feat(cmapi): MCOL-5019: distributing cskeys secrets file, move cskeys and cspasswd functions to mcs cli.

[add] distribute .secrets file to all nodes while adding a new node [add] encrypt_password, generate_secrets_data, save_secrets to CEJPasswordHandler [add] tools section to mcs cli tool [add] mcs_cluster_tool/tools_commands.py file with cskeys and cspasswd commands [add] cskeys and cspasswd commands to tools section of mcs cli [mv] backup/restore commands to tools section mcs cli [fix] minor imports ordering [fix] constants
2025-08-01 06:46:55 +03:00 · 2025-03-11 15:44:25 +03:00
parent 10dec6ea94
commit 215e4eea4d
10 changed files with 235 additions and 19 deletions
--- a/cmapi/cmapi_server/constants.py
+++ b/cmapi/cmapi_server/constants.py
@ -20,9 +20,11 @@ EM_PATH_SUFFIX = 'data1/systemFiles/dbrm'
 MCS_EM_PATH = os.path.join(MCS_DATA_PATH, EM_PATH_SUFFIX)
 MCS_BRM_CURRENT_PATH = os.path.join(MCS_EM_PATH, 'BRM_saves_current')
 S3_BRM_CURRENT_PATH = os.path.join(EM_PATH_SUFFIX, 'BRM_saves_current')
 # keys file for CEJ password encryption\decryption
 # (CrossEngineSupport section in Columnstore.xml)
-MCS_SECRETS_FILE_PATH = os.path.join(MCS_DATA_PATH, '.secrets')
+MCS_SECRETS_FILENAME = '.secrets'
 MCS_SECRETS_FILE_PATH = os.path.join(MCS_DATA_PATH, MCS_SECRETS_FILENAME)
 # CMAPI SERVER
 CMAPI_CONFIG_FILENAME = 'cmapi_server.conf'
--- a/cmapi/cmapi_server/controllers/endpoints.py
+++ b/cmapi/cmapi_server/controllers/endpoints.py
@ -19,6 +19,7 @@ from cmapi_server.constants import (
 )
 from cmapi_server.controllers.error import APIError
 from cmapi_server.handlers.cej import CEJError
 from cmapi_server.handlers.cej import CEJPasswordHandler
 from cmapi_server.handlers.cluster import ClusterHandler
 from cmapi_server.helpers import (
    cmapi_config_check, dequote, get_active_nodes, get_config_parser,
@ -363,6 +364,7 @@ class ConfigController:
        sm_config_filename = request_body.get(
            'sm_config_filename', DEFAULT_SM_CONF_PATH
        )
        secrets = request_body.get('secrets', None)
        if request_mode is None and request_config is None:
            raise_422_error(
@ -391,6 +393,9 @@ class ConfigController:
            )
        request_response = {'timestamp': str(datetime.now())}
        if secrets:
            CEJPasswordHandler().save_secrets(secrets)
        node_config = NodeConfig()
        xml_config = request_body.get('config', None)
        sm_config = request_body.get('sm_config', None)
--- a/cmapi/cmapi_server/handlers/cej.py
+++ b/cmapi/cmapi_server/handlers/cej.py
@ -1,12 +1,18 @@
 """Module contains all things related to working with .secrets file."""
 import binascii
 import json
 import logging
 import os
 import pwd
 import stat
 from shutil import copyfile
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.hazmat.primitives import padding
-from cmapi_server.constants import MCS_SECRETS_FILE_PATH
+from cmapi_server.constants import (
    MCS_DATA_PATH, MCS_SECRETS_FILENAME, MCS_SECRETS_FILE_PATH
 )
 from cmapi_server.exceptions import CEJError
@ -20,7 +26,7 @@ class CEJPasswordHandler():
    """Handler for CrossEngineSupport password decryption."""
    @classmethod
-    def secretsfile_exists(cls):
+    def secretsfile_exists(cls) -> bool:
        """Check the .secrets file in MCS_SECRETS_FILE_PATH.
        :return: True if file exists and not empty.
