Expose hashed passwords in slapos.cookbook:generate.password

See merge request nexedi/slapos!1506

Expose hashed passwords in slapos.cookbook:generate.password
See merge request nexedi/slapos!1506
c80ffdef · Jérome Perrin · 81a83ffe · e820c7d0 · c80ffdef · c80ffdef
Commit c80ffdef authored Jan 22, 2024 by Jérome Perrin
23 changed files
--- a/component/apache/buildout.cfg
+++ b/component/apache/buildout.cfg
@@ -44,9 +44,9 @@ environment =
 [apache]
 recipe = slapos.recipe.cmmi
 shared = true
-version = 2.4.57
+version = 2.4.58
 url = https://archive.apache.org/dist/httpd/httpd-${:version}.tar.bz2
-md5sum = 34575e92f91fb625f3842d6ca382caa5
+md5sum = 30377ec4d7fb8361e1d1f2ab3158b467
 configure-options = --disable-static
                    --enable-authn-alias
                    --enable-bucketeer

--- a/component/rust/buildout.cfg
+++ b/component/rust/buildout.cfg
@@ -9,8 +9,8 @@ parts = rustc
 [rustc]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://static.rust-lang.org/dist/rustc-1.64.0-src.tar.gz
+url = https://static.rust-lang.org/dist/rustc-1.75.0-src.tar.gz
-md5sum = 948ecb62b82ed3543f03ebf598501796
+md5sum = 6420f7d4e0eb3f4f4963a2e2afdb301b
 # --sysconfdir is a workaround for https://github.com/rust-lang/rust/issues/63915
 configure-options =
    --enable-extended

--- a/software/dufs/buildout.hash.cfg
+++ b/software/dufs/buildout.hash.cfg
@@ -15,4 +15,4 @@
 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 6edf5c64bf25dfd2e6e8a4e74c9b9812
+md5sum = f7a283e3288d3a9ddfd5de7e9b309273
--- a/software/dufs/instance.cfg.in
+++ b/software/dufs/instance.cfg.in
@@ -155,9 +155,10 @@ command-line =
    --enable-cors
    --bind ${:ip}
    --port ${:port}
+    --render-try-index
    --allow-all
    --auth-method basic
-    --auth ${admin-password:user}:${admin-password:passwd}@/:rw
+    --auth ${admin-password:user}:${admin-password:passwd-sha512-crypt}@/:rw
    --auth @/pub
    --tls-cert ${dufs-certificate:cert-file}
    --tls-key ${dufs-certificate:key-file}
@@ -210,7 +211,7 @@ init =
  frontend_url = urlparse(self.options['frontend-url'])
  admin_user = self.options['admin-user']
  admin_password = self.options['admin-password']
-  self.options['public-url'] = frontend_url._replace(path='/pub').geturl()
+  self.options['public-url'] = frontend_url._replace(path='/pub/').geturl()
  assert not frontend_url.username
  self.options['upload-url'] = frontend_url._replace(
    netloc=f'{admin_user}:{admin_password}@{frontend_url.netloc}').geturl()

--- a/software/dufs/software.cfg
+++ b/software/dufs/software.cfg
@@ -13,8 +13,8 @@ parts =
 [dufs]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://github.com/sigoden/dufs/archive/refs/tags/v0.34.1.tar.gz
+url = https://github.com/sigoden/dufs/archive/refs/tags/v0.39.0.tar.gz
-md5sum = 77cbb2523aca8dad90fd77ee0277704f
+md5sum = e0fca35530c043c5dff7fcbe415ed35d
 configure-command = :
 make-binary = cargo install --root=%(location)s --path . --locked
 make-targets =

--- a/software/dufs/test/test.py
+++ b/software/dufs/test/test.py
@@ -91,6 +91,26 @@ class TestFileServer(SlapOSInstanceTestCase):
      self.assertNotIn('secret', resp.text)
      self.assertEqual(resp.status_code, requests.codes.ok)
+  def test_index(self):
+    pub = pathlib.Path(self.computer_partition_root_path) / 'srv' / 'www' / 'pub'
+    (pub / 'with-index').mkdir()
+    (pub / 'with-index' / 'index.html').write_text('<html>Hello !</html>')
+    self.assertEqual(
+      requests.get(
+        urllib.parse.urljoin(self.connection_parameters['public-url'], 'with-index/'),
+        verify=self.ca_cert,
+      ).text,
+      '<html>Hello !</html>')
+    (pub / 'without-index').mkdir()
+    (pub / 'without-index' / 'file.txt').write_text('Hello !')
+    self.assertIn(
+      'file.txt',
+      requests.get(
+        urllib.parse.urljoin(self.connection_parameters['public-url'], 'without-index/'),
+        verify=self.ca_cert,
+      ).text)
  def test_upload_file_refused_without_auth(self):
    parsed_upload_url = urllib.parse.urlparse(self.connection_parameters['upload-url'])
    # upload-url has username:password, remove it

