security patch for credential info

cloud-barista · Jun 1, 2020 · 21bd87c · 21bd87c
1 parent 818c211
commit 21bd87c
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 3 deletions.
diff --git a/cloud-control-manager/CloudDriverHandler.go b/cloud-control-manager/CloudDriverHandler.go
@@ -103,7 +103,7 @@ func GetCloudConnection(cloudConnectName string) (icon.CloudConnection, error) {
 		return nil, err
 	}
 
-	crdInfo, err := cim.GetCredential(cccInfo.CredentialName)
+	crdInfo, err := cim.GetCredentialDecrypt(cccInfo.CredentialName)
 	if err != nil {
 		return nil, err
 	}

diff --git a/cloud-info-manager/credential-info-manager/CredentialInfoManager.go b/cloud-info-manager/credential-info-manager/CredentialInfoManager.go
@@ -14,6 +14,12 @@ import (
 	"github.com/cloud-barista/cb-store/config"
 	icbs "github.com/cloud-barista/cb-store/interfaces"
 	"github.com/sirupsen/logrus"
+
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
 )
 
 var cblog *logrus.Logger
@@ -42,8 +48,7 @@ func RegisterCredentialInfo(crdInfo CredentialInfo) (*CredentialInfo, error) {
 // 2. insert them into cb-store
 func RegisterCredential(credentialName string, providerName string, keyValueInfoList []icbs.KeyValue) (*CredentialInfo, error) {
 	cblog.Info("call RegisterCredential()")
-
-	cblog.Debug("check params")
+cblog.Debug("check params")
 	err := checkParams(credentialName, providerName, keyValueInfoList)
 	if err != nil {
 		return nil, err
@@ -52,6 +57,11 @@ func RegisterCredential(credentialName string, providerName string, keyValueInfo
 
 	cblog.Debug("insert metainfo into store")
 
+        err = encryptKeyValueList(keyValueInfoList)
+        if err != nil {
+                return &CredentialInfo{}, err
+	}
+
 	err = insertInfo(credentialName, providerName, keyValueInfoList)
 	if err != nil {
 		cblog.Error(err)
@@ -91,6 +101,95 @@ func GetCredential(credentialName string) (*CredentialInfo, error) {
 	return crdInfo, err
 }
 
+// 1. check params
+// 2. get CredentialInfo from cb-store
+// 3. decrypt CrednetialInfo
+func GetCredentialDecrypt(credentialName string) (*CredentialInfo, error) {
+        cblog.Info("call GetCredential()")
+
+        if credentialName == "" {
+                return nil, fmt.Errorf("CredentialName is empty!")
+        }
+
+        crdInfo, err := getInfo(credentialName)
+        if err != nil {
+                cblog.Error(err)
+                return nil, err
+        }
+
+	err = decryptKeyValueList(crdInfo.KeyValueInfoList)	
+	if err != nil {
+		return &CredentialInfo{}, err
+	}
+	return crdInfo, nil
+}
+
+// @todo env by powerkim, 2020.06.01.
+var key = []byte("cloud-barista-cb-spider-cloud-ba") // 32 bytes
+
+func encryptKeyValueList(keyValueInfoList []icbs.KeyValue) error {
+
+        for i, kv := range keyValueInfoList {
+                encb, err := encrypt(key, []byte(kv.Value))
+                kv.Value = string(encb)
+                if err != nil {
+                        return err
+                }
+                keyValueInfoList[i] = kv
+        }
+        return  nil
+}
+
+func decryptKeyValueList(keyValueInfoList []icbs.KeyValue) error {
+
+	for i, kv := range keyValueInfoList {
+		decb, err := decrypt(key, []byte(kv.Value))
+		kv.Value = string(decb)
+		if err != nil {
+			return err
+		}
+		keyValueInfoList[i] = kv
+	}
+	return nil	
+}
+
+func encrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	b := base64.StdEncoding.EncodeToString(text)
+	ciphertext := make([]byte, aes.BlockSize+len(b))
+	iv := ciphertext[:aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	cfb := cipher.NewCFBEncrypter(block, iv)
+	cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b))
+	return ciphertext, nil
+}
+
+func decrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	if len(text) < aes.BlockSize {
+		err := fmt.Errorf("decryption: " + "ciphertext too short")
+		cblog.Error(err)
+		return nil, err
+	}
+	iv := text[:aes.BlockSize]
+	text = text[aes.BlockSize:]
+	cfb := cipher.NewCFBDecrypter(block, iv)
+	cfb.XORKeyStream(text, text)
+	data, err := base64.StdEncoding.DecodeString(string(text))
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
 func UnRegisterCredential(credentialName string) (bool, error) {
 	cblog.Info("call UnRegisterCredential()")