Config-server won't decrypt properties server-side (even if it's enabled). Whenever a client asks for a configuration, the server will not decrypt {cipher} marked properties. This happens if the spring-boot-starter-parent version is equal to or greater than 2.2.0.RELEASE.
The error is caused by the following Java method:
https://github.com/spring-cloud/spring-cloud-config/blob/baabff6a60c1a6a0dd7836804b6b076f4b53e471/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/encryption/CipherEnvironmentEncryptor.java#L60-L80
It seems that since 2.2.0.RELEASE the Map.Entry<Object, Object> entry (line: 65) value is not a String but an Object. This will cause the entry.getValue().toString() call to return the full name of the object class instead of the value itself, preventing any decryption.
The solution is to change the way the entry value is retrieved, from entry.getValue().toString() to entry.getValue().getValue().
Details
Working: 2.1.7.RELEASE
Not Working: 2.2.0.RELEASE and above
To reproduce the error it's sufficient to start a config-server instance (with a spring-boot-starter-parent version 2.2.0.RELEASE or above) and another SpringBootApplication with spring-cloud-config-client that fetches the configuration. The config-server configuration must contain at least one property marked with the {cipher} placeholder.
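A check for the symptom reported above, as an added example that is not part of the original issue or of the project's code: it scans a config-server response for values the server handed out without decrypting. The sample response is constructed; the `invalid.` key prefix and `<n/a>` marker follow the behaviour Spring Cloud Config documents for a failed server-side decryption.

```python
import json

# Constructed sample of the JSON a config server returns for
# GET /{application}/{profile}; names and values are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "name": "test-app",
    "profiles": ["default"],
    "label": None,
    "propertySources": [
        {
            "name": "file:configurations/test-app.yml",
            "source": {
                "spring.security.user.name": "{cipher}0a1b2c3d4e5f",
                "spring.security.user.password": "plain-after-decrypt",
                "invalid.db.password": "<n/a>",
                "server.port": 8080,
            },
        }
    ],
})


def audit_environment(body):
    """Return (undecrypted, invalid) lists of (source, key) pairs.

    undecrypted: values still carrying the {cipher} prefix, meaning the
                 server passed ciphertext through to the client.
    invalid:     keys the server renamed to invalid.<key> because it
                 attempted decryption and failed.
    """
    env = json.loads(body)
    undecrypted, invalid = [], []
    for ps in env.get("propertySources", []):
        name = ps.get("name", "?")
        for key, value in (ps.get("source") or {}).items():
            if isinstance(value, str) and value.lstrip().startswith("{cipher}"):
                undecrypted.append((name, key))
            elif key.startswith("invalid."):
                invalid.append((name, key[len("invalid."):]))
    return undecrypted, invalid


if __name__ == "__main__":
    raw, bad = audit_environment(SAMPLE_RESPONSE)
    for src, key in raw:
        print(f"UNDECRYPTED    {key} ({src})")
    for src, key in bad:
        print(f"DECRYPT-FAILED {key} ({src})")
```

Run against the body of a real response, a non-empty first list means clients must hold the key themselves, which is where the FailsafeTextEncryptor error later in this thread comes from.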
Comment From: spencergibb
related #1490
Comment From: spencergibb
I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.
Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.
Comment From: davgia
> I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.

Could you please try with a symmetric encryption by declaring just the encryption key (encrypt.key) on the config-server bootstrap.yml file? (example below)
encrypt:
  key: mys3cr3t
Comment From: spencergibb
That works for me as well.
Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.
Comment From: davgia
I've created a sample project that reproduces the problem. Here is the file with the project: config-server-test.zip (remember to initialize the git repository inside the configurations folder and commit the yml file). To reproduce the error just run eureka-server first, config-server and then springboot-admin. The last one should report the following error:
[main] ERROR o.s.boot.SpringApplication - Application run failed
java.lang.IllegalStateException: Cannot decrypt: key=spring.security.user.name
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:292)
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.lambda$decrypt$0(EnvironmentDecryptApplicationInitializer.java:270)
at java.base/java.util.LinkedHashMap.replaceAll(LinkedHashMap.java:694)
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:265)
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:190)
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:124)
at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626)
at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
at com.example.SpringBootAdminApplication.main(SpringBootAdminApplication.java:17)
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:165)
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:277)
... 11 common frames omitted
NOTE
While creating the new sample project I discovered what was probably causing the problem. Apparently I was using Spring Cloud Hoxton.M3 when I initially discovered the problem. Now I've changed to Hoxton.RELEASE and the problem is gone.
Comment From: spencergibb
Eureka and springboot-admin should not be needed to replicate the issue. Can you remove them and make the project as minimal as possible?
Comment From: davgia
Ok, I've simplified the project. Here is the new archive: config-server-test-v2.zip
Comment From: OLPMO
I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info was output to the console. The error info is displayed below:
java.lang.IllegalStateException: No .git at file://${user.dir}/configurations
@DaviGia
Comment From: davgia
> I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info was output to the console. The error info is displayed below:
> java.lang.IllegalStateException: No .git at file://${user.dir}/configurations
> @DaviGia

As I already said in a comment above, you must initialize the git repository and add/commit your configuration files before launching the config-server application (ref: comment)
Comment From: OLPMO
Well, the new error info was output to the console of project test-app after I initialized the git repo. The error info is displayed below:
java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found
@DaviGia
Comment From: davgia
> Well, the new error info was output to the console of project test-app after I initialized the git repo. The error info is displayed below:
> java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found
> @DaviGia

You did not add/commit the yml file in the repository. Please read carefully the whole reply I made.
Comment From: OLPMO
Oh, sorry. It was my carelessness. I reproduced the bug after committing the yml file. @DaviGia
Comment From: spencergibb
> Now I've changed to Hoxton.RELEASE and the problem is gone.

M3 is a milestone and not supported.