Migrates general decryption to DecryptEnvironmentPostProcessor

This is only used if legacy bootstrap is not being used.

This works for both @ConfigurationProperties and calls to Environment.

TextEncryptorBindHandler is only used in ConfigData Bootstrapper.

Existing EnvironmentDecryptApplicationInitializer is only used if legacy bootstrap is used.

Some code could be put in an abstract class that EnvironmentDecryptApplicationInitializer and DecryptEnvironmentPostProcessor could share.

Author: spencergibb

spring-cloud-context/src/main/java/org/springframework/cloud/autoconfigure/EncryptionBootstrapAutoConfiguration.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2013-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.bootstrap;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.boot.context.properties.bind.AbstractBindHandler;
+import org.springframework.boot.context.properties.bind.BindContext;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.source.ConfigurationPropertyName;
+import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
+import org.springframework.security.crypto.encrypt.TextEncryptor;
+
+/**
+ * BindHandler that uses a TextEncryptor to decrypt text if properly prefixed with
+ * {cipher}.
+ *
+ * @author Marcin Grzejszczak
+ * @since 3.0.0
+ */
+class TextEncryptorBindHandler extends AbstractBindHandler {
+
+	private static final Log logger = LogFactory.getLog(TextEncryptorBindHandler.class);
+
+	/**
+	 * Prefix indicating an encrypted value.
+	 */
+	protected static final String ENCRYPTED_PROPERTY_PREFIX = "{cipher}";
+
+	private final TextEncryptor textEncryptor;
+
+	private final KeyProperties keyProperties;
+
+	TextEncryptorBindHandler(TextEncryptor textEncryptor, KeyProperties keyProperties) {
+		this.textEncryptor = textEncryptor;
+		this.keyProperties = keyProperties;
+	}
+
+	@Override
+	public Object onSuccess(ConfigurationPropertyName name, Bindable<?> target, BindContext context, Object result) {
+		if (result instanceof String && ((String) result).startsWith(ENCRYPTED_PROPERTY_PREFIX)) {
+			return decrypt(name.toString(), (String) result);
+		}
+		return result;
+	}
+
+	private String decrypt(String key, String original) {
+		String value = original.substring(ENCRYPTED_PROPERTY_PREFIX.length());
+		try {
+			value = this.textEncryptor.decrypt(value);
+			if (logger.isDebugEnabled()) {
+				logger.debug("Decrypted: key=" + key);
+			}
+			return value;
+		}
+		catch (Exception e) {
+			String message = "Cannot decrypt: key=" + key;
+			if (logger.isDebugEnabled()) {
+				logger.warn(message, e);
+			}
+			else {
+				logger.warn(message);
+			}
+			if (this.keyProperties.isFailOnError()) {
+				throw new IllegalStateException(message, e);
+			}
+			return "";
+		}
+	}
+
+}

spring-cloud-context/src/main/java/org/springframework/cloud/bootstrap/TextEncryptorBindHandler.java

@@ -22,13 +22,13 @@
 import org.springframework.boot.Bootstrapper;
 import org.springframework.boot.context.properties.bind.BindHandler;
 import org.springframework.boot.context.properties.bind.Binder;
-import org.springframework.cloud.autoconfigure.EncryptionBootstrapAutoConfiguration;
-import org.springframework.cloud.bootstrap.TextEncryptorConfigurationPropertiesBindHandlerAdvisor.TextEncryptorBindHandler;
 import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
 import org.springframework.cloud.bootstrap.encrypt.RsaProperties;
 import org.springframework.cloud.context.encrypt.EncryptorFactory;
 import org.springframework.core.env.Environment;
 import org.springframework.security.crypto.encrypt.TextEncryptor;
+import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
+import org.springframework.security.rsa.crypto.RsaSecretEncryptor;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 
@@ -40,22 +40,27 @@
  */
 public class TextEncryptorConfigBootstrapper implements Bootstrapper {
 
