UC-445: Security Vulnerability: No password for postgresql user postgres

-change in sipXcdrLog to use postgres password

Author: Mircea Carasel

sipXcdrLog/src/org/sipfoundry/sipxrest/cdrlog/CdrLogRestlet.java

@@ -52,6 +52,7 @@ public void handle(Request request, Response response) {
         RestServerConfig config = RestServer.getRestServerConfig();
         String cdrDBUrl = config.getSipxcdrAddress();
         String dbUser = config.getDbUser();
+        String dbPassword = config.getDbPassword();
 
         try {
             Method httpMethod = request.getMethod();
@@ -105,7 +106,7 @@ public void handle(Request request, Response response) {
 
             System.setProperty("jdbc.drivers", "org.postgresql.Driver");
             // Establish a connection to the CDR database.
-            cdrConnection = DriverManager.getConnection(cdrDBUrl, dbUser, "");
+            cdrConnection = DriverManager.getConnection(cdrDBUrl, dbUser, dbPassword);
 
             String sqlPrepareString;
             String userLike = "%:" + userId + "@%";

sipXcommons/src/main/java/org/sipfoundry/commons/restconfig/RestServerConfig.java

@@ -19,6 +19,7 @@ public class RestServerConfig {
 	private String sipxProxyDomain;
 	private String sipxcdrAddress;
 	private String dbUser;
+	private String dbPassword;
 
 	public void setIpAddress(String ipAddress) {
 		this.ipAddress = ipAddress;
@@ -92,6 +93,14 @@ public void setDbUser(String dbUser) {
         this.dbUser = dbUser;
     }
 
+    public String getDbPassword() {
+        return dbPassword;
+    }
+
+    public void setDbPassword(String dbPassword) {
+        this.dbPassword = dbPassword;
+    }
+
     public int getCacheTimeout() {
         return 30;
     }

sipXcommons/src/main/java/org/sipfoundry/commons/restconfig/RestServerConfigFileParser.java

@@ -31,6 +31,7 @@ private static void addRules(Digester digester) {
         digester.addCallMethod( String.format("%s/%s", REST_CONFIG,"log-level"), "setLogLevel",0);
         digester.addCallMethod( String.format("%s/%s", REST_CONFIG,"sipxcdr-address"), "setSipxcdrAddress", 0);
         digester.addCallMethod( String.format("%s/%s", REST_CONFIG,"db-user"), "setDbUser", 0);
+        digester.addCallMethod( String.format("%s/%s", REST_CONFIG,"db-password"), "setDbPassword", 0);
     }
 
     public RestServerConfig parse(String url) {

sipXconfig/etc/sipxpbx/sipxrest/sipxrest-config.vm

@@ -8,4 +8,5 @@
   <sip-port>$settings.getSetting('sipPort').Value</sip-port>
   <sipxcdr-address>${sipxcdrDbAddress}</sipxcdr-address>
   <db-user>@POSTGRESQL_USER@</db-user>
+  <db-password>${postgresPwd}</db-password>
 </rest-config>

sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/admin/AdminConfig.java

@@ -21,7 +21,6 @@
 import java.util.Set;
 
 import org.apache.commons.io.IOUtils;
-import org.sipfoundry.sipxconfig.cdr.CdrManager;
 import org.sipfoundry.sipxconfig.cfgmgt.CfengineModuleConfiguration;
 import org.sipfoundry.sipxconfig.cfgmgt.ConfigManager;
 import org.sipfoundry.sipxconfig.cfgmgt.ConfigProvider;
@@ -49,8 +48,7 @@ public void replicate(ConfigManager manager, ConfigRequest request) throws IOExc
 
         for (Location l : locations) {
             File dir = manager.getLocationDataDirectory(l);
-            if (l.isPrimary() || manager.getFeatureManager().isFeatureEnabled(ProxyManager.FEATURE, l)
-                || manager.getFeatureManager().isFeatureEnabled(CdrManager.FEATURE, l)) {
+            if (l.isPrimary() || manager.getFeatureManager().isFeatureEnabled(ProxyManager.FEATURE, l)) {
                 Writer pwd = new FileWriter(new File(dir, "postgres-pwd.properties"));
                 Writer pwdCfdat = new FileWriter(new File(dir, "postgres-pwd.cfdat"));
                 try {

sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/restserver/RestConfiguration.java

@@ -35,11 +35,13 @@
 import org.sipfoundry.sipxconfig.domain.Domain;
 import org.sipfoundry.sipxconfig.setting.Setting;
 import org.sipfoundry.sipxconfig.setting.SettingUtil;
+import org.springframework.beans.factory.annotation.Required;
 
 public class RestConfiguration implements ConfigProvider {
     private RestServer m_restServer;
     private VelocityEngine m_velocityEngine;
     private String m_restSettingKey = "rest-config";
+    private String m_postgresPwd;
 
     @Override
     public void replicate(ConfigManager manager, ConfigRequest request) throws IOException {
@@ -80,6 +82,7 @@ void write(Writer wtr, RestServerSettings settings, Location location,
         context.put("location", location);
         context.put("domainName", domain.getName());
         context.put("sipxcdrDbAddress", sipxcdrApi.toString());
+        context.put("postgresPwd", m_postgresPwd);
         try {
             m_velocityEngine.mergeTemplate("sipxrest/sipxrest-config.vm", context, wtr);
         } catch (Exception e) {
@@ -94,4 +97,9 @@ public void setRestServer(RestServer restServer) {
     public void setVelocityEngine(VelocityEngine velocityEngine) {
         m_velocityEngine = velocityEngine;
     }
+
+    @Required
+    public void setPostgresPwd(String postgresPwd) {
+        m_postgresPwd = postgresPwd;
+    }
 }

sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/restserver/restserver.beans.xml

@@ -25,6 +25,7 @@
   <bean id="restServerConfiguration" class="org.sipfoundry.sipxconfig.restserver.RestConfiguration">
     <property name="restServer" ref="restServer" />
     <property name="velocityEngine" ref="velocityEngine"/>
+    <property name="postgresPwd" value="${password}"/>
   </bean>
 
 </beans>