mongodb persistence encryption

Author: Alexander Geist

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/AccountAnalyticsEntity.java

@@ -3,6 +3,8 @@
 import de.adorsys.multibanking.encrypt.Encrypted;
 import lombok.Data;
 import org.springframework.data.annotation.Id;
+import org.springframework.data.mongodb.core.index.CompoundIndex;
+import org.springframework.data.mongodb.core.index.CompoundIndexes;
 import org.springframework.data.mongodb.core.index.Indexed;
 import org.springframework.data.mongodb.core.mapping.Document;
 
@@ -14,13 +16,16 @@
  */
 @Data
 @Document
-@Encrypted(fields = {"incomeTotal", "incomeFixed", "incomeNext", "expensesTotal", "expensesFixed", "expensesNext", "balanceCalculated"})
+@Encrypted(exclude = {"_id", "accountId", "userId", "analyticsDate"})
+@CompoundIndexes({
+        @CompoundIndex(name = "account_index", def = "{'userId': 1, 'accountId': 1}")
+})
 public class AccountAnalyticsEntity {
 
     @Id
     private String id;
-    @Indexed
     private String accountId;
+    private String userId;
 
     private LocalDate analyticsDate = LocalDate.now();
 

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BankAccessEntity.java

@@ -6,6 +6,8 @@
 import lombok.Data;
 import org.springframework.data.annotation.Id;
 import org.springframework.data.annotation.Transient;
+import org.springframework.data.mongodb.core.index.CompoundIndex;
+import org.springframework.data.mongodb.core.index.CompoundIndexes;
 import org.springframework.data.mongodb.core.index.Indexed;
 import org.springframework.data.mongodb.core.mapping.Document;
 
@@ -14,29 +16,18 @@
  */
 @Data
 @Document
-@JsonIgnoreProperties({"getPassportState"})
-@Encrypted(fields = {"bankName", "bankLogin", "bankCode", "passportState"})
+@JsonIgnoreProperties({"getPassportState", "getPin"})
+@Encrypted(exclude = {"_id", "userId"})
 public class BankAccessEntity extends BankAccess {
 
     @Id
     private String id;
     @Indexed
     private String userId;
-    @Transient
     private String pin;
 
     public BankAccessEntity id(String id) {
         this.id = id;
         return this;
     }
-
-    public BankAccessEntity userId(String userId) {
-        this.userId = userId;
-        return this;
-    }
-
-    public BankAccessEntity pin(String pin) {
-        this.pin = pin;
-        return this;
-    }
 }

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BankAccountEntity.java

@@ -4,6 +4,8 @@
 import domain.BankAccount;
 import lombok.Data;
 import org.springframework.data.annotation.Id;
+import org.springframework.data.mongodb.core.index.CompoundIndex;
+import org.springframework.data.mongodb.core.index.CompoundIndexes;
 import org.springframework.data.mongodb.core.index.Indexed;
 import org.springframework.data.mongodb.core.mapping.Document;
 
@@ -12,14 +14,16 @@
  */
 @Data
 @Document
-@Encrypted(fields = {"blzHbciAccount", "numberHbciAccount", "typeHbciAccount", "typeHbciAccount",
-        "nameHbciAccount", "bicHbciAccount", "ibanHbciAccount", "bankAccountBalance.readyHbciBalance"})
+@Encrypted(exclude = {"_id", "bankAccessId", "userId", "syncStatus"})
+@CompoundIndexes({
+        @CompoundIndex(name = "account_index", def = "{'userId': 1, 'bankAccessId': 1}")
+})
 public class BankAccountEntity extends BankAccount {
 
     @Id
     private String id;
-    @Indexed
     private String bankAccessId;
+    private String userId;
 
     public String getId() {
         return id;

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BookingCategoryEntity.java

@@ -15,25 +15,19 @@
 @Data
 @Document
 @CompoundIndexes({
+        @CompoundIndex(name = "booking_index", def = "{'userId': 1, 'accountId': 1}"),
         @CompoundIndex(name = "booking_unique_index", def = "{'externalId': 1, 'accountId': 1}", unique = true)
 })
-@Encrypted(fields = {"amount", "usage", "balance", "otherAccount.blzHbciAccount",
-        "otherAccount.numberHbciAccount", "otherAccount.nameHbciAccount"})
+@Encrypted(exclude = {"_id", "accountId", "externalId", "userId", "valutaDate", "bookingDate"})
 public class BookingEntity extends Booking {
 
     @Id
     private String id;
-    @Indexed
     private String accountId;
-    private BookingCategoryEntity category;
+    private String userId;
 
     public BookingEntity id(String id) {
         this.id = id;
         return this;
     }
-
-    public BookingEntity accountId(String accountId) {
-        this.accountId = accountId;
-        return this;
-    }
 }

