diff --git a/bridgehead b/bridgehead index 5793370..192cc0e 100755 --- a/bridgehead +++ b/bridgehead @@ -73,7 +73,6 @@ case "$ACTION" in hc_send log "Bridgehead $PROJECT startup: Checking requirements ..." checkRequirements hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." - export LDM_LOGIN=$(getLdmPassword) exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; stop) @@ -103,6 +102,14 @@ case "$ACTION" in uninstall) exec ./lib/uninstall-bridgehead.sh $PROJECT ;; + addUser) + loadVars + log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" + read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT + read -p "Please enter a username: " USER + read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD + add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT + ;; enroll) loadVars diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml index 47bfa70..e61532d 100644 --- a/ccp/nngm-compose.yml +++ b/ccp/nngm-compose.yml @@ -18,7 +18,12 @@ services: - "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector" - "traefik.http.services.connector.loadbalancer.server.port=8080" - "traefik.http.routers.connector.tls=true" - - "traefik.http.routers.connector.middlewares=connector_strip,auth" + - "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm" volumes: - nngm-rest:/var/log + traefik: + labels: + - "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}" + + diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh index bcc4cd1..cb9590a 100644 --- a/ccp/nngm-setup.sh +++ b/ccp/nngm-setup.sh @@ -1,8 +1,4 @@ #!/bin/bash -##nNGM vars: -#NNGM_MAGICPL_APIKEY -#NNGM_CTS_APIKEY -#NNGM_CRYPTKEY function nngmSetup() { if [ -n "$NNGM_CTS_APIKEY" ]; then diff --git a/lib/functions.sh b/lib/functions.sh index 48bc650..9173e86 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -9,14 +9,6 @@ detectCompose() { fi } -getLdmPassword() { - if [ -n "$LDM_PASSWORD" ]; then - docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r' - else - echo -n "" - fi -} - exitIfNotRoot() { if [ "$EUID" -ne 0 ]; then log "ERROR" "Please run as root" @@ -34,7 +26,7 @@ checkOwner(){ } printUsage() { - echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME" + echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|addUser|enroll PROJECTNAME" echo "PROJECTNAME should be one of ccp|bbmri" } @@ -202,4 +194,21 @@ function do_enroll_inner { function do_enroll { do_enroll_inner $@ +} + +add_basic_auth_user() { + USER="${1}" + PASSWORD="${2}" + NAME="${3}" + PROJECT="${4}" + FILE="/etc/bridgehead/${PROJECT}.local.conf" + ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')" + if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists: + then + sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE + else + echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE; + fi + log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually." + sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE } \ No newline at end of file diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index c42119f..784020e 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh @@ -29,12 +29,16 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF # TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour) -if [ -z "$LDM_PASSWORD" ]; then - log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!" +if [ -z "$LDM_AUTH" ]; then + log "INFO" "Now generating basic auth for the local data management (see addUser in bridgehead for more information). " generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT +fi - log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" - echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf; +if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then + log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). " + generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT fi log "INFO" "Registering system units for bridgehead and bridgehead-update" diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 89db369..aea043a 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -139,6 +139,15 @@ else log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")" fi +#TODO: the following block can be deleted after successful update at all sites +if [ ! -z "$LDM_PASSWORD" ]; then + FILE="/etc/bridgehead/$PROJECT.local.conf" + log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE" + add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT + add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT + sed -i "/LDM_PASSWORD/{d;}" $FILE +fi + exit 0 # TODO: Print last commit explicit diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index e941350..c0eb353 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -21,7 +21,7 @@ services: - "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.middlewares=auth" - - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}" + - "traefik.http.middlewares.auth.basicauth.users=${LDM_AUTH}" ports: - 80:80 - 443:443