feat: 敏感信息存储支持国密 TencentBlueKing#2055

密文变量场景实现

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java

@@ -0,0 +1,77 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+ *
+ * License for BK-JOB蓝鲸智云作业平台:
+ * --------------------------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+ * to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+ * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+package com.tencent.bk.job.common.encrypt.scenario;
+
+import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
+import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
+import com.tencent.bk.job.common.encrypt.CryptorNames;
+import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+/**
+ * 密文变量相关加解密服务
+ */
+@Slf4j
+@Service
+public class CipherVariableService {
+
+    private final SymmetricCryptoService symmetricCryptoService;
+
+    @Autowired
+    public CipherVariableService(SymmetricCryptoService symmetricCryptoService) {
+        this.symmetricCryptoService = symmetricCryptoService;
+    }
+
+    public String getCipherVariableEncryptAlgorithm(TaskVariableTypeEnum taskVariableTypeEnum) {
+        if (!isCipherVariable(taskVariableTypeEnum)) {
+            return CryptorNames.NONE;
+        }
+        return symmetricCryptoService.getAlgorithmByScenario(CryptoScenarioEnum.CIPHER_VARIABLE);
+    }
+
+    private boolean isCipherVariable(TaskVariableTypeEnum taskVariableTypeEnum) {
+        return TaskVariableTypeEnum.CIPHER == taskVariableTypeEnum;
+    }
+
+    public String encryptTaskVariableIfNeeded(TaskVariableTypeEnum taskVariableTypeEnum, String taskVariable) {
+        if (!isCipherVariable(taskVariableTypeEnum)) {
+            return taskVariable;
+        }
+        return symmetricCryptoService.encryptToBase64Str(taskVariable, CryptoScenarioEnum.CIPHER_VARIABLE);
+    }
+
+    public String decryptTaskVariableIfNeeded(TaskVariableTypeEnum taskVariableTypeEnum,
+                                              String encryptedTaskVariable,
+                                              String algorithm) {
+        if (!isCipherVariable(taskVariableTypeEnum) || StringUtils.isBlank(algorithm)) {
+            return encryptedTaskVariable;
+        }
+        return symmetricCryptoService.decrypt(encryptedTaskVariable, algorithm);
+    }
+
+}

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java

@@ -31,6 +31,9 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+/**
+ * 脚本敏感参数相关加解密服务
+ */
 @Slf4j
 @Service
 public class SensitiveParamService {

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/model/dto/CmdbTopoNodeDTO.java

@@ -37,7 +37,7 @@
 @NoArgsConstructor
 @AllArgsConstructor
 @ApiModel("业务拓扑节点")
-public class CmdbTopoNodeDTO {
+public class CmdbTopoNodeDTO implements Cloneable {
     @ApiModelProperty("节点ID")
     private Long id;
     @ApiModelProperty("节点类型，module-模块，set-集群，biz-业务")
@@ -62,4 +62,13 @@ public static CmdbTopoNodeDTO fromVO(TargetNodeVO targetNode) {
         cmdbTopoNodeDTO.setNodeType(targetNode.getObjectId());
         return cmdbTopoNodeDTO;
     }
+
+    @SuppressWarnings("MethodDoesntCallSuperMethod")
+    @Override
+    public CmdbTopoNodeDTO clone() {
+        CmdbTopoNodeDTO nodeDTO = new CmdbTopoNodeDTO();
+        nodeDTO.setId(id);
+        nodeDTO.setNodeType(nodeType);
+        return nodeDTO;
+    }
 }

src/backend/job-crontab/api-job-crontab/src/main/java/com/tencent/bk/job/crontab/model/inner/ServerDTO.java

