Merge pull request #105 from samply/feature/custom-basic-auth

Feature/custom basic auth

bridgehead

@@ -73,7 +73,6 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		export LDM_LOGIN=$(getLdmPassword)
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
@@ -103,6 +102,14 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/uninstall-bridgehead.sh $PROJECT
 		;;
+	addUser)
+		loadVars
+		log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
+    		read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
+    		read -p "Please enter a username: " USER
+    		read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
+    		add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
+		;;
 	enroll)
 		loadVars
 

ccp/nngm-compose.yml

@@ -18,7 +18,12 @@ services:
       - "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
       - "traefik.http.services.connector.loadbalancer.server.port=8080"
       - "traefik.http.routers.connector.tls=true"
-      - "traefik.http.routers.connector.middlewares=connector_strip,auth"
+      - "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm"
     volumes:
       - nngm-rest:/var/log
 
+  traefik:
+    labels:
+      - "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}"
+
+

ccp/nngm-setup.sh

@@ -1,8 +1,4 @@
 #!/bin/bash
-##nNGM vars:
-#NNGM_MAGICPL_APIKEY
-#NNGM_CTS_APIKEY
-#NNGM_CRYPTKEY
 
 function nngmSetup() {
 	if [ -n "$NNGM_CTS_APIKEY" ]; then

lib/functions.sh

@@ -9,14 +9,6 @@ detectCompose() {
 	fi
 }
 
-getLdmPassword() {
-	if [ -n "$LDM_PASSWORD" ]; then
-		docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
-	else
-		echo -n ""
-	fi
-}
-
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
@@ -34,7 +26,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|addUser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
@@ -203,3 +195,20 @@ function do_enroll_inner {
 function do_enroll {
 	do_enroll_inner $@
 }
+
+add_basic_auth_user() {
+   USER="${1}"
+   PASSWORD="${2}"
+   NAME="${3}"
+   PROJECT="${4}"
+   FILE="/etc/bridgehead/${PROJECT}.local.conf"
+   ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD  | tr -d '\n' | tr -d '\r')"
+   if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
+   then
+     sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
+   else
+     echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
+   fi
+ 	log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
+   sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
+}

lib/install-bridgehead.sh

@@ -29,12 +29,16 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
 # TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
-if [ -z "$LDM_PASSWORD" ]; then
+if [ -z "$LDM_AUTH" ]; then
-  log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
+  log "INFO" "Now generating basic auth for the local data management (see addUser in bridgehead for more information). "
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+  add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT
+fi
 
-  log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
+if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
-  echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
+  log "INFO" "Now generating basic auth for nNGM upload API (see addUser in bridgehead for more information). "
+  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+  add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 
 log "INFO" "Registering system units for bridgehead and bridgehead-update"

lib/update-bridgehead.sh

@@ -139,6 +139,15 @@ else
   log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
 fi
 
+#TODO: the following block can be deleted after successful update at all sites
+if [ ! -z "$LDM_PASSWORD" ]; then
+  FILE="/etc/bridgehead/$PROJECT.local.conf"
+  log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
+  add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
+  add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT
+  sed -i "/LDM_PASSWORD/{d;}" $FILE
+fi
+
 exit 0
 
 # TODO: Print last commit explicit

minimal/docker-compose.yml

@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
       - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_AUTH}"
     ports:
       - 80:80
       - 443:443