Merge pull request #69 from onixbyte/release/2.3.0

2025-06-12 09:42:09 +08:00
parent 744f82f2e3 d15adfdb97
commit 81f6acbc1f
12 changed files with 154 additions and 347 deletions
@@ -15,8 +15,8 @@
 # limitations under the License.
 #
-artefactVersion=2.2.0
+artefactVersion=2.3.0
-projectUrl=https://onixbyte.com/java-dev-kit
+projectUrl=https://onixbyte.com/projects/java-dev-kit
 projectGithubUrl=https://github.com/onixbyte/java-dev-kit
 licenseName=The Apache License, Version 2.0
-licenseUrl=https://www.apache.org/licenses/LICENSE-2.0.txt
+licenseUrl=https://onixbyte.com/projects/java-dev-kit/LICENSE.txt
@@ -17,8 +17,14 @@
 package com.onixbyte.security;
 import com.onixbyte.security.exception.KeyLoadingException;
 import java.security.KeyFactory;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.KeySpec;
 /**
 * The {@code KeyLoader} class provides utility methods for loading keys pairs from PEM-formatted
@@ -49,6 +55,41 @@ public interface KeyLoader {
     */
    PublicKey loadPublicKey(String pemKeyText);
    /**
     * Loads an RSA public key using the provided modulus and exponent.
     * <p>
     * This default implementation throws a {@link KeyLoadingException} to signify that this key loader does not support
     * loading an RSA public key. Implementing classes are expected to override this method to supply their own
     * loading logic.
     *
     * @param modulus  the modulus value of the RSA public key, usually represented in hexadecimal or Base64
     *                 string format
     * @param exponent the public exponent value of the RSA public key, usually represented in hexadecimal or Base64
     *                 string format
     * @return the loaded {@link RSAPublicKey} instance
     * @throws KeyLoadingException if loading is not supported or fails
     */
    default RSAPublicKey loadPublicKey(String modulus, String exponent) {
        throw new KeyLoadingException("This key loader does not support loading an RSA public key.");
    }
    /**
     * Loads an EC public key using the provided x and y coordinates together with the curve name.
     * <p>
     * This default implementation throws a {@link KeyLoadingException} to signify that this key loader does not support
     * loading an EC public key. Implementing classes are expected to override this method to supply their own
     * loading logic.
     *
     * @param xHex      the hexadecimal string representing the x coordinate of the EC point
     * @param yHex      the hexadecimal string representing the y coordinate of the EC point
     * @param curveName the name of the elliptic curve
     * @return the loaded {@link ECPublicKey} instance
     * @throws KeyLoadingException if loading is not supported or fails
     */
    default ECPublicKey loadPublicKey(String xHex, String yHex, String curveName) {
        throw new KeyLoadingException("This key loader does not support loading an EC public key.");
    }
    /**
     * Retrieves the raw content of a PEM formatted key by removing unnecessary headers, footers,
     * and new line characters.
@@ -20,14 +20,16 @@ package com.onixbyte.security.impl;
 import com.onixbyte.security.KeyLoader;
 import com.onixbyte.security.exception.KeyLoadingException;
 import java.math.BigInteger;
 import java.security.AlgorithmParameters;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
-import java.security.spec.InvalidKeySpecException;
+import java.security.spec.*;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 import java.util.HashSet;
 import java.util.Set;
 /**
 * Key pair loader for loading key pairs for ECDSA-based algorithms.
@@ -53,16 +55,23 @@ import java.util.Base64;
 * @version 2.0.0
 * @since 2.0.0
 */
-public class EcKeyLoader implements KeyLoader {
+public class ECKeyLoader implements KeyLoader {
    private final KeyFactory keyFactory;
    private final Base64.Decoder decoder;
    /**
     * Supported curves.
     */
    public static final Set<String> SUPPORTED_CURVES = new HashSet<>(Set.of(
            "secp256r1", "secp384r1", "secp521r1", "secp224r1"
    ));
    /**
     * Initialise a key loader for EC-based algorithms.
