diff --git a/commands/management/add_mongodb.go b/commands/management/add_mongodb.go
index 6eeb2bd0..3c09843c 100644
--- a/commands/management/add_mongodb.go
+++ b/commands/management/add_mongodb.go
@@ -16,7 +16,10 @@
 package management
 import (
+ "context"
 "fmt"
+ "github.com/percona/pmm-admin/utils/encryption"
+ "github.com/sirupsen/logrus"
 "os"
 "strings"
@@ -112,6 +115,10 @@ func (cmd *addMongoDBCommand) GetCredentials() error {
 }
 func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
+ return cmd.RunWithContext(context.TODO())
+}
+
+func (cmd *addMongoDBCommand) RunWithContext(ctx context.Context) (commands.Result, error) {
 customLabels, err := commands.ParseCustomLabels(cmd.CustomLabels)
 if err != nil {
 return nil, err
@@ -150,6 +157,14 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 }
 }
+ encryptor := encryption.GetEncryptor(ctx)
+ password, err := encryptor.EncryptAsBlock(cmd.Password)
+ if err != nil {
+ logrus.Warnf("Failed to encrypt password: %s", err)
+ password = cmd.Password
+ }
+ password = cmd.Password
+
 params := &mongodb.AddMongoDBParams{
 Body: mongodb.AddMongoDBBody{
 NodeID: cmd.NodeID,
@@ -162,7 +177,7 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 Cluster: cmd.Cluster,
 ReplicationSet: cmd.ReplicationSet,
 Username: cmd.Username,
- Password: cmd.Password,
+ Password: password,
 AgentPassword: cmd.AgentPassword,
 QANMongodbProfiler: cmd.QuerySource == mongodbQuerySourceProfiler,
diff --git a/main.go b/main.go
index e80f2b83..bd75e385 100644
--- a/main.go
+++ b/main.go
@@ -19,6 +19,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "github.com/percona/pmm-admin/utils/encryption"
 "os"
 "os/exec"
 "os/signal"
@@ -60,6 +61,7 @@ func main() {
 return nil
 }).Bool()
+ kingpin.CommandLine.DefaultEnvars()
 cmd := kingpin.Parse()
 logrus.SetFormatter(new(logger.TextFormatter)) // with levels and timestamps for debug and trace
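Review bot: `Run()` in add_mongodb.go now forwards `context.TODO()`, which carries no encryptor, while `RunWithContext` later calls `encryption.GetEncryptor(ctx)`, whose unchecked type assertion (utils/encryption/encryption.go in this commit) panics when the value is missing. Any caller that still goes through `Run()` would crash instead of adding the service; which of the two methods main.go dispatches to is not visible here. Starting `RunWithContext` with `ctx, err := encryption.InjectEncryptorIfNotPresent(ctx)` and returning the error would make both entry points safe. The body of `RunWithContext` continues outside this hunk.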
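Review bot: The unconditional `password = cmd.Password` after the `if err != nil` block in add_mongodb.go overwrites the ciphertext, so `Password: password` in the following hunk always sends the plaintext and the encryption added here has no effect; it looks like a debugging leftover and should be deleted. Separately, the error branch falls back to the plaintext password with only a warning, so the protection fails open; returning the error (`return nil, err`) or requiring an explicit opt-in for the plaintext path would be safer. `AgentPassword` is still passed through unencrypted in the following hunk, which may or may not be intended. The enclosing function starts and ends outside this hunk.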
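Review bot: `kingpin.CommandLine.DefaultEnvars()` in main.go makes every flag without an explicit envar readable from an automatically named environment variable, which presumably includes the password flags of the add commands. That is a behaviour change unrelated to the encryption work and nothing in the hunk documents it; a process environment is inherited by child processes (main.go imports `os/exec`) and is visible to other tooling on the host. If it is intended, a comment such as `// let every flag fall back to an <APP>_<FLAG> environment variable` plus a user-facing note would help; otherwise it belongs in its own commit. The body of `main` continues outside this hunk.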
@@ -75,6 +77,10 @@ func main() {
 }
 ctx, cancel := context.WithCancel(context.Background())
+ ctx, errEnc := encryption.InjectEncryptorIfNotPresent(ctx)
+ if errEnc != nil {
+ logrus.Panicf("Failed to inject encryptor: %v", errEnc)
+ }
 // handle termination signals
 signals := make(chan os.Signal, 1)
diff --git a/utils/encryption/default-key.pub b/utils/encryption/default-key.pub
new file mode 100644
index 00000000..999a29ef
--- /dev/null
+++ b/utils/encryption/default-key.pub
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmsIPAv+mDTBX4kAVFeon
+wLHcXOjzu/hgca1f4bCgsyTvoUdcg7EAIlpfv14nCQ+1zUXI3h0iWH/ZJsHNb7Wy
+NYZZpkCIrWk9XUuPbzijazjLvBaMzyVLb8zQFESvuKumSOZ+WizvuHL2MGaJqLYI
+2eVLDKX3TVeJCe8HK8KA6XUau28tNDEymf/Hyk7BQAINkQTnwIWIX+lzeGI+eMzT
+uptDIf3OCvoe/a1qp0RP7jQ8bU2fj6SUB0Ts3FElqTsGZczP6zag20CR0hSzlqNI
+785Mcv3tRxszwu+rET9CVyjRG9Y6X9TqPODbuM1n6aKla1X9Wkt386Li0TgXtF/S
+tJA/BK7JrPrSRz+vKakhqqcmudPA5NeqdjC92jdxmtLObVm4L/OF0FwRYAEeYRVi
+CZNTo8DwEjecYHy+FNutGxvOP/p15ip3YG6IHGp1kPoGdxwzAJQK957ZVqQUJCAC
+M2lcNPEQ+muYRTMHLYuNMyVVW+OOdTFrFxUK/xisYhb7tJoN/aZUrww7KVDVD6AD
+HImr1TL7hE9r/ko3e/0TQN8D+fgLPpKLyaguuLI2HyRalzFWuQSEWUOz/2IQ76kR
+glL2yQVAOh8oG8sX6xXY1fFpfpvZd4VCWdWOQfW2tBqOKpcMgmkgxKctMUeHhhgx
+GFI7b65SXK9uPB3Rs6EXbd8CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/utils/encryption/encryption.go b/utils/encryption/encryption.go
new file mode 100644
index 00000000..6ec784a3
--- /dev/null
+++ b/utils/encryption/encryption.go
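Review bot: In the main.go hunk at `@@ -75,6 +77,10 @@`, the `logrus.Panicf` on `errEnc` aborts every invocation with a stack trace if the embedded key cannot be loaded, including commands that never send a password. `InjectEncryptorIfNotPresent` returns a nil context on error and the `:=` here overwrites `ctx` with it, so any softer handling must not keep using `ctx` afterwards. Consider `logrus.Fatalf("Failed to inject encryptor: %v", errEnc)` for a clean exit, or building the encryptor only in the commands that need it. The body of `main` continues outside this hunk.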
@@ -0,0 +1,33 @@
+package encryption
+
+import (
+ "context"
+ _ "embed"
+ "github.com/percona/pmm/utils/rsa_encryptor"
+)
+
+//go:embed default-key.pub
+var publicKey []byte
+
+const EncryptorKey = "encryptor"
+
+func NewFromDefaultKey() (*rsa_encryptor.Service, error) {
+ return rsa_encryptor.NewFromPublicKey("d1", publicKey)
+}
+
+func InjectEncryptorIfNotPresent(ctx context.Context) (context.Context, error) {
+ encryptor := ctx.Value(EncryptorKey)
+ if encryptor == nil {
+ encryptor, err := NewFromDefaultKey()
+ if err != nil {
+ return nil, err
+ }
+ return context.WithValue(ctx, EncryptorKey, encryptor), nil
+ }
+
+ return ctx, nil
+}
+
+func GetEncryptor(ctx context.Context) *rsa_encryptor.Service {
+ return ctx.Value(EncryptorKey).(*rsa_encryptor.Service)
+}