PMM-9947: Encryption #897

wants to merge 9 commits into from
21 changes: 20 additions & 1 deletion admin/commands/management/add_mongodb.go
Expand Up @@ -16,16 +16,19 @@
package management

import (
"context"
"fmt"
"os"
"strings"

"github.com/AlekSi/pointer"
"github.com/sirupsen/logrus"

"github.com/percona/pmm/admin/agentlocal"
"github.com/percona/pmm/admin/commands"
"github.com/percona/pmm/api/managementpb/json/client"
mongodb "github.com/percona/pmm/api/managementpb/json/client/mongo_db"
"github.com/percona/pmm/utils/encryption"
)

const (
Expand Down Expand Up @@ -112,6 +115,10 @@ func (cmd *addMongoDBCommand) GetCredentials() error {
}

func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
return cmd.RunWithContext(context.TODO())
}

func (cmd *addMongoDBCommand) RunWithContext(ctx context.Context) (commands.Result, error) {
customLabels, err := commands.ParseCustomLabels(cmd.CustomLabels)
if err != nil {
return nil, err
Expand Down Expand Up @@ -150,6 +157,18 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
}
}

password := cmd.Password
encryptor := encryption.GetEncryptor(ctx)
if encryptor == nil {
password, err = encryptor.EncryptAsBlock(password)
if err != nil {
logrus.Warnf("Failed to encrypt password: %s", err)
password = cmd.Password
}
} else {
logrus.Warn("Encryptor it not injected into the context")
}

params := &mongodb.AddMongoDBParams{
Body: mongodb.AddMongoDBBody{
NodeID: cmd.NodeID,
Expand All @@ -162,7 +181,7 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
Cluster: cmd.Cluster,
ReplicationSet: cmd.ReplicationSet,
Username: cmd.Username,
Password: cmd.Password,
Password: password,
AgentPassword: cmd.AgentPassword,

QANMongodbProfiler: cmd.QuerySource == mongodbQuerySourceProfiler,
Expand Down
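Review bot: The guard `if encryptor == nil {` is inverted: the branch that calls `encryptor.EncryptAsBlock(password)` runs exactly when no encryptor was injected (a method call on a nil encryptor), while a present encryptor only produces the warning and the password is sent unencrypted; the same inverted check appears in agent/connectionchecker/connection_checker.go around `encryptor.DecryptDSN(msg.Dsn)`. Both should read `if encryptor != nil {`. Once that is fixed, the fallback `password = cmd.Password` after a failed EncryptAsBlock still sends the plaintext password to the server; if that downgrade is intended for compatibility it needs a comment saying so, otherwise return the error instead of warning. The warning text `Encryptor it not injected into the context` should read `Encryptor is not injected into the context`. RunWithContext's body continues past the end of the hunk.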
14 changes: 14 additions & 0 deletions admin/default-key.pub
@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
11 changes: 11 additions & 0 deletions admin/main.go
Expand Up @@ -17,6 +17,7 @@ package main

import (
"context"
_ "embed"
"encoding/json"
"fmt"
"os"
Expand All @@ -32,9 +33,15 @@ import (
"github.com/percona/pmm/admin/commands/inventory"
"github.com/percona/pmm/admin/commands/management"
"github.com/percona/pmm/admin/logger"
"github.com/percona/pmm/utils/encryption"
"github.com/percona/pmm/version"
)

//go:embed default-key.pub
var publicKey []byte

const publicKeyID = "k1"

func main() {
kingpin.CommandLine.Name = "pmm-admin"
kingpin.CommandLine.Help = fmt.Sprintf("Version %s", version.Version)
Expand Down Expand Up @@ -75,6 +82,10 @@ func main() {
}

ctx, cancel := context.WithCancel(context.Background())
ctx, errEnc := encryption.InjectEncryptorIfNotPresent(ctx, publicKey, publicKeyID)
if errEnc != nil {
logrus.Panicf("Failed to inject encryptor: %v", errEnc)
}

// handle termination signals
signals := make(chan os.Signal, 1)
Expand Down
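Review bot: `logrus.Panicf("Failed to inject encryptor: %v", errEnc)` turns a startup configuration error into a panic with a stack trace, while the agent's equivalent in agent/commands/run.go uses `l.Fatalf`; `logrus.Fatalf` is the consistent choice for a CLI. The key ID `k1` is declared here as `publicKeyID` and again as `privateKeyID` in agent/commands/run.go, so the two sides can drift independently; presumably a mismatch would leave the agent unable to decrypt, which argues for one exported constant in utils/encryption that both binaries import. This PR also adds public keys at both admin/default-key.pub and utils/encryption/default-key.pub; if they are meant to be the same key, keeping one copy avoids the same drift. main's body continues past the hunk.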
52 changes: 52 additions & 0 deletions agent/commands/default-key
@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
11 changes: 11 additions & 0 deletions agent/commands/run.go
Expand Up @@ -17,6 +17,7 @@ package commands

import (
"context"
_ "embed"
"os"
"os/signal"

Expand All @@ -30,12 +31,22 @@ import (
"github.com/percona/pmm/agent/connectionchecker"
"github.com/percona/pmm/agent/defaultsfile"
"github.com/percona/pmm/agent/versioner"
"github.com/percona/pmm/utils/encryption"
)

//go:embed default-key
var privateKey []byte

const privateKeyID = "k1"

// Run implements `pmm-agent run` default command.
func Run() {
l := logrus.WithField("component", "main")
ctx, cancel := context.WithCancel(context.Background())
ctx, err := encryption.InjectEncryptorIfNotPresent(ctx, privateKey, privateKeyID)
if err != nil {
l.Fatalf("Failed to inject encryptor: %s.", err)
}
defer l.Info("Done.")

// handle termination signals
Expand Down
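Review bot: `privateKey` is embedded via `//go:embed default-key` from agent/commands/default-key, which this PR checks into the repository as a PEM private key, with the matching public key embedded into pmm-admin; every build of both binaries therefore shares one long-lived key pair, so the credential encryption introduced here offers no confidentiality against anyone holding an agent binary or a clone of the repository, and a key committed to history should be treated as disclosed even if a later commit removes it. `privateKeyID = "k1"` gives no way to rotate it either. Consider loading the key from the agent's configuration directory (generated at install or first start) and keeping only a clearly named test fixture in the tree, with a comment on the var such as `// privateKey decrypts credentials forwarded from pmm-admin; the embedded file is a development default, not a production key.` Run's body continues past the hunk.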
13 changes: 13 additions & 0 deletions agent/connectionchecker/connection_checker.go
Expand Up @@ -40,6 +40,7 @@ import (
"github.com/percona/pmm/agent/utils/templates"
"github.com/percona/pmm/api/agentpb"
"github.com/percona/pmm/api/inventorypb"
"github.com/percona/pmm/utils/encryption"
)

// ConnectionChecker is a struct to check connection to services.
Expand All @@ -65,6 +66,18 @@ func (cc *ConnectionChecker) Check(ctx context.Context, msg *agentpb.CheckConnec
defer cancel()
}

encryptor := encryption.GetEncryptor(ctx)
if encryptor == nil {
dsn, err := encryptor.DecryptDSN(msg.Dsn)
if err != nil {
cc.l.Debugf("Failed to decrypt DSN: %s", err)
} else {
msg.Dsn = dsn
}
} else {
cc.l.Warn("Encryptor it not injected into the context")
}

switch msg.Type {
case inventorypb.ServiceType_MYSQL_SERVICE:
return cc.checkMySQLConnection(ctx, msg.Dsn, msg.TextFiles, msg.TlsSkipVerify, id)
Expand Down
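Review bot: When `encryptor.DecryptDSN(msg.Dsn)` fails, the code logs at Debug and carries on with the original `msg.Dsn`, so a key mismatch between pmm-admin and this agent would surface only as an opaque connection error further down; if the fallback exists for DSNs that were never encrypted, that deserves a comment on the failure path, e.g. `// DSN may be plaintext from an older pmm-admin; use it unchanged.`, and a Warn-level log rather than Debug. The decrypted DSN is also written back into `msg`, so if anything later logs or forwards the request it now carries the plaintext credentials; passing a local `dsn` into the switch below would keep it out of the message. Check's body starts before and continues past the hunk.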
14 changes: 14 additions & 0 deletions utils/encryption/default-key.pub
@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmsIPAv+mDTBX4kAVFeon
wLHcXOjzu/hgca1f4bCgsyTvoUdcg7EAIlpfv14nCQ+1zUXI3h0iWH/ZJsHNb7Wy
NYZZpkCIrWk9XUuPbzijazjLvBaMzyVLb8zQFESvuKumSOZ+WizvuHL2MGaJqLYI
2eVLDKX3TVeJCe8HK8KA6XUau28tNDEymf/Hyk7BQAINkQTnwIWIX+lzeGI+eMzT
uptDIf3OCvoe/a1qp0RP7jQ8bU2fj6SUB0Ts3FElqTsGZczP6zag20CR0hSzlqNI
785Mcv3tRxszwu+rET9CVyjRG9Y6X9TqPODbuM1n6aKla1X9Wkt386Li0TgXtF/S
tJA/BK7JrPrSRz+vKakhqqcmudPA5NeqdjC92jdxmtLObVm4L/OF0FwRYAEeYRVi
CZNTo8DwEjecYHy+FNutGxvOP/p15ip3YG6IHGp1kPoGdxwzAJQK957ZVqQUJCAC
M2lcNPEQ+muYRTMHLYuNMyVVW+OOdTFrFxUK/xisYhb7tJoN/aZUrww7KVDVD6AD
HImr1TL7hE9r/ko3e/0TQN8D+fgLPpKLyaguuLI2HyRalzFWuQSEWUOz/2IQ76kR
glL2yQVAOh8oG8sX6xXY1fFpfpvZd4VCWdWOQfW2tBqOKpcMgmkgxKctMUeHhhgx
GFI7b65SXK9uPB3Rs6EXbd8CAwEAAQ==
-----END PUBLIC KEY-----