Add signature and encryption secrets for identity services

install/OneClickInstall/install-Docker.sh

@@ -41,6 +41,7 @@ DOCKER_TAG=""
 INSTALLATION_TYPE="ENTERPRISE"
 IMAGE_NAME="${PACKAGE_SYSNAME}/${STATUS}${PRODUCT}-api"
 CONTAINER_NAME="${PACKAGE_SYSNAME}-api"
+IDENTITY_CONTAINER_NAME="${PACKAGE_SYSNAME}-identity-api"
 
 NETWORK_NAME=${PACKAGE_SYSNAME}
 
@@ -103,6 +104,8 @@ APP_CORE_MACHINEKEY=""
 ENV_EXTENSION=""
 LETS_ENCRYPT_DOMAIN=""
 LETS_ENCRYPT_MAIL=""
+IDENTITY_SIGNATURE_SECRET=""
+IDENTITY_ENCRYPTION_SECRET=""
 
 HELP_TARGET="install-Docker.sh"
 OFFLINE_INSTALLATION="false"
@@ -1105,6 +1108,13 @@ set_core_machinekey () {
 	[ "$UPDATE" != "true" ] && APP_CORE_MACHINEKEY="${APP_CORE_MACHINEKEY:-$(get_random_str 12)}"
 }
 
+set_identity_secrets () {
+	IDENTITY_SIGNATURE_SECRET="${IDENTITY_SIGNATURE_SECRET:-$(get_env_parameter "IDENTITY_SIGNATURE_SECRET" "${IDENTITY_CONTAINER_NAME}")}"
+	IDENTITY_SIGNATURE_SECRET="${IDENTITY_SIGNATURE_SECRET:-$(get_random_str 12)}"
+	IDENTITY_ENCRYPTION_SECRET="${IDENTITY_ENCRYPTION_SECRET:-$(get_env_parameter "IDENTITY_ENCRYPTION_SECRET" "${IDENTITY_CONTAINER_NAME}")}"
+	IDENTITY_ENCRYPTION_SECRET="${IDENTITY_ENCRYPTION_SECRET:-$(get_random_str 12)}"
+}
+
 set_mysql_params () {
 	MYSQL_PASSWORD="${MYSQL_PASSWORD:-$(get_env_parameter "MYSQL_PASSWORD" "${CONTAINER_NAME}")}"
 	MYSQL_PASSWORD="${MYSQL_PASSWORD:-$(get_random_str 20)}"
@@ -1287,6 +1297,8 @@ install_product () {
 		reconfigure ENV_EXTENSION ${ENV_EXTENSION}
 		reconfigure IDENTITY_PROFILE "${IDENTITY_PROFILE:-"prod,server"}"
 		reconfigure APP_CORE_MACHINEKEY ${APP_CORE_MACHINEKEY}
+		reconfigure IDENTITY_SIGNATURE_SECRET ${IDENTITY_SIGNATURE_SECRET}
+		reconfigure IDENTITY_ENCRYPTION_SECRET ${IDENTITY_ENCRYPTION_SECRET}
 		reconfigure APP_CORE_BASE_DOMAIN ${APP_CORE_BASE_DOMAIN}
 		reconfigure APP_URL_PORTAL "${APP_URL_PORTAL:-"http://${PACKAGE_SYSNAME}-router:8092"}"
 		reconfigure EXTERNAL_PORT ${EXTERNAL_PORT}
@@ -1512,6 +1524,7 @@ start_installation () {
 	set_jwt_header
 
 	set_core_machinekey
+	set_identity_secrets
 
 	set_mysql_params
 

install/common/product-configuration

@@ -169,6 +169,7 @@ while [ "$1" != "" ]; do
 		-mk | --machinekey )
 			if [ "$2" != "" ]; then
 				CORE_MACHINEKEY=$2
+				echo "$CORE_MACHINEKEY" > "$APP_DIR/.private/machinekey"
 				shift
 			fi
 		;;
@@ -197,6 +198,7 @@ while [ "$1" != "" ]; do
 		-dp | --dashboadrspassword )
 			if [ "$2" != "" ]; then
 				DASHBOARDS_PASSWORD=$2
+				echo "$DASHBOARDS_PASSWORD" > "$APP_DIR/.private/dashboards-password"
 				shift
 			fi
 		;;
@@ -246,23 +248,6 @@ while [ "$1" != "" ]; do
 	shift
 done
 
-set_core_machinekey () {
-	if [[ -f $APP_DIR/.private/machinekey ]] || [[ -n $CORE_MACHINEKEY ]]; then
-		CORE_MACHINEKEY=${CORE_MACHINEKEY:-$(cat $APP_DIR/.private/machinekey)};
-	else
-		CORE_MACHINEKEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 12);
-		if [ "$DIST" = "RedHat" ]; then
-			echo $CORE_MACHINEKEY > $APP_DIR/.private/machinekey
-			chmod o-rwx $APP_DIR/.private/machinekey
-		fi
-	fi
-
-	save_undefined_param "${USER_CONF}" "core.machinekey" "${CORE_MACHINEKEY}"
-	save_undefined_param "${USER_CONF}" "core['base-domain']" "${APP_HOST}" "rewrite"
-	save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core.machinekey" "${CORE_MACHINEKEY}"
-	save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core['base-domain']" "${APP_HOST}" "rewrite"
-}
-
 install_json() {
 	if ! command -v json; then
 		echo -n "Install json package... "
@@ -718,16 +703,7 @@ setup_dashboards() {
 	echo -n "Configuring dashboards... "
 
