feat: 敏感信息存储支持国密 TencentBlueKing#2055

支持使用【加密类型】配置项指定使用经典算法/国密算法

src/backend/build.gradle

@@ -130,7 +130,7 @@ ext {
     set('jcommanderVersion', "1.71")
     set('kubernetesJavaClientVersion', "11.0.4")
     set('springCloudKubernetesVersion', "2.0.6")
-    set('cryptoJavaSDKVersion', "0.0.6")
+    set('cryptoJavaSDKVersion', "0.0.7-SNAPSHOT")
     if (System.getProperty("bkjobVersion")) {
         set('bkjobVersion', System.getProperty("bkjobVersion"))
         println "bkjobVersion:" + bkjobVersion

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java

@@ -35,15 +35,21 @@
 /**
  * 使用AES/CBC/PKCS5Padding的加密实现
  */
-@Cryptor(name = JobCryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
+@Cryptor(name = JobCryptorNames.AES_CBC, type = CryptorTypeEnum.SYMMETRIC)
 public class AESCryptor extends AbstractSymmetricCryptor {
+
+    @Override
+    public String getName() {
+        return JobCryptorNames.AES_CBC;
+    }
+
     @Override
-    public byte[] encrypt(byte[] key, byte[] message) {
+    public byte[] encryptIndeed(byte[] key, byte[] message) {
         try {
             return AESUtils.encrypt(message, key);
         } catch (Exception e) {
             FormattingTuple msg = MessageFormatter.format(
-                "Fail to encrypt using AES, key.len={}, message.len={}",
+                "Fail to encrypt using AES_CBC, key.len={}, message.len={}",
                 key.length,
                 message.length
             );
@@ -52,12 +58,12 @@ public byte[] encrypt(byte[] key, byte[] message) {
     }
 
     @Override
-    public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
+    public byte[] decryptIndeed(byte[] key, byte[] encryptedMessage) {
         try {
             return AESUtils.decrypt(encryptedMessage, key);
         } catch (Exception e) {
             FormattingTuple msg = MessageFormatter.format(
-                "Fail to decrypt using AES, key.len={}, encryptedMessage.len={}",
+                "Fail to decrypt using AES_CBC, key.len={}, encryptedMessage.len={}",
                 key.length,
                 encryptedMessage.length
             );

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoConfigService.java

@@ -24,6 +24,7 @@
 
 package com.tencent.bk.job.common.encrypt;
 
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
@@ -85,11 +86,18 @@ public String getSymmetricPassword() {
      */
     public String getSymmetricAlgorithmByScenario(CryptoScenarioEnum cryptoScenarioEnum) {
         if (cryptoScenarioEnum == null) {
-            return encryptConfig.getDefaultSymmetricAlgorithm();
+            return getDefaultSymmetricAlgorithm();
         }
         if (scenarioAlgorithms != null && scenarioAlgorithms.containsKey(cryptoScenarioEnum.getValue())) {
             return scenarioAlgorithms.get(cryptoScenarioEnum.getValue());
         }
-        return encryptConfig.getDefaultSymmetricAlgorithm();
+        return getDefaultSymmetricAlgorithm();
+    }
+
+    private String getDefaultSymmetricAlgorithm() {
+        if (encryptConfig.getType() == CryptoTypeEnum.SHANGMI) {
+            return CryptorNames.SM4;
+        }
+        return JobCryptorNames.AES_CBC;
     }
 }

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoTypeEnum.java

@@ -0,0 +1,37 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+ *
+ * License for BK-JOB蓝鲸智云作业平台:
+ * --------------------------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+ * to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+ * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+package com.tencent.bk.job.common.encrypt;
+
+/**
+ * 加密类型枚举值
+ */
+public enum CryptoTypeEnum {
+
+    // 经典密码算法（RSA、AES等）
+    CLASSIC,
+    // 国家商用密码算法（SM2、SM4等）
+    SHANGMI
+
+}

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java

@@ -46,11 +46,9 @@
 @Slf4j
 public class EncryptConfig {
 
-    private String password;
-
-    private String defaultSymmetricAlgorithm = CryptorNames.NONE;
+    private CryptoTypeEnum type;
 
-    private String defaultAsymmetricAlgorithm = JobCryptorNames.RSA;
+    private String password;
 
     /**
      * 各个场景下使用的加密算法，不配置则使用默认算法

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java

@@ -26,7 +26,5 @@
 
 public class JobCryptorNames {
     // 对称加密
-    public static final String AES = "AES";
-    // 非对称加密
-    public static final String RSA = "RSA";
+    public static final String AES_CBC = "AES_CBC";
 }

support-files/kubernetes/charts/bk-job/VALUES_LOG.md

@@ -1,4 +1,13 @@
 # chart values 更新日志
+## 0.5.0
+1.增加 加密类型 配置
+```yaml
+job:
+  encrypt:
+    # 可选值：CLASSIC（经典国际算法RSA、AES等），SHANGMI（国家商用密码算法SM2、SM4等）
+    type: "CLASSIC"
+```
+
 ## 0.4.5
 1.增加 bkDomain 配置
 

support-files/kubernetes/charts/bk-job/templates/configmap-common.yaml

@@ -93,6 +93,7 @@ data:
           public-key-base64: {{ .Values.job.security.publicKeyBase64 }}
       edition: {{ .Values.job.edition }}
       encrypt:
+        type: {{ .Values.job.encrypt.type }}
         password: {{ .Values.job.encrypt.password }}
       web:
         url: {{ include "job.web.url" . }}

support-files/kubernetes/charts/bk-job/values.yaml

@@ -573,6 +573,8 @@ job:
         # 获取actuator监控数据的密码，部署时生成填入
         password: actuator_password
   encrypt:
+    # 可选值：CLASSIC（经典国际算法RSA、AES等），SHANGMI（国家商用密码算法SM2、SM4等）
+    type: "CLASSIC"
     # 用于加密作业平台中存储的数据库密码的密码
     password: "job#2021"
   features:

support-files/templates/#etc#job#job-common#application.yml

@@ -80,6 +80,7 @@ job:
   edition: ce
   {% endif -%}
   encrypt:
+    type: __BK_CRYPTO_TYPE__
     password: __BK_JOB_ENCRYPT_PASSWORD__
   web:
     url: __BK_JOB_PUBLIC_URL__

support-files/templates/job.env

@@ -15,6 +15,7 @@ BK_IAM_PRIVATE_URL=
 BK_LICENSE_PRIVATE_URL=
 CONSUL_HTTP_PORT=8500
 CONSUL_SCHEME=http
+BK_CRYPTO_TYPE=CLASSIC
 
 # Job通用
 BK_JOB_SECURITY_PRIVATE_KEY_BASE64=