[SR-Users] DBURL password in clear

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 17 11:09:55 CET 2017



On 15.11.17 18:27, Robert wrote:
> Thank you Daniel. This provides me with some capability, but I can’t
> seem to consume the result in the configuration, I just get lots of
> errors. The issue seems to be that the value of the define, passed via
> -A doesn’t seem to be processed in any way.
>
> I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the
> first time delving into Flex etc. so I’m not sure I’m following it
> correctly.
>
> I’ve tried every combination of encapsulation of the parameters in
> single and double quotes I can think of i.e. -A DBURL=“…”, -A
> “DBURL=…”, all with the same result.

Variants of the quoting were referring to the value of DBURL, maybe it
was not clear ... Anyhow, I just tried and the next command starts
kamailio with the default config:

./src/kamailio -f etc/kamailio.cfg -A WITH_MYSQL -A WITH_AUTH \
    -A DBURL='"mysql://kamailio:kamailiorw@localhost/kamailio"' \
    -L src/modules/ -a no -E -e -ddd

Note that the value for DBURL is enclosed first in between ' ' and then
inside are " ".

Cheers,
Daniel

>
> I also tried #!subst "/DB_URL/DBURL/g" but that doesn’t seem to expand
> out the DBURL define.
>
> In short, I’m stumped… Any further thoughts would be truly
> appreciated. I’ve put a few error details in the mail below. I’m
> feeling that I may need to resort to changing the behaviour of the
> subst directive to meet my needs (more likely, add substvar,
> substfromfile or some such).
>
> Any further thoughts would be truly welcome, otherwise I think I’m
> going to have to dig out my dusty K&R book and roll my sleeves up…
> Sincere thanks in advance for any ideas.
>
> Cheers - Robert...
>
> -------------------------------------------------------------------------------------------------------------------------
>
> In the configuration file, I have failures for example on:
>
> modparam("htable", "db_url", DBURL)
>
> when launched with the -A results in:
>
> 0(7) DEBUG: <core> [core/cfg.lex:1838]: pp_define_get(): ### returning
> define ID [DBURL] value [oracle://username:password@/DB]
> 0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: syntax error
> 0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: Invalid arguments
> 0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
> ERROR: bad config file (3 errors)
>
> I’ve tried with #!subst but it seems that pre-processor directive
> doesn’t expand out defines, so:
>
> #!subst "/DB_URL/DBURL/g"
> modparam("htable", "db_url", DB_URL)
>
> just results in:
>
> 0(7) INFO: <core> [core/ppcfg.c:82]: pp_subst_add(): ### added subst
> expression: /DB_URL/DBURL/g
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
> 0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: syntax error
> 0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: Invalid arguments
> 0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
> ERROR: bad config file (3 errors)
>
>
>
>> On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
>>
>> Hello,
>>
>>
>> On 14.11.17 14:25, Robert wrote:
>>> Hello,
>>>
>>> I’m working for a UK high street bank and our Kamailio
>>> implementation has been challenged because we’ve got database
>>> passwords held in clear in the configuration file.
>>>
>>> I am unable to find any examples of where this has been worked
>>> around, there doesn’t seem to be any module or configuration means
>>> of supplying a variable in the modparam() entry that is expanded at
>>> startup. The security tutorials only seem to relate to the SIP level
>>> of security, not Kamailio as a platform.
>>>
>>> My requirement is simple, I need to be able to supply a password via
>>> means such as loading a variable from a run-once script at start up,
>>> or a module. The ideal would be to be able to read in a Docker secret :)
>>>
>>> I am by no means a Kamailio expert, so apologies in advance if this
>>> is a mindblowingly basic thing to achieve, but I do feel I’ve
>>> exhausted the Kamailio documentation, wiki etc. and all the goodness
>>> Google usually has to offer and drawn a blank.
>>>
>>> Sincere thanks in advance for any assistance.
>>>
>>>
>> you can define a value for a token to be used inside kamailio.cfg by using -A
>> command line parameter. So when you start kamailio, fetch the password
>> from your secure system by whatsoever means, then build the database
>> url based on it and run kamailio with:
>>
>> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
>>
>> You may need to enclose in double quotes inside the single quotes, I am
>> not sure at this moment, but sometimes the shell 'eats' a pair of quotes,
>> so just try with it if the first fails ...
>>
>> Cheers,
>> Daniel
>>
>> -- 
>> Daniel-Constantin Mierla
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com
>> Kamailio World Conference - www.kamailioworld.com
>

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
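
The approach suggested in this thread (fetch the password at start-up, build the database URL, pass it with -A), as an added example that is not part of the original messages: a POSIX shell wrapper that reads the password from a secret file and emits the define with the inner double quotes intact. The secret path, config path, mysql:// scheme and the refusal of quote, backslash and newline characters are assumptions of this example and go beyond what the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): build the -A DBURL define from a file.
# Hypothetical names: the secret path, DB user/host/name, config path.

NL='
'

# Print the one argument that follows -A: DBURL="mysql://user:pass@host/db".
# The inner double quotes must reach kamailio so the define expands to a
# config string; this is what the '"..."' quoting in the thread achieves.
build_dburl_define() {
    secret_file=$1 user=$2 host=$3 db=$4
    [ -r "$secret_file" ] || { echo "cannot read secret file" >&2; return 1; }
    # Command substitution drops the trailing newline most secret files carry.
    pass=$(cat "$secret_file") || return 1
    [ -n "$pass" ] || { echo "empty secret" >&2; return 1; }
    # Refuse characters that would end, escape or split the quoted string.
    case $pass in
        *'"'*|*'\'*|*"$NL"*)
            echo "secret contains a quote, backslash or newline" >&2
            return 1 ;;
    esac
    printf 'DBURL="mysql://%s:%s@%s/%s"' "$user" "$pass" "$host" "$db"
}

# Entry point for a real start: exec replaces this shell with kamailio.
start_kamailio() {
    define=$(build_dburl_define "$@") || return 1
    exec kamailio -f /etc/kamailio/kamailio.cfg -A WITH_MYSQL -A "$define"
}

# Demo on a constructed secret file. A container entrypoint would instead end
# with: start_kamailio /run/secrets/<name> kamailio localhost kamailio
demo_dir=$(mktemp -d)
printf 'kamailiorw\n' > "$demo_dir/db_password"
build_dburl_define "$demo_dir/db_password" kamailio localhost kamailio
echo
rm -rf "$demo_dir"
```

A value passed with -A is part of the process's command line, which other local users can typically read with ps. The debug output quoted in this thread also shows pp_define_get() printing the full define value, password included, so the log level matters when this approach is used.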
