Spring 配置文件加密

前文

在某些场景下,使用 Spring 作为开发组件时,不可避免地需要使用到配置文件,然而,对于配置文件中的某些敏感数据(如密码等信息字段),如果使用明文的方式,则可能在一定程度上导致信息泄露。为此,需要一种有效的方式来对这些字段进行加密处理,当前主流的一种加密方式就是 Jasypt

基本使用

对于主流的 Spring 应用程序,现在基本上都是采用 Spring-Boot 的方式进行开发,因此我们可以很方便地以 starter 的方式引入 Jasypt 对应的 starter 依赖

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.5</version> <!-- 具体以 Maven 仓库的为准 -->
</dependency>

然后,需要在对应的应用程序配置文件中配置 Jasypt 的相关配置属性:

jasypt:
  encryptor:
    # 解密时需要用到的对称密码
    password: 1234567
    # 解密时使用的解密算法,具体可以查看 com.sun.crypto.provider.PBEKeyFactory 的相关子类
    algorithm: PBEWithHmacSHA224AndAES_128
    # 一些通用的配置属性,如过滤字段是否需要解密、需要解密的字段的格式等
    property:
      # 如果字段需要解密,则这个字段的值的开始前缀
      prefix: ENC(
      # 如果字段需要解密,则这个字段的值的后缀
      suffix: )
    # 加密时的重 Hash 次数
    key-obtention-iterations: 1000

然而,对于需要解密的字段,需要按照解密的规则对其进行加密处理,Jasypt 已经提供了现有的工具类,只需要传入我们需要的参数进行加密即可:

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.test.context.SpringBootTest;

import javax.crypto.SecretKeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

@SpringBootTest(classes = {DemoApplication.class})
public class SimpleEncryptTest {

    private final static Logger log = LoggerFactory.getLogger(SimpleEncryptTest.class);

    // 注意,这里的 Config 必须与上文配置文件中的一致,否则会导致解密结果与最初值不一致
    private static EnvironmentStringPBEConfig pbeConfig() {
        String password = "1234567"; // 这里的密码需要与配置文件里的相对应

        final EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();

        config.setPassword(password); // 当前对称加密算法需要的基本密码,而不是需要转换的文本

        /*
            具体对称加密算法,目前系统提供了 com.sun.crypto.provider.PBEKeyFactory 子类相关的算法
         */
        config.setAlgorithm("PBEWithHmacSHA224AndAES_128");

        /*
            迭代计算次数,通过增加这个值可以提高加密效果的强度
         */
        config.setKeyObtentionIterations(1000); // 如果配置文件不做配置,则默认 1000 次

        config.setSaltGenerator(new RandomSaltGenerator()); // 具体的盐值生成器,未配置时默认使用 RandomSaltGenerator

        /*
            如果需要设置自定义的对称加密算法,那么这里可能需要设置成对应的算法提供对象,
            在一般情况下,系统提供的加密算法已经足够满足需求,因此可以设置为 null
         */
        config.setProvider(null);

        config.setStringOutputType("Base64"); // 处理时的字节表示形式

        config.setIvGenerator(new RandomIvGenerator()); // 某些算法可能需要使用到的初始向量生成器,默认为 RandomIvGenerator
        return config;
    }

    @Test
    public void encryptTest() {
        String message = "123"; // 当前需要被加密的密码

        final EnvironmentStringPBEConfig config = pbeConfig();

        final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);

        log.info("{}", encryptor.encrypt(message)); // 这里得到的就是加密后的结果
    }
}

现在,将加密后的密码配置到我们系统的配置文件中,使用 jasypt 配置中定义的前后缀进行包装,以 Druid 配置为例,通过上文的加密算法,我将密码 "123" 加密后得到了 对应的加密文本 "354GiF5aGOgfrpisxVAw+y1fCNQ43Hv4vaHd9GVp8YZi86e0igV8sS6zyF1N14AP",现在将它配置到 Druid 的登录密码中:

spring:
  datasource:
    druid:
      stat-view-servlet:
        enabled: true
        login-username: admin
        login-password: ENC(354GiF5aGOgfrpisxVAw+y1fCNQ43Hv4vaHd9GVp8YZi86e0igV8sS6zyF1N14AP)