--- a/software/erp5/test/test/test_erp5.py
+++ b/software/erp5/test/test/test_erp5.py
@@ -32,6 +32,7 @@ import glob
 import http.client
 import json
 import os
+import pathlib
 import resource
 import shutil
 import socket
@@ -1100,6 +1101,22 @@ class TestNEO(ZopeSkinsMixin, CrontabMixin, ERP5InstanceTestCase):
          'log',
          f))
+class TestPassword(ERP5InstanceTestCase, TestPublishedURLIsReachableMixin):
+  __partition_reference__ = 'p'
+  def test_no_plain_text_password_in_files(self):
+    inituser_password = self.getRootPartitionConnectionParameterDict()[
+      'inituser-password'].encode()
+    self.assertFalse(
+      [f for f in pathlib.Path(self.slap._instance_root).glob('**/*')
+        if f.is_file() and inituser_password in f.read_bytes()])
+    # the hashed password is present in some files
+    inituser_password_hashed = self.getRootPartitionConnectionParameterDict()[
+      'inituser-password-hashed'].encode()
+    self.assertTrue(
+      [f for f in pathlib.Path(self.slap._instance_root).glob('**/*')
+        if f.is_file() and inituser_password_hashed in f.read_bytes()])
 class TestWithMaxRlimitNofileParameter(ERP5InstanceTestCase, TestPublishedURLIsReachableMixin):
  """Test setting the with-max-rlimit-nofile parameter sets the open fd soft limit to the hard limit.

--- a/software/restic-rest-server/buildout.hash.cfg
+++ b/software/restic-rest-server/buildout.hash.cfg
@@ -15,4 +15,4 @@
 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 361991f333119f22c8266dc8bde7bc57
+md5sum = b5c479ebb4cf2fd2f63623af88b95078
--- a/software/restic-rest-server/instance.cfg.in
+++ b/software/restic-rest-server/instance.cfg.in
@@ -147,23 +147,15 @@ recipe = slapos.cookbook:generate.password
 user = backup
 [rest-server-htpassword]
-recipe = plone.recipe.command
+recipe = slapos.recipe.template
-command =
+inline =
-  if [ ! -f '${:htpassword}' ] ; then
+  ${rest-server-password:user}:${rest-server-password:passwd-bcrypt}
-    {{ htpasswd_bin }} \
+output = ${directory:rest-server-data-dir}/.htpasswd
-      -b \
-      -B \
-      -c ${:htpassword} \
-      ${rest-server-password:user} \
-      ${rest-server-password:passwd}
-  fi
-htpassword = ${directory:rest-server-data-dir}/.htpasswd
-stop-on-error = true
 [rest-server]
 recipe = slapos.cookbook:wrapper
 command-line =
-  {{ gowork_bin }}/rest-server \
+  {{ gowork_bin }}/rest-server
    --listen [${:ip}]:${:port}
    --log ${directory:var-log}/${:_buildout_section_name_}-access.log
    --path ${directory:rest-server-data-dir}

--- a/software/restic-rest-server/software.cfg
+++ b/software/restic-rest-server/software.cfg
@@ -25,7 +25,7 @@ install +=
 <= go-git-package
 go.importpath = github.com/restic/rest-server
 repository =  https://github.com/restic/rest-server
-revision = v0.10.0-0-g9313f19
+revision = v0.12.1-0-g4231ef6
 [instance.cfg.in]
 recipe = slapos.recipe.template:jinja2
@@ -35,7 +35,6 @@ context =
  section buildout buildout
  key gowork_bin gowork:bin
  raw openssl_bin ${openssl:location}/bin/openssl
-  raw htpasswd_bin ${apache:location}/bin/htpasswd
  raw dash_bin ${dash:location}/bin/dash
  raw curl_bin ${curl:location}/bin/curl
  key template_monitor monitor2-template:output

