
F #3064: encrypt address range template

The address range template in the address range pool is now encrypted.
This commit is contained in:
Alejandro Huertas 2019-09-12 18:24:23 +02:00 committed by Ruben S. Montero
parent 258196c165
commit e997d2b2b3
No known key found for this signature in database
GPG Key ID: A0CEA6FA880A1D87
10 changed files with 109 additions and 190 deletions


@ -368,11 +368,6 @@ public:
*/
static void set_restricted_attributes(vector<const SingleAttribute *>& ras);
/**
* Helper function to initialize encrypted attributes of an AddressRange
*/
static void set_encrypted_attributes(vector<const SingleAttribute *>& eas);
/**
* Get the security groups for this AR.
* @return a reference to the security group set
@ -401,16 +396,6 @@ public:
*/
friend int AddressRangePool::add_ar(AddressRange * ar);
/**
* Encrypt all secret attributes
*/
void encrypt(const std::string& one_key);
/**
* Decrypt all secret attributes
*/
void decrypt(const std::string& one_key);
protected:
/**
* Base constructor it cannot be called directly but from the
@ -801,15 +786,6 @@ private:
*/
static set<string> restricted_attributes;
/* ---------------------------------------------------------------------- */
/* Encrypted Attributes */
/* ---------------------------------------------------------------------- */
/**
* The encrypted attributes from oned.conf
*/
static set<string> encrypted_attributes;
/**
* Attributes to be process for Security Group rules
*/


@ -24,7 +24,7 @@
#include <libxml/parser.h>
#include "Template.h"
#include "VirtualNetworkTemplate.h"
#include "PoolObjectSQL.h"
class VectorAttribute;
@ -332,19 +332,25 @@ public:
/**
* Encrypt all secret attributes
*/
void encrypt(const std::string& one_key);
void encrypt(const std::string& one_key)
{
ar_template.encrypt(one_key);
};
/**
* Decrypt all secret attributes
*/
void decrypt(const std::string& one_key);
void decrypt(const std::string& one_key)
{
ar_template.decrypt(one_key);
};
private:
/**
* Stores the Address Ranges in a template form. This template is used
* to store the pool in the DB
*/
Template ar_template;
VirtualNetworkTemplate ar_template;
/**
* ID for the next Address Range
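Review bot: The `};` closing each of the new inline bodies of `encrypt` and `decrypt` carries a stray semicolon, which is an empty declaration at class scope; write them as `void encrypt(const std::string& one_key) { ar_template.encrypt(one_key); }` and likewise for `decrypt`. Since `ar_template` is documented just below as the form in which the pool is stored in the DB, the Doxygen comment on both functions would be more useful if it said what is being protected, e.g. `Encrypt/decrypt the attributes configured as encrypted inside the pool's DB template (ar_template)`. Which attribute set `VirtualNetworkTemplate::encrypt` consults is not visible in this header, so the comment should not name it unless confirmed. Both functions are fully contained in the hunk.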


@ -446,25 +446,6 @@ public:
*/
virtual void decrypt(const std::string& one_key){};
/**
* Crypt string using aes256cbc, use ONE_KEY as key
* If key doesn't exists out = in
* @param in plain text
* @param out crypted text encoded as base64
*/
static void encrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out);
/**
* Decrypt input text encoded as base64, using ONE_KEY as key
* If key doesn't exists,
* @param in base64 text crypted by aes256cbc
* @param out plain text, if decryption succesfull.
* @return true, if text was decrypted, false otherwise
*/
static bool decrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out);
/**
* @return true if template is empty
*/


@ -29,6 +29,12 @@ class VirtualNetworkTemplate : public Template
public:
VirtualNetworkTemplate():Template(false,'=',"TEMPLATE"){};
VirtualNetworkTemplate(bool replace_mode,
const char separator,
const char * xml_root):Template(replace_mode,
separator,
xml_root){};
~VirtualNetworkTemplate(){};
VirtualNetworkTemplate(VirtualNetworkTemplate& vnt):Template(vnt){};
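Review bot: The added three-argument constructor `VirtualNetworkTemplate(bool replace_mode, const char separator, const char * xml_root)` has no caller anywhere in this commit and no comment, so a reader cannot tell why it exists. If it is meant for building the pool's `ar_template` with a different XML root than the default `"TEMPLATE"`, a one-line comment saying so would help, e.g. `// Forwarding constructor: lets callers choose replace mode, separator and XML root (see Template)`; if it is unused, it is better left out until needed.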


@ -60,8 +60,6 @@
# std to use the default log stream (stderr) to use with systemd
# debug_level: 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG
#
# ENCRYPTED_ATTRIBUTES: These template attributes are encrypted before storing
# them in the database.
#*******************************************************************************
LOG = [
@ -109,14 +107,6 @@ VNC_PORTS = [
# RESERVED = "6800, 6801, 6810:6820, 9869"
]
HOST_ENCRYPTED_ATTR = "EC2_ACCESS"
HOST_ENCRYPTED_ATTR = "EC2_SECRET"
HOST_ENCRYPTED_ATTR = "AZ_ID"
HOST_ENCRYPTED_ATTR = "AZ_CERT"
HOST_ENCRYPTED_ATTR = "VCENTER_PASSWORD"
HOST_ENCRYPTED_ATTR = "NSX_PASSWORD"
HOST_ENCRYPTED_ATTR = "ONE_PASSWORD"
#*******************************************************************************
# API configuration attributes
#-------------------------------------------------------------------------------
@ -1068,6 +1058,27 @@ GROUP_RESTRICTED_ATTR = "VM_USE_OPERATIONS"
GROUP_RESTRICTED_ATTR = "VM_MANAGE_OPERATIONS"
GROUP_RESTRICTED_ATTR = "VM_ADMIN_OPERATIONS"
#*******************************************************************************
# Encrypted Attributes Configuration
#*******************************************************************************
# The following attributes are encrypted
#*******************************************************************************
HOST_ENCRYPTED_ATTR = "EC2_ACCESS"
HOST_ENCRYPTED_ATTR = "EC2_SECRET"
HOST_ENCRYPTED_ATTR = "AZ_ID"
HOST_ENCRYPTED_ATTR = "AZ_CERT"
HOST_ENCRYPTED_ATTR = "VCENTER_PASSWORD"
HOST_ENCRYPTED_ATTR = "NSX_PASSWORD"
HOST_ENCRYPTED_ATTR = "ONE_PASSWORD"
# VM_ENCRYPTED_ATTR = "PACKET_TOKEN
# VM_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN
# VNET_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN
# VNET_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN
# VNET_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN
#*******************************************************************************
# Inherited Attributes Configuration
#*******************************************************************************
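Review bot: The new commented examples in the encrypted-attributes section have unterminated string values (`# VM_ENCRYPTED_ATTR = "PACKET_TOKEN` and the four lines after it all lack the closing `"`), and the `VNET_ENCRYPTED_ATTR` example is repeated three times verbatim. They should read `# VM_ENCRYPTED_ATTR = "PACKET_TOKEN"`, `# VM_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN"` and a single `# VNET_ENCRYPTED_ATTR = "PROVISION/PACKET_TOKEN"`, otherwise an operator who uncomments one of them gets a parse error. As far as this page shows, every `VNET_ENCRYPTED_ATTR` example is commented out and `set_conf_default` adds no VNET default, so the address-range encryption this commit introduces appears to be inactive unless an operator configures it; a sentence in this section stating that would avoid a false sense of coverage.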


@ -451,6 +451,14 @@ void OpenNebulaTemplate::set_conf_default()
set_conf_single("SCRIPTS_REMOTE_DIR", "/var/tmp/one");
set_conf_single("VM_SUBMIT_ON_HOLD", "NO");
set_conf_single("API_LIST_ORDER", "DESC");
set_conf_single("HOST_ENCRYPTED_ATTR", "EC2_ACCESS");
set_conf_single("HOST_ENCRYPTED_ATTR", "EC2_SECRET");
set_conf_single("HOST_ENCRYPTED_ATTR", "AZ_ID");
set_conf_single("HOST_ENCRYPTED_ATTR", "AZ_CERT");
set_conf_single("HOST_ENCRYPTED_ATTR", "VCENTER_PASSWORD");
set_conf_single("HOST_ENCRYPTED_ATTR", "NSX_PASSWORD");
set_conf_single("HOST_ENCRYPTED_ATTR", "ONE_PASSWORD");
//DB CONFIGURATION
vvalue.insert(make_pair("BACKEND","sqlite"));
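Review bot: `set_conf_single("HOST_ENCRYPTED_ATTR", ...)` is called seven times with the same key, which only yields seven defaults if the underlying container accepts duplicate keys; if it replaces on insert, only one of the values survives and the other host secrets are not encrypted by default. This hunk cannot show which it is, so a comment such as `// HOST_ENCRYPTED_ATTR is multi-valued: each call adds one more default entry` (once confirmed) would document the intent. No `VNET_ENCRYPTED_ATTR` default is added here, which matches the commented-out examples in oned.conf but means the new address-range encryption is opt-in. `set_conf_default` continues past the hunk.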


@ -913,9 +913,9 @@ bool Template::check_restricted(string& ra,
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void Template::encrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
static void encrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (!one_key.empty())
{
@ -934,9 +934,9 @@ void Template::encrypt_attr(const std::string& one_key,
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool Template::decrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
static bool decrypt_attr(const std::string& one_key,
const std::string& in,
std::string& out)
{
if (one_key.empty())
{
@ -964,11 +964,9 @@ bool Template::decrypt_attr(const std::string& one_key,
void Template::encrypt(const std::string& one_key,
const std::map<std::string, std::set<std::string> >& eas)
{
std::map<std::string, std::set<std::string> >::const_iterator eit;
for ( eit = eas.begin(); eit != eas.end(); ++eit )
for ( auto eit : eas )
{
const std::set<std::string>& sub = eit->second;
const std::set<std::string>& sub = eit.second;
std::string tmp;
std::string encrypted;
@ -976,38 +974,48 @@ void Template::encrypt(const std::string& one_key,
if (!sub.empty()) //Vector Attribute
{
auto vatt = get(eit->first);
vector<VectorAttribute *> vatt;
if (vatt == nullptr)
get(eit.first, vatt);
if (vatt.empty())
{
continue;
}
std::set<std::string>::iterator subit;
for ( subit = sub.begin(); subit != sub.end(); ++subit)
for ( auto vattit : vatt )
{
att = vatt->vector_value(*subit);
if (!att.empty() && !decrypt_attr(one_key, att, tmp))
for ( auto subit : sub )
{
// Nested attribute present, but not encrypted, crypt it
encrypt_attr(one_key, att, encrypted);
att = vattit->vector_value(subit);
vatt->replace(*subit, encrypted);
if (!att.empty() && !decrypt_attr(one_key, att, tmp))
{
// Nested attribute present, but not encrypted, crypt it
encrypt_attr(one_key, att, encrypted);
vattit->replace(subit, encrypted);
}
}
}
}
else
{
get(eit->first, att);
vector<SingleAttribute *> vatt;
if (!att.empty() && !decrypt_attr(one_key, att, tmp))
get(eit.first, vatt);
for ( auto attit : vatt )
{
// Simple attribute present, but not encrypted, crypt it
encrypt_attr(one_key, att, encrypted);
string aval = attit->value();
replace(eit->first, encrypted);
// Simple attribute present, but not encrypted, crypt it
if (!aval.empty() && !decrypt_attr(one_key, aval, tmp))
{
encrypt_attr(one_key, aval, encrypted);
attit->replace(encrypted);
}
}
}
}
@ -1019,43 +1027,46 @@ void Template::encrypt(const std::string& one_key,
void Template::decrypt(const std::string& one_key,
const std::map<std::string, std::set<std::string> >& eas)
{
std::map<std::string, std::set<std::string> >::const_iterator eit;
for ( eit = eas.begin(); eit != eas.end(); ++eit )
for ( auto eit : eas )
{
const std::set<std::string>& sub = eit->second;
const std::set<std::string>& sub = eit.second;
std::string att;
std::string plain;
if (!sub.empty()) //Vector Attribute
{
auto vatt = get(eit->first);
vector<VectorAttribute *> vatt;
if (vatt == nullptr)
get(eit.first, vatt);
for ( auto vattit : vatt )
{
continue;
}
std::set<std::string>::iterator subit;
for ( subit = sub.begin(); subit != sub.end(); ++subit)
{
att = vatt->vector_value(*subit);
if (!att.empty() && decrypt_attr(one_key, att, plain))
for ( auto subit : sub )
{
vatt->replace(*subit, plain);
att = vattit->vector_value(subit);
if (!att.empty() && decrypt_attr(one_key, att, plain))
{
vattit->replace(subit, plain);
}
}
}
}
else
{
get(eit->first, att);
vector<SingleAttribute *> vatt;
if (!att.empty() && decrypt_attr(one_key, att, plain))
get(eit.first, vatt);
for ( auto attit : vatt )
{
replace(eit->first, plain);
string aval = attit->value();
if (!aval.empty() && decrypt_attr(one_key, aval, plain))
{
attit->replace(plain);
}
}
}
}
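Review bot: The rewritten loops in `Template::encrypt` iterate by value, `for ( auto eit : eas )` copies a `pair<const string, set<string>>` on every iteration and `for ( auto subit : sub )` copies each key; use `for ( const auto& eit : eas )` and `for ( const auto& subit : sub )`, and the same applies to the parallel loops in `Template::decrypt`. `string aval = attit->value();` likewise copies the attribute value before it is only read; `const std::string& aval = attit->value();` is enough if `value()` returns a reference, and `const auto&` is safe either way. Reusing the name `vatt` for the `vector<SingleAttribute *>` in the else-branch is confusing next to the `vector<VectorAttribute *>` of the same name above it; `satt` or `singles` would read better. Both functions end outside their hunks.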


@ -2051,59 +2051,3 @@ void AddressRange::remove_all_except_restricted(VectorAttribute* va)
}
}
}
/******************************************************************************/
/******************************************************************************/
set<string> AddressRange::encrypted_attributes;
void AddressRange::set_encrypted_attributes(vector<const SingleAttribute *>& eattrs)
{
for (unsigned int i = 0 ; i < eattrs.size() ; i++ )
{
string attr_s = eattrs[i]->value();
encrypted_attributes.insert(one_util::toupper(attr_s));
}
};
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AddressRange::encrypt(const std::string& one_key)
{
string att;
string encrypted;
string tmp;
for (auto ea : encrypted_attributes)
{
att = attr->vector_value(ea);
if (!att.empty() && !Template::decrypt_attr(one_key, att, tmp))
{
Template::encrypt_attr(one_key, att, encrypted);
attr->replace(ea, encrypted);
}
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AddressRange::decrypt(const std::string& one_key)
{
string att;
string plain;
for (auto ea : encrypted_attributes)
{
att = attr->vector_value(ea);
if (!att.empty() && Template::decrypt_attr(one_key, att, plain))
{
attr->replace(ea, plain);
}
}
}


@ -56,13 +56,13 @@ int AddressRangePool::from_vattr(VectorAttribute* va, string& error_msg)
return -1;
}
Nebula::instance().get_configuration_attribute("ONE_KEY", one_key);
ar->encrypt(one_key);
ar_pool.insert(make_pair(ar->ar_id(), ar));
ar_template.set(va);
Nebula::instance().get_configuration_attribute("ONE_KEY", one_key);
ar_template.encrypt(one_key);
return 0;
}
@ -94,6 +94,7 @@ AddressRange * AddressRangePool::allocate_ar(const string& ipam_mad,
int AddressRangePool::add_ar(AddressRange * ar)
{
pair<map<unsigned int, AddressRange *>::iterator, bool> rc;
string one_key;
rc = ar_pool.insert(make_pair(ar->ar_id(), ar));
@ -104,6 +105,9 @@ int AddressRangePool::add_ar(AddressRange * ar)
ar_template.set(ar->attr);
Nebula::instance().get_configuration_attribute("ONE_KEY", one_key);
ar_template.encrypt(one_key);
return 0;
}
@ -877,29 +881,3 @@ void AddressRangePool::process_security_rule(
new_rules.push_back(new_rule);
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AddressRangePool::encrypt(const std::string& one_key)
{
map<unsigned int, AddressRange *>::iterator it;
for (it = ar_pool.begin(); it != ar_pool.end(); it++)
{
it->second->encrypt(one_key);
}
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AddressRangePool::decrypt(const std::string& one_key)
{
map<unsigned int, AddressRange *>::iterator it;
for (it = ar_pool.begin(); it != ar_pool.end(); it++)
{
it->second->decrypt(one_key);
}
}
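Review bot: Both `from_vattr` and `add_ar` now call `ar_template.encrypt(one_key)` after adding a single range, which rescans every address range already in `ar_template` and runs the decrypt-probe on each encrypted attribute, so the cost of adding a range grows with the size of the pool. The `ONE_KEY` lookup is also repeated per call; reading it once and encrypting only the attribute that was just added would be cheaper, though no per-attribute helper is exposed now that `encrypt_attr`/`decrypt_attr` are file-static in Template.cc. `ar_template.set(ar->attr)` passes the range's own attribute pointer, so if `set` stores it rather than copying, encrypting the template also turns the in-memory `AddressRange` attributes into ciphertext, which matches the removed per-range `ar->encrypt` but deserves a comment such as `// ar_template shares the AR's VectorAttribute: encrypting it encrypts the AR in memory too` once confirmed. `from_vattr` and `add_ar` both continue past their hunks.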


@ -98,8 +98,6 @@ VirtualNetworkPool::VirtualNetworkPool(
// Parse encrypted attributes
VirtualNetworkTemplate::parse_encrypted(encrypted_attrs);
AddressRange::set_encrypted_attributes(encrypted_attrs);
for (it = _inherit_attrs.begin(); it != _inherit_attrs.end(); it++)
{
inherit_attrs.push_back((*it)->value());