config-server do not decrypt properties #1515

Closed
davgia opened this issue Dec 2, 2019 · 13 comments

davgia commented Dec 2, 2019

Config-server won't decrypt properties server-side (even if it's enabled). Whenever a client asks for a configuration, the server will not decrypt {cipher} marked properties. This happens if the spring-boot-starter-parent version is equal to or greater than 2.2.0.RELEASE.
The error is caused by the following Java method:

    private Environment decrypt(Environment environment, TextEncryptorLocator encryptor) {
        Environment result = new Environment(environment);
        for (PropertySource source : environment.getPropertySources()) {
            Map<Object, Object> map = new LinkedHashMap<Object, Object>(
                    source.getSource());
            for (Map.Entry<Object, Object> entry : new LinkedHashSet<>(map.entrySet())) {
                Object key = entry.getKey();
                String name = key.toString();
                if (entry.getValue() != null
                        && entry.getValue().toString().startsWith("{cipher}")) {
                    String value = entry.getValue().toString();
                    map.remove(key);
                    try {
                        value = value.substring("{cipher}".length());
                        value = encryptor
                                .locate(this.helper.getEncryptorKeys(name,
                                        StringUtils.arrayToCommaDelimitedString(
                                                environment.getProfiles()),
                                        value))
                                .decrypt(this.helper.stripPrefix(value));
                    }

It seems that since 2.2.0.RELEASE the Map.Entry<Object, Object> entry (line: 65) value is not a String but an Object. This will cause the entry.getValue().toString() call to return the full name of the object class instead of the value itself, preventing any decryption.

The solution is to change how the entry value is retrieved, from entry.getValue().toString() to entry.getValue().getValue().

Details

Working: 2.1.7.RELEASE
Not Working: 2.2.0.RELEASE and above

To reproduce the error it's sufficient to start a config-server instance (with a spring-boot-starter-parent version 2.2.0.RELEASE or above) and another SpringBootApplication with spring-cloud-config-client that fetches the configuration. The config-server configuration must contain at least one property marked with the {cipher} placeholder.
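
A way to confirm the symptom from the client side, as an added example that is not part of the original thread or the project's code: it parses the JSON a client receives from config-server and lists properties whose values still carry the {cipher} prefix, i.e. were not decrypted server-side. The sample response, the source name and the wrapped `{"value": ...}` shape (modelled on the report's claim that values are objects rather than strings) are constructed assumptions.

```python
import json

CIPHER_PREFIX = "{cipher}"

# Constructed sample of a config-server Environment response; values are fake.
SAMPLE_RESPONSE = json.dumps({
    "name": "test-app",
    "profiles": ["default"],
    "label": None,
    "propertySources": [{
        "name": "file:configurations/test-app.yml",  # constructed source name
        "source": {
            # Plain string that the server passed through undecrypted.
            "spring.security.user.name": "{cipher}0123abcd",
            # Assumed wrapped form: an object holding the value plus metadata.
            "spring.security.user.password": {
                "value": "{cipher}4567ef01",
                "origin": "test-app.yml:5",
            },
            "server.port": 8080,
            "app.greeting": "hello",
        },
    }],
})


def unwrap(value):
    """Return the raw value, unwrapping an assumed {"value": ...} object."""
    if isinstance(value, dict) and "value" in value:
        return value["value"]
    return value


def find_undecrypted(response_text):
    """List (source name, key) pairs whose value still starts with {cipher}."""
    env = json.loads(response_text)
    findings = []
    for source in env.get("propertySources", []):
        for key, value in source.get("source", {}).items():
            raw = unwrap(value)
            if isinstance(raw, str) and raw.startswith(CIPHER_PREFIX):
                findings.append((source.get("name"), key))
    return findings


if __name__ == "__main__":
    # Report key names only; the ciphertext itself is never printed.
    for source_name, key in find_undecrypted(SAMPLE_RESPONSE):
        print(f"still encrypted: {key} (from {source_name})")
```
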

@spencergibb
Member

related #1490

@spencergibb spencergibb added this to To do in Hoxton.SR1 via automation Dec 2, 2019
@ryanjbaxter ryanjbaxter added this to the 2.2.1.RELEASE milestone Dec 9, 2019
@spencergibb spencergibb self-assigned this Dec 16, 2019
@spencergibb spencergibb moved this from To do to In progress in Hoxton.SR1 Dec 16, 2019
@spencergibb spencergibb moved this from In progress to To do in Hoxton.SR1 Dec 16, 2019
@spencergibb
Member

spencergibb commented Dec 17, 2019

I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

@spencergibb spencergibb removed this from To do in Hoxton.SR1 Dec 17, 2019
@spencergibb spencergibb removed this from the 2.2.1.RELEASE milestone Dec 17, 2019
@davgia
Author

davgia commented Dec 18, 2019

> I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.

Could you please try with symmetric encryption by declaring just the encryption key (encrypt.key) in the config-server bootstrap.yml file? (example below)

encrypt:
  key: mys3cr3t

@spencergibb
Member

That works for me as well.

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

@davgia
Author

davgia commented Dec 18, 2019

I've created a sample project that reproduces the problem. Here is the file with the project: config-server-test.zip (remember to initialize the git repository inside the configurations folder and commit the yml file).
To reproduce the error just run eureka-server first, then config-server and then springboot-admin. The last one should report the following error:

[main] ERROR o.s.boot.SpringApplication - Application run failed 
java.lang.IllegalStateException: Cannot decrypt: key=spring.security.user.name
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:292)
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.lambda$decrypt$0(EnvironmentDecryptApplicationInitializer.java:270)
	at java.base/java.util.LinkedHashMap.replaceAll(LinkedHashMap.java:694)
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:265)
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:190)
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:124)
	at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626)
	at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
	at com.example.SpringBootAdminApplication.main(SpringBootAdminApplication.java:17)
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
	at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:165)
	at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:277)
	... 11 common frames omitted

NOTE
While creating the new sample project I discovered what was probably causing the problem. Apparently I was using Spring Cloud Hoxton.M3 when I initially discovered the problem. Now I've changed to Hoxton.RELEASE and the problem is gone.

@spencergibb
Member

Eureka and springboot-admin should not be needed to replicate the issue. Can you remove them and make the project as minimal as possible?

@davgia
Author

davgia commented Dec 18, 2019

OK, I've simplified the project. Here is the new archive: config-server-test-v2.zip

@OLPMO

OLPMO commented Jan 1, 2020

I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info was output to the console. The error info is displayed below:
java.lang.IllegalStateException: No .git at file://${user.dir}/configurations
@DaviGia

@davgia
Author

davgia commented Jan 1, 2020

> I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info was output to the console. The error info is displayed below:
> java.lang.IllegalStateException: No .git at file://${user.dir}/configurations
> @DaviGia

As I already said in a comment above, you must initialize the git repository and add/commit your configuration files before launching the config-server application (ref: comment)

@OLPMO

OLPMO commented Jan 6, 2020

Well, the new error info was output to the console of project test-app after I initialized the git repo. The error info is displayed below:
java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found
@DaviGia

@davgia
Author

davgia commented Jan 6, 2020

> Well, the new error info was output to the console of project test-app after I initialized the git repo. The error info is displayed below:
> java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found
> @DaviGia

You did not add/commit the yml file in the repository. Please read the whole reply I made carefully.

@OLPMO

OLPMO commented Jan 6, 2020

Oh, sorry. It was my carelessness. I reproduced the bug after committing the yml file. @DaviGia

@spencergibb
Member

> Now I've changed to Hoxton.RELEASE and the problem is gone.

M3 is a milestone and not supported.