--- a/software/seleniumserver/buildout.hash.cfg
+++ b/software/seleniumserver/buildout.hash.cfg
@@ -19,4 +19,4 @@ md5sum = 10e19df182c692b71ea552da183a0bcf
 [template-selenium]
 filename = instance-selenium.cfg.in
-md5sum = 5a7abfff9f9d7898620f8c7fc1e6f488
+md5sum = 7239845e758b2d10299699e061b0fc75
\ No newline at end of file
--- a/software/seleniumserver/instance-selenium.cfg.in
+++ b/software/seleniumserver/instance-selenium.cfg.in
@@ -170,14 +170,14 @@ content =
    use_backend admin if { path_beg $${selenium-server-frontend-configuration:path-admin} }
  userlist hub
-    user $${selenium-server-selenium-password:username} insecure-password $${selenium-server-selenium-password:passwd}
+    user $${selenium-server-selenium-password:username} password $${selenium-server-selenium-password:passwd-sha256-crypt}
  backend hub
    acl auth_ok http_auth(hub)
    http-request auth realm "Selenium Server" unless auth_ok
    server hub $${selenium-server-hub-instance:hostname}:$${selenium-server-hub-instance:port}
  userlist admin
-    user $${selenium-server-admin-password:username} insecure-password $${selenium-server-admin-password:passwd}
+    user $${selenium-server-admin-password:username} password $${selenium-server-admin-password:passwd-sha256-crypt}
  backend admin
    acl auth_ok http_auth(admin)
    http-request auth realm "Grid Admin" unless auth_ok

--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 1fbfca2d64a9824054f7a3281e71efdc
+md5sum = ba46a66da1c834df14a80a20b21e4a96
 [template-balancer]
 filename = instance-balancer.cfg.in

--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
@@ -247,7 +247,7 @@ config-id-store-interval = {{ dumps(slapparameter_dict.get('id-store-interval'))
 config-zope-longrequest-logger-error-threshold = {{ dumps(monitor_dict.get('zope-longrequest-logger-error-threshold', 20)) }}
 config-zope-longrequest-logger-maximum-delay = {{ dumps(monitor_dict.get('zope-longrequest-logger-maximum-delay', 0)) }}
 config-inituser-login = {{ dumps(inituser_login) }}
-config-inituser-password = ${publish-early:inituser-password}
+config-inituser-password-hashed = ${publish-early:inituser-password-hashed}
 config-kumofs-url = ${request-memcached-persistent:connection-url}
 config-memcached-url = ${request-memcached-volatile:connection-url}
 config-monitor-passwd = ${monitor-htpasswd:passwd}
@@ -515,6 +515,7 @@ hosts-dict = {{ '${' ~ zope_address_list_id_dict.keys()[0] ~ ':connection-hosts-
 recipe = slapos.cookbook:publish-early
 -init =
  inituser-password gen-password:passwd
+  inituser-password-hashed gen-password:passwd-ldap-salted-sha1
  deadlock-debugger-password gen-deadlock-debugger-password:passwd
 {%- if has_posftix %}
  smtpd-sasl-password gen-smtpd-sasl-password:passwd
@@ -532,10 +533,6 @@ recipe = slapos.cookbook:publish-early
 neo-cluster = {{ dumps(neo[0]) }}
 {%-  endif %}
 {%- endif %}
-{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
-{%- if inituser_password %}
-inituser-password = {{ dumps(inituser_password) }}
-{%- endif %}
 {%- set deadlock_debugger_password = slapparameter_dict.get('deadlock-debugger-password') -%}
 {%- if deadlock_debugger_password %}
 deadlock-debugger-password = {{ dumps(deadlock_debugger_password) }}
@@ -552,6 +549,10 @@ recipe =
 [gen-password]
 recipe = slapos.cookbook:generate.password
 storage-path =
+{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
+{%- if inituser_password %}
+passwd = {{ dumps(inituser_password) }}
+{%- endif %}
 [gen-deadlock-debugger-password]
 <= gen-password

