fix: Generate stable passwords

This commit is contained in:
janskiba 2023-12-22 10:41:07 +00:00 committed by juarez
parent abedfdaf64
commit 92984d24f3
2 changed files with 26 additions and 10 deletions

View File

@ -3,13 +3,13 @@
if [ "$ENABLE_DATASHIELD" == true ]; then if [ "$ENABLE_DATASHIELD" == true ]; then
log INFO "DataSHIELD setup detected -- will start DataSHIELD services." log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" EXPORTER_OPAL_PASSWORD="$(generate_simple_password \"exporter in Opal\")"
TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" TOKEN_MANAGER_OPAL_PASSWORD="$(generate_simple_password \"Token Manager in Opal\")"
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)"
TOKEN_MANAGER_SECRET="$(echo \"This is a salt string to generate one consistent password as the Token Manger secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
mkdir -p /tmp/bridgehead/ mkdir -p /tmp/bridgehead/
chown -R bridgehead:docker /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/

View File

@ -317,15 +317,31 @@ function generate_redirect_urls(){
echo "$redirect_urls" echo "$redirect_urls"
} }
# This password contains at least one special char, a random number and a random upper and lower case letter
generate_password(){ generate_password(){
local seed_text="$1" local seed_text="$1"
local random_digit=$(openssl rand -hex 1 | head -c 1) local seed_num=$(awk 'BEGIN{FS=""} NR==1{print $10}' /etc/bridgehead/pki/${SITE_ID}.priv.pem | od -An -tuC)
local random_upper=$(openssl rand -base64 3 | tr -dc 'A-Z' | head -c 1) local nums="1234567890"
local random_lower=$(openssl rand -base64 3 | tr -dc 'a-z' | head -c 1) local n=$(echo "$seed_num" | awk '{print $1 % 10}')
local random_special=$(echo '@#$%^&+=' | fold -w1 | shuf -n1) local random_digit=${nums:$n:1}
local n=$(echo "$seed_num" | awk '{print $1 % 26}')
local upper="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
local lower="abcdefghijklmnopqrstuvwxyz"
local random_upper=${upper:$n:1}
local random_lower=${lower:$n:1}
local n=$(echo "$seed_num" | awk '{print $1 % 8}')
local special='@#$%^&+='
local random_special=${special:$n:1}
local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26) local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26)
echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}" echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
} }
# This password only contains alphanumeric characters
generate_simple_password(){
local seed_text="$1"
local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
}