     */
-    public EcKeyLoader() {
+    public ECKeyLoader() {
        try {
            this.keyFactory = KeyFactory.getInstance("EC");
            this.decoder = Base64.getDecoder();
@@ -122,4 +131,55 @@ public class EcKeyLoader implements KeyLoader {
        }
    }
    /**
     * Loads an EC public key from the given hexadecimal x and y coordinates alongside the curve name.
     * <p>
     * This method converts the hexadecimal string representations of the EC point coordinates into {@link BigInteger}
     * instances, then constructs an {@link ECPoint} and retrieves the corresponding {@link ECParameterSpec} for the
     * named curve. Subsequently, it utilises the {@link KeyFactory} to generate an {@link ECPublicKey}.
     * <p>
     * Only curves listed in {@link #SUPPORTED_CURVES} are supported. Should the specified curve name be unsupported,
     * or if key construction fails due to invalid parameters or unsupported algorithms, a {@link KeyLoadingException}
     * will be thrown.
     *
     * @param xHex      the hexadecimal string representing the x-coordinate of the EC point
     * @param yHex      the hexadecimal string representing the y-coordinate of the EC point
     * @param curveName the name of the elliptic curve
     * @return the {@link ECPublicKey} generated from the specified coordinates and curve
     * @throws KeyLoadingException if the curve is unsupported or key generation fails
     */
    @Override
    public ECPublicKey loadPublicKey(String xHex, String yHex, String curveName) {
        if (!SUPPORTED_CURVES.contains(curveName)) {
            throw new KeyLoadingException("Given curve is not supported yet.");
        }
        try {
            // Convert hex string coordinates to BigInteger
            var x = new BigInteger(xHex, 16);
            var y = new BigInteger(yHex, 16);
            // Create ECPoint with (x, y)
            var ecPoint = new ECPoint(x, y);
            // Get EC parameter spec for the named curve
            var parameters = AlgorithmParameters.getInstance("EC");
            parameters.init(new ECGenParameterSpec(curveName));
            var ecParameterSpec = parameters.getParameterSpec(ECParameterSpec.class);
            // Create ECPublicKeySpec with point and curve params
            var pubSpec = new ECPublicKeySpec(ecPoint, ecParameterSpec);
            // Generate public key using KeyFactory
            var publicKey = keyFactory.generatePublic(pubSpec);
            if (publicKey instanceof ECPublicKey ecPublicKey) {
                return ecPublicKey;
            } else {
                throw new KeyLoadingException("Cannot load EC public key with given x, y and curve name.");
            }
        } catch (NoSuchAlgorithmException | InvalidParameterSpecException | InvalidKeySpecException e) {
            throw new KeyLoadingException("Cannot load EC public key with given x, y and curve name.", e);
        }
    }
 }
@@ -20,13 +20,12 @@ package com.onixbyte.security.impl;
 import com.onixbyte.security.KeyLoader;
 import com.onixbyte.security.exception.KeyLoadingException;
 import java.math.BigInteger;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
-import java.security.spec.InvalidKeySpecException;
+import java.security.spec.*;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 /**
@@ -44,9 +43,12 @@ import java.util.Base64;
 * @see KeyLoader
 * @see KeyLoadingException
 */
-public class RsaKeyLoader implements KeyLoader {
+public class RSAKeyLoader implements KeyLoader {
    private final Base64.Decoder decoder;
    private final Base64.Decoder urlDecoder;
    private final KeyFactory keyFactory;
    /**
@@ -55,9 +57,10 @@ public class RsaKeyLoader implements KeyLoader {
     * This constructor initialises the Base64 decoder and the RSA {@link KeyFactory}. It may throw
     * a {@link KeyLoadingException} if the RSA algorithm is not available.
     */
-    public RsaKeyLoader() {
+    public RSAKeyLoader() {
        try {
            this.decoder = Base64.getDecoder();
            this.urlDecoder = Base64.getUrlDecoder();
            this.keyFactory = KeyFactory.getInstance("RSA");
        } catch (NoSuchAlgorithmException e) {
            throw new KeyLoadingException(e);
@@ -133,4 +136,31 @@ public class RsaKeyLoader implements KeyLoader {
            throw new KeyLoadingException("Key spec is invalid.", e);
        }
    }
    /**
     * Get the public key with given modulus and public exponent.