@ -43,7 +49,7 @@ class CEJPasswordHandler():
        return False
    @classmethod
-    def get_secrets_json(cls):
+    def get_secrets_json(cls) -> dict:
        """Get json from .secrets file.
        :raises CEJError: on empty\corrupted\wrong format .secrets file
@ -68,7 +74,7 @@ class CEJPasswordHandler():
            return secrets_json
    @classmethod
-    def decrypt_password(cls, enc_data:str):
+    def decrypt_password(cls, enc_data: str) -> str:
        """Decrypt CEJ password if needed.
        :param enc_data: encrypted initialization vector + password in hex str
@ -91,7 +97,7 @@ class CEJPasswordHandler():
            ) from value_error
        secrets_json = cls.get_secrets_json()
-        encryption_key_hex = secrets_json.get('encryption_key')
+        encryption_key_hex = secrets_json.get('encryption_key', None)
        if not encryption_key_hex:
            raise CEJError(
                f'Empty "encryption key" found in {MCS_SECRETS_FILE_PATH}'
@ -117,3 +123,93 @@ class CEJPasswordHandler():
            unpadder.update(padded_passwd_bytes) + unpadder.finalize()
        )
        return passwd_bytes.decode()
    @classmethod
    def encrypt_password(cls, passwd: str) -> str:
        iv = os.urandom(size=AES_IV_BIN_SIZE)
        secrets_json = cls.get_secrets_json()
        encryption_key_hex = secrets_json.get('encryption_key')
        if not encryption_key_hex:
            raise CEJError(
                f'Empty "encryption key" found in {MCS_SECRETS_FILE_PATH}'
            )
        try:
            encryption_key = bytes.fromhex(encryption_key_hex)
        except ValueError as value_error:
            raise CEJError(
                'Non-hexadecimal number found in encryption key from '
                f'{MCS_SECRETS_FILE_PATH} file.'
            ) from value_error
        cipher = Cipher(
            algorithms.AES(encryption_key),
            modes.CBC(iv)
        )
        encryptor = cipher.encryptor()
        padder = padding.PKCS7(algorithms.AES.block_size).padder()
        padded_data = padder.update(passwd.encode()) + padder.finalize()
        encrypted_data = encryptor.update(padded_data) + encryptor.finalize()
        return iv + encrypted_data
    @classmethod
    def generate_secrets_data(cls) -> dict:
        """Generate secrets data for .secrets file.
        :return: secrets data
        :rtype: dict
        """
        key_length = algorithms.AES256.key_size // 8
        encryption_key = os.urandom(size=key_length)
        encryption_key_hex = binascii.hexlify(encryption_key).decode()
        secrets_dict = {
            'description': 'Columnstore CrossEngineSupport password encryption/decryption key',
            'encryption_cipher': 'EVP_aes_256_cbc',
            'encryption_key': encryption_key_hex
        }
        return secrets_dict
    @classmethod
    def save_secrets(
        cls, secrets: dict, filepath: str = MCS_SECRETS_FILE_PATH,
        owner: str = 'mysql'
    ) -> None:
        """Write secrets to .secrets file.
        :param secrets: secrets dict
        :type secrets: dict
        :param filepath: path to the .secrets file
        :type filepath: str, optional
        :param owner: owner of the file
        :type owner: str, optional
        """
        if cls.secretsfile_exists():
            copyfile(
                filepath,
                os.path.join(
                    os.path.dirname(filepath),
                    f'{os.path.basename(filepath)}.cmapi.save'
                )
            )
        try:
            with open(
                MCS_SECRETS_FILE_PATH, 'w', encoding='utf-8'
            ) as secrets_file:
                json.dump(secrets, secrets_file)
        except Exception as exc:
            raise CEJError(f'Write to .secrets file failed.') from exc
        try:
            os.chmod(MCS_SECRETS_FILE_PATH, stat.S_IRUSR)
            userinfo = pwd.getpwnam(owner)
            os.chown(MCS_SECRETS_FILE_PATH, userinfo.pw_uid, userinfo.pw_gid)
            logging.debug(f'Permissions of .secrets file set to {owner}:read.')
            logging.debug(f'Ownership of .secrets file given to {owner}.')
        except Exception as exc:
            raise CEJError(
                f'Failed to set permissions or ownership for .secrets file.'