之后,如果希望登录 Druid 监视界面,只需要输入用户名为 admin 并且密码 123 即可完成登录

组件配置

一般情况下,Jasypt 默认的配置已经足够满足大部分的应用场景,然而,如果希望能够自定义相关的配置,Jasypt 也提供了相应的配置选项,主要包括 "过滤器"、"解码器" 以及 "检测器",这些组件在 com.ulisesbocchio.jasyptspringboot.properties.JasyptEncryptorConfigurationProperties.PropertyConfigurationProperties 有具体的描述

过滤器

过滤器的目的为了过滤那些需要进行解码的属性,默认情况下是对所有的配置属性都进行拦截处理,如果需要进行相关配置,可以在配置文件中加入相关的过滤属性字段:

jasypt:
  encryptor:
    property:
      filter:
      	# 需要传入全限定名称,以过滤这些不需要解密的字段
        exclude-names: ["spring.datasource.druid.stat-view-servlet.login-password"]

显然,如果需要过滤的字段太多,一个一个配置比较麻烦,因此我们可以自定顶一个过滤器来完成相关的过滤操作,具体的实现以 com.ulisesbocchio.jasyptspringboot.EncryptablePropertyFilter 定义的为准:

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyFilter;
import com.ulisesbocchio.jasyptspringboot.properties.JasyptEncryptorConfigurationProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;
import org.springframework.stereotype.Component;

import java.util.HashSet;
import java.util.Set;

// 设置过滤器 Bean 名称,使得能够被加载到 Jasypt 的配置中
@Component("jasyptPropertiesFilter")
public class PropertiesFilter
        implements EncryptablePropertyFilter {

    private final Set<String> excludeSet = new HashSet<>();

    @Autowired
    public PropertiesFilter(ConfigurableEnvironment env) {
        // 复用 Jasypt 的过滤器配置属性
        JasyptEncryptorConfigurationProperties props = JasyptEncryptorConfigurationProperties.bindConfigProps(env);
        JasyptEncryptorConfigurationProperties.PropertyConfigurationProperties.FilterConfigurationProperties filterProps = props.getProperty().getFilter();
        excludeSet.addAll(filterProps.getExcludeNames());
    }

    @Override
    public boolean shouldInclude(PropertySource<?> source, String name) {
        // 如果是开发环境,则不需要对字段进行加密处理
        if (source.getName().endsWith("dev.yml")) {
            return true;
        }
        // 如果前缀与配置的匹配,则不进行加密处理
        for (String excludeName : excludeSet) {
            if (excludeName.startsWith(name)) {
                return false;
            }
        }
        return true;
    }
}

同时,需要将编写好的过滤器替换到原有的过滤器,可以通过配置如下属性来完成:

jasypt:
  encryptor:
    property:
      filter:
      	# 通过我们自定的过滤器,就不再需要写全限定名称了,只需要写对应的不匹配前缀即可
        exclude-names: ["spring.datasource.druid"]
      filter-bean: jasyptPropertiesFilter

检测器

检测器的目的是为了检查配置的属性是否是被加密的,效果与过滤器类似,区别在于过滤器的效果会先于检测器,默认的检测器实现是通过配置的前后缀值来进行判断的,即配置的 ENC()。如果希望改变这个行为(虽然基本不会改变 😦),也可以自定编写检测器来替换现有的行为,具体的实现需要以 com.ulisesbocchio.jasyptspringboot.EncryptablePropertyDetector 定位为准:

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyDetector;
import com.ulisesbocchio.jasyptspringboot.detector.DefaultPropertyDetector;
import org.apache.commons.codec.binary.Base64;
import org.springframework.stereotype.Component;

@Component("jasyptPropertiesDetector")
public class PropertiesDetector
        extends DefaultPropertyDetector
        implements EncryptablePropertyDetector {

    private String prefix = "ENC(";

    public PropertiesDetector() {
        super();
    }

    public PropertiesDetector(String prefix, String suffix) {
        super(prefix, suffix);
        this.prefix = prefix;
    }

    @Override
    public boolean isEncrypted(String property) {
        if (super.isEncrypted(property)) {
            return true;
        }
        // 如果是以 Base64 的方式进行的编码,则我们认为它是被加密的
		return property.length() >= 64 && Base64.isBase64(property);
    }

    @Override
    public String unwrapEncryptedValue(String property) {
        if (property.contains(prefix)) {
            return super.unwrapEncryptedValue(property);
        }
        return property;
    }
}