     *
     * @param modulus  the modulus
     * @param exponent the public exponent
     * @return generated public key object from the provided key specification
     * @see KeyFactory#getInstance(String)
     * @see KeyFactory#generatePublic(KeySpec)
     */
    @Override
    public RSAPublicKey loadPublicKey(String modulus, String exponent) {
        try {
            var _modulus = new BigInteger(1, urlDecoder.decode(modulus));
            var _exponent = new BigInteger(1, urlDecoder.decode(exponent));
            var keySpec = new RSAPublicKeySpec(_modulus, _exponent);
            var kf = KeyFactory.getInstance("RSA");
            if (kf.generatePublic(keySpec) instanceof RSAPublicKey rsaPublicKey) {
                return rsaPublicKey;
            } else {
                throw new KeyLoadingException("Cannot generate RSA public key with given modulus and exponent.");
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new KeyLoadingException("Cannot generate RSA public key with given modulus and exponent.", e);
        }
    }
 }
@@ -66,7 +66,10 @@ import java.util.Map;
 * @author zihluwang
 * @version 1.4.2
 * @since 1.4.2
 * @deprecated This utility class is no longer maintained and will be removed in a future release. If you still need to
 * use {@link ReflectMapUtil}, please stick to the last available version (2.2.0).
 */
@Deprecated(forRemoval = true, since = "2.2.0")
 public final class ReflectMapUtil {
    private final static Logger log = LoggerFactory.getLogger(ReflectMapUtil.class);
@@ -1,37 +0,0 @@
 # Property Guard
 `property-guard-spring-boot-starter` is a utility that can help you protect secret values in Spring Boot configurations.
 ## Example usage
 ### 1. Implementation this module
 ```kotlin
 dependencies {
    implementation(platform("com.onixbyte:devkit-bom:$devKitVersion"))
    implementation("com.onixbyte:devkit-utils")
    implementation("com.onixbyte:property-guard-spring-boot-starter")
 }
 ```
 ### 2. Generate a secret
 Use the following codes to get a random secret.
 ```java
@SpringBootTest
 class SpringBootApplicationTest {
    @Test
    void contextLoads() {
        System.out.println(AesUtil.generateRandomSecret()); // Output: a 16-char long secret
    }
 }
 ```
 Or you can write a 16-char long secret by yourself.
 ### 3. Encrypt your secret properties and place them into your configuration file
 ### 4. Run application with parameter `--pg.key=$your_secret`
@@ -1,132 +0,0 @@
 /*
 * Copyright (C) 2024-2025 OnixByte.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import java.net.URI
 plugins {
    java
    id("java-library")
    id("maven-publish")
    id("signing")
 }
 val artefactVersion: String by project
 val projectUrl: String by project
 val projectGithubUrl: String by project
 val licenseName: String by project
 val licenseUrl: String by project
 group = "com.onixbyte"
 version = artefactVersion
 repositories {
    mavenCentral()
 }
 java {
    sourceCompatibility = JavaVersion.VERSION_17
    targetCompatibility = JavaVersion.VERSION_17
    withSourcesJar()
    withJavadocJar()
 }
 tasks.withType<JavaCompile> {
    options.encoding = "UTF-8"
 }
 tasks.withType<Jar> {
    exclude("logback.xml")
 }
 dependencies {
    compileOnly(libs.slf4j)
    implementation(libs.logback)
    api(project(":devkit-core"))
    api(project(":devkit-utils"))
    implementation(libs.springBoot.autoconfigure)
    implementation(libs.springBoot.starter.logging)
    implementation(libs.springBoot.configurationProcessor)
    testImplementation(platform(libs.junit.bom))
    testImplementation(libs.junit.jupiter)
    testImplementation(libs.springBoot.starter.test)
 }
 tasks.test {
    useJUnitPlatform()
 }
 publishing {
    publications {
        create<MavenPublication>("propertyGuardSpringBootStarter") {
            groupId = group.toString()
            artifactId = "property-guard-spring-boot-starter"
            version = artefactVersion
            pom {
                name = "Property Guard Spring Boot Starter"
                description = "This module is made for protecting your secret properties in your spring application properties."
                url = projectUrl
                licenses {
                    license {
                        name = licenseName
                        url = licenseUrl
                    }
                }
                scm {
                    connection = "scm:git:git://github.com:OnixByte/JDevKit.git"
                    developerConnection = "scm:git:git://github.com:OnixByte/JDevKit.git"
                    url = projectGithubUrl
                }
                developers {
                    developer {
                        id = "zihluwang"
                        name = "Zihlu Wang"
                        email = "really@zihlu.wang"
                        timezone = "Asia/Hong_Kong"
                    }
                    developer {
                        id = "siujamo"
                        name = "Siu Jam'o"
                        email = "jamo.siu@outlook.com"
                        timezone = "Asia/Shanghai"
                    }
                }
            }
            from(components["java"])
            signing {
                sign(publishing.publications["propertyGuardSpringBootStarter"])
            }
        }
        repositories {
            maven {
                name = "sonatypeNexus"
                url = URI(providers.gradleProperty("repo.maven-central.host").get())
                credentials {
                    username = providers.gradleProperty("repo.maven-central.username").get()
                    password = providers.gradleProperty("repo.maven-central.password").get()
                }
            }
        }
    }
 }
@@ -1,122 +0,0 @@
 /*
 * Copyright (C) 2024-2025 OnixByte.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package com.onixbyte.propertyguard.autoconfiguration;
 import com.onixbyte.devkit.utils.AesUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.env.EnvironmentPostProcessor;
 import org.springframework.boot.env.OriginTrackedMapPropertySource;
 import org.springframework.core.env.ConfigurableEnvironment;
 import org.springframework.core.env.MapPropertySource;
 import org.springframework.core.env.SimpleCommandLinePropertySource;
 import java.security.GeneralSecurityException;
 import java.util.HashMap;
 import java.util.Optional;
 /**
 * {@code PropertyGuard} is a utility class designed for encrypting configuration properties in
 * Spring Boot applications.
 * <p>
 * Spring Boot applications often need to store sensitive configuration details such as database
 * passwords, API keys, etc. To ensure that these sensitive pieces of information are not exposed
 * to the public, developers can utilize the {@code PropertyGuard} class to encrypt and store them
 * within configuration files.
 * <p>
 * <b>Usage</b>
 * You need a 16-char long secret for encrypting a configuration property. You can get this secret
 * on your own, or use the helper utility class by the following code:
 * <pre>{@code
 * var secret = AesUtil.generateRandomSecret(); // Let's presume the result is "3856faef0d2d4f33"
 * }</pre>
 * <p>
 * Then, in {@code application.yml} or {@code application.properties}, change the original value
 * from plain text to encrypted value with the prefix "<code>pg:</code>".
 * <pre>{@code
 * # original
 * app.example-properties=Sample Value
 *
 * # encrypted with key 3856faef0d2d4f33
 * app.example-properties=pg:t4YBfv8M9ZmTzWgTi2gJqg==
 * }</pre>
 * After that, before running, you need to add the command line arguments "pg.key" as the following
 * codes: {@code --pg.key=<the secret>}.
 * <p>
 * This class is extracted from <a href="https://baomidou.com/pages/e0a5ce/">MyBatis-Plus</a>.
 *
 * @author hubin@baomidou
 * @version 1.1.0
 * @see EnvironmentPostProcessor
 * @since 1.1.0 (3.3.2 of MyBatis-Plus)
 */
@Deprecated(forRemoval = true)
 public class PropertyGuard implements EnvironmentPostProcessor {
    private final static Logger log = LoggerFactory.getLogger(PropertyGuard.class);
    /**
     * Create a {@link PropertyGuard} instance.
     */
    public PropertyGuard() {
    }
    /**
     * Process the encryption environment variables.
