Alon Bar-Lev has posted comments on this change.
Change subject: core: Encrypt CHAP credentials in the database
......................................................................
Patch Set 3: (6 inline comments)
You don't need to give yourself -1...
....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh
Line 1: #!/bin/bash
Please do. Even if someone loves the #!/bin/bash... we do need to get POSIX.
Line 2:
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5:
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5:
Line 6: # detect failure of commands within pipelines
Line 7: set -p
Why do you use it anyway?
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
Line 11:
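Review bot: "set -p" on line 7 does not do what the comment on line 6 says. In bash, -p turns on privileged mode; the option that makes a pipeline report the failure of any of its commands is "set -o pipefail". As written, a failure in an early stage of a pipeline in this script goes unnoticed, so either switch to pipefail or drop line 7 and check each command's status explicitly.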
Line 6: # detect failure of commands within pipelines
Line 7: set -p
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
No... add!
certificate="$(get_config_value "CertificateFileName" "general")"
Line 11:
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
/dev/null
Line 19: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
${filename}
Line 20: while read line
Line 21: do
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
I am not the dba.. :) just suggesting.
Line 24: continue
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/
*$//g')
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 22: # extracting the relevant fields values from each record.
Line 23: if [ $(echo $line | grep "|" |wc -l) -eq 0 ]; then
Line 24: continue
Line 25: fi
Line 26: connId=$(echo "${line}" | cut -d "|" -f1 | sed 's/^ *//g; s/
*$//g')
I would have done so using a single sed...
But in your case...
get_field() {
    # $1 = record line, $2 = field number; same trim expression as line 26
    echo "$1" | cut -d '|' -f"$2" | sed 's/^ *//g; s/ *$//g'
}
connId="$(get_field "${line}" 1)"
connName="$(get_field "${line}" 2)"
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30: # encrypt the password
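Review bot: The field parsing on lines 26-28 can change the password before it is encrypted. cut -d "|" -f3 drops everything after a "|" that occurs inside the password, and the sed trim strips leading and trailing spaces that may be part of it; "while read line" on line 20 has no -r, so backslashes are consumed as well. A CHAP secret containing any of these characters would be stored as the encryption of a different value. Suggest "IFS= read -r line", quoting $line on line 23, and having the query return the fields in a form that does not depend on splitting at a character the data can contain.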
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30: # encrypt the password
Line 31: encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl
rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
Are you sure? It should not do so. It is not that important... as we can always
remove these.
Line 32: if [ $? -ne 0 ]; then
Line 33: echo "Failed to encrypt connection ${connName} password.
The password will remain unencrypted in the database until this is complete."
Line 34: else
Line 35: # update the password field for the given connection
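Review bot: The "$?" test on line 32 only sees the exit status of the last command in the line 31 pipeline, the base64 step (openssl enc -a), so a failing rsautl (for example an unreadable certificate path) is not caught and the else branch on line 35 goes on to update the password column with whatever came out, possibly an empty string. Run the two openssl steps separately and check rsautl's status on its own, or rely on pipefail, and also refuse an empty encryptedPasswd before updating. In the same line, quote the path as -inkey "$certificate" and prefer printf '%s' "$connPasswd" over echo -n, whose handling of -n and backslashes differs between shells.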
--
To view, visit http://gerrit.ovirt.org/8344
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <[email protected]>
Gerrit-Reviewer: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Ayal Baron <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Eduardo <[email protected]>
Gerrit-Reviewer: Eli Mesika <[email protected]>
Gerrit-Reviewer: Federico Simoncelli <[email protected]>
Gerrit-Reviewer: Greg Padgett <[email protected]>
Gerrit-Reviewer: Liron Aravot <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches