diff --git a/src/backend/build.gradle b/src/backend/build.gradle index f5c4ac9f17..5773b8dd27 100644 --- a/src/backend/build.gradle +++ b/src/backend/build.gradle @@ -130,7 +130,7 @@ ext { set('jcommanderVersion', "1.71") set('kubernetesJavaClientVersion', "11.0.4") set('springCloudKubernetesVersion', "2.0.6") - set('gmJavaSDKVersion', "0.0.4") + set('cryptoJavaSDKVersion', "0.0.6") if (System.getProperty("bkjobVersion")) { set('bkjobVersion', System.getProperty("bkjobVersion")) println "bkjobVersion:" + bkjobVersion @@ -321,7 +321,7 @@ subprojects { entry "hibernate-validator" } dependency "com.beust:jcommander:$jcommanderVersion" - dependency "com.tencent.bk.sdk:gm-java-sdk:$gmJavaSDKVersion" + dependency "com.tencent.bk.sdk:crypto-java-sdk:$cryptoJavaSDKVersion" } } dependencies { diff --git a/src/backend/commons/common-utils/src/main/java/com/tencent/bk/job/common/util/crypto/RSAUtils.java b/src/backend/commons/common-utils/src/main/java/com/tencent/bk/job/common/util/crypto/RSAUtils.java index 08d7f5909e..b5944a997d 100644 --- a/src/backend/commons/common-utils/src/main/java/com/tencent/bk/job/common/util/crypto/RSAUtils.java +++ b/src/backend/commons/common-utils/src/main/java/com/tencent/bk/job/common/util/crypto/RSAUtils.java 
@@ -30,9 +30,22 @@ import org.apache.commons.lang3.StringUtils; import javax.crypto.Cipher; -import java.io.*; +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.StringReader; +import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; -import java.security.*; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Signature; +import java.security.SignatureException; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.PKCS8EncodedKeySpec; 
@@ -140,15 +153,39 @@ public static boolean verify(PublicKey publicKey, String message, } public static String encrypt(String rawText, PublicKey publicKey) throws IOException, GeneralSecurityException { + return encrypt(rawText.getBytes(CHARSET_NAME), publicKey); + } + + public static String encrypt(byte[] messageBytes, + PublicKey publicKey) throws GeneralSecurityException { Cipher cipher = Cipher.getInstance(KEY_ALGORITHM); cipher.init(Cipher.ENCRYPT_MODE, publicKey); - return Base64.encodeBase64String(cipher.doFinal(rawText.getBytes(CHARSET_NAME))); + return Base64.encodeBase64String(cipher.doFinal(messageBytes)); } - public static String decrypt(String cipherText, + public static byte[] encryptToBytes(byte[] messageBytes, + PublicKey publicKey) throws GeneralSecurityException { + Cipher cipher = Cipher.getInstance(KEY_ALGORITHM); + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + return cipher.doFinal(messageBytes); + } + + public static String decrypt(String cipherBase64Text, PrivateKey privateKey) throws IOException, GeneralSecurityException { + return decrypt(Base64.decodeBase64(cipherBase64Text), privateKey); + } + + public static String decrypt(byte[] cipherBytes, + PrivateKey privateKey) throws IOException, GeneralSecurityException { + Cipher cipher = Cipher.getInstance(KEY_ALGORITHM); + cipher.init(Cipher.DECRYPT_MODE, privateKey); + return new String(cipher.doFinal(cipherBytes), CHARSET_NAME); + } + + public static byte[] decryptToBytes(byte[] cipherBytes, + PrivateKey privateKey) throws IOException, GeneralSecurityException { Cipher cipher = Cipher.getInstance(KEY_ALGORITHM); cipher.init(Cipher.DECRYPT_MODE, privateKey); - return new String(cipher.doFinal(Base64.decodeBase64(cipherText)), CHARSET_NAME); + return cipher.doFinal(cipherBytes); } } diff --git a/src/backend/commons/common/build.gradle b/src/backend/commons/common/build.gradle index cd6efa889a..e01861dcee 100644 --- a/src/backend/commons/common/build.gradle 
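Review bot: All four new byte-oriented methods call `Cipher.getInstance(KEY_ALGORITHM)`, so the padding scheme is whatever the provider selects for that name. `KEY_ALGORITHM` is defined outside this hunk; if it is the bare `"RSA"`, the JDK provider defaults to PKCS#1 v1.5 padding, which is exposed to padding-oracle attacks wherever decryption failures are observable to a caller. Naming the transformation in its own constant, e.g. `private static final String CIPHER_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";`, would make the choice explicit, though data already encrypted under the old transformation would still need it for decryption. The cipher setup is also repeated four times: `encrypt(byte[], PublicKey)` could be `return Base64.encodeBase64String(encryptToBytes(messageBytes, publicKey));`, `decrypt(byte[], PrivateKey)` could wrap `decryptToBytes`, and `decryptToBytes` declares `IOException` although nothing visible in its body throws it.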
+++ b/src/backend/commons/common/build.gradle @@ -45,7 +45,7 @@ dependencies { implementation 'com.cronutils:cron-utils' implementation 'commons-validator:commons-validator' implementation 'org.springframework.cloud:spring-cloud-sleuth-instrumentation' - implementation 'com.tencent.bk.sdk:gm-java-sdk' + implementation 'com.tencent.bk.sdk:crypto-java-sdk' compileOnly 'org.springframework:spring-web' compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java index 797f56d895..f5a80ab80c 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java 
@@ -24,22 +24,30 @@ package com.tencent.bk.job.common.encrypt; +import com.tencent.bk.job.common.exception.CryptoException; import com.tencent.bk.job.common.util.crypto.AESUtils; -import com.tencent.bk.sdk.gm.annotation.Cryptor; -import com.tencent.bk.sdk.gm.annotation.CryptorTypeEnum; -import com.tencent.bk.sdk.gm.cryptor.AbstractSymmetricCryptor; +import com.tencent.bk.sdk.crypto.annotation.Cryptor; +import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum; +import com.tencent.bk.sdk.crypto.cryptor.AbstractSymmetricCryptor; +import org.slf4j.helpers.FormattingTuple; +import org.slf4j.helpers.MessageFormatter; /** * 使用AES/CBC/PKCS5Padding的加密实现 */ -@Cryptor(name = CryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC) +@Cryptor(name = JobCryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC) public class AESCryptor extends AbstractSymmetricCryptor { @Override public byte[] encrypt(byte[] key, byte[] message) { try { return AESUtils.encrypt(message, key); } catch (Exception e) { - throw new RuntimeException(e); + FormattingTuple msg = MessageFormatter.format( + "Fail to encrypt using AES, key.len={}, message.len={}", + key.length, + message.length + ); + throw new CryptoException(msg.getMessage(), e); } } @@ -48,7 +56,12 @@ public byte[] decrypt(byte[] key, byte[] encryptedMessage) { try { return AESUtils.decrypt(encryptedMessage, key); } catch (Exception e) { - throw new RuntimeException(e); + FormattingTuple msg = MessageFormatter.format( + "Fail to decrypt using AES, key.len={}, encryptedMessage.len={}", + key.length, + encryptedMessage.length + ); + throw new CryptoException(msg.getMessage(), e); } } } diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java index 86ce20f2c0..95fa80057d 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java 
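Review bot: Both new catch blocks (encrypt in the first hunk, decrypt in the second) read `key.length` and `message.length` / `encryptedMessage.length` while building the error text. A null key or payload, which is a plausible reason for reaching the catch, then raises a NullPointerException inside the handler and the original cause `e` is lost. A null-safe read such as `key == null ? -1 : key.length` keeps the CryptoException and its cause intact. Reporting only lengths, never the key or message bytes, is the right choice and worth stating in a comment so later edits do not add the values themselves. The signature of `decrypt` lies outside the second hunk, and the same pattern appears in the new RSACryptor.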
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java @@ -25,6 +25,7 @@ package com.tencent.bk.job.common.encrypt; import com.tencent.bk.job.common.util.json.JsonUtils; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import lombok.Getter; import lombok.Setter; import lombok.ToString; @@ -49,7 +50,7 @@ public class EncryptConfig { private String defaultSymmetricAlgorithm = CryptorNames.NONE; - private String defaultAsymmetricAlgorithm = CryptorNames.RSA; + private String defaultAsymmetricAlgorithm = JobCryptorNames.RSA; /** * 各个场景下使用的加密算法,不配置则使用默认算法 diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptorNames.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java similarity index 90% rename from src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptorNames.java rename to src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java index 2b2a1b97cc..ce9b9a63d8 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptorNames.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java @@ -24,13 +24,9 @@ package com.tencent.bk.job.common.encrypt; -public class CryptorNames { - // 不加密 - public static final String NONE = "None"; +public class JobCryptorNames { // 对称加密 public static final String AES = "AES"; - public static final String SM4 = "SM4"; // 非对称加密 public static final String RSA = "RSA"; - public static final String SM2 = "SM2"; } diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java new file mode 100644 index 0000000000..a659d9c1d2 --- /dev/null 
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java 
@@ -0,0 +1,70 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+ *
+ * License for BK-JOB蓝鲸智云作业平台:
+ * --------------------------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+ * to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+ * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+package com.tencent.bk.job.common.encrypt;
+
+import com.tencent.bk.job.common.exception.CryptoException;
+import com.tencent.bk.job.common.util.crypto.RSAUtils;
+import com.tencent.bk.sdk.crypto.annotation.Cryptor;
+import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum;
+import com.tencent.bk.sdk.crypto.cryptor.AbstractASymmetricCryptor;
+import org.slf4j.helpers.FormattingTuple;
+import org.slf4j.helpers.MessageFormatter;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * 使用RSA的加密实现
+ */
+@Cryptor(name = JobCryptorNames.RSA, type = CryptorTypeEnum.ASYMMETRIC)
+public class RSACryptor extends AbstractASymmetricCryptor {
+ @Override
+ public byte[] encrypt(PublicKey publicKey, byte[] message) {
+ try {
+ return RSAUtils.encryptToBytes(message, publicKey);
+ } catch (Exception e) {
+ FormattingTuple msg = MessageFormatter.format(
+ "Fail to encrypt using RSA, publicKey.len={}, message.len={}",
+ publicKey.getEncoded().length,
+ message.length
+ );
+ throw new CryptoException(msg.getMessage(), e);
+ }
+ }
+
+ @Override
+ public byte[] decrypt(PrivateKey privateKey, byte[] encryptedMessage) {
+ try {
+ return RSAUtils.decryptToBytes(encryptedMessage, privateKey);
+ } catch (Exception e) {
+ FormattingTuple msg = MessageFormatter.format(
+ "Fail to decrypt using RSA, privateKey.len={}, encryptedMessage.len={}",
+ privateKey.getEncoded().length,
+ encryptedMessage.length
+ );
+ throw new CryptoException(msg.getMessage(), e);
+ }
+ }
+}
diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/SymmetricCryptoService.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/SymmetricCryptoService.java
index a281618c8d..68590198fb 100644
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/SymmetricCryptoService.java
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/SymmetricCryptoService.java
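Review bot: Both catch blocks in RSACryptor build the error text from `publicKey.getEncoded().length` / `privateKey.getEncoded().length`, but `Key.getEncoded()` returns null for keys that do not support encoding (hardware-backed keys, for example). The handler can therefore throw a NullPointerException of its own and hide the original failure. For the private key the call also copies the encoded key material onto the heap only to report a length. A field that needs no key bytes, such as `privateKey.getAlgorithm()`, avoids both problems. The `.length` reads on `message` and `encryptedMessage` have the same masking effect when those arguments are null.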
@@ -24,8 +24,8 @@ package com.tencent.bk.job.common.encrypt; -import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor; -import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptorFactory; +import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor; +import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptorFactory; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java index 125a6cb763..d9afb94164 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java @@ -26,8 +26,8 @@ import com.tencent.bk.job.common.constant.TaskVariableTypeEnum; import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum; -import com.tencent.bk.job.common.encrypt.CryptorNames; import com.tencent.bk.job.common.encrypt.SymmetricCryptoService; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/DbPasswordService.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/DbPasswordService.java index cc4362cf62..ffdc4ccedb 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/DbPasswordService.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/DbPasswordService.java 
@@ -26,8 +26,8 @@ import com.tencent.bk.job.common.constant.AccountCategoryEnum; import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum; -import com.tencent.bk.job.common.encrypt.CryptorNames; import com.tencent.bk.job.common.encrypt.SymmetricCryptoService; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java index 3efbdefc6f..efca961b31 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java @@ -25,8 +25,8 @@ package com.tencent.bk.job.common.encrypt.scenario; import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum; -import com.tencent.bk.job.common.encrypt.CryptorNames; import com.tencent.bk.job.common.encrypt.SymmetricCryptoService; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/NoneCryptor.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/exception/CryptoException.java similarity index 65% rename from src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/NoneCryptor.java rename to src/backend/commons/common/src/main/java/com/tencent/bk/job/common/exception/CryptoException.java index a70d470edb..92e86c7811 100644 
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/NoneCryptor.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/exception/CryptoException.java @@ -22,34 +22,19 @@ * IN THE SOFTWARE. */ -package com.tencent.bk.job.common.encrypt; +package com.tencent.bk.job.common.exception; - -import com.tencent.bk.sdk.gm.annotation.Cryptor; -import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor; +import lombok.Getter; +import lombok.ToString; /** - * 不做任何加密操作,直接返回明文的加密实现 + * 加解密异常 */ -@Cryptor(name = CryptorNames.NONE) -public class NoneCryptor implements SymmetricCryptor { - @Override - public byte[] encrypt(byte[] key, byte[] message) { - return message; - } - - @Override - public byte[] decrypt(byte[] key, byte[] encryptedMessage) { - return encryptedMessage; - } - - @Override - public String encrypt(String key, String message) { - return message; - } +@Getter +@ToString +public class CryptoException extends RuntimeException { - @Override - public String decrypt(String key, String base64EncodedEncryptedMessage) { - return base64EncodedEncryptedMessage; + public CryptoException(String message, Throwable cause) { + super(message, cause); } } diff --git a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor new file mode 100644 index 0000000000..e1339cc9f1 --- /dev/null +++ b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor @@ -0,0 +1 @@ +com.tencent.bk.job.common.encrypt.RSACryptor diff --git a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor new file mode 100644 index 0000000000..1b8c6c3c10 
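Review bot: `@ToString` on the new CryptoException overrides `Throwable.toString()`, and with no fields declared Lombok would generate something like `CryptoException()`, without the fully qualified class name or the message. `printStackTrace()` and its "Caused by:" lines are built from `toString()`, so the AES/RSA failure text composed elsewhere in this commit may not appear wherever the exception is printed that way. `@Getter` has nothing to generate either, since the class declares no fields. Dropping both annotations and keeping only `public class CryptoException extends RuntimeException {` restores the inherited behaviour.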
--- /dev/null +++ b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor @@ -0,0 +1 @@ +com.tencent.bk.job.common.encrypt.AESCryptor diff --git a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor deleted file mode 100644 index a5b8855774..0000000000 --- a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor +++ /dev/null @@ -1,2 +0,0 @@ -com.tencent.bk.job.common.encrypt.NoneCryptor -com.tencent.bk.job.common.encrypt.AESCryptor diff --git a/src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java b/src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java index 48f4f6b721..864693a334 100644 --- a/src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java +++ b/src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java @@ -25,7 +25,6 @@ package com.tencent.bk.job.crontab.dao.impl; import com.tencent.bk.job.common.constant.TaskVariableTypeEnum; -import com.tencent.bk.job.common.encrypt.CryptorNames; import com.tencent.bk.job.common.model.BaseSearchCondition; import com.tencent.bk.job.common.model.PageData; import com.tencent.bk.job.common.model.dto.UserRoleInfoDTO; 
@@ -35,6 +34,7 @@ import com.tencent.bk.job.crontab.model.dto.CronJobInfoDTO; import com.tencent.bk.job.crontab.model.dto.CronJobVariableDTO; import com.tencent.bk.job.crontab.util.CronExpressionUtil; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith;