iSharkFly-Docs
/
java-tutorials
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

BAEL-6046 MongoDB - Field Level Encryption (#13859)

This commit is contained in:
Ulisses Lima 2023-05-06 04:59:46 -03:00 committed by GitHub
parent 4a9e72664c
commit 7123ae8ad7
7 changed files with 150 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
persistence-modules/spring-boot-persistence-mongodb-3/pom.xml
View File

@ -16,6 +16,21 @@
</parent>
<dependencies>
<dependency>
<groupId>org.mongodb</groupId>
<artifactId>mongodb-driver-sync</artifactId>
<version>${mongodb-driver.version}</version>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
<artifactId>mongodb-driver-core</artifactId>
<version>${mongodb-driver.version}</version>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
<artifactId>bson</artifactId>
<version>${mongodb-driver.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
@ -23,6 +38,16 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
<exclusions>
<exclusion>
<groupId>org.mongodb</groupId>
<artifactId>mongodb-driver-sync</artifactId>
</exclusion>
<exclusion>
<groupId>org.mongodb</groupId>
<artifactId>mongodb-driver-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
@ -37,7 +62,8 @@
</dependencies>
<properties>
<mongodb-crypt.version>1.6.1</mongodb-crypt.version>
<mongodb-crypt.version>1.7.3</mongodb-crypt.version>
<mongodb-driver.version>4.9.1</mongodb-driver.version>
</properties>
</project>

28
persistence-modules/spring-boot-persistence-mongodb-3/src/main/java/com/baeldung/boot/csfle/config/EncryptionConfig.java
View File

@ -1,5 +1,7 @@
package com.baeldung.boot.csfle.config;
import java.io.File;
import org.bson.BsonBinary;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
@ -17,7 +19,13 @@ public class EncryptionConfig {
private String keyVaultAlias;
@Value("${com.baeldung.csfle.auto-decryption:false}")
private Boolean autoDecryption;
private boolean autoDecryption;
@Value("${com.baeldung.csfle.auto-encryption:false}")
private boolean autoEncryption;
@Value("${com.baeldung.csfle.auto-encryption-lib:#{null}}")
private File autoEncryptionLib;
private BsonBinary dataKeyId;
@ -41,7 +49,23 @@ public class EncryptionConfig {
return masterKeyPath;
}
public Boolean getAutoDecryption() {
public boolean isAutoDecryption() {
return autoDecryption;
}
public boolean isAutoEncryption() {
return autoEncryption;
}
public File getAutoEncryptionLib() {
return autoEncryptionLib;
}
public String dataKeyIdUuid() {
if (dataKeyId == null)
throw new IllegalStateException("data key not initialized");
return dataKeyId.asUuid()
.toString();
}
}

88
persistence-modules/spring-boot-persistence-mongodb-3/src/main/java/com/baeldung/boot/csfle/config/MongoClientConfig.java
View File

@ -1,14 +1,15 @@
package com.baeldung.boot.csfle.config;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.bson.BsonBinary;
import org.bson.BsonDocument;
import org.bson.Document;
import org.bson.conversions.Bson;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
@ -51,14 +52,10 @@ public class MongoClientConfig extends AbstractMongoClientConfiguration {
@Bean
@Override
public MongoClient mongoClient() {
MongoClient client;
try {
client = MongoClients.create(clientSettings());
ClientEncryption encryption = clientEncryption();
encryptionConfig.setDataKeyId(createOrRetrieveDataKey(client, encryption));
return client;
encryptionConfig.setDataKeyId(createOrRetrieveDataKey(encryption));
return MongoClients.create(clientSettings());
} catch (IOException e) {
throw new IllegalStateException("unable to create client", e);
}
@ -77,19 +74,10 @@ public class MongoClientConfig extends AbstractMongoClientConfiguration {
return ClientEncryptions.create(encryptionSettings);
}
private BsonBinary createOrRetrieveDataKey(MongoClient client, ClientEncryption encryption) {
MongoNamespace namespace = new MongoNamespace(encryptionConfig.getKeyVaultNamespace());
MongoCollection<Document> keyVault = client.getDatabase(namespace.getDatabaseName())
.getCollection(namespace.getCollectionName());
Bson query = Filters.in("keyAltNames", encryptionConfig.getKeyVaultAlias());
BsonDocument key = keyVault.withDocumentClass(BsonDocument.class)
.find(query)
.first();
private BsonBinary createOrRetrieveDataKey(ClientEncryption encryption) {
BsonDocument key = encryption.getKeyByAltName(encryptionConfig.getKeyVaultAlias());
if (key == null) {
keyVault.createIndex(Indexes.ascending("keyAltNames"), new IndexOptions().unique(true)
.partialFilterExpression(Filters.exists("keyAltNames")));
createKeyUniqueIndex();
DataKeyOptions options = new DataKeyOptions();
options.keyAltNames(Arrays.asList(encryptionConfig.getKeyVaultAlias()));
@ -99,16 +87,68 @@ public class MongoClientConfig extends AbstractMongoClientConfiguration {
}
}
private void createKeyUniqueIndex() {
try (MongoClient client = MongoClients.create(MongoClientSettings.builder()
.applyConnectionString(new ConnectionString(uri))
.build())) {
MongoNamespace namespace = new MongoNamespace(encryptionConfig.getKeyVaultNamespace());
MongoCollection<Document> keyVault = client.getDatabase(namespace.getDatabaseName())
.getCollection(namespace.getCollectionName());
keyVault.createIndex(Indexes.ascending("keyAltNames"), new IndexOptions().unique(true)
.partialFilterExpression(Filters.exists("keyAltNames")));
}
}
private MongoClientSettings clientSettings() throws FileNotFoundException, IOException {
Builder settings = MongoClientSettings.builder()
.applyConnectionString(new ConnectionString(uri));
if (encryptionConfig.getAutoDecryption()) {
settings.autoEncryptionSettings(AutoEncryptionSettings.builder()
if (encryptionConfig.isAutoDecryption()) {
AutoEncryptionSettings.Builder builder = AutoEncryptionSettings.builder()
.keyVaultNamespace(encryptionConfig.getKeyVaultNamespace())
.kmsProviders(LocalKmsUtils.providersMap(encryptionConfig.getMasterKeyPath()))
.bypassAutoEncryption(true)
.build());
.kmsProviders(LocalKmsUtils.providersMap(encryptionConfig.getMasterKeyPath()));
if (encryptionConfig.isAutoEncryption() && encryptionConfig.getDataKeyId() != null) {
File autoEncryptionLib = encryptionConfig.getAutoEncryptionLib();
if (!autoEncryptionLib.isFile()) {
throw new IllegalArgumentException("encryption lib must be an existing file");
}
Map<String, Object> map = new HashMap<>();
map.put("cryptSharedLibRequired", true);
map.put("cryptSharedLibPath", autoEncryptionLib.toString());
builder.extraOptions(map);
String keyUuid = encryptionConfig.dataKeyIdUuid();
HashMap<String, BsonDocument> schemaMap = new HashMap<>();
schemaMap.put(getDatabaseName() + ".citizens",
BsonDocument.parse("{"
+ " bsonType: \"object\","
+ " encryptMetadata: {"
+ " keyId: [UUID(\"" + keyUuid + "\")]"
+ " },"
+ " properties: {"
+ " email: {"
+ " encrypt: {"
+ " bsonType: \"string\","
+ " algorithm: \"AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic\""
+ " }"
+ " },"
+ " birthYear: {"
+ " encrypt: {"
+ " bsonType: \"int\","
+ " algorithm: \"AEAD_AES_256_CBC_HMAC_SHA_512-Random\""
+ " }"
+ " }"
+ " }"
+ "}"));
builder.schemaMap(schemaMap);
} else {
builder.bypassAutoEncryption(true);
}
settings.autoEncryptionSettings(builder.build());
}
return settings.build();

33
persistence-modules/spring-boot-persistence-mongodb-3/src/main/java/com/baeldung/boot/csfle/service/CitizenService.java
View File

