From: tierno Date: Tue, 23 Oct 2018 09:30:42 +0000 (+0200) Subject: bug559 use of encrypt/decrypt methods X-Git-Tag: v5.0.0~18 X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=17a612f3ae65192b04bea9518e3c35ebfec05924;p=osm%2FLCM.git bug559 use of encrypt/decrypt methods Change-Id: Ic0ac895136f547a63102ea92867fc5bcb4e9132a Signed-off-by: tierno --- diff --git a/Dockerfile.local b/Dockerfile.local index be26cfe..3f841cf 100644 --- a/Dockerfile.local +++ b/Dockerfile.local @@ -57,6 +57,11 @@ ENV OSMLCM_VCA_SECRET: secret ENV OSMLCM_DATABASE_DRIVER mongo ENV OSMLCM_DATABASE_HOST mongo ENV OSMLCM_DATABASE_PORT 27017 +# ENV OSMLCM_DATABASE_USER xxx +# ENV OSMLCM_DATABASE_PASSWORD xxx +# ENV OSMLCM_DATABASE_MASTERPASSWORD xxx + +#storage ENV OSMLCM_STORAGE_DRIVER local ENV OSMLCM_STORAGE_PATH /app/storage diff --git a/osm_lcm/lcm.cfg b/osm_lcm/lcm.cfg index e85ad71..3c9b1fd 100644 --- a/osm_lcm/lcm.cfg +++ b/osm_lcm/lcm.cfg @@ -12,7 +12,7 @@ RO: host: ro # hostname or IP port: 9090 tenant: osm - loglevel: DEBUG + # loglevel: DEBUG # logfile: /var/log/osm/lcm-ro.log #[VCA] @@ -21,7 +21,7 @@ VCA: port: 17070 user: admin secret: secret - loglevel: DEBUG + # loglevel: DEBUG # logfile: /var/log/osm/lcm-vca.log #[database] @@ -30,9 +30,10 @@ database: host: mongo # hostname or IP port: 27017 name: osm - user: user - password: password - loglevel: DEBUG + # user: user + # password: password + # masterpassword: "XXXXXX" # password used for encryption of sensible information + # loglevel: DEBUG # logfile: /var/log/osm/lcm-database.log #[storage] @@ -40,7 +41,7 @@ storage: driver: local # local filesystem # for local provide file path path: /app/storage - loglevel: DEBUG + # loglevel: DEBUG # logfile: /var/log/osm/lcm-storage.log #[message] @@ -51,5 +52,5 @@ message: # for kafka provide host and port host: kafka port: 9092 - loglevel: DEBUG + # loglevel: DEBUG # logfile: /var/log/osm/lcm-message.log diff --git a/osm_lcm/lcm.py b/osm_lcm/lcm.py index d2e9b60..2a040af 100644 --- a/osm_lcm/lcm.py +++ b/osm_lcm/lcm.py @@ -25,7 +25,7 @@ from n2vc import version as n2vc_version __author__ = "Alfonso Tierno" min_RO_version = [0, 5, 72] min_n2vc_version = "0.0.2" -min_common_version = "0.1.7" +min_common_version = "0.1.11" # uncomment if LCM is installed as library and installed, and get them from __init__.py lcm_version = '0.1.18' lcm_version_date = '2018-10-11' @@ -385,12 +385,14 @@ class Lcm: if not k.startswith("OSMLCM_"): continue k_items = k.lower().split("_") + if len(k_items) < 3: + continue + if k_items[1] in ("ro", "vca"): + # put in capital letter + k_items[1] = k_items[1].upper() c = conf try: for k_item in k_items[1:-1]: - if k_item in ("ro", "vca"): - # put in capital letter - k_item = k_item.upper() c = c[k_item] if k_items[-1] == "port": c[k_items[-1]] = int(v) @@ -440,14 +442,14 @@ if __name__ == '__main__': assert False, "Unhandled option" if config_file: if not path.isfile(config_file): - print("configuration file '{}' that not exist".format(config_file), file=sys.stderr) + print("configuration file '{}' not exist".format(config_file), file=sys.stderr) exit(1) else: for config_file in (__file__[:__file__.rfind(".")] + ".cfg", "./lcm.cfg", "/etc/osm/lcm.cfg"): if path.isfile(config_file): break else: - print("No configuration file 'nbi.cfg' found neither at local folder nor at /etc/osm/", file=sys.stderr) + print("No configuration file 'lcm.cfg' found neither at local folder nor at /etc/osm/", file=sys.stderr) exit(1) lcm = Lcm(config_file) if health_check: diff --git a/osm_lcm/vim_sdn.py b/osm_lcm/vim_sdn.py index cf836bf..610bd97 100644 --- a/osm_lcm/vim_sdn.py +++ b/osm_lcm/vim_sdn.py @@ -13,6 +13,8 @@ __author__ = "Alfonso Tierno" class VimLcm(LcmBase): + # values that are encrypted at vim config because they are passwords + vim_config_encrypted = ("admin_password", "nsx_password", "vcenter_password") def __init__(self, db, msg, fs, lcm_tasks, ro_config, loop): """ @@ -56,7 +58,7 @@ class VimLcm(LcmBase): vim_RO = deepcopy(vim_content) vim_RO.pop("_id", None) vim_RO.pop("_admin", None) - vim_RO.pop("schema_version", None) + schema_version = vim_RO.pop("schema_version", None) vim_RO.pop("schema_type", None) vim_RO.pop("vim_tenant_name", None) vim_RO["type"] = vim_RO.pop("vim_type") @@ -72,6 +74,10 @@ class VimLcm(LcmBase): db_vim_update["_admin.detailed-status"] = step self.update_db_2("vim_accounts", vim_id, db_vim_update) + if vim_content.get("vim_password"): + vim_content["vim_password"] = self.db.decrypt(vim_content["vim_password"], + schema_version=schema_version, + salt=vim_id) vim_account_RO = {"vim_tenant_name": vim_content["vim_tenant_name"], "vim_username": vim_content["vim_user"], "vim_password": vim_content["vim_password"] @@ -82,6 +88,12 @@ class VimLcm(LcmBase): del vim_account_RO["config"]["sdn-controller"] if "sdn-port-mapping" in vim_account_RO["config"]: del vim_account_RO["config"]["sdn-port-mapping"] + for p in self.vim_config_encrypted: + if vim_account_RO["config"].get(p): + vim_account_RO["config"][p] = self.db.decrypt(vim_account_RO["config"][p], + schema_version=schema_version, + salt=vim_id) + desc = await RO.attach_datacenter(RO_vim_id, descriptor=vim_account_RO) db_vim_update["_admin.deployed.RO-account"] = desc["uuid"] db_vim_update["_admin.operationalState"] = "ENABLED" @@ -156,7 +168,7 @@ class VimLcm(LcmBase): vim_RO = deepcopy(vim_content) vim_RO.pop("_id", None) vim_RO.pop("_admin", None) - vim_RO.pop("schema_version", None) + schema_version = vim_RO.pop("schema_version", None) vim_RO.pop("schema_type", None) vim_RO.pop("vim_tenant_name", None) if "vim_type" in vim_RO: @@ -178,9 +190,23 @@ class VimLcm(LcmBase): del vim_content["config"]["sdn-port-mapping"] if not vim_content["config"]: del vim_content["config"] - for k in ("vim_tenant_name", "vim_password", "config"): - if k in vim_content: - vim_account_RO[k] = vim_content[k] + if "vim_tenant_name" in vim_content: + vim_account_RO["vim_tenant_name"] = vim_content["vim_tenant_name"] + if "vim_password" in vim_content: + vim_account_RO["vim_password"] = vim_content["vim_password"] + if vim_content.get("vim_password"): + vim_account_RO["vim_password"] = self.db.decrypt(vim_content["vim_password"], + schema_version=schema_version, + salt=vim_id) + if "config" in vim_content: + vim_account_RO["config"] = vim_content["config"] + if vim_content.get("config"): + for p in self.vim_config_encrypted: + if vim_content["config"].get(p): + vim_account_RO["config"][p] = self.db.decrypt(vim_content["config"][p], + schema_version=schema_version, + salt=vim_id) + if "vim_user" in vim_content: vim_content["vim_username"] = vim_content["vim_user"] # vim_account must be edited always even if empty in order to ensure changes are translated to RO @@ -291,9 +317,12 @@ class SdnLcm(LcmBase): sdn_RO = deepcopy(sdn_content) sdn_RO.pop("_id", None) sdn_RO.pop("_admin", None) - sdn_RO.pop("schema_version", None) + schema_version = sdn_RO.pop("schema_version", None) sdn_RO.pop("schema_type", None) sdn_RO.pop("description", None) + if sdn_RO.get("password"): + sdn_RO["password"] = self.db.decrypt(sdn_RO["password"], schema_version=schema_version, salt=sdn_id) + desc = await RO.create("sdn", descriptor=sdn_RO) RO_sdn_id = desc["uuid"] db_sdn_update["_admin.deployed.RO"] = RO_sdn_id @@ -332,9 +361,11 @@ class SdnLcm(LcmBase): sdn_RO = deepcopy(sdn_content) sdn_RO.pop("_id", None) sdn_RO.pop("_admin", None) - sdn_RO.pop("schema_version", None) + schema_version = sdn_RO.pop("schema_version", None) sdn_RO.pop("schema_type", None) sdn_RO.pop("description", None) + if sdn_RO.get("password"): + sdn_RO["password"] = self.db.decrypt(sdn_RO["password"], schema_version=schema_version, salt=sdn_id) if sdn_RO: await RO.edit("sdn", RO_sdn_id, descriptor=sdn_RO) db_sdn_update["_admin.operationalState"] = "ENABLED"