From 788e4ea9f76c936c1a79cf9afd06d015da144f37 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de"
Date: Tue, 25 Jul 2023 14:08:54 +0200
Subject: [PATCH 1/6] add generic bash function addBasicAuthUser
---
bridgehead | 4 ++++
ccp/nngm-compose.yml | 7 ++++++-
lib/functions.sh | 24 ++++++++++++++++++++++++
lib/install-bridgehead.sh | 2 +-
lib/sitespecific-functions.sh | 7 +++++++
5 files changed, 42 insertions(+), 2 deletions(-)
create mode 100644 lib/sitespecific-functions.sh
diff --git a/bridgehead b/bridgehead
index 2709f8c..1a88973 100755
--- a/bridgehead
+++ b/bridgehead
@@ -103,6 +103,10 @@ case "$ACTION" in
uninstall)
exec ./lib/uninstall-bridgehead.sh $PROJECT
;;
+ addUser)
+ loadVars
+ exec ./lib/sitespecific-functions.sh $PROJECT
+ ;;
enroll)
loadVars
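Review bot: The new `addUser` branch execs `./lib/sitespecific-functions.sh`, but this commit creates that file with mode 100644, so the `exec` fails with a permission error until the file is executable. Either commit it as 100755 or invoke it through the interpreter, `exec bash ./lib/sitespecific-functions.sh "$PROJECT"`. The `$PROJECT` argument is unquoted and, as committed here, ignored by the script, which sets `PROJECT="ccp"` itself. The `case` block starts and ends outside this hunk.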
diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index 47bfa70..18be977 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -18,7 +18,12 @@ services:
- "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
- "traefik.http.services.connector.loadbalancer.server.port=8080"
- "traefik.http.routers.connector.tls=true"
- - "traefik.http.routers.connector.middlewares=connector_strip,auth"
+ - "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm"
volumes:
- nngm-rest:/var/log
+ traefik:
+ labels:
+ - "traefik.http.middlewares.auth-nngm.basicauth.users=$NNGM_AUTH"
+
+
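Review bot: The `auth-nngm` middleware takes its user list from `$NNGM_AUTH`, and nothing visible in this commit sets that variable at install time, so on a site where nobody has run `addUser` the label is interpolated to an empty string. How Traefik treats an empty `basicauth.users` is not visible here, so it is safer to fail at compose time with `${NNGM_AUTH:?NNGM_AUTH is not set}` than to rely on the router failing closed. The same applies to `${LDM_AUTH}` on the `auth` middleware in minimal/docker-compose.yml in PATCH 2/6, which existing sites do not have until the migration in PATCH 5/6 has run.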
diff --git a/lib/functions.sh b/lib/functions.sh
index a243842..cd73186 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -183,3 +183,27 @@ function bk_is_running {
##Setting Network properties
# currently not needed
#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+addBasicAuthUser() {
+ USER="${1}"
+ PASSWORD="${2}"
+ NAME="${3}"
+ PROJECT="${4}"
+ FILE="/etc/bridgehead/${PROJECT}.local.conf"
+ ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')"
+ if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a basic auth user already exists:
+ then
+ sed -i "/$NAME/ s/$/,$ENCRY_CREDENTIALS/" $FILE
+ else
+ echo -e "\n## Basic Authentication Credentials for:\n$NAME=$ENCRY_CREDENTIALS" >> $FILE;
+ fi
+ read -p "Do you want to have your cleartext credentials saved in your $FILE: [y/n]" yn
+ case $yn in
+ [yYjJ] )
+ echo "ok, variables are saved in $FILE"
+ echo -e "# User: $USER\n# Password: $PASSWORD" >> $FILE;
+ ;;
+ [nN] )
+ echo "skip saving cleartext LDM credentials; make sure to save them somewhere else"
+ ;;
+ esac
+}
\ No newline at end of file
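Review bot: The `docker run … htpasswd -nb $USER $PASSWORD` line puts the cleartext password on a command line and leaves both values unquoted, so it shows up in the process list and a password containing spaces or glob characters is split or expanded before htpasswd sees it. Feeding it on stdin with `htpasswd -ni` and quoting every expansion avoids both. Two further points in the same function: the `sed` append uses `/` as delimiter although htpasswd hashes can contain `/`, and `USER`, `PASSWORD`, `PROJECT` and `FILE` are assigned as globals, which overwrites the caller's `$PROJECT` and the login `$USER`. A sketch of the reworked first half follows; the cleartext prompt is left as it is.

```shell
addBasicAuthUser() {
  local user="$1" password="$2" name="$3" project="$4"
  local file="/etc/bridgehead/${project}.local.conf"
  local encry_credentials
  # -i makes htpasswd read the password from stdin, keeping it off argv.
  encry_credentials="$(printf '%s\n' "$password" \
    | docker run --rm -i docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -ni "$user" \
    | tr -d '\r\n')"
  if [ -z "$encry_credentials" ]; then
    log "ERROR" "htpasswd returned no hash for $user"
    return 1
  fi
  if [ -f "$file" ] && grep -q "^${name}=" "$file"; then
    # '|' cannot occur in the hash, '/' can; assumes the username has no '|' or '&'.
    sed -i "/^${name}=/ s|\$|,${encry_credentials}|" "$file"
  else
    echo -e "\n## Basic Authentication Credentials for:\n$name=$encry_credentials" >> "$file"
  fi
  # … unchanged: prompt for saving the cleartext credentials …
```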
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index c42119f..906e4a1 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -34,7 +34,7 @@ if [ -z "$LDM_PASSWORD" ]; then
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd"
- echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
+ addBasicAuthUser $PROJECT $generated_passwd "LDM_LOGIN" $PROJECT
fi
log "INFO" "Registering system units for bridgehead and bridgehead-update"
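Review bot: The enclosing guard is still `if [ -z "$LDM_PASSWORD" ]` (visible in the hunk header), but the new call stores the credential under `LDM_LOGIN`, so `LDM_PASSWORD` stays empty and a later installer run would presumably generate another password and append it to `LDM_LOGIN`. The guard should test the variable that is now written, e.g. `if [ -z "$LDM_LOGIN" ]; then`. The context line above the change also logs the generated password in cleartext, and the call passes `$generated_passwd` unquoted; `addBasicAuthUser "$PROJECT" "$generated_passwd" "LDM_LOGIN" "$PROJECT"` is the safer form.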
diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh
new file mode 100644
index 0000000..55c3142
--- /dev/null
+++ b/lib/sitespecific-functions.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+source lib/functions.sh
+PROJECT="ccp"
+log "INFO" "Adding custom encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
+read -p "Please enter custom user: " user
+read -s -p "Please enter password (will not be echoed): "$'\n' password
+addBasicAuthUser $user $password "NNGM_AUTH" $PROJECT
\ No newline at end of file
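Review bot: Both `read` calls lack `-r` and the last line passes `$user` and `$password` unquoted, so a backslash in the password is consumed by `read` and a space or `*` splits or expands the argument before it reaches `addBasicAuthUser`. I would write `read -r -s -p "Please enter password (will not be echoed): "$'\n' password` and `addBasicAuthUser "$user" "$password" "NNGM_AUTH" "$PROJECT"`. `source lib/functions.sh` is also resolved against the current directory rather than the script's location, so it only works when the caller's working directory is the repository root.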
From dc0fc286b1fb356293934f30b90e4983e6b6974c Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de"
Date: Thu, 27 Jul 2023 15:38:29 +0200
Subject: [PATCH 2/6] add generic bash function addBasicAuthUser
---
bridgehead | 1 -
ccp/nngm-compose.yml | 2 +-
ccp/nngm-setup.sh | 4 ----
lib/functions.sh | 32 +++++++++-----------------------
lib/install-bridgehead.sh | 12 ++++++++----
lib/sitespecific-functions.sh | 14 +++++++++-----
minimal/docker-compose.yml | 2 +-
7 files changed, 28 insertions(+), 39 deletions(-)
mode change 100644 => 100755 lib/sitespecific-functions.sh
diff --git a/bridgehead b/bridgehead
index 1a88973..5319620 100755
--- a/bridgehead
+++ b/bridgehead
@@ -73,7 +73,6 @@ case "$ACTION" in
hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
checkRequirements
hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
- export LDM_LOGIN=$(getLdmPassword)
exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
;;
stop)
diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index 18be977..e61532d 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -24,6 +24,6 @@ services:
traefik:
labels:
- - "traefik.http.middlewares.auth-nngm.basicauth.users=$NNGM_AUTH"
+ - "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}"
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index bcc4cd1..cb9590a 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -1,8 +1,4 @@
#!/bin/bash
-##nNGM vars:
-#NNGM_MAGICPL_APIKEY
-#NNGM_CTS_APIKEY
-#NNGM_CRYPTKEY
function nngmSetup() {
if [ -n "$NNGM_CTS_APIKEY" ]; then
diff --git a/lib/functions.sh b/lib/functions.sh
index cd73186..d6c1b85 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -9,14 +9,6 @@ detectCompose() {
fi
}
-getLdmPassword() {
- if [ -n "$LDM_PASSWORD" ]; then
- docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
- else
- echo -n ""
- fi
-}
-
exitIfNotRoot() {
if [ "$EUID" -ne 0 ]; then
log "ERROR" "Please run as root"
@@ -34,7 +26,7 @@ checkOwner(){
}
printUsage() {
- echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME"
+ echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|addUser|enroll PROJECTNAME"
echo "PROJECTNAME should be one of ccp|bbmri"
}
@@ -183,27 +175,21 @@ function bk_is_running {
##Setting Network properties
# currently not needed
#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-addBasicAuthUser() {
+
+
+add_basic_auth_user() {
USER="${1}"
PASSWORD="${2}"
NAME="${3}"
PROJECT="${4}"
FILE="/etc/bridgehead/${PROJECT}.local.conf"
ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')"
- if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a basic auth user already exists:
+ if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
then
- sed -i "/$NAME/ s/$/,$ENCRY_CREDENTIALS/" $FILE
+ sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
else
- echo -e "\n## Basic Authentication Credentials for:\n$NAME=$ENCRY_CREDENTIALS" >> $FILE;
+ echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
fi
- read -p "Do you want to have your cleartext credentials saved in your $FILE: [y/n]" yn
- case $yn in
- [yYjJ] )
- echo "ok, variables are saved in $FILE"
- echo -e "# User: $USER\n# Password: $PASSWORD" >> $FILE;
- ;;
- [nN] )
- echo "skip saving cleartext LDM credentials; make sure to save them somewhere else"
- ;;
- esac
+ log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
+ sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
}
\ No newline at end of file
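Review bot: The last two added lines now write `# User:` and `# Password:` in cleartext into the config file on every call, with only a DEBUG log line to tell the operator, which leaves the password stored right next to its hash. I would keep this opt-in (the prompt this commit removes) or show the password once instead of persisting it. If it stays, note that `$PASSWORD` is interpolated into the sed script: a `|` breaks the expression and `&` or `\` are rewritten by sed, so the stored comment can differ from the real password; `printf '# User: %s\n# Password: %s\n' "$USER" "$PASSWORD" >> "$FILE"` avoids that, at the cost of placing the comment at the end of the file. The unchanged `htpasswd -nb $USER $PASSWORD` line above still passes the password unquoted on the command line.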
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 906e4a1..d0e9964 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -29,12 +29,16 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
EOF
# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
-if [ -z "$LDM_PASSWORD" ]; then
- log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
+if [ -z "$LDM_AUTH" ]; then
+ log "INFO" "Now generating basic auth for the local data management (see addUser in bridgehead for more information). "
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+ add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT
+fi
- log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd"
- addBasicAuthUser $PROJECT $generated_passwd "LDM_LOGIN" $PROJECT
+if [ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
+ log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). "
+ generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+ add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
fi
log "INFO" "Registering system units for bridgehead and bridgehead-update"
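Review bot: The second block's condition `[ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]` looks inverted: it creates the `nngm` user only when no nNGM API key is configured, which is presumably the case where the nNGM connector is not deployed at all. If the intent is to provision credentials for sites that use nNGM, the test should be `[ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]`. The password pipeline is also duplicated verbatim in both blocks and could live in one small helper.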
diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh
old mode 100644
new mode 100755
index 55c3142..04db02e
--- a/lib/sitespecific-functions.sh
+++ b/lib/sitespecific-functions.sh
@@ -1,7 +1,11 @@
#!/bin/bash -e
+
source lib/functions.sh
-PROJECT="ccp"
-log "INFO" "Adding custom encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
-read -p "Please enter custom user: " user
-read -s -p "Please enter password (will not be echoed): "$'\n' password
-addBasicAuthUser $user $password "NNGM_AUTH" $PROJECT
\ No newline at end of file
+
+PROJECT=$1
+
+log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
+read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
+read -p "Please enter a username: " USER
+read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
+add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
\ No newline at end of file
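Review bot: `COMPONENT` is read as free text and passed straight to `add_basic_auth_user`, where it becomes the sed address `/$NAME/` and the variable name written into the `.local.conf` file; a typo creates a stray variable that no middleware reads, and regex metacharacters or `/` change which lines sed edits. Restricting it to the two offered values closes that, e.g. `case "$COMPONENT" in LDM_AUTH|NNGM_AUTH) ;; *) log "ERROR" "Unknown component: $COMPONENT"; exit 1 ;; esac` before the call. Assigning `USER` and `PASSWORD` also overwrites the shell's own `USER` variable, and the arguments to `add_basic_auth_user` are unquoted. The same lines are moved unchanged into the `addUser` branch of `bridgehead` in PATCH 3/6 and PATCH 4/6, so this applies there as well.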
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index cd4c2e5..055f683 100644
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -21,7 +21,7 @@ services:
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls=true"
- "traefik.http.routers.dashboard.middlewares=auth"
- - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
+ - "traefik.http.middlewares.auth.basicauth.users=${LDM_AUTH}"
ports:
- 80:80
- 443:443
From 3f43c32bd258f51be769ef645671694eb0aa5dad Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de"
Date: Wed, 9 Aug 2023 09:10:20 +0200
Subject: [PATCH 3/6] refactor addUser code
---
bridgehead | 6 +++++-
lib/sitespecific-functions.sh | 11 -----------
2 files changed, 5 insertions(+), 12 deletions(-)
delete mode 100755 lib/sitespecific-functions.sh
diff --git a/bridgehead b/bridgehead
index 5319620..37e7e7b 100755
--- a/bridgehead
+++ b/bridgehead
@@ -104,7 +104,11 @@ case "$ACTION" in
;;
addUser)
loadVars
- exec ./lib/sitespecific-functions.sh $PROJECT
+ log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
+ read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
+ read -p "Please enter a username: " USER
+ read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
+ add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
;;
enroll)
loadVars
diff --git a/lib/sitespecific-functions.sh b/lib/sitespecific-functions.sh
deleted file mode 100755
index 04db02e..0000000
--- a/lib/sitespecific-functions.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash -e
-
-source lib/functions.sh
-
-PROJECT=$1
-
-log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
-read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
-read -p "Please enter a username: " USER
-read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
-add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
\ No newline at end of file
From 2c7de6c8b40ad812be93f6daa947e4c7778cdf13 Mon Sep 17 00:00:00 2001
From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com>
Date: Wed, 9 Aug 2023 09:24:23 +0200
Subject: [PATCH 4/6] refactor strange formatting
---
bridgehead | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/bridgehead b/bridgehead
index 37e7e7b..4f023fa 100755
--- a/bridgehead
+++ b/bridgehead
@@ -105,10 +105,10 @@ case "$ACTION" in
addUser)
loadVars
log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
- read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
- read -p "Please enter a username: " USER
- read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
- add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
+ read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
+ read -p "Please enter a username: " USER
+ read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
+ add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
;;
enroll)
loadVars
From 4754eb282b68d0d60442eec03ab2cb6206251339 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de"
Date: Tue, 15 Aug 2023 13:55:07 +0200
Subject: [PATCH 5/6] add migration for old credentials
---
lib/install-bridgehead.sh | 2 +-
lib/update-bridgehead.sh | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index d0e9964..784020e 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -35,7 +35,7 @@ if [ -z "$LDM_AUTH" ]; then
add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT
fi
-if [ -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
+if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). "
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 89db369..0d985f7 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -139,6 +139,13 @@ else
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
fi
+if [ ! -z "$LDM_PASSWORD" ]; then
+ FILE="/etc/bridgehead/$PROJECT.local.conf"
+ log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
+ add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
+ sed -i "/LDM_PASSWORD/{d;}" $FILE
+fi
+
exit 0
# TODO: Print last commit explicit
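Review bot: The `sed -i "/LDM_PASSWORD/{d;}"` line removes the old credential whether or not `add_basic_auth_user` produced a hash, so if the `docker run … htpasswd` step fails the site is left with an empty or malformed `LDM_AUTH` entry and no `LDM_PASSWORD` variable for the next update run to retry with. I would have `add_basic_auth_user` return non-zero when htpasswd yields nothing and chain the deletion on it: `add_basic_auth_user "$PROJECT" "$LDM_PASSWORD" "LDM_AUTH" "$PROJECT" && sed -i '/^LDM_PASSWORD=/d' "$FILE"`. Anchoring the pattern to `^LDM_PASSWORD=` also avoids deleting unrelated lines that merely mention the name.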
From b58348328c91c06a102ac323f38df60239d4351b Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de"
Date: Tue, 15 Aug 2023 15:34:49 +0200
Subject: [PATCH 6/6] fix nngm migration
---
lib/update-bridgehead.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 0d985f7..aea043a 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -139,10 +139,12 @@ else
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
fi
+#TODO: the following block can be deleted after successful update at all sites
if [ ! -z "$LDM_PASSWORD" ]; then
FILE="/etc/bridgehead/$PROJECT.local.conf"
log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
+ add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT
sed -i "/LDM_PASSWORD/{d;}" $FILE
fi
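Review bot: The added line gives the LDM user and password access to whatever is behind `NNGM_AUTH` on every site that still has `LDM_PASSWORD`, whether or not nNGM is configured there, whereas install-bridgehead.sh only creates `NNGM_AUTH` when `NNGM_CTS_APIKEY` is set. If the reuse is meant to keep existing nNGM clients working, guarding it the same way keeps the credential off sites that never used it: `[ -n "$NNGM_CTS_APIKEY" ] && add_basic_auth_user "$PROJECT" "$LDM_PASSWORD" "NNGM_AUTH" "$PROJECT"`. Each call also writes the cleartext password as a comment, so after this migration it appears twice in `$FILE`.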