[spring] spring cloud config 사용시 암호 관련 예시

spring cloud config 사용시 사용자 이름, 패스워드를 입력한다

"java -jar config-server.jar --spring.cloud.config.server.git.username=knight76 --spring.cloud.config.server.git.password=1234"

아니면 프로퍼티(property) 설정을 추가한다.

spring.cloud.config.server.git.username=knight76

spring.cloud.config.server.git.password=1234

패스워드가 나타나는 게 꺼림직하다.

jasypt(com.github.ulisesbocchio:jasypt-spring-boot-starter) 라이브러리를 사용하면 암호화를 할수 있다.

gradle 설정에  jasypt(com.github.ulisesbocchio:jasypt-spring-boot-starter) 라이브러리를  추가한다.

dependencies {
   implementation 'org.springframework.cloud:spring-cloud-config-server'
   implementation 'org.springframework.cloud:spring-cloud-starter-config'
   compile 'com.github.ulisesbocchio:jasypt-spring-boot-starter:2.1.2'
   testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

application.properties에 

server.port=8080
jasypt.encryptor.bean=jasyptStringEncryptor

management.endpoint.env.enabled=true
management.endpoints.web.exposure.include=*

spring.cloud.config.server.bootstrap=true
spring.cloud.config.server.git.uri=https://github.com/knight76/spring-cloud-config-example
spring.cloud.config.server.git.timeout=5
spring.cloud.config.server.git.username=knight76
spring.cloud.config.server.git.password=123214

암호화에 사용되는 JasyptConfig 클래스를 추가한다. 

package com.github.knight76.config.configserver;

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptConfig {

   final static String KEY = "knight76";

   final static String ALGORITHM = "PBEWithMD5AndDES";

   @Bean("jasyptStringEncryptor")
   public StringEncryptor stringEncryptor() {
      PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
      SimpleStringPBEConfig config = new SimpleStringPBEConfig();
      config.setPassword(KEY);
      config.setAlgorithm(ALGORITHM);
      config.setKeyObtentionIterations("1000");
      config.setPoolSize("1");
      config.setProviderName("SunJCE");
      config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
      config.setStringOutputType("base64");
      encryptor.setConfig(config);
      return encryptor;
   }

}

 테스트 코드는 다음과 같다. 테스트 코드의 비밀번호를 사용한다. 

package com.github.knight76.config.configserver;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class ConfigServerApplicationTests {

   @Test
   public void test() {
      StandardPBEStringEncryptor standardPBEStringEncryptor = 
                      new StandardPBEStringEncryptor();
      standardPBEStringEncryptor.setAlgorithm(JasyptConfig.ALGORITHM);
      standardPBEStringEncryptor.setPassword(JasyptConfig.KEY);

      String enc = standardPBEStringEncryptor.encrypt("비밀번호");
      System.out.println("enc = " + enc);

      String des = standardPBEStringEncryptor.decrypt(enc);
      System.out.println("des = " + des);
   }
}

테스트 코드를 통해 얻은 비밀번호를 application.properties의 비밀번호로 설정한다. ENC(..비밀번호..)로 적용한다.

server.port=8080
jasypt.encryptor.bean=jasyptStringEncryptor

management.endpoint.env.enabled=true
management.endpoints.web.exposure.include=*

spring.cloud.config.server.bootstrap=true
spring.cloud.config.server.git.uri=https://github.com/knight76/spring-cloud-config-example
spring.cloud.config.server.git.timeout=5
spring.cloud.config.server.git.username=knight76
spring.cloud.config.server.git.password=ENC(암호문)

풀 예제 코드는 다음과 같다.

https://github.com/knight76/spring-cloud-config-example

이 방식 외에 RSA 비밀 키를 사용하는 방식이 있다. 

