add feature: encrypt credential file

Author: Funny-Systems-OSS

README.md

@@ -1,144 +1,22 @@
 
-## Cloud SQL Proxy
-The Cloud SQL Proxy allows a user with the appropriate permissions to connect
-to a Second Generation Cloud SQL database without having to deal with IP whitelisting or SSL
-certificates manually. It works by opening unix/tcp sockets on the local machine
-and proxying connections to the associated Cloud SQL instances when the sockets
-are used.
-
-To build from source, ensure you have [go installed](https://golang.org/doc/install)
-and have set [GOPATH](https://github.com/golang/go/wiki/GOPATH). Then, simply do a go get:
-
-    GO111MODULE=on go get github.com/GoogleCloudPlatform/cloudsql-proxy/cmd/cloud_sql_proxy
-
-The cloud_sql_proxy will be placed in `$GOPATH/bin` after `go get` completes.
-
-cloud_sql_proxy takes a few arguments to configure what instances to connect to and connection behavior:
-
-* `-fuse`: requires access to `/dev/fuse` as well as the `fusermount` binary. An
-  optional `-fuse_tmp` flag can specify where to place temporary files. The
-  directory indicated by `-dir` is mounted.
-* `-instances="project1:region:instance1,project3:region:instance1"`: A comma-separated list
-  of instances to open inside `-dir`. Also supports exposing a tcp port and renaming the default Unix Domain Sockets; see examples below.
-  Same list can be provided via INSTANCES environment variable, in case when both are provided - proxy will use command line flag.
-* `-instances_metadata=metadata_key`: Usable on [GCE](https://cloud.google.com/compute/docs/quickstart) only. The given [GCE metadata](https://cloud.google.com/compute/docs/metadata) key will be
-  polled for a list of instances to open in `-dir`. The metadata key is relative from `computeMetadata/v1/`. The format for the value is the same as the 'instances' flag. A hanging-poll strategy is used, meaning that changes to
-  the metadata value will be reflected in the `-dir` even while the proxy is
-  running. When an instance is removed from the list the corresponding socket
-  will be removed from `-dir` as well (unless it was also specified in
-  `-instances`), but any existing connections to this instance will NOT be
-  terminated.
-* `-ip_address_types=PUBLIC,PRIVATE`: A comma-delimited list of preferred IP
-  types for connecting to an instance. For example, setting this to PRIVATE will
-  force the proxy to connect to instances using an instance's associated private
-  IP. Defaults to `PUBLIC,PRIVATE`
-* `-term_timeout=30s`: How long to wait for connections to close before shutting
-  down the proxy. Defaults to 0.
-* `-skip_failed_instance_config`: Setting this flag will allow you to prevent the proxy from terminating when
-	some instance configurations could not be parsed and/or are unavailable.
-* `-log_debug_stdout=true`: This is to log non-error output to stdOut instead of stdErr. For example, if you don't want connection related messages to log as errors, set this flag to true. Defaults to false.
-
-Note: `-instances` and `-instances_metadata` may be used at the same time but
-are not compatible with the `-fuse` flag.
-
-cloud_sql_proxy authentication can be configured in a few different ways. Those listed higher on the list will override options lower on the list:
-
-1. `credential_file` flag
-2. `token` flag
-3. Service account key at path stored in `GOOGLE_APPLICATION_CREDENTIALS`
-4. gcloud _user_ credentials (set from `gcloud auth login`)
-5. Default Application Credentials via goauth:
-
-   1. `GOOGLE_APPLICATION_CREDENTIALS` (again)
-   2. gcloud _application default_ credentials (set from ` gcloud auth application-default login`)
-   3. appengine.AccessToken (for App Engine Go < =1.9)
-   4. GCE/GAE metadata credentials
-
-When the proxy authenticates under the default service account of the
-Compute Engine VM it is running on the VM must have at least the
-sqlservice.admin API scope ("https://www.googleapis.com/auth/sqlservice.admin")
-and the associated project must have the SQL Admin API
-enabled.  The default service account must also have at least WRITER/EDITOR
-priviledges to any projects of target SQL instances.
-
-Specifying the `-credential_file` flag allows use of the proxy outside of
-Google's cloud. Simply [create a new service
-account](https://cloud.google.com/sql/docs/mysql/sql-proxy#create-service-account),
-download the associated JSON file, and set `-credential_file` to the path of the
