Support PhabricatorOpaqueEnvelope for managing database passwords

Summary: Currently, MySQL/MySQLi connections store passwords in plain text on the object. Allow them to be stored in PhutilOpaqueEnvelopes instead. See D3053.

Test Plan: Loaded site.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D3054

Author: epriestley

scripts/sql/manage_storage.php

@@ -38,7 +38,6 @@
 $conf = PhabricatorEnv::newObjectFromConfig('mysql.configuration-provider');
 
 $default_user       = $conf->getUser();
-$default_password   = $conf->getPassword();
 $default_host       = $conf->getHost();
 $default_namespace  = PhabricatorLiskDAO::getDefaultStorageNamespace();
 
@@ -62,7 +61,6 @@
         'name'    => 'password',
         'short'   => 'p',
         'param'   => 'password',
-        'default' => $default_password,
         'help'    => 'Use __password__ instead of the configured default.',
       ),
       array(
@@ -85,10 +83,18 @@
   exit(77);
 }
 
+if ($args->getArg('password') === null) {
+  // This is already a PhutilOpaqueEnvelope.
+  $password = $conf->getPassword();
+} else {
+  // Put this in a PhutilOpaqueEnvelope.
+  $password = new PhutilOpaqueEnvelope($args->getArg('password'));
+}
+
 $api = new PhabricatorStorageManagementAPI();
 $api->setUser($args->getArg('user'));
 $api->setHost($default_host);
-$api->setPassword($args->getArg('password'));
+$api->setPassword($password);
 $api->setNamespace($args->getArg('namespace'));
 
 try {

src/infrastructure/storage/configuration/DefaultDatabaseConfigurationProvider.php

@@ -38,7 +38,7 @@ public function getUser() {
   }
 
   public function getPassword() {
-    return PhabricatorEnv::getEnvConfig('mysql.pass');
+    return new PhutilOpaqueEnvelope(PhabricatorEnv::getEnvConfig('mysql.pass'));
   }
 
   public function getHost() {

src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php

@@ -52,7 +52,11 @@ protected function connect() {
     $user = $this->getConfiguration('user');
     $host = $this->getConfiguration('host');
     $database = $this->getConfiguration('database');
+
     $pass = $this->getConfiguration('pass');
+    if ($pass instanceof PhutilOpaqueEnvelope) {
+      $pass = $pass->openEnvelope();
+    }
 
     $conn = @mysql_connect(
       $host,

src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php

@@ -50,7 +50,11 @@ protected function connect() {
     $user = $this->getConfiguration('user');
     $host = $this->getConfiguration('host');
     $database = $this->getConfiguration('database');
+
     $pass = $this->getConfiguration('pass');
+    if ($pass instanceof PhutilOpaqueEnvelope) {
+      $pass = $pass->openEnvelope();
+    }
 
     $conn = @new mysqli(
       $host,