Ravi Nori has uploaded a new change for review. Change subject: core : Plaintext user passwords in async_tasks database ......................................................................
core : Plaintext user passwords in async_tasks database The VdcUser password is saved in async_tasks table in plain text This is a 3.3 issue, the problem has beem fixed in 3.4 by directory refactoring Change-Id: I337818f6c2a376553409587a0982c1f9e8705bec Bug-Url: https://bugzilla.redhat.com/1017267 Signed-off-by: Ravi Nori <rn...@redhat.com> --- M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectSerializer.java A backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonVdcUserMixIn.java 3 files changed, 63 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/16/23116/1
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java
index 867a99d..a695934 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java
@@ -16,6 +16,7 @@
 import org.ovirt.engine.core.common.businessentities.VdsStatic;
 import org.ovirt.engine.core.common.businessentities.VmBase;
 import org.ovirt.engine.core.common.businessentities.VmStatic;
+import org.ovirt.engine.core.common.users.VdcUser;
 import org.ovirt.engine.core.compat.Guid;
 import org.ovirt.engine.core.utils.Deserializer;
 import org.ovirt.engine.core.utils.SerializationExeption;
@@ -43,6 +44,7 @@
 JsonVmManagementParametersBaseMixIn.class);
 formattedMapper.getDeserializationConfig().addMixInAnnotations(VmBase.class, JsonVmBaseMixIn.class);
 formattedMapper.getDeserializationConfig().addMixInAnnotations(VmStatic.class, JsonVmStaticMixIn.class);
+ formattedMapper.getDeserializationConfig().addMixInAnnotations(VdcUser.class, JsonVdcUserMixIn.class);
 formattedMapper.configure(Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 formattedMapper.enableDefaultTyping();
 }
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectSerializer.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectSerializer.java
index 2f4ed92..da5c2d4 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectSerializer.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectSerializer.java
@@ -19,6 +19,7 @@
 import org.ovirt.engine.core.common.businessentities.VmBase;
 import org.ovirt.engine.core.common.businessentities.VmPayload;
 import org.ovirt.engine.core.common.businessentities.VmStatic;
+import org.ovirt.engine.core.common.users.VdcUser;
 import org.ovirt.engine.core.compat.Guid;
 import org.ovirt.engine.core.utils.SerializationExeption;
 import org.ovirt.engine.core.utils.Serializer;
@@ -46,6 +47,7 @@
 formattedMapper.getSerializationConfig().addMixInAnnotations(VmBase.class, JsonVmBaseMixIn.class);
 formattedMapper.getSerializationConfig().addMixInAnnotations(VmStatic.class, JsonVmStaticMixIn.class);
 formattedMapper.getSerializationConfig().addMixInAnnotations(VmPayload.class, JsonVmPayloadMixIn.class);
+ formattedMapper.getSerializationConfig().addMixInAnnotations(VdcUser.class, JsonVdcUserMixIn.class);
 formattedMapper.configure(Feature.INDENT_OUTPUT, true);
 formattedMapper.enableDefaultTyping();
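Review bot: Values written to async_tasks before this change are still plain text (per the commit message), but the `addMixInAnnotations(VdcUser.class, JsonVdcUserMixIn.class)` line added in the `@@ -43,6 +44,7 @@` hunk of JsonObjectDeserializer.java routes every stored password through `EngineEncryptionUtils.decrypt`. Depending on how `decrypt` treats input that is not ciphertext (not visible here), reloading a task persisted before the upgrade may fail with the `IOException` thrown by `JsonPasswordDeserializer.deserialize` in the new file, and those old rows stay readable in the table either way. An upgrade step that re-encrypts or clears the password in existing rows would cover both; at minimum add a comment above the new line such as `// passwords are stored encrypted; rows written before this change hold plain text`. The block containing this line starts above the hunk.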
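Review bot: The password is still persisted after the registration added in the `@@ -46,6 +47,7 @@` hunk of JsonObjectSerializer.java, only in a reversible form, so its confidentiality now rests entirely on the engine key. If nothing that reloads the task parameters needs the password (which cannot be told from this hunk), leaving the property out of the JSON is stronger than encrypting it, for example `@JsonIgnore` on `getPassword()` in the mix-in instead of `@JsonSerialize(using = JsonPasswordSerializer.class)`. The block this line sits in starts and ends outside the hunk.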
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonVdcUserMixIn.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonVdcUserMixIn.java
new file mode 100644
index 0000000..9f7d94d
--- /dev/null
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonVdcUserMixIn.java
@@ -0,0 +1,59 @@
+package org.ovirt.engine.core.utils.serialization.json;
+
+import org.codehaus.jackson.JsonGenerator;
+import org.codehaus.jackson.JsonParser;
+import org.codehaus.jackson.annotate.JsonTypeInfo;
+import org.codehaus.jackson.annotate.JsonTypeInfo.As;
+import org.codehaus.jackson.annotate.JsonTypeInfo.Id;
+import org.codehaus.jackson.map.DeserializationContext;
+import org.codehaus.jackson.map.JsonDeserializer;
+import org.codehaus.jackson.map.JsonSerializer;
+import org.codehaus.jackson.map.SerializerProvider;
+import org.codehaus.jackson.map.annotate.JsonDeserialize;
+import org.codehaus.jackson.map.annotate.JsonSerialize;
+import org.ovirt.engine.core.common.users.VdcUser;
+import org.ovirt.engine.core.utils.crypt.EngineEncryptionUtils;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+@SuppressWarnings("serial")
+@JsonTypeInfo(use = Id.CLASS, include = As.PROPERTY)
+public abstract class JsonVdcUserMixIn extends VdcUser {
+
+ @JsonSerialize(using = JsonPasswordSerializer.class)
+ @Override
+ public abstract String getPassword();
+
+ @JsonDeserialize(using = JsonPasswordDeserializer.class)
+ @Override
+ public abstract void setPassword(String value);
+
+ public static class JsonPasswordSerializer extends JsonSerializer<String> {
+
+ public JsonPasswordSerializer() {}
+
+ @Override
+ public void serialize(String passwd, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException {
+ try {
+ jsonGenerator.writeString(EngineEncryptionUtils.encrypt(passwd));
+ } catch(GeneralSecurityException gse) {
+ throw new IOException(gse);
+ }
+ }
+ }
+
+ public static class JsonPasswordDeserializer extends JsonDeserializer<String> {
+
+ public JsonPasswordDeserializer() {}
+
+ @Override
+ public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+ try {
+ return EngineEncryptionUtils.decrypt(jsonParser.getText());
+ } catch(GeneralSecurityException gse) {
+ throw new IOException(gse);
+ }
+ }
+ }
+}
-- To view, visit http://gerrit.ovirt.org/23116 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I337818f6c2a376553409587a0982c1f9e8705bec Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.3 Gerrit-Owner: Ravi Nori <rn...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
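Review bot: `JsonVdcUserMixIn` and its nested `JsonPasswordSerializer` and `JsonPasswordDeserializer` carry no Javadoc, so the reason the class exists is recorded only in the commit message. A class comment should state that the mix-in routes `getPassword()`/`setPassword()` through `EngineEncryptionUtils.encrypt`/`decrypt`, so that the JSON written for a `VdcUser` holds ciphertext rather than the clear-text password. Each nested class deserves a one-line comment saying that a `GeneralSecurityException` is rethrown as an `IOException` with the cause attached. As a style point, the explicit empty constructors add nothing over the implicit default constructor, and `catch(` would read better as `catch (`, assuming that matches the rest of the module.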