-JSON file. You can also set the GOOGLE_APPLICATION_CREDENTIALS environment variable
-instead of passing this flag.
-
-## Example invocations:
-
-    ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-inst &
-    mysql -u root -S /cloudsql/my-project:us-central1:sql-inst
-
-    # To retrieve instances from a custom metadata value (only when running on GCE)
-    ./cloud_sql_proxy -dir=/cloudsql -instances_metadata instance/attributes/<custom-metadata-key> &
-    mysql -u root -S /cloudsql/my-project:us-central1:sql-inst
-
-    # For -fuse you do not need to specify instance names ahead of time:
-    ./cloud_sql_proxy -dir=/cloudsql -fuse &
-    mysql -u root -S /cloudsql/my-project:us-central1:sql-inst
-
-    # For programs which do not support using Unix Domain Sockets, specify tcp:
-    ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-inst=tcp:3306 &
-    mysql -u root -h 127.0.0.1
-
-    # For programs which require a certain Unix Domain Socket name:
-    ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-inst=unix:custom_socket_name &
-    mysql -u root -S /cloudsql/custom_socket_name
-
-    # For programs which require a the Unix Domain Socket at a specific location, set an absolute path (overrides -dir):
-    ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-inst=unix:/my/custom/sql-socket &
-    mysql -u root -S /my/custom/sql-socket
-
-## Container Images
-
-For convenience, we maintain several containerized versions. These images are 
-currently hosted in the following GCR repositories:
-   * `gcr.io/cloudsql-docker/gce-proxy`
-   * `us.gcr.io/cloudsql-docker/gce-proxy`
-   * `eu.gcr.io/cloudsql-docker/gce-proxy`
-   * `asia.gcr.io/cloudsql-docker/gce-proxy`
-
-__Note:__ 
-
-Each image is tagged with the version of the proxy it was released with. The 
-following tags are currently supported:
-  * `$VERSION` - default image (recommended)
-  * `$VERSION-alpine` - uses [`alpine:3`](https://hub.docker.com/_/alpine) as a base image (only supported from v1.17 up)
-  * `$VERSION-buster` - uses [`debian:buster`](https://hub.docker.com/_/debian) as a base image (only supported from v1.17 up)
-
-__Note:__ We strongly recommend to always use the latest version of the proxy,
-and to update the version regularly. However, we recommend pinning to a
-specific tag and avoid the `latest` tag. Additionally, please note that
-the tagged version is _only_ that of the proxy - changes in base images may 
-break specific setups, even on non-major version increments. As such,
-it's a best practice to test changes before deployment, and use automated
-rollbacks to revert potential failures. 
-
-## To use from Kubernetes:
-
-### Deploying Cloud SQL Proxy as a sidecar container
-Follow this [page](https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/tree/master/cloudsql). See also
-[Connecting from Google Kubernetes Engine](https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine).
-
-
-## Third Party
-
-__WARNING__: _These distributions are not officially supported by Google._
-
-### Installing via Homebrew
-
-  You can find a formula for with Homebrew [here](https://github.com/tclass/homebrew-cloud_sql_proxy).
-
-
-### K8s Cluster Service using Helm
-
-  Follow these [instructions](https://github.com/rimusz/charts/tree/master/stable/gcloud-sqlproxy).
-  This chart creates a Deployment and a Service, but we recommend deploying the proxy as a sidecar container in your pods.
-
-### .Net Proxy Wrapper (Nuget Package)
-  
-  Install via Nuget, follow these [instructions](https://github.com/expert1-pty-ltd/cloudsql-proxy#install-via-nuget).
+# Cloud SQL Proxy Hardening
++ [Features](#Features)
++ [Requirements](#Requirements)
++ [Installation](#Installation)
++ [Usage](#Usage)
+## Fork from
+cloudsql-proxy: https://github.com/GoogleCloudPlatform/cloudsql-proxy/tree/v1.19.0
+## Features
++ Replace plaintext credential file with encrypted one which bound to instance ID.
+## Requirements
++ Go 1.15 or higher.
+## Installation
+1. git clone https://github.com/Funny-Systems-OSS/cloudsql-proxy-hardening.git
+2. cd ./cloudsql-proxy-hardening
+3. go build -o ../cloud_sql_proxy_funny ./cmd/cloud_sql_proxy/
+## Usage
++ ./cloud_sql_proxy_funny <-credential_file credential_file_path> [-use_plainfile]
+  + -credential_file:\
+    The encrypted credential file be used to retrieve Service Account credential in cloud_sql_proxy.
+  + -use_plainfile:\
+    Setting this flag will allow you to use not encrypted credential file.

