Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/01/21 23:18:24 UTC
git commit: updated refs/heads/4.3 to afb8a79
Updated Branches:
refs/heads/4.3 28b5d0a9e -> afb8a7932
CLOUDSTACK-5921: S3 security key is stored in DB unencrypted
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/afb8a793
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/afb8a793
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/afb8a793
Branch: refs/heads/4.3
Commit: afb8a79321ca3a5356e332f28038b58a8d1d040c
Parents: 28b5d0a
Author: Min Chen <mi...@citrix.com>
Authored: Tue Jan 21 14:17:30 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Tue Jan 21 14:17:30 2014 -0800
----------------------------------------------------------------------
.../com/cloud/upgrade/dao/Upgrade421to430.java | 42 +++++++++++++++++++-
.../image/datastore/ImageStoreHelper.java | 9 ++++-
.../image/db/ImageStoreDetailsDaoImpl.java | 12 +++++-
.../api/query/dao/ImageStoreJoinDaoImpl.java | 23 ++++++++---
4 files changed, 75 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/afb8a793/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
index 599c1fb..7e26132 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
@@ -29,10 +29,10 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Set;
-import com.cloud.hypervisor.Hypervisor;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
+import com.cloud.hypervisor.Hypervisor;
import com.cloud.utils.crypt.DBEncryptionUtil;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.utils.script.Script;
@@ -68,6 +68,7 @@ public class Upgrade421to430 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
encryptLdapConfigParams(conn);
+ encryptImageStoreDetails(conn);
upgradeMemoryOfSsvmOffering(conn);
updateSystemVmTemplates(conn);
}
@@ -305,8 +306,44 @@ public class Upgrade421to430 implements DbUpgrade {
}
}
s_logger.debug("Updating System Vm Template IDs Complete");
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+
+ if (pstmt != null) {
+ pstmt.close();
+ }
+ } catch (SQLException e) {
+ }
}
- finally {
+ }
+
+ private void encryptImageStoreDetails(Connection conn) {
+ s_logger.debug("Encrypting image store details");
+ PreparedStatement pstmt = null;
+ ResultSet rs = null;
+ try {
+ pstmt = conn.prepareStatement("select id, value from `cloud`.`image_store_details` where name = 'key' or name = 'secretkey'");
+ rs = pstmt.executeQuery();
+ while (rs.next()) {
+ long id = rs.getLong(1);
+ String value = rs.getString(2);
+ if (value == null) {
+ continue;
+ }
+ String encryptedValue = DBEncryptionUtil.encrypt(value);
+ pstmt = conn.prepareStatement("update `cloud`.`image_store_details` set value=? where id=?");
+ pstmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
+ pstmt.setLong(2, id);
+ pstmt.executeUpdate();
+ }
+ } catch (SQLException e) {
+ throw new CloudRuntimeException("Unable encrypt image_store_details values ", e);
+ } catch (UnsupportedEncodingException e) {
+ throw new CloudRuntimeException("Unable encrypt image_store_details values ", e);
+ } finally {
try {
if (rs != null) {
rs.close();
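Review bot: The update statement prepared inside the while loop, `pstmt = conn.prepareStatement("update `cloud`.`image_store_details` set value=? where id=?")`, overwrites the reference to the still-open select statement and to the previous iteration's update statement without closing them, so the finally block only closes whichever statement was assigned last and every other PreparedStatement leaks until garbage collection. Giving the update its own local that is closed per iteration keeps the select backing `rs` owned by `pstmt` and closed exactly once. The migration also encrypts every `value` it finds for these names; if it were ever re-run against a row already written in encrypted form (for example by the new ImageStoreHelper path after a partially completed upgrade), that value would be encrypted twice, which I cannot rule out from here, so a comment stating the assumption that the table holds only plaintext at 4.2.1 would make the precondition explicit. The new `catch (SQLException e) {}` in the finally swallows close failures silently; an `s_logger.debug` there would match the file's logging style while not hiding the error. encryptImageStoreDetails's body continues past this hunk into the next one.
```java
while (rs.next()) {
    long id = rs.getLong(1);
    String value = rs.getString(2);
    if (value == null) {
        continue;
    }
    String encryptedValue = DBEncryptionUtil.encrypt(value);
    // separate statement so the select behind rs stays owned by pstmt and is closed once
    PreparedStatement updStmt = conn.prepareStatement("update `cloud`.`image_store_details` set value=? where id=?");
    try {
        updStmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
        updStmt.setLong(2, id);
        updStmt.executeUpdate();
    } finally {
        updStmt.close();
    }
}
// … unchanged: catch / finally blocks …
```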
@@ -318,6 +355,7 @@ public class Upgrade421to430 implements DbUpgrade {
} catch (SQLException e) {
}
}
+ s_logger.debug("Done encrypting image_store_details");
}
@Override
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/afb8a793/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
----------------------------------------------------------------------
diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java b/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
index e2c48ea..0f5b817 100644
--- a/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
+++ b/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
@@ -26,6 +26,7 @@ import javax.inject.Inject;
import org.springframework.stereotype.Component;
+import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO;
@@ -35,6 +36,7 @@ import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
import com.cloud.storage.DataStoreRole;
import com.cloud.storage.ScopeType;
+import com.cloud.utils.crypt.DBEncryptionUtil;
import com.cloud.utils.exception.CloudRuntimeException;
@Component
@@ -104,7 +106,12 @@ public class ImageStoreHelper {
ImageStoreDetailVO detail = new ImageStoreDetailVO();
detail.setStoreId(store.getId());
detail.setName(key);
- detail.setValue(details.get(key));
+ String value = details.get(key);
+ // encrypt swift key or s3 secret key
+ if (key.equals(ApiConstants.KEY) || key.equals(ApiConstants.S3_SECRET_KEY)) {
+ value = DBEncryptionUtil.encrypt(value);
+ }
+ detail.setValue(value);
imageStoreDetailsDao.persist(detail);
}
}
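Review bot: The predicate `key.equals(ApiConstants.KEY) || key.equals(ApiConstants.S3_SECRET_KEY)` that decides which details are encrypted is spelled out here and repeated in ImageStoreDetailsDaoImpl.getDetails and twice in ImageStoreJoinDaoImpl, so the set of protected names can drift between the one write path and the three read paths, at which point a value would be persisted encrypted but handed back as ciphertext, or stored in plaintext and then fed to decrypt. A single `static boolean isEncryptedDetail(String name)` beside these constants, used by all four sites, would keep them in step; the `name = 'key' or name = 'secretkey'` SQL in the 4.2.1-to-4.3 migration would need to be kept in sync with it as well. Unlike the migration, this path does not skip a null `details.get(key)` before calling `DBEncryptionUtil.encrypt`; whether encrypt tolerates null is not visible here, so either guard it or document that callers never supply null detail values. The enclosing loop and method start before this hunk.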
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/afb8a793/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java b/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java
index 3c766cf..56feb26 100644
--- a/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java
+++ b/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java
@@ -22,10 +22,13 @@ import java.util.Map;
import javax.ejb.Local;
+import org.springframework.stereotype.Component;
+
+import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO;
import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailsDao;
-import org.springframework.stereotype.Component;
+import com.cloud.utils.crypt.DBEncryptionUtil;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@@ -67,7 +70,12 @@ public class ImageStoreDetailsDaoImpl extends GenericDaoBase<ImageStoreDetailVO,
List<ImageStoreDetailVO> details = listBy(sc);
Map<String, String> detailsMap = new HashMap<String, String>();
for (ImageStoreDetailVO detail : details) {
- detailsMap.put(detail.getName(), detail.getValue());
+ String name = detail.getName();
+ String value = detail.getValue();
+ if (name.equals(ApiConstants.KEY) || name.equals(ApiConstants.S3_SECRET_KEY)) {
+ value = DBEncryptionUtil.decrypt(value);
+ }
+ detailsMap.put(name, value);
}
return detailsMap;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/afb8a793/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
index 2a75746..447a1ad 100644
--- a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
@@ -22,15 +22,18 @@ import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.response.ImageStoreDetailResponse;
import org.apache.cloudstack.api.response.ImageStoreResponse;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-import com.cloud.utils.StringUtils;
import com.cloud.api.query.vo.ImageStoreJoinVO;
import com.cloud.storage.ImageStore;
+import com.cloud.utils.StringUtils;
+import com.cloud.utils.crypt.DBEncryptionUtil;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@@ -58,7 +61,7 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
dsIdSearch.and("id", dsIdSearch.entity().getId(), SearchCriteria.Op.EQ);
dsIdSearch.done();
- this._count = "select count(distinct id) from image_store_view WHERE ";
+ _count = "select count(distinct id) from image_store_view WHERE ";
}
@@ -84,7 +87,11 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
String detailName = ids.getDetailName();
if ( detailName != null && detailName.length() > 0 ){
- ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue());
+ String detailValue = ids.getDetailValue();
+ if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
+ detailValue = DBEncryptionUtil.decrypt(detailValue);
+ }
+ ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
osResponse.addDetail(osdResponse);
}
osResponse.setObjectName("imagestore");
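Review bot: After `detailValue = DBEncryptionUtil.decrypt(detailValue)` the plaintext Swift key or S3 secret key is placed into ImageStoreDetailResponse and returned to the API caller, so the at-rest encryption this commit adds does not narrow who can read the secret through the API; the identical block in setImageStoreResponse in the next hunk has the same effect. The pre-change code returned the stored plaintext too, so this is not a regression, but it is worth confirming that every consumer of this response (the image store listing, presumably admin-only) actually needs the credential rather than a masked value, and recording that decision in a comment such as `// decrypted here because the API contract returns the configured credentials`. If masking is acceptable, the decrypt can be dropped from these two response builders and kept only in ImageStoreDetailsDaoImpl.getDetails, which the storage code relies on. Both methods start before their hunks.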
@@ -99,7 +106,11 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long
public ImageStoreResponse setImageStoreResponse(ImageStoreResponse response, ImageStoreJoinVO ids) {
String detailName = ids.getDetailName();
if ( detailName != null && detailName.length() > 0 ){
- ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue());
+ String detailValue = ids.getDetailValue();
+ if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
+ detailValue = DBEncryptionUtil.decrypt(detailValue);
+ }
+ ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
response.addDetail(osdResponse);
}
return response;