Move PassphraseVO to use String instead of byte[] to support Encrypt annotation (#7302)

weizhouapache · Marcus Sorensen · web-flow · commit 8592de95fa09 · 2023-03-03T13:08:17.000+01:00
Co-authored-by: Marcus Sorensen &lt;mls@apple.com&gt;
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java
@@ -319,8 +319,7 @@ public VolumeVO allocateDuplicateVolumeVO(Volume oldVol, Long templateId) {
         newVol.setFormat(oldVol.getFormat());
 
         if (oldVol.getPassphraseId() != null) {
-            PassphraseVO passphrase = passphraseDao.persist(new PassphraseVO());
-            passphrase.clearPassphrase();
+            PassphraseVO passphrase = passphraseDao.persist(new PassphraseVO(true));
             newVol.setPassphraseId(passphrase.getId());
         }
 
@@ -1801,8 +1800,7 @@ private VolumeVO setPassphraseForVolumeEncryption(VolumeVO volume) {
         }
         s_logger.debug("Creating passphrase for the volume: " + volume.getName());
         long startTime = System.currentTimeMillis();
-        PassphraseVO passphrase = passphraseDao.persist(new PassphraseVO());
-        passphrase.clearPassphrase();
+        PassphraseVO passphrase = passphraseDao.persist(new PassphraseVO(true));
         volume.setPassphraseId(passphrase.getId());
         long finishTime = System.currentTimeMillis();
         s_logger.debug("Creating and persisting passphrase took: " + (finishTime - startTime) + " ms for the volume: " + volume.toString());
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/secret/PassphraseVO.java b/engine/schema/src/main/java/org/apache/cloudstack/secret/PassphraseVO.java
@@ -20,13 +20,15 @@
 
 import com.cloud.utils.db.Encrypt;
 import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.commons.lang3.StringUtils;
 
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Table;
+
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Arrays;
@@ -42,32 +44,39 @@ public class PassphraseVO {
 
     @Column(name = "passphrase")
     @Encrypt
-    private byte[] passphrase;
+    private String passphrase;
 
     public PassphraseVO() {
-        try {
-            SecureRandom random = SecureRandom.getInstanceStrong();
-            byte[] temporary = new byte[48]; // 48 byte random passphrase buffer
-            this.passphrase = new byte[64]; // 48 byte random passphrase as base64 for usability
-            random.nextBytes(temporary);
-            Base64.getEncoder().encode(temporary, this.passphrase);
-            Arrays.fill(temporary, (byte) 0); // clear passphrase from buffer
-        } catch (NoSuchAlgorithmException ex ) {
-            throw new CloudRuntimeException("Volume encryption requested but system is missing specified algorithm to generate passphrase");
+    }
+
+    public PassphraseVO(boolean initialize) {
+        if (initialize) {
+            try {
+                SecureRandom random = SecureRandom.getInstanceStrong();
+                byte[] temporary = new byte[48]; // 48 byte random passphrase buffer
+                random.nextBytes(temporary);
+                this.passphrase = Base64.getEncoder().encodeToString(temporary);
+                Arrays.fill(temporary, (byte) 0); // clear passphrase from buffer
+            } catch (NoSuchAlgorithmException ex ) {
+                throw new CloudRuntimeException("Volume encryption requested but system is missing specified algorithm to generate passphrase");
+            }
         }
     }
 
     public PassphraseVO(PassphraseVO existing) {
-        this.passphrase = existing.getPassphrase();
+        this.passphrase = existing.getPassphraseString();
     }
 
-    public void clearPassphrase() {
-        if (this.passphrase != null) {
-            Arrays.fill(this.passphrase, (byte) 0);
+    public byte[] getPassphrase() {
+        if (StringUtils.isBlank(this.passphrase)) {
+            return new byte[]{};
         }
+        return this.passphrase.getBytes();
     }
 
-    public byte[] getPassphrase() { return this.passphrase; }
+    public String getPassphraseString() {
+        return this.passphrase;
+    }
 
     public Long getId() { return this.id; }
 }
diff --git a/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/cryptsetup/CryptSetupTest.java b/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/cryptsetup/CryptSetupTest.java
@@ -51,7 +51,7 @@ public void cryptSetupTest() throws IOException, CryptSetupException {
         file.close();
 
         String filePath = path.toAbsolutePath().toString();
-        PassphraseVO passphrase = new PassphraseVO();
+        PassphraseVO passphrase = new PassphraseVO(true);
 
         cryptSetup.luksFormat(passphrase.getPassphrase(), CryptSetup.LuksType.LUKS, filePath);
 