@@ -48,7 +48,7 @@
 @PersistenceObject
 @ApiModel("目标服务器，四个不可同时为空")
 @Data
-public class ServerDTO {
+public class ServerDTO implements Cloneable {
     /**
      * 全局变量名
      * <p>
@@ -214,4 +214,38 @@ public void standardizeDynamicGroupId() {
             this.dynamicGroupIds = standardDynamicGroupIdList;
         }
     }
+
+    @SuppressWarnings("MethodDoesntCallSuperMethod")
+    @Override
+    public ServerDTO clone() {
+        ServerDTO serverDTO = new ServerDTO();
+        serverDTO.setVariable(variable);
+        if (null != ips) {
+            List<HostDTO> cloneIps = new ArrayList<>(ips.size());
+            for (HostDTO ip : ips) {
+                if (ip != null) {
+                    cloneIps.add(ip.clone());
+                } else {
+                    cloneIps.add(null);
+                }
+            }
+            serverDTO.setIps(cloneIps);
+        }
+        if (null != dynamicGroupIds) {
+            List<String> cloneDynamicGroupIds = new ArrayList<>(dynamicGroupIds);
+            serverDTO.setDynamicGroupIds(cloneDynamicGroupIds);
+        }
+        if (null != topoNodes) {
+            List<CmdbTopoNodeDTO> cloneTopoNodes = new ArrayList<>(topoNodes.size());
+            for (CmdbTopoNodeDTO topoNode : topoNodes) {
+                if (topoNode != null) {
+                    cloneTopoNodes.add(topoNode.clone());
+                } else {
+                    cloneTopoNodes.add(null);
+                }
+            }
+            serverDTO.setTopoNodes(cloneTopoNodes);
+        }
+        return serverDTO;
+    }
 }

src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java

@@ -25,6 +25,7 @@
 package com.tencent.bk.job.crontab.dao.impl;
 
 import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
+import com.tencent.bk.job.common.encrypt.CryptorNames;
 import com.tencent.bk.job.common.model.BaseSearchCondition;
 import com.tencent.bk.job.common.model.PageData;
 import com.tencent.bk.job.common.model.dto.UserRoleInfoDTO;
@@ -93,10 +94,12 @@ void initTest() {
         VARIABLE_1.setName("a");
         VARIABLE_1.setValue("b");
         VARIABLE_1.setType(TaskVariableTypeEnum.HOST_LIST);
+        VARIABLE_1.setCipherEncryptAlgorithm(CryptorNames.NONE);
 
         VARIABLE_2.setName("b");
         VARIABLE_2.setValue("c");
         VARIABLE_2.setType(TaskVariableTypeEnum.CIPHER);
+        VARIABLE_2.setCipherEncryptAlgorithm(CryptorNames.NONE);
 
         NOTIFY_USER_1.setUserList(Arrays.asList("userC", "userJ"));
         NOTIFY_USER_1.setRoleList(Arrays.asList("JOB_ROLE_1", "JOB_ROLE_2"));
@@ -357,7 +360,8 @@ void updateCronJobById() {
 
     @Test
     void giveCronJobIdReturnDeleteSuccess() {
-        assertThat(cronJobDAO.getCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId())).isEqualTo(CRON_JOB_1);
+        CronJobInfoDTO cronJobInfoDTO = cronJobDAO.getCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId());
+        assertThat(cronJobInfoDTO).isEqualTo(CRON_JOB_1);
         assertThat(cronJobDAO.deleteCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId())).isTrue();
         assertThat(cronJobDAO.deleteCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId())).isFalse();
         assertThat(cronJobDAO.getCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId())).isNull();
@@ -399,7 +403,8 @@ void insertCronJobReturnCorrectId() {
         CRON_JOB_1.setNotifyUser(userRoleInfo);
         CRON_JOB_1.setNotifyChannel(Arrays.asList(UUID.randomUUID().toString(), UUID.randomUUID().toString()));
         CRON_JOB_1.setId(cronJobDAO.insertCronJob(CRON_JOB_1));
-        assertThat(cronJobDAO.getCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId())).isEqualTo(CRON_JOB_1);
+        CronJobInfoDTO cronJobInfoDTO = cronJobDAO.getCronJobById(CRON_JOB_1.getAppId(), CRON_JOB_1.getId());
+        assertThat(cronJobInfoDTO).isEqualTo(CRON_JOB_1);
     }
 
