Commit 27f6cc3

author
epriestley
committed
Support PhabricatorOpaqueEnvelope for managing database passwords
Summary: Currently, MySQL/MySQLi connections store passwords in plain text on the object. Allow them to be stored in PhutilOpaqueEnvelopes instead. See D3053. Test Plan: Loaded site. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D3054
1 parent 5d4a6bc commit 27f6cc3

4 files changed

+18
-4
lines changed

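--- a/scripts/sql/manage_storage.php
+++ b/scripts/sql/manage_storage.php
@@ -38,7 +38,6 @@
 $conf = PhabricatorEnv::newObjectFromConfig('mysql.configuration-provider');
 
 $default_user = $conf->getUser();
-$default_password = $conf->getPassword();
 $default_host = $conf->getHost();
 $default_namespace = PhabricatorLiskDAO::getDefaultStorageNamespace();
 
@@ -62,7 +61,6 @@
 'name' => 'password',
 'short' => 'p',
 'param' => 'password',
-'default' => $default_password,
 'help' => 'Use __password__ instead of the configured default.',
 ),
 array(
@@ -85,10 +83,18 @@
 exit(77);
 }
 
+if ($args->getArg('password') === null) {
+// This is already a PhutilOpaqueEnvelope.
+$password = $conf->getPassword();
+} else {
+// Put this in a PhutilOpaqueEnvelope.
+$password = new PhutilOpaqueEnvelope($args->getArg('password'));
+}
+
 $api = new PhabricatorStorageManagementAPI();
 $api->setUser($args->getArg('user'));
 $api->setHost($default_host);
-$api->setPassword($args->getArg('password'));
+$api->setPassword($password);
 $api->setNamespace($args->getArg('namespace'));
 
 try {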
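Review bot: The comment `// This is already a PhutilOpaqueEnvelope.` holds only for providers that have been updated; `$conf` is built by `PhabricatorEnv::newObjectFromConfig('mysql.configuration-provider')`, so a custom provider may still return a plain string from getPassword(), and that string then reaches `$api->setPassword($password)` unwrapped. Normalizing after the null branch would make the script independent of the provider: `if (!($password instanceof PhutilOpaqueEnvelope)) { $password = new PhutilOpaqueEnvelope($password); }`. Separately, a value given with `--password` is still a plain string in the process arguments before it is wrapped, so the option's help text could say that relying on the configured default keeps the secret off the command line.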

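--- a/src/infrastructure/storage/configuration/DefaultDatabaseConfigurationProvider.php
+++ b/src/infrastructure/storage/configuration/DefaultDatabaseConfigurationProvider.php
@@ -38,7 +38,7 @@ public function getUser() {
 }
 
 public function getPassword() {
-return PhabricatorEnv::getEnvConfig('mysql.pass');
+return new PhutilOpaqueEnvelope(PhabricatorEnv::getEnvConfig('mysql.pass'));
 }
 
 public function getHost() {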
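Review bot: getPassword() now returns an object where it used to return a string, and nothing on the method records that; a caller that concatenates or compares the result will misbehave, and one that opens the envelope early defeats its purpose. A docblock such as `@return PhutilOpaqueEnvelope Database password; open it only at the point of connecting.` would state the new contract. If `mysql.pass` is unset the envelope presumably wraps null, and whether the connection classes are meant to receive that after opening is not visible in this section.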

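--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
@@ -52,7 +52,11 @@ protected function connect() {
 $user = $this->getConfiguration('user');
 $host = $this->getConfiguration('host');
 $database = $this->getConfiguration('database');
+
 $pass = $this->getConfiguration('pass');
+if ($pass instanceof PhutilOpaqueEnvelope) {
+$pass = $pass->openEnvelope();
+}
 
 $conn = @mysql_connect(
 $host,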
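Review bot: The unwrap in connect() silently accepts a plain string as well, so any caller that has not been migrated keeps the password in plain text in the connection's configuration with no signal. The same three lines are repeated in AphrontMySQLiDatabaseConnection::connect(). A comment marking the fallback as transitional, e.g. `// TODO: Require a PhutilOpaqueEnvelope here once all callers pass one.`, would make the intent clear, and if the two classes share a parent (not visible here) the unwrap belongs in one helper there. The opened value then stays in `$pass` for the rest of connect(), whose body continues outside the hunk, so it is worth confirming that nothing later in the method logs it or embeds it in an exception message.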

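--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
@@ -50,7 +50,11 @@ protected function connect() {
 $user = $this->getConfiguration('user');
 $host = $this->getConfiguration('host');
 $database = $this->getConfiguration('database');
+
 $pass = $this->getConfiguration('pass');
+if ($pass instanceof PhutilOpaqueEnvelope) {
+$pass = $pass->openEnvelope();
+}
 
 $conn = @new mysqli(
 $host,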