+	private static final boolean RSA_IS_PRESENT = ClassUtils
+			.isPresent("org.springframework.security.rsa.crypto.RsaSecretEncryptor", null);
+
 	@Override
 	public void intitialize(BootstrapRegistry registry) {
 		if (!ClassUtils.isPresent("org.springframework.security.crypto.encrypt.TextEncryptor", null)) {
 			return;
 		}
 
 		registry.registerIfAbsent(KeyProperties.class, context -> context.get(Binder.class)
-				.bind("encrypt", KeyProperties.class).orElseGet(KeyProperties::new));
-		registry.registerIfAbsent(RsaProperties.class, context -> context.get(Binder.class)
-				.bind("encrypt.rsa", RsaProperties.class).orElseGet(RsaProperties::new));
+				.bind(KeyProperties.PREFIX, KeyProperties.class).orElseGet(KeyProperties::new));
+		if (RSA_IS_PRESENT) {
+			registry.registerIfAbsent(RsaProperties.class, context -> context.get(Binder.class)
+					.bind(RsaProperties.PREFIX, RsaProperties.class).orElseGet(RsaProperties::new));
+		}
 		registry.registerIfAbsent(TextEncryptor.class, context -> {
 			KeyProperties keyProperties = context.get(KeyProperties.class);
 			if (keysConfigured(keyProperties)) {
-				if (ClassUtils.isPresent("org.springframework.security.rsa.crypto.RsaSecretEncryptor", null)) {
+				if (RSA_IS_PRESENT) {
 					RsaProperties rsaProperties = context.get(RsaProperties.class);
-					return EncryptionBootstrapAutoConfiguration.rsaTextEncryptor(keyProperties, rsaProperties);
+					return rsaTextEncryptor(keyProperties, rsaProperties);
 				}
 				return new EncryptorFactory(keyProperties.getSalt()).create(keyProperties.getKey());
 			}
@@ -82,9 +87,11 @@ public void intitialize(BootstrapRegistry registry) {
 			if (keyProperties != null) {
 				beanFactory.registerSingleton("keyProperties", keyProperties);
 			}
-			RsaProperties rsaProperties = bootstrapContext.get(RsaProperties.class);
-			if (rsaProperties != null) {
-				beanFactory.registerSingleton("rsaProperties", rsaProperties);
+			if (RSA_IS_PRESENT) {
+				RsaProperties rsaProperties = bootstrapContext.get(RsaProperties.class);
+				if (rsaProperties != null) {
+					beanFactory.registerSingleton("rsaProperties", rsaProperties);
+				}
 			}
 			TextEncryptor textEncryptor = bootstrapContext.get(TextEncryptor.class);
 			if (textEncryptor != null) {
@@ -93,7 +100,23 @@ public void intitialize(BootstrapRegistry registry) {
 		});
 	}
 
-	private boolean keysConfigured(KeyProperties properties) {
+	public static TextEncryptor rsaTextEncryptor(KeyProperties keyProperties, RsaProperties rsaProperties) {
+		KeyProperties.KeyStore keyStore = keyProperties.getKeyStore();
+		if (keyStore.getLocation() != null) {
+			if (keyStore.getLocation().exists()) {
+				return new RsaSecretEncryptor(
+						new KeyStoreKeyFactory(keyStore.getLocation(), keyStore.getPassword().toCharArray())
+								.getKeyPair(keyStore.getAlias(), keyStore.getSecret().toCharArray()),
+						rsaProperties.getAlgorithm(), rsaProperties.getSalt(), rsaProperties.isStrong());
+			}
+
+			throw new IllegalStateException("Invalid keystore location");
+		}
+
+		return new EncryptorFactory(keyProperties.getSalt()).create(keyProperties.getKey());
+	}
+
+	public static boolean keysConfigured(KeyProperties properties) {
 		if (hasProperty(properties.getKeyStore().getLocation())) {
 			if (hasProperty(properties.getKeyStore().getPassword())) {
 				return true;
@@ -106,14 +129,14 @@ else if (hasProperty(properties.getKey())) {
 		return false;
 	}
 
-	private boolean hasProperty(Object value) {
+	static boolean hasProperty(Object value) {
 		if (value instanceof String) {
 			return StringUtils.hasText((String) value);
 		}
 		return value != null;
 	}
 
-	private boolean isLegacyBootstrap(Environment environment) {
+	static boolean isLegacyBootstrap(Environment environment) {
 		boolean isLegacy = environment.getProperty("spring.config.use-legacy-processing", Boolean.class, false);
 		boolean isBootstrapEnabled = environment.getProperty("spring.cloud.bootstrap.enabled", Boolean.class, false);
 		return isLegacy || isBootstrapEnabled;
@@ -126,7 +149,7 @@ private boolean isLegacyBootstrap(Environment environment) {
 	 * @author Dave Syer
 	 *
 	 */
-	protected static class FailsafeTextEncryptor implements TextEncryptor {
+	public static class FailsafeTextEncryptor implements TextEncryptor {
 
 		@Override
 		public String encrypt(String text) {