+lYPkC>XO}>?TQ5vITGGgjB1B6T{_EE0gL2hVwBV}8_iuk9*`Z*d znazx?DX@+`hz$q;mPnw*(5H^Kc#0c*63j1Km`l&8nC&gig1yvy+y)X=VB!C1;_)RN zn+OCro@z?g7#s%qHRrwC^N|V3zjS?-I9tyi;S%$8bY$=6&e`}fp~OZ z|EKLrH4p2BRMUw)`_g&D+e3dF>4S>M{md%)*Au18*)bhS+QV7_<))PO@Rl^c)wbtG z4`Se;rC}V&=!-~igc?GjgpvaLkU=Y6o=rx%ZUo5@86BYt%_zS7>8*CS==nH7KCXF7 z&o@r*mXjiJChyy>&-+zlxc9rzJuA5g3ev~OryKWVMcd_O(`6AD4W$M$SEiOftl^v?Ht^0YZuAWk}0Qx X87oqp`%q!o8#z_2ZOluhie~)>Rnq1* literal 0 HcmV?d00001