Merge pull request #872 from spring-cloud/rebinder

Creates TextEncryptorBindHandler for Binder decryption.

It is registered in TextEncryptorConfigBootstrapper for later use in
other ConfigData implementations.

Creates DecryptEnvironmentPostProcessor. 

This is used if bootstrap and legacy processing are not enabled.

EnvironmentDecryptApplicationInitializer is only is if bootstrap and legacy processing are enabled.

Fixes gh-815

@spencergibb

Author: spencergibb

spring-cloud-context/src/main/java/org/springframework/cloud/bootstrap/TextEncryptorBindHandler.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2013-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.bootstrap;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.boot.context.properties.bind.AbstractBindHandler;
+import org.springframework.boot.context.properties.bind.BindContext;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.source.ConfigurationPropertyName;
+import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
+import org.springframework.security.crypto.encrypt.TextEncryptor;
+
+/**
+ * BindHandler that uses a TextEncryptor to decrypt text if properly prefixed with
+ * {cipher}.
+ *
+ * @author Marcin Grzejszczak
+ * @since 3.0.0
+ */
+class TextEncryptorBindHandler extends AbstractBindHandler {
+
+	private static final Log logger = LogFactory.getLog(TextEncryptorBindHandler.class);
+
+	/**
+	 * Prefix indicating an encrypted value.
+	 */
+	protected static final String ENCRYPTED_PROPERTY_PREFIX = "{cipher}";
+
+	private final TextEncryptor textEncryptor;
+
+	private final KeyProperties keyProperties;
+
+	TextEncryptorBindHandler(TextEncryptor textEncryptor, KeyProperties keyProperties) {
+		this.textEncryptor = textEncryptor;
+		this.keyProperties = keyProperties;
+	}
+
+	@Override
+	public Object onSuccess(ConfigurationPropertyName name, Bindable<?> target, BindContext context, Object result) {
+		if (result instanceof String && ((String) result).startsWith(ENCRYPTED_PROPERTY_PREFIX)) {
+			return decrypt(name.toString(), (String) result);
+		}
+		return result;
+	}
+
+	private String decrypt(String key, String original) {
+		String value = original.substring(ENCRYPTED_PROPERTY_PREFIX.length());
+		try {
+			value = this.textEncryptor.decrypt(value);
+			if (logger.isDebugEnabled()) {
+				logger.debug("Decrypted: key=" + key);
+			}
+			return value;
+		}
+		catch (Exception e) {
+			String message = "Cannot decrypt: key=" + key;
+			if (logger.isDebugEnabled()) {
+				logger.warn(message, e);
+			}
+			else {
+				logger.warn(message);
+			}
+			if (this.keyProperties.isFailOnError()) {
+				throw new IllegalStateException(message, e);
+			}
+			return "";
+		}
+	}
+
+}

spring-cloud-context/src/main/java/org/springframework/cloud/bootstrap/TextEncryptorConfigBootstrapper.java

