Support PhabricatorOpaqueEnvelope for managing database passwords

Summary: Currently, MySQL/MySQLi connections store passwords in plain text on the object. Allow them to be stored in PhutilOpaqueEnvelopes instead. See D3053. Test Plan: Loaded site. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D3054
2024-11-09 16:32:39 +01:00 · 2012-07-24 11:13:53 -07:00 · 2012-07-24 11:13:53 -07:00 · 27f6cc3b27
commit 27f6cc3b27
parent 5d4a6bcf95
4 changed files with 18 additions and 4 deletions
--- a/scripts/sql/manage_storage.php
+++ b/scripts/sql/manage_storage.php
@ -38,7 +38,6 @@ $args->parseStandardArguments();
 $conf = PhabricatorEnv::newObjectFromConfig('mysql.configuration-provider');

 $default_user       = $conf->getUser();
-$default_password   = $conf->getPassword();
 $default_host       = $conf->getHost();
 $default_namespace  = PhabricatorLiskDAO::getDefaultStorageNamespace();

@ -62,7 +61,6 @@ try {
        'name'    => 'password',
        'short'   => 'p',
        'param'   => 'password',
-        'default' => $default_password,
        'help'    => 'Use __password__ instead of the configured default.',
      ),
      array(
@ -85,10 +83,18 @@ try {
  exit(77);
 }

+if ($args->getArg('password') === null) {
+  // This is already a PhutilOpaqueEnvelope.
+  $password = $conf->getPassword();
+} else {
+  // Put this in a PhutilOpaqueEnvelope.
+  $password = new PhutilOpaqueEnvelope($args->getArg('password'));
+}
+
 $api = new PhabricatorStorageManagementAPI();
 $api->setUser($args->getArg('user'));
 $api->setHost($default_host);
-$api->setPassword($args->getArg('password'));
+$api->setPassword($password);
 $api->setNamespace($args->getArg('namespace'));

 try {
--- a/src/infrastructure/storage/configuration/DefaultDatabaseConfigurationProvider.php
+++ b/src/infrastructure/storage/configuration/DefaultDatabaseConfigurationProvider.php
@ -38,7 +38,7 @@ final class DefaultDatabaseConfigurationProvider
  }

  public function getPassword() {
-    return PhabricatorEnv::getEnvConfig('mysql.pass');
+    return new PhutilOpaqueEnvelope(PhabricatorEnv::getEnvConfig('mysql.pass'));
  }

  public function getHost() {
--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
@ -52,7 +52,11 @@ final class AphrontMySQLDatabaseConnection
    $user = $this->getConfiguration('user');
    $host = $this->getConfiguration('host');
    $database = $this->getConfiguration('database');
+
    $pass = $this->getConfiguration('pass');
+    if ($pass instanceof PhutilOpaqueEnvelope) {
+      $pass = $pass->openEnvelope();
+    }

    $conn = @mysql_connect(
      $host,
--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
@ -50,7 +50,11 @@ final class AphrontMySQLiDatabaseConnection
    $user = $this->getConfiguration('user');
    $host = $this->getConfiguration('host');
    $database = $this->getConfiguration('database');
+
    $pass = $this->getConfiguration('pass');
+    if ($pass instanceof PhutilOpaqueEnvelope) {
+      $pass = $pass->openEnvelope();
+    }

    $conn = @new mysqli(
      $host,