日志脫敏功能

前言

數據安全尤為重要，最為簡單的防線就是防止重要信息（身份證、手機號、姓名等）明文顯示，對此需要在數據庫層、日志層等做好數據加解密。

思路

1、編寫需加密的正則模板、加密字段
2、重寫ch.qos.logback.classic.pattern.MessageConverter
3、編寫日志框架，確認轉換模板（本篇采用logback.xml）

看不明白的直接無腦復制代碼，在logback-sensitive-rule.properties文件中加上你需要的脫敏的字段即可

實戰

正則模板及加密字段

在resource目錄下建立兩個properties文件，logback-sensitive-def-rule 和 logback-sensitive-rule。前者logback-sensitive-def-rule 主要指定正則表達式和默認加密字段，可作為公共二方包供所有項目使用，logback-sensitive-rule主要用于定制化項目，對特別項目需要加密字段的做定制化。

logback-sensitive-def-rule

#mobile  \"mobile\"|\"telphone\"
# ??json
def_rule1=(KEYWORD)(\\s{0,})(:)(\\s{0,})(\\\\"|\")(\\w{3})(\\w{4})(\\w{4})*(\\\\"|\")&$1$2$3$4$5$6****$8$9&mobile
# ??toString
def_rule_sec11=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|\'|)(\\w{3})(\\w{4})(\\w{4})*(\"|\'|)&$1$2$3$4$5$6****$8$9&mobile
def_rule_sec12=(KEYWORD)(\\\\{0,}\\\"\\s{0,})(:)(\\s{0,})(\\\\{0,}\\\")(\\w{3})(\\w{4})(\\w{4})*(\\\\{0,}\\\")&$1$2$3$4$5$6****$8$9&mobile
def_field_rule_mobile=mobile|telphone#idcard,bankcard
def_rule2=(KEYWORD)(\\s{0,})(:)(\\s{0,})(\\\\"|\")(\\w{3})(\\w{1,})(\\w{4})(\\\\"|\")&$1$2$3$4$5$6*********$8$9&idcard
def_rule_sec21=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|\'|)(\\w{3})(\\w{1,})(\\w{4})(\"|\'|)&$1$2$3$4$5$6*********$8$9&idcard
def_rule_sec22=(KEYWORD)(\\\\{0,}\\\"\\s{0,})(:)(\\\\{0,}\\s{0,})(\")(\\w{3})(\\w{1,})(\\w{4})(\\\\{0,}\\s{0,})(\")&$1$2$3$4$5$6******$8$9$10&idcard
def_field_rule_idcard=idcard|bankcard|idNo#pwd ("pwd")(\s{0,})(:|=)(\s{0,})(\\"|")(.*?)(\\"|")
def_rule3=(KEYWORD)(\\s{0,})(:)(\\s{0,})(\\\\"|\")(.*?)(\\\\"|\")&$1$2$3$4$5*****$7&pwd
def_rule_sec31=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|)(.*?)(\"|,|\\)|])&$1$2$3$4$5*****$7&pwd
# def_rule_sec32=(KEYWORD)(,)(.*?)&$1$2*****&pwd
def_field_rule_pwd=password|pwd#username
# ??json
def_rule4=(KEYWORD)(\\s{0,})(:)(\\s{0,})(\\\\"|\")([\u4E00-\u9FA5]{1})[\u4E00-\u9FA5]{1,}(\\\\"|\")&$1$2$3$4$5$6**$7&name
# ??toString
def_rule_sec41=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|\'|)([\u4E00-\u9FA5]{1})([\u4E00-\u9FA5]{1,})(\"|\'|)&$1$2$3$4$5$6**$8&name
# ????json???
def_rule_sec42=(KEYWORD)(\\\\{0,}\\\"\\s{0,})(:)(\\\\{0,}\\s{0,})(\\\")([\u4E00-\u9FA5]{1})([\u4E00-\u9FA5]{1,})(\\\\{0,}\\\")&$1$2$3$4$5$6**$8&name
def_field_rule_name=customerName|userName|name|custName#email
def_rule5=(KEYWORD)(\\s{0,})(:)(\\s{0,})(\\\\"|\")([A-Za-z0-9\u4e00-\u9fa5|_-]{1,2})([A-Za-z0-9\u4e00-\u9fa5|_-]{1,})@([a-z0-9A-Z_-]{2,})+(\\.[a-zA-Z0-9_-]{1,})(\\\\"|\")&$1$2$3$4$5$6***@$8$9$10&email
def_rule_sec51=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|\'|)([A-Za-z0-9\u4e00-\u9fa5|_-]{1,2})([A-Za-z0-9\u4e00-\u9fa5|_-]{1,})@([a-z0-9A-Z_-]{2,})+(\\.[a-zA-Z0-9_-]{1,})(\"|\'|)&$1$2$3$4$5$6***@$8$9&email
def_field_rule_email=email#address
def_rule6=
# 未知長度，且未知數據格式
def_rule_sec61=(KEYWORD)(\\s{0,})(:|=)(\\s{0,})(\"|\')([\\u4E00-\\u9FA5]{0,}?\\S{0,}?)(\\S{0,10})(\"|\')&$1$2$3$4$5$6*****$8&address
def_rule_sec62=(KEYWORD)(\\\\{0,}\\\"\\s{0,})(:)(\\\\{0,}\\s{0,})(\\\")([\\u4E00-\\u9FA5]{0,}?\\S{0,}?)(\\S{0,10})(\\\\{0,}\\\")&$1$2$3$4$5$6*****$8&address
def_field_rule_address=address|idAddress

logback-sensitive-rule

# 定制化字段 分別代表 電話、姓名、證件號、地址
sen_field_rule_mobile=mobile|custMobileNo|bankPhone|mobileNo|reserveMobileNo|phone|contactPhone|accountPhone|custMobile|bankMobile
sen_field_rule_name=custName|acctName|openCustName|OCRname|name|accountName|dbAcctName|bankAcctName
sen_field_rule_idcard=idNo|acct|bankCardNo|ocrPrcid|certNo|dbAcct|id|originValue|idCardNo
sen_field_rule_address=custAddress|address|idAddress|entAddress|certAddress|ocrIdAddress

LogBackSensitiveConverter

重新ch.qos.logback.classic.pattern.MessageConverter的convert方法，主要實現思路是約定號規則字段(如sen_field_rule_、def_field_rule_）,從properties文件中讀取配置。

LogBackSensitiveConverter


import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.pattern.MessageConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;/*** 敏感信息脫敏處理**/
public class LogBackSensitiveConverter extends MessageConverter {private static Logger log = LoggerFactory.getLogger(LogBackSensitiveConverter.class);private static final String SEN_RULE = "sen_rule_";private static final String SEN_RULE_FIELD = "sen_field_rule_";private static final String DEFAULT_RULE = "def_rule";private static final String DEFAULT_RULE_FIELD = "def_field_rule_";/** 脫敏規則 */private static volatile List<RuleConfig> configList;/** 是否脫敏開關 */private static volatile boolean sensitiveOpen;/** 是否初始化配置 */private static volatile boolean initFlag;@Overridepublic String convert(ILoggingEvent event) {init();return doConvert(event);}private void init() {try {if (!initFlag) {initFlag = true;Map<String, String> propertyMap = ((LoggerContext) LoggerFactory.getILoggerFactory()).getCopyOfPropertyMap();sensitiveOpen = Boolean.valueOf(propertyMap.get("sensitiveOpen"));if (sensitiveOpen) {initRuleConfig(propertyMap);}}} catch (Exception e) {configList = null;log.error("error,{}", e);}}private String doConvert(ILoggingEvent event) {try {//本工具打日志不做轉換if (LogBackSensitiveConverter.class.getName().equals(event.getLoggerName())) {return event.getFormattedMessage();}String result = event.getFormattedMessage();if (configList != null && configList.size() > 0) {for (RuleConfig ruleConfig : configList) {result = ruleConfig.apply(result);}if (StringUtils.isEmpty(result)) {result = event.getFormattedMessage();}} else {result = super.convert(event);}return result;} catch (Exception e) {log.error("error,{}", e);return event.getFormattedMessage();}}private void initRuleConfig(Map<String, String> propertyMap) {if (configList == null) {synchronized (LogBackSensitiveConverter.class) {if (configList == null) {// read propertiesPropertiesUtil propertiesUtil = new PropertiesUtil("logback-sensitive-def-rule.properties");Properties properties = propertiesUtil.get();configList = new ArrayList<>();//添加默認表達式addDefaultRule(propertyMap, properties);//添加自定義正則表達式addCustomRule(propertyMap);//                    this.addInfo("logback sensitive rule init end ! ");log.info("logback_sensitive_rule_init_end !");}}}}private void addCustomRule(Map<String, String> propertyMap) {for (String s : propertyMap.keySet()) {if (s.startsWith(SEN_RULE)) {String[] array = propertyMap.get(s).split("&");if (ArrayUtils.isNotEmpty(array) && array.length == 2) {configList.add(new RuleConfig(array[0], array[1]));}}}}private