From e0458305c284181c9e57221b6e2ebc9c6eee03e6 Mon Sep 17 00:00:00 2001 From: Alexander Lutay Date: Tue, 8 Oct 2019 18:14:24 +0200 Subject: [PATCH] TT#68032 Migrate from 'mysql -p${SIPWISE_DB_PASSWORD}' to Perl DBI defaults-extra-file="" There is no need to read the text file and search for password inside, we have properly formatted credentials file /etc/mysql/sipwise_extra.cnf which is fully supported by MySQL/MariaDB client library and Perl DBI. Also we have plans to remove /etc/mysql/sipwise.cnf to prevent it usage (to prevent password leakage through Linux process list). Change-Id: I62006ae01d9097642a3dae063781a621f5050842
---
 helper/sync-db | 23 +++++------------------
 sbin/ngcp-sync-grants | 27 +++++----------------------
 2 files changed, 10 insertions(+), 40 deletions(-)

diff --git a/helper/sync-db b/helper/sync-db
index add376d0..fff57338 100755
--- a/helper/sync-db
+++ b/helper/sync-db
@@ -21,14 +21,8 @@ foreach my $file (@ARGV) {
 # rw connection to central node
 my $dbhost = $config->{database}->{central}->{dbhost};
 my $dbport = $config->{database}->{central}->{dbport};
-
-open my $SWFH, '<', '/etc/mysql/sipwise.cnf';
-my $dbpass = join ' ', <$SWFH>;
-close $SWFH;
-$dbpass =~ s/^\s*SIPWISE_DB_PASSWORD=\'([^\']+)\'.*$/$1/;
-chomp $dbpass;
-my $dbuser = 'sipwise';
 my $dbname = $config->{ossbss}->{provisioning}->{database}->{name};
+my $dbcredentials = "/etc/mysql/sipwise_extra.cnf";
 
 unless(defined $dbhost) {
     print "Error: Could not determine provisioning db hostname\n";
@@ -42,14 +36,6 @@ unless(defined $dbname) {
     print "Error: Could not determine provisioning db name\n";
     exit 1;
 }
-unless(defined $dbuser) {
-    print "Error: Could not determine provisioning db user\n";
-    exit 1;
-}
-unless(defined $dbpass) {
-    print "Error: Could not determine provisioning db password\n";
-    exit 1;
-}
 
 $dbh = db_connect();
 
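Review bot: The guards removed in the hunk at -42,14 (`unless(defined $dbuser)` / `unless(defined $dbpass)`) are not replaced by any check on the new `$dbcredentials`, which as a string literal is always defined, so a missing or unreadable /etc/mysql/sipwise_extra.cnf is only noticed when DBI->connect fails. Because the connect now passes `"", ""` for user and password, libmysqlclient substitutes the current login name for the empty user when the option file contributes nothing, so the failure presumably surfaces as an "Access denied" for that OS user rather than as a clear local error. A cheap check next to the remaining hostname/port/name guards would make this explicit: `unless (-r $dbcredentials) { print "Error: Could not read db credentials file '$dbcredentials'\n"; exit 1; }`. The same gap exists in sbin/ngcp-sync-grants, where the removed get_mysql_credentials used to die on a missing or unparseable file and connect_db now has no equivalent.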
@@ -76,10 +62,11 @@ exit 0;
 
 
 sub db_connect {
-    my $dbh = DBI->connect("DBI:mysql:database=${dbname};host=${dbhost};port=${dbport}",
-        $dbuser, $dbpass, { PrintError => 1 });
+    my $dbh = DBI->connect("DBI:mysql:database=${dbname};host=${dbhost};port=${dbport};"
+        . "mysql_read_default_file=${dbcredentials}",
+        "", "", { PrintError => 1 });
     unless(defined $dbh) {
-        print "Error: Could not connect to database '$dbname' at '$dbhost:$dbport' as '${dbuser}': $DBI::errstr\n";
+        print "Error: Could not connect to database '$dbname' at '$dbhost:$dbport' using '${dbcredentials}': $DBI::errstr\n";
         exit 1;
     }
     return $dbh;
diff --git a/sbin/ngcp-sync-grants b/sbin/ngcp-sync-grants
index 655cc565..9acad7b8 100755
--- a/sbin/ngcp-sync-grants
+++ b/sbin/ngcp-sync-grants
@@ -12,8 +12,6 @@ use YAML::XS;
 use Readonly;
 
 Readonly my $GRANTS_SCHEMA => '/etc/mysql/grants.yml';
-Readonly my $DEFAULT_MYSQL_USER => "sipwise";
-Readonly my $MYSQL_CREDENTIALS => "/etc/mysql/sipwise.cnf";
 Readonly my $DB_CFG => "/etc/default/ngcp-db";
 Readonly my $DEFAULT_DBHOST => "127.0.0.1";
 Readonly my $DEFAULT_DBPORT => "3306";
@@ -63,13 +61,14 @@ sub pwgen {
 
 sub connect_db {
     my ($dbhost, $dbport) = @_;
-    my ($mysql_user, $mysql_pass) = get_mysql_credentials();
+    my $dbcredentials = "/etc/mysql/sipwise_extra.cnf";
 
-    $dbh = DBI->connect("DBI:mysql:database=mysql;host=$dbhost;port=$dbport",
-        $mysql_user, $mysql_pass,
+    $dbh = DBI->connect("DBI:mysql:database=mysql;host=$dbhost;port=$dbport;"
+        . "mysql_read_default_file=${dbcredentials}",
+        "", "",
         { PrintError => 0 })
         or die "Can't connect to MySQL database 'mysql': ". $DBI::errstr;
-    log_debug("connected to $dbhost:$dbport as $mysql_user");
+    log_debug("connected to $dbhost:$dbport using '${dbcredentials}'");
     $dbh->do("SET sql_log_bin=0")
         or die "Cannot set sql_log_bin=0: ".$DBI::errstr;
 
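Review bot: In connect_db the credentials path is a bare string literal (`my $dbcredentials = "/etc/mysql/sipwise_extra.cnf";`) while the hunk at -12,8 removes the file-level `Readonly my $MYSQL_CREDENTIALS` constant, so this is now the only fixed path in the file not declared next to `$GRANTS_SCHEMA` and `$DB_CFG`; keeping `Readonly my $MYSQL_CREDENTIALS => "/etc/mysql/sipwise_extra.cnf";` there and referencing it from connect_db would match the rest of the file. The same literal is duplicated in helper/sync-db's db_connect, so any later move of the file has to be found in two places. With get_mysql_credentials gone, `Config::Tiny` (and the `$ERRNO` alias, presumably from English) may have no remaining user in ngcp-sync-grants; their `use` lines are outside this hunk, so worth checking before leaving them in. connect_db's body continues past the end of the hunk.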
@@ -95,22 +94,6 @@ sub log_info { logger(shift, 0); }
 sub log_debug { logger(shift, 1); }
 sub log_warn { logger(shift, 2); }
 
-sub get_mysql_credentials {
-    my $mysql_user = $DEFAULT_MYSQL_USER;
-    my $mysql_pass;
-
-    my $mysql_creds = Config::Tiny->read($MYSQL_CREDENTIALS)
-        or die "Cannot open $MYSQL_CREDENTIALS: $ERRNO";
-
-    if ($mysql_pass = $mysql_creds->{_}{SIPWISE_DB_PASSWORD}) {
-        $mysql_pass =~ s/^['"]|['"]$//g;
-    } else {
-        die "Cannot parse mysql credentials file $MYSQL_CREDENTIALS";
-    }
-
-    return ($mysql_user, $mysql_pass);
-}
-
 sub get_hostname {
     open(my $fh, "<", "/etc/hostname")