同样,需要将其配置到对应的配置文件中,替换默认的检测器使得其生效:

jasypt:
  encryptor:
    property:
      detector-bean: jasyptPropertiesDetector

解码器

解码器是真正完成解码工作的组件,如果希望配置一些额外的加密选项(如加盐、替换向量生成器,使用自定义的解密算法等),都可以通过重写该组件来完成。

具体的解码器需要按照 com.ulisesbocchio.jasyptspringboot.EncryptablePropertyResolver 来实现:

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyDetector;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyResolver;
import com.ulisesbocchio.jasyptspringboot.exception.DecryptionException;
import com.ulisesbocchio.jasyptspringboot.properties.JasyptEncryptorConfigurationProperties;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.StringFixedIvGenerator;
import org.jasypt.salt.StringFixedSaltGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

import java.util.Optional;

@Component("jasyptPropertiesPropertyResolver")
public class PropertiesPropertyResolver
        implements EncryptablePropertyResolver {

    private final static Logger log = LoggerFactory.getLogger(PropertiesPropertyResolver.class);

    private final static String IV_GEN_TEXT = "这是一个向量生成器";

    private final static String SALT_TEXT = "我能够吞下玻璃而不伤身体";

    private final Environment environment;

    private final PooledPBEStringEncryptor encryptor;

    private final EncryptablePropertyDetector detector;

    @Autowired
    public PropertiesPropertyResolver(ConfigurableEnvironment env,
                                      @Qualifier("jasyptPropertiesDetector") EncryptablePropertyDetector detector) {
        this.environment = env;
        this.encryptor = new PooledPBEStringEncryptor();
        this.detector = detector;

        // 复用原有 Jasypt 的配置属性
        JasyptEncryptorConfigurationProperties props = JasyptEncryptorConfigurationProperties.bindConfigProps(env);
        String password = props.getPassword();
        
        // 这里的配置将会覆盖原有配置文件中的相关配置,因为配置文件中的配置并不能显示地支持配置对象的设置
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPasswordCharArray(password.toCharArray());
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize(1);
        config.setProviderName("SunJCE");
        config.setSaltGenerator(new StringFixedSaltGenerator(SALT_TEXT)); // 替换默认的盐值生成器
        config.setIvGenerator(new StringFixedIvGenerator(IV_GEN_TEXT)); // 替换默认的向量生成器
        config.setStringOutputType("base64");
        this.encryptor.setConfig(config);
    }

    @Override
    public String resolvePropertyValue(String value) {
        return Optional.ofNullable(value)
                .map(environment::resolvePlaceholders)
                .filter(detector::isEncrypted)
                .map(resolvedValue -> {
                    try {
                        String unwrappedProperty = detector.unwrapEncryptedValue(resolvedValue.trim());
                        String resolvedProperty = environment.resolvePlaceholders(unwrappedProperty);
                        String decrypt = encryptor.decrypt(resolvedProperty);
                        log.info("from {} to {}", resolvedProperty, decrypt);
                        return decrypt;
                    } catch (EncryptionOperationNotPossibleException e) {
                        throw new DecryptionException("Unable to decrypt property: "
                                + value + " resolved to: " + resolvedValue + ". Decryption of Properties failed,  make sure encryption/decryption " +
                                "passwords match", e);
                    }
                })
                .orElse(value);
    }
}

同样地,也需要在配置文件中进行配置以替换默认的解码器:

jasypt:
  encryptor:
    property:
      resolver-bean: jasyptPropertiesPropertyResolver

实现原理

一般来讲,在 SpringBoot 项目中引入 starter 来实现自动装配 功能,基本上都是通过加载 META/spring.factories 文件中的自动配置项来实现的,对于 Jassyptstarter 来讲,对应的 spring.factories 文件如下:

org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.ulisesbocchio.jasyptspringbootstarter.JasyptSpringBootAutoConfiguration

org.springframework.cloud.bootstrap.BootstrapConfiguration=com.ulisesbocchio.jasyptspringbootstarter.JasyptSpringCloudBootstrapConfiguration

SpringBoot 的加载接口从 EnableAutoConfiguration 配置引入,对应的配置项为 com.ulisesbocchio.jasyptspringbootstarter.JasyptSpringBootAutoConfiguration

import com.ulisesbocchio.jasyptspringboot.configuration.EnableEncryptablePropertiesConfiguration;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