            ) from exc
--- a/cmapi/cmapi_server/handlers/cluster.py
+++ b/cmapi/cmapi_server/handlers/cluster.py
@ -178,8 +178,7 @@ class ClusterHandler():
        update_revision_and_manager(
            input_config_filename=config, output_config_filename=config
        )
-
+        broadcast_new_config(config, distribute_secrets=True)
        broadcast_new_config(config)
        logger.debug(f'Successfully finished adding node {node}.')
        return response
--- a/cmapi/cmapi_server/helpers.py
+++ b/cmapi/cmapi_server/helpers.py
@ -290,9 +290,10 @@ def broadcast_new_config(
    sm_config_filename: str = DEFAULT_SM_CONF_PATH,
    test_mode: bool = False,
    nodes: Optional[list] = None,
-    timeout: Optional[int] = None
+    timeout: Optional[int] = None,
    distribute_secrets: bool = False
 ) -> None:
-    """Send new config to nodes in async way.
+    """Send new config to nodes. Now in async way.
    :param cs_config_filename: Columnstore.xml path,
                               defaults to DEFAULT_MCS_CONF_PATH
@ -310,6 +311,8 @@ def broadcast_new_config(
    :param timeout: timeout passing to gracefully stop DMLProc TODO: for next
                    releases. Could affect all logic of broadcacting new config
    :type timeout: Optional[int], optional
    :param distribute_secrets: flag to distribute secrets to nodes
    :type distribute_secrets: bool
    :raises CMAPIBasicError: If Broadcasting config to nodes failed with errors
    """
@ -338,6 +341,12 @@ def broadcast_new_config(
        'sm_config_filename': sm_config_filename,
        'sm_config': sm_config_text
    }
    if distribute_secrets:
        # TODO: do not restart cluster when put xml config only with
        secrets = CEJPasswordHandler.get_secrets_json()
        body['secrets'] = secrets
    # TODO: remove test mode here and replace it by mock in tests
    if test_mode:
        body['test'] = True
--- a/cmapi/mcs_cluster_tool/main.py
+++ b/cmapi/mcs_cluster_tool/main.py
@ -6,7 +6,7 @@ import typer
 from cmapi_server.logging_management import dict_config, add_logging_level, enable_console_logging
 from mcs_cluster_tool import (
-    cluster_app, cmapi_app, backup_commands, restore_commands
+    cluster_app, cmapi_app, backup_commands, restore_commands, tools_commands
 )
 from mcs_cluster_tool.constants import MCS_CLI_LOG_CONF_PATH
@ -21,13 +21,25 @@ app = typer.Typer(
    rich_markup_mode='rich',
 )
 app.add_typer(cluster_app.app)
-# TODO: keep this only for potential backward compatibility
+# keep this only for potential backward compatibility and userfriendliness
 app.add_typer(cluster_app.app, name='cluster', hidden=True)
 app.add_typer(cmapi_app.app, name='cmapi')
-app.command('backup')(backup_commands.backup)
+app.command(
-app.command('dbrm_backup')(backup_commands.dbrm_backup)
+    'backup', rich_help_panel='Tools commands'
-app.command('restore')(restore_commands.restore)
+)(backup_commands.backup)
-app.command('dbrm_restore')(restore_commands.dbrm_restore)
+app.command(
    'dbrm_backup', rich_help_panel='Tools commands'
 )(backup_commands.dbrm_backup)
 app.command(
    'restore', rich_help_panel='Tools commands'
 )(restore_commands.restore)
 app.command(
    'dbrm_restore', rich_help_panel='Tools commands'
 )(restore_commands.dbrm_restore)
 app.command('cskeys', rich_help_panel='Tools commands')(tools_commands.cskeys)
 app.command(
    'cspasswd', rich_help_panel='Tools commands'
 )(tools_commands.cspasswd)
@app.command(
--- a/cmapi/mcs_cluster_tool/backup_commands.py
+++ b/cmapi/mcs_cluster_tool/backup_commands.py
@ -2,9 +2,9 @@
 import logging
 import sys
 from datetime import datetime
 from typing_extensions import Annotated
 import typer
 from typing_extensions import Annotated
 from cmapi_server.process_dispatchers.base import BaseDispatcher
 from mcs_cluster_tool.constants import MCS_BACKUP_MANAGER_SH
--- a/cmapi/mcs_cluster_tool/cluster_app.py
+++ b/cmapi/mcs_cluster_tool/cluster_app.py
@ -7,7 +7,6 @@ import time
 from datetime import datetime, timedelta
 from typing import List, Optional
 import pyotp
 import requests
 import typer
 from typing_extensions import Annotated
--- a/cmapi/mcs_cluster_tool/restore_commands.py
+++ b/cmapi/mcs_cluster_tool/restore_commands.py
@ -1,9 +1,9 @@
 """Typer application for restore Columnstore data."""
