Skip to content

encrypt.fail-on-error Ignored by DecryptEnvironmentPostProcessor  #882

New issue
New issue
Closed
Closed
encrypt.fail-on-error Ignored by DecryptEnvironmentPostProcessor #882
Labels
bug
Milestone
3.0.1
@agisbert

Description

@agisbert
agisbert
opened on Jan 11, 2021

ISSUE

Old behavior - Hoxton, Greenwich, Finchley...

The old EnvironmentDecryptApplicationInitializer bean creation process took into account the encrypt.fail-on-error property by calling setFailOnError:

EncryptionBootstrapConfiguration

	@Bean
	public EnvironmentDecryptApplicationInitializer environmentDecryptApplicationListener(
			ConfigurableApplicationContext context, KeyProperties keyProperties) {
		TextEncryptor encryptor;
		try {
			encryptor = context.getBean(TextEncryptor.class);
		}
		catch (NoSuchBeanDefinitionException e) {
			encryptor = new FailsafeTextEncryptor();
		}
		EnvironmentDecryptApplicationInitializer listener = new EnvironmentDecryptApplicationInitializer(encryptor);
		listener.setFailOnError(keyProperties.isFailOnError());
		return listener;
	}

Current behavior - 2020.0.0

The new DecryptEnvironmentPostProcessor however doesn't make use of a custom initialization/creation, and by the time it tries to decrypt all the encrypted properties, the value of AbstractEnvironmentDecrypt#failOnError attribute has its default value (true).

As opposed to the previous implementation, It creates the text encryptor on the fly right before decrypting the properties (methods DecryptEnvironmentPostProcessor#postProcessEnvironment & DecryptEnvironmentPostProcessor#getTextEncryptor) but misses to call setFailOnError with the keyProperties.isFailOnError() value.

Then, of course, when decrypting with a no/wrong key, it throws the exception even when encrypt.fail-on-error is set to false.

AbstractEnvironmentDecrypt

	protected String decrypt(TextEncryptor encryptor, String key, String original) {
		String value = original.substring(ENCRYPTED_PROPERTY_PREFIX.length());
		try {
			value = encryptor.decrypt(value);
			if (logger.isDebugEnabled()) {
				logger.debug("Decrypted: key=" + key);
			}
			return value;
		}
		catch (Exception e) {
			String message = "Cannot decrypt: key=" + key;
			if (logger.isDebugEnabled()) {
				logger.warn(message, e);
			}
			else {
				logger.warn(message);
			}
			if (this.failOnError) {
				throw new IllegalStateException(message, e);
			}
			return "";
		}
	}

SUGGESTION

The fix could be based on:

  1. Creating a DecryptEnvironmentPostProcessor default constructor, performing the configuration in the same fashion as the old EnvironmentDecryptApplicationInitializer (calling setFailOnError and creating the encryptors)
  2. Hooking into the DecryptEnvironmentPostProcessor#getTextEncryptor and calling setFailOnError

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions