diff --git a/include/AddressRange.h b/include/AddressRange.h index 9315e8a3ac..81c955baeb 100644 --- a/include/AddressRange.h +++ b/include/AddressRange.h @@ -390,6 +390,11 @@ public: } } + VectorAttribute * get_attr() + { + return attr; + } + /* * add_ar from AddressRangePool needs to access the internal representation * of the AR to include it in the ARPool template. diff --git a/include/Attribute.h b/include/Attribute.h index 7a12c7c24b..4923cb2486 100644 --- a/include/Attribute.h +++ b/include/Attribute.h @@ -104,7 +104,18 @@ public: */ virtual Attribute* clone() const = 0; + /** + * Encrypt all secret attributes + */ + virtual void encrypt(const string& one_key, const set& eas) {}; + + /** + * Decrypt all secret attributes + */ + virtual void decrypt(const string& one_key, const set& eas) {}; + protected: + /** * The attribute name. */ @@ -173,7 +184,7 @@ public: void to_json(std::ostringstream& s) const { - one_util::escape_json(attribute_value, s); + one_util::escape_json(attribute_value, s); } void to_token(std::ostringstream& s) const @@ -221,6 +232,16 @@ public: return new SingleAttribute(*this); }; + /** + * Encrypt all secret attributes + */ + virtual void encrypt(const string& one_key, const set& eas) override; + + /** + * Decrypt all secret attributes + */ + virtual void decrypt(const string& one_key, const set& eas) override; + private: string attribute_value; @@ -458,6 +479,16 @@ public: return attribute_value.empty(); } + /** + * Encrypt all secret attributes + */ + virtual void encrypt(const string& one_key, const set& eas) override; + + /** + * Decrypt all secret attributes + */ + virtual void decrypt(const string& one_key, const set& eas) override; + private: static const char * magic_sep; diff --git a/include/IPAMRequest.h b/include/IPAMRequest.h index 298f7614ab..6164d86c25 100644 --- a/include/IPAMRequest.h +++ b/include/IPAMRequest.h 
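Review bot: `get_attr()` hands out a mutable pointer to the AR's internal `attr` with no documentation, right above the comment explaining that only `add_ar` should need that internal representation. Because the new IPAMRequest constructor decrypts through this pointer, anyone holding the AddressRange sees its secret sub-attributes change underneath it. A header comment stating ownership and that contract would help, e.g. `/* Non-owning pointer to the AR attribute; IPAMRequest decrypts it in place */`, and a `const VectorAttribute * get_attr() const` overload would let read-only callers avoid the mutable handle.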
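Review bot: The base-class `encrypt`/`decrypt` defaults in Attribute.h are silent no-ops (`{};`), so a future Attribute subclass that carries secrets would skip encryption without any compile-time signal; declaring them pure virtual like `clone()`, or at least documenting the no-op, makes that explicit. The `eas` parameter is not used on the single-attribute path (see the SingleAttribute hunk in Attribute.cc), so `const set& /*eas*/` would document that. On the SingleAttribute and VectorAttribute declarations `virtual ... override` is redundant — `override` alone is enough — and the trailing `;` after each empty inline body is stray.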
@@ -19,6 +19,8 @@ #include "SyncRequest.h" #include "NebulaUtil.h" +#include "Attribute.h" +#include "Template.h" /** * The IPAMRequest class represents a request for the IPAM driver. The request @@ -32,12 +34,10 @@ public: /* ---------------------------------------------------------------------- */ /* IPAM Request constructors */ /* ---------------------------------------------------------------------- */ - IPAMRequest(const std::string& _ar_xml) : - ar_xml(_ar_xml), address_xml("
" - "
"){}; + IPAMRequest(VectorAttribute * _ar_vattr) : IPAMRequest(_ar_vattr, + "
"){}; - IPAMRequest(const std::string& _ar_xml, const std::string& _address_xml) : - ar_xml(_ar_xml), address_xml(_address_xml){}; + IPAMRequest(VectorAttribute * _ar_vattr, const std::string& _address_xml); virtual ~IPAMRequest(){}; diff --git a/include/VirtualNetworkTemplate.h b/include/VirtualNetworkTemplate.h index 466bf76408..2e01d629d2 100644 --- a/include/VirtualNetworkTemplate.h +++ b/include/VirtualNetworkTemplate.h @@ -70,21 +70,24 @@ public: Template::decrypt(one_key, encrypted); } + // One-time execution static void parse_encrypted(vector& ea) { - Template::parse_encrypted(ea, encrypted); + auto eas = const_cast> *>(&encrypted); + + Template::parse_encrypted(ea, *eas); } + /** + * Encrypted attribute list for VirtualNetworkTemplates + */ + static const std::map > encrypted; + private: /** * Restricted attribute list for VirtualNetworkTemplates */ static std::map > restricted; - - /** - * Encrypted attribute list for VirtualNetworkTemplates - */ - static std::map > encrypted; }; /* -------------------------------------------------------------------------- */ diff --git a/src/common/Attribute.cc b/src/common/Attribute.cc index bcc2d3f38b..6c640e9c72 100644 --- a/src/common/Attribute.cc +++ b/src/common/Attribute.cc 
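Review bot: `parse_encrypted` writes into `encrypted` through a `const_cast`, and the VirtualNetworkTemplate.cc hunk on this page now defines that static as `const`, so the write modifies an object that was created const — undefined behaviour, not just a cast around the type; the `// One-time execution` comment does not make it safe, since the compiler may place the object in read-only storage or assume it never changes. Keep the definition and declaration non-const as they were, leave the member `private`, and give IPAMRequest a read-only accessor instead, e.g. `static const std::map<...>& get_encrypted() { return encrypted; }` (with the map's existing key/value types). The `const_cast` and the `+const` in the .cc definition then go away together.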
@@ -338,3 +338,113 @@ int VectorAttribute::vector_value(const string& name, bool& value) const /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ +static void encrypt_attr(const std::string& one_key, + const std::string& in, + std::string& out) +{ + if (!one_key.empty()) + { + std::string * encrypted = one_util::aes256cbc_encrypt(in, one_key); + + out = *encrypted; + + delete encrypted; + } + else + { + out = in; + } +} + +/* -------------------------------------------------------------------------- */ +/* -------------------------------------------------------------------------- */ + +static bool decrypt_attr(const std::string& one_key, + const std::string& in, + std::string& out) +{ + if (one_key.empty()) + { + out = in; + return true; + } + + std::string * plain = one_util::aes256cbc_decrypt(in, one_key); + + if (plain == nullptr) + { + return false; + } + + out = *plain; + + delete plain; + + return true; +} + +/* -------------------------------------------------------------------------- */ +/* -------------------------------------------------------------------------- */ + +void SingleAttribute::encrypt(const string& one_key, const set& eas) +{ + string encrypted; + string tmp; + + // Simple attribute present, but not encrypted, crypt it + if (!value().empty() && !decrypt_attr(one_key, value(), tmp)) + { + encrypt_attr(one_key, value(), encrypted); + + replace(encrypted); + } +} + +void SingleAttribute::decrypt(const string& one_key, const set& eas) +{ + string plain; + + if (!value().empty() && decrypt_attr(one_key, value(), plain)) + { + replace(plain); + } +} + +/* -------------------------------------------------------------------------- */ +/* -------------------------------------------------------------------------- */ + +void VectorAttribute::encrypt(const string& one_key, const set& eas) +{ + string att; + string encrypted; + string tmp; + + 
for ( auto ea : eas ) + { + att = vector_value(ea); + + if (!att.empty() && !decrypt_attr(one_key, att, tmp)) + { + // Nested attribute present, but not encrypted, crypt it + encrypt_attr(one_key, att, encrypted); + + replace(ea, encrypted); + } + } +} + +void VectorAttribute::decrypt(const string& one_key, const set& eas) +{ + string att; + string plain; + + for ( auto ea : eas ) + { + att = vector_value(ea); + + if (!att.empty() && decrypt_attr(one_key, att, plain)) + { + replace(ea, plain); + } + } +} diff --git a/src/ipamm/IPAMRequest.cc b/src/ipamm/IPAMRequest.cc new file mode 100644 index 0000000000..30e81701b7 --- /dev/null +++ b/src/ipamm/IPAMRequest.cc 
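Review bot: `encrypt_attr` dereferences the pointer returned by `one_util::aes256cbc_encrypt` without a null check, while `decrypt_attr` directly below guards `aes256cbc_decrypt` against `nullptr`; if the encrypt helper can fail the same way, this is a crash rather than a reported error. Both helpers also manage the returned `std::string*` with raw `delete`, which is not exception-safe; a `std::unique_ptr<std::string>` (add `<memory>`) covers both. I would make `encrypt_attr` return `bool` like its counterpart and have `SingleAttribute::encrypt`/`VectorAttribute::encrypt` only call `replace` on success, so a failed encryption is visible instead of silently leaving the value as-is. In `VectorAttribute::encrypt`/`decrypt`, `for ( auto ea : eas )` copies each key; `const auto& ea` avoids that. Note also that "already encrypted" is inferred from a successful trial decrypt, so a plaintext value that happens to decrypt cleanly would be left in the clear — probably rare, but worth a comment.
```cpp
static bool encrypt_attr(const std::string& one_key,
                         const std::string& in,
                         std::string& out)
{
    if (one_key.empty())
    {
        out = in;
        return true;
    }

    std::unique_ptr<std::string> encrypted(one_util::aes256cbc_encrypt(in, one_key));

    if (!encrypted)
    {
        return false;
    }

    out = *encrypted;

    return true;
}

/* … unchanged: decrypt_attr (switch its raw delete to unique_ptr the same way) … */

void SingleAttribute::encrypt(const string& one_key, const set& eas)
{
    string encrypted;
    string tmp;

    // Simple attribute present, but not encrypted, crypt it
    if (!value().empty() && !decrypt_attr(one_key, value(), tmp)
        && encrypt_attr(one_key, value(), encrypted))
    {
        replace(encrypted);
    }
}

/* … unchanged: SingleAttribute::decrypt … */

void VectorAttribute::encrypt(const string& one_key, const set& eas)
{
    string att;
    string encrypted;
    string tmp;

    for ( const auto& ea : eas )
    {
        att = vector_value(ea);

        // Nested attribute present, but not encrypted, crypt it
        if (!att.empty() && !decrypt_attr(one_key, att, tmp)
            && encrypt_attr(one_key, att, encrypted))
        {
            replace(ea, encrypted);
        }
    }
}

/* … unchanged: VectorAttribute::decrypt (use const auto& ea in its loop) … */
```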
@@ -0,0 +1,41 @@ +/* -------------------------------------------------------------------------- */ +/* Copyright 2002-2019, OpenNebula Project, OpenNebula Systems */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); you may */ +/* not use this file except in compliance with the License. You may obtain */ +/* a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */ +/* See the License for the specific language governing permissions and */ +/* limitations under the License. */ +/* -------------------------------------------------------------------------- */ + +#include "IPAMRequest.h" +#include "VirtualNetworkTemplate.h" +#include "Nebula.h" + +using namespace std; + +IPAMRequest::IPAMRequest(VectorAttribute * _ar_vattr, + const std::string& _address_xml) +{ + string one_key; + + Nebula::instance().get_configuration_attribute("ONE_KEY", one_key); + + for ( auto ea : VirtualNetworkTemplate::encrypted ) + { + _ar_vattr->decrypt(one_key, ea.second); + } + + std::ostringstream oss; + + _ar_vattr->to_xml(oss); + + ar_xml = oss.str(); + address_xml = _address_xml; +} diff --git a/src/ipamm/SConstruct b/src/ipamm/SConstruct index 950ce85927..128c9dc8e6 100644 --- a/src/ipamm/SConstruct +++ b/src/ipamm/SConstruct @@ -23,7 +23,8 @@ lib_name='nebula_ipamm' # Sources to generate the library source_files=[ 'IPAMManager.cc', - 'IPAMManagerDriver.cc' + 'IPAMManagerDriver.cc', + 'IPAMRequest.cc' ] # Build library diff --git a/src/template/Template.cc b/src/template/Template.cc index 15e79472a8..5a447c85d6 100644 --- a/src/template/Template.cc +++ b/src/template/Template.cc 
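Review bot: The constructor decrypts `_ar_vattr` in place and never re-encrypts it, so once the request is built the caller's live AddressRange attribute holds its secret sub-attributes in plaintext for the rest of the object's lifetime, and any later `to_xml` of that AR (for example when the pool is written back) could persist them unencrypted. Decrypt a private copy instead — `Attribute::clone()` is declared in the Attribute.h hunk on this page — and serialize that copy. `_ar_vattr` is also dereferenced with no null check, although `get_attr()` gives no nullability guarantee, and `for ( auto ea : VirtualNetworkTemplate::encrypted )` copies each map entry where `const auto&` would do. The same in-place decryption reaches the three `IPAMRequest ir(get_attr(), ...)` call sites in AddressRangeIPAM.cc and `ar_ptr->get_attr()` in AddressRangePool.cc.
```cpp
IPAMRequest::IPAMRequest(VectorAttribute * _ar_vattr,
                         const std::string& _address_xml)
{
    string one_key;

    Nebula::instance().get_configuration_attribute("ONE_KEY", one_key);

    // Decrypt a private copy so the caller's attribute keeps its secrets
    // encrypted in memory (needs <memory>)
    std::unique_ptr<VectorAttribute> ar_copy(
            static_cast<VectorAttribute *>(_ar_vattr->clone()));

    for ( const auto& ea : VirtualNetworkTemplate::encrypted )
    {
        ar_copy->decrypt(one_key, ea.second);
    }

    std::ostringstream oss;

    ar_copy->to_xml(oss);

    ar_xml      = oss.str();
    address_xml = _address_xml;
}
```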
@@ -913,54 +913,6 @@ bool Template::check_restricted(string& ra, /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -static void encrypt_attr(const std::string& one_key, - const std::string& in, - std::string& out) -{ - if (!one_key.empty()) - { - std::string * encrypted = one_util::aes256cbc_encrypt(in, one_key); - - out = *encrypted; - - delete encrypted; - } - else - { - out = in; - } -} - -/* -------------------------------------------------------------------------- */ -/* -------------------------------------------------------------------------- */ - -static bool decrypt_attr(const std::string& one_key, - const std::string& in, - std::string& out) -{ - if (one_key.empty()) - { - out = in; - return true; - } - - std::string * plain = one_util::aes256cbc_decrypt(in, one_key); - - if (plain == nullptr) - { - return false; - } - - out = *plain; - - delete plain; - - return true; -} - -/* -------------------------------------------------------------------------- */ -/* -------------------------------------------------------------------------- */ - void Template::encrypt(const std::string& one_key, const std::map >& eas) { @@ -968,10 +920,6 @@ void Template::encrypt(const std::string& one_key, { const std::set& sub = eit.second; - std::string tmp; - std::string encrypted; - std::string att; - if (!sub.empty()) //Vector Attribute { vector vatt; @@ -985,18 +933,7 @@ void Template::encrypt(const std::string& one_key, for ( auto vattit : vatt ) { - for ( auto subit : sub ) - { - att = vattit->vector_value(subit); - - if (!att.empty() && !decrypt_attr(one_key, att, tmp)) - { - // Nested attribute present, but not encrypted, crypt it - encrypt_attr(one_key, att, encrypted); - - vattit->replace(subit, encrypted); - } - } + vattit->encrypt(one_key, sub); } } else 
@@ -1007,15 +944,7 @@ void Template::encrypt(const std::string& one_key, for ( auto attit : vatt ) { - string aval = attit->value(); - - // Simple attribute present, but not encrypted, crypt it - if (!aval.empty() && !decrypt_attr(one_key, aval, tmp)) - { - encrypt_attr(one_key, aval, encrypted); - - attit->replace(encrypted); - } + attit->encrypt(one_key, sub); } } } @@ -1031,9 +960,6 @@ void Template::decrypt(const std::string& one_key, { const std::set& sub = eit.second; - std::string att; - std::string plain; - if (!sub.empty()) //Vector Attribute { vector vatt; @@ -1042,15 +968,8 @@ void Template::decrypt(const std::string& one_key, for ( auto vattit : vatt ) { - for ( auto subit : sub ) - { - att = vattit->vector_value(subit); + vattit->decrypt(one_key, sub); - if (!att.empty() && decrypt_attr(one_key, att, plain)) - { - vattit->replace(subit, plain); - } - } } } else @@ -1061,12 +980,7 @@ void Template::decrypt(const std::string& one_key, for ( auto attit : vatt ) { - string aval = attit->value(); - - if (!aval.empty() && decrypt_attr(one_key, aval, plain)) - { - attit->replace(plain); - } + attit->decrypt(one_key, sub); } } } diff --git a/src/vnm/AddressRangeIPAM.cc b/src/vnm/AddressRangeIPAM.cc index a5b95c7c17..2a82e0dd17 100644 --- a/src/vnm/AddressRangeIPAM.cc +++ b/src/vnm/AddressRangeIPAM.cc @@ -26,13 +26,9 @@ int AddressRangeIPAM::from_vattr(VectorAttribute * attr, std::string& error_msg) { - std::ostringstream oss; - IPAMManager * ipamm = Nebula::instance().get_ipamm(); - attr->to_xml(oss); - - IPAMRequest ir(oss.str()); + IPAMRequest ir(attr); ipamm->trigger(IPMAction::REGISTER_ADDRESS_RANGE, &ir); 
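Review bot: The vector branch of `Template::decrypt` (hunk `@@ -1042,15 +968,8 @@`) appears to be left with a blank line between `vattit->decrypt(one_key, sub);` and the closing brace, judging by the one-line difference against the matching `Template::encrypt` hunk; the `+` line should be followed directly by `}` as in the encrypt counterpart. Both loops still use `for ( auto vattit : vatt )`, which is fine for pointers, but the enclosing functions start and end outside these hunks, so the remaining `tmp`/`encrypted`/`att` cleanup cannot be confirmed from here.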
@@ -61,20 +57,17 @@ int AddressRangeIPAM::allocate_addr(unsigned int index, unsigned int rsize, IPAMManager * ipamm = Nebula::instance().get_ipamm(); std::ostringstream oss; - std::string ar_xml; std::string address_xml; to_xml(oss); - ar_xml = oss.str(); - oss.str(""); addr_to_xml(index, rsize, oss); address_xml = oss.str(); - IPAMRequest ir(ar_xml, address_xml); + IPAMRequest ir(get_attr(), address_xml); ipamm->trigger(IPMAction::ALLOCATE_ADDRESS, &ir); @@ -98,20 +91,17 @@ int AddressRangeIPAM::get_addr(unsigned int& index, unsigned int rsize, IPAMManager * ipamm = Nebula::instance().get_ipamm(); std::ostringstream oss; - std::string ar_xml; std::string address_xml; to_xml(oss); - ar_xml = oss.str(); - oss.str(""); oss << "
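Review bot: `to_xml(oss);` is still called before `addr_to_xml(index, rsize, oss);`, but the `oss.str("");` reset that used to follow it was removed together with `ar_xml`, so `address_xml` now carries the whole AR XML prepended to the address element and the IPAM driver receives a malformed address document. Since the AR is now passed through `get_attr()`, the `to_xml(oss);` line should simply be dropped (or the `oss.str("");` reset restored). The `get_addr` and `free_addr` hunks below have the identical leftover `to_xml(oss);` and need the same fix.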
" << rsize << "
"; address_xml = oss.str(); - IPAMRequest ir(ar_xml, address_xml); + IPAMRequest ir(get_attr(), address_xml); ipamm->trigger(IPMAction::GET_ADDRESS, &ir); @@ -158,20 +148,17 @@ int AddressRangeIPAM::free_addr(unsigned int index, std::string& error_msg) IPAMManager * ipamm = Nebula::instance().get_ipamm(); std::ostringstream oss; - std::string ar_xml; std::string address_xml; to_xml(oss); - ar_xml = oss.str(); - oss.str(""); addr_to_xml(index, 1, oss); address_xml = oss.str(); - IPAMRequest ir(ar_xml, address_xml); + IPAMRequest ir(get_attr(), address_xml); ipamm->trigger(IPMAction::FREE_ADDRESS, &ir); diff --git a/src/vnm/AddressRangePool.cc b/src/vnm/AddressRangePool.cc index 116a98e6c0..cf01050b9a 100644 --- a/src/vnm/AddressRangePool.cc +++ b/src/vnm/AddressRangePool.cc @@ -214,11 +214,7 @@ int AddressRangePool::rm_ar(unsigned int ar_id, string& error_msg) { IPAMManager * ipamm = Nebula::instance().get_ipamm(); - std::ostringstream ar_xml; - - ar_ptr->to_xml(ar_xml); - - IPAMRequest ir(ar_xml.str()); + IPAMRequest ir(ar_ptr->get_attr()); ipamm->trigger(IPMAction::UNREGISTER_ADDRESS_RANGE, &ir); diff --git a/src/vnm/VirtualNetworkTemplate.cc b/src/vnm/VirtualNetworkTemplate.cc index 8d7cd9ed16..d5216b2004 100644 --- a/src/vnm/VirtualNetworkTemplate.cc +++ b/src/vnm/VirtualNetworkTemplate.cc @@ -20,7 +20,7 @@ /* -------------------------------------------------------------------------- */ std::map > VirtualNetworkTemplate::restricted; -std::map > VirtualNetworkTemplate::encrypted; +const std::map > VirtualNetworkTemplate::encrypted; /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */