// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.utils.crypt;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.EncryptableProperties;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.db.TransactionLegacy;
import com.cloud.utils.exception.CloudRuntimeException;
/*
* EncryptionSecretKeyChanger updates Management Secret Key / DB Secret Key or both.
* DB secret key is validated against the key in db.properties
* db.properties is updated with values encrypted using new MS secret key
* DB data migrated using new DB secret key
*/
public class EncryptionSecretKeyChanger {
private StandardPBEStringEncryptor oldEncryptor = new StandardPBEStringEncryptor();
private StandardPBEStringEncryptor newEncryptor = new StandardPBEStringEncryptor();
private static final String keyFile = "/etc/cloudstack/management/key";
public static void main(String[] args) {
List<String> argsList = Arrays.asList(args);
Iterator<String> iter = argsList.iterator();
String oldMSKey = null;
String oldDBKey = null;
String newMSKey = null;
String newDBKey = null;
//Parse command-line args
while (iter.hasNext()) {
String arg = iter.next();
// Old MS Key
if (arg.equals("-m")) {
oldMSKey = iter.next();
}
// Old DB Key
if (arg.equals("-d")) {
oldDBKey = iter.next();
}
// New MS Key
if (arg.equals("-n")) {
newMSKey = iter.next();
}
// New DB Key
if (arg.equals("-e")) {
newDBKey = iter.next();
}
}
if (oldMSKey == null || oldDBKey == null) {
System.out.println("Existing MS secret key or DB secret key is not provided");
usage();
return;
}
if (newMSKey == null && newDBKey == null) {
System.out.println("New MS secret key and DB secret are both not provided");
usage();
return;
}
final File dbPropsFile = PropertiesUtil.findConfigFile("db.properties");
final Properties dbProps;
EncryptionSecretKeyChanger keyChanger = new EncryptionSecretKeyChanger();
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
keyChanger.initEncryptor(encryptor, oldMSKey);
dbProps = new EncryptableProperties(encryptor);
PropertiesConfiguration backupDBProps = null;
System.out.println("Parsing db.properties file");
try(FileInputStream db_prop_fstream = new FileInputStream(dbPropsFile);) {
dbProps.load(db_prop_fstream);
backupDBProps = new PropertiesConfiguration(dbPropsFile);
} catch (FileNotFoundException e) {
System.out.println("db.properties file not found while reading DB secret key" + e.getMessage());
} catch (IOException e) {
System.out.println("Error while reading DB secret key from db.properties" + e.getMessage());
} catch (ConfigurationException e) {
e.printStackTrace();
}
String dbSecretKey = null;
try {
dbSecretKey = dbProps.getProperty("db.cloud.encrypt.secret");
} catch (EncryptionOperationNotPossibleException e) {
System.out.println("Failed to decrypt existing DB secret key from db.properties. " + e.getMessage());
return;
}
if (!oldDBKey.equals(dbSecretKey)) {
System.out.println("Incorrect MS Secret Key or DB Secret Key");
return;
}
System.out.println("Secret key provided matched the key in db.properties");
final String encryptionType = dbProps.getProperty("db.cloud.encryption.type");
if (newMSKey == null) {
System.out.println("No change in MS Key. Skipping migrating db.properties");
} else {
if (!keyChanger.migrateProperties(dbPropsFile, dbProps, newMSKey, newDBKey)) {
System.out.println("Failed to update db.properties");
return;
} else {
//db.properties updated successfully
if (encryptionType.equals("file")) {
//update key file with new MS key
try (FileWriter fwriter = new FileWriter(keyFile);
BufferedWriter bwriter = new BufferedWriter(fwriter);)
{
bwriter.write(newMSKey);
} catch (IOException e) {
System.out.println("Failed to write new secret to file. Please update the file manually");
}
}
}
}
boolean success = false;
if (newDBKey == null || newDBKey.equals(oldDBKey)) {
System.out.println("No change in DB Secret Key. Skipping Data Migration");
} else {
EncryptionSecretKeyChecker.initEncryptorForMigration(oldMSKey);
try {
success = keyChanger.migrateData(oldDBKey, newDBKey);
} catch (Exception e) {
System.out.println("Error during data migration");
e.printStackTrace();
success = false;
}
}
if (success) {
System.out.println("Successfully updated secret key(s)");
} else {
System.out.println("Data Migration failed. Reverting db.properties");
//revert db.properties
try {
backupDBProps.save();
} catch (ConfigurationException e) {
e.printStackTrace();
}
if (encryptionType.equals("file")) {
//revert secret key in file
try (FileWriter fwriter = new FileWriter(keyFile);
BufferedWriter bwriter = new BufferedWriter(fwriter);)
{
bwriter.write(oldMSKey);
} catch (IOException e) {
System.out.println("Failed to revert to old secret to file. Please update the file manually");
}
}
}
}
private boolean migrateProperties(File dbPropsFile, Properties dbProps, String newMSKey, String newDBKey) {
System.out.println("Migrating db.properties..");
StandardPBEStringEncryptor msEncryptor = new StandardPBEStringEncryptor();
;
initEncryptor(msEncryptor, newMSKey);
try {
PropertiesConfiguration newDBProps = new PropertiesConfiguration(dbPropsFile);
if (newDBKey != null && !newDBKey.isEmpty()) {
newDBProps.setProperty("db.cloud.encrypt.secret", "ENC(" + msEncryptor.encrypt(newDBKey) + ")");
}
String prop = dbProps.getProperty("db.cloud.password");
if (prop != null && !prop.isEmpty()) {
newDBProps.setProperty("db.cloud.password", "ENC(" + msEncryptor.encrypt(prop) + ")");
}
prop = dbProps.getProperty("db.usage.password");
if (prop != null && !prop.isEmpty()) {
newDBProps.setProperty("db.usage.password", "ENC(" + msEncryptor.encrypt(prop) + ")");
}
newDBProps.save(dbPropsFile.getAbsolutePath());
} catch (Exception e) {
e.printStackTrace();
return false;
}
System.out.println("Migrating db.properties Done.");
return true;
}
private boolean migrateData(String oldDBKey, String newDBKey) {
System.out.println("Begin Data migration");
initEncryptor(oldEncryptor, oldDBKey);
initEncryptor(newEncryptor, newDBKey);
System.out.println("Initialised Encryptors");
TransactionLegacy txn = TransactionLegacy.open("Migrate");
txn.start();
try {
Connection conn;
try {
conn = txn.getConnection();
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to migrate encrypted data in the database", e);
}
migrateConfigValues(conn);
migrateHostDetails(conn);
migrateVNCPassword(conn);
migrateUserCredentials(conn);
txn.commit();
} finally {
txn.close();
}
System.out.println("End Data migration");
return true;
}
private void initEncryptor(StandardPBEStringEncryptor encryptor, String secretKey) {
encryptor.setAlgorithm("PBEWithMD5AndDES");
SimpleStringPBEConfig stringConfig = new SimpleStringPBEConfig();
stringConfig.setPassword(secretKey);
encryptor.setConfig(stringConfig);
}
private String migrateValue(String value) {
if (value == null || value.isEmpty()) {
return value;
}
String decryptVal = oldEncryptor.decrypt(value);
return newEncryptor.encrypt(decryptVal);
}
private void migrateConfigValues(Connection conn) {
System.out.println("Begin migrate config values");
try(PreparedStatement select_pstmt = conn.prepareStatement("select name, value from configuration where category in ('Hidden', 'Secure')");
ResultSet rs = select_pstmt.executeQuery();
PreparedStatement update_pstmt = conn.prepareStatement("update configuration set value=? where name=?");
) {
while (rs.next()) {
String name = rs.getString(1);
String value = rs.getString(2);
if (value == null || value.isEmpty()) {
continue;
}
String encryptedValue = migrateValue(value);
update_pstmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
update_pstmt.setString(2, name);
update_pstmt.executeUpdate();
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to update configuration values ", e);
} catch (UnsupportedEncodingException e) {
throw new CloudRuntimeException("Unable to update configuration values ", e);
}
System.out.println("End migrate config values");
}
private void migrateHostDetails(Connection conn) {
System.out.println("Begin migrate host details");
try( PreparedStatement sel_pstmt = conn.prepareStatement("select id, value from host_details where name = 'password'");
ResultSet rs = sel_pstmt.executeQuery();
PreparedStatement pstmt = conn.prepareStatement("update host_details set value=? where id=?");
) {
while (rs.next()) {
long id = rs.getLong(1);
String value = rs.getString(2);
if (value == null || value.isEmpty()) {
continue;
}
String encryptedValue = migrateValue(value);
pstmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
pstmt.setLong(2, id);
pstmt.executeUpdate();
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable update host_details values ", e);
} catch (UnsupportedEncodingException e) {
throw new CloudRuntimeException("Unable update host_details values ", e);
}
System.out.println("End migrate host details");
}
private void migrateVNCPassword(Connection conn) {
System.out.println("Begin migrate VNC password");
try(PreparedStatement select_pstmt = conn.prepareStatement("select id, vnc_password from vm_instance");
ResultSet rs = select_pstmt.executeQuery();
PreparedStatement pstmt = conn.prepareStatement("update vm_instance set vnc_password=? where id=?");
) {
while (rs.next()) {
long id = rs.getLong(1);
String value = rs.getString(2);
if (value == null || value.isEmpty()) {
continue;
}
String encryptedValue = migrateValue(value);
pstmt.setBytes(1, encryptedValue.getBytes("UTF-8"));
pstmt.setLong(2, id);
pstmt.executeUpdate();
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable update vm_instance vnc_password ", e);
} catch (UnsupportedEncodingException e) {
throw new CloudRuntimeException("Unable update vm_instance vnc_password ", e);
}
System.out.println("End migrate VNC password");
}
private void migrateUserCredentials(Connection conn) {
System.out.println("Begin migrate user credentials");
try(PreparedStatement select_pstmt = conn.prepareStatement("select id, secret_key from user");
ResultSet rs = select_pstmt.executeQuery();
PreparedStatement pstmt = conn.prepareStatement("update user set secret_key=? where id=?");
) {
while (rs.next()) {
long id = rs.getLong(1);
String secretKey = rs.getString(2);
if (secretKey == null || secretKey.isEmpty()) {
continue;
}
String encryptedSecretKey = migrateValue(secretKey);
pstmt.setBytes(1, encryptedSecretKey.getBytes("UTF-8"));
pstmt.setLong(2, id);
pstmt.executeUpdate();
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable update user secret key ", e);
} catch (UnsupportedEncodingException e) {
throw new CloudRuntimeException("Unable update user secret key ", e);
}
System.out.println("End migrate user credentials");
}
private static void usage() {
System.out.println("Usage: \tEncryptionSecretKeyChanger \n" + "\t\t-m <Mgmt Secret Key> \n" + "\t\t-d <DB Secret Key> \n" + "\t\t-n [New Mgmt Secret Key] \n"
+ "\t\t-e [New DB Secret Key]");
}
}