 	DASHBOARDS_CONF_PATH="/etc/opensearch-dashboards/opensearch_dashboards.yml"
-
-	if [[ -n ${DASHBOARDS_PASSWORD} ]]; then
-		echo "${DASHBOARDS_PASSWORD}" > ${APP_DIR}/.private/dashboards-password
-	elif [[ -f ${APP_DIR}/.private/dashboards-password ]]; then
-		DASHBOARDS_PASSWORD=$(cat ${APP_DIR}/.private/dashboards-password);
-	else
-		DASHBOARDS_PASSWORD=$(echo "$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 20)" | tee ${APP_DIR}/.private/dashboards-password)
-	fi
-
-	chmod o-rwx $APP_DIR/.private/dashboards-password
+	DASHBOARDS_PASSWORD=${DASHBOARDS_PASSWORD:-$(generate_key "dashboards-password" 20)}
 
 	# configure login&pass for Dashboards, used by Nginx HTTP Basic Authentication
 	echo "${DASHBOARDS_USERNAME:-"onlyoffice"}:$(openssl passwd -6 -stdin <<< "${DASHBOARDS_PASSWORD}")" > /etc/openresty/.htpasswd_dashboards
@@ -806,6 +782,14 @@ setup_rabbitmq() {
 	echo "OK"
 }
 
+generate_key() {
+    local FILE_NAME=$1
+    local KEY_LENGTH=${2:-12}
+    local KEY=${3:-$( [[ -f ${APP_DIR}/.private/$FILE_NAME ]] && cat ${APP_DIR}/.private/$FILE_NAME || tr -dc A-Za-z0-9 </dev/urandom | head -c $KEY_LENGTH )}
+    echo "${KEY}" | tee "${APP_DIR}/.private/$FILE_NAME"
+    chmod -R 600 ${APP_DIR}/.private
+}
+
 product_configuration(){
 	echo -n "Configuring ${PRODUCT}... "
 
@@ -829,7 +813,15 @@ product_configuration(){
 	echo "SPRING_PROFILES_ACTIVE=prod,server" >> "$APP_DIR/systemd.env"
 	chmod o-rwx "$APP_DIR/systemd.env"
 
-	set_core_machinekey
+	echo "SPRING_APPLICATION_SIGNATURE_SECRET=${SIGNATURE_SECRET:-$(generate_key "signature")}" >> "$APP_DIR/systemd.env"
+	echo "SPRING_APPLICATION_ENCRYPTION_SECRET=${ENCRYPTION_SECRET:-$(generate_key "encryption")}" >> "$APP_DIR/systemd.env"
+
+	CORE_MACHINEKEY=${CORE_MACHINEKEY:-$(generate_key "machinekey")}
+	save_undefined_param "${USER_CONF}" "core.machinekey" "${CORE_MACHINEKEY}"
+	save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core.machinekey" "${CORE_MACHINEKEY}"
+
+	save_undefined_param "${USER_CONF}" "core['base-domain']" "${APP_HOST}" "rewrite"
+	save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core['base-domain']" "${APP_HOST}" "rewrite"
 
 	echo "OK"
 }
@@ -918,5 +910,5 @@ if $PACKAGE_MANAGER opensearch >/dev/null 2>&1; then
 	ELASTIC_VERSION=$(awk '/build:/{f=1} f&&/version:/{gsub(/"/,"",$2);print $2; exit}' /usr/share/opensearch/manifest.yml 2>/dev/null || echo "2.18.0")
 	[[ ! -f "$APP_DIR/.private/opensearch-version" || $(cat "$APP_DIR/.private/opensearch-version") != *"$ELASTIC_VERSION"* ]] && $MYSQL "$DB_NAME" -e "TRUNCATE webstudio_index";
 	echo "$ELASTIC_VERSION" > $APP_DIR/.private/opensearch-version
-	chmod o-rwx $APP_DIR/.private/opensearch-version
+	chmod -R 600 $APP_DIR/.private
 fi

install/docker/.env

@@ -127,6 +127,8 @@
     IDENTITY_AUTHORIZATION_SERVER_PORT=8080
     IDENTITY_API_CONTAINER_NAME=${CONTAINER_PREFIX}identity-api
     IDENTITY_API_SERVER_PORT=9090
+    IDENTITY_SIGNATURE_SECRET=your_secret_key
+    IDENTITY_ENCRYPTION_SECRET=your_secret_key
 
 # router upstream environment #
     SERVICE_API_SYSTEM=${API_SYSTEM_HOST}:${SERVICE_PORT}

install/docker/identity.yml

@@ -6,6 +6,8 @@ x-healthcheck: &x-healthcheck
 
 x-common-environment: &x-common-environment
   SPRING_PROFILES_ACTIVE: ${IDENTITY_PROFILE}
+  SPRING_APPLICATION_SIGNATURE_SECRET: ${IDENTITY_SIGNATURE_SECRET}
+  SPRING_APPLICATION_ENCRYPTION_SECRET: ${IDENTITY_ENCRYPTION_SECRET}
   MYSQL_CONTAINER_NAME: ${MYSQL_CONTAINER_NAME}
   MYSQL_HOST: ${MYSQL_HOST}
   MYSQL_PORT: ${MYSQL_PORT}