Encryption PoC

commands/management/add_mongodb.go

@@ -16,7 +16,10 @@
 package management
 
 import (
+	"context"
 	"fmt"
+	"github.com/percona/pmm-admin/utils/encryption"
+	"github.com/sirupsen/logrus"
 	"os"
 	"strings"
 
@@ -112,6 +115,10 @@ func (cmd *addMongoDBCommand) GetCredentials() error {
 }
 
 func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
+	return cmd.RunWithContext(context.TODO())
+}
+
+func (cmd *addMongoDBCommand) RunWithContext(ctx context.Context) (commands.Result, error) {
 	customLabels, err := commands.ParseCustomLabels(cmd.CustomLabels)
 	if err != nil {
 		return nil, err
@@ -150,6 +157,14 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 		}
 	}
 
+	encryptor := encryption.GetEncryptor(ctx)
+	password, err := encryptor.EncryptAsBlock(cmd.Password)
+	if err != nil {
+		logrus.Warnf("Failed to encrypt password: %s", err)
+		password = cmd.Password
+	}
+	password = cmd.Password
+
 	params := &mongodb.AddMongoDBParams{
 		Body: mongodb.AddMongoDBBody{
 			NodeID:         cmd.NodeID,
@@ -162,7 +177,7 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 			Cluster:        cmd.Cluster,
 			ReplicationSet: cmd.ReplicationSet,
 			Username:       cmd.Username,
-			Password:       cmd.Password,
+			Password:       password,
 			AgentPassword:  cmd.AgentPassword,
 
 			QANMongodbProfiler: cmd.QuerySource == mongodbQuerySourceProfiler,

main.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/percona/pmm-admin/utils/encryption"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -60,6 +61,7 @@ func main() {
 		return nil
 	}).Bool()
 
+	kingpin.CommandLine.DefaultEnvars()
 	cmd := kingpin.Parse()
 
 	logrus.SetFormatter(new(logger.TextFormatter)) // with levels and timestamps for debug and trace
@@ -75,6 +77,10 @@ func main() {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
+	ctx, errEnc := encryption.InjectEncryptorIfNotPresent(ctx)
+	if errEnc != nil {
+		logrus.Panicf("Failed to inject encryptor: %v", errEnc)
+	}
 
 	// handle termination signals
 	signals := make(chan os.Signal, 1)

utils/encryption/default-key.pub

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmsIPAv+mDTBX4kAVFeon
+wLHcXOjzu/hgca1f4bCgsyTvoUdcg7EAIlpfv14nCQ+1zUXI3h0iWH/ZJsHNb7Wy
+NYZZpkCIrWk9XUuPbzijazjLvBaMzyVLb8zQFESvuKumSOZ+WizvuHL2MGaJqLYI
+2eVLDKX3TVeJCe8HK8KA6XUau28tNDEymf/Hyk7BQAINkQTnwIWIX+lzeGI+eMzT
+uptDIf3OCvoe/a1qp0RP7jQ8bU2fj6SUB0Ts3FElqTsGZczP6zag20CR0hSzlqNI
+785Mcv3tRxszwu+rET9CVyjRG9Y6X9TqPODbuM1n6aKla1X9Wkt386Li0TgXtF/S
+tJA/BK7JrPrSRz+vKakhqqcmudPA5NeqdjC92jdxmtLObVm4L/OF0FwRYAEeYRVi
+CZNTo8DwEjecYHy+FNutGxvOP/p15ip3YG6IHGp1kPoGdxwzAJQK957ZVqQUJCAC
+M2lcNPEQ+muYRTMHLYuNMyVVW+OOdTFrFxUK/xisYhb7tJoN/aZUrww7KVDVD6AD
+HImr1TL7hE9r/ko3e/0TQN8D+fgLPpKLyaguuLI2HyRalzFWuQSEWUOz/2IQ76kR
+glL2yQVAOh8oG8sX6xXY1fFpfpvZd4VCWdWOQfW2tBqOKpcMgmkgxKctMUeHhhgx
+GFI7b65SXK9uPB3Rs6EXbd8CAwEAAQ==
+-----END PUBLIC KEY-----

utils/encryption/encryption.go

@@ -0,0 +1,33 @@
+package encryption
+
+import (
+	"context"
+	_ "embed"
+	"github.com/percona/pmm/utils/rsa_encryptor"
+)
+
+//go:embed default-key.pub
+var publicKey []byte
+
+const EncryptorKey = "encryptor"
+
+func NewFromDefaultKey() (*rsa_encryptor.Service, error) {
+	return rsa_encryptor.NewFromPublicKey("d1", publicKey)
+}
+
+func InjectEncryptorIfNotPresent(ctx context.Context) (context.Context, error) {
+	encryptor := ctx.Value(EncryptorKey)
+	if encryptor == nil {
+		encryptor, err := NewFromDefaultKey()
+		if err != nil {
+			return nil, err
+		}
+		return context.WithValue(ctx, EncryptorKey, encryptor), nil
+	}
+
+	return ctx, nil
+}
+
+func GetEncryptor(ctx context.Context) *rsa_encryptor.Service {
+	return ctx.Value(EncryptorKey).(*rsa_encryptor.Service)
+}