From 28309c1a2d37d8ec3b3e3bfdbce1afda1c33ca28 Mon Sep 17 00:00:00 2001
From: Tyler Moore
Date: Mon, 3 Apr 2023 14:09:23 -0400
Subject: [PATCH] v0.72 Release Bug Fix
- fix bad hash algorithm implementation in the CLI functions
- fix schema migration issues on `dsip_settings` table
- fix edge cases where bootstrapping failed
# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored, and an empty message aborts the commit.
#
# On branch v0.72
# Your branch is up to date with 'origin/v0.72'.
#
# Changes to be committed:
# modified: dsiprouter/dsip_lib.sh
# modified: resources/upgrade/v0.72/scripts/bootstrap.sh
# modified: resources/upgrade/v0.72/scripts/migrate.sh
#
---
 dsiprouter.sh | 2 +-
 dsiprouter/dsip_lib.sh | 28 +-
 resources/upgrade/v0.72/scripts/bootstrap.sh | 15 +-
 resources/upgrade/v0.72/scripts/migrate.sh | 357 +++----------------
 4 files changed, 77 insertions(+), 325 deletions(-)
diff --git a/dsiprouter.sh b/dsiprouter.sh
index e118694d..35e4e092 100755
--- a/dsiprouter.sh
+++ b/dsiprouter.sh
@@ -2841,7 +2841,7 @@ function upgrade() {
 # check if the new function definitions need bootstrapped prior to upgrade
 if (( $BOOTSTRAPPING_UPGRADE == 0 )) && curl -sf -I "$BS_SCRIPT_URL" -o /dev/null; then
- curl -s "$BS_SCRIPT_URL" | bash -s upgrade -rel ${UPGRADE_RELEASE}
+ curl -s "$BS_SCRIPT_URL" | bash
 return $?
 fi
diff --git a/dsiprouter/dsip_lib.sh b/dsiprouter/dsip_lib.sh
index 73e8ca35..759685cd 100644
--- a/dsiprouter/dsip_lib.sh
+++ b/dsiprouter/dsip_lib.sh
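Review bot: `curl -s "$BS_SCRIPT_URL" | bash` still runs without `-f`, so a non-2xx response body (or a body truncated by a dropped connection) is handed to bash, and `return $?` reports bash's status rather than curl's because nothing in this hunk sets `pipefail`; the `curl -sf -I` pre-check only validates the HEAD request, not the GET that follows. Propagate the fetch failure explicitly, for example `curl -sSf "$BS_SCRIPT_URL" | bash; local rc=("${PIPESTATUS[@]}"); return $(( rc[0] != 0 ? rc[0] : rc[1] ))`. Whether the URL is restricted to HTTPS is not visible here; if it is not, adding `--proto '=https'` to the curl call keeps a plain-http or redirected fetch from being executed. upgrade() continues outside the hunk.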
@@ -28,10 +28,10 @@ DSIP_PROJECT_DIR=${DSIP_PROJECT_DIR:-$(git rev-parse --show-toplevel 2>/dev/null
 export DSIP_PROJECT_DIR=${DSIP_PROJECT_DIR:-$(dirname $(dirname $(readlink -f "$BASH_SOURCE")))}
 # reuse credential settings from python files (exported for later usage)
-SALT_LEN=${SALT_LEN:-$(grep -m 1 -oP 'SALT_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
-DK_LEN_DEFAULT=${DK_LEN_DEFAULT:-$(grep -m 1 -oP 'DK_LEN_DEFAULT[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
-CREDS_MAX_LEN=${CREDS_MAX_LEN:-$(grep -m 1 -oP 'CREDS_MAX_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
-HASH_ITERATIONS=${HASH_ITERATIONS:-$(grep -m 1 -oP 'HASH_ITERATIONS[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
+export SALT_LEN=${SALT_LEN:-$(grep -m 1 -oP 'SALT_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
+export DK_LEN_DEFAULT=${DK_LEN_DEFAULT:-$(grep -m 1 -oP 'DK_LEN_DEFAULT[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
+export CREDS_MAX_LEN=${CREDS_MAX_LEN:-$(grep -m 1 -oP 'CREDS_MAX_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
+export HASH_ITERATIONS=${HASH_ITERATIONS:-$(grep -m 1 -oP 'HASH_ITERATIONS[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
 export HASHED_CREDS_ENCODED_MAX_LEN=${HASHED_CREDS_ENCODED_MAX_LEN:-$(grep -m 1 -oP 'HASHED_CREDS_ENCODED_MAX_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
 export AESCTR_CREDS_ENCODED_MAX_LEN=${AESCTR_CREDS_ENCODED_MAX_LEN:-$(grep -m 1 -oP 'AESCTR_CREDS_ENCODED_MAX_LEN[ \t]+=[ \t]+\K[0-9]+' ${DSIP_PROJECT_DIR}/gui/util/security.py)}
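Review bot: Each of the four newly exported values still falls back to an empty string when the grep matches nothing or `${DSIP_PROJECT_DIR}/gui/util/security.py` is absent, and nothing in this block fails; an empty `HASH_ITERATIONS` or `DK_LEN_DEFAULT` then surfaces only later inside hashCreds (the removed line in the next hunk shows them interpolated as `iterations=$HASH_ITERATIONS, dklen=$DK_LEN`), far from the cause. A fail-fast assertion after the block, e.g. `: "${HASH_ITERATIONS:?HASH_ITERATIONS not found in security.py}"` and the same for the other three, would make that failure mode explicit at its source. The path argument is also unquoted on every line; `"${DSIP_PROJECT_DIR}/gui/util/security.py"` avoids word-splitting if the project directory ever contains whitespace.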
@@ -1116,16 +1116,18 @@ function parseDBConnURI() { } export -f parseDBConnURI -# $1 == number of characters to get -# output: string of random printable characters +# usage: urandomChars [options] [args] +# options: -f == characters to allow +# args: $1 == number of characters to get +# output: string of random printable characters function urandomChars() { local LEN=32 FILTER="a-zA-Z0-9" while (( $# > 0 )); do # last arg is length - if (( $# == 1 )) && [[ -z "$CREDS" ]]; then - LEN="$1" - shift + if (( $# == 1 )); then + LEN="$1" + shift break fi @@ -1230,7 +1232,13 @@ function hashCreds() { # python native version # no external dependencies other than vanilla python3 - ${PYTHON} -c "import hashlib,binascii; print(binascii.hexlify(hashlib.pbkdf2_hmac('sha512', '$CREDS'.encode('utf-8'), '$SALT'.encode('utf-8'), iterations=$HASH_ITERATIONS, dklen=$DK_LEN)).decode('utf-8'));" + ${PYTHON} </dev/null -git clone --depth 1 -b "$TAG_NAME" "$REPO_URL" /tmp/dsiprouter -ln -sf /tmp/dsiprouter/resources/upgrade /opt/dsiprouter/resources/upgrade -. /tmp/dsiprouter/dsiprouter/dsip_lib.sh -. /tmp/dsiprouter/dsiprouter.sh upgrade -rel v0.72 +rm -rf "$DSIP_PROJECT_DIR" 2>/dev/null +git clone --depth 1 -b "$TAG_NAME" "$REPO_URL" "$DSIP_PROJECT_DIR" +${DSIP_PROJECT_DIR}/dsiprouter.sh upgrade -rel v0.72 diff --git a/resources/upgrade/v0.72/scripts/migrate.sh b/resources/upgrade/v0.72/scripts/migrate.sh index 0dbfe61d..616d1af5 100755 --- a/resources/upgrade/v0.72/scripts/migrate.sh +++ b/resources/upgrade/v0.72/scripts/migrate.sh 
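Review bot: The simplified branch `if (( $# == 1 )); then LEN="$1"` assigns whatever the last argument is as the length, so a non-numeric value (for instance a dangling `-f` with no filter after it) becomes LEN and only fails, if at all, in the consumer of LEN further down the function, which is outside this hunk. Validating before assigning keeps the error at its source: `[[ "$1" =~ ^[0-9]+$ ]] || { printf 'urandomChars: invalid length %s\n' "$1" >&2; return 1; }`. The new usage comment could also state the default the code sets, e.g. `# args: $1 == number of characters to get (default: 32)`. The hashCreds hunk further along this line is truncated in this view and is not reviewed here.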
@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
 # set project dir (where src files are located)
-export DSIP_PROJECT_DIR=/opt/dsiprouter
+export DSIP_PROJECT_DIR=${DSIP_PROJECT_DIR:-/opt/dsiprouter}
 # import dsip_lib utility / shared functions
 if [[ "$DSIP_LIB_IMPORTED" != "1" ]]; then
- if (( ${BOOTSTRAPPING_UPGRADE:-0} == 1 )); then
- . /tmp/dsiprouter/dsiprouter/dsip_lib.sh
- else
- . ${DSIP_PROJECT_DIR}/dsiprouter/dsip_lib.sh
- fi
+ . ${DSIP_PROJECT_DIR}/dsiprouter/dsip_lib.sh
 fi
 printdbg 'backing up configs just in case the upgrade fails'
@@ -126,10 +122,15 @@ encryptCreds() { (
 else
 cd ${DSIP_PROJECT_DIR}/gui
 fi
- python3 -c "from util.security import AES_CTR; print(AES_CTR.encrypt('$1').decode('utf-8'));"
+ python3 -c "from util.security import AES_CTR; print(AES_CTR.encrypt('$1').decode('utf-8'), end='');"
 )
 }
+DSIP_PASSWORD_HASH=$(hashCreds "$DSIP_PASSWORD")
+DSIP_API_TOKEN_CIPHERTEXT=$(encryptCreds "$DSIP_API_TOKEN")
+DSIP_IPC_PASS_CIPHERTEXT=$(encryptCreds "$DSIP_IPC_PASS")
+KAM_DB_PASS_CIPHERTEXT=$(encryptCreds "$KAM_DB_PASS")
+MAIL_PASSWORD_CIPHERTEXT=$(encryptCreds "$MAIL_PASSWORD")
+ROOT_DB_PASS_CIPHERTEXT=$(encryptCreds "$ROOT_DB_PASS")
-# TODO: does not support multiple rows in dsip_settings table (cluster upgrade not supported yet)
 printdbg 'migrating database schema'
 (
 cat <<'EOF'
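Review bot: The new assignments `DSIP_API_TOKEN_CIPHERTEXT=$(encryptCreds "$DSIP_API_TOKEN")` and their siblings feed each secret into `python3 -c "... AES_CTR.encrypt('$1') ..."`, which splices the plaintext into Python source: a value containing a single quote or backslash breaks the snippet or changes what gets encrypted, and the plaintext is exposed as a python argument in the process list for the duration of the call. Passing it through the environment avoids both, e.g. `DSIP_PLAINTEXT="$1" python3 -c "import os; from util.security import AES_CTR; print(AES_CTR.encrypt(os.environ['DSIP_PLAINTEXT']).decode('utf-8'), end='');"`. Separately, `$(...)` discards the helper's exit status, so if hashCreds or encryptCreds fails the variable is silently empty and presumably ends up in the SQL emitted later in the script (not visible here); `|| exit 1` on each of the six assignments would abort the migration instead. The hashCreds helper itself is defined outside this hunk.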
@@ -153,287 +154,6 @@ ALTER TABLE dr_rules
 ALTER TABLE dsip_cdrinfo
 MODIFY email VARCHAR(255) NOT NULL DEFAULT '';
-UPDATE dsip_settings
- SET DSIP_ID='',
- SET DSIP_PASSWORD='',
- SET DSIP_IPC_PASS='',
- SET DSIP_API_TOKEN='',
- SET KAM_DB_PASS='',
- SET MAIL_PASSWORD='';
-
-ALTER TABLE dsip_settings
- MODIFY DSIP_ID VARBINARY(128) COLLATE 'binary' NOT NULL,
- MODIFY DSIP_PASSWORD VARBINARY(128) COLLATE 'binary' NOT NULL,
- MODIFY DSIP_IPC_PASS VARBINARY(160) COLLATE 'binary' NOT NULL,
- MODIFY DSIP_API_TOKEN VARBINARY(160) COLLATE 'binary' NOT NULL,
- DROP IF EXISTS SQLALCHEMY_TRACK_MODIFICATIONS,
- DROP IF EXISTS SQLALCHEMY_SQL_DEBUG,
- MODIFY VERSION VARCHAR(32) NOT NULL,
- MODIFY KAM_DB_PASS VARBINARY(160) COLLATE 'binary' NOT NULL,
- MODIFY MAIL_PASSWORD VARBINARY (160) COLLATE 'binary' NOT NULL,
- ADD IF NOT EXISTS HOMER_ID INT NOT NULL AFTER FLOWROUTE_API_ROOT_URL,
- ADD IF NOT EXISTS NETWORK_MODE INT NOT NULL DEFAULT 0 AFTER HOMER_HEP_PORT,
- ADD IF NOT EXISTS INTERNAL_FQDN VARCHAR (255) NOT NULL DEFAULT '' AFTER INTERNAL_IP6_NET,
- ADD IF NOT EXISTS PUBLIC_IFACE VARCHAR (255) NOT NULL DEFAULT '' AFTER EXTERNAL_FQDN,
- ADD IF NOT EXISTS PRIVATE_IFACE VARCHAR (255) NOT NULL DEFAULT '' AFTER PUBLIC_IFACE,
- ADD IF NOT EXISTS DSIP_CORE_LICENSE VARBINARY (160) COLLATE 'binary' NOT NULL,
- ADD IF NOT EXISTS DSIP_STIRSHAKEN_LICENSE VARBINARY (160) COLLATE 'binary' NOT NULL,
- ADD IF NOT EXISTS DSIP_TRANSNEXUS_LICENSE VARBINARY (160) COLLATE 'binary' NOT NULL,
- ADD IF NOT EXISTS DSIP_MSTEAMS_LICENSE VARBINARY (160) COLLATE 'binary' NOT NULL;
-EOF
-
-cat <