From 788e4ea9f76c936c1a79cf9afd06d015da144f37 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Tue, 25 Jul 2023 14:08:54 +0200 Subject: [PATCH 1/6] add generic bash function addBasicAuthUser --- bridgehead | 4 ++++ ccp/nngm-compose.yml | 7 ++++++- lib/functions.sh | 24 ++++++++++++++++++++++++ lib/install-bridgehead.sh | 2 +- lib/sitespecific-functions.sh | 7 +++++++ 5 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 lib/sitespecific-functions.sh diff --git a/bridgehead b/bridgehead index 2709f8c..1a88973 100755 --- a/bridgehead +++ b/bridgehead @@ -103,6 +103,10 @@ case "$ACTION" in uninstall) exec ./lib/uninstall-bridgehead.sh $PROJECT ;; + addUser) + loadVars + exec ./lib/sitespecific-functions.sh $PROJECT + ;; enroll) loadVars diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml index 47bfa70..18be977 100644 --- a/ccp/nngm-compose.yml +++ b/ccp/nngm-compose.yml @@ -18,7 +18,12 @@ services: - "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector" - "traefik.http.services.connector.loadbalancer.server.port=8080" - "traefik.http.routers.connector.tls=true" - - "traefik.http.routers.connector.middlewares=connector_strip,auth" + - "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm" volumes: - nngm-rest:/var/log + traefik: + labels: + - "traefik.http.middlewares.auth-nngm.basicauth.users=$NNGM_AUTH" + + diff --git a/lib/functions.sh b/lib/functions.sh index a243842..cd73186 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
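Review bot: The new `auth-nngm` middleware takes its entire user list from `$NNGM_AUTH`, and nothing in this hunk guarantees the variable is populated when the nngm override is loaded; I have not verified whether Traefik refuses to build a basicauth middleware with an empty `users` list or leaves the connector router reachable, so that is worth confirming before relying on it. A cheap guard on the bash side is to refuse to start when the override is active and the variable is empty, e.g. `[ -n "$NNGM_AUTH" ] || { log "ERROR" "NNGM_AUTH is empty; run 'bridgehead addUser' first"; exit 1; }`. The htpasswd string this label carries contains `$` characters; that is safe only because compose substitutes the value without re-interpolating it, which deserves a one-line comment above the label so nobody later pastes a hash into the file literally.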
@@ -183,3 +183,27 @@ function bk_is_running {
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+addBasicAuthUser() {
+ USER="${1}"
+ PASSWORD="${2}"
+ NAME="${3}"
+ PROJECT="${4}"
+ FILE="/etc/bridgehead/${PROJECT}.local.conf"
+ ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')"
+ if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a basic auth user already exists:
+ then
+ sed -i "/$NAME/ s/$/,$ENCRY_CREDENTIALS/" $FILE
+ else
+ echo -e "\n## Basic Authentication Credentials for:\n$NAME=$ENCRY_CREDENTIALS" >> $FILE;
+ fi
+ read -p "Do you want to have your cleartext credentials saved in your $FILE: [y/n]" yn
+ case $yn in
+ [yYjJ] )
+ echo "ok, variables are saved in $FILE"
+ echo -e "# User: $USER\n# Password: $PASSWORD" >> $FILE;
+ ;;
+ [nN] )
+ echo "skip saving cleartext LDM credentials; make sure to save them somewhere else"
+ ;;
+ esac
+}
\ No newline at end of file
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index c42119f..906e4a1 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -34,7 +34,7 @@ if [ -z "$LDM_PASSWORD" ]; then
 generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
 log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd"
- echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
+ addBasicAuthUser $PROJECT $generated_passwd "LDM_LOGIN" $PROJECT
 fi
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh
new file mode 100644
index 0000000..55c3142
--- /dev/null
+++ b/lib/sitespecific-functions.sh
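Review bot: `htpasswd -nb $USER $PASSWORD` puts the cleartext password on the `docker run` argv, where every local user can read it through `ps`/`/proc` (and any exec auditing records it) for as long as the container is starting; htpasswd's own documentation flags `-b` as insecure for exactly this reason. Feed it over stdin instead: `ENCRY_CREDENTIALS="$(printf '%s\n' "$PASSWORD" | docker run --rm -i docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -ni "$USER" | tr -d '\n\r')"` — the quoting also stops a password containing spaces or glob characters from being split into extra arguments. The default digest without a flag is apr1 MD5; Traefik also accepts bcrypt (`-B`), which is the better default for a file created today. Separately, the `[yYjJ]` branch writes `# Password: $PASSWORD` next to the hash in the same file, which undoes the point of hashing; if that option stays, the prompt should say the file must be mode 0600, and nothing in this function sets that.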
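Review bot: The retained `log "INFO" "Your generated credentials are:... password: $generated_passwd"` line still pushes the fresh LDM password through the project logger right before the new `addBasicAuthUser` call; `log` is defined outside this hunk, and if it forwards to journald or a file the secret is persisted in clear in a place nobody will think to scrub. Print it with a plain `echo` to the terminal only, or drop the line and rely on the entry the function writes to the conf file. Note also that `addBasicAuthUser` contains an interactive `read -p`, so `bridgehead install` can no longer run unattended; with stdin closed `yn` stays empty and the `case` silently matches nothing, which is benign but should be stated in the INFO message.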
@@ -0,0 +1,7 @@ +#!/bin/bash -e +source lib/functions.sh +PROJECT="ccp" +log "INFO" "Adding custom encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" +read -p "Please enter custom user: " user +read -s -p "Please enter password (will not be echoed): "$'\n' password +addBasicAuthUser $user $password "NNGM_AUTH" $PROJECT \ No newline at end of file From dc0fc286b1fb356293934f30b90e4983e6b6974c Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 27 Jul 2023 15:38:29 +0200 Subject: [PATCH 2/6] add generic bash function addBasicAuthUser --- bridgehead | 1 - ccp/nngm-compose.yml | 2 +- ccp/nngm-setup.sh | 4 ---- lib/functions.sh | 32 +++++++++----------------------- lib/install-bridgehead.sh | 12 ++++++++---- lib/sitespecific-functions.sh | 14 +++++++++----- minimal/docker-compose.yml | 2 +- 7 files changed, 28 insertions(+), 39 deletions(-) mode change 100644 => 100755 lib/sitespecific-functions.sh diff --git a/bridgehead b/bridgehead index 1a88973..5319620 100755 --- a/bridgehead +++ b/bridgehead @@ -73,7 +73,6 @@ case "$ACTION" in hc_send log "Bridgehead $PROJECT startup: Checking requirements ..." checkRequirements hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." - export LDM_LOGIN=$(getLdmPassword) exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; stop) diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml index 18be977..e61532d 100644 --- a/ccp/nngm-compose.yml +++ b/ccp/nngm-compose.yml @@ -24,6 +24,6 @@ services: traefik: labels: - - "traefik.http.middlewares.auth-nngm.basicauth.users=$NNGM_AUTH" + - "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}" diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh index bcc4cd1..cb9590a 100644 --- a/ccp/nngm-setup.sh +++ b/ccp/nngm-setup.sh 
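Review bot: `addBasicAuthUser $user $password "NNGM_AUTH" $PROJECT` expands both typed values unquoted, so a password containing whitespace is split into extra positional arguments (the tail silently becomes `NAME`/`PROJECT`) and one containing `*` or `?` is glob-expanded against the working directory before it reaches `htpasswd`; as far as I can tell htpasswd then rejects the extra arguments and `ENCRY_CREDENTIALS` is written empty. Quote the arguments and reject empty input up front: `[ -n "$user" ] && [ -n "$password" ] || { log "ERROR" "user and password must not be empty"; exit 1; }` followed by `addBasicAuthUser "$user" "$password" "NNGM_AUTH" "$PROJECT"`. `PROJECT="ccp"` also ignores the `$PROJECT` argument that the `addUser` case in `bridgehead` passes, so the user always lands in `ccp.local.conf` regardless of what was requested.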
@@ -1,8 +1,4 @@ #!/bin/bash -##nNGM vars: -#NNGM_MAGICPL_APIKEY -#NNGM_CTS_APIKEY -#NNGM_CRYPTKEY function nngmSetup() { if [ -n "$NNGM_CTS_APIKEY" ]; then diff --git a/lib/functions.sh b/lib/functions.sh index cd73186..d6c1b85 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -9,14 +9,6 @@ detectCompose() { fi } -getLdmPassword() { - if [ -n "$LDM_PASSWORD" ]; then - docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r' - else - echo -n "" - fi -} - exitIfNotRoot() { if [ "$EUID" -ne 0 ]; then log "ERROR" "Please run as root" @@ -34,7 +26,7 @@ checkOwner(){ } printUsage() { - echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME" + echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|addUser|enroll PROJECTNAME" echo "PROJECTNAME should be one of ccp|bbmri" } 
@@ -183,27 +175,21 @@ function bk_is_running {
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-addBasicAuthUser() {
+
+
+add_basic_auth_user() {
 USER="${1}"
 PASSWORD="${2}"
 NAME="${3}"
 PROJECT="${4}"
 FILE="/etc/bridgehead/${PROJECT}.local.conf"
 ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')"
- if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a basic auth user already exists:
+ if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
 then
- sed -i "/$NAME/ s/$/,$ENCRY_CREDENTIALS/" $FILE
+ sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
 else
- echo -e "\n## Basic Authentication Credentials for:\n$NAME=$ENCRY_CREDENTIALS" >> $FILE;
+ echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
 fi
- read -p "Do you want to have your cleartext credentials saved in your $FILE: [y/n]" yn
- case $yn in
- [yYjJ] )
- echo "ok, variables are saved in $FILE"
- echo -e "# User: $USER\n# Password: $PASSWORD" >> $FILE;
- ;;
- [nN] )
- echo "skip saving cleartext LDM credentials; make sure to save them somewhere else"
- ;;
- esac
+ log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
+ sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
 }
\ No newline at end of file
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 906e4a1..d0e9964 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
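Review bot: The new last line `sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE` now writes the cleartext password unconditionally (the opt-in prompt is gone) and splices it into a sed program unescaped, so a password containing `|` terminates the replacement and makes sed fail, `&` is dropped (it stands for the empty match), and `\` sequences are reinterpreted — the hash is stored fine while the cleartext copy is silently wrong or missing. If a cleartext copy has to stay, append it with printf instead of sed, `printf '# User: %s\n# Password: %s\n' "$USER" "$PASSWORD" >> "$FILE"` (it lands at the end of the file rather than directly under the `$NAME=` line), and have the DEBUG message say plainly that the file now holds a secret in clear; better still, drop it and let the caller show the generated password once. The argv exposure from `htpasswd -nb $USER $PASSWORD` is unchanged; `printf '%s\n' "$PASSWORD" | docker run --rm -i docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -ni "$USER"` keeps it off the process table and survives spaces in the password. Nothing in the hunk restricts the mode of `$FILE`; when `>>` creates it, it inherits the umask, so a `chmod 600 "$FILE"` after the first write is cheap insurance for a file that now carries both hashes and plaintext.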
@@ -29,12 +29,16 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF # TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour) -if [ -z "$LDM_PASSWORD" ]; then - log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!" +if [ -z "$LDM_AUTH" ]; then + log "INFO" "Now generating basic auth for the local data management (see addUser in bridgehead for more information). " generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT +fi - log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" - addBasicAuthUser $PROJECT $generated_passwd "LDM_LOGIN" $PROJECT +if [ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then + log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). " + generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT fi log "INFO" "Registering system units for bridgehead and bridgehead-update" diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh old mode 100644 new mode 100755 index 55c3142..04db02e --- a/lib/sitespecific-functions.sh +++ b/lib/sitespecific-functions.sh 
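Review bot: The nNGM condition `[ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]` is inverted: it generates an `NNGM_AUTH` entry precisely for sites that have no CTS API key, i.e. that do not run the connector, and skips the sites that do (patch 5/6 of this series flips it to `[ ! -z … ]`; the direct form is `[ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]`). Since the operator no longer sees the generated password on screen (the `Your generated credentials` log line is removed), the only copy is the `# Password:` comment `add_basic_auth_user` leaves in the conf file, and the INFO message should say so: `log "INFO" "Generated LDM credentials were written to /etc/bridgehead/$PROJECT.local.conf (user: $PROJECT); copy the password for your ETL process now."`. The 32 hex characters taken from the kernel UUID source are adequate entropy for this use.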
@@ -1,7 +1,11 @@ #!/bin/bash -e + source lib/functions.sh -PROJECT="ccp" -log "INFO" "Adding custom encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" -read -p "Please enter custom user: " user -read -s -p "Please enter password (will not be echoed): "$'\n' password -addBasicAuthUser $user $password "NNGM_AUTH" $PROJECT \ No newline at end of file + +PROJECT=$1 + +log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" +read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT +read -p "Please enter a username: " USER +read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD +add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT \ No newline at end of file diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index cd4c2e5..055f683 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -21,7 +21,7 @@ services: - "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.middlewares=auth" - - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}" + - "traefik.http.middlewares.auth.basicauth.users=${LDM_AUTH}" ports: - 80:80 - 443:443 From 3f43c32bd258f51be769ef645671694eb0aa5dad Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Wed, 9 Aug 2023 09:10:20 +0200 Subject: [PATCH 3/6] refactor addUser code --- bridgehead | 6 +++++- lib/sitespecific-functions.sh | 11 ----------- 2 files changed, 5 insertions(+), 12 deletions(-) delete mode 100755 lib/sitespecific-functions.sh diff --git a/bridgehead b/bridgehead index 5319620..37e7e7b 100755 --- a/bridgehead +++ b/bridgehead 
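Review bot: `add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT` passes all four values unquoted, so a password with whitespace or glob characters is split or expanded before it reaches `htpasswd`, and as far as I can tell the extra arguments make htpasswd fail and leave an empty `''` hash in the file; `bash -e` does not catch this because the failure is inside a command substitution. Quote them and reject empty input first: `[ -n "$USER" ] && [ -n "$PASSWORD" ] || { log "ERROR" "username and password must not be empty"; exit 1; }` then `add_basic_auth_user "$USER" "$PASSWORD" "$COMPONENT" "$PROJECT"`. `PROJECT=$1` is likewise taken on trust; `bridgehead` passes its own project name, but a direct invocation with no argument writes to `/etc/bridgehead/.local.conf`, so `[ -n "$PROJECT" ] || { log "ERROR" "project name required"; exit 1; }` is worth adding.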
@@ -104,7 +104,11 @@ case "$ACTION" in ;; addUser) loadVars - exec ./lib/sitespecific-functions.sh $PROJECT + log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" + read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT + read -p "Please enter a username: " USER + read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD + add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT ;; enroll) loadVars diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh deleted file mode 100755 index 04db02e..0000000 --- a/lib/sitespecific-functions.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -e - -source lib/functions.sh - -PROJECT=$1 - -log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" -read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT -read -p "Please enter a username: " USER -read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD -add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT \ No newline at end of file From 2c7de6c8b40ad812be93f6daa947e4c7778cdf13 Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Wed, 9 Aug 2023 09:24:23 +0200 Subject: [PATCH 4/6] refactor strange formatting --- bridgehead | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bridgehead b/bridgehead index 37e7e7b..4f023fa 100755 --- a/bridgehead +++ b/bridgehead 
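Review bot: `COMPONENT` is read as free text and then used by `add_basic_auth_user` both as a grep/sed pattern and as the variable name written into the sourced conf file, so a typo such as `ldm_auth` or a trailing space silently creates a new, unused variable while the operator believes a user was added, and sed metacharacters in it break the edit. Validate it against the two names the prompt advertises before calling the function: `case "$COMPONENT" in LDM_AUTH|NNGM_AUTH) ;; *) log "ERROR" "Unknown component '$COMPONENT' (expected LDM_AUTH or NNGM_AUTH)"; exit 1 ;; esac`. The `read -p … USER` line also overwrites the shell's `USER` variable for the rest of the script; a name like `AUTH_USER` avoids surprises if later code or `log` reads `$USER`. The enclosing `case "$ACTION"` starts and ends outside the hunk.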
@@ -105,10 +105,10 @@ case "$ACTION" in addUser) loadVars log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf" - read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT - read -p "Please enter a username: " USER - read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD - add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT + read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT + read -p "Please enter a username: " USER + read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD + add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT ;; enroll) loadVars From 4754eb282b68d0d60442eec03ab2cb6206251339 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Tue, 15 Aug 2023 13:55:07 +0200 Subject: [PATCH 5/6] add migration for old credentials --- lib/install-bridgehead.sh | 2 +- lib/update-bridgehead.sh | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index d0e9964..784020e 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh @@ -35,7 +35,7 @@ if [ -z "$LDM_AUTH" ]; then add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT fi -if [ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then +if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). " generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 89db369..0d985f7 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
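Review bot: The corrected condition reads more naturally as `[ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]`; `! -z` is a double negative, and the fact that the previous version of this line got the sense wrong is an argument for the direct form. A one-line comment stating the intent would help the next reader: `# Only sites with a CTS API key run the nNGM connector; give them their own basic-auth user once.`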
@@ -139,6 +139,13 @@ else
 log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
 fi
+if [ ! -z "$LDM_PASSWORD" ]; then
+ FILE="/etc/bridgehead/$PROJECT.local.conf"
+ log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
+ add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
+ sed -i "/LDM_PASSWORD/{d;}" $FILE
+fi
+
 exit 0
 # TODO: Print last commit explicit
From b58348328c91c06a102ac323f38df60239d4351b Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Tue, 15 Aug 2023 15:34:49 +0200 Subject: [PATCH 6/6] fix nngm migration --- lib/update-bridgehead.sh | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 0d985f7..aea043a 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -139,10 +139,12 @@ else
 log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
 fi
+#TODO: the following block can be deleted after successful update at all sites
 if [ ! -z "$LDM_PASSWORD" ]; then
 FILE="/etc/bridgehead/$PROJECT.local.conf"
 log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
 add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
+ add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT
 sed -i "/LDM_PASSWORD/{d;}" $FILE
 fi
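Review bot: The migration deletes the legacy `LDM_PASSWORD` line right after calling `add_basic_auth_user`, but never checks that the call produced a hash; if `docker run … htpasswd` fails (daemon down, registry cache unreachable) the function writes `LDM_AUTH=''` and the sed still removes the only working credential, leaving the site without a usable LDM login. Make the deletion conditional on the result and anchor the pattern so a comment that merely mentions LDM_PASSWORD is not wiped: `add_basic_auth_user "$PROJECT" "$LDM_PASSWORD" "LDM_AUTH" "$PROJECT"`, `grep -q "^LDM_AUTH='[^']" "$FILE" || { log "ERROR" "LDM_AUTH migration failed, keeping LDM_PASSWORD"; exit 1; }`, `sed -i "/^LDM_PASSWORD=/d" "$FILE"` (or skip the delete rather than exit, if a failing hourly update is undesirable). Note that `add_basic_auth_user` immediately re-adds the same password as a `# Password:` comment, so this migration removes the variable but not the secret from the file.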
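Review bot: The added `add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT` copies the LDM password into `NNGM_AUTH` for every migrated site, whereas the install path (patch 5) only creates an nNGM user when `NNGM_CTS_APIKEY` is set; afterwards sites that never run the connector carry an extra credential, and one shared secret unlocks both the local data management and the nNGM upload API. Presumably this is deliberate, because before this series the connector router used the shared `auth` middleware and existing nNGM clients authenticate with the LDM password; that rationale belongs in a comment, and the call should still be guarded: `if [ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then add_basic_auth_user "$PROJECT" "$LDM_PASSWORD" "NNGM_AUTH" "$PROJECT"; fi`. Without the `-z "$NNGM_AUTH"` half, a site that already ran `bridgehead addUser` for nNGM gets the LDM password prepended to its existing nNGM user list as well.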