The goal of this project is to develop the official European solution for the interoperability between national backend servers of decentralised contact tracing applications to combat COVID-19.
Apache License 2.0
Use SpringBoot Dependency Injection System for Database Encryption Password #275
Preface
This is a modified and adjusted version of https://github.com/eu-federation-gateway-service/efgs-federation-gateway/pull/268 intended to simplify reviewing.
Problem
The previous implementation mixed the SpringBoot property resolution system with the classical "Java" one. This leads to confusion, as the naming scheme looks as if SpringBoot would inject the encryption password to a variable, and hence would allow for variable substitution.
There are deployment environments (e.g. CloudFoundry), which do not allow the injection of secrets into arbitrary variables. Hence, the EFGS can only be used with an encryption password manually injected during deployment, which is unpractical since it cannot be automated, or providing the encryption password in a build manifest, checked into the version control, which of course defeats the purpose of using an encryption password.
Solution
In this PR we provide a new Bean, which holds the encryption password, which uses the SpringBoot dependency injection system to provide an instance to the JPA database system. This way, we can use normal SpringBoot variable substitution. The property is named according to the same scheme as before, so it will be backwards compatible and no change for existing systems is needed.
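One way to wire the approach described in the Solution above, added here as an example and not taken from this PR's diff: a bean receives the password through Spring's property resolution and is constructor-injected into a JPA attribute converter. The class names, the property key `example.dbencryption.password`, the salt and the PBKDF2/AES-GCM choices are assumptions, as is the environment (Spring Boot 2.1+ with Hibernate 5.3+, where converters are instantiated through the Spring bean factory).

```java
// Added example, not code from this PR. Class names, the property key and the salt are
// hypothetical; assumes Spring Boot 2.1+ / Hibernate 5.3+ (javax.persistence).
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.persistence.*;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
class DbEncryptionKey {
  final SecretKeySpec aes;
  // Spring resolves the placeholder from any PropertySource, with ${...} substitution.
  DbEncryptionKey(@Value("${example.dbencryption.password}") String password)
      throws GeneralSecurityException {
    byte[] salt = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8); // constructed
    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
    SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    aes = new SecretKeySpec(kdf.generateSecret(spec).getEncoded(), "AES");
  }
}

@Converter
class EncryptedStringConverter implements AttributeConverter<String, String> {
  private final DbEncryptionKey key; // injected bean, no System.getProperty lookup
  EncryptedStringConverter(DbEncryptionKey key) { this.key = key; }
  @Override public String convertToDatabaseColumn(String plain) {
    if (plain == null) return null;
    try {
      byte[] iv = new byte[12];
      new SecureRandom().nextBytes(iv); // fresh nonce per value
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.ENCRYPT_MODE, key.aes, new GCMParameterSpec(128, iv));
      byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
      byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // stored as iv || ciphertext+tag
      System.arraycopy(ct, 0, out, iv.length, ct.length);
      return Base64.getEncoder().encodeToString(out);
    } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
  }
  @Override public String convertToEntityAttribute(String stored) {
    if (stored == null) return null;
    try {
      byte[] in = Base64.getDecoder().decode(stored);
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.DECRYPT_MODE, key.aes, new GCMParameterSpec(128, in, 0, 12));
      return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
  }
}
```

An entity field would opt in with `@Convert(converter = EncryptedStringConverter.class)`, and the deployment supplies the property from an environment variable or bound secret rather than from a manifest under version control.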