shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2025-03-25 02:50:08 +03:00
Code Releases Wiki Activity

F #3064: pass decrypted attributes to IPAM driver (#3706)

Browse Source
This commit is contained in:
Alejandro Huertas Herrero 2019-09-16 15:51:38 +02:00 committed by Ruben S. Montero
parent fb465d88b2
commit 536672833a
11 changed files with 214 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
include/AddressRange.h
View File

@ -390,6 +390,11 @@ public:
}
}
VectorAttribute * get_attr()
{
return attr;
}
/*
* add_ar from AddressRangePool needs to access the internal representation
* of the AR to include it in the ARPool template.

33
include/Attribute.h
View File

@ -104,7 +104,18 @@ public:
*/
virtual Attribute* clone() const = 0;
/**
* Encrypt all secret attributes
*/
virtual void encrypt(const string& one_key, const set<string>& eas) {};
/**
* Decrypt all secret attributes
*/
virtual void decrypt(const string& one_key, const set<string>& eas) {};
protected:
/**
* The attribute name.
*/
@ -173,7 +184,7 @@ public:
void to_json(std::ostringstream& s) const
{
one_util::escape_json(attribute_value, s);
one_util::escape_json(attribute_value, s);
}
void to_token(std::ostringstream& s) const
@ -221,6 +232,16 @@ public:
return new SingleAttribute(*this);
};
/**
* Encrypt all secret attributes
*/
virtual void encrypt(const string& one_key, const set<string>& eas) override;
/**
* Decrypt all secret attributes
*/
virtual void decrypt(const string& one_key, const set<string>& eas) override;
private:
string attribute_value;
@ -458,6 +479,16 @@ public:
return attribute_value.empty();
}
/**
* Encrypt all secret attributes
*/
virtual void encrypt(const string& one_key, const set<string>& eas) override;
/**
* Decrypt all secret attributes
*/
virtual void decrypt(const string& one_key, const set<string>& eas) override;
private:
static const char * magic_sep;

10
include/IPAMRequest.h
View File

@ -19,6 +19,8 @@
#include "SyncRequest.h"
#include "NebulaUtil.h"
#include "Attribute.h"
#include "Template.h"
/**
* The IPAMRequest class represents a request for the IPAM driver. The request
@ -32,12 +34,10 @@ public:
/* ---------------------------------------------------------------------- */
/* IPAM Request constructors */
/* ---------------------------------------------------------------------- */
IPAMRequest(const std::string& _ar_xml) :
ar_xml(_ar_xml), address_xml("<ADDRESS><MAC/><IP/><IP6_GLOBAL/>"
"<IP6_ULA/><IP6/><SIZE/></ADDRESS>"){};
IPAMRequest(VectorAttribute * _ar_vattr) : IPAMRequest(_ar_vattr,
"<ADDRESS><MAC/><IP/><IP6_GLOBAL/><IP6_ULA/><IP6/><SIZE/></ADDRESS>"){};
IPAMRequest(const std::string& _ar_xml, const std::string& _address_xml) :
ar_xml(_ar_xml), address_xml(_address_xml){};
IPAMRequest(VectorAttribute * _ar_vattr, const std::string& _address_xml);
virtual ~IPAMRequest(){};

15
include/VirtualNetworkTemplate.h
View File

@ -70,21 +70,24 @@ public:
Template::decrypt(one_key, encrypted);
}
// One-time execution
static void parse_encrypted(vector<const SingleAttribute *>& ea)
{
Template::parse_encrypted(ea, encrypted);
auto eas = const_cast<std::map<std::string, std::set<std::string>> *>(&encrypted);
Template::parse_encrypted(ea, *eas);
}
/**
* Encrypted attribute list for VirtualNetworkTemplates
*/
static const std::map<std::string, std::set<std::string> > encrypted;
private:
/**
* Restricted attribute list for VirtualNetworkTemplates
*/
static std::map<std::string, std::set<std::string> > restricted;
/**
* Encrypted attribute list for VirtualNetworkTemplates
*/
static std::map<std::string, std::set<std::string> > encrypted;
};
/* -------------------------------------------------------------------------- */

110
src/common/Attribute.cc
View File

@ -338,3 +338,113 @@ int VectorAttribute::vector_value(const string& name, bool& value) const
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
static void encrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (!one_key.empty())
{
std::string * encrypted = one_util::aes256cbc_encrypt(in, one_key);
out = *encrypted;
delete encrypted;
}
else
{
out = in;
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
static bool decrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (one_key.empty())
{
out = in;
return true;
}
std::string * plain = one_util::aes256cbc_decrypt(in, one_key);
if (plain == nullptr)
{
return false;
}
out = *plain;
delete plain;
return true;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void SingleAttribute::encrypt(const string& one_key, const set<string>& eas)
{
string encrypted;
string tmp;
// Simple attribute present, but not encrypted, crypt it
if (!value().empty() && !decrypt_attr(one_key, value(), tmp))
{
encrypt_attr(one_key, value(), encrypted);
replace(encrypted);
}
}
void SingleAttribute::decrypt(const string& one_key, const set<string>& eas)
{
string plain;
if (!value().empty() && decrypt_attr(one_key, value(), plain))
{
replace(plain);
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void VectorAttribute::encrypt(const string& one_key, const set<string>& eas)
{
string att;
string encrypted;
string tmp;
for ( auto ea : eas )
{
att = vector_value(ea);
if (!att.empty() && !decrypt_attr(one_key, att, tmp))
{
// Nested attribute present, but not encrypted, crypt it
encrypt_attr(one_key, att, encrypted);
replace(ea, encrypted);
}
}
}
void VectorAttribute::decrypt(const string& one_key, const set<string>& eas)
{
string att;
string plain;
for ( auto ea : eas )
{
att = vector_value(ea);
if (!att.empty() && decrypt_attr(one_key, att, plain))
{
replace(ea, plain);
}
}
}

41
src/ipamm/IPAMRequest.cc Normal file
View File

@ -0,0 +1,41 @@
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2019, OpenNebula Project, OpenNebula Systems */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#include "IPAMRequest.h"
#include "VirtualNetworkTemplate.h"
#include "Nebula.h"
using namespace std;
IPAMRequest::IPAMRequest(VectorAttribute * _ar_vattr,
const std::string& _address_xml)
{
string one_key;
Nebula::instance().get_configuration_attribute("ONE_KEY", one_key);
for ( auto ea : VirtualNetworkTemplate::encrypted )
{
_ar_vattr->decrypt(one_key, ea.second);
}
std::ostringstream oss;
_ar_vattr->to_xml(oss);
ar_xml = oss.str();
address_xml = _address_xml;
}

3
src/ipamm/SConstruct
View File

@ -23,7 +23,8 @@ lib_name='nebula_ipamm'
# Sources to generate the library
source_files=[
'IPAMManager.cc',
'IPAMManagerDriver.cc'
'IPAMManagerDriver.cc',
'IPAMRequest.cc'
]
# Build library

94
src/template/Template.cc
View File

@ -913,54 +913,6 @@ bool Template::check_restricted(string& ra,
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
static void encrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (!one_key.empty())
{
std::string * encrypted = one_util::aes256cbc_encrypt(in, one_key);
out = *encrypted;
delete encrypted;
}
else
{
out = in;
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
static bool decrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (one_key.empty())
{
out = in;
return true;
}
std::string * plain = one_util::aes256cbc_decrypt(in, one_key);
if (plain == nullptr)
{
return false;
}
out = *plain;
delete plain;
return true;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void Template::encrypt(const std::string& one_key,
const std::map<std::string, std::set<std::string> >& eas)
{
@ -968,10 +920,6 @@ void Template::encrypt(const std::string& one_key,
{
const std::set<std::string>& sub = eit.second;
std::string tmp;
std::string encrypted;
std::string att;
if (!sub.empty()) //Vector Attribute
{
vector<VectorAttribute *> vatt;
@ -985,18 +933,7 @@ void Template::encrypt(const std::string& one_key,
for ( auto vattit : vatt )
{
for ( auto subit : sub )
{
att = vattit->vector_value(subit);
if (!att.empty() && !decrypt_attr(one_key, att, tmp))
{
// Nested attribute present, but not encrypted, crypt it
encrypt_attr(one_key, att, encrypted);
vattit->replace(subit, encrypted);
}
}
vattit->encrypt(one_key, sub);
}
}
else
@ -1007,15 +944,7 @@ void Template::encrypt(const std::string& one_key,
for ( auto attit : vatt )
{
string aval = attit->value();
// Simple attribute present, but not encrypted, crypt it
if (!aval.empty() && !decrypt_attr(one_key, aval, tmp))
{
encrypt_attr(one_key, aval, encrypted);
attit->replace(encrypted);
}
attit->encrypt(one_key, sub);
}
}
}
@ -1031,9 +960,6 @@ void Template::decrypt(const std::string& one_key,
{
const std::set<std::string>& sub = eit.second;
std::string att;
std::string plain;
if (!sub.empty()) //Vector Attribute
{
vector<VectorAttribute *> vatt;
@ -1042,15 +968,8 @@ void Template::decrypt(const std::string& one_key,
for ( auto vattit : vatt )
{
for ( auto subit : sub )
{
att = vattit->vector_value(subit);
vattit->decrypt(one_key, sub);
if (!att.empty() && decrypt_attr(one_key, att, plain))
{
vattit->replace(subit, plain);
}
}
}
}
else
@ -1061,12 +980,7 @@ void Template::decrypt(const std::string& one_key,
for ( auto attit : vatt )
{
string aval = attit->value();
if (!aval.empty() && decrypt_attr(one_key, aval, plain))
{
attit->replace(plain);
}
attit->decrypt(one_key, sub);
}
}
}

