Updated Branches: refs/heads/master d4e069ecc -> c0da0a884
CLOUDSTACK-5921:S3 security key is stored in DB unencrypted Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c0da0a88 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c0da0a88 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c0da0a88 Branch: refs/heads/master Commit: c0da0a884a1cf7655c751b9d02e4994bf0fd0d2e Parents: d4e069e Author: Min Chen <min.c...@citrix.com> Authored: Tue Jan 21 14:34:32 2014 -0800 Committer: Min Chen <min.c...@citrix.com> Committed: Tue Jan 21 14:34:32 2014 -0800 ---------------------------------------------------------------------- .../com/cloud/upgrade/dao/Upgrade421to430.java | 42 +++++++++++++++++++- .../image/datastore/ImageStoreHelper.java | 9 ++++- .../image/db/ImageStoreDetailsDaoImpl.java | 9 ++++- .../api/query/dao/ImageStoreJoinDaoImpl.java | 25 ++++++++---- 4 files changed, 74 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c0da0a88/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java ---------------------------------------------------------------------- diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java index 599c1fb..7e26132 100644 --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java @@ -29,10 +29,10 @@ import java.util.HashSet; import java.util.Map; import java.util.Set; -import com.cloud.hypervisor.Hypervisor; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; +import com.cloud.hypervisor.Hypervisor; import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.script.Script; @@ -68,6 +68,7 @@ public class Upgrade421to430 implements DbUpgrade { @Override public void performDataMigration(Connection conn) { encryptLdapConfigParams(conn); + encryptImageStoreDetails(conn); upgradeMemoryOfSsvmOffering(conn); updateSystemVmTemplates(conn); } @@ -305,8 +306,44 @@ public class Upgrade421to430 implements DbUpgrade { } } s_logger.debug("Updating System Vm Template IDs Complete"); + } finally { + try { + if (rs != null) { + rs.close(); + } + + if (pstmt != null) { + pstmt.close(); + } + } catch (SQLException e) { + } } - finally { + } + + private void encryptImageStoreDetails(Connection conn) { + s_logger.debug("Encrypting image store details"); + PreparedStatement pstmt = null; + ResultSet rs = null; + try { + pstmt = conn.prepareStatement("select id, value from `cloud`.`image_store_details` where name = 'key' or name = 'secretkey'"); + rs = pstmt.executeQuery(); + while (rs.next()) { + long id = rs.getLong(1); + String value = rs.getString(2); + if (value == null) { + continue; + } + String encryptedValue = DBEncryptionUtil.encrypt(value); + pstmt = conn.prepareStatement("update `cloud`.`image_store_details` set value=? where id=?"); + pstmt.setBytes(1, encryptedValue.getBytes("UTF-8")); + pstmt.setLong(2, id); + pstmt.executeUpdate(); + } + } catch (SQLException e) { + throw new CloudRuntimeException("Unable encrypt image_store_details values ", e); + } catch (UnsupportedEncodingException e) { + throw new CloudRuntimeException("Unable encrypt image_store_details values ", e); + } finally { try { if (rs != null) { rs.close(); @@ -318,6 +355,7 @@ public class Upgrade421to430 implements DbUpgrade { } catch (SQLException e) { } } + s_logger.debug("Done encrypting image_store_details"); } @Override http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c0da0a88/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java ---------------------------------------------------------------------- diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java b/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java index bf5d646..a4c423c 100644 --- a/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java +++ b/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java @@ -26,6 +26,7 @@ import javax.inject.Inject; import org.springframework.stereotype.Component; +import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.engine.subsystem.api.storage.DataStore; import org.apache.cloudstack.storage.datastore.db.ImageStoreDao; import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO; @@ -35,6 +36,7 @@ import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao; import com.cloud.storage.DataStoreRole; import com.cloud.storage.ScopeType; +import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.exception.CloudRuntimeException; @Component @@ -104,7 +106,12 @@ public class ImageStoreHelper { ImageStoreDetailVO detail = new ImageStoreDetailVO(); detail.setStoreId(store.getId()); detail.setName(key); - detail.setValue(details.get(key)); + String value = details.get(key); + // encrypt swift key or s3 secret key + if (key.equals(ApiConstants.KEY) || key.equals(ApiConstants.S3_SECRET_KEY)) { + value = DBEncryptionUtil.encrypt(value); + } + detail.setValue(value); imageStoreDetailsDao.persist(detail); } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c0da0a88/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java ---------------------------------------------------------------------- diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java b/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java index 659a148..56feb26 100644 --- a/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java +++ b/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java @@ -24,9 +24,11 @@ import javax.ejb.Local; import org.springframework.stereotype.Component; +import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO; import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailsDao; +import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @@ -68,7 +70,12 @@ public class ImageStoreDetailsDaoImpl extends GenericDaoBase<ImageStoreDetailVO, List<ImageStoreDetailVO> details = listBy(sc); Map<String, String> detailsMap = new HashMap<String, String>(); for (ImageStoreDetailVO detail : details) { - detailsMap.put(detail.getName(), detail.getValue()); + String name = detail.getName(); + String value = detail.getValue(); + if (name.equals(ApiConstants.KEY) || name.equals(ApiConstants.S3_SECRET_KEY)) { + value = DBEncryptionUtil.decrypt(value); + } + detailsMap.put(name, value); } return detailsMap; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c0da0a88/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java index 55bc573..bcf8d4c 100644 --- a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java @@ -23,17 +23,20 @@ import javax.ejb.Local; import javax.inject.Inject; import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + +import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.response.ImageStoreDetailResponse; import org.apache.cloudstack.api.response.ImageStoreResponse; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.springframework.stereotype.Component; import com.cloud.api.query.vo.ImageStoreJoinVO; import com.cloud.storage.ImageStore; +import com.cloud.utils.StringUtils; +import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; -import com.cloud.utils.StringUtils; @Component @Local(value = {ImageStoreJoinDao.class}) @@ -57,7 +60,7 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long dsIdSearch.and("id", dsIdSearch.entity().getId(), SearchCriteria.Op.EQ); dsIdSearch.done(); - this._count = "select count(distinct id) from image_store_view WHERE "; + _count = "select count(distinct id) from image_store_view WHERE "; } @Override @@ -78,8 +81,12 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long osResponse.setZoneName(ids.getZoneName()); String detailName = ids.getDetailName(); - if (detailName != null && detailName.length() > 0) { - ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue()); + if ( detailName != null && detailName.length() > 0 ){ + String detailValue = ids.getDetailValue(); + if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) { + detailValue = DBEncryptionUtil.decrypt(detailValue); + } + ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue); osResponse.addDetail(osdResponse); } osResponse.setObjectName("imagestore"); @@ -89,8 +96,12 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long @Override public ImageStoreResponse setImageStoreResponse(ImageStoreResponse response, ImageStoreJoinVO ids) { String detailName = ids.getDetailName(); - if (detailName != null && detailName.length() > 0) { - ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue()); + if ( detailName != null && detailName.length() > 0 ){ + String detailValue = ids.getDetailValue(); + if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) { + detailValue = DBEncryptionUtil.decrypt(detailValue); + } + ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue); response.addDetail(osdResponse); } return response;
