CLOUDSTACK-5921: S3 security key is stored in DB unencrypted

minchen07 · minchen07 · commit afb8a79321ca · 2014-01-21T14:17:30.000-08:00
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
@@ -29,10 +29,10 @@
 import java.util.Map;
 import java.util.Set;
 
-import com.cloud.hypervisor.Hypervisor;
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.script.Script;
@@ -68,6 +68,7 @@ public File[] getPrepareScripts() {
     @Override
     public void performDataMigration(Connection conn) {
         encryptLdapConfigParams(conn);
+        encryptImageStoreDetails(conn);
         upgradeMemoryOfSsvmOffering(conn);
         updateSystemVmTemplates(conn);
     }
@@ -305,8 +306,44 @@ private void updateSystemVmTemplates(Connection conn) {
                 }
             }
             s_logger.debug("Updating System Vm Template IDs Complete");
+        } finally {
+            try {
+                if (rs != null) {
+                    rs.close();
+                }
+
+                if (pstmt != null) {
+                    pstmt.close();
+                }
+            } catch (SQLException e) {
+            }
         }
-        finally {
+    }
+
+    private void encryptImageStoreDetails(Connection conn) {
+        s_logger.debug("Encrypting image store details");
+        PreparedStatement pstmt = null;
+        ResultSet rs = null;
+        try {
+            pstmt = conn.prepareStatement("select id, value from `cloud`.`image_store_details` where name = 'key' or name = 'secretkey'");
+            rs = pstmt.executeQuery();
+            while (rs.next()) {
+                long id = rs.getLong(1);
+                String value = rs.getString(2);
+                if (value == null) {
+                    continue;
+                }
+                String encryptedValue = DBEncryptionUtil.encrypt(value);
+                pstmt = conn.prepareStatement("update `cloud`.`image_store_details` set value=? where id=?");
+                pstmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
+                pstmt.setLong(2, id);
+                pstmt.executeUpdate();
+            }
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Unable encrypt image_store_details values ", e);
+        } catch (UnsupportedEncodingException e) {
+            throw new CloudRuntimeException("Unable encrypt image_store_details values ", e);
+        } finally {
             try {
                 if (rs != null) {
                     rs.close();
@@ -318,6 +355,7 @@ private void updateSystemVmTemplates(Connection conn) {
             } catch (SQLException e) {
             }
         }
+        s_logger.debug("Done encrypting image_store_details");
     }
 
     @Override
diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java b/engine/storage/src/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
@@ -26,6 +26,7 @@
 
 import org.springframework.stereotype.Component;
 
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO;
@@ -35,6 +36,7 @@
 
 import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.ScopeType;
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 @Component
@@ -104,7 +106,12 @@ public ImageStoreVO createImageStore(Map<String, Object> params, Map<String, Str
                 ImageStoreDetailVO detail = new ImageStoreDetailVO();
                 detail.setStoreId(store.getId());
                 detail.setName(key);
-                detail.setValue(details.get(key));
+                String value = details.get(key);
+                // encrypt swift key or s3 secret key
+                if (key.equals(ApiConstants.KEY) || key.equals(ApiConstants.S3_SECRET_KEY)) {
+                    value = DBEncryptionUtil.encrypt(value);
+                }
+                detail.setValue(value);
                 imageStoreDetailsDao.persist(detail);
             }
         }
diff --git a/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java b/engine/storage/src/org/apache/cloudstack/storage/image/db/ImageStoreDetailsDaoImpl.java
@@ -22,10 +22,13 @@
 
 import javax.ejb.Local;
 
+import org.springframework.stereotype.Component;
+
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailVO;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDetailsDao;
-import org.springframework.stereotype.Component;
 
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@@ -67,7 +70,12 @@ public Map<String, String> getDetails(long storeId) {
         List<ImageStoreDetailVO> details = listBy(sc);
         Map<String, String> detailsMap = new HashMap<String, String>();
         for (ImageStoreDetailVO detail : details) {
-            detailsMap.put(detail.getName(), detail.getValue());
+            String name = detail.getName();
+            String value = detail.getValue();
+            if (name.equals(ApiConstants.KEY) || name.equals(ApiConstants.S3_SECRET_KEY)) {
+                value = DBEncryptionUtil.decrypt(value);
+            }
+            detailsMap.put(name, value);
         }
 
         return detailsMap;
diff --git a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java
@@ -22,15 +22,18 @@
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.response.ImageStoreDetailResponse;
 import org.apache.cloudstack.api.response.ImageStoreResponse;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
-import com.cloud.utils.StringUtils;
 import com.cloud.api.query.vo.ImageStoreJoinVO;
 import com.cloud.storage.ImageStore;
+import com.cloud.utils.StringUtils;
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@@ -58,7 +61,7 @@ protected ImageStoreJoinDaoImpl() {
         dsIdSearch.and("id", dsIdSearch.entity().getId(), SearchCriteria.Op.EQ);
         dsIdSearch.done();
 
-        this._count = "select count(distinct id) from image_store_view WHERE ";
+        _count = "select count(distinct id) from image_store_view WHERE ";
     }
 
 
@@ -84,7 +87,11 @@ public ImageStoreResponse newImageStoreResponse(ImageStoreJoinVO ids) {
 
         String detailName = ids.getDetailName();
         if ( detailName != null && detailName.length() > 0 ){
-            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue());
+            String detailValue = ids.getDetailValue();
+            if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
+                detailValue = DBEncryptionUtil.decrypt(detailValue);
+            }
+            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
             osResponse.addDetail(osdResponse);
         }
         osResponse.setObjectName("imagestore");
@@ -99,7 +106,11 @@ public ImageStoreResponse newImageStoreResponse(ImageStoreJoinVO ids) {
     public ImageStoreResponse setImageStoreResponse(ImageStoreResponse response, ImageStoreJoinVO ids) {
         String detailName = ids.getDetailName();
         if ( detailName != null && detailName.length() > 0 ){
-            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, ids.getDetailValue());
+            String detailValue = ids.getDetailValue();
+            if (detailName.equals(ApiConstants.KEY) || detailName.equals(ApiConstants.S3_SECRET_KEY)) {
+                detailValue = DBEncryptionUtil.decrypt(detailValue);
+            }
+            ImageStoreDetailResponse osdResponse = new ImageStoreDetailResponse(detailName, detailValue);
             response.addDetail(osdResponse);
         }
         return response;
