F #5431: User encrypted attributes (#1574)

2025-03-22 18:50:08 +03:00 · 2021-11-24 10:58:42 +01:00 · 2021-11-24 10:58:42 +01:00 · 9aa26b295d
commit 9aa26b295d
parent 896f8fe2f0
7 changed files with 37 additions and 6 deletions
--- a/include/UserPool.h
+++ b/include/UserPool.h
@ -40,7 +40,8 @@ class UserPool : public PoolSQL
 public:

    UserPool(SqlDB * db, time_t  __session_expiration_time, bool is_slave,
-        std::vector<const SingleAttribute *>& restricted_attrs);
+        std::vector<const SingleAttribute *>& restricted_attrs,
+        std::vector<const SingleAttribute *>& encrypted_attrs);

    ~UserPool() = default;

--- a/include/UserTemplate.h
+++ b/include/UserTemplate.h
@ -47,11 +47,34 @@ public:
        Template::parse_restricted(ra, restricted);
    }

+    // -------------------------------------------------------------------------
+    // Encrypted attributes interface implementation
+    // -------------------------------------------------------------------------
+    virtual void encrypt(const std::string& one_key)
+    {
+        Template::encrypt(one_key, encrypted);
+    }
+
+    virtual void decrypt(const std::string& one_key)
+    {
+        Template::decrypt(one_key, encrypted);
+    }
+
+    static void parse_encrypted(std::vector<const SingleAttribute *>& ea)
+    {
+        Template::parse_encrypted(ea, encrypted);
+    }
+
 private:
    /**
     *  Restricted attribute list for UserTemplate
     */
    static std::map<std::string, std::set<std::string>> restricted;
+
+    /**
+     *  Encrypted attribute list for ImageTemplates
+     */
+    static std::map<std::string, std::set<std::string> > encrypted;
 };

 /* -------------------------------------------------------------------------- */
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@ -573,7 +573,7 @@ CommandParser::CmdParser.new(ARGV) do
    EOT

    command :show, show_desc, [:userid, nil],
-            :options => OpenNebulaHelper::FORMAT do
+            :options => [OpenNebulaHelper::FORMAT, OpenNebulaHelper::DECRYPT] do
        user = args[0] || OpenNebula::User::SELF
        helper.show_resource(user, options)
    end
--- a/src/nebula/Nebula.cc
+++ b/src/nebula/Nebula.cc
@ -734,6 +734,7 @@ void Nebula::start(bool bootstrap_only)
        /* ----------------------- Group/User Pool -------------------------- */
        vector<const SingleAttribute *> user_restricted;
        vector<const SingleAttribute *> group_restricted;
+        vector<const SingleAttribute *> user_encrypted;

        time_t  expiration_time;

@ -743,9 +744,10 @@ void Nebula::start(bool bootstrap_only)

        nebula_configuration->get("SESSION_EXPIRATION_TIME", expiration_time);
        nebula_configuration->get("USER_RESTRICTED_ATTR", user_restricted);
+        nebula_configuration->get("USER_ENCRYPTED_ATTR", user_encrypted);

        upool = new UserPool(db_ptr, expiration_time, is_federation_slave(),
-                user_restricted);
+                user_restricted, user_encrypted);

        /* -------------------- Image/Datastore Pool ------------------------ */
        string  image_type;
--- a/src/oca/ruby/opennebula/user.rb
+++ b/src/oca/ruby/opennebula/user.rb
@ -89,8 +89,8 @@ module OpenNebula
        #######################################################################

        # Retrieves the information of the given User.
-        def info()
-            super(USER_METHODS[:info], 'USER')
+        def info(decrypt = false)
+            super(USER_METHODS[:info], 'USER', decrypt)
        end

        alias_method :info!, :info
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@ -54,7 +54,8 @@ string UserPool::oneadmin_name;
 /* -------------------------------------------------------------------------- */

 UserPool::UserPool(SqlDB * db, time_t __session_expiration_time, bool is_slave,
-        vector<const SingleAttribute *>& restricted_attrs)
+        vector<const SingleAttribute *>& restricted_attrs,
+        vector<const SingleAttribute *>& encrypted_attrs)
    : PoolSQL(db, one_db::user_table)
 {
    int one_uid    = -1;
@ -81,6 +82,8 @@ UserPool::UserPool(SqlDB * db, time_t __session_expiration_time, bool is_slave,
    // Set restricted attributes
    UserTemplate::parse_restricted(restricted_attrs);

+    UserTemplate::parse_encrypted(encrypted_attrs);
+
    auto oneadmin_user = get_ro(0);

    //Slaves do not need to init the pool, just the oneadmin username
--- a/src/um/UserTemplate.cc
+++ b/src/um/UserTemplate.cc
@ -20,3 +20,5 @@
 /* -------------------------------------------------------------------------- */

 std::map<std::string, std::set<std::string>> UserTemplate::restricted;
+
+std::map<std::string, std::set<std::string> > UserTemplate::encrypted;