From 43d7dd5a396b7eda3af6ec29b18a004c03ce7e47 Mon Sep 17 00:00:00 2001 From: Rensy Thomas Date: Mon, 27 Jan 2025 16:02:25 +0530 Subject: [PATCH] Add code to encode and decode os and pg passwords in case of fresh deployment Signed-off-by: Rensy Thomas --- .../automate-backend-deployment/README.md | 2 +- .../cmd/chef-automate/decode_password.go | 51 +++++++------------ .../cmd/chef-automate/decode_password_test.go | 20 ++++---- .../cmd/chef-automate/encode_password.go | 48 +++++++---------- .../cmd/chef-automate/encode_password_test.go | 8 +-- .../automate/templates/provision.sh.tpl | 4 +- 6 files changed, 55 insertions(+), 78 deletions(-) diff --git a/components/automate-backend-deployment/README.md b/components/automate-backend-deployment/README.md index ae169c36ac9..896e2a23777 100644 --- a/components/automate-backend-deployment/README.md +++ b/components/automate-backend-deployment/README.md @@ -4,4 +4,4 @@ This provides the `automate-backend-deployment` package. This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile. -This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package. +This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package. \ No newline at end of file diff --git a/components/automate-cli/cmd/chef-automate/decode_password.go b/components/automate-cli/cmd/chef-automate/decode_password.go index 06d1eccc92e..52aa08d2b57 100644 --- a/components/automate-cli/cmd/chef-automate/decode_password.go +++ b/components/automate-cli/cmd/chef-automate/decode_password.go 
@@ -12,41 +12,28 @@ import ( var decodePasswordCmdFlags = struct { config string - overwrite bool - updatedConfig string }{} -func newDecodePasswordCmd() *cobra.Command { - decodePasswordCmd := &cobra.Command{ - Use: "decodePassword [/path/to/config.toml]", - Short: "Decodes the password fields", - Long: "Decodes the password fields in the specified config.toml file", - RunE: runDecodePasswordCmd, - Args: cobra.ExactArgs(1), - Hidden: true, - Annotations: map[string]string{ - docs.Tag: docs.BastionHost, - }, - } - decodePasswordCmd.PersistentFlags().StringVarP( +func init() { + RootCmd.AddCommand(decodePasswordCmd) + decodePasswordCmd.PersistentFlags().StringVarP( &decodePasswordCmdFlags.config, "config", "c", "", "Config file that needs to be updated with decoded passwords") - - decodePasswordCmd.Flags().BoolVarP( - &encodePasswordCmdFlags.overwrite, - "overwrite", - "o", - false, - "Overwrite existing config file with the decoded password", - ) - return decodePasswordCmd } -func init() { - RootCmd.AddCommand(newDecodePasswordCmd()) +var decodePasswordCmd = &cobra.Command{ + Use: "decode-password [/path/to/config.toml]", + Short: "Decodes the password fields", + Long: "Decodes the password fields in the specified config.toml file", + RunE: runDecodePasswordCmd, + Args: cobra.ExactArgs(1), + Hidden: true, + Annotations: map[string]string{ + docs.Tag: docs.BastionHost, + }, } func runDecodePasswordCmd(cmd *cobra.Command, args []string) error { @@ -68,7 +55,7 @@ func runDecodePasswordCmd(cmd *cobra.Command, args []string) error { superUserPswd, decErr := base64.StdEncoding.DecodeString(superUserPassword) if decErr != nil { return decErr - } + } config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = string(superUserPswd) } } 
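Review bot: The `--config`/`-c` flag registered in `init()` in the first hunk of decode_password.go looks redundant, because `Args: cobra.ExactArgs(1)` already makes the config path a required positional argument and none of the lines of `runDecodePasswordCmd` visible in this patch read `decodePasswordCmdFlags.config`. If nothing outside these hunks uses it, drop the flag and the flags struct so the hidden command has a single way to name the file it rewrites; the first hunk of encode_password.go has the same pattern. With the `overwrite` option removed the file is apparently always rewritten in place, so the help text should say so, e.g. `Long: "Decodes the base64 password fields in the specified config.toml and rewrites the file in place with cleartext values"`. `runDecodePasswordCmd` begins at the end of this hunk and its body continues outside it.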
@@ -78,7 +65,7 @@ func runDecodePasswordCmd(cmd *cobra.Command, args []string) error { dbUserPswd, decErr := base64.StdEncoding.DecodeString(dbUserPassword) if decErr != nil { return decErr - } + } config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = string(dbUserPswd) } } @@ -89,14 +76,14 @@ func runDecodePasswordCmd(cmd *cobra.Command, args []string) error { userPswd, decErr := base64.StdEncoding.DecodeString(userPassword) if decErr != nil { return decErr - } + } config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = string(userPswd) } } _, err := fileutils.CreateTomlFileFromConfig(&config, configFile) - if err != nil { - return err - } + if err != nil { + return err + } } } diff --git a/components/automate-cli/cmd/chef-automate/decode_password_test.go b/components/automate-cli/cmd/chef-automate/decode_password_test.go index e765cffdbf9..be0a2d61d67 100644 --- a/components/automate-cli/cmd/chef-automate/decode_password_test.go +++ b/components/automate-cli/cmd/chef-automate/decode_password_test.go 
@@ -9,13 +9,13 @@ import ( "github.com/stretchr/testify/assert" ) - func TestRunDecodePasswordCmd(t *testing.T) { - runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) - tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") - configString := string(tomlbyte) - var config dc.AutomateConfig - toml.Decode(configString, &config) - assert.Equal(t, "admin", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value) - assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value) - assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value) - } \ No newline at end of file +func TestRunDecodePasswordCmd(t *testing.T) { + runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) + tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") + configString := string(tomlbyte) + var config dc.AutomateConfig + toml.Decode(configString, &config) + assert.Equal(t, "admin", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value) + assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value) + assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value) +} diff --git a/components/automate-cli/cmd/chef-automate/encode_password.go b/components/automate-cli/cmd/chef-automate/encode_password.go index a6302de9c40..dfc32129166 100644 --- a/components/automate-cli/cmd/chef-automate/encode_password.go +++ b/components/automate-cli/cmd/chef-automate/encode_password.go 
@@ -12,41 +12,29 @@ import ( var encodePasswordCmdFlags = struct { config string - overwrite bool - updatedConfig string }{} -func newEncodePasswordCmd() *cobra.Command { - encodePasswordCmd := &cobra.Command{ - Use: "encodePassword [/path/to/config.toml]", - Short: "Encodes the password fields", - Long: "Encodes the password fields in the specified config.toml file", - RunE: runEncodePasswordCmd, - Args: cobra.ExactArgs(1), - Hidden: true, - Annotations: map[string]string{ - docs.Tag: docs.BastionHost, - }, - } - encodePasswordCmd.PersistentFlags().StringVarP( +var encodePasswordCmd = &cobra.Command{ + Use: "encode-password [/path/to/config.toml]", + Short: "Encodes the password fields", + Long: "Encodes the password fields in the specified config.toml file", + RunE: runEncodePasswordCmd, + Args: cobra.ExactArgs(1), + Hidden: true, + Annotations: map[string]string{ + docs.Tag: docs.BastionHost, + }, +} + +func init() { + RootCmd.AddCommand(encodePasswordCmd) + encodePasswordCmd.PersistentFlags().StringVarP( &encodePasswordCmdFlags.config, "config", "c", "", "Config file that needs to be updated with encoded passwords") - encodePasswordCmd.Flags().BoolVarP( - &encodePasswordCmdFlags.overwrite, - "overwrite", - "o", - false, - "Overwrite existing config file with the encoded password", - ) - return encodePasswordCmd -} - -func init() { - RootCmd.AddCommand(newEncodePasswordCmd()) } func runEncodePasswordCmd(cmd *cobra.Command, args []string) error { @@ -85,9 +73,9 @@ func runEncodePasswordCmd(cmd *cobra.Command, args []string) error { } } _, err := fileutils.CreateTomlFileFromConfig(&config, configFile) - if err != nil { - return err - } + if err != nil { + return err + } } } diff --git a/components/automate-cli/cmd/chef-automate/encode_password_test.go b/components/automate-cli/cmd/chef-automate/encode_password_test.go index 31964654712..5bff8ea788f 100644 --- a/components/automate-cli/cmd/chef-automate/encode_password_test.go 
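Review bot: `encodePasswordCmd` carries no doc comment, and its `Short`/`Long` strings never say that the encoding is base64, which anyone who can read the file can reverse, so it gives the stored PostgreSQL and OpenSearch passwords no confidentiality. I would add a comment above the variable such as `// encodePasswordCmd base64-encodes the external PostgreSQL and OpenSearch password fields of a config.toml in place. Base64 is an encoding, not encryption: the file still needs restrictive permissions.` and repeat the caveat in `Long`. These hunks do not show what mode `fileutils.CreateTomlFileFromConfig` gives the rewritten file, so that is worth confirming. `runEncodePasswordCmd` begins at the end of the first hunk and continues outside it.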
+++ b/components/automate-cli/cmd/chef-automate/encode_password_test.go @@ -9,17 +9,19 @@ import ( "github.com/spf13/cobra" "github.com/stretchr/testify/assert" ) + const CONFIG_PATH = "../../pkg/testfiles/onprem" + var cmd = &cobra.Command{} func TestRunEncodePasswordCmd(t *testing.T) { runEncodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) - tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") + tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml") configString := string(tomlbyte) var config dc.AutomateConfig - toml.Decode(configString, &config) + toml.Decode(configString, &config) assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value) assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value) assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value) runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"}) -} \ No newline at end of file +} diff --git a/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl b/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl index 5de1366936b..21d1df792f2 100644 --- a/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl +++ b/terraform/a2ha-terraform/modules/automate/templates/provision.sh.tpl 
@@ -392,9 +392,9 @@ else # Skip checks for the hab user as we create and manage that separately. # Fixes issues when the hab user/group is setup via LDAP in nsswitch configs. export CHEF_AUTOMATE_SKIP_HAB_USER=true - chef-automate decodePassword /etc/chef-automate/config.toml + chef-automate decode-password /etc/chef-automate/config.toml chef-automate deploy /etc/chef-automate/config.toml $DEPLOY_BUNDLES --accept-terms-and-mlsa | grep --line-buffered -v "\┤\|\┘\|\└\|\┴\|\├\|\┌\|\┬\|\┴\|\┐" - chef-automate encodePassword /etc/chef-automate/config.toml + chef-automate encode-password /etc/chef-automate/config.toml fi create_bootstrap_bundle
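Review bot: Between the `decode-password` and `encode-password` calls /etc/chef-automate/config.toml holds cleartext passwords, and the re-encode only happens if execution reaches the last line of this branch. Whether a failing `chef-automate deploy` stops the script depends on shell options outside this hunk (the pipeline's status is grep's unless `pipefail` is set), so an aborted run can leave the decoded file behind. Consider arming `trap 'chef-automate encode-password /etc/chef-automate/config.toml' EXIT` once the decode has succeeded and clearing it with `trap - EXIT` after the explicit encode, provided the script has no other EXIT trap. The `else` branch these lines belong to opens outside the hunk.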