--- a/software/theia/buildout.hash.cfg
+++ b/software/theia/buildout.hash.cfg
@@ -15,7 +15,7 @@
 [instance-theia]
 _update_hash_filename_ = instance-theia.cfg.jinja.in
-md5sum = 43b3435b3bc08db42335c03b5b8fe465
+md5sum = 07b222d8c29d446fc0957e4e37706585
 [instance]
 _update_hash_filename_ = instance.cfg.in

--- a/software/theia/instance-theia.cfg.jinja.in
+++ b/software/theia/instance-theia.cfg.jinja.in
@@ -255,7 +255,7 @@ context =
  key content :content
 content =
  userlist basic-auth-list
-    user $${frontend-instance-password:username} insecure-password $${frontend-instance-password:passwd}
+    user $${frontend-instance-password:username} password $${frontend-instance-password:passwd-sha256-crypt}
  frontend app
    log global

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -70,11 +70,11 @@ md5sum = b95084ae9eed95a68eada45e28ef0c04
 [template]
 filename = instance.cfg.in
-md5sum = 55232eae0bcdb68a7cb2598d2ba9d60c
+md5sum = 5e0e9565227fe190c420a7bbcd0f7b93
 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 359bab24aec7772adb5d822c1389b1bd
+md5sum = 2b91528d3a77a64714e4295a84c1d71b
 [template-zeo]
 filename = instance-zeo.cfg.in
@@ -86,7 +86,7 @@ md5sum = 0ac4b74436f554cd677f19275d18d880
 [template-zope]
 filename = instance-zope.cfg.in
-md5sum = 2439b90d6f707f47050fc9074fa4d810
+md5sum = 41709f47e5a9051ca4a9c943859f589b
 [template-balancer]
 filename = instance-balancer.cfg.in

--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -254,7 +254,7 @@ config-id-store-interval = {{ dumps(slapparameter_dict.get('id-store-interval'))
 config-zope-longrequest-logger-error-threshold = {{ dumps(monitor_dict.get('zope-longrequest-logger-error-threshold', 20)) }}
 config-zope-longrequest-logger-maximum-delay = {{ dumps(monitor_dict.get('zope-longrequest-logger-maximum-delay', 0)) }}
 config-inituser-login = {{ dumps(inituser_login) }}
-config-inituser-password = ${publish-early:inituser-password}
+config-inituser-password-hashed = ${publish-early:inituser-password-hashed}
 config-kumofs-url = ${request-memcached-persistent:connection-url}
 config-memcached-url = ${request-memcached-volatile:connection-url}
 config-monitor-passwd = ${monitor-htpasswd:passwd}
@@ -515,6 +515,7 @@ hosts-dict = {{ '${' ~ next(iter(zope_address_list_id_dict)) ~ ':connection-host
 recipe = slapos.cookbook:publish-early
 -init =
  inituser-password gen-password:passwd
+  inituser-password-hashed gen-password:passwd-ldap-salted-sha1
  deadlock-debugger-password gen-deadlock-debugger-password:passwd
 {%- if has_posftix %}
  smtpd-sasl-password gen-smtpd-sasl-password:passwd
@@ -532,10 +533,6 @@ recipe = slapos.cookbook:publish-early
 neo-cluster = {{ dumps(neo[0]) }}
 {%-  endif %}
 {%- endif %}
-{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
-{%- if inituser_password %}
-inituser-password = {{ dumps(inituser_password) }}
-{%- endif %}
 {%- set deadlock_debugger_password = slapparameter_dict.get('deadlock-debugger-password') -%}
 {%- if deadlock_debugger_password %}
 deadlock-debugger-password = {{ dumps(deadlock_debugger_password) }}
@@ -552,6 +549,10 @@ recipe =
 [gen-password]
 recipe = slapos.cookbook:generate.password
 storage-path =
+{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
+{%- if inituser_password %}
+passwd = {{ dumps(inituser_password) }}
+{%- endif %}
 [gen-deadlock-debugger-password]
 <= gen-password

--- a/stack/erp5/instance-zope.cfg.in
+++ b/stack/erp5/instance-zope.cfg.in
@@ -252,7 +252,7 @@ file-list = {{ parameter_dict['site-zcml'] }}
 [{{ section('zope-inituser') }}]
 < = jinja2-template-base
 output = ${directory:instance}/inituser
-inline = {{ slapparameter_dict['inituser-login'] }}:{SHA}{{ base64.b64encode(hashlib.sha1(slapparameter_dict['inituser-password'].encode('utf-8')).digest()) }}
+inline = {{ slapparameter_dict['inituser-login'] }}:{{ slapparameter_dict['inituser-password-hashed'] }}
 once = ${:output}_done
 [zope-conf-parameter-base]