@Configuration
@Import(EnableEncryptablePropertiesConfiguration.class)
public class JasyptSpringBootAutoConfiguration {
}

实际上这个类并没有实际的配置操作,而是通过导入 EnableEncryptablePropertiesConfiguration 来间接实现的:

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertySourceConverter;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.config.StringPBEConfig;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.Environment;
import org.springframework.core.env.PropertySource;

@Configuration
/*
	EncryptablePropertyResolverConfiguration 这个配置类为上文的 "解码器" 等相关组件的配置类,也就是
	实际完成解码工作的组件类
*/
@Import({EncryptablePropertyResolverConfiguration.class, CachingConfiguration.class})
public class EnableEncryptablePropertiesConfiguration {
    
    @Bean
    public static EnableEncryptablePropertiesBeanFactoryPostProcessor enableEncryptablePropertySourcesPostProcessor(final ConfigurableEnvironment environment, EncryptablePropertySourceConverter converter) {
        return new EnableEncryptablePropertiesBeanFactoryPostProcessor(environment, converter);
    }
}

对于内置的 EnableEncryptablePropertiesBeanFactoryPostProcessor Bean,Spring 会在初始化 BeanFactory 时调用这些 BeanPostProcessorpostProcessBeanFactory 方法,以实现对 BeanFactory 的配置处理。具体 EnableEncryptablePropertiesBeanFactoryPostProcessor 的处理如下:

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyResolver;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertySourceConverter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.core.Ordered;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MutablePropertySources;

public class EnableEncryptablePropertiesBeanFactoryPostProcessor 
    implements BeanFactoryPostProcessor, Ordered {

    private final ConfigurableEnvironment environment;
    private final EncryptablePropertySourceConverter converter;

    public EnableEncryptablePropertiesBeanFactoryPostProcessor(ConfigurableEnvironment environment, EncryptablePropertySourceConverter converter) {
        this.environment = environment;
        this.converter = converter;
    }

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        log.info("Post-processing PropertySource instances");
        /*
        	这里的作用是加载系统中存在的配置文件,包括系统自带的 System、BootStrap 以及 application 等配置文件
        */
        MutablePropertySources propSources = environment.getPropertySources();
        
        /*
        	替换原有的配置文件对象,以改变获取配置属性值的相关行为
        */
        converter.convertPropertySources(propSources);
    }
    
    // 省略部分代码
}

关键的部分在于对 propSources 的替换处理,具体的源码如下:

public class EncryptablePropertySourceConverter {
    
    public void convertPropertySources(MutablePropertySources propSources) {
        propSources.stream()
                .filter(ps -> !(ps instanceof EncryptablePropertySource))
                .map(this::makeEncryptable)
                .collect(toList())
                .forEach(ps -> propSources.replace(ps.getName(), ps));
    }
    
    public <T> PropertySource<T> makeEncryptable(PropertySource<T> propertySource) {
        // 省略部分代码。。。。
        PropertySource<T> encryptablePropertySource = convertPropertySource(propertySource);
        return encryptablePropertySource;
    }
    
    private <T> PropertySource<T> convertPropertySource(PropertySource<T> propertySource) {
        // 默认不是代理模式,因此走 instantiatePropertySource 方法
        return interceptionMode == InterceptionMode.PROXY
                ? proxyPropertySource(propertySource) : instantiatePropertySource(propertySource);
    }
    
    private <T> PropertySource<T> instantiatePropertySource(PropertySource<T> propertySource) {
        PropertySource<T> encryptablePropertySource;
        if (needsProxyAnyway(propertySource)) {
            encryptablePropertySource = proxyPropertySource(propertySource);
        } else if (propertySource instanceof SystemEnvironmentPropertySource) {
            encryptablePropertySource = (PropertySource<T>) new EncryptableSystemEnvironmentPropertySourceWrapper((SystemEnvironmentPropertySource) propertySource, propertyResolver, propertyFilter);
        } else if (propertySource instanceof MapPropertySource) {
            /*
            	应用程序的配置文件对应的类型为 MapPropertySource,因此走这里,
            	即:将原有应用程序配置文件对应的属性配置对象替换成了 EncryptableMapPropertySourceWrapper 类型
            */
            encryptablePropertySource = (PropertySource<T>) new EncryptableMapPropertySourceWrapper((MapPropertySource) propertySource, propertyResolver, propertyFilter);
        } else if (propertySource instanceof EnumerablePropertySource) {
            encryptablePropertySource = new EncryptableEnumerablePropertySourceWrapper<>((EnumerablePropertySource) propertySource, propertyResolver, propertyFilter);
        } else {
            encryptablePropertySource = new EncryptablePropertySourceWrapper<>(propertySource, propertyResolver, propertyFilter);
        }
        return encryptablePropertySource;
    }
}

