Alon Bar-Lev has posted comments on this change.

Change subject: core: Encrypt CHAP credentials in the database
......................................................................

Patch Set 3: (10 inline comments)

....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh

Line 1: #!/bin/bash
I fully agree, we should remove the bash usage whenever we can, but Eli rejected this in the past... Eli?

Line 2:
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5:
Line 6: # detect failure of commands within pipelines
Line 7: set -p
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
quotes

Line 11:
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} > /dev/null
quotes

Line 15:
Line 16: # get all connections that have a password configured
Line 17: filename=$(mktemp)
quotes

Line 18: CMD="select id, connection||' '||coalesce(iqn, '') as name, password from storage_server_connections where password is not null;"
Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} > $(unknown)
quotes

Line 20: while read line
Line 21: do
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
There must be a better way to do this... recently I used the csv creation which was better... there is also xml output, so xpath can be used... not sure what the standards are...

Line 24: continue
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/ *$//g')
Minor issue... why use both cut and sed?

Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/ *$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/ *$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
please use -z

Line 30: # encrypt the password
Line 31: encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
quotes as in my sample, please add: | tar -d '\n'

Line 32: if [ $? -ne 0 ]; then
Line 33: echo "Failed to encrypt connection ${connName} password. The password will remain unencrypted in the database until this is complete."
Line 34: else
Line 35: # update the password field for the given connection
Line 36: CMD="update storage_server_connections set password = '${encryptedPasswd}' where id = '${connId}';"
Line 37: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} > /dev/null
Line 38: fi
Line 39: fi
Line 40: done < $(unknown)
quotes. but why not: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} | while read line; do ... done

--
To view, visit http://gerrit.ovirt.org/8344
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amure...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Ayal Baron <aba...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Eduardo <ewars...@redhat.com>
Gerrit-Reviewer: Eli Mesika <emes...@redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimo...@redhat.com>
Gerrit-Reviewer: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Liron Aravot <lara...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
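The loop shape the review asks for (rows consumed from a pipeline instead of a temp file, fields split without cut+sed, every expansion quoted, emptiness tested with -z, the base64 line breaks stripped after openssl enc -a), written out as an added example; this is not the patch under review or oVirt's own code. It assumes psql-style aligned rows of the form "id | name | password" on stdin and a PEM certificate path, keeps the same openssl rsautl construction as the script, and uses a heredoc plus IFS='|' read for the field split, which is my choice rather than anything the reviewer named.

```shell
#!/bin/sh
# Added example, not the patch under review: the record loop of the upgrade
# script redone along the review comments. Assumption: rows look like psql
# aligned output, "id | name | password"; header/separator/footer are skipped.
# Strip leading/trailing blanks with parameter expansion only (no cut+sed).
trim() {
    s=$1
    s=${s#"${s%%[! ]*}"}
    s=${s%"${s##*[! ]}"}
    printf '%s' "$s"
}
# Print "id|name|password" for a data row with both id and password set;
# return 1 for psql header, separator, footer and blank lines.
parse_connection_row() {
    case "$1" in *'|'*) ;; *) return 1 ;; esac
    IFS='|' read -r id name passwd <<EOF
$1
EOF
    id=$(trim "$id"); name=$(trim "$name"); passwd=$(trim "$passwd")
    if [ "$id" = "id" ] || [ -z "$id" ] || [ -z "$passwd" ]; then
        return 1
    fi
    printf '%s|%s|%s' "$id" "$name" "$passwd"
}
# Double single quotes so a value is safe inside a SQL string literal.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }
# Same construction as the script under review (PKCS#1 RSA with the engine
# certificate, then base64); tr -d removes the line breaks enc -a inserts.
encrypt_password() {  # $1 plaintext, $2 certificate file
    printf '%s' "$1" \
        | openssl rsautl -certin -inkey "$2" -encrypt -pkcs \
        | openssl enc -a | tr -d '\n'
}
# Read rows on stdin and print one UPDATE per connection, so the caller can
# run: execute_command "${CMD}" ... | encrypt_chap_rows "$certificate"
encrypt_chap_rows() {  # $1 certificate file
    while IFS= read -r line; do
        row=$(parse_connection_row "$line") || continue
        id=${row%%|*}; rest=${row#*|}; name=${rest%%|*}; passwd=${rest#*|}
        enc=$(encrypt_password "$passwd" "$1")
        if [ -z "$enc" ]; then  # openssl failed: nothing reached stdout
            echo "Failed to encrypt connection ${name} password; left as is." >&2
            continue
        fi
        printf "update storage_server_connections set password = '%s' where id = '%s';\n" \
            "$(sql_quote "$enc")" "$(sql_quote "$id")"
    done
}
```

A password that itself contains '|' survives the split because read assigns the rest of the line to the last variable; trailing blanks in a password are still lost, exactly as in the sed-trimmed original.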