--- a/stack/erp5/instance.cfg.in
+++ b/stack/erp5/instance.cfg.in
@@ -143,9 +143,7 @@ extra-context =
    key buildout_directory buildout:directory
    key root_common context:root-common
    section parameter_dict dynamic-template-zope-parameters
-    import base64 base64
    import urllib_parse six.moves.urllib.parse
-    import hashlib hashlib
    import itertools itertools
    import json json
 import-list =

--- a/stack/monitor/buildout.hash.cfg
+++ b/stack/monitor/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [monitor2-template]
 filename = instance-monitor.cfg.jinja2.in
-md5sum = 3850140a4e61349cc64fa924ce410803
+md5sum = 24c7f5527d994e231b4c2bf9fecb68a6
 [monitor-httpd-conf]
 _update_hash_filename_ = templates/monitor-httpd.conf.in

--- a/stack/monitor/instance-monitor.cfg.jinja2.in
+++ b/stack/monitor/instance-monitor.cfg.jinja2.in
@@ -112,7 +112,6 @@ parameter-list =
  htpasswd monitor-password ${httpd-monitor-htpasswd:password-file} ${monitor-instance-parameter:username} ${httpd-monitor-htpasswd:htpasswd-path}
  file min-free-disk-MB ${promise-check-free-disk-space:config-threshold-file}
  ${monitor-instance-parameter:instance-configuration}
-# htpasswd entry:  htpasswd key password-file username htpasswd-file
 promise-output-file = ${directory:monitor}/monitor-bootstrap-status
@@ -157,14 +156,11 @@ storage-path = ${directory:etc}/.monitor_pwd
 [httpd-monitor-htpasswd]
 recipe = plone.recipe.command
 stop-on-error = true
-password-file = ${directory:etc}/.monitor_pwd
+password-file = ${monitor-directory:etc}/.monitor-password
 htpasswd-path = ${monitor-directory:etc}/monitor-htpasswd
 command =
  echo "${monitor-instance-parameter:password}" >${:password-file}
-  [ -s "${:htpasswd-path}" ] ||
+  {{ apache_location }}/bin/htpasswd -cib ${:htpasswd-path} "${monitor-instance-parameter:username}" "${monitor-instance-parameter:password}"
-    {{ apache_location }}/bin/htpasswd -ci ${:htpasswd-path} "${monitor-instance-parameter:username}" <${:password-file}
-update-command =
-  [ -s "${:password-file}" ] || ${:command}
 [monitor-symlink]
 recipe = cns.recipe.symlink
@@ -343,8 +339,6 @@ collector-db = /srv/slapgrid/var/data-log/collector.db
 # Credentials
 password = ${monitor-htpasswd:passwd}
 username = admin
-# XXX: type key value
-# ex raw monitor-password resqdsdsd34
 instance-configuration =
 configuration-file-path = ${monitor-directory:etc}/monitor_knowledge0.cfg

--- a/stack/slapos.cfg
+++ b/stack/slapos.cfg
@@ -20,6 +20,7 @@ allow-picked-versions = false
 # Use shacache and lxml
 extends =
  ../component/defaults.cfg
+  ../component/bcrypt/buildout.cfg
  ../component/git/buildout.cfg
  ../component/lxml-python/buildout.cfg
  ../component/python-backports-lzma/buildout.cfg
@@ -102,6 +103,7 @@ eggs =
  ${python-PyYAML:egg}
  ${python-cryptography:egg}
  ${pyrsistent:egg}
+  ${bcrypt:egg}
 # slapos.toolbox containing utilities
 [slapos-toolbox]
@@ -302,7 +304,7 @@ sgmllib3k = 1.0.0
 simplegeneric = 0.8.1
 singledispatch = 3.4.0.3
 six = 1.16.0
-slapos.cookbook = 1.0.329
+slapos.cookbook = 1.0.351
 slapos.core = 1.11.0
 slapos.extension.shared = 1.0
 slapos.libnetworkcache = 0.25