c80ffdef
Commit
c80ffdef
authored
Jan 22, 2024
by
Jérome Perrin
Expose hashed passwords in slapos.cookbook:generate.password
See merge request
nexedi/slapos!1506
parents
81a83ffe
e820c7d0
Changes
23
Showing
23 changed files
with
82 additions
and
57 deletions
+82
-57
component/apache/buildout.cfg
component/apache/buildout.cfg
+2
-2
component/rust/buildout.cfg
component/rust/buildout.cfg
+2
-2
software/dufs/buildout.hash.cfg
software/dufs/buildout.hash.cfg
+1
-1
software/dufs/instance.cfg.in
software/dufs/instance.cfg.in
+3
-2
software/dufs/software.cfg
software/dufs/software.cfg
+2
-2
software/dufs/test/test.py
software/dufs/test/test.py
+20
-0
software/erp5/test/test/test_erp5.py
software/erp5/test/test/test_erp5.py
+17
-0
software/restic-rest-server/buildout.hash.cfg
software/restic-rest-server/buildout.hash.cfg
+1
-1
software/restic-rest-server/instance.cfg.in
software/restic-rest-server/instance.cfg.in
+5
-13
software/restic-rest-server/software.cfg
software/restic-rest-server/software.cfg
+1
-2
software/seleniumserver/buildout.hash.cfg
software/seleniumserver/buildout.hash.cfg
+1
-1
software/seleniumserver/instance-selenium.cfg.in
software/seleniumserver/instance-selenium.cfg.in
+2
-2
software/slapos-master/buildout.hash.cfg
software/slapos-master/buildout.hash.cfg
+1
-1
software/slapos-master/instance-erp5.cfg.in
software/slapos-master/instance-erp5.cfg.in
+6
-5
software/theia/buildout.hash.cfg
software/theia/buildout.hash.cfg
+1
-1
software/theia/instance-theia.cfg.jinja.in
software/theia/instance-theia.cfg.jinja.in
+1
-1
stack/erp5/buildout.hash.cfg
stack/erp5/buildout.hash.cfg
+3
-3
stack/erp5/instance-erp5.cfg.in
stack/erp5/instance-erp5.cfg.in
+6
-5
stack/erp5/instance-zope.cfg.in
stack/erp5/instance-zope.cfg.in
+1
-1
stack/erp5/instance.cfg.in
stack/erp5/instance.cfg.in
+0
-2
stack/monitor/buildout.hash.cfg
stack/monitor/buildout.hash.cfg
+1
-1
stack/monitor/instance-monitor.cfg.jinja2.in
stack/monitor/instance-monitor.cfg.jinja2.in
+2
-8
stack/slapos.cfg
stack/slapos.cfg
+3
-1
component/apache/buildout.cfg
@@ -44,9 +44,9 @@ environment =
[apache]
recipe = slapos.recipe.cmmi
shared = true
version = 2.4.5
7
version = 2.4.5
8
url = https://archive.apache.org/dist/httpd/httpd-${:version}.tar.bz2
md5sum = 3
4575e92f91fb625f3842d6ca382caa5
md5sum = 3
0377ec4d7fb8361e1d1f2ab3158b467
configure-options = --disable-static
--enable-authn-alias
--enable-bucketeer
component/rust/buildout.cfg
@@ -9,8 +9,8 @@ parts = rustc
[rustc]
recipe = slapos.recipe.cmmi
shared = true
url = https://static.rust-lang.org/dist/rustc-1.
64
.0-src.tar.gz
md5sum =
948ecb62b82ed3543f03ebf598501796
url = https://static.rust-lang.org/dist/rustc-1.
75
.0-src.tar.gz
md5sum =
6420f7d4e0eb3f4f4963a2e2afdb301b
# --sysconfdir is a workaround for https://github.com/rust-lang/rust/issues/63915
configure-options =
--enable-extended
software/dufs/buildout.hash.cfg
@@ -15,4 +15,4 @@
[instance.cfg.in]
filename = instance.cfg.in
md5sum =
6edf5c64bf25dfd2e6e8a4e74c9b9812
md5sum =
f7a283e3288d3a9ddfd5de7e9b309273
software/dufs/instance.cfg.in
@@ -155,9 +155,10 @@ command-line =
--enable-cors
--bind ${:ip}
--port ${:port}
--render-try-index
--allow-all
--auth-method basic
--auth ${admin-password:user}:${admin-password:passwd}@/:rw
--auth ${admin-password:user}:${admin-password:passwd
-sha512-crypt
}@/:rw
--auth @/pub
--tls-cert ${dufs-certificate:cert-file}
--tls-key ${dufs-certificate:key-file}
@@ -210,7 +211,7 @@ init =
frontend_url = urlparse(self.options['frontend-url'])
admin_user = self.options['admin-user']
admin_password = self.options['admin-password']
self.options['public-url'] = frontend_url._replace(path='/pub').geturl()
self.options['public-url'] = frontend_url._replace(path='/pub
/
').geturl()
assert not frontend_url.username
self.options['upload-url'] = frontend_url._replace(
netloc=f'{admin_user}:{admin_password}@{frontend_url.netloc}').geturl()
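Review bot: The switch to `${admin-password:passwd-sha512-crypt}` in `--auth` only works if the dufs binary accepts a crypt-style hash in that position, which I take to be why software.cfg bumps dufs in the same commit; a comment above `command-line` recording that coupling (`# the hashed --auth form needs the dufs version pinned in software.cfg; older releases treat it as a literal password`) would stop a later downgrade from silently breaking authentication. The hash still travels in the process argv, which is a large improvement over the plaintext it replaces but remains readable by other local users for the life of the process. The `upload-url` connection parameter built a few lines below (`netloc=f'{admin_user}:{admin_password}@...'`) still publishes the plaintext password as before; that is outside this change but relevant when reading a test that scans for plaintext. The `init =` Python block continues outside the hunk.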
software/dufs/software.cfg
@@ -13,8 +13,8 @@ parts =
[dufs]
recipe = slapos.recipe.cmmi
shared = true
url = https://github.com/sigoden/dufs/archive/refs/tags/v0.3
4.1
.tar.gz
md5sum =
77cbb2523aca8dad90fd77ee0277704f
url = https://github.com/sigoden/dufs/archive/refs/tags/v0.3
9.0
.tar.gz
md5sum =
e0fca35530c043c5dff7fcbe415ed35d
configure-command = :
make-binary = cargo install --root=%(location)s --path . --locked
make-targets =
software/dufs/test/test.py
@@ -91,6 +91,26 @@ class TestFileServer(SlapOSInstanceTestCase):
self
.
assertNotIn
(
'secret'
,
resp
.
text
)
self
.
assertEqual
(
resp
.
status_code
,
requests
.
codes
.
ok
)
def
test_index
(
self
):
pub
=
pathlib
.
Path
(
self
.
computer_partition_root_path
)
/
'srv'
/
'www'
/
'pub'
(
pub
/
'with-index'
).
mkdir
()
(
pub
/
'with-index'
/
'index.html'
).
write_text
(
'<html>Hello !</html>'
)
self
.
assertEqual
(
requests
.
get
(
urllib
.
parse
.
urljoin
(
self
.
connection_parameters
[
'public-url'
],
'with-index/'
),
verify
=
self
.
ca_cert
,
).
text
,
'<html>Hello !</html>'
)
(
pub
/
'without-index'
).
mkdir
()
(
pub
/
'without-index'
/
'file.txt'
).
write_text
(
'Hello !'
)
self
.
assertIn
(
'file.txt'
,
requests
.
get
(
urllib
.
parse
.
urljoin
(
self
.
connection_parameters
[
'public-url'
],
'without-index/'
),
verify
=
self
.
ca_cert
,
).
text
)
def
test_upload_file_refused_without_auth
(
self
):
parsed_upload_url
=
urllib
.
parse
.
urlparse
(
self
.
connection_parameters
[
'upload-url'
])
# upload-url has username:password, remove it
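Review bot: `test_index` creates `with-index` and `without-index` with a bare `mkdir()`, which raises `FileExistsError` if the body is ever re-run against the same partition; `(pub / 'with-index').mkdir(exist_ok=True)` (and the same for `without-index`) keeps the test idempotent. Both requests check only `.text`; the neighbouring tests also assert `resp.status_code == requests.codes.ok`, so binding the response to a local and asserting the status code as well would keep the style consistent. The directories are never removed, so they stay visible to any later test that lists `public-url`; if that is intended, a one-line comment saying so would help. The enclosing `TestFileServer` class continues outside the hunk.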
software/erp5/test/test/test_erp5.py
@@ -32,6 +32,7 @@ import glob
import
http.client
import
json
import
os
import
pathlib
import
resource
import
shutil
import
socket
@@ -1100,6 +1101,22 @@ class TestNEO(ZopeSkinsMixin, CrontabMixin, ERP5InstanceTestCase):
'log'
,
f
))
class
TestPassword
(
ERP5InstanceTestCase
,
TestPublishedURLIsReachableMixin
):
__partition_reference__
=
'p'
def
test_no_plain_text_password_in_files
(
self
):
inituser_password
=
self
.
getRootPartitionConnectionParameterDict
()[
'inituser-password'
].
encode
()
self
.
assertFalse
(
[
f
for
f
in
pathlib
.
Path
(
self
.
slap
.
_instance_root
).
glob
(
'**/*'
)
if
f
.
is_file
()
and
inituser_password
in
f
.
read_bytes
()])
# the hashed password is present in some files
inituser_password_hashed
=
self
.
getRootPartitionConnectionParameterDict
()[
'inituser-password-hashed'
].
encode
()
self
.
assertTrue
(
[
f
for
f
in
pathlib
.
Path
(
self
.
slap
.
_instance_root
).
glob
(
'**/*'
)
if
f
.
is_file
()
and
inituser_password_hashed
in
f
.
read_bytes
()])
class
TestWithMaxRlimitNofileParameter
(
ERP5InstanceTestCase
,
TestPublishedURLIsReachableMixin
):
"""Test setting the with-max-rlimit-nofile parameter sets the open fd soft limit to the hard limit.
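Review bot: `test_no_plain_text_password_in_files` is a raw byte-substring scan, so it only proves the password is absent in its literal form; a URL-, JSON- or XML-escaped copy (connection URLs and published parameters are commonly escaped) would pass unnoticed, which deserves a comment on the first assertion such as `# raw-bytes match only: an escaped copy of the password would not be caught`. The comprehension calls `read_bytes()` on every regular file under the instance root, including database and log files, so peak memory follows the largest file; a generator with `any(...)` would be cheaper but loses the list of offending paths that makes the failure message useful, so the trade-off is worth a comment. `self.slap._instance_root` is a private attribute of the harness and a public accessor, if one exists, would be less brittle. The hunk opens inside a `TestNEO` method whose start is outside the hunk; the new `TestPassword` class is complete within it.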
software/restic-rest-server/buildout.hash.cfg
@@ -15,4 +15,4 @@
[instance.cfg.in]
filename = instance.cfg.in
md5sum =
361991f333119f22c8266dc8bde7bc57
md5sum =
b5c479ebb4cf2fd2f63623af88b95078
software/restic-rest-server/instance.cfg.in
@@ -147,23 +147,15 @@ recipe = slapos.cookbook:generate.password
user = backup
[rest-server-htpassword]
recipe = plone.recipe.command
command =
if [ ! -f '${:htpassword}' ] ; then
{{ htpasswd_bin }} \
-b \
-B \
-c ${:htpassword} \
${rest-server-password:user} \
${rest-server-password:passwd}
fi
htpassword = ${directory:rest-server-data-dir}/.htpasswd
stop-on-error = true
recipe = slapos.recipe.template
inline =
${rest-server-password:user}:${rest-server-password:passwd-bcrypt}
output = ${directory:rest-server-data-dir}/.htpasswd
[rest-server]
recipe = slapos.cookbook:wrapper
command-line =
{{ gowork_bin }}/rest-server
\
{{ gowork_bin }}/rest-server
--listen [${:ip}]:${:port}
--log ${directory:var-log}/${:_buildout_section_name_}-access.log
--path ${directory:rest-server-data-dir}
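Review bot: The new `[rest-server-htpassword]` section rewrites `.htpasswd` on every buildout run, whereas the command it replaces only created the file when absent; that is equivalent only if `passwd-bcrypt` is stable across runs (the salt persisted with the password), otherwise the file in the data directory churns on each update — worth confirming and recording in a comment. The old path let `htpasswd -c` create the file under the process umask, while `slapos.recipe.template` writes `output` with whatever default mode it applies; if the recipe supports a file-mode option, restricting the file to the owner keeps the hash away from other local users, and if not, a comment noting that the stored value is bcrypt rather than plaintext explains why that is tolerable. The `[rest-server]` wrapper section continues outside the hunk.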
software/restic-rest-server/software.cfg
@@ -25,7 +25,7 @@ install +=
<= go-git-package
go.importpath = github.com/restic/rest-server
repository = https://github.com/restic/rest-server
revision = v0.1
0.0-0-g9313f19
revision = v0.1
2.1-0-g4231ef6
[instance.cfg.in]
recipe = slapos.recipe.template:jinja2
@@ -35,7 +35,6 @@ context =
section buildout buildout
key gowork_bin gowork:bin
raw openssl_bin ${openssl:location}/bin/openssl
raw htpasswd_bin ${apache:location}/bin/htpasswd
raw dash_bin ${dash:location}/bin/dash
raw curl_bin ${curl:location}/bin/curl
key template_monitor monitor2-template:output
software/seleniumserver/buildout.hash.cfg
@@ -19,4 +19,4 @@ md5sum = 10e19df182c692b71ea552da183a0bcf
[template-selenium]
filename = instance-selenium.cfg.in
md5sum = 5a7abfff9f9d7898620f8c7fc1e6f488
\ No newline at end of file
md5sum = 7239845e758b2d10299699e061b0fc75
\ No newline at end of file
software/seleniumserver/instance-selenium.cfg.in
@@ -170,14 +170,14 @@ content =
use_backend admin if { path_beg $${selenium-server-frontend-configuration:path-admin} }
userlist hub
user $${selenium-server-selenium-password:username}
insecure-password $${selenium-server-selenium-password:passwd
}
user $${selenium-server-selenium-password:username}
password $${selenium-server-selenium-password:passwd-sha256-crypt
}
backend hub
acl auth_ok http_auth(hub)
http-request auth realm "Selenium Server" unless auth_ok
server hub $${selenium-server-hub-instance:hostname}:$${selenium-server-hub-instance:port}
userlist admin
user $${selenium-server-admin-password:username}
insecure-password $${selenium-server-admin-password:passwd
}
user $${selenium-server-admin-password:username}
password $${selenium-server-admin-password:passwd-sha256-crypt
}
backend admin
acl auth_ok http_auth(admin)
http-request auth realm "Grid Admin" unless auth_ok
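Review bot: Moving the `hub` and `admin` userlists from `insecure-password` to a crypt(3) `password` is the right direction, but to my knowledge haproxy verifies a hashed userlist entry on every request that carries credentials and does not cache the result, so the sha256-crypt rounds now cost CPU per authenticated request on both backends; a comment next to the first userlist (`# hashed password: haproxy runs crypt(3) per request, acceptable for this low-traffic endpoint`) records that the cost was considered so the change is not reverted for the wrong reason. The same change is made in software/theia/instance-theia.cfg.jinja.in and deserves the same comment. The `content =` block continues outside the hunk.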
software/slapos-master/buildout.hash.cfg
@@ -14,7 +14,7 @@
# not need these here).
[template-erp5]
filename = instance-erp5.cfg.in
md5sum =
1fbfca2d64a9824054f7a3281e71efdc
md5sum =
ba46a66da1c834df14a80a20b21e4a96
[template-balancer]
filename = instance-balancer.cfg.in
software/slapos-master/instance-erp5.cfg.in
@@ -247,7 +247,7 @@ config-id-store-interval = {{ dumps(slapparameter_dict.get('id-store-interval'))
config-zope-longrequest-logger-error-threshold = {{ dumps(monitor_dict.get('zope-longrequest-logger-error-threshold', 20)) }}
config-zope-longrequest-logger-maximum-delay = {{ dumps(monitor_dict.get('zope-longrequest-logger-maximum-delay', 0)) }}
config-inituser-login = {{ dumps(inituser_login) }}
config-inituser-password
= ${publish-early:inituser-passwor
d}
config-inituser-password
-hashed = ${publish-early:inituser-password-hashe
d}
config-kumofs-url = ${request-memcached-persistent:connection-url}
config-memcached-url = ${request-memcached-volatile:connection-url}
config-monitor-passwd = ${monitor-htpasswd:passwd}
@@ -515,6 +515,7 @@ hosts-dict = {{ '${' ~ zope_address_list_id_dict.keys()[0] ~ ':connection-hosts-
recipe = slapos.cookbook:publish-early
-init =
inituser-password gen-password:passwd
inituser-password-hashed gen-password:passwd-ldap-salted-sha1
deadlock-debugger-password gen-deadlock-debugger-password:passwd
{%- if has_posftix %}
smtpd-sasl-password gen-smtpd-sasl-password:passwd
@@ -532,10 +533,6 @@ recipe = slapos.cookbook:publish-early
neo-cluster = {{ dumps(neo[0]) }}
{%- endif %}
{%- endif %}
{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
{%- if inituser_password %}
inituser-password = {{ dumps(inituser_password) }}
{%- endif %}
{%- set deadlock_debugger_password = slapparameter_dict.get('deadlock-debugger-password') -%}
{%- if deadlock_debugger_password %}
deadlock-debugger-password = {{ dumps(deadlock_debugger_password) }}
@@ -552,6 +549,10 @@ recipe =
[gen-password]
recipe = slapos.cookbook:generate.password
storage-path =
{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
{%- if inituser_password %}
passwd = {{ dumps(inituser_password) }}
{%- endif %}
[gen-deadlock-debugger-password]
<= gen-password
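Review bot: The published `inituser-password-hashed` uses `passwd-ldap-salted-sha1`, a fast SHA-1 based scheme; I assume that is dictated by what Zope's `inituser` file accepts, and a comment on the `-init` line (`# ldap-salted-sha1 is the format Zope's inituser file understands; not a general-purpose password hash`) would keep it from being read as the project's preferred hash. As I understand `publish-early`, the value is fixed on first publication, so the hash stays stable even if the salt would otherwise be regenerated — presumably why it is published here rather than recomputed in the zope partition, and that reasoning is worth a line too. Routing the user-supplied `inituser-password` through `[gen-password] passwd` instead of a publish-early override is what makes the hash follow the supplied value, which looks correct. The same four hunks appear in stack/erp5/instance-erp5.cfg.in and the comments apply there as well.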
software/theia/buildout.hash.cfg
@@ -15,7 +15,7 @@
[instance-theia]
_update_hash_filename_ = instance-theia.cfg.jinja.in
md5sum =
43b3435b3bc08db42335c03b5b8fe46
5
md5sum =
07b222d8c29d446fc0957e4e3770658
5
[instance]
_update_hash_filename_ = instance.cfg.in
software/theia/instance-theia.cfg.jinja.in
@@ -255,7 +255,7 @@ context =
key content :content
content =
userlist basic-auth-list
user $${frontend-instance-password:username}
insecure-password $${frontend-instance-password:passwd
}
user $${frontend-instance-password:username}
password $${frontend-instance-password:passwd-sha256-crypt
}
frontend app
log global
stack/erp5/buildout.hash.cfg
@@ -70,11 +70,11 @@ md5sum = b95084ae9eed95a68eada45e28ef0c04
[template]
filename = instance.cfg.in
md5sum = 5
5232eae0bcdb68a7cb2598d2ba9d60c
md5sum = 5
e0e9565227fe190c420a7bbcd0f7b93
[template-erp5]
filename = instance-erp5.cfg.in
md5sum =
359bab24aec7772adb5d822c1389b1bd
md5sum =
2b91528d3a77a64714e4295a84c1d71b
[template-zeo]
filename = instance-zeo.cfg.in
@@ -86,7 +86,7 @@ md5sum = 0ac4b74436f554cd677f19275d18d880
[template-zope]
filename = instance-zope.cfg.in
md5sum =
2439b90d6f707f47050fc9074fa4d810
md5sum =
41709f47e5a9051ca4a9c943859f589b
[template-balancer]
filename = instance-balancer.cfg.in
stack/erp5/instance-erp5.cfg.in
@@ -254,7 +254,7 @@ config-id-store-interval = {{ dumps(slapparameter_dict.get('id-store-interval'))
config-zope-longrequest-logger-error-threshold = {{ dumps(monitor_dict.get('zope-longrequest-logger-error-threshold', 20)) }}
config-zope-longrequest-logger-maximum-delay = {{ dumps(monitor_dict.get('zope-longrequest-logger-maximum-delay', 0)) }}
config-inituser-login = {{ dumps(inituser_login) }}
config-inituser-password
= ${publish-early:inituser-passwor
d}
config-inituser-password
-hashed = ${publish-early:inituser-password-hashe
d}
config-kumofs-url = ${request-memcached-persistent:connection-url}
config-memcached-url = ${request-memcached-volatile:connection-url}
config-monitor-passwd = ${monitor-htpasswd:passwd}
@@ -515,6 +515,7 @@ hosts-dict = {{ '${' ~ next(iter(zope_address_list_id_dict)) ~ ':connection-host
recipe = slapos.cookbook:publish-early
-init =
inituser-password gen-password:passwd
inituser-password-hashed gen-password:passwd-ldap-salted-sha1
deadlock-debugger-password gen-deadlock-debugger-password:passwd
{%- if has_posftix %}
smtpd-sasl-password gen-smtpd-sasl-password:passwd
@@ -532,10 +533,6 @@ recipe = slapos.cookbook:publish-early
neo-cluster = {{ dumps(neo[0]) }}
{%- endif %}
{%- endif %}
{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
{%- if inituser_password %}
inituser-password = {{ dumps(inituser_password) }}
{%- endif %}
{%- set deadlock_debugger_password = slapparameter_dict.get('deadlock-debugger-password') -%}
{%- if deadlock_debugger_password %}
deadlock-debugger-password = {{ dumps(deadlock_debugger_password) }}
@@ -552,6 +549,10 @@ recipe =
[gen-password]
recipe = slapos.cookbook:generate.password
storage-path =
{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
{%- if inituser_password %}
passwd = {{ dumps(inituser_password) }}
{%- endif %}
[gen-deadlock-debugger-password]
<= gen-password
stack/erp5/instance-zope.cfg.in
@@ -252,7 +252,7 @@ file-list = {{ parameter_dict['site-zcml'] }}
[{{ section('zope-inituser') }}]
< = jinja2-template-base
output = ${directory:instance}/inituser
inline = {{ slapparameter_dict['inituser-login'] }}:{
SHA}{{ base64.b64encode(hashlib.sha1(slapparameter_dict['inituser-password'].encode('utf-8')).digest())
}}
inline = {{ slapparameter_dict['inituser-login'] }}:{
{ slapparameter_dict['inituser-password-hashed']
}}
once = ${:output}_done
[zope-conf-parameter-base]
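Review bot: `slapparameter_dict['inituser-password-hashed']` is a hard lookup, so a zope partition rendered by a root partition that does not yet send `config-inituser-password-hashed` fails with a `KeyError` rather than silently writing an empty `inituser`; that is the safer failure, but a short comment stating that the parameter is mandatory (`{# inituser-password-hashed is required: the root partition publishes it via publish-early #}`) would make the traceback less surprising during a mixed-version upgrade. Because of `once = ${:output}_done`, existing partitions keep the previously written unsalted `{SHA}` file; whether that matters depends on whether Zope removes `inituser` after creating the user, which I cannot tell from here. The `zope-inituser` section is complete within the hunk.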
stack/erp5/instance.cfg.in
@@ -143,9 +143,7 @@ extra-context =
key buildout_directory buildout:directory
key root_common context:root-common
section parameter_dict dynamic-template-zope-parameters
import base64 base64
import urllib_parse six.moves.urllib.parse
import hashlib hashlib
import itertools itertools
import json json
import-list =
stack/monitor/buildout.hash.cfg
@@ -14,7 +14,7 @@
# not need these here).
[monitor2-template]
filename = instance-monitor.cfg.jinja2.in
md5sum =
3850140a4e61349cc64fa924ce410803
md5sum =
24c7f5527d994e231b4c2bf9fecb68a6
[monitor-httpd-conf]
_update_hash_filename_ = templates/monitor-httpd.conf.in
stack/monitor/instance-monitor.cfg.jinja2.in
@@ -112,7 +112,6 @@ parameter-list =
htpasswd monitor-password ${httpd-monitor-htpasswd:password-file} ${monitor-instance-parameter:username} ${httpd-monitor-htpasswd:htpasswd-path}
file min-free-disk-MB ${promise-check-free-disk-space:config-threshold-file}
${monitor-instance-parameter:instance-configuration}
# htpasswd entry: htpasswd key password-file username htpasswd-file
promise-output-file = ${directory:monitor}/monitor-bootstrap-status
@@ -157,14 +156,11 @@ storage-path = ${directory:etc}/.monitor_pwd
[httpd-monitor-htpasswd]
recipe = plone.recipe.command
stop-on-error = true
password-file = ${
directory:etc}/.monitor_pw
d
password-file = ${
monitor-directory:etc}/.monitor-passwor
d
htpasswd-path = ${monitor-directory:etc}/monitor-htpasswd
command =
echo "${monitor-instance-parameter:password}" >${:password-file}
[ -s "${:htpasswd-path}" ] ||
{{ apache_location }}/bin/htpasswd -ci ${:htpasswd-path} "${monitor-instance-parameter:username}" <${:password-file}
update-command =
[ -s "${:password-file}" ] || ${:command}
{{ apache_location }}/bin/htpasswd -cib ${:htpasswd-path} "${monitor-instance-parameter:username}" "${monitor-instance-parameter:password}"
[monitor-symlink]
recipe = cns.recipe.symlink
@@ -343,8 +339,6 @@ collector-db = /srv/slapgrid/var/data-log/collector.db
# Credentials
password = ${monitor-htpasswd:passwd}
username = admin
# XXX: type key value
# ex raw monitor-password resqdsdsd34
instance-configuration =
configuration-file-path = ${monitor-directory:etc}/monitor_knowledge0.cfg
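Review bot: Reading the second hunk as old-then-new, the replacement `htpasswd -cib ... "${monitor-instance-parameter:password}"` passes the plaintext password as a command-line argument, so it is visible to other local users in the process list while htpasswd runs, whereas the previous `-i` form read it from a file; `printf '%s' "${monitor-instance-parameter:password}" | {{ apache_location }}/bin/htpasswd -ci ${:htpasswd-path} "${monitor-instance-parameter:username}"` avoids both the argv exposure and the plaintext file. Since this commit adds `passwd-bcrypt` to generate.password and the restic-rest-server section now writes `user:${...:passwd-bcrypt}` through slapos.recipe.template, the same approach here (`${monitor-instance-parameter:username}:${monitor-htpasswd:passwd-bcrypt}`) would remove the htpasswd call from the monitor stack altogether. `password-file` is still defined after the change; if the removed parameter-list line in the first hunk was its last reader, the option can go too. The `[httpd-monitor-htpasswd]` section is complete within the hunk.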
stack/slapos.cfg
@@ -20,6 +20,7 @@ allow-picked-versions = false
# Use shacache and lxml
extends =
../component/defaults.cfg
../component/bcrypt/buildout.cfg
../component/git/buildout.cfg
../component/lxml-python/buildout.cfg
../component/python-backports-lzma/buildout.cfg
@@ -102,6 +103,7 @@ eggs =
${python-PyYAML:egg}
${python-cryptography:egg}
${pyrsistent:egg}
${bcrypt:egg}
# slapos.toolbox containing utilities
[slapos-toolbox]
@@ -302,7 +304,7 @@ sgmllib3k = 1.0.0
simplegeneric = 0.8.1
singledispatch = 3.4.0.3
six = 1.16.0
slapos.cookbook = 1.0.3
29
slapos.cookbook = 1.0.3
51
slapos.core = 1.11.0
slapos.extension.shared = 1.0
slapos.libnetworkcache = 0.25