From 4d100fda92ada13f357417aabc65f8d5399749a3 Mon Sep 17 00:00:00 2001
From: Evgeniy Antonyuk
Date: Tue, 11 Feb 2025 20:16:14 +0300
Subject: [PATCH] Add signature and encryption secrets for identity services

---
 install/OneClickInstall/install-Docker.sh | 13 ++++++
 install/common/product-configuration | 50 ++++++++++-------------
 install/docker/.env | 2 +
 install/docker/identity.yml | 2 +
 4 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/install/OneClickInstall/install-Docker.sh b/install/OneClickInstall/install-Docker.sh
index ba151c08bec..d2f0a9d6884 100644
--- a/install/OneClickInstall/install-Docker.sh
+++ b/install/OneClickInstall/install-Docker.sh
@@ -41,6 +41,7 @@ DOCKER_TAG=""
 INSTALLATION_TYPE="ENTERPRISE"
 IMAGE_NAME="${PACKAGE_SYSNAME}/${STATUS}${PRODUCT}-api"
 CONTAINER_NAME="${PACKAGE_SYSNAME}-api"
+IDENTITY_CONTAINER_NAME="${PACKAGE_SYSNAME}-identity-api"
 NETWORK_NAME=${PACKAGE_SYSNAME}
@@ -103,6 +104,8 @@ APP_CORE_MACHINEKEY=""
 ENV_EXTENSION=""
 LETS_ENCRYPT_DOMAIN=""
 LETS_ENCRYPT_MAIL=""
+IDENTITY_SIGNATURE_SECRET=""
+IDENTITY_ENCRYPTION_SECRET=""
 HELP_TARGET="install-Docker.sh"
 OFFLINE_INSTALLATION="false"
@@ -1105,6 +1108,13 @@ set_core_machinekey () {
 [ "$UPDATE" != "true" ] && APP_CORE_MACHINEKEY="${APP_CORE_MACHINEKEY:-$(get_random_str 12)}"
 }
 
+set_identity_secrets () {
+ IDENTITY_SIGNATURE_SECRET="${IDENTITY_SIGNATURE_SECRET:-$(get_env_parameter "IDENTITY_SIGNATURE_SECRET" "${IDENTITY_CONTAINER_NAME}")}"
+ IDENTITY_SIGNATURE_SECRET="${IDENTITY_SIGNATURE_SECRET:-$(get_random_str 12)}"
+ IDENTITY_ENCRYPTION_SECRET="${IDENTITY_ENCRYPTION_SECRET:-$(get_env_parameter "IDENTITY_ENCRYPTION_SECRET" "${IDENTITY_CONTAINER_NAME}")}"
+ IDENTITY_ENCRYPTION_SECRET="${IDENTITY_ENCRYPTION_SECRET:-$(get_random_str 12)}"
+}
+
 set_mysql_params () {
 MYSQL_PASSWORD="${MYSQL_PASSWORD:-$(get_env_parameter "MYSQL_PASSWORD" "${CONTAINER_NAME}")}"
 MYSQL_PASSWORD="${MYSQL_PASSWORD:-$(get_random_str 20)}"
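Review bot: The fallback in `set_identity_secrets` generates only 12 alphanumeric characters for each secret (the two `get_random_str 12` lines), while `set_mysql_params` two lines later asks for 20; a value that is presumably the identity service's token signing and encryption key deserves at least as much, so I would use `IDENTITY_SIGNATURE_SECRET="${IDENTITY_SIGNATURE_SECRET:-$(get_random_str 32)}"` and the same for `IDENTITY_ENCRYPTION_SECRET`. On a fresh install `get_env_parameter` is queried for a container that does not exist yet; that looks intended, but it is worth confirming the helper returns an empty string rather than an error message in that case, since the result is used unchecked. `set_mysql_params` continues past the end of the hunk.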
@@ -1287,6 +1297,8 @@ install_product () {
 reconfigure ENV_EXTENSION ${ENV_EXTENSION}
 reconfigure IDENTITY_PROFILE "${IDENTITY_PROFILE:-"prod,server"}"
 reconfigure APP_CORE_MACHINEKEY ${APP_CORE_MACHINEKEY}
+ reconfigure IDENTITY_SIGNATURE_SECRET ${IDENTITY_SIGNATURE_SECRET}
+ reconfigure IDENTITY_ENCRYPTION_SECRET ${IDENTITY_ENCRYPTION_SECRET}
 reconfigure APP_CORE_BASE_DOMAIN ${APP_CORE_BASE_DOMAIN}
 reconfigure APP_URL_PORTAL "${APP_URL_PORTAL:-"http://${PACKAGE_SYSNAME}-router:8092"}"
 reconfigure EXTERNAL_PORT ${EXTERNAL_PORT}
@@ -1512,6 +1524,7 @@ start_installation () {
 set_jwt_header
 set_core_machinekey
+ set_identity_secrets
 set_mysql_params
diff --git a/install/common/product-configuration b/install/common/product-configuration
index 38d0821c496..ab0b48eed23 100644
--- a/install/common/product-configuration
+++ b/install/common/product-configuration
@@ -169,6 +169,7 @@ while [ "$1" != "" ]; do
 -mk | --machinekey )
 if [ "$2" != "" ]; then
 CORE_MACHINEKEY=$2
+ echo "$CORE_MACHINEKEY" > "$APP_DIR/.private/machinekey"
 shift
 fi
 ;;
@@ -197,6 +198,7 @@ while [ "$1" != "" ]; do
 -dp | --dashboadrspassword )
 if [ "$2" != "" ]; then
 DASHBOARDS_PASSWORD=$2
+ echo "$DASHBOARDS_PASSWORD" > "$APP_DIR/.private/dashboards-password"
 shift
 fi
 ;;
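Review bot: The two new `reconfigure` lines pass `${IDENTITY_SIGNATURE_SECRET}` and `${IDENTITY_ENCRYPTION_SECRET}` unquoted, so a value supplied through the environment that contains spaces or glob characters is word-split before `reconfigure` sees it; the generated fallback is alphanumeric, but the variable can also be set by the caller. Quoting them as `reconfigure IDENTITY_SIGNATURE_SECRET "${IDENTITY_SIGNATURE_SECRET}"` matches the `IDENTITY_PROFILE` line just above. `install_product` extends beyond the hunk on both sides.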
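Review bot: The `echo "$CORE_MACHINEKEY" > "$APP_DIR/.private/machinekey"` added to the `-mk` arm writes the secret to disk during option parsing with whatever umask the caller has, and the only permission step left in this patch is the `chmod -R 600 $APP_DIR/.private` at the end of the file, which sits inside the opensearch branch; until then, or permanently on hosts without opensearch, the file can be readable to other local users. The same applies to the `-dp` arm below, which writes `dashboards-password`. I would narrow the umask for the write, `( umask 077; printf '%s\n' "$CORE_MACHINEKEY" > "$APP_DIR/.private/machinekey" )`, and do the same for the dashboards password. It is also not visible here whether `$APP_DIR/.private` exists at this point of the script; if it is created later, the redirect fails before the installer starts.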
@@ -246,23 +248,6 @@ while [ "$1" != "" ]; do
 shift
 done
 
-set_core_machinekey () {
- if [[ -f $APP_DIR/.private/machinekey ]] || [[ -n $CORE_MACHINEKEY ]]; then
- CORE_MACHINEKEY=${CORE_MACHINEKEY:-$(cat $APP_DIR/.private/machinekey)};
- else
- CORE_MACHINEKEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 12);
- if [ "$DIST" = "RedHat" ]; then
- echo $CORE_MACHINEKEY > $APP_DIR/.private/machinekey
- chmod o-rwx $APP_DIR/.private/machinekey
- fi
- fi
-
- save_undefined_param "${USER_CONF}" "core.machinekey" "${CORE_MACHINEKEY}"
- save_undefined_param "${USER_CONF}" "core['base-domain']" "${APP_HOST}" "rewrite"
- save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core.machinekey" "${CORE_MACHINEKEY}"
- save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core['base-domain']" "${APP_HOST}" "rewrite"
-}
-
 install_json() {
 if ! command -v json; then
 echo -n "Install json package... "
@@ -718,16 +703,7 @@ setup_dashboards() {
 echo -n "Configuring dashboards... "
 DASHBOARDS_CONF_PATH="/etc/opensearch-dashboards/opensearch_dashboards.yml"
-
- if [[ -n ${DASHBOARDS_PASSWORD} ]]; then
- echo "${DASHBOARDS_PASSWORD}" > ${APP_DIR}/.private/dashboards-password
- elif [[ -f ${APP_DIR}/.private/dashboards-password ]]; then
- DASHBOARDS_PASSWORD=$(cat ${APP_DIR}/.private/dashboards-password);
- else
- DASHBOARDS_PASSWORD=$(echo "$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 20)" | tee ${APP_DIR}/.private/dashboards-password)
- fi
-
- chmod o-rwx $APP_DIR/.private/dashboards-password
+ DASHBOARDS_PASSWORD=${DASHBOARDS_PASSWORD:-$(generate_key "dashboards-password" 20)}
 
 # configure login&pass for Dashboards, used by Nginx HTTP Basic Authentication
 echo "${DASHBOARDS_USERNAME:-"onlyoffice"}:$(openssl passwd -6 -stdin <<< "${DASHBOARDS_PASSWORD}")" > /etc/openresty/.htpasswd_dashboards
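Review bot: The `chmod o-rwx $APP_DIR/.private/dashboards-password` that used to follow the password handling in `setup_dashboards` is removed without a replacement in this function; whether the file ends up protected now depends on `generate_key`, whose body is only partly visible, or on the `chmod -R 600 $APP_DIR/.private` in the last hunk of this file, which runs only when opensearch is installed. Since this value is the Basic-Auth credential hashed into `.htpasswd_dashboards` on the next line, I would keep an explicit `chmod 600 "$APP_DIR/.private/dashboards-password"` right after the new assignment. The same gap applies to the machinekey and dashboards-password files written by the new `-mk` and `-dp` options earlier in this file. `setup_dashboards` continues beyond the hunk.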
@@ -806,6 +782,14 @@ setup_rabbitmq() {
 echo "OK"
 }
 
+generate_key() {
+ local FILE_NAME=$1
+ local KEY_LENGTH=${2:-12}
+ local KEY=${3:-$( [[ -f ${APP_DIR}/.private/$FILE_NAME ]] && cat ${APP_DIR}/.private/$FILE_NAME || tr -dc A-Za-z0-9 > "$APP_DIR/systemd.env" chmod o-rwx "$APP_DIR/systemd.env"
- set_core_machinekey
+ echo "SPRING_APPLICATION_SIGNATURE_SECRET=${SIGNATURE_SECRET:-$(generate_key "signature")}" >> "$APP_DIR/systemd.env"
+ echo "SPRING_APPLICATION_ENCRYPTION_SECRET=${ENCRYPTION_SECRET:-$(generate_key "encryption")}" >> "$APP_DIR/systemd.env"
+
+ CORE_MACHINEKEY=${CORE_MACHINEKEY:-$(generate_key "machinekey")}
+ save_undefined_param "${USER_CONF}" "core.machinekey" "${CORE_MACHINEKEY}"
+ save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core.machinekey" "${CORE_MACHINEKEY}"
+
+ save_undefined_param "${USER_CONF}" "core['base-domain']" "${APP_HOST}" "rewrite"
+ save_undefined_param "${APP_DIR}/apisystem.${ENVIRONMENT}.json" "core['base-domain']" "${APP_HOST}" "rewrite"
 echo "OK"
 }
@@ -918,5 +910,5 @@ if $PACKAGE_MANAGER opensearch >/dev/null 2>&1; then
 ELASTIC_VERSION=$(awk '/build:/{f=1} f&&/version:/{gsub(/"/,"",$2);print $2; exit}' /usr/share/opensearch/manifest.yml 2>/dev/null || echo "2.18.0")
 [[ ! -f "$APP_DIR/.private/opensearch-version" || $(cat "$APP_DIR/.private/opensearch-version") != *"$ELASTIC_VERSION"* ]] && $MYSQL "$DB_NAME" -e "TRUNCATE webstudio_index";
 echo "$ELASTIC_VERSION" > $APP_DIR/.private/opensearch-version
- chmod o-rwx $APP_DIR/.private/opensearch-version
+ chmod -R 600 $APP_DIR/.private
 fi
diff --git a/install/docker/.env b/install/docker/.env
index 9a658fcb6f0..1d491493106 100644
--- a/install/docker/.env
+++ b/install/docker/.env
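Review bot: `generate_key` defaults `KEY_LENGTH` to 12 (`local KEY_LENGTH=${2:-12}`) and both `SPRING_APPLICATION_SIGNATURE_SECRET` and `SPRING_APPLICATION_ENCRYPTION_SECRET` are produced with that default, whereas the dashboards password explicitly asks for 20; a signing or encryption secret should not be the shortest value the installer generates, so I would call `generate_key "signature" 32` and `generate_key "encryption" 32`, or raise the default. The text of this hunk between the `tr -dc A-Za-z0-9` in `generate_key` and the `> "$APP_DIR/systemd.env"` redirect was lost in extraction, so I cannot see where the generated value is stored or with which permissions; given that the removed `set_core_machinekey` did an explicit `chmod o-rwx` on the key file, that part deserves a look. The function that appends the two `SPRING_APPLICATION_*` lines to `systemd.env` starts outside the visible text.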
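Review bot: `chmod -R 600 $APP_DIR/.private` also applies mode 600 to the directory itself, which drops its execute bit so that nothing running as a non-root user can enter it, and it replaces the previous per-file `chmod o-rwx` with a step that only executes inside the `if $PACKAGE_MANAGER opensearch` branch, leaving the secrets in `.private` untouched on installs without opensearch. I would use `chmod 700 "$APP_DIR/.private"` for the directory and `find "$APP_DIR/.private" -type f -exec chmod 600 {} +` for the files, placed after the `fi` so it runs unconditionally. `$APP_DIR` is also unquoted on this line, unlike the `[[ -f "$APP_DIR/..." ]]` test two lines above.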
@@ -127,6 +127,8 @@ IDENTITY_AUTHORIZATION_SERVER_PORT=8080
 IDENTITY_API_CONTAINER_NAME=${CONTAINER_PREFIX}identity-api
 IDENTITY_API_SERVER_PORT=9090
+ IDENTITY_SIGNATURE_SECRET=your_secret_key
+ IDENTITY_ENCRYPTION_SECRET=your_secret_key
 # router upstream environment
 # SERVICE_API_SYSTEM=${API_SYSTEM_HOST}:${SERVICE_PORT}
diff --git a/install/docker/identity.yml b/install/docker/identity.yml
index f704e120d1b..1678fcff84b 100644
--- a/install/docker/identity.yml
+++ b/install/docker/identity.yml
@@ -6,6 +6,8 @@ x-healthcheck: &x-healthcheck
 x-common-environment: &x-common-environment
 SPRING_PROFILES_ACTIVE: ${IDENTITY_PROFILE}
+ SPRING_APPLICATION_SIGNATURE_SECRET: ${IDENTITY_SIGNATURE_SECRET}
+ SPRING_APPLICATION_ENCRYPTION_SECRET: ${IDENTITY_ENCRYPTION_SECRET}
 MYSQL_CONTAINER_NAME: ${MYSQL_CONTAINER_NAME}
 MYSQL_HOST: ${MYSQL_HOST}
 MYSQL_PORT: ${MYSQL_PORT}
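Review bot: `IDENTITY_SIGNATURE_SECRET=your_secret_key` and `IDENTITY_ENCRYPTION_SECRET=your_secret_key` ship a fixed, published value that `identity.yml` passes straight into the identity containers; anyone who brings the compose stack up without going through `install-Docker.sh` (which rewrites them via `reconfigure`) runs the service with a known signing and encryption secret. Leave them empty, `IDENTITY_SIGNATURE_SECRET=` and `IDENTITY_ENCRYPTION_SECRET=`, and let the compose file reject an unset value. The two added lines also appear to carry leading whitespace (the `+` marker is followed by a space, unlike the neighbouring context lines); if `reconfigure` anchors its match at the start of the line it would not rewrite them, so that is worth checking.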
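Review bot: `${IDENTITY_SIGNATURE_SECRET}` and `${IDENTITY_ENCRYPTION_SECRET}` expand to an empty string when the variable is missing from the environment and `.env`, so the identity containers would start with empty secrets and nothing more than a compose warning. The required-variable form, `SPRING_APPLICATION_SIGNATURE_SECRET: ${IDENTITY_SIGNATURE_SECRET:?IDENTITY_SIGNATURE_SECRET is not set}` and the same for the encryption secret, makes `docker compose up` refuse instead. The `x-common-environment` anchor continues beyond the hunk.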