Greg Padgett has posted comments on this change.

Change subject: core: Encrypt CHAP credentials in the database
......................................................................

Patch Set 5: (2 inline comments)

....................................................
File backend/manager/dbscripts/upgrade/03_01_1440_encrypt_chap_password.sh
Line 18: # get all connections that have a password configured
Line 19: CMD="select id, connection||' '||coalesce(iqn, '') as name, password from storage_server_connections where password is not null;"
Line 20: execute_command "${CMD}" "${DATABASE}" "${SERVERNAME}" "${PORT}" | while read line; do
Line 21: # filter lines that don't look like tuples: uuid | name | password
Line 22: if echo "${line}" | grep -vq '^ *[a-fA-F0-9-]\{32,\} | [^|]\+ | '; then

Note that if $VERBOSE is true, execute_command will print the query in the first line of the output so that's really the target of this filter. It's not really prettier than the last version, but it does the job.

Line 23: continue
Line 24: fi
Line 25:
Line 26: connId="$(get_field "${line}" "1")"

Line 29:
Line 30: if [ -n "${connId}" -a -n "${connPasswd}" ]; then
Line 31: # encrypt the password
Line 32: encryptedPasswd="$(echo -n "${connPasswd}" | /usr/bin/openssl rsautl -certin -inkey "${certificate}" -encrypt -pkcs | /usr/bin/openssl enc -a)"
Line 33: if [ $? -ne 0 -o -z "${encryptedPasswd}" ]; then

I found that if the first openssl invocation in line 32 fails, the output ends up empty. If the second fails, $? is non-zero here. So, no need for the [non-posix] 'set -o pipefail'.

Line 34: # note that an empty password here indicates failure to encrypt
Line 35: echo "Failed to encrypt connection ${connName} password. The password will remain unencrypted in the database until this is complete."
Line 36: else
Line 37: # update the password field for the given connection

--
To view, visit http://gerrit.ovirt.org/8344
Gerrit-MessageType: comment
Gerrit-Change-Id: I15b4cba7418d9d818fb2fd69c708fdeb20942f9c
Gerrit-PatchSet: 5
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amure...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Ayal Baron <aba...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Eduardo <ewars...@redhat.com>
Gerrit-Reviewer: Eli Mesika <emes...@redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimo...@redhat.com>
Gerrit-Reviewer: Greg Padgett <gpadg...@redhat.com>
Gerrit-Reviewer: Liron Aravot <lara...@redhat.com>
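
The exit-status behaviour described in the comment on line 33, as an added example that is not part of the original message or of the ovirt-engine script. The `stage*` functions and `try_encrypt` are hypothetical stand-ins for the two openssl invocations so the check runs offline; the example goes one case beyond the comment by showing that the check relies on the first stage writing nothing when it fails.

```shell
#!/bin/sh
# Hypothetical stand-ins for the two pipeline stages (not the real openssl calls).
stage1_ok()      { tr 'a-z' 'n-za-m'; }                        # transforms stdin, exits 0
stage1_fail()    { cat >/dev/null; return 1; }                 # fails, writes nothing
stage1_partial() { printf 'junk'; cat >/dev/null; return 1; }  # writes, then fails
stage2_ok()      { od -An -tx1 | tr -d ' \n'; }                # encodes stdin as hex
stage2_fail()    { cat >/dev/null; return 1; }                 # encoder fails

# try_encrypt STAGE1 STAGE2 VALUE
# Prints "stored:<ciphertext>" when the check accepts the result,
# "kept-plaintext" when it reports a failure.
try_encrypt() {
    s1="$1"; s2="$2"; plain="$3"
    rc=0
    # Without pipefail the pipeline status is the status of the LAST stage only.
    enc="$(printf '%s' "${plain}" | "${s1}" | "${s2}")" || rc=$?
    # Same test as line 33 of the script under review.
    if [ "${rc}" -ne 0 -o -z "${enc}" ]; then
        echo "kept-plaintext"
    else
        echo "stored:${enc}"
    fi
}

# Constructed demo input; the value "secret" is a sample, not real data.
for s1 in stage1_ok stage1_fail stage1_partial; do
    echo "${s1} | stage2_ok -> $(try_encrypt "${s1}" stage2_ok secret)"
done
echo "stage1_ok | stage2_fail -> $(try_encrypt stage1_ok stage2_fail secret)"
```

The `stage1_partial` case is accepted by the check, so a first stage that can emit output before failing would need its own status inspected.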