Merge branch 'main' into feature/custom-basic-auth

2025-08-01 02:10:23 +02:00 · 2023-08-15 14:24:19 +02:00
parent 4754eb282b 7e6c310148
commit 829102f23e
21 changed files with 219 additions and 89 deletions
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -172,24 +172,43 @@ function bk_is_running {
 	fi
 }

-##Setting Network properties
-# currently not needed
-#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+function do_enroll_inner {
+	PARAMS=""
+	
+	MANUAL_PROXY_ID="${1:-$PROXY_ID}"
+	if [ -z "$MANUAL_PROXY_ID" ]; then
+		log ERROR "No Proxy ID set"
+		exit 1
+	else
+		log INFO "Enrolling Beam Proxy Id $MANUAL_PROXY_ID"
+	fi

+	SUPPORT_EMAIL="${2:-$SUPPORT_EMAIL}"
+	if [ -n "$SUPPORT_EMAIL" ]; then
+		PARAMS+="--admin-email $SUPPORT_EMAIL"
+	fi
+
+	docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $PARAMS
+	chmod 600 $PRIVATEKEYFILENAME
+}
+
+function do_enroll {
+	do_enroll_inner $@
+}

 add_basic_auth_user() {
-  USER="${1}"
-  PASSWORD="${2}"
-  NAME="${3}"
-  PROJECT="${4}"
-  FILE="/etc/bridgehead/${PROJECT}.local.conf"
-  ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD  | tr -d '\n' | tr -d '\r')"
-  if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
-  then
-    sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
-  else
-    echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
-  fi
-	log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
-  sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
+   USER="${1}"
+   PASSWORD="${2}"
+   NAME="${3}"
+   PROJECT="${4}"
+   FILE="/etc/bridgehead/${PROJECT}.local.conf"
+   ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD  | tr -d '\n' | tr -d '\r')"
+   if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
+   then
+     sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
+   else
+     echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
+   fi
+ 	log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
+   sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
 }
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -71,8 +71,12 @@ if [ -d /etc/bridgehead ]; then
    fi
 elif [[ "$DEV_MODE" == "NODEV" ]]; then
    log "INFO" "Now cloning your site configuration repository for you."
-    read -p "Please enter your site: " site
-    read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
+    if [ -z "$site" ]; then
+        read -p "Please enter your site: " site
+    fi
+    if [ -z "$access_token" ]; then
+        read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
+    fi
    site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git"
    git clone $site_configuration_repository_url /etc/bridgehead
    if [ $? -gt 0 ]; then
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -62,6 +62,34 @@ if [ -e /etc/bridgehead/vault.conf ]; then
  fi
 fi

+log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
+
+source /etc/bridgehead/${PROJECT}.conf
+source ${PROJECT}/vars
+
+set +e
+SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+RET=$?
+set -e
+if [ $RET -ne 0 ]; then
+	log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+	log WARN "Unable to check clock skew due to previous error."
+else
+	log INFO "Checking clock skew ..."
+
+	SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+	MYTIME=$(date +%s)
+	SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+	SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+	SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+	if [ $SKEW -ge 300 ]; then
+		report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+		exit 1
+	elif [ $SKEW -ge 60 ]; then
+		log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+	fi
+fi
+
 checkPrivKey() {
  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
    log INFO "Success - private key found."
@@ -69,8 +97,6 @@ checkPrivKey() {
    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
    return 1
  fi
-  log INFO "Success - all prerequisites are met!"
-  hc_send log "Success - all prerequisites are met!"
  return 0
 }

@@ -80,4 +106,7 @@ else
  checkPrivKey || exit 1
 fi

+log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
+
 exit 0