From d57161b5a5b2085dce9cdfa7431e44e282a42536 Mon Sep 17 00:00:00 2001 From: jsonwan Date: Fri, 7 Jul 2023 20:50:13 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=95=8F=E6=84=9F=E4=BF=A1=E6=81=AF?= =?UTF-8?q?=E5=AD=98=E5=82=A8=E6=94=AF=E6=8C=81=E5=9B=BD=E5=AF=86=20#2055?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 支持使用【加密类型】配置项指定使用经典算法/国密算法 --- src/backend/build.gradle | 2 +- .../bk/job/common/encrypt/AESCryptor.java | 16 +++-- .../common/encrypt/CryptoConfigService.java | 12 +++- .../bk/job/common/encrypt/CryptoTypeEnum.java | 37 ++++++++++ .../bk/job/common/encrypt/EncryptConfig.java | 6 +- .../job/common/encrypt/JobCryptorNames.java | 4 +- .../bk/job/common/encrypt/RSACryptor.java | 70 ------------------- ...nt.bk.sdk.crypto.cryptor.ASymmetricCryptor | 1 - .../kubernetes/charts/bk-job/VALUES_LOG.md | 9 +++ .../bk-job/templates/configmap-common.yaml | 1 + .../kubernetes/charts/bk-job/values.yaml | 2 + .../#etc#job#job-common#application.yml | 1 + support-files/templates/job.env | 1 + 13 files changed, 76 insertions(+), 86 deletions(-) create mode 100644 src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoTypeEnum.java delete mode 100644 src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java delete mode 100644 src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor diff --git a/src/backend/build.gradle b/src/backend/build.gradle index 5773b8dd27..fdde5944d2 100644 --- a/src/backend/build.gradle +++ b/src/backend/build.gradle @@ -130,7 +130,7 @@ ext { set('jcommanderVersion', "1.71") set('kubernetesJavaClientVersion', "11.0.4") set('springCloudKubernetesVersion', "2.0.6") - set('cryptoJavaSDKVersion', "0.0.6") + set('cryptoJavaSDKVersion', "0.0.7-SNAPSHOT") if (System.getProperty("bkjobVersion")) { set('bkjobVersion', System.getProperty("bkjobVersion")) println "bkjobVersion:" + bkjobVersion 
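Review bot: `cryptoJavaSDKVersion` moves from the released `0.0.6` to `0.0.7-SNAPSHOT`, a mutable artifact, so whatever snapshot is in the repository at build time is what ships and two builds of this same commit can embed different code for the library that now performs all sensitive-data encryption; the build is neither reproducible nor auditable. A snapshot should not reach a merged branch: pin the released version once it is published, `set('cryptoJavaSDKVersion', "0.0.7")`, and if the build supports dependency verification record its checksum there as well. Until then this change should stay unmerged or the exact snapshot hash should be recorded in the PR so the tested bits can be identified later.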
diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java
index f5a80ab80c..8eecc109ee 100644
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java
@@ -35,15 +35,21 @@
 /**
 * 使用AES/CBC/PKCS5Padding的加密实现
 */
-@Cryptor(name = JobCryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
+@Cryptor(name = JobCryptorNames.AES_CBC, type = CryptorTypeEnum.SYMMETRIC)
 public class AESCryptor extends AbstractSymmetricCryptor {
+
+ @Override
+ public String getName() {
+ return JobCryptorNames.AES_CBC;
+ }
+
 @Override
- public byte[] encrypt(byte[] key, byte[] message) {
+ public byte[] encryptIndeed(byte[] key, byte[] message) {
 try {
 return AESUtils.encrypt(message, key);
 } catch (Exception e) {
 FormattingTuple msg = MessageFormatter.format(
- "Fail to encrypt using AES, key.len={}, message.len={}",
+ "Fail to encrypt using AES_CBC, key.len={}, message.len={}",
 key.length,
 message.length
 );
@@ -52,12 +58,12 @@ public byte[] encrypt(byte[] key, byte[] message) {
 }
 
 @Override
- public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
+ public byte[] decryptIndeed(byte[] key, byte[] encryptedMessage) {
 try {
 return AESUtils.decrypt(encryptedMessage, key);
 } catch (Exception e) {
 FormattingTuple msg = MessageFormatter.format(
- "Fail to decrypt using AES, key.len={}, encryptedMessage.len={}",
+ "Fail to decrypt using AES_CBC, key.len={}, encryptedMessage.len={}",
 key.length,
 encryptedMessage.length
 );
diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoConfigService.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoConfigService.java
index a339aba2b2..733fbfc454 100644
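Review bot: The class Javadoc kept as context in the first hunk still describes this cryptor as AES/CBC/PKCS5Padding, i.e. confidentiality without integrity: a ciphertext stored in the database can be altered without detection, and every decryption failure (padding errors included) propagates as a `CryptoException`, which becomes a padding-oracle precondition if any caller ever exposes the failure/success distinction. Since the commit now names cryptors by mode (`AES_CBC`), this is the natural point to register an authenticated `AES_GCM` cryptor and make it the CLASSIC default while keeping `AES_CBC` registered for reading existing records; at minimum the Javadoc should state `Uses AES/CBC/PKCS5Padding: confidentiality only, no integrity protection - ciphertext is malleable.` Separately, the registered name changes from `AES` to `AES_CBC`; if the SDK records the cryptor name next to the ciphertext (the new `getName()`/`encryptIndeed` split suggests the base class wraps output with metadata, but that is not visible here), values written under the old name will no longer resolve to this class and need an alias or migration. Both `encryptIndeed` and `decryptIndeed` continue past the end of their hunks (the `throw` in each catch block is not shown).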
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoConfigService.java +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoConfigService.java @@ -24,6 +24,7 @@ package com.tencent.bk.job.common.encrypt; +import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; @@ -85,11 +86,18 @@ public String getSymmetricPassword() { */ public String getSymmetricAlgorithmByScenario(CryptoScenarioEnum cryptoScenarioEnum) { if (cryptoScenarioEnum == null) { - return encryptConfig.getDefaultSymmetricAlgorithm(); + return getDefaultSymmetricAlgorithm(); } if (scenarioAlgorithms != null && scenarioAlgorithms.containsKey(cryptoScenarioEnum.getValue())) { return scenarioAlgorithms.get(cryptoScenarioEnum.getValue()); } - return encryptConfig.getDefaultSymmetricAlgorithm(); + return getDefaultSymmetricAlgorithm(); + } + + private String getDefaultSymmetricAlgorithm() { + if (encryptConfig.getType() == CryptoTypeEnum.SHANGMI) { + return CryptorNames.SM4; + } + return JobCryptorNames.AES_CBC; } } diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoTypeEnum.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoTypeEnum.java new file mode 100644 index 0000000000..8d973bdfbb --- /dev/null +++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptoTypeEnum.java 
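Review bot: `getSymmetricAlgorithmByScenario` returns the per-scenario override from `scenarioAlgorithms` before the new type switch is consulted, so a deployment configured with `type: SHANGMI` can still be pointed at `AES_CBC` for individual scenarios (and vice versa) with no error, which defeats the compliance purpose of the switch; the overrides should be checked against the configured type when the service starts and mismatches rejected. `getDefaultSymmetricAlgorithm` also treats an unset `type` (null) exactly like `CLASSIC` without a log line, so a missing or mis-rendered `job.encrypt.type` goes unnoticed. Note too that the default being replaced was `CryptorNames.NONE` (visible in the `EncryptConfig` hunk), so upgraded deployments that never set `defaultSymmetricAlgorithm` switch from NONE to `AES_CBC` on this commit; whether previously stored values stay readable depends on how the SDK tags ciphertext, which is not visible here and belongs in the changelog. The sketch below assumes `scenarioAlgorithms` is a `Map<String, String>` as its use suggests, that `SM4` is the only ShangMi symmetric name the SDK exposes, and that `log` comes from the class's `@Slf4j`; it needs the matching `PostConstruct` import.
```java
// … unchanged: getSymmetricAlgorithmByScenario …

/** Fails fast when a scenario override contradicts the configured crypto type. */
@PostConstruct
private void validateScenarioAlgorithms() {
    if (scenarioAlgorithms == null) {
        return;
    }
    boolean shangmi = encryptConfig.getType() == CryptoTypeEnum.SHANGMI;
    scenarioAlgorithms.forEach((scenario, algorithm) -> {
        if (shangmi != CryptorNames.SM4.equals(algorithm)) {
            throw new IllegalStateException("job.encrypt.type=" + encryptConfig.getType()
                + " but scenario " + scenario + " is configured with " + algorithm);
        }
    });
}

private String getDefaultSymmetricAlgorithm() {
    CryptoTypeEnum type = encryptConfig.getType();
    if (type == null) {
        // Unset type is tolerated for backward compatibility, but must be visible in the logs.
        log.warn("job.encrypt.type is not configured, falling back to CLASSIC ({})", JobCryptorNames.AES_CBC);
        return JobCryptorNames.AES_CBC;
    }
    return type == CryptoTypeEnum.SHANGMI ? CryptorNames.SM4 : JobCryptorNames.AES_CBC;
}
```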
@@ -0,0 +1,37 @@ +/* + * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available. + * + * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License. + * + * License for BK-JOB蓝鲸智云作业平台: + * -------------------------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated + * documentation files (the "Software"), to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and + * to permit persons to whom the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all copies or substantial portions of + * the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO + * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF + * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +package com.tencent.bk.job.common.encrypt; + +/** + * 加密类型枚举值 + */ +public enum CryptoTypeEnum { + + // 经典密码算法(RSA、AES等) + CLASSIC, + // 国家商用密码算法(SM2、SM4等) + SHANGMI + +} diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java index 95fa80057d..cc67da1a87 100644 --- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java 
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java
@@ -46,11 +46,9 @@
 @Slf4j
 public class EncryptConfig {
 
- private String password;
-
- private String defaultSymmetricAlgorithm = CryptorNames.NONE;
+ private CryptoTypeEnum type;
 
- private String defaultAsymmetricAlgorithm = JobCryptorNames.RSA;
+ private String password;
 
 /**
 * 各个场景下使用的加密算法,不配置则使用默认算法
diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java
index ce9b9a63d8..8226ddaf03 100644
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java
+++ b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java
@@ -26,7 +26,5 @@
 public class JobCryptorNames {
 
 // 对称加密
- public static final String AES = "AES";
- // 非对称加密
- public static final String RSA = "RSA";
+ public static final String AES_CBC = "AES_CBC";
 }
diff --git a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java b/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java
deleted file mode 100644
index a659d9c1d2..0000000000
--- a/src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java
+++ /dev/null
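Review bot: `private CryptoTypeEnum type;` has no initializer, so when `job.encrypt.type` is absent the field is null and the CLASSIC default exists only as a fallback branch in `CryptoConfigService`; initialise it here, `private CryptoTypeEnum type = CryptoTypeEnum.CLASSIC;`, so the bound object is self-describing and no consumer has to handle null. The hunk also deletes the `defaultSymmetricAlgorithm` and `defaultAsymmetricAlgorithm` properties; with Spring's relaxed binding an operator's existing `job.encrypt.default-symmetric-algorithm` entry will then be ignored silently rather than rejected (unless the class sets `ignoreUnknownFields = false`, which is outside the hunk), so the removal deserves a deprecation note in VALUES_LOG and ideally a startup warning. The new field should carry a Javadoc grounded in what the code does, e.g. `/** Cipher family for stored secrets: CLASSIC selects AES_CBC, SHANGMI selects SM4 (see CryptoConfigService). */`, because the enum constants are currently the only place the meaning is written down. The class header and its configuration-properties annotation lie outside the hunk.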
@@ -1,70 +0,0 @@ -/* - * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available. - * - * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved. - * - * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License. - * - * License for BK-JOB蓝鲸智云作业平台: - * -------------------------------------------------------------------- - * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated - * documentation files (the "Software"), to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and - * to permit persons to whom the Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all copies or substantial portions of - * the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO - * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF - * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - * IN THE SOFTWARE. 
- */ - -package com.tencent.bk.job.common.encrypt; - -import com.tencent.bk.job.common.exception.CryptoException; -import com.tencent.bk.job.common.util.crypto.RSAUtils; -import com.tencent.bk.sdk.crypto.annotation.Cryptor; -import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum; -import com.tencent.bk.sdk.crypto.cryptor.AbstractASymmetricCryptor; -import org.slf4j.helpers.FormattingTuple; -import org.slf4j.helpers.MessageFormatter; - -import java.security.PrivateKey; -import java.security.PublicKey; - -/** - * 使用RSA的加密实现 - */ -@Cryptor(name = JobCryptorNames.RSA, type = CryptorTypeEnum.ASYMMETRIC) -public class RSACryptor extends AbstractASymmetricCryptor { - @Override - public byte[] encrypt(PublicKey publicKey, byte[] message) { - try { - return RSAUtils.encryptToBytes(message, publicKey); - } catch (Exception e) { - FormattingTuple msg = MessageFormatter.format( - "Fail to encrypt using RSA, publicKey.len={}, message.len={}", - publicKey.getEncoded().length, - message.length - ); - throw new CryptoException(msg.getMessage(), e); - } - } - - @Override - public byte[] decrypt(PrivateKey privateKey, byte[] encryptedMessage) { - try { - return RSAUtils.decryptToBytes(encryptedMessage, privateKey); - } catch (Exception e) { - FormattingTuple msg = MessageFormatter.format( - "Fail to decrypt using RSA, privateKey.len={}, encryptedMessage.len={}", - privateKey.getEncoded().length, - encryptedMessage.length - ); - throw new CryptoException(msg.getMessage(), e); - } - } -} diff --git a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor b/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor deleted file mode 100644 index e1339cc9f1..0000000000 --- a/src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor +++ /dev/null @@ -1 +0,0 @@ -com.tencent.bk.job.common.encrypt.RSACryptor 
diff --git a/support-files/kubernetes/charts/bk-job/VALUES_LOG.md b/support-files/kubernetes/charts/bk-job/VALUES_LOG.md
index f742218c85..9c05399464 100644
--- a/support-files/kubernetes/charts/bk-job/VALUES_LOG.md
+++ b/support-files/kubernetes/charts/bk-job/VALUES_LOG.md
@@ -1,4 +1,13 @@
 # chart values 更新日志
 
+## 0.5.0
+1.增加 加密类型 配置
+```yaml
+job:
+ encrypt:
+ # 可选值:CLASSIC(经典国际算法RSA、AES等),SHANGMI(国家商用密码算法SM2、SM4等)
+ type: "CLASSIC"
+```
+
 ## 0.4.5
 1.增加 bkDomain 配置
diff --git a/support-files/kubernetes/charts/bk-job/templates/configmap-common.yaml b/support-files/kubernetes/charts/bk-job/templates/configmap-common.yaml
index d79953ed11..4877d80566 100644
--- a/support-files/kubernetes/charts/bk-job/templates/configmap-common.yaml
+++ b/support-files/kubernetes/charts/bk-job/templates/configmap-common.yaml
@@ -93,6 +93,7 @@ data:
 public-key-base64: {{ .Values.job.security.publicKeyBase64 }}
 edition: {{ .Values.job.edition }}
 encrypt:
+ type: {{ .Values.job.encrypt.type }}
 password: {{ .Values.job.encrypt.password }}
 web:
 url: {{ include "job.web.url" . }}
diff --git a/support-files/kubernetes/charts/bk-job/values.yaml b/support-files/kubernetes/charts/bk-job/values.yaml
index 9e47a9c565..359f742ffe 100644
--- a/support-files/kubernetes/charts/bk-job/values.yaml
+++ b/support-files/kubernetes/charts/bk-job/values.yaml
@@ -573,6 +573,8 @@ job:
 # 获取actuator监控数据的密码,部署时生成填入
 password: actuator_password
 encrypt:
+ # 可选值:CLASSIC(经典国际算法RSA、AES等),SHANGMI(国家商用密码算法SM2、SM4等)
+ type: "CLASSIC"
 # 用于加密作业平台中存储的数据库密码的密码
 password: "job#2021"
 features:
diff --git a/support-files/templates/#etc#job#job-common#application.yml b/support-files/templates/#etc#job#job-common#application.yml
index cf3c396325..d041807ca5 100644
--- a/support-files/templates/#etc#job#job-common#application.yml
+++ b/support-files/templates/#etc#job#job-common#application.yml
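Review bot: `type: {{ .Values.job.encrypt.type }}` in configmap-common.yaml is rendered unquoted and unvalidated, so an empty value becomes a YAML null that the backend silently treats as the classic algorithms (the `CryptoConfigService` fallback), and a misspelled value is only detected when Spring fails to bind the enum at pod start. For the setting that decides which cipher family protects stored credentials the chart should fail at `helm install`/`upgrade` time instead: `type: {{ required "job.encrypt.type must be CLASSIC or SHANGMI" .Values.job.encrypt.type | quote }}`, and if the chart already has a validation template, a `has .Values.job.encrypt.type (list "CLASSIC" "SHANGMI")` guard there. The `values.yaml` comment lists the accepted values, but nothing in the templates enforces them.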
@@ -80,6 +80,7 @@ job:
 edition: ce
 {% endif -%}
 encrypt:
+ type: __BK_CRYPTO_TYPE__
 password: __BK_JOB_ENCRYPT_PASSWORD__
 web:
 url: __BK_JOB_PUBLIC_URL__
diff --git a/support-files/templates/job.env b/support-files/templates/job.env
index ca8fb9b425..ff24f58bd3 100644
--- a/support-files/templates/job.env
+++ b/support-files/templates/job.env
@@ -15,6 +15,7 @@ BK_IAM_PRIVATE_URL=
 BK_LICENSE_PRIVATE_URL=
 CONSUL_HTTP_PORT=8500
 CONSUL_SCHEME=http
+BK_CRYPTO_TYPE=CLASSIC
 
 # Job通用
 BK_JOB_SECURITY_PRIVATE_KEY_BASE64=