     *
     * @param environment the environment to post-process
     * @param application the application to which the environment belongs
     */
    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        // Get the key for encryption from command line.
        var encryptionKey = "";
        for (var ps : environment.getPropertySources()) {
            if (ps instanceof SimpleCommandLinePropertySource source) {
                encryptionKey = source.getProperty("%s.key".formatted(PREFIX));
                break;
            }
        }
        if (Optional.ofNullable(encryptionKey).map((key) -> !key.isEmpty()).orElse(false)) {
            var map = new HashMap<String, Object>();
            for (var propertySources : environment.getPropertySources()) {
                if (propertySources instanceof OriginTrackedMapPropertySource source) {
                    for (var name : source.getPropertyNames()) {
                        if (source.getProperty(name) instanceof String str) {
                            if (str.startsWith("%s:".formatted(PREFIX))) {
                                try {
                                    map.put(name, AesUtil.decrypt(str.substring(3), encryptionKey));
                                } catch (GeneralSecurityException e) {
                                    log.error("Unable to decrypt param {}", name);
                                }
                            }
                        }
                    }
                }
            }
            // Put the decrypted data into environment variables, and made them at top-level.
            if (!map.isEmpty()) {
                environment.getPropertySources().addFirst(new MapPropertySource("custom-encrypt", map));
            }
        }
    }
    private static final String PREFIX = "pg";
 }
@@ -1 +0,0 @@
 org.springframework.boot.env.EnvironmentPostProcessor=com.onixbyte.propertyguard.autoconfiguration.PropertyGuard
@@ -1,32 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ Copyright (C) 2023-2024 OnixByte.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~     http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
 <configuration>
    <property name="COLOURFUL_OUTPUT" value="%black(%date{'dd MMM, yyyy HH:mm:ss', Asia/Hong_Kong, en-UK}) %highlight(%-5level) %black(---) %black([%10.10t]) %cyan(%-20.20logger{20}) %black(:) %msg%n"/>
    <property name="STANDARD_OUTPUT" value="%date{'dd MMM, yyyy HH:mm:ss', Asia/Hong_Kong, en-UK} %-5level %black(---) [%10.10t] %-20.20logger{20} : %msg%n"/>
    <statusListener class="ch.qos.logback.core.status.NopStatusListener" />
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
            <pattern>${COLOURFUL_OUTPUT}</pattern>
        </encoder>
    </appender>
    <root level="INFO">
        <appender-ref ref="STDOUT"/>
    </root>
 </configuration>
@@ -29,6 +29,5 @@ include(
    "simple-jwt-facade",
    "simple-jwt-authzero",
    "simple-jwt-spring-boot-starter",
    "property-guard-spring-boot-starter",
    "simple-serial-spring-boot-starter"
 )
@@ -19,8 +19,7 @@ package com.onixbyte.simplejwt.authzero;
 import com.onixbyte.devkit.utils.Base64Util;
 import com.onixbyte.guid.GuidCreator;
-import com.onixbyte.security.KeyLoader;
+import com.onixbyte.security.impl.ECKeyLoader;
 import com.onixbyte.security.impl.EcKeyLoader;
 import com.onixbyte.simplejwt.TokenPayload;
 import com.onixbyte.simplejwt.TokenResolver;
 import com.onixbyte.simplejwt.annotations.ExcludeFromPayload;
@@ -43,7 +42,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.lang.reflect.InvocationTargetException;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
 import java.time.Duration;
@@ -179,7 +177,7 @@ public class AuthzeroTokenResolver implements TokenResolver<DecodedJWT> {
         * @return the builder instance
         */
        public Builder keyPair(String publicKey, String privateKey) {
-            var keyLoader = new EcKeyLoader();
+            var keyLoader = new ECKeyLoader();
            this.publicKey = keyLoader.loadPublicKey(publicKey);
            this.privateKey = keyLoader.loadPrivateKey(privateKey);
            return this;
		`@@ -1 +0,0 @@`
			`org.springframework.boot.env.EnvironmentPostProcessor=com.onixbyte.propertyguard.autoconfiguration.PropertyGuard`