From ea7eb0d461d8af6fd0db41c637dfe54180e2a220 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 11:56:33 +0800 Subject: [PATCH 01/10] password encryption and decryption --- Makefile | 5 +- client/auth.go | 49 +++++++++----- contrib/backup/multicloud/client.go | 18 +++-- contrib/backup/multicloud/driver.go | 15 +++-- .../multicloud/testdata/multi-cloud.yaml | 6 +- contrib/drivers/huawei/dorado/client.go | 20 +++--- contrib/drivers/huawei/dorado/common.go | 11 ++-- .../huawei/dorado/testdata/dorado.yaml | 5 +- contrib/drivers/openstack/cinder/cinder.go | 21 +++--- examples/driver/cinder.yaml | 4 ++ pkg/utils/config/config_define.go | 28 ++++---- pkg/utils/pwd/aes.go | 4 ++ pkg/utils/pwd/pwd.go | 10 +-- script/devsds/lib/opensds.sh | 8 ++- script/tools/pwdEncrypter/README.md | 4 ++ script/tools/pwdEncrypter/pwdEncrypter.go | 66 +++++++++++++++++++ 16 files changed, 201 insertions(+), 73 deletions(-) create mode 100644 script/tools/pwdEncrypter/README.md create mode 100644 script/tools/pwdEncrypter/pwdEncrypter.go diff --git a/Makefile b/Makefile index e92f71d32..ae65c38c8 100755 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ ubuntu-dev-setup: sudo apt-get update && sudo apt-get install -y \ build-essential gcc librados-dev librbd-dev -build:osdsdock osdslet osdsctl +build:osdsdock osdslet osdsctl pwdEncrypter prebuild: mkdir -p $(BUILD_DIR) @@ -42,6 +42,9 @@ osdslet: prebuild osdsctl: prebuild go build -o $(BUILD_DIR)/bin/osdsctl github.com/opensds/opensds/osdsctl +pwdEncrypter: prebuild + go build -o $(BUILD_DIR)/bin/pwdEncrypter github.com/opensds/opensds/script/tools/pwdEncrypter + docker: build cp $(BUILD_DIR)/bin/osdsdock ./cmd/osdsdock cp $(BUILD_DIR)/bin/osdslet ./cmd/osdslet diff --git a/client/auth.go b/client/auth.go index 50b85904e..3f2a1c3f5 100644 --- a/client/auth.go +++ b/client/auth.go @@ -15,6 +15,7 @@ package client import ( + "fmt" "os" "github.com/opensds/opensds/pkg/utils/constants" 
@@ -27,15 +28,16 @@ const ( OpensdsTenantId = "OPENSDS_TENANT_ID" // Keystone Auth ENVs - OsAuthUrl = "OS_AUTH_URL" - OsUsername = "OS_USERNAME" - OsPassword = "OS_PASSWORD" - OsTenantName = "OS_TENANT_NAME" - OsProjectName = "OS_PROJECT_NAME" - OsUserDomainId = "OS_USER_DOMAIN_ID" - OsPasswordTool = "OS_PASSWORD_DECRYPT_TOOL" - Keystone = "keystone" - Noauth = "noauth" + OsAuthUrl = "OS_AUTH_URL" + OsUsername = "OS_USERNAME" + OsPassword = "OS_PASSWORD" + OsTenantName = "OS_TENANT_NAME" + OsProjectName = "OS_PROJECT_NAME" + OsUserDomainId = "OS_USER_DOMAIN_ID" + PwdEncrypter = "PASSWORD_ENCRYPTER" + EnableEncrypted = "ENABLE_ENCRYPTED" + Keystone = "keystone" + Noauth = "noauth" ) type AuthOptions interface { @@ -51,6 +53,8 @@ type KeystoneAuthOptions struct { Username string UserID string Password string + PwdEncrypter string + EnableEncrypted bool DomainID string DomainName string TenantID string @@ -79,13 +83,26 @@ func LoadKeystoneAuthOptionsFromEnv() *KeystoneAuthOptions { opt := NewKeystoneAuthOptions() opt.IdentityEndpoint = os.Getenv(OsAuthUrl) opt.Username = os.Getenv(OsUsername) - // Decrypte the password - // Get the cipher text of the password - pwdCiphertext := os.Getenv(OsPassword) - // Instantiate an encryption tool - pwdTool := pwd.NewPwdTool(os.Getenv(OsPasswordTool)) - // Decrypt the password and obtain the password. - opt.Password, _ = pwdTool.Decrypter(pwdCiphertext) + + var pwdCiphertext = os.Getenv(OsPassword) + + if os.Getenv(EnableEncrypted) == "true" { + // Decrypte the password + pwdTool := os.Getenv(PwdEncrypter) + if pwdTool == "" { + fmt.Println("The password encrypter can not be empty if password encrypted is enabled.") + return nil + } + + password, err := pwd.NewPwdEncrypter(pwdTool).Decrypter(pwdCiphertext) + if err != nil { + fmt.Println("Decryption failed.", err) + return nil + } + pwdCiphertext = password + } + + opt.Password = pwdCiphertext opt.TenantName = os.Getenv(OsTenantName) projectName := os.Getenv(OsProjectName) 
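Review bot: The enable/decrypt block added to LoadKeystoneAuthOptionsFromEnv is repeated almost verbatim in contrib/backup/multicloud/client.go, contrib/drivers/huawei/dorado/client.go, contrib/drivers/openstack/cinder/cinder.go and, in patch 03, pkg/api/filter/auth/keystone.go; one helper in pkg/utils/pwd, say `func DecryptIfEnabled(password string, enabled bool, encrypter string) (string, error)`, would keep the policy in one place and also remove the misleading `pwdCiphertext` name, which holds the plaintext once the block has run, so that here the whole thing becomes `opt.Password, err = pwd.DecryptIfEnabled(os.Getenv(OsPassword), os.Getenv(EnableEncrypted) == "true", os.Getenv(PwdEncrypter))`. The two new `return nil` paths change the function's contract, which previously always returned an options struct; unless every caller nil-checks (not visible here) a missing or wrong setting now ends in a nil dereference instead of a failed login, and the `fmt.Println` messages should at least name the variable involved. The string compare accepts only the exact value `true`; `strconv.ParseBool` would accept the usual spellings. The function continues past the hunk.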
diff --git a/contrib/backup/multicloud/client.go b/contrib/backup/multicloud/client.go index 5396a4808..8646821e9 100644 --- a/contrib/backup/multicloud/client.go +++ b/contrib/backup/multicloud/client.go @@ -79,19 +79,23 @@ func NewClient(endpooint string, opt *AuthOptions, uploadTimeout int64) (*Client type ReqSettingCB func(req *httplib.BeegoHTTPRequest) error func (c *Client) getToken(opt *AuthOptions) (*tokens.CreateResult, error) { - // Decrypte the password - pwdCiphertext := opt.Password - pwdTool := pwd.NewPwdTool(opt.PasswordTool) - pwd, err := pwdTool.Decrypter(pwdCiphertext) - if err != nil { - return nil, err + var pwdCiphertext = opt.Password + + if opt.EnableEncrypted { + // Decrypte the password + pwdTool := pwd.NewPwdEncrypter(opt.PwdEncrypter) + password, err := pwdTool.Decrypter(pwdCiphertext) + if err != nil { + return nil, err + } + pwdCiphertext = password } auth := gophercloud.AuthOptions{ IdentityEndpoint: opt.AuthUrl, DomainName: opt.DomainName, Username: opt.UserName, - Password: pwd, + Password: pwdCiphertext, TenantName: opt.TenantName, } diff --git a/contrib/backup/multicloud/driver.go b/contrib/backup/multicloud/driver.go index 0adfacc3a..a62f5d1f7 100644 --- a/contrib/backup/multicloud/driver.go +++ b/contrib/backup/multicloud/driver.go 
@@ -40,13 +40,14 @@ func NewMultiCloud() (backup.BackupDriver, error) { } type AuthOptions struct { - Strategy string `yaml:"Strategy"` - AuthUrl string `yaml:"AuthUrl,omitempty"` - DomainName string `yaml:"DomainName,omitempty"` - UserName string `yaml:"UserName,omitempty"` - Password string `yaml:"Password,omitempty"` - PasswordTool string `yaml:"PasswordTool,omitempty"` - TenantName string `yaml:"TenantName,omitempty"` + Strategy string `yaml:"Strategy"` + AuthUrl string `yaml:"AuthUrl,omitempty"` + DomainName string `yaml:"DomainName,omitempty"` + UserName string `yaml:"UserName,omitempty"` + Password string `yaml:"Password,omitempty"` + PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` + EnableEncrypted bool `yaml:"EnableEncrypted,omitempty"` + TenantName string `yaml:"TenantName,omitempty"` } type MultiCloudConf struct { diff --git a/contrib/backup/multicloud/testdata/multi-cloud.yaml b/contrib/backup/multicloud/testdata/multi-cloud.yaml index 63d4a2de2..f89b0a490 100644 --- a/contrib/backup/multicloud/testdata/multi-cloud.yaml +++ b/contrib/backup/multicloud/testdata/multi-cloud.yaml @@ -7,4 +7,8 @@ AuthOptions: DomainName: "Default" UserName: "admin" Password: "opensds@123" - TenantName: "admin" \ No newline at end of file + TenantName: "admin" + # Whether to encrypt the password. If enabled, the value of the password must be ciphertext. + EnableEncrypted: false + # Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. + PwdEncrypter: "aes" \ No newline at end of file diff --git a/contrib/drivers/huawei/dorado/client.go b/contrib/drivers/huawei/dorado/client.go index c9e0a4fa0..a29a534cd 100644 --- a/contrib/drivers/huawei/dorado/client.go +++ b/contrib/drivers/huawei/dorado/client.go 
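Review bot: The two new AuthOptions fields carry no comment, and their meaning lives only in the yaml testdata, so a reader of the struct cannot tell that Password is expected to hold ciphertext when EnableEncrypted is set. Suggest `// EnableEncrypted marks Password as ciphertext produced by PwdEncrypter; it is decrypted before use.` and `// PwdEncrypter names the pkg/utils/pwd encrypter (currently only "aes") used to decrypt Password.` The same applies to the copies of these fields in contrib/drivers/huawei/dorado/common.go and contrib/drivers/openstack/cinder/cinder.go. The `omitempty` on a bool that is only ever unmarshalled has no effect and can be dropped.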
@@ -59,21 +59,25 @@ type DoradoClient struct { func NewClient(opt *AuthOptions) (*DoradoClient, error) { endpoints := strings.Split(opt.Endpoints, ",") - // Decrypte the password - pwdCiphertext := opt.Password - pwdTool := pwd.NewPwdTool(opt.PasswordTool) - pwd, err := pwdTool.Decrypter(pwdCiphertext) - if err != nil { - return nil, err + var pwdCiphertext = opt.Password + + if opt.EnableEncrypted { + // Decrypte the password + pwdTool := pwd.NewPwdEncrypter(opt.PwdEncrypter) + password, err := pwdTool.Decrypter(pwdCiphertext) + if err != nil { + return nil, err + } + pwdCiphertext = password } c := &DoradoClient{ user: opt.Username, - passwd: pwd, + passwd: pwdCiphertext, endpoints: endpoints, insecure: opt.Insecure, } - err = c.login() + err := c.login() return c, err } diff --git a/contrib/drivers/huawei/dorado/common.go b/contrib/drivers/huawei/dorado/common.go index f68e8d64c..3da672a6e 100644 --- a/contrib/drivers/huawei/dorado/common.go +++ b/contrib/drivers/huawei/dorado/common.go @@ -14,11 +14,12 @@ import ( ) type AuthOptions struct { - Username string `yaml:"username,omitempty"` - Password string `yaml:"password,omitempty"` - PasswordTool string `yaml:"passwordtool,omitempty"` - Endpoints string `yaml:"endpoints,omitempty"` - Insecure bool `yaml:"insecure,omitempty"` + Username string `yaml:"username,omitempty"` + Password string `yaml:"password,omitempty"` + PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` + EnableEncrypted bool `yaml:"EnableEncrypted,omitempty"` + Endpoints string `yaml:"endpoints,omitempty"` + Insecure bool `yaml:"insecure,omitempty"` } type Replication struct { diff --git a/contrib/drivers/huawei/dorado/testdata/dorado.yaml b/contrib/drivers/huawei/dorado/testdata/dorado.yaml index 481a493ff..abac35d4b 100644 --- a/contrib/drivers/huawei/dorado/testdata/dorado.yaml +++ b/contrib/drivers/huawei/dorado/testdata/dorado.yaml 
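Review bot: In dorado's AuthOptions the new yaml tags `PwdEncrypter` and `EnableEncrypted` are PascalCase while every neighbouring tag (`username`, `password`, `endpoints`, `insecure`) is lowercase, so the dorado.yaml in this series now mixes two key styles in one mapping; `yaml:"pwdEncrypter,omitempty"` and `yaml:"enableEncrypted,omitempty"`, with the testdata updated, would keep one convention. The same mismatch is in contrib/drivers/openstack/cinder/cinder.go, whose other tags are camelCase (`domainName`, `tenantId`). If the driver's yaml loader matches keys case-sensitively (gopkg.in/yaml.v2, which this series imports elsewhere, does), an operator who copies the casing of the adjacent keys gets a silently ignored setting and the raw configured value is sent to the device as the password.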
@@ -2,7 +2,10 @@ authOptions: endpoints: "https://8.46.185.114:8088/deviceManager/rest" username: "opensds" password: "Opensds@123" - passwordtool: "aes" + # Whether to encrypt the password. If enabled, the value of the password must be ciphertext. + EnableEncrypted: false + # Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. + PwdEncrypter: "aes" insecure: true replication: diff --git a/contrib/drivers/openstack/cinder/cinder.go b/contrib/drivers/openstack/cinder/cinder.go index 92435b9cf..4ede91e91 100755 --- a/contrib/drivers/openstack/cinder/cinder.go +++ b/contrib/drivers/openstack/cinder/cinder.go @@ -66,7 +66,8 @@ type AuthOptions struct { DomainName string `yaml:"domainName,omitempty"` Username string `yaml:"username,omitempty"` Password string `yaml:"password,omitempty"` - PasswordTool string `yaml:"passwordtool,omitempty"` + PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` + EnableEncrypted bool `yaml:"EnableEncrypted,omitempty"` TenantID string `yaml:"tenantId,omitempty"` TenantName string `yaml:"tenantName,omitempty"` } @@ -117,12 +118,16 @@ func (d *Driver) Setup() error { } Parse(d.conf, p) - // Decrypte the password - pwdCiphertext := d.conf.Password - pwdTool := pwd.NewPwdTool(d.conf.PasswordTool) - pwd, err := pwdTool.Decrypter(pwdCiphertext) - if err != nil { - return err + var pwdCiphertext = d.conf.Password + + if d.conf.EnableEncrypted { + // Decrypte the password + pwdTool := pwd.NewPwdEncrypter(d.conf.PwdEncrypter) + password, err := pwdTool.Decrypter(pwdCiphertext) + if err != nil { + return err + } + pwdCiphertext = password } opts := gophercloud.AuthOptions{ @@ -130,7 +135,7 @@ func (d *Driver) Setup() error { DomainID: d.conf.DomainID, DomainName: d.conf.DomainName, Username: d.conf.Username, - Password: pwd, + Password: pwdCiphertext, TenantID: d.conf.TenantID, TenantName: d.conf.TenantName, } 
diff --git a/examples/driver/cinder.yaml b/examples/driver/cinder.yaml index eb7177bab..30762eeef 100755 --- a/examples/driver/cinder.yaml +++ b/examples/driver/cinder.yaml @@ -17,6 +17,10 @@ authOptions: domainName: "Default" username: "admin" password: "admin" + # Whether to encrypt the password. If enabled, the value of the password must be ciphertext. + EnableEncrypted: false + # Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. + PwdEncrypter: "aes" tenantName: "admin" pool: pool1: diff --git a/pkg/utils/config/config_define.go b/pkg/utils/config/config_define.go index 5c8af890b..e910e060d 100755 --- a/pkg/utils/config/config_define.go +++ b/pkg/utils/config/config_define.go 
@@ -16,20 +16,24 @@ package config import "time" -type Default struct{} +type Default struct { + // Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. + PwdEncrypter string `conf:"pwd_encrypter,aes"` + // Whether to encrypt the password. If enabled, the value of the password must be ciphertext. + EnableEncrypted bool `conf:"enable_encrypted,false"` +} type OsdsLet struct { - ApiEndpoint string `conf:"api_endpoint,localhost:50040"` - Graceful bool `conf:"graceful,true"` - SocketOrder string `conf:"socket_order"` - AuthStrategy string `conf:"auth_strategy,noauth"` - Daemon bool `conf:"daemon,false"` - PolicyPath string `conf:"policy_path,/etc/opensds/policy.json"` - LogFlushFrequency time.Duration `conf:"log_flush_frequency,5s"` // Default value is 5s - HTTPSEnabled bool `conf:"https_enabled,false"` - BeegoHTTPSCertFile string `conf:"beego_https_cert_file,/opt/opensds-security/opensds/opensds-cert.pem"` - BeegoHTTPSKeyFile string `conf:"beego_https_key_file,/opt/opensds-security/opensds/opensds-key.pem"` - PasswordDecryptTool string `conf:"password_decrypt_tool,aes"` + ApiEndpoint string `conf:"api_endpoint,localhost:50040"` + Graceful bool `conf:"graceful,true"` + SocketOrder string `conf:"socket_order"` + AuthStrategy string `conf:"auth_strategy,noauth"` + Daemon bool `conf:"daemon,false"` + PolicyPath string `conf:"policy_path,/etc/opensds/policy.json"` + LogFlushFrequency time.Duration `conf:"log_flush_frequency,5s"` // Default value is 5s + HTTPSEnabled bool `conf:"https_enabled,false"` + BeegoHTTPSCertFile string `conf:"beego_https_cert_file,/opt/opensds-security/opensds/opensds-cert.pem"` + BeegoHTTPSKeyFile string `conf:"beego_https_key_file,/opt/opensds-security/opensds/opensds-key.pem"` } type OsdsDock struct { diff --git a/pkg/utils/pwd/aes.go b/pkg/utils/pwd/aes.go index e5ef47c54..939f9ba44 100644 --- a/pkg/utils/pwd/aes.go +++ b/pkg/utils/pwd/aes.go 
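Review bot: The comment on EnableEncrypted, `Whether to encrypt the password`, describes the flag backwards: nothing in this series encrypts at runtime; the flag tells the loader that the stored value is ciphertext and must be decrypted before use. Suggest `// EnableEncrypted: when true, the configured password is ciphertext produced by the pwdEncrypter tool and is decrypted at startup.` and `// PwdEncrypter: name of the pkg/utils/pwd encrypter that produced the ciphertext; it must match the tool used to generate it.` The same wording is copied into the yaml testdata and examples, the devsds shell templates, and the KeystoneAuthToken struct these fields move to in patch 03.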
@@ -25,6 +25,10 @@ import ( type AES struct{} +func NewAES() *AES { + return &AES{} +} + var ( key = []byte("8RcY34!7dce3,cdcaeb*faeC3cd9fQfe") ) diff --git a/pkg/utils/pwd/pwd.go b/pkg/utils/pwd/pwd.go index 4b1a5e866..a694dd45a 100644 --- a/pkg/utils/pwd/pwd.go +++ b/pkg/utils/pwd/pwd.go @@ -14,16 +14,16 @@ package pwd -type PwdTool interface { +type PwdEncrypter interface { Encrypter(password string) (string, error) Decrypter(code string) (string, error) } -func NewPwdTool(tool string) PwdTool { - switch tool { +func NewPwdEncrypter(encrypter string) PwdEncrypter { + switch encrypter { case "aes": - return &AES{} + return NewAES() default: - return &AES{} + return NewAES() } } diff --git a/script/devsds/lib/opensds.sh b/script/devsds/lib/opensds.sh index 412a6d27d..1304a6c39 100644 --- a/script/devsds/lib/opensds.sh +++ b/script/devsds/lib/opensds.sh @@ -23,6 +23,12 @@ set +o xtrace osds:opensds:configuration(){ # Set global configuration. cat >> $OPENSDS_CONFIG_DIR/opensds.conf << OPENSDS_GLOBAL_CONFIG_DOC +[default] +# Whether to encrypt the password. If enabled, the value of the password must be ciphertext. +enable_encrypted = False +# Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. +pwd_encrypter = aes + [osdslet] api_endpoint = 0.0.0.0:50040 graceful = True @@ -35,8 +41,6 @@ auth_strategy = $OPENSDS_AUTH_STRATEGY https_enabled = False beego_https_cert_file = beego_https_key_file = -# Encryption and decryption tool. Default value is aes. -password_decrypt_tool = aes [osdsdock] api_endpoint = $HOST_IP:50050 diff --git a/script/tools/pwdEncrypter/README.md b/script/tools/pwdEncrypter/README.md new file mode 100644 index 000000000..352a8251e --- /dev/null +++ b/script/tools/pwdEncrypter/README.md 
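Review bot: NewAES binds every instance to the package-level `key` literal on the context line just below it, so the "encryption" hides passwords from a casual read of a config file but anyone with the binary or the source can decrypt every deployment's values; the constructor should say so rather than let callers assume confidentiality. Suggest `// NewAES returns an encrypter that uses the fixed key compiled into this package. It obscures passwords in config files but gives no protection against anyone holding the binary; keep file permissions on the config tight.` Longer term, loading the key from a restricted file or a key-management service per deployment would let it be rotated and would make the EnableEncrypted option mean what operators expect.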
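Review bot: NewPwdEncrypter still returns AES for any unrecognised name, so a typo in `pwd_encrypter`/`PwdEncrypter` (the pwdEncrypter.yaml introduced in patch 03 carries exactly such a value) silently produces AES ciphertext, and on the decrypt side silently runs AES on data that may not be AES, with no signal to the operator. Returning an error is the clearer contract: `func NewPwdEncrypter(encrypter string) (PwdEncrypter, error)` with `default: return nil, fmt.Errorf("unknown password encrypter %q", encrypter)`, leaving `case "aes"` as the only success path. Every caller in this series already propagates an error from `Decrypter`, so the extra return value fits them.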
@@ -0,0 +1,4 @@ +This is OpenSDS default AES password encryption tool. User can use this tool to get cipher text and shell scripts can call it for automatic encryption during the deployment process. Please use go build command to compile before use. + +AES encryption tool use guide: +./pwdEncrypter password \ No newline at end of file diff --git a/script/tools/pwdEncrypter/pwdEncrypter.go b/script/tools/pwdEncrypter/pwdEncrypter.go new file mode 100644 index 000000000..30695ae92 --- /dev/null +++ b/script/tools/pwdEncrypter/pwdEncrypter.go 
@@ -0,0 +1,66 @@ +// Copyright (c) 2019 Huawei Technologies Co., Ltd. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "fmt" + "os" + + config "github.com/opensds/opensds/pkg/utils/config" + "github.com/opensds/opensds/pkg/utils/pwd" + "github.com/spf13/cobra" +) + +var encrypterCommand = &cobra.Command{ + Use: "pwdEncrypter ", + Short: "password encryption tool", + Run: encrypter, +} + +func encrypter(cmd *cobra.Command, args []string) { + if len(args) == 0 { + cmd.Usage() + os.Exit(0) + } + + if len(args) != 1 { + fmt.Println("The number of args is not correct!") + cmd.Usage() + os.Exit(1) + } + + // Initialize configuration file + if config.CONF == nil { + fmt.Println("feafeaf") + config.CONF.Load("/etc/opensds/opensds.conf") + } + + // Encrypt the password + encrypterTool := pwd.NewPwdEncrypter(config.CONF.PwdEncrypter) + plaintext, err := encrypterTool.Encrypter(args[0]) + if err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) + } + + fmt.Println(plaintext) +} + +func main() { + if err := encrypterCommand.Execute(); err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) + } +} From 31889f68d54c08ded2029fe00286950fdb016e18 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 14:24:05 +0800 Subject: [PATCH 02/10] fix bugs --- contrib/backup/multicloud/driver_test.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
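Review bot: `encrypter` takes the secret as `args[0]`, so the password is written to shell history and is visible to every local user in the process list while the tool runs; reading it from stdin (`bufio.NewReader(os.Stdin)`) or an interactive terminal prompt keeps it off the command line, and the README's `./pwdEncrypter password` should then change accordingly. Inside the `config.CONF == nil` branch the code calls `config.CONF.Load(...)` on the nil it has just tested, and `fmt.Println("feafeaf")` is a leftover debug print. The variable `plaintext` holds the output of `Encrypter`, i.e. the ciphertext; naming it `ciphertext` avoids misleading the reader. `Use: "pwdEncrypter "` has a trailing space that cobra will reproduce in the usage line.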
diff --git a/contrib/backup/multicloud/driver_test.go b/contrib/backup/multicloud/driver_test.go index 9faea46f3..5b4a8a1a5 100644 --- a/contrib/backup/multicloud/driver_test.go +++ b/contrib/backup/multicloud/driver_test.go @@ -34,12 +34,14 @@ func TestLoadConf(t *testing.T) { Endpoint: "http://127.0.0.1:8088", UploadTimeout: DefaultUploadTimeout, AuthOptions: AuthOptions{ - Strategy: "keystone", - AuthUrl: "http://127.0.0.1/identity", - DomainName: "Default", - UserName: "admin", - Password: "opensds@123", - TenantName: "admin", + Strategy: "keystone", + AuthUrl: "http://127.0.0.1/identity", + DomainName: "Default", + UserName: "admin", + Password: "opensds@123", + TenantName: "admin", + PwdEncrypter: "aes", + EnableEncrypted: false, }, } fmt.Printf("%+v", conf) From bc2797aa425fd31e858026a13987ab4a031e1a35 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 16:16:40 +0800 Subject: [PATCH 03/10] fix bugs --- Makefile | 5 +--- pkg/api/filter/auth/keystone.go | 15 +++++++++- pkg/utils/config/config_define.go | 17 +++++------ pkg/utils/pwd/pwd.go | 5 ++++ script/devsds/lib/keystone.sh | 4 +++ script/devsds/lib/opensds.sh | 6 ---- script/tools/pwdEncrypter/README.md | 11 +++++-- script/tools/pwdEncrypter/pwdEncrypter.go | 33 +++++++++++++++++---- script/tools/pwdEncrypter/pwdEncrypter.yaml | 2 ++ 9 files changed, 70 insertions(+), 28 deletions(-) create mode 100644 script/tools/pwdEncrypter/pwdEncrypter.yaml diff --git a/Makefile b/Makefile index ae65c38c8..e92f71d32 100755 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ ubuntu-dev-setup: sudo apt-get update && sudo apt-get install -y \ build-essential gcc librados-dev librbd-dev -build:osdsdock osdslet osdsctl pwdEncrypter +build:osdsdock osdslet osdsctl prebuild: mkdir -p $(BUILD_DIR) 
@@ -42,9 +42,6 @@ osdslet: prebuild osdsctl: prebuild go build -o $(BUILD_DIR)/bin/osdsctl github.com/opensds/opensds/osdsctl -pwdEncrypter: prebuild - go build -o $(BUILD_DIR)/bin/pwdEncrypter github.com/opensds/opensds/script/tools/pwdEncrypter - docker: build cp $(BUILD_DIR)/bin/osdsdock ./cmd/osdsdock cp $(BUILD_DIR)/bin/osdslet ./cmd/osdslet diff --git a/pkg/api/filter/auth/keystone.go b/pkg/api/filter/auth/keystone.go index 126c5a444..a3ac2efd9 100644 --- a/pkg/api/filter/auth/keystone.go +++ b/pkg/api/filter/auth/keystone.go @@ -31,6 +31,7 @@ import ( "github.com/opensds/opensds/pkg/utils" "github.com/opensds/opensds/pkg/utils/config" "github.com/opensds/opensds/pkg/utils/constants" + "github.com/opensds/opensds/pkg/utils/pwd" ) func NewKeystone() AuthBase { @@ -49,11 +50,23 @@ type Keystone struct { func (k *Keystone) SetUp() error { c := config.CONF.KeystoneAuthToken + var pwdCiphertext = c.Password + + if c.EnableEncrypted { + // Decrypte the password + pwdTool := pwd.NewPwdEncrypter(c.PwdEncrypter) + password, err := pwdTool.Decrypter(pwdCiphertext) + if err != nil { + return err + } + pwdCiphertext = password + } + opts := gophercloud.AuthOptions{ IdentityEndpoint: c.AuthUrl, DomainName: c.UserDomainName, Username: c.Username, - Password: c.Password, + Password: pwdCiphertext, TenantName: c.ProjectName, } provider, err := openstack.AuthenticatedClient(opts) diff --git a/pkg/utils/config/config_define.go b/pkg/utils/config/config_define.go index e910e060d..22a0a375e 100755 --- a/pkg/utils/config/config_define.go +++ b/pkg/utils/config/config_define.go 
@@ -16,12 +16,7 @@ package config import "time" -type Default struct { - // Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. - PwdEncrypter string `conf:"pwd_encrypter,aes"` - // Whether to encrypt the password. If enabled, the value of the password must be ciphertext. - EnableEncrypted bool `conf:"enable_encrypted,false"` -} +type Default struct{} type OsdsLet struct { ApiEndpoint string `conf:"api_endpoint,localhost:50040"` @@ -79,9 +74,13 @@ type KeystoneAuthToken struct { ProjectName string `conf:"project_name"` UserDomainName string `conf:"user_domain_name"` Password string `conf:"password"` - Username string `conf:"username"` - AuthUrl string `conf:"auth_url"` - AuthType string `conf:"auth_type"` + // Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. + PwdEncrypter string `conf:"pwd_encrypter,aes"` + // Whether to encrypt the password. If enabled, the value of the password must be ciphertext. + EnableEncrypted bool `conf:"enable_encrypted,false"` + Username string `conf:"username"` + AuthUrl string `conf:"auth_url"` + AuthType string `conf:"auth_type"` } type Config struct { diff --git a/pkg/utils/pwd/pwd.go b/pkg/utils/pwd/pwd.go index a694dd45a..5da950957 100644 --- a/pkg/utils/pwd/pwd.go +++ b/pkg/utils/pwd/pwd.go @@ -14,6 +14,10 @@ package pwd +import ( + "fmt" +) + type PwdEncrypter interface { Encrypter(password string) (string, error) Decrypter(code string) (string, error) @@ -24,6 +28,7 @@ func NewPwdEncrypter(encrypter string) PwdEncrypter { case "aes": return NewAES() default: + fmt.Println("Use default encryption tool: aes.") return NewAES() } } diff --git a/script/devsds/lib/keystone.sh b/script/devsds/lib/keystone.sh index 684dad9bc..be5b20ccc 100644 --- a/script/devsds/lib/keystone.sh +++ b/script/devsds/lib/keystone.sh 
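Review bot: The `fmt.Println` added to the default branch of NewPwdEncrypter writes to the stdout of whatever binary imports pkg/utils/pwd (osdslet, osdsdock, the drivers, the pwdEncrypter tool), bypassing the project's logging, and it is the only sign that a misspelt `pwd_encrypter` value was ignored in favour of AES. Prefer surfacing this as an error from the constructor; if the silent default must stay for compatibility, route the message through the logger the rest of the server code uses and include the rejected value, along the lines of `"unknown password encrypter %q, using aes"`. The one-name import block `import ( "fmt" )` can be written `import "fmt"`, matching `import "time"` in config_define.go.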
@@ -77,6 +77,10 @@ project_domain_name = Default project_name = service user_domain_name = Default password = $STACK_PASSWORD +# Whether to encrypt the password. If enabled, the value of the password must be ciphertext. +enable_encrypted = False +# Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. +pwd_encrypter = aes username = $OPENSDS_SERVER_NAME auth_url = http://$KEYSTONE_IP/identity auth_type = password diff --git a/script/devsds/lib/opensds.sh b/script/devsds/lib/opensds.sh index 1304a6c39..5235f29a0 100644 --- a/script/devsds/lib/opensds.sh +++ b/script/devsds/lib/opensds.sh @@ -23,12 +23,6 @@ set +o xtrace osds:opensds:configuration(){ # Set global configuration. cat >> $OPENSDS_CONFIG_DIR/opensds.conf << OPENSDS_GLOBAL_CONFIG_DOC -[default] -# Whether to encrypt the password. If enabled, the value of the password must be ciphertext. -enable_encrypted = False -# Encryption and decryption tool. Default value is aes. The decryption tool can only decrypt the corresponding ciphertext. -pwd_encrypter = aes - [osdslet] api_endpoint = 0.0.0.0:50040 graceful = True diff --git a/script/tools/pwdEncrypter/README.md b/script/tools/pwdEncrypter/README.md index 352a8251e..d69ec6f27 100644 --- a/script/tools/pwdEncrypter/README.md +++ b/script/tools/pwdEncrypter/README.md 
@@ -1,4 +1,9 @@ -This is OpenSDS default AES password encryption tool. User can use this tool to get cipher text and shell scripts can call it for automatic encryption during the deployment process. Please use go build command to compile before use. +This is a password encryption tool provided by OpenSDS. User can use this tool to get cipher text and shell scripts can call it for automatic encryption during the deployment process. -AES encryption tool use guide: -./pwdEncrypter password \ No newline at end of file +Steps for usage: + +1: Use go build command to compile go source file. + +2: Modify the pwdEncrypter.yaml to choose encryption tool. + +3: Run ./pwdEncrypter password to get cipher text. \ No newline at end of file diff --git a/script/tools/pwdEncrypter/pwdEncrypter.go b/script/tools/pwdEncrypter/pwdEncrypter.go index 30695ae92..20a3d91be 100644 --- a/script/tools/pwdEncrypter/pwdEncrypter.go +++ b/script/tools/pwdEncrypter/pwdEncrypter.go @@ -18,11 +18,21 @@ import ( "fmt" "os" - config "github.com/opensds/opensds/pkg/utils/config" + "io/ioutil" + "github.com/opensds/opensds/pkg/utils/pwd" "github.com/spf13/cobra" + "gopkg.in/yaml.v2" +) + +const ( + confFile = "github.com/opensds/opensds/script/tools/pwdEncrypter/pwdEncrypter.yaml" ) +type tool struct { + encrypter string `yaml:"PwdEncrypter,omitempty"` +} + var encrypterCommand = &cobra.Command{ Use: "pwdEncrypter ", Short: "password encryption tool", 
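Review bot: `tool.encrypter` is unexported, so `yaml.Unmarshal` cannot set it and `pwdEncrypter.encrypter` is always empty; the new yaml file therefore has no effect and the tool silently uses AES whatever the operator chose. The field must be exported, `PwdEncrypter string \`yaml:"PwdEncrypter"\``, and the `omitempty` on a field that is only ever unmarshalled is inert. `confFile` is a Go import path, but `ioutil.ReadFile` treats it as a filesystem path relative to the working directory, where it will not exist unless the tool happens to be run from the GOPATH root; a path next to the binary or a `--conf` flag is what the README's `./pwdEncrypter password` implies.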
@@ -42,13 +52,14 @@ func encrypter(cmd *cobra.Command, args []string) { } // Initialize configuration file - if config.CONF == nil { - fmt.Println("feafeaf") - config.CONF.Load("/etc/opensds/opensds.conf") + pwdEncrypter, err := loadConf(confFile) + if err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) } // Encrypt the password - encrypterTool := pwd.NewPwdEncrypter(config.CONF.PwdEncrypter) + encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.encrypter) plaintext, err := encrypterTool.Encrypter(args[0]) if err != nil { fmt.Println("Encrypt password error:", err) @@ -58,6 +69,18 @@ func encrypter(cmd *cobra.Command, args []string) { fmt.Println(plaintext) } +func loadConf(f string) (*tool, error) { + var conf = &tool{} + confYaml, err := ioutil.ReadFile(f) + if err != nil { + return nil, fmt.Errorf("Read config yaml file (%s) failed, reason:(%v)", f, err) + } + if err = yaml.Unmarshal(confYaml, conf); err != nil { + return nil, fmt.Errorf("Parse error: %v", err) + } + return conf, nil +} + func main() { if err := encrypterCommand.Execute(); err != nil { fmt.Println("Encrypt password error:", err) diff --git a/script/tools/pwdEncrypter/pwdEncrypter.yaml b/script/tools/pwdEncrypter/pwdEncrypter.yaml new file mode 100644 index 000000000..adf8286b9 --- /dev/null +++ b/script/tools/pwdEncrypter/pwdEncrypter.yaml @@ -0,0 +1,2 @@ +# Encryption tool. Default value is aes. +PwdEncrypter: "fuck" \ No newline at end of file From fdefe741ea973b0f4008baaaaf4aba1939a03732 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 16:20:05 +0800 Subject: [PATCH 04/10] fix bug --- script/tools/pwdEncrypter/pwdEncrypter.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/tools/pwdEncrypter/pwdEncrypter.yaml b/script/tools/pwdEncrypter/pwdEncrypter.yaml index adf8286b9..fc1176c24 100644 --- a/script/tools/pwdEncrypter/pwdEncrypter.yaml +++ b/script/tools/pwdEncrypter/pwdEncrypter.yaml 
@@ -1,2 +1,2 @@ # Encryption tool. Default value is aes. -PwdEncrypter: "fuck" \ No newline at end of file +PwdEncrypter: "aes" \ No newline at end of file From 6b67811cd8332a83fbb767c4013e7efc2dd65153 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 17:48:46 +0800 Subject: [PATCH 05/10] Delete graceful and socket order options --- pkg/utils/config/config_define.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/utils/config/config_define.go b/pkg/utils/config/config_define.go index 7a184ef9f..4644685eb 100755 --- a/pkg/utils/config/config_define.go +++ b/pkg/utils/config/config_define.go @@ -20,8 +20,6 @@ type Default struct{} type OsdsApiServer struct { ApiEndpoint string `conf:"api_endpoint,localhost:50040"` - Graceful bool `conf:"graceful,true"` - SocketOrder string `conf:"socket_order"` AuthStrategy string `conf:"auth_strategy,noauth"` Daemon bool `conf:"daemon,false"` PolicyPath string `conf:"policy_path,/etc/opensds/policy.json"` From 61f14ac7a527ec6f63341e58cdeb9990aaf85773 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Wed, 13 Feb 2019 18:27:26 +0800 Subject: [PATCH 06/10] fix some encryption bugs --- script/devsds/install.sh | 2 +- script/tools/pwdEncrypter/pwdEncrypter.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/script/devsds/install.sh b/script/devsds/install.sh index 9f009d04f..4f1443ef7 100755 --- a/script/devsds/install.sh +++ b/script/devsds/install.sh @@ -157,7 +157,7 @@ echo echo "Execute commands blow to set up ENVs which are needed by OpenSDS CLI:" echo "------------------------------------------------------------------" echo "export OPENSDS_AUTH_STRATEGY=$OPENSDS_AUTH_STRATEGY" -echo "export OPENSDS_ENDPOINT=https://localhost:50040" +echo "export OPENSDS_ENDPOINT=http://localhost:50040" if osds::util::is_service_enabled keystone; then echo "source $DEV_STACK_DIR/openrc" fi 
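Review bot: The exported `OPENSDS_ENDPOINT` now hard-codes a plain `http://` scheme, which is only right while the generated opensds.conf has `https_enabled = False` (as the devsds template in this series writes it); the two settings live in different files and will drift the day HTTPS is switched on. Derive the scheme from the same variable that controls `https_enabled`, or at least tie the two together with a comment here, e.g. `# scheme must match https_enabled written by lib/opensds.sh`. The previous `https://` value was the mismatch this commit corrects, so the change itself is right; the point is keeping it from recurring.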
diff --git a/script/tools/pwdEncrypter/pwdEncrypter.go b/script/tools/pwdEncrypter/pwdEncrypter.go index 46cc41f91..dd087f8ed 100644 --- a/script/tools/pwdEncrypter/pwdEncrypter.go +++ b/script/tools/pwdEncrypter/pwdEncrypter.go @@ -30,7 +30,7 @@ const ( ) type tool struct { - encrypter string `yaml:"PwdEncrypter,omitempty"` + PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` } var encrypterCommand = &cobra.Command{ @@ -59,7 +59,7 @@ func encrypter(cmd *cobra.Command, args []string) { } // Encrypt the password - encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.encrypter) + encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.PwdEncrypter) plaintext, err := encrypterTool.Encrypter(args[0]) if err != nil { fmt.Println("Encrypt password error:", err) @@ -70,7 +70,7 @@ func encrypter(cmd *cobra.Command, args []string) { } func loadConf(f string) (*tool, error) { - var conf = &tool{} + conf := &tool{} confYaml, err := ioutil.ReadFile(f) if err != nil { return nil, fmt.Errorf("Read config yaml file (%s) failed, reason:(%v)", f, err) From 5e5fcb1241901863303d28995788b7b411b1ff4c Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Thu, 14 Feb 2019 15:57:10 +0800 Subject: [PATCH 07/10] Test encryption and decryption --- client/auth.go | 1 - script/devsds/lib/certificate.sh | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/client/auth.go b/client/auth.go index 3f2a1c3f5..c701635ca 100644 --- a/client/auth.go +++ b/client/auth.go @@ -103,7 +103,6 @@ func LoadKeystoneAuthOptionsFromEnv() *KeystoneAuthOptions { } opt.Password = pwdCiphertext - opt.TenantName = os.Getenv(OsTenantName) projectName := os.Getenv(OsProjectName) opt.DomainID = os.Getenv(OsUserDomainId) diff --git a/script/devsds/lib/certificate.sh b/script/devsds/lib/certificate.sh index 0f0923ad1..4f047ded8 100644 --- a/script/devsds/lib/certificate.sh +++ b/script/devsds/lib/certificate.sh 
@@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash # Copyright (c) 2019 Huawei Technologies Co., Ltd. All Rights Reserved. # From ac91a0a607893dcca054800df03a37c28b861218 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Thu, 14 Feb 2019 16:04:21 +0800 Subject: [PATCH 08/10] change file name and fix issue --- script/tools/pwdEncrypter/pwdencryptesr.go | 89 ++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 script/tools/pwdEncrypter/pwdencryptesr.go diff --git a/script/tools/pwdEncrypter/pwdencryptesr.go b/script/tools/pwdEncrypter/pwdencryptesr.go new file mode 100644 index 000000000..dd087f8ed --- /dev/null +++ b/script/tools/pwdEncrypter/pwdencryptesr.go 
@@ -0,0 +1,89 @@ +// Copyright (c) 2019 Huawei Technologies Co., Ltd. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "fmt" + "os" + + "io/ioutil" + + "github.com/opensds/opensds/pkg/utils/pwd" + "github.com/spf13/cobra" + "gopkg.in/yaml.v2" +) + +const ( + confFile = "./pwdEncrypter.yaml" +) + +type tool struct { + PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` +} + +var encrypterCommand = &cobra.Command{ + Use: "pwdEncrypter ", + Short: "password encryption tool", + Run: encrypter, +} + +func encrypter(cmd *cobra.Command, args []string) { + if len(args) == 0 { + cmd.Usage() + os.Exit(0) + } + + if len(args) != 1 { + fmt.Println("The number of args is not correct!") + cmd.Usage() + os.Exit(1) + } + + // Initialize configuration file + pwdEncrypter, err := loadConf(confFile) + if err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) + } + + // Encrypt the password + encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.PwdEncrypter) + plaintext, err := encrypterTool.Encrypter(args[0]) + if err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) + } + + fmt.Println(plaintext) +} + +func loadConf(f string) (*tool, error) { + conf := &tool{} + confYaml, err := ioutil.ReadFile(f) + if err != nil { + return nil, fmt.Errorf("Read config yaml file (%s) failed, reason:(%v)", f, err) + } + if err = yaml.Unmarshal(confYaml, conf); err != nil { + return nil, fmt.Errorf("Parse error: 
%v", err) + } + return conf, nil +} + +func main() { + if err := encrypterCommand.Execute(); err != nil { + fmt.Println("Encrypt password error:", err) + os.Exit(1) + } +} From 290695328c02bd0fa2a91669c7fb02620d58e438 Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Thu, 14 Feb 2019 16:05:49 +0800 Subject: [PATCH 09/10] delete file --- script/tools/pwdEncrypter/pwdencryptesr.go | 89 ---------------------- 1 file changed, 89 deletions(-) delete mode 100644 script/tools/pwdEncrypter/pwdencryptesr.go diff --git a/script/tools/pwdEncrypter/pwdencryptesr.go b/script/tools/pwdEncrypter/pwdencryptesr.go deleted file mode 100644 index dd087f8ed..000000000 --- a/script/tools/pwdEncrypter/pwdencryptesr.go +++ /dev/null 
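Review bot: `encrypter` takes the password it is about to protect from `args[0]`, so the plaintext secret is recorded in the caller's shell history and is readable by other local users through the process list while the tool runs; reading it from stdin when no argument is given avoids both exposures (sketched below — this also replaces the current no-argument behaviour of printing usage and exiting 0, and needs `bufio`, `io` and `strings` imported). In the same function the value returned by `encrypterTool.Encrypter` is stored in a variable named `plaintext` although it is the ciphertext being printed, and both `cmd.Usage()` calls drop the error they return. The file is byte-identical to pwdEncrypter.go (blob dd087f8ed in both the earlier hunks on this page and this one) and is deleted again in PATCH 09, so the remarks apply to the surviving copy.
```go
func encrypter(cmd *cobra.Command, args []string) {
	var secret string
	switch len(args) {
	case 0:
		// No argument: read the password from stdin so it never appears in argv or shell history.
		line, err := bufio.NewReader(os.Stdin).ReadString('\n')
		if err != nil && err != io.EOF {
			fmt.Println("Read password error:", err)
			os.Exit(1)
		}
		secret = strings.TrimRight(line, "\r\n")
	case 1:
		secret = args[0]
	default:
		fmt.Println("The number of args is not correct!")
		cmd.Usage()
		os.Exit(1)
	}
	// … unchanged: loadConf(confFile) and its error check …
	encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.PwdEncrypter)
	ciphertext, err := encrypterTool.Encrypter(secret)
	// … unchanged: error check and fmt.Println, using ciphertext …
```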
@@ -1,89 +0,0 @@ -// Copyright (c) 2019 Huawei Technologies Co., Ltd. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "fmt" - "os" - - "io/ioutil" - - "github.com/opensds/opensds/pkg/utils/pwd" - "github.com/spf13/cobra" - "gopkg.in/yaml.v2" -) - -const ( - confFile = "./pwdEncrypter.yaml" -) - -type tool struct { - PwdEncrypter string `yaml:"PwdEncrypter,omitempty"` -} - -var encrypterCommand = &cobra.Command{ - Use: "pwdEncrypter ", - Short: "password encryption tool", - Run: encrypter, -} - -func encrypter(cmd *cobra.Command, args []string) { - if len(args) == 0 { - cmd.Usage() - os.Exit(0) - } - - if len(args) != 1 { - fmt.Println("The number of args is not correct!") - cmd.Usage() - os.Exit(1) - } - - // Initialize configuration file - pwdEncrypter, err := loadConf(confFile) - if err != nil { - fmt.Println("Encrypt password error:", err) - os.Exit(1) - } - - // Encrypt the password - encrypterTool := pwd.NewPwdEncrypter(pwdEncrypter.PwdEncrypter) - plaintext, err := encrypterTool.Encrypter(args[0]) - if err != nil { - fmt.Println("Encrypt password error:", err) - os.Exit(1) - } - - fmt.Println(plaintext) -} - -func loadConf(f string) (*tool, error) { - conf := &tool{} - confYaml, err := ioutil.ReadFile(f) - if err != nil { - return nil, fmt.Errorf("Read config yaml file (%s) failed, reason:(%v)", f, err) - } - if err = yaml.Unmarshal(confYaml, conf); err != nil { - return nil, fmt.Errorf("Parse error: 
%v", err) - } - return conf, nil -} - -func main() { - if err := encrypterCommand.Execute(); err != nil { - fmt.Println("Encrypt password error:", err) - os.Exit(1) - } -} From 11496d175a1380238b58547737fd43ce37358d3a Mon Sep 17 00:00:00 2001 From: jack ma <625198232@qq.com> Date: Thu, 14 Feb 2019 16:14:56 +0800 Subject: [PATCH 10/10] change file name and fix issue --- .../tools/pwdEncrypter/{pwdEncrypter.go => passwordencrypter.go} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename script/tools/pwdEncrypter/{pwdEncrypter.go => passwordencrypter.go} (100%) diff --git a/script/tools/pwdEncrypter/pwdEncrypter.go b/script/tools/pwdEncrypter/passwordencrypter.go similarity index 100% rename from script/tools/pwdEncrypter/pwdEncrypter.go rename to script/tools/pwdEncrypter/passwordencrypter.go