 import logging
 import sys
 from typing_extensions import Annotated
 import typer
 from typing_extensions import Annotated
 from cmapi_server.process_dispatchers.base import BaseDispatcher
 from mcs_cluster_tool.constants import MCS_BACKUP_MANAGER_SH
--- a/cmapi/mcs_cluster_tool/tools_commands.py
+++ b/cmapi/mcs_cluster_tool/tools_commands.py
@ -0,0 +1,94 @@
 import logging
 import os
 import typer
 from typing_extensions import Annotated
 from cmapi_server.constants import MCS_SECRETS_FILE_PATH
 from cmapi_server.exceptions import CEJError
 from cmapi_server.handlers.cej import CEJPasswordHandler
 from mcs_cluster_tool.decorators import handle_output
 logger = logging.getLogger('mcs_cli')
 # pylint: disable=unused-argument, too-many-arguments, too-many-locals
 # pylint: disable=invalid-name, line-too-long
@handle_output
 def cskeys(
    filepath: Annotated[
        str,
        typer.Option(
            '-f', '--filepath',
            help='Path to the output file',
        )
    ] = MCS_SECRETS_FILE_PATH,
    username: Annotated[
        str,
        typer.Option(
            '-u', '--username',
            help='Username for the key',
        )
    ] = 'mysql',
 ):
    if CEJPasswordHandler().secretsfile_exists():
        typer.echo(
            (
                f'Secrets file "{filepath}" already exists. '
                'Delete it before generating a new encryption key.'
            ),
            color='red',
        )
        raise typer.Exit(code=1)
    elif not os.path.exists(os.path.dirname(filepath)):
        typer.echo(
            f'Directory "{os.path.dirname(filepath)}" does not exist.',
            color='red'
        )
        raise typer.Exit(code=1)
    new_secrets_data = CEJPasswordHandler().generate_secrets_data()
    try:
        CEJPasswordHandler().save_secrets(new_secrets_data, owner=username)
    except CEJError as cej_error:
        typer.echo(cej_error.message, color='red')
        raise typer.Exit(code=2)
    raise typer.Exit(code=0)
@handle_output
 def cspasswd(
    password: Annotated[
        str,
        typer.Option(
            help='Password to encrypt/decrypt',
            prompt=True, confirmation_prompt=True, hide_input=True
        )
    ],
    decrypt: Annotated[
        bool,
        typer.Option(
            '--decrypt',
            help='Decrypt the provided password',
        )
    ] = False
 ):
    if decrypt:
        try:
            decrypted_password = CEJPasswordHandler().decrypt_password(
                password
            )
        except CEJError as cej_error:
            typer.echo(cej_error.message, color='red')
            raise typer.Exit(code=1)
        typer.echo(f'Decoded password: {decrypted_password}', color='green')
    else:
        try:
            encoded_password = CEJPasswordHandler().encrypt_password(password)
        except CEJError as cej_error:
            typer.echo(cej_error.message, color='red')
            raise typer.Exit(code=1)
        typer.echo(f'Encoded password: {encoded_password}', color='green')
    raise typer.Exit(code=0)