21
src/vnm/AddressRangeIPAM.cc
View File

@ -26,13 +26,9 @@
int AddressRangeIPAM::from_vattr(VectorAttribute * attr, std::string& error_msg)
{
std::ostringstream oss;
IPAMManager * ipamm = Nebula::instance().get_ipamm();
attr->to_xml(oss);
IPAMRequest ir(oss.str());
IPAMRequest ir(attr);
ipamm->trigger(IPMAction::REGISTER_ADDRESS_RANGE, &ir);
@ -61,20 +57,17 @@ int AddressRangeIPAM::allocate_addr(unsigned int index, unsigned int rsize,
IPAMManager * ipamm = Nebula::instance().get_ipamm();
std::ostringstream oss;
std::string ar_xml;
std::string address_xml;
to_xml(oss);
ar_xml = oss.str();
oss.str("");
addr_to_xml(index, rsize, oss);
address_xml = oss.str();
IPAMRequest ir(ar_xml, address_xml);
IPAMRequest ir(get_attr(), address_xml);
ipamm->trigger(IPMAction::ALLOCATE_ADDRESS, &ir);
@ -98,20 +91,17 @@ int AddressRangeIPAM::get_addr(unsigned int& index, unsigned int rsize,
IPAMManager * ipamm = Nebula::instance().get_ipamm();
std::ostringstream oss;
std::string ar_xml;
std::string address_xml;
to_xml(oss);
ar_xml = oss.str();
oss.str("");
oss << "<ADDRESS><SIZE>" << rsize << "</SIZE></ADDRESS>";
address_xml = oss.str();
IPAMRequest ir(ar_xml, address_xml);
IPAMRequest ir(get_attr(), address_xml);
ipamm->trigger(IPMAction::GET_ADDRESS, &ir);
@ -158,20 +148,17 @@ int AddressRangeIPAM::free_addr(unsigned int index, std::string& error_msg)
IPAMManager * ipamm = Nebula::instance().get_ipamm();
std::ostringstream oss;
std::string ar_xml;
std::string address_xml;
to_xml(oss);
ar_xml = oss.str();
oss.str("");
addr_to_xml(index, 1, oss);
address_xml = oss.str();
IPAMRequest ir(ar_xml, address_xml);
IPAMRequest ir(get_attr(), address_xml);
ipamm->trigger(IPMAction::FREE_ADDRESS, &ir);

6
src/vnm/AddressRangePool.cc
View File

@ -214,11 +214,7 @@ int AddressRangePool::rm_ar(unsigned int ar_id, string& error_msg)
{
IPAMManager * ipamm = Nebula::instance().get_ipamm();
std::ostringstream ar_xml;
ar_ptr->to_xml(ar_xml);
IPAMRequest ir(ar_xml.str());
IPAMRequest ir(ar_ptr->get_attr());
ipamm->trigger(IPMAction::UNREGISTER_ADDRESS_RANGE, &ir);

2
src/vnm/VirtualNetworkTemplate.cc
View File

@ -20,7 +20,7 @@
/* -------------------------------------------------------------------------- */
std::map<std::string, std::set<std::string> > VirtualNetworkTemplate::restricted;
std::map<std::string, std::set<std::string> > VirtualNetworkTemplate::encrypted;
const std::map<std::string, std::set<std::string> > VirtualNetworkTemplate::encrypted;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */