From fca41148b7fafe891df6264b178d2e0baf184ecf Mon Sep 17 00:00:00 2001
From: Rajani Karuturi <rajani.karuturi@accelerite.com>
Date: Thu, 3 Nov 2016 10:56:53 +0530
Subject: [PATCH 1/2] CLOUDSTACK-9901 secure and hidden config values are
 returned as plaintext string

secure and hidden config values are first unencrypted before returning
them in the api. This is not desired as they are secure configs
returning encrypted strings for secure and hidden configs if encryption
is enabled.
---
 .../src/org/apache/cloudstack/config/Configuration.java    | 6 ++++++
 .../cloudstack/framework/config/impl/ConfigurationVO.java  | 7 ++++---
 server/src/com/cloud/api/ApiResponseHelper.java            | 7 ++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/framework/config/src/org/apache/cloudstack/config/Configuration.java b/framework/config/src/org/apache/cloudstack/config/Configuration.java
index a8031a5b5c9..19219305ca1 100644
--- a/framework/config/src/org/apache/cloudstack/config/Configuration.java
+++ b/framework/config/src/org/apache/cloudstack/config/Configuration.java
@@ -81,4 +81,10 @@ public interface Configuration {
      * parameter is no longer used and can be deleted.
      */
     Date getUpdated();
+
+    /**
+     *
+     * @return returns true if the configuration is encrypted else false.
+     */
+    boolean isEncrypted();
 }
diff --git a/framework/config/src/org/apache/cloudstack/framework/config/impl/ConfigurationVO.java b/framework/config/src/org/apache/cloudstack/framework/config/impl/ConfigurationVO.java
index b317ea21c51..7cd9afb8384 100644
--- a/framework/config/src/org/apache/cloudstack/framework/config/impl/ConfigurationVO.java
+++ b/framework/config/src/org/apache/cloudstack/framework/config/impl/ConfigurationVO.java
@@ -122,7 +122,7 @@ public class ConfigurationVO implements Configuration {
 
     @Override
     public String getValue() {
-        if(isEncryptedConfig()) {
+        if(isEncrypted()) {
             return DBEncryptionUtil.decrypt(value);
         } else {
             return value;
@@ -130,14 +130,15 @@ public class ConfigurationVO implements Configuration {
     }
 
     public void setValue(String value) {
-        if(isEncryptedConfig()) {
+        if(isEncrypted()) {
             this.value = DBEncryptionUtil.encrypt(value);
         } else {
             this.value = value;
         }
     }
 
-    private boolean isEncryptedConfig() {
+    @Override
+    public boolean isEncrypted() {
         return "Hidden".equals(getCategory()) || "Secure".equals(getCategory());
     }
 
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index f0581863e4f..4086a7e3974 100644
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.api;
 
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.agent.api.VgpuTypesInfo;
 import com.cloud.api.query.ViewResponseHelper;
 import com.cloud.api.query.vo.AccountJoinVO;
@@ -455,7 +456,11 @@ public class ApiResponseHelper implements ResponseGenerator {
         cfgResponse.setCategory(cfg.getCategory());
         cfgResponse.setDescription(cfg.getDescription());
         cfgResponse.setName(cfg.getName());
-        cfgResponse.setValue(cfg.getValue());
+        if(cfg.isEncrypted()) {
+            cfgResponse.setValue(DBEncryptionUtil.encrypt(cfg.getValue()));
+        } else {
+            cfgResponse.setValue(cfg.getValue());
+        }
         cfgResponse.setObjectName("configuration");
 
         return cfgResponse;

From 6809ce4a7b822e63caead82626a588d73a81657a Mon Sep 17 00:00:00 2001
From: Rajani Karuturi <rajani.karuturi@accelerite.com>
Date: Wed, 3 May 2017 14:56:35 +0530
Subject: [PATCH 2/2] CLOUDSTACK-9901 secure and hidden config values are
 returned as plaintext

fixed a testcase which was using encypted value.
---
 test/integration/smoke/test_internal_lb.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/test/integration/smoke/test_internal_lb.py b/test/integration/smoke/test_internal_lb.py
index f2f93649fec..5b4c66325ad 100644
--- a/test/integration/smoke/test_internal_lb.py
+++ b/test/integration/smoke/test_internal_lb.py
@@ -705,8 +705,12 @@ class TestInternalLb(cloudstackTestCase):
                 self.apiclient, name="network.loadbalancer.haproxy.stats.port")[0].value
             settings["stats_uri"] = Configurations.list(
                 self.apiclient, name="network.loadbalancer.haproxy.stats.uri")[0].value
-            settings["username"], settings["password"] = Configurations.list(
-                self.apiclient, name="network.loadbalancer.haproxy.stats.auth")[0].value.split(":")
+            # Update global setting network.loadbalancer.haproxy.stats.auth to a known value
+            haproxy_auth = "admin:password"
+            Configurations.update(self.apiclient, "network.loadbalancer.haproxy.stats.auth", haproxy_auth)
+            self.logger.debug(
+                "Updated global setting stats network.loadbalancer.haproxy.stats.auth to %s" % (haproxy_auth))
+            settings["username"], settings["password"] = haproxy_auth.split(":")
             settings["visibility"] = Configurations.list(
                 self.apiclient, name="network.loadbalancer.haproxy.stats.visibility")[0].value
             self.logger.debug(settings)