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BookingContractEntity.java

@@ -1,5 +1,6 @@
 package de.adorsys.multibanking.domain;
 
+import de.adorsys.multibanking.encrypt.Encrypted;
 import domain.BankApiUser;
 import lombok.Data;
 import org.springframework.data.annotation.Id;
@@ -12,6 +13,7 @@
  */
 @Data
 @Document
+@Encrypted(exclude = "_id")
 public class UserEntity {
 
     @Id

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BookingEntity.java

@@ -12,5 +12,5 @@
 @Retention(RetentionPolicy.RUNTIME)
 public @interface Encrypted {
 
-    String[] fields();
+    String[] exclude();
 }

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/UserEntity.java

@@ -0,0 +1,97 @@
+package de.adorsys.multibanking.encrypt;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import com.mongodb.util.JSON;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.annotation.Id;
+import org.springframework.data.mongodb.core.index.Indexed;
+import org.springframework.data.mongodb.core.mapping.event.AbstractMongoEventListener;
+import org.springframework.data.mongodb.core.mapping.event.AfterLoadEvent;
+import org.springframework.data.mongodb.core.mapping.event.BeforeSaveEvent;
+import org.springframework.stereotype.Component;
+
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.lang.reflect.Field;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Created by alexg on 09.05.17.
+ */
+@Component
+public class EncryptionEventListener extends AbstractMongoEventListener<Object> {
+
+    @Autowired
+    Principal principal;
+
+    private ObjectMapper objectMapper = new ObjectMapper();
+
+    private SecretKey secretKey = new SecretKeySpec("1234567890123456".getBytes(), "AES");
+
+    @Override
+    public void onBeforeSave(BeforeSaveEvent<Object> event) {
+        Object source = event.getSource();
+
+        if (source.getClass().isAnnotationPresent(Encrypted.class)) {
+            try {
+                //encrypt dbobject
+                String json = objectMapper.writeValueAsString(source);
+                String encrypted = EncryptionUtil.encrypt(json, secretKey);
+
+                //cleanup dbobject exclude annotated fields
+                List<String> excludeFields = Arrays.asList(source.getClass().getAnnotation(Encrypted.class).exclude());
+                Object[] keySet = event.getDBObject().keySet().toArray();
+                for (int i = keySet.length - 1; i >= 0; i--) {
+                    if (!excludeFields.contains(keySet[i].toString())) {
+                        event.getDBObject().removeField(keySet[i].toString());
+                    }
+                }
+
+                event.getDBObject().put("encrypted", encrypted);
+            } catch (JsonProcessingException e) {
+                throw new RuntimeException(e);
+            }
+        }
+    }
+
+    @Override
+    public void onAfterLoad(AfterLoadEvent event) {
+        Class source = event.getType();
+
+        if (source.isAnnotationPresent(Encrypted.class)) {
+            if (event.getDBObject().get("encrypted") == null) {
+                return;
+            }
+
+            String decryptedJson = EncryptionUtil.decrypt(event.getDBObject().get("encrypted").toString(), secretKey);
+            DBObject decryptedDbObject = (DBObject) JSON.parse(decryptedJson);
+            List<String> exclude = Arrays.asList(((Encrypted) source.getAnnotation(Encrypted.class)).exclude());
+
+            //cleanup loaded dbobject exclude annotated fields
+            Object[] keySet = event.getDBObject().keySet().toArray();
+            for (int i = keySet.length - 1; i >= 0; i--) {
+                if (!exclude.contains(keySet[i].toString())) {
+                    event.getDBObject().removeField(keySet[i].toString());
+                }
+            }
+
+            //restore encrypted data exclude annotated fields
+            keySet = decryptedDbObject.keySet().toArray();
+            for (int i = keySet.length - 1; i >= 0; i--) {
+                String key = keySet[i].toString();
+                if (!exclude.contains(key)) {
+                    event.getDBObject().put(key, decryptedDbObject.get(key));
+                }
+            }
+        }
+    }
+
+
+}

multibanking-persistence/src/main/java/de/adorsys/multibanking/encrypt/Encrypted.java

@@ -13,9 +13,9 @@
 /**
  * Created by alexg on 09.05.17.
  */
-public class FieldEncryptionUtil {
+public class EncryptionUtil {
 
-    private static final Logger log = LoggerFactory.getLogger(FieldEncryptionUtil.class);
+    private static final Logger log = LoggerFactory.getLogger(EncryptionUtil.class);
 
     private static final String AES_CBC_PKCS5_PADDING = "AES/CBC/PKCS5Padding";