@ -35,16 +35,20 @@ public class CitizenService {
@Autowired
private ClientEncryption clientEncryption;
public EncryptedCitizen save(Citizen citizen) {
EncryptedCitizen encryptedCitizen = new EncryptedCitizen(citizen);
encryptedCitizen.setEmail(encrypt(citizen.getEmail(), DETERMINISTIC_ALGORITHM));
encryptedCitizen.setBirthYear(encrypt(citizen.getBirthYear(), RANDOM_ALGORITHM));
public Object save(Citizen citizen) {
if (encryptionConfig.isAutoEncryption()) {
return mongo.save(citizen);
} else {
EncryptedCitizen encryptedCitizen = new EncryptedCitizen(citizen);
encryptedCitizen.setEmail(encrypt(citizen.getEmail(), DETERMINISTIC_ALGORITHM));
encryptedCitizen.setBirthYear(encrypt(citizen.getBirthYear(), RANDOM_ALGORITHM));
return mongo.save(encryptedCitizen);
return mongo.save(encryptedCitizen);
}
}
public List<Citizen> findAll() {
if (!encryptionConfig.getAutoDecryption()) {
if (!encryptionConfig.isAutoDecryption()) {
List<EncryptedCitizen> allEncrypted = mongo.findAll(EncryptedCitizen.class);
return allEncrypted.stream()
@ -56,13 +60,20 @@ public class CitizenService {
}
public Citizen findByEmail(String email) {
Query byEmail = new Query(Criteria.where("email")
.is(encrypt(email, DETERMINISTIC_ALGORITHM)));
if (!encryptionConfig.getAutoDecryption()) {
Criteria emailCriteria = Criteria.where("email");
if (encryptionConfig.isAutoEncryption()) {
emailCriteria.is(email);
} else {
emailCriteria
.is(encrypt(email, DETERMINISTIC_ALGORITHM));
}
Query byEmail = new Query(emailCriteria);
if (encryptionConfig.isAutoDecryption()) {
return mongo.findOne(byEmail, Citizen.class);
} else {
EncryptedCitizen encryptedCitizen = mongo.findOne(byEmail, EncryptedCitizen.class);
return decrypt(encryptedCitizen);
} else {
return mongo.findOne(byEmail, Citizen.class);
}
}

3
persistence-modules/spring-boot-persistence-mongodb-3/src/main/java/com/baeldung/boot/csfle/web/CitizenController.java
View File

@ -11,7 +11,6 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import com.baeldung.boot.csfle.data.Citizen;
import com.baeldung.boot.csfle.data.EncryptedCitizen;
import com.baeldung.boot.csfle.service.CitizenService;
@RestController
@ -32,7 +31,7 @@ public class CitizenController {
}
@PostMapping
public EncryptedCitizen post(@RequestBody Citizen citizen) {
public Object post(@RequestBody Citizen citizen) {
return service.save(citizen);
}
}

10
persistence-modules/spring-boot-persistence-mongodb-3/src/test/java/com/baeldung/boot/csfle/CitizenServiceLiveTest.java
View File

@ -38,10 +38,14 @@ public class CitizenServiceLiveTest {
citizen.setName("Foo");
citizen.setEmail("foo@citizen.com");
Binary encryptedEmail = service.encrypt(citizen.getEmail(), CitizenService.DETERMINISTIC_ALGORITHM);
Object saved = service.save(citizen);
if (saved instanceof EncryptedCitizen) {
Binary encryptedEmail = service.encrypt(citizen.getEmail(), CitizenService.DETERMINISTIC_ALGORITHM);
EncryptedCitizen saved = service.save(citizen);
assertEquals(encryptedEmail, saved.getEmail());
assertEquals(encryptedEmail, ((EncryptedCitizen) saved).getEmail());
} else {
assertEquals(citizen.getEmail(), ((Citizen) saved).getEmail());
}
}
@Test

6
persistence-modules/spring-boot-persistence-mongodb-3/src/test/resources/embedded.properties
View File

@ -1,10 +1,10 @@
spring.mongodb.embedded.version=4.4.9
spring.data.mongodb.uri=changeit
spring.data.mongodb.database=changeit
#spring.data.mongodb.uri=changeit
#spring.data.mongodb.database=changeit
com.baeldung.csfle.kms-provider=local
com.baeldung.csfle.key-vault.namespace=encryption._keyVault
com.baeldung.csfle.key-vault.alias=master.key
com.baeldung.csfle.master-key-path=/tmp/master.key
#com.baeldung.csfle.master-key-path=/tmp/master.key
com.baeldung.csfle.auto-decryption=false