Greg Padgett has posted comments on this change.
Change subject: core: Encrypt CHAP credentials in the database
......................................................................
Patch Set 3: (3 inline comments)
> You don't need to give your-self -1...
True, just protection against merging after noticing my typo.
....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh
Line 3: #include db general functions
Line 4: source ./dbfunctions.sh
Line 5:
Line 6: # detect failure of commands within pipelines
Line 7: set -p
The check on line 32 won't detect failure of the first openssl invocation in
line 31 if the second invocation succeeds. Unlikely, but could lead to corrupt
data.
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
Line 11:
Line 6: # detect failure of commands within pipelines
Line 7: set -p
Line 8:
Line 9: # get configuration values needed for password encryption from DB
Line 10: certificate=$(get_config_value "CertificateFileName" "general")
Ahh tunnel vision, I was only looking inside the subprocess command string.
Thanks.
Line 11:
Line 12: # change password column to text to fit the encrypted password.
Line 13: CMD="select
fn_db_change_column_type('storage_server_connections','password','VARCHAR','text');"
Line 14: execute_command "${CMD}" "${DATABASE}" ${SERVERNAME} ${PORT} >
/dev/null
Line 27: connName=$(echo "${line}" | cut -d "|" -f2 | sed 's/^ *//g; s/
*$//g')
Line 28: connPasswd=$(echo "${line}" | cut -d "|" -f3 | sed 's/^ *//g; s/
*$//g')
Line 29: if [ "$connId" != "" -a "$connPasswd" != "" ]; then
Line 30: # encrypt the password
Line 31: encryptedPasswd=$(echo -n "$connPasswd" | /usr/bin/openssl
rsautl -certin -inkey $certificate -encrypt -pkcs | /usr/bin/openssl enc -a)
Engine even stores them with dos line endings. (I didn't bother with that
here...)
Line 32: if [ $? -ne 0 ]; then
Line 33: echo "Failed to encrypt connection ${connName} password.
The password will remain unencrypted in the database until this is complete."
Line 34: else
Line 35: # update the password field for the given connection
--
To view, visit http://gerrit.ovirt.org/8344
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amure...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Ayal Baron <aba...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Eduardo <ewars...@redhat.com>
Gerrit-Reviewer: Eli Mesika <emes...@redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimo...@redhat.com>
Gerrit-Reviewer: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Liron Aravot <lara...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
