fic/server
1
0
Fork 0
Code Issues Pull Requests 4 Releases Wiki Activity

fickit: Handle secrets more seriously

Browse Source
This commit is contained in:
nemunaire 2024-03-23 18:03:08 +01:00
parent c3e6cadb70
commit dc5350c20f
3 changed files with 81 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
admin/main.go
View File

@ -3,6 +3,7 @@ package main
import ( import (
"flag" "flag"
"io/fs" "io/fs"
"io/ioutil"
"log" "log"
"net/http" "net/http"
"os" "os"
@ -10,6 +11,7 @@ import (
"path" "path"
"path/filepath" "path/filepath"
"strconv" "strconv"
"strings"
"syscall" "syscall"
"srs.epita.fr/fic-server/admin/api" "srs.epita.fr/fic-server/admin/api"
@ -39,9 +41,29 @@ func main() {
} }
if v, exists := os.LookupEnv("FICOIDC_SECRET"); exists { if v, exists := os.LookupEnv("FICOIDC_SECRET"); exists {
api.OidcSecret = v api.OidcSecret = v
} else if v, exists := os.LookupEnv("FICOIDC_SECRET_FILE"); exists {
fd, err := os.Open(v)
if err != nil {
log.Fatal("Unable to open FICOIDC_SECRET_FILE:", err)
}
b, _ := ioutil.ReadAll(fd)
api.OidcSecret = strings.TrimSpace(string(b))
fd.Close()
} }
if v, exists := os.LookupEnv("FICCA_PASS"); exists { if v, exists := os.LookupEnv("FICCA_PASS"); exists {
pki.SetCAPassword(v) pki.SetCAPassword(v)
} else if v, exists := os.LookupEnv("FICCA_PASS_FILE"); exists {
fd, err := os.Open(v)
if err != nil {
log.Fatal("Unable to open FICCA_PASS_FILE:", err)
}
b, _ := ioutil.ReadAll(fd)
pki.SetCAPassword(strings.TrimSpace(string(b)))
fd.Close()
} else { } else {
log.Println("WARNING: no password defined for the CA, will use empty password to secure CA private key") log.Println("WARNING: no password defined for the CA, will use empty password to secure CA private key")
log.Println("WARNING: PLEASE DEFINE ENVIRONMENT VARIABLE: FICCA_PASS") log.Println("WARNING: PLEASE DEFINE ENVIRONMENT VARIABLE: FICCA_PASS")
@ -54,6 +76,16 @@ func main() {
} }
if v, exists := os.LookupEnv("FICCLOUD_PASS"); exists { if v, exists := os.LookupEnv("FICCLOUD_PASS"); exists {
cloudPassword = v cloudPassword = v
} else if v, exists := os.LookupEnv("FICCLOUD_PASS_FILE"); exists {
fd, err := os.Open(v)
if err != nil {
log.Fatal("Unable to open FICCLOUD_PASS_FILE:", err)
}
b, _ := ioutil.ReadAll(fd)
cloudPassword = strings.TrimSpace(string(b))
fd.Close()
} }
if v, exists := os.LookupEnv("FIC_BASEURL"); exists { if v, exists := os.LookupEnv("FIC_BASEURL"); exists {
baseURL = v baseURL = v

45
fickit-backend.yml
View File

@ -143,6 +143,16 @@ onboot:
- /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
net: /run/netns/fic-admin net: /run/netns/fic-admin
- name: create-secrets
image: alpine:3.19
command: ["/bin/init_secrets.sh"]
binds:
- /bin/init_secrets.sh:/bin/init_secrets.sh:ro
- /var/lib/fic/secrets:/var/lib/fic/secrets
runtime:
mkdir:
- /var/lib/fic/secrets
services: services:
# - name: getty # - name: getty
# image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b # image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
@ -165,12 +175,13 @@ services:
env: env:
- MYSQL_DATABASE=fic - MYSQL_DATABASE=fic
- MYSQL_USER=fic - MYSQL_USER=fic
- MYSQL_PASSWORD=fic - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
- MYSQL_RANDOM_ROOT_PASSWORD=yes - MYSQL_RANDOM_ROOT_PASSWORD=yes
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /etc/mysql/conf.d:/etc/mysql/conf.d:ro - /etc/mysql/conf.d:/etc/mysql/conf.d:ro
- /var/lib/fic/mysql:/var/lib/mysql - /var/lib/fic/mysql:/var/lib/mysql
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
net: /run/netns/db net: /run/netns/db
pid: new pid: new
ipc: new ipc: new
@ -185,11 +196,12 @@ services:
- MYSQL_HOST=db - MYSQL_HOST=db
- MYSQL_DATABASE=fic - MYSQL_DATABASE=fic
- MYSQL_USER=fic - MYSQL_USER=fic
- MYSQL_PASSWORD=fic - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /root/mysql_backup.sh:/root/mysql_backup.sh:ro - /root/mysql_backup.sh:/root/mysql_backup.sh:ro
- /var/lib/fic/backups/:/var/lib/fic/backups/ - /var/lib/fic/backups/:/var/lib/fic/backups/
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
net: /run/netns/db net: /run/netns/db
runtime: runtime:
mkdir: mkdir:
@ -200,11 +212,15 @@ services:
env: env:
- PATH=/usr/sbin:/usr/bin:/sbin:/bin - PATH=/usr/sbin:/usr/bin:/sbin:/bin
- MYSQL_HOST=db - MYSQL_HOST=db
- FICCA_PASS=jee8AhloAith1aesCeQu5ahgIegaeM4K - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
- FICCA_PASS_FILE=/run/secrets/fic_ca_pass
- FICOIDC_ISSUER=live.fic.srs.epita.fr - FICOIDC_ISSUER=live.fic.srs.epita.fr
- FICOIDC_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g - FICOIDC_SECRET_FILE=/run/secrets/fic_oidc_secret
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /var/lib/fic/secrets/fic_ca_pass:/run/secrets/fic_ca_pass:ro
- /var/lib/fic/secrets/fic_oidc_secret:/run/secrets/fic_oidc_secret:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/raw_files:/mnt/fic - /var/lib/fic/raw_files:/mnt/fic
- /var/lib/fic/dashboard:/srv/DASHBOARD - /var/lib/fic/dashboard:/srv/DASHBOARD
- /var/lib/fic/files:/srv/FILES - /var/lib/fic/files:/srv/FILES
@ -248,11 +264,12 @@ services:
image: nemunaire/fic-checker:latest image: nemunaire/fic-checker:latest
env: env:
- MYSQL_HOST=db - MYSQL_HOST=db
- MYSQL_PASSWORD=fic - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /var/lib/fic/generator:/srv/GENERATOR:ro - /var/lib/fic/generator:/srv/GENERATOR:ro
- /var/lib/fic/teams:/srv/TEAMS:ro - /var/lib/fic/teams:/srv/TEAMS:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro - /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
- /var/lib/fic/submissions:/srv/submissions - /var/lib/fic/submissions:/srv/submissions
net: /run/netns/fic-checker net: /run/netns/fic-checker
@ -288,11 +305,12 @@ services:
command: ["/srv/generator", "-bind=/srv/GENERATOR/generator.socket"] command: ["/srv/generator", "-bind=/srv/GENERATOR/generator.socket"]
env: env:
- MYSQL_HOST=db - MYSQL_HOST=db
- MYSQL_PASSWORD=fic - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /var/lib/fic/generator:/srv/GENERATOR - /var/lib/fic/generator:/srv/GENERATOR
- /var/lib/fic/teams:/srv/TEAMS - /var/lib/fic/teams:/srv/TEAMS
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro - /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
net: /run/netns/fic-generator net: /run/netns/fic-generator
pid: new pid: new
@ -308,10 +326,11 @@ services:
command: ["/srv/qa", "--bind=:8083", "-baseurl=/qa"] command: ["/srv/qa", "--bind=:8083", "-baseurl=/qa"]
env: env:
- MYSQL_HOST=db - MYSQL_HOST=db
- MYSQL_PASSWORD=fic - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /var/lib/fic/teams:/srv/TEAMS:ro - /var/lib/fic/teams:/srv/TEAMS:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro - /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
net: /run/netns/fic-qa net: /run/netns/fic-qa
pid: new pid: new
@ -383,6 +402,18 @@ files:
/bin/hostname deimos /bin/hostname deimos
mode: "0555" mode: "0555"
- path: bin/init_secrets.sh
contents: |
#!/bin/sh
SECRETS_DIR="/var/lib/fic/secrets"
[ -f "${SECRETS_DIR}/mysql_password" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/mysql_password"
[ -f "${SECRETS_DIR}/fic_ca_pass" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/fic_ca_pass"
[ -f "${SECRETS_DIR}/fic_oidc_secret" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/fic_oidc_secret"
mode: "0755"
- path: etc/profile.d/color_prompt.sh - path: etc/profile.d/color_prompt.sh
contents: | contents: |
PS1='\[\e[1;33m\]'$PS1'\[\e[0m\]' PS1='\[\e[1;33m\]'$PS1'\[\e[0m\]'

11
libfic/db.go
View File

@ -4,6 +4,7 @@ import (
"database/sql" "database/sql"
"errors" "errors"
"fmt" "fmt"
"io/ioutil"
"log" "log"
"os" "os"
"strings" "strings"
@ -36,6 +37,16 @@ func DSNGenerator() string {
} }
if v, exists := os.LookupEnv("MYSQL_PASSWORD"); exists { if v, exists := os.LookupEnv("MYSQL_PASSWORD"); exists {
db_password = v db_password = v
} else if v, exists := os.LookupEnv("MYSQL_PASSWORD_FILE"); exists {
fd, err := os.Open(v)
if err != nil {
log.Fatal("Unable to open MYSQL_PASSWORD_FILE:", err)
}
b, _ := ioutil.ReadAll(fd)
db_password = strings.TrimSpace(string(b))
fd.Close()
} else if v, exists := os.LookupEnv("MYSQL_ROOT_PASSWORD"); exists { } else if v, exists := os.LookupEnv("MYSQL_ROOT_PASSWORD"); exists {
db_user = "root" db_user = "root"
db_password = v db_password = v