void addDefaultRule(Map<String, String> propertyMap, Properties properties) {for (String key : properties.stringPropertyNames()) {if (!key.startsWith(DEFAULT_RULE)) {continue;}String[] array = properties.getProperty(key).split("&");if (ArrayUtils.isNotEmpty(array) && array.length == 3) {//讀默認字段String defFields = String.valueOf(properties.get(DEFAULT_RULE_FIELD + array[2]));//讀自定義字段String senFields = propertyMap.get(SEN_RULE_FIELD + array[2]);String keyword = StringUtils.EMPTY;if (key.indexOf("sec") != -1) {senFields = StringUtils.isEmpty(senFields) ? "" : "|" + senFields;keyword = defFields + senFields;} else {keyword = "\"" + defFields.replace("|", "\"|\"") + "\"";if (!StringUtils.isEmpty(senFields)) {keyword += "|" + "\"" + senFields.replace("|", "\"|\"") + "\"";}keyword += "|\\\\\"" + defFields.replace("|", "\\\\\"|\\\\\"") + "\\\\\"";if (!StringUtils.isEmpty(senFields)) {keyword += "|\\\\\"" + senFields.replace("|", "\\\\\"|\\\\\"") + "\\\\\"";}}if (StringUtils.isEmpty(keyword)) {continue;}configList.add(new RuleConfig(array[0].replace("KEYWORD", keyword), array[1]));}}}private class RuleConfig {private String reg;private String replacement;private Pattern pattern;RuleConfig(String reg, String replacement) {this.reg = reg;this.replacement = replacement;this.pattern = Pattern.compile(reg);}public String getReg() {return reg;}public void setReg(String reg) {this.reg = reg;}public String getReplacement() {return replacement;}public void setReplacement(String replacement) {this.replacement = replacement;}public Pattern getPattern() {return pattern;}public void setPattern(Pattern pattern) {this.pattern = pattern;}String apply(String message) {if (StringUtils.isEmpty(message)) {return message;}return this.pattern.matcher(message).replaceAll(replacement);}}
}

PropertiesUtil


import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Properties;/*** Created by rayfoo@qq.com Luna on 2020/4/15 18:38* Description : 讀取配置文件工具類*/
public class PropertiesUtil {private static Logger log = LoggerFactory.getLogger(PropertiesUtil.class);private Properties properties;public PropertiesUtil(String fileName) {if (StringUtils.isBlank(fileName)) {return;}properties = new Properties();try {properties.load(new InputStreamReader(PropertiesUtil.class.getClassLoader().getResourceAsStream(fileName)));} catch (IOException e) {log.error("PropertiesUtil load data error :{}", e);return;}}public Properties get() {return this.properties;}public String getProperty(String key) {String value = properties.getProperty(key.trim());if (StringUtils.isBlank(value)) {return null;}return value.trim();}public String getProperty(String key, String defaultValue) {String value = properties.getProperty(key);if (StringUtils.isBlank(value)) {return defaultValue;}return value;}}

配置logback,xml

<?xml version="1.0" encoding="UTF-8"?>
<configuration><!--     脫敏開啟開關 必須配置--><property scope="context" name="sensitiveOpen" value="true"/><!--    自定義屬性配置文件：可自定義字段名和匹配正則表達式  可選配置--><property scope="context" resource="logback-sensitive-rule.properties"/><!--    轉換配置 必選配置--><conversionRule conversionWord="msg" converterClass="com.xxx.xxx.xx.LogBackSensitiveConverter"> </conversionRule>
</configuration>