From b0ced71197a7c9d4df7252135f8e4676fab911ee Mon Sep 17 00:00:00 2001
From: juarez
Date: Thu, 23 Nov 2023 15:54:44 +0100
Subject: [PATCH] Add generate_password function
---
 ccp/modules/datashield-setup.sh | 10 +++++-----
 ccp/modules/login-setup.sh | 2 +-
 lib/functions.sh | 13 +++++++++++++
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index 420a450..3a964cd 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -3,10 +3,10 @@
 if [ "$ENABLE_DATASHIELD" == true ]; then
 log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
 OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
- EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
- TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
- OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
- OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
+ TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
+ OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
 DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
 mkdir -p /tmp/bridgehead/
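Review bot: The `\"…\"` escaping carried over from the old echo lines breaks the new calls: inside `"$( … )"` the command is re-parsed unquoted, so `generate_password \"exporter in Opal\"` receives three words (`"exporter`, `in`, `Opal"`) and only `"exporter` reaches seed_text; the TOKEN_MANAGER and admin lines degrade the same way, as does KEYCLOAK_DB_PASSWORD in login-setup.sh. The values stay distinct here only because the first words happen to differ, so replace the escaped quotes with plain ones, `EXPORTER_OPAL_PASSWORD="$(generate_password "exporter in Opal")"`, and likewise on the other three lines. OPAL_DB_PASSWORD is the one credential in this hunk kept on the inline openssl derivation (only its salt text changed); if that is deliberate because the database fixes its password at first initialisation whereas generate_password appends freshly random characters on every call, a comment on that line saying so would stop a later cleanup from "fixing" it, and the same stability question applies to KEYCLOAK_DB_PASSWORD in login-setup.sh, which this commit does move to generate_password. The enclosing if-block continues past the hunk.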
@@ -20,7 +20,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 "external": "opal-'"$SITE_ID"'",
 "internal": "opal:8080",
 "allowed": [$input.sites[].id | "datashield-connect.\(.).broker.ccp-it.dktk.dkfz.de"]
- }]' > /tmp/bridgehead/opal-map/local.json
+ }]' >/tmp/bridgehead/opal-map/local.json
 cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
 chown -R bridgehead:docker /tmp/bridgehead/
 generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')"
diff --git a/ccp/modules/login-setup.sh b/ccp/modules/login-setup.sh
index 5ead5d4..1981b87 100644
--- a/ccp/modules/login-setup.sh
+++ b/ccp/modules/login-setup.sh
@@ -3,5 +3,5 @@
 if [ "$ENABLE_LOGIN" == true ]; then
 log INFO "Login setup detected -- will start Login services."
 OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml"
- KEYCLOAK_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Keycloak. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")"
 fi
diff --git a/lib/functions.sh b/lib/functions.sh
index a9d3c01..69c4e78 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -307,3 +307,16 @@ generate_redirect_urls(){
 fi
 echo "$redirect_urls"
 }
+
+generate_password(){
+ local seed_text="$1"
+ local random_digit=$(openssl rand -hex 1 | head -c 1)
+ local random_upper=$(openssl rand -base64 3 | tr -dc 'A-Z' | head -c 1)
+ local random_lower=$(openssl rand -base64 3 | tr -dc 'a-z' | head -c 1)
+ local random_special=$(echo '@#$%^&+=' | fold -w1 | shuf -n1)
+
+ local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
+ local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26)
+
+ echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
+}
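Review bot: generate_password does not produce a consistent password: the four suffix characters are drawn from `openssl rand` and `shuf` on every call, so the same seed_text yields a different value each run, contrary to the "one consistent password" salt text, and any service that persists the credential at first start (presumably Keycloak's database in login-setup.sh and Opal's admin account in datashield-setup.sh) will reject the next run's value. The suffix is also not what its names promise: `openssl rand -hex 1 | head -c 1` yields any of 0-9a-f rather than a digit, and random_upper/random_lower are empty whenever the four sampled base64 characters contain no letter of that class, so length and composition vary between calls. Each `local x=$(…)` masks the pipeline's exit status, so a missing /etc/bridgehead/pki/${SITE_ID}.priv.pem leaves main_password empty and the function silently returns just the short suffix; declare and assign separately, `local main_password` then `main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26) || return 1`, so the caller's `set -e` or an explicit check can catch it. If the extra characters exist only to satisfy a complexity rule, derive them from later bytes of the same signature so the output stays deterministic, and consider `openssl pkeyutl -sign` since `rsautl` is deprecated in OpenSSL 3.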