继续查看 EncryptableMapPropertySourceWrapper对应的源码:

import com.ulisesbocchio.jasyptspringboot.caching.CachingDelegateEncryptablePropertySource;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyFilter;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyResolver;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertySource;
import org.springframework.boot.origin.Origin;
import org.springframework.boot.origin.OriginLookup;
import org.springframework.boot.origin.OriginTrackedValue;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;

import java.util.Map;

public class EncryptableMapPropertySourceWrapper extends MapPropertySource implements EncryptablePropertySource<Map<String, Object>> {

    private final CachingDelegateEncryptablePropertySource<Map<String, Object>> encryptableDelegate;

    public EncryptableMapPropertySourceWrapper(MapPropertySource delegate, EncryptablePropertyResolver resolver, EncryptablePropertyFilter filter) {
        super(delegate.getName(), delegate.getSource());
        encryptableDelegate = new CachingDelegateEncryptablePropertySource<>(delegate, resolver, filter);
    }

    /*
    	重点在于对于获取属性时的特殊处理,具体是由 CachingDelegateEncryptablePropertySource 完成的实际处理
    */
    @Override
    public Object getProperty(String name) {
        return encryptableDelegate.getProperty(name);
    }

    @Override
    public PropertySource<Map<String, Object>> getDelegate() {
        return encryptableDelegate;
    }
}

继续查看 CachingDelegateEncryptablePropertySource

import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyFilter;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertyResolver;
import com.ulisesbocchio.jasyptspringboot.EncryptablePropertySource;

import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

import lombok.AllArgsConstructor;
import org.springframework.core.env.PropertySource;
import org.springframework.util.Assert;

public class CachingDelegateEncryptablePropertySource<T> extends PropertySource<T> implements EncryptablePropertySource<T> {
    private final PropertySource<T> delegate; // 原有的配置属性对象
    private final EncryptablePropertyResolver resolver; // 解码器
    private final EncryptablePropertyFilter filter; // 过滤器
    private final Map<String, CachedValue> cache; // 缓存,不重要

    public CachingDelegateEncryptablePropertySource(PropertySource<T> delegate, EncryptablePropertyResolver resolver, EncryptablePropertyFilter filter) {
        super(delegate.getName(), delegate.getSource());
        Assert.notNull(delegate, "PropertySource delegate cannot be null");
        Assert.notNull(resolver, "EncryptablePropertyResolver cannot be null");
        Assert.notNull(filter, "EncryptablePropertyFilter cannot be null");
        this.delegate = delegate;
        this.resolver = resolver;
        this.filter = filter;
        this.cache = new ConcurrentHashMap<>();
    }
    
    // 省略部分源码。。。。

    @Override
    public Object getProperty(String name) {
        Object originValue = delegate.getProperty(name);
        
        if (!(originValue instanceof String)) {
            /*
            	由于实际的解码器只能支持对 String 类型的解码,因此如果不是 String 类型的值则不做处理
            */
            return originValue;
        }
        // 省略缓存的有关处理

        // 如果该字段不在过滤器的排除选项中,则进一步考虑解密的处理
        if (filter.shouldInclude(delegate, name)) {
            String originStringValue = (String) originValue;
            
            /*
            	解码器的实际解码处理,至此,完成了对加密字段的解密获取处理
            */
            String resolved = resolver.resolvePropertyValue(originStringValue);
            // 省略缓存的有关处理
            return resolved;
        }
        return originValue;
    }
    
    // 省略部分源码。。。。
}

具体结构图如下所示:

EncryptProxy.png

posted @ 2024-07-07 17:01  FatalFlower  阅读(284)  评论(0编辑  收藏  举报