     @Test

src/backend/job-crontab/boot-job-crontab/src/test/resources/init_cron_job_data.sql

@@ -29,32 +29,32 @@ INSERT INTO `cron_job` (id, app_id, name, creator, task_template_id, task_plan_i
                         create_time, last_modify_user, last_modify_time, end_time, notify_offset, notify_user,
                         notify_channel)
 VALUES (1, 2, 'cron_job_1', 'userC', 1, 100, null, null, '* * * * *', null,
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         null, 1, 0, '1546272000', 'userT', '1546272000', 0, 600,
         '{"userList":["userC", "userJ"], "roleList":["JOB_ROLE_1", "JOB_ROLE_2"]}', '["wechat", "email"]'),
        (2, 2, 'cron_job_2', 'userT', 2, 200, null, null, null, '1546272000',
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         1, 0, 1, '1546272000', 'userT', '1546272000', 0, 600,
         '{"userList":["userT", "userJ"], "roleList":["JOB_ROLE_3", "JOB_ROLE_4"]}', '["email"]'),
        (3, 2, 'cron_job_3', 'userC', 3, 300, null, null, '* * * * *', null,
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         0, 1, 0, '1546272000', 'userC', '1546272000', 1577808000, 0, null, null),
        (4, 2, 'cron_job_4', 'userT', 4, 400, null, null, null, '1546272000',
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         null, 1, 0, '1546272000', 'userC', '1546272000', 0, 0, null, null),
        (5, 2, 'cron_job_5', 'userC', 5, 500, null, null, '* * * * *', null,
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         1, 1, 0, '1546272000', 'userT', '1546272000', 0, 0, null, null),
        (6, 2, 'cron_job_6', 'userT', null, null, 'aaaa', 1, null, '1546272000',
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         0, 1, 0, '1546272000', 'userT', '1546272000', 0, 0, null, null),
        (7, 2, 'cron_job_7', 'userC', null, null, 'bbbb', 2, '* * * * *', null,
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         null, 0, 1, '1546272000', 'userC', '1546272000', 0, 0, null, null),
        (8, 2, 'cron_job_8', 'userT', null, null, 'cccc', 3, null, '1546272000',
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         1, 1, 0, '1546272000', 'userC', '1546272000', 0, 0, null, null),
        (9, 2, 'cron_job_9', 'userC', null, null, 'vvvv', 4, '* * * * *', null,
-        '[{"id":null,"name":"a","type":3,"value":"b","server":null},{"id":null,"name":"b","type":4,"value":"c","server":null}]',
+        '[{"id":null,"name":"a","type":3,"value":"b","cipherEncryptAlgorithm":"None","server":null},{"id":null,"name":"b","type":4,"value":"c","cipherEncryptAlgorithm":"None","server":null}]',
         0, 1, 0, '1546272000', 'userC', '1546272000', 0, 0, null, null)
 ;

src/backend/job-crontab/service-job-crontab/src/main/java/com/tencent/bk/job/crontab/dao/CronJobDAO.java

@@ -178,11 +178,11 @@ PageData<CronJobInfoDTO> listPageCronJobsByCondition(CronJobInfoDTO cronJobCondi
     /**
      * 根据ID更新定时任务的变量值
      *
-     * @param id               定时任务ID
-     * @param variableValueStr 变量值字符串
+     * @param id                 定时任务ID
+     * @param cronJobWithVarsDTO 含变量的定时任务数据
      * @return 受影响行数
      */
-    int updateVariableById(Long id, String variableValueStr);
+    int updateVariableById(Long id, CronJobWithVarsDTO cronJobWithVarsDTO);
 
     // 删除