Added patch to store barbican data in ascii format in DB

Currently Barbican stores base64 encoded secret data (plugin_meta and cypher_text) as hex bytes in database. But when these data is retrieved from database for base64 decoding, it is not converted back to ascii format, causing the decoding failed with error: binascii.Error: Invalid base64-encoded string: number of data characters (273) cannot be 1 more than a multiple of 4. This commit added a patch to Barbican to store these data in ascii format in the database so they can be decoded when retrieved. Test Plan for Debian: PASS: trigger mtcAgent to store a password secret in Barbican by system host-update controller-0 bm_type=dynamic bm_ip=<bm IP> bm_username=root bm_password=root. PASS: retrieve the secret with "--payload" option by openstack secret get <secret URL> --payload. PASS: AIO-SX deployment and unlock. Closes-Bug: 1975611 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: I1c2fa112caa8700b1c21130aec041fd7d2a52a19
2022-05-24 12:15:06 -04:00 · 2022-05-24 12:15:06 -04:00 · ccf9416b74
commit ccf9416b74
parent 453fe66e2b
2 changed files with 37 additions and 0 deletions
--- a/openstack/barbican/debian/patches/0001-Store-secret-data-in-ascii-format-in-DB.patch
+++ b/openstack/barbican/debian/patches/0001-Store-secret-data-in-ascii-format-in-DB.patch
@ -0,0 +1,36 @@
+From 754fc74974be3b854173f7ce51ed0e248eb24b03 Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Tue, 24 May 2022 10:33:02 -0400
+Subject: [PATCH] Store secret data in ascii format in DB
+
+Store secret data (plugin_meta and cypher_text) in ascii format
+instead of hex format in database.
+
+Signed-off-by: Andy Ning <andy.ning@windriver.com>
+---
+ barbican/plugin/store_crypto.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/barbican/plugin/store_crypto.py b/barbican/plugin/store_crypto.py
+index c13e59c..843d5a8 100644
+--- a/barbican/plugin/store_crypto.py
+++ b/barbican/plugin/store_crypto.py
+@@ -311,7 +311,8 @@ def _store_secret_and_datum(
+     # setup and store encrypted datum
+     datum_model = models.EncryptedDatum(secret_model, kek_datum_model)
+     datum_model.content_type = context.content_type
+-    datum_model.cypher_text = base64.b64encode(generated_dto.cypher_text)
+    datum_model.cypher_text = \
+        base64.b64encode(generated_dto.cypher_text).decode('utf-8')
+     datum_model.kek_meta_extended = generated_dto.kek_meta_extended
+     repositories.get_encrypted_datum_repository().create_from(
+         datum_model)
+@@ -333,4 +334,4 @@ def _indicate_bind_completed(kek_meta_dto, kek_datum):
+     kek_datum.algorithm = kek_meta_dto.algorithm
+     kek_datum.bit_length = kek_meta_dto.bit_length
+     kek_datum.mode = kek_meta_dto.mode
+-    kek_datum.plugin_meta = kek_meta_dto.plugin_meta
+    kek_datum.plugin_meta = kek_meta_dto.plugin_meta.decode('utf-8')
+-- 
+2.25.1
+
--- a/openstack/barbican/debian/patches/series
+++ b/openstack/barbican/debian/patches/series
@ -0,0 +1 @@
+0001-Store-secret-data-in-ascii-format-in-DB.patch
				`@ -0,0 +1 @@`
				`0001-Store-secret-data-in-ascii-format-in-DB.patch`