cmd/cloud_sql_proxy/cloud_sql_proxy.go

@@ -33,6 +33,12 @@ import (
 	"sync"
 	"syscall"
 	"time"
+	
+    "crypto/aes"
+	"crypto/cipher"
+    "crypto/md5"
+    "encoding/hex"
+    "strconv"
 
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/logging"
 	"github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/certs"
@@ -92,15 +98,32 @@ You may set the GOOGLE_APPLICATION_CREDENTIALS environment variable for the same
 
 	// Setting to choose what API to connect to
 	host = flag.String("host", "", "When set, the proxy uses this host as the base API path. Example: https://sqladmin.googleapis.com")
+
+	usePlainfile = flag.Bool("use_plainfile", false, "Setting this flag will allow you to use not encrypted credential file.")
+
+	strInstanceID, _ = metadata.InstanceID()
+	instanceID, _ = strconv.Atoi(strInstanceID)
 )
 
 const (
 	minimumRefreshCfgThrottle = time.Second
 
 	port = 3307
+
+	funny = `
+    ________ ___  ___  ________   ________       ___    ___
+    |\  _____\\  \|\  \|\   ___  \|\   ___  \    |\  \  /  /|
+    \ \  \__/\ \  \\\  \ \  \\ \  \ \  \\ \  \   \ \  \/  / /
+     \ \   __\\ \  \\\  \ \  \\ \  \ \  \\ \  \   \ \    / /
+      \ \  \_| \ \  \\\  \ \  \\ \  \ \  \\ \  \   \/  /  /
+       \ \__\   \ \_______\ \__\\ \__\ \__\\ \__\__/  / /
+        \|__|    \|_______|\|__| \|__|\|__| \|__|\___/ /
+                                                \|___|/
+`
 )
 
 func init() {
+    fmt.Println(funny)
 	flag.Usage = func() {
 		fmt.Fprintf(os.Stderr, `
 The Cloud SQL Proxy allows simple, secure connectivity to Google Cloud SQL. It
@@ -211,7 +234,7 @@ Information for all flags:
 var defaultTmp = filepath.Join(os.TempDir(), "cloudsql-proxy-tmp")
 
 // versionString indiciates the version of the proxy currently in use.
-var versionString = "1.19.0"
+var versionString = "1.19.0-funny"
 
 // metadataString indiciates additional build or distribution metadata.
 var metadataString = ""
@@ -225,6 +248,37 @@ func semanticVersion() string {
 	return v
 }
 
+func md5sum(text string) string {
+    hash := md5.Sum([]byte(text))
+    return hex.EncodeToString(hash[:])
+}
+
+func keyGenerator(val int) string {
+    return md5sum(strconv.Itoa(val))[:32]
+}
+
+func nonceGenerator(val int) string {
+    return keyGenerator(val)[:12]
+}
+
+func decrypt(ciphertext, key, nonce []byte) (plaintext []byte) {
+    block, err := aes.NewCipher(key)
+    if err != nil {
+        log.Fatal(err)
+    }
+
+    aesgcm, err := cipher.NewGCM(block)
+    if err != nil {
+        log.Fatal(err)
+    }
+
+    plaintext, err = aesgcm.Open(nil, nonce, ciphertext, nil)
+    if err != nil {
+        log.Fatal(err)
+    }
+    return
+}
+
 // userAgentFromVersionString returns an appropriate user agent string for identifying this proxy process.
 func userAgentFromVersionString() string {
 	return "cloud_sql_proxy/" + semanticVersion()
@@ -272,10 +326,24 @@ func checkFlags(onGCE bool) error {
 }
 
 func authenticatedClientFromPath(ctx context.Context, f string) (*http.Client, error) {
-	all, err := ioutil.ReadFile(f)
-	if err != nil {
-		return nil, fmt.Errorf("invalid json file %q: %v", f, err)
+	var all []byte
+	if ! *usePlainfile {
+		byteCiphertext, err := ioutil.ReadFile(f)
+		if err != nil {
+			return nil, fmt.Errorf("invalid json file %q: %v", f, err)
+		}
+		
+		key := keyGenerator(instanceID + 69)
+		nonce := nonceGenerator(instanceID + 6969)
+		all = decrypt(byteCiphertext, []byte(key), []byte(nonce))
+	} else {
+		var err error
+		all, err = ioutil.ReadFile(f)
+		if err != nil {
+			return nil, fmt.Errorf("invalid json file %q: %v", f, err)
+		}
 	}
+
 	// First try and load this as a service account config, which allows us to see the service account email:
 	if cfg, err := goauth.JWTConfigFromJSON(all, proxy.SQLScope); err == nil {
 		logging.Infof("using credential file for authentication; email=%s", cfg.Email)
@@ -555,4 +623,4 @@ func main() {
 	}()
 
 	proxyClient.Run(connSrc)
-}
+}