feat: 脚本执行敏感参数存储支持国密 TencentBlueKing#2055
敏感参数场景支持国密实现
jsonwan committed May 30, 2023
1 parent 6462078 commit e53c49b
Showing 28 changed files with 957 additions and 254 deletions.
2 changes: 1 addition & 1 deletion src/backend/build.gradle
Expand Up @@ -130,7 +130,7 @@ ext {
set('jcommanderVersion', "1.71")
set('kubernetesJavaClientVersion', "11.0.4")
set('springCloudKubernetesVersion', "2.0.6")
set('gmJavaSDKVersion', "0.0.1")
set('gmJavaSDKVersion', "0.0.4")
if (System.getProperty("bkjobVersion")) {
set('bkjobVersion', System.getProperty("bkjobVersion"))
println "bkjobVersion:" + bkjobVersion
Expand Up @@ -25,14 +25,15 @@
package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.job.common.util.crypto.AESUtils;
import com.tencent.bk.sdk.gm.annotation.CryptoPriority;
import com.tencent.bk.sdk.gm.cryptor.Cryptor;
import com.tencent.bk.sdk.gm.annotation.Cryptor;
import com.tencent.bk.sdk.gm.annotation.CryptorTypeEnum;
import com.tencent.bk.sdk.gm.cryptor.AbstractSymmetricCryptor;

/**
* 使用AES/CBC/PKCS5Padding的加密实现
*/
@CryptoPriority(name = "AES")
public class AESCryptor implements Cryptor {
@Cryptor(name = CryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
public class AESCryptor extends AbstractSymmetricCryptor {
@Override
public byte[] encrypt(byte[] key, byte[] message) {
try {
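--- /dev/null
+++ b/<path-not-shown>/com/tencent/bk/job/common/encrypt/CryptoConfigService.java
@@ -0,0 +1,92 @@
+/*
+* Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+*
+* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+*
+* BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+*
+* License for BK-JOB蓝鲸智云作业平台:
+* --------------------------------------------------------------------
+* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+* documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+* to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+* the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+* THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+* IN THE SOFTWARE.
+*/
+
+package com.tencent.bk.job.common.encrypt;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+* 加密配置服务
+*/
+@SuppressWarnings("unused")
+@Slf4j
+@Service
+public class CryptoConfigService {
+
+private final EncryptConfig encryptConfig;
+private final Map<String, String> scenarioAlgorithms;
+
+@Autowired
+public CryptoConfigService(EncryptConfig encryptConfig) {
+this.encryptConfig = encryptConfig;
+this.scenarioAlgorithms = trimKeyValues(encryptConfig.getScenarioAlgorithms());
+}
+
+private Map<String, String> trimKeyValues(Map<String, String> map) {
+if (map == null) {
+return null;
+}
+Map<String, String> resultMap = new HashMap<>();
+map.forEach((key, value) -> {
+if (key != null) {
+key = key.trim();
+}
+if (value != null) {
+value = value.trim();
+}
+resultMap.put(key, value);
+});
+return resultMap;
+}
+
+/**
+* 获取对称加密密钥
+*
+* @return 对称加密密钥
+*/
+public String getSymmetricPassword() {
+return encryptConfig.getPassword();
+}
+
+/**
+* 根据加密场景获取需要使用的加密算法
+*
+* @param cryptoScenarioEnum 加密场景枚举值
+* @return 加密算法标识
+*/
+public String getSymmetricAlgorithmByScenario(CryptoScenarioEnum cryptoScenarioEnum) {
+if (cryptoScenarioEnum == null) {
+return encryptConfig.getDefaultSymmetricAlgorithm();
+}
+if (scenarioAlgorithms != null && scenarioAlgorithms.containsKey(cryptoScenarioEnum.getValue())) {
+return scenarioAlgorithms.get(cryptoScenarioEnum.getValue());
+}
+return encryptConfig.getDefaultSymmetricAlgorithm();
+}
+}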
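Review bot: A scenario entry whose value is blank, or whose key or value is null, is still stored by `trimKeyValues`, so `getSymmetricAlgorithmByScenario` returns `""` or null for that scenario instead of falling back to `defaultSymmetricAlgorithm`, and a misspelt algorithm name is passed through untouched; for the setting that decides how sensitive script parameters are stored, an unusable value should be rejected or fall back explicitly rather than surface later as a lookup failure in the cryptor layer. Returning an empty map instead of null when no configuration is present also removes the null check in `getSymmetricAlgorithmByScenario`. The rewrite below does both; validating each configured value against the names in `CryptorNames` at construction time would additionally turn a typo into a startup error rather than a failure on first use.
```java
private Map<String, String> trimKeyValues(Map<String, String> map) {
    // Always return a map so callers need no null check; skip entries that
    // cannot name an algorithm instead of storing "" or null as the choice.
    Map<String, String> resultMap = new HashMap<>();
    if (map == null) {
        return resultMap;
    }
    map.forEach((key, value) -> {
        if (key == null || value == null || key.trim().isEmpty() || value.trim().isEmpty()) {
            log.warn("Ignore invalid scenario algorithm config entry: key={}, value={}", key, value);
            return;
        }
        resultMap.put(key.trim(), value.trim());
    });
    return resultMap;
}

// … unchanged: getSymmetricPassword …

public String getSymmetricAlgorithmByScenario(CryptoScenarioEnum cryptoScenarioEnum) {
    if (cryptoScenarioEnum == null) {
        return encryptConfig.getDefaultSymmetricAlgorithm();
    }
    return scenarioAlgorithms.getOrDefault(cryptoScenarioEnum.getValue(),
        encryptConfig.getDefaultSymmetricAlgorithm());
}
```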
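--- /dev/null
+++ b/<path-not-shown>/com/tencent/bk/job/common/encrypt/CryptoScenarioEnum.java
@@ -0,0 +1,57 @@
+/*
+* Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+*
+* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+*
+* BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+*
+* License for BK-JOB蓝鲸智云作业平台:
+* --------------------------------------------------------------------
+* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+* documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+* to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+* the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+* THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+* IN THE SOFTWARE.
+*/
+
+package com.tencent.bk.job.common.encrypt;
+
+/**
+* 加密场景枚举值
+*/
+public enum CryptoScenarioEnum {
+// 脚本敏感参数
+SCRIPT_SENSITIVE_PARAM((byte) 0, "scriptSensitiveParam"),
+// 密文变量
+CIPHER_VARIABLE((byte) 0, "cipherVariable"),
+// DB账号的密码
+DATABASE_PASSWORD((byte) 0, "databasePassword"),
+// 凭证信息
+CREDENTIAL((byte) 0, "credential");
+
+// 加密类型:0为对称加密,1为非对称加密
+private final byte type;
+// 场景标识
+private final String value;
+
+CryptoScenarioEnum(byte type, String value) {
+this.type = type;
+this.value = value;
+}
+
+public String getValue() {
+return value;
+}
+
+public byte getType() {
+return type;
+}
+}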
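Review bot: Every constant initialises `type` with the bare literal `(byte) 0`, and the meaning (0 = symmetric, 1 = asymmetric) exists only in a field comment, so a future asymmetric scenario would be added by copying a magic number. Two constant variables make the intent visible at each constant: `private static final byte TYPE_SYMMETRIC = 0;` and `private static final byte TYPE_ASYMMETRIC = 1;`, with the declarations reading `SCRIPT_SENSITIVE_PARAM(TYPE_SYMMETRIC, "scriptSensitiveParam")`. The per-constant `//` comments would also serve better as Javadoc, since the `getValue()` strings are the keys that `CryptoConfigService` looks up in the `scenarioAlgorithms` map and therefore the names an operator has to write in the `job.encrypt` configuration.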
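--- /dev/null
+++ b/<path-not-shown>/com/tencent/bk/job/common/encrypt/CryptorNames.java
@@ -0,0 +1,36 @@
+/*
+* Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+*
+* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+*
+* BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+*
+* License for BK-JOB蓝鲸智云作业平台:
+* --------------------------------------------------------------------
+* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+* documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+* to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+* the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+* THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+* IN THE SOFTWARE.
+*/
+
+package com.tencent.bk.job.common.encrypt;
+
+public class CryptorNames {
+// 不加密
+public static final String NONE = "None";
+// 对称加密
+public static final String AES = "AES";
+public static final String SM4 = "SM4";
+// 非对称加密
+public static final String RSA = "RSA";
+public static final String SM2 = "SM2";
+}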
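Review bot: `CryptorNames` holds only `public static final String` constants yet is a plain concrete class with the implicit public constructor, so it can be instantiated or subclassed for no purpose. Declare it `public final class CryptorNames` and add `private CryptorNames() {}`. A class-level Javadoc stating that these are the `name` values used by the `@Cryptor` annotation (as in `AESCryptor`) and accepted as algorithm identifiers in `EncryptConfig` would also help, since the `//` comments above each group are not visible to tooling or readers of the generated docs.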
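--- /dev/null
+++ b/<path-not-shown>/com/tencent/bk/job/common/encrypt/EncryptConfig.java
@@ -0,0 +1,65 @@
+/*
+* Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+*
+* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+*
+* BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+*
+* License for BK-JOB蓝鲸智云作业平台:
+* --------------------------------------------------------------------
+* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+* documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+* to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+* the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+* THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+* IN THE SOFTWARE.
+*/
+
+package com.tencent.bk.job.common.encrypt;
+
+import com.tencent.bk.job.common.util.json.JsonUtils;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+import javax.annotation.PostConstruct;
+import java.util.Map;
+
+/**
+* 加密配置
+* <p>
+* ignoreInvalidFields: true, 避免因为错误的配置导致微服务不可用(RefreshScopeHealthIndicator会对ConfigurationProperties
+* 进行健康检查,如果配置有问题,会把微服务的状态设置为health=DOWN)
+*/
+@ConfigurationProperties(prefix = "job.encrypt", ignoreInvalidFields = true)
+@ToString
+@Getter
+@Setter
+@Slf4j
+public class EncryptConfig {
+
+private String password;
+
+private String defaultSymmetricAlgorithm = CryptorNames.NONE;
+
+private String defaultAsymmetricAlgorithm = CryptorNames.RSA;
+
+/**
+* 各个场景下使用的加密算法,不配置则使用默认算法
+*/
+private Map<String, String> scenarioAlgorithms;
+
+@PostConstruct
+public void print() {
+log.info("EncryptConfig init: {}", JsonUtils.toJson(this));
+}
+}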
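Review bot: `print()` serialises the whole bean with `JsonUtils.toJson(this)` at startup, and the bean carries `password`, which `CryptoConfigService.getSymmetricPassword()` hands out as the symmetric key for the sensitive-parameter scenarios, so unless `JsonUtils` masks that field (not visible here) the key is written to the application log at INFO level; the class-level `@ToString` exposes it the same way through `toString()`. Log only the non-secret fields, e.g. `log.info("EncryptConfig init: defaultSymmetricAlgorithm={}, defaultAsymmetricAlgorithm={}, scenarioAlgorithms={}", defaultSymmetricAlgorithm, defaultAsymmetricAlgorithm, scenarioAlgorithms);`, and mark the field `@ToString.Exclude`. A Javadoc sentence on `defaultSymmetricAlgorithm` is also worth adding: with `CryptorNames.NONE` as the default, a deployment that configures nothing stores every scenario that falls back to it unencrypted, which operators should learn from the field rather than from the database.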
Expand Up @@ -24,14 +24,15 @@

package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.sdk.gm.annotation.CryptoPriority;
import com.tencent.bk.sdk.gm.cryptor.Cryptor;

import com.tencent.bk.sdk.gm.annotation.Cryptor;
import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor;

/**
* 不做任何加密操作,直接返回明文的加密实现
*/
@CryptoPriority(name = "None")
public class NoneCryptor implements Cryptor {
@Cryptor(name = CryptorNames.NONE)
public class NoneCryptor implements SymmetricCryptor {
@Override
public byte[] encrypt(byte[] key, byte[] message) {
return message;
Expand All @@ -41,4 +42,14 @@ public byte[] encrypt(byte[] key, byte[] message) {
public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
return encryptedMessage;
}

@Override
public String encrypt(String key, String message) {
return message;
}

@Override
public String decrypt(String key, String base64EncodedEncryptedMessage) {
return base64EncodedEncryptedMessage;
}
}
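Review bot: `@Cryptor(name = CryptorNames.NONE)` omits the `type` element that `AESCryptor` in this same commit sets to `CryptorTypeEnum.SYMMETRIC`; if the annotation's default type is anything other than symmetric (the SDK default is not visible here), the no-op cryptor would not be found by the same lookup that resolves the AES and SM4 implementations, and a scenario configured with `None` would fail or silently pick something else. Writing `@Cryptor(name = CryptorNames.NONE, type = CryptorTypeEnum.SYMMETRIC)` with the matching import removes the reliance on the default and keeps the two classes consistent. The two new `String` overloads in the second hunk would also benefit from a one-line Javadoc each stating that the input is returned unchanged and no Base64 decoding takes place, since the parameter name `base64EncodedEncryptedMessage` suggests otherwise.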