Add option to encrypt redis password (#302)

alexsong93 · mhamann · commit da17089d2711 · 2018-05-18T22:43:35.000-04:00
diff --git a/Dockerfile b/Dockerfile
@@ -26,7 +26,7 @@ FROM alpine:latest
 # install dependencies
 RUN apk --update add \
     gcc tar libtool zlib jemalloc jemalloc-dev perl \
-    ca-certificates wget make musl-dev openssl-dev pcre-dev g++ zlib-dev curl python \
+    ca-certificates wget make musl-dev openssl-dev openssl pcre-dev g++ zlib-dev curl python \
     perl-test-longstring perl-list-moreutils perl-http-message geoip-dev dumb-init jq \
     && update-ca-certificates \
     && rm -rf /var/cache/apk/*
diff --git a/Makefile b/Makefile
@@ -58,6 +58,7 @@ docker-run:
 	docker run --rm --name="apigateway" -p 80:80 -p ${PUBLIC_MANAGEDURL_PORT}:8080 -p 9000:9000 \
 		-e PUBLIC_MANAGEDURL_HOST=${PUBLIC_MANAGEDURL_HOST} -e PUBLIC_MANAGEDURL_PORT=${PUBLIC_MANAGEDURL_PORT} \
 		-e REDIS_HOST=${REDIS_HOST} -e REDIS_PORT=${REDIS_PORT} -e REDIS_PASS=${REDIS_PASS} \
+		-e DECRYPT_REDIS_PASS=${DECRYPT_REDIS_PASS} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e ENCRYPTION_IV=${ENCRYPTION_IV} \
 		-e TOKEN_GOOGLE_URL=https://www.googleapis.com/oauth2/v3/tokeninfo \
 	 	-e TOKEN_FACEBOOK_URL=https://graph.facebook.com/debug_token \
 		-e TOKEN_GITHUB_URL=https://api.github.com/user \
diff --git a/README.md b/README.md
@@ -50,6 +50,11 @@ docker run -p 80:80 -p <managedurl_port>:8080 -p 9000:9000 \
             openwhisk/apigateway:latest
 ```
 
+(Optional) The redis password can be passed in encrypted using the `aes-256-cbc` encryption algorithm. To do so, pass in the following environment variables, in addition to the encrypted password:
+- `DECRYPT_REDIS_PASS=true`
+- `ENCRYPTION_KEY=<32 Byte hex string that was used for encryption>`
+- `ENCRYPTION_IV=<16 Byte hex string that was used for encryption>`
+
 ## API
 - [v2 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v2/management_interface_v2.md)
 - [v1 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v1/management_interface_v1.md)
diff --git a/api-gateway.conf b/api-gateway.conf
@@ -43,6 +43,9 @@ env TOKEN_GOOGLE_URL;
 env TOKEN_FACEBOOK_URL;
 env TOKEN_GITHUB_URL;
 
+env ENCRYPTION_KEY;
+env ENCRYPTION_IV;
+
 
 events {
     use epoll;
diff --git a/init.sh b/init.sh
@@ -21,6 +21,10 @@ log_level=${LOG_LEVEL:-warn}
 marathon_host=${MARATHON_HOST}
 redis_host=${REDIS_HOST}
 redis_port=${REDIS_PORT}
+if [ "${DECRYPT_REDIS_PASS}" == "true" ]; then
+    export REDIS_PASS=$(printf "${REDIS_PASS}\n" | openssl enc -d -K ${ENCRYPTION_KEY} -iv ${ENCRYPTION_IV} -aes-256-cbc -base64)
+fi
+
 sleep_duration=${MARATHON_POLL_INTERVAL:-5}
 # location for a remote /etc/api-gateway folder.
 # i.e s3://api-gateway-config
