[Engine-patches] Change in ovirt-engine[master]: core: Encrypt CHAP credentials in the database

Alon Bar-Lev Sun, 14 Oct 2012 13:36:47 -0700

Alon Bar-Lev has posted comments on this change.

Change subject: core: Encrypt CHAP credentials in the database
......................................................................



Patch Set 3: (6 inline comments)

You don't need to give your-self -1...

....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh
Line 1: #!/bin/bash
Please do. Even if someone love the #!/bin/bash... we do need to get POSIX.
Line 2: 
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5: 


Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5: 
Line 6: # detect failure of commands within pipelines
Line 7: set -p
why do you use it anyway?
Line 8: 
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
Line 11: 


Line 6: # detect failure of commands within pipelines
Line 7: set -p
Line 8: 
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
No... add!

 certificate="$(get_config_value "CertificateFileName" "general")"
Line 11: 
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select 
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} > 
/dev/null


Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} > 
${filename}
Line 20: while read line
Line 21: do
Line 22:     # extracting the relevant fields values from each record.
Line 23:     if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
I am not the dba.. :) just suggesting.
Line 24:         continue
Line 25:     fi
Line 26:     connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/ 
*$//g')
Line 27:     connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/ 
*$//g')


Line 22:     # extracting the relevant fields values from each record.
Line 23:     if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
Line 24:         continue
Line 25:     fi
Line 26:     connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/ 
*$//g')
I would have done so using single sed...

But in your case...

 get_field(line, n) {
     echo "${line}" | cut -d '|' -f${n} | sed ....
 }

 connName="$(get_field "${line}", 1)"
 connName="$(get_field "${line}", 2)"
Line 27:     connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/ 
*$//g')
Line 28:     connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/ 
*$//g')
Line 29:     if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30:         # encrypt the password


Line 27:     connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/ 
*$//g')
Line 28:     connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/ 
*$//g')
Line 29:     if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30:         # encrypt the password
Line 31:         encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl 
rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
Are you sure? it should not do so. It is not that important... as we can always 
remove these.
Line 32:         if [ $? -ne 0 ]; then
Line 33:             echo "Failed to encrypt connection ${connName} password. 
The password will remain unencrypted in the database until this is complete."
Line 34:         else
Line 35:             # update the password field for the given connection


--
To view, visit http://gerrit.ovirt.org/8344
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amure...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Ayal Baron <aba...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Eduardo <ewars...@redhat.com>
Gerrit-Reviewer: Eli Mesika <emes...@redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimo...@redhat.com>
Gerrit-Reviewer: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Liron Aravot <lara...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches

[Engine-patches] Change in ovirt-engine[master]: core: Encrypt CHAP credentials in the database

Reply via email to