From 4859476f72fc4643393866b943389605f91cfdad Mon Sep 17 00:00:00 2001 From: janskiba Date: Fri, 22 Dec 2023 10:41:07 +0000 Subject: [PATCH] fix: Generate stable passwords --- ccp/modules/datashield-setup.sh | 10 +++++----- lib/functions.sh | 26 +++++++++++++++++++++----- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 5142cb4..604fcc8 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -3,13 +3,13 @@ if [ "$ENABLE_DATASHIELD" == true ]; then log INFO "DataSHIELD setup detected -- will start DataSHIELD services." OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" - EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" - TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" - OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + EXPORTER_OPAL_PASSWORD="$(generate_simple_password \"exporter in Opal\")" + TOKEN_MANAGER_OPAL_PASSWORD="$(generate_simple_password \"Token Manager in Opal\")" + OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" - DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - TOKEN_MANAGER_SECRET="$(echo \"This is a salt string to generate one consistent password as the Token Manger secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)" + TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ diff --git a/lib/functions.sh b/lib/functions.sh index c53859b..b89de60 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -317,15 +317,31 @@ function generate_redirect_urls(){ echo "$redirect_urls" } +# This password contains at least one special char, a random number and a random upper and lower case letter generate_password(){ local seed_text="$1" - local random_digit=$(openssl rand -hex 1 | head -c 1) - local random_upper=$(openssl rand -base64 3 | tr -dc 'A-Z' | head -c 1) - local random_lower=$(openssl rand -base64 3 | tr -dc 'a-z' | head -c 1) - local random_special=$(echo '@#$%^&+=' | fold -w1 | shuf -n1) + local seed_num=$(awk 'BEGIN{FS=""} NR==1{print $10}' /etc/bridgehead/pki/${SITE_ID}.priv.pem | od -An -tuC) + local nums="1234567890" + local n=$(echo "$seed_num" | awk '{print $1 % 10}') + local random_digit=${nums:$n:1} + local n=$(echo "$seed_num" | awk '{print $1 % 26}') + local upper="ABCDEFGHIJKLMNOPQRSTUVWXYZ" + local lower="abcdefghijklmnopqrstuvwxyz" + local random_upper=${upper:$n:1} + local random_lower=${lower:$n:1} + local n=$(echo "$seed_num" | awk '{print $1 % 8}') + local special='@#$%^&+=' + local random_special=${special:$n:1} local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." - local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26) + local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26) echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}" } + +# This password only contains alphanumeric characters +generate_simple_password(){ + local seed_text="$1" + local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." + echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g' +}