https://cloud.spring.io/spring-cloud-config/reference/html/

spring: cloud: config: server: git: uri: git@gitserver.com:team/repo1.git ignoreLocalSshSettings: true hostKey: someHostKey hostKeyAlgorithm: ssh-rsa privateKey: | -----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCAQEAx4UbaDzY5xjW6hc9jwN0mX33XpTDVW9WqHp5AKaRbtAC3DqX IXFMPgw3K45jxRb93f8tv9vL3rD9CUG1Gv4FM+o7ds7FRES5RTjv2RT/JVNJCoqF ol8+ngLqRZCyBtQN7zYByWMRirPGoDUqdPYrj2yq+ObBBNhg5N+hOwKjjpzdj2Ud 1l7R+wxIqmJo1IYyy16xS8WsjyQuyC0lL456qkd5BDZ0Ag8j2X9H9D5220Ln7s9i oezTipXipS7p7Jekf3Ywx6abJwOmB0rX79dV4qiNcGgzATnG1PkXxqt76VhcGa0W DDVHEEYGbSQ6hIGSh0I7BQun0aLRZojfE3gqHQIDAQABAoIBAQCZmGrk8BK6tXCd fY6yTiKxFzwb38IQP0ojIUWNrq0+9Xt+NsypviLHkXfXXCKKU4zUHeIGVRq5MN9b BO56/RrcQHHOoJdUWuOV2qMqJvPUtC0CpGkD+valhfD75MxoXU7s3FK7yjxy3rsG EmfA6tHV8/4a5umo5TqSd2YTm5B19AhRqiuUVI1wTB41DjULUGiMYrnYrhzQlVvj 5MjnKTlYu3V8PoYDfv1GmxPPh6vlpafXEeEYN8VB97e5x3DGHjZ5UrurAmTLTdO8 +AahyoKsIY612TkkQthJlt7FJAwnCGMgY6podzzvzICLFmmTXYiZ/28I4BX/mOSe pZVnfRixAoGBAO6Uiwt40/PKs53mCEWngslSCsh9oGAaLTf/XdvMns5VmuyyAyKG ti8Ol5wqBMi4GIUzjbgUvSUt+IowIrG3f5tN85wpjQ1UGVcpTnl5Qo9xaS1PFScQ xrtWZ9eNj2TsIAMp/svJsyGG3OibxfnuAIpSXNQiJPwRlW3irzpGgVx/AoGBANYW dnhshUcEHMJi3aXwR12OTDnaLoanVGLwLnkqLSYUZA7ZegpKq90UAuBdcEfgdpyi PhKpeaeIiAaNnFo8m9aoTKr+7I6/uMTlwrVnfrsVTZv3orxjwQV20YIBCVRKD1uX VhE0ozPZxwwKSPAFocpyWpGHGreGF1AIYBE9UBtjAoGBAI8bfPgJpyFyMiGBjO6z FwlJc/xlFqDusrcHL7abW5qq0L4v3R+FrJw3ZYufzLTVcKfdj6GelwJJO+8wBm+R gTKYJItEhT48duLIfTDyIpHGVm9+I1MGhh5zKuCqIhxIYr9jHloBB7kRm0rPvYY4 VAykcNgyDvtAVODP+4m6JvhjAoGBALbtTqErKN47V0+JJpapLnF0KxGrqeGIjIRV cYA6V4WYGr7NeIfesecfOC356PyhgPfpcVyEztwlvwTKb3RzIT1TZN8fH4YBr6Ee KTbTjefRFhVUjQqnucAvfGi29f+9oE3Ei9f7wA+H35ocF6JvTYUsHNMIO/3gZ38N CPjyCMa9AoGBAMhsITNe3QcbsXAbdUR00dDsIFVROzyFJ2m40i4KCRM35bC/BIBs q0TY3we+ERB40U8Z2BvU61QuwaunJ2+uGadHo58VSVdggqAo0BSkH58innKKt96J 69pcVH/4rmLbXdcmNYGm6iu+MlPQk4BUZknHSmVHIFdJ0EPupVaQ8RHT 

-----END RSA PRIVATE KEY-----