Alon Bar-Lev has posted comments on this change.
Change subject: core: Encrypt CHAP credentials in the database
......................................................................
Patch Set 3: (10 inline comments)
....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh
Line 1: #!/bin/bash
I fully agree, we should remove the bash usage whenever we can, but Eli
rejected this in the past... Eli?
Line 2:
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5:
Line 6: # detect failure of commands within pipelines
Line 7: set -p
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
quates
Line 11:
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
/dev/null
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
Line 11:
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
/dev/null
quotes
Line 15:
Line 16: # get all connections that have a password configured
Line 17: filename=$(mktemp)
Line 18: CMD="select id, connection||' '||coalesce(iqn, '') as name, password
from storage_server_connections where password is not null;"
Line 13: CMD="select
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
/dev/null
Line 15:
Line 16: # get all connections that have a password configured
Line 17: filename=$(mktemp)
quotes
Line 18: CMD="select id, connection||' '||coalesce(iqn, '') as name, password
from storage_server_connections where password is not null;"
Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
${filename}
Line 20: while read line
Line 21: do
Line 15:
Line 16: # get all connections that have a password configured
Line 17: filename=$(mktemp)
Line 18: CMD="select id, connection||' '||coalesce(iqn, '') as name, password
from storage_server_connections where password is not null;"
Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
${filename}
quotes
Line 20: while read line
Line 21: do
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
${filename}
Line 20: while read line
Line 21: do
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
There must be a better way to do this... recently I used the csv creation which
was better... there is also xml output, so xpath can be used... not sure what
are the standards...
Line 24: continue
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/
*$//g')
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
Line 24: continue
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/
*$//g')
Minor issue... why use both cut and sed?
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30: # encrypt the password
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/
*$//g')
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
please use -z
Line 30: # encrypt the password
Line 31: encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl
rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
Line 32: if [ $? -ne 0 ]; then
Line 33: echo "Failed to encrypt connection ${connName} password.
The password will remain unencrypted in the database until this is complete."
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30: # encrypt the password
Line 31: encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl
rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
quotes
as in my sample, please add:
| tar -d '\n'
Line 32: if [ $? -ne 0 ]; then
Line 33: echo "Failed to encrypt connection ${connName} password.
The password will remain unencrypted in the database until this is complete."
Line 34: else
Line 35: # update the password field for the given connection
Line 36: CMD="update storage_server_connections set password =
'${encryptedPasswd}' where id = '${connId}';"
Line 37: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME}
${PORT} > /dev/null
Line 38: fi
Line 39: fi
Line 40: done < ${filename}
quotes.
but why not:
execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} | while read
line; do
...
done
--
To view, visit http://gerrit.ovirt.org/8344
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <[email protected]>
Gerrit-Reviewer: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Ayal Baron <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Eduardo <[email protected]>
Gerrit-Reviewer: Eli Mesika <[email protected]>
Gerrit-Reviewer: Federico Simoncelli <[email protected]>
Gerrit-Reviewer: Greg Padgett <[email protected]>
Gerrit-Reviewer: Liron Aravot <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