@@ -0,0 +1,168 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.bootstrap;
+
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.boot.BootstrapContext;
+import org.springframework.boot.BootstrapRegistry;
+import org.springframework.boot.Bootstrapper;
+import org.springframework.boot.context.properties.bind.BindHandler;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
+import org.springframework.cloud.bootstrap.encrypt.RsaProperties;
+import org.springframework.cloud.context.encrypt.EncryptorFactory;
+import org.springframework.core.env.Environment;
+import org.springframework.security.crypto.encrypt.TextEncryptor;
+import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
+import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
+import org.springframework.util.ClassUtils;
+import org.springframework.util.StringUtils;
+
+/**
+ * Bootstrapper.
+ *
+ * @author Marcin Grzejszczak
+ * @since 3.0.0
+ */
+public class TextEncryptorConfigBootstrapper implements Bootstrapper {
+
+	private static final boolean RSA_IS_PRESENT = ClassUtils
+			.isPresent("org.springframework.security.rsa.crypto.RsaSecretEncryptor", null);
+
+	@Override
+	public void intitialize(BootstrapRegistry registry) {
+		if (!ClassUtils.isPresent("org.springframework.security.crypto.encrypt.TextEncryptor", null)) {
+			return;
+		}
+
+		registry.registerIfAbsent(KeyProperties.class, context -> context.get(Binder.class)
+				.bind(KeyProperties.PREFIX, KeyProperties.class).orElseGet(KeyProperties::new));
+		if (RSA_IS_PRESENT) {
+			registry.registerIfAbsent(RsaProperties.class, context -> context.get(Binder.class)
+					.bind(RsaProperties.PREFIX, RsaProperties.class).orElseGet(RsaProperties::new));
+		}
+		registry.registerIfAbsent(TextEncryptor.class, context -> {
+			KeyProperties keyProperties = context.get(KeyProperties.class);
+			if (keysConfigured(keyProperties)) {
+				if (RSA_IS_PRESENT) {
+					RsaProperties rsaProperties = context.get(RsaProperties.class);
+					return rsaTextEncryptor(keyProperties, rsaProperties);
+				}
+				return new EncryptorFactory(keyProperties.getSalt()).create(keyProperties.getKey());
+			}
+			// no keys configured
+			return new FailsafeTextEncryptor();
+		});
+		registry.registerIfAbsent(BindHandler.class, context -> {
+			TextEncryptor textEncryptor = context.get(TextEncryptor.class);
+			if (textEncryptor != null) {
+				KeyProperties keyProperties = context.get(KeyProperties.class);
+				return new TextEncryptorBindHandler(textEncryptor, keyProperties);
+			}
+			return null;
+		});
+
+		// promote beans to context
+		registry.addCloseListener(event -> {
+			if (isLegacyBootstrap(event.getApplicationContext().getEnvironment())) {
+				return;
+			}
+			BootstrapContext bootstrapContext = event.getBootstrapContext();
+			KeyProperties keyProperties = bootstrapContext.get(KeyProperties.class);
+			ConfigurableListableBeanFactory beanFactory = event.getApplicationContext().getBeanFactory();
+			if (keyProperties != null) {
+				beanFactory.registerSingleton("keyProperties", keyProperties);
+			}
+			if (RSA_IS_PRESENT) {
+				RsaProperties rsaProperties = bootstrapContext.get(RsaProperties.class);
+				if (rsaProperties != null) {
+					beanFactory.registerSingleton("rsaProperties", rsaProperties);
+				}
+			}
+			TextEncryptor textEncryptor = bootstrapContext.get(TextEncryptor.class);
+			if (textEncryptor != null) {
+				beanFactory.registerSingleton("textEncryptor", textEncryptor);
+			}
+		});
+	}
+
+	public static TextEncryptor rsaTextEncryptor(KeyProperties keyProperties, RsaProperties rsaProperties) {
+		KeyProperties.KeyStore keyStore = keyProperties.getKeyStore();
+		if (keyStore.getLocation() != null) {
+			if (keyStore.getLocation().exists()) {
+				return new RsaSecretEncryptor(
+						new KeyStoreKeyFactory(keyStore.getLocation(), keyStore.getPassword().toCharArray())
+								.getKeyPair(keyStore.getAlias(), keyStore.getSecret().toCharArray()),
+						rsaProperties.getAlgorithm(), rsaProperties.getSalt(), rsaProperties.isStrong());
+			}
+
+			throw new IllegalStateException("Invalid keystore location");
+		}
+
+		return new EncryptorFactory(keyProperties.getSalt()).create(keyProperties.getKey());
+	}
+
+	public static boolean keysConfigured(KeyProperties properties) {
+		if (hasProperty(properties.getKeyStore().getLocation())) {
+			if (hasProperty(properties.getKeyStore().getPassword())) {
+				return true;
+			}
+			return false;
+		}
+		else if (hasProperty(properties.getKey())) {
+			return true;
+		}
+		return false;
+	}
+
+	static boolean hasProperty(Object value) {
+		if (value instanceof String) {
+			return StringUtils.hasText((String) value);
+		}
+		return value != null;
+	}
+
+	static boolean isLegacyBootstrap(Environment environment) {
+		boolean isLegacy = environment.getProperty("spring.config.use-legacy-processing", Boolean.class, false);
+		boolean isBootstrapEnabled = environment.getProperty("spring.cloud.bootstrap.enabled", Boolean.class, false);
+		return isLegacy || isBootstrapEnabled;
+	}
+
+	/**
+	 * TextEncryptor that just fails, so that users don't get a false sense of security
+	 * adding ciphers to config files and not getting them decrypted.
+	 *
+	 * @author Dave Syer
+	 *
+	 */
+	public static class FailsafeTextEncryptor implements TextEncryptor {
+
+		@Override
+		public String encrypt(String text) {
+			throw new UnsupportedOperationException(
+					"No encryption for FailsafeTextEncryptor. Did you configure the keystore correctly?");
+		}
+
+		@Override
+		public String decrypt(String encryptedText) {
+			throw new UnsupportedOperationException(
+					"No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?");
+		}
+
+	}
+
+}