Describe the bug

With decryption of plain text files enabled according to the docs, when I request a plain text configuration file from the server the values are still encrypted.

The following warning appears in the log:

WARN 6432 --- [configserver] [           main] o.s.c.c.s.resource.ResourceController    : Cannot decrypt for extension properties

Based on my debugging, I've observed that no Map<String, ResourceEncryptor> bean is autowired despite the bean definition in ResourceEncryptorConfiguration.

From the condition evaluation report:

ResourceEncryptorConfiguration:
  Did not match:
     - @ConditionalOnBean (types: org.springframework.cloud.config.server.encryption.TextEncryptorLocator; SearchStrategy: all) did not find any beans of type org.springframework.cloud.config.server.encryption.TextEncryptorLocator (OnBeanCondition)
  Matched:
     - @ConditionalOnExpression (#{${spring.cloud.config.server.encrypt.enabled:true} && ${spring.cloud.config.server.encrypt.plainTextEncrypt:true}}) resulted in true (OnExpressionCondition)

However, EncryptionAutoConfiguration does create a TextEncryptorLocator bean:

EncryptionAutoConfiguration#environmentEncryptor matched:
  - @ConditionalOnProperty (spring.cloud.config.server.encrypt.enabled) matched (OnPropertyCondition)
  - @ConditionalOnBean (types: org.springframework.cloud.config.server.encryption.TextEncryptorLocator; SearchStrategy: all) found bean 'singleTextEncryptorLocator'; @ConditionalOnMissingBean (types: org.springframework.cloud.config.server.encryption.EnvironmentEncryptor; SearchStrategy: all) did not find any beans (OnBeanCondition)

EncryptionAutoConfiguration#singleTextEncryptorLocator matched:
  - @ConditionalOnBean (types: org.springframework.security.crypto.encrypt.TextEncryptor; SearchStrategy: all) found bean 'textEncryptor'; @ConditionalOnMissingBean (types: org.springframework.cloud.config.server.encryption.TextEncryptorLocator; SearchStrategy: all) did not find any beans (OnBeanCondition)

I suspect there's an issue with how (auto)configuration classes are ordered.

The workaround mentioned in https://github.com/spring-cloud/spring-cloud-config/issues/1541 works in this case too.

Spring Boot: 3.4.1
Spring Cloud: 2024.0.0

Sample https://github.com/cselagea/spring-cloud-config-server-plaintext-decrypt-bug

Comment From: ryanjbaxter

As the note says in the docs you point to, spring.cloud.config.server.encrypt.enabled=true and spring.cloud.config.server.encrypt.plainTextEncrypt=true should be placed in bootstrap.[yml|properties]. You don't appear to be using bootstrap in your sample. Can you add spring-cloud-starter-bootstrap to your POM and then add bootstrap.properties to the app and place the properties in that file and try again?

Comment From: cselagea

I must have read the Config First Bootstrap section, which says "legacy bootstrap way", and assumed it was also a legacy feature of the server side that I should avoid using...

I'll give it a shot. Thanks!

Comment From: ryanjbaxter

Yes, it is a legacy functionality, but still supported and necessary to use in some situations. Let me know if that works.

Comment From: cselagea

@ryanjbaxter, that worked. I also had to move encrypt.key to bootstrap.properties. (I know this is not a secure place for the encryption key, just for convenience.)
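
The fix confirmed in this thread, as an added configuration sketch (not taken from the reporter's sample repository or from the project). The file location is the conventional one and is assumed, and the `ENCRYPT_KEY` environment variable is an assumption used here so that the key is not stored in the file itself.

```properties
# src/main/resources/bootstrap.properties on the config server (assumed location).
# This file is only read when spring-cloud-starter-bootstrap
# (groupId org.springframework.cloud) is on the classpath.

# Both flags must be visible to the bootstrap context; per the thread,
# placing them in application.properties left plain text files undecrypted
# and ResourceEncryptorConfiguration unmatched.
spring.cloud.config.server.encrypt.enabled=true
spring.cloud.config.server.encrypt.plainTextEncrypt=true

# The key must be resolvable from the bootstrap context as well.
# Assumption: ENCRYPT_KEY is set in the server process environment,
# so the secret never appears in a file that is committed or packaged.
encrypt.key=${ENCRYPT_KEY}
```

With this in place, the condition evaluation report should list `ResourceEncryptorConfiguration` under matched conditions, and the `Cannot decrypt for extension properties` warning should no longer appear.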