Fix

engity-com · Oct 11, 2024 · 860bba7 · 860bba7
1 parent ef2a21b
commit 860bba7
Show file tree

Hide file tree

Showing 4 changed files with 114 additions and 13 deletions.
diff --git a/cmd/build/build-digest.go b/cmd/build/build-digest.go
@@ -17,15 +17,11 @@ import (
 func newBuildDigest(b *build) *buildDigest {
 	return &buildDigest{
 		build: b,
-
-		defaultConfigFile: "contrib/configurations/sshd-dropin-replacement.yaml",
 	}
 }
 
 type buildDigest struct {
 	*build
-
-	defaultConfigFile string
 }
 
 func (this *buildDigest) attach(_ *kingpin.CmdClause) {}

diff --git a/cmd/build/build-image.go b/cmd/build/build-image.go
@@ -34,21 +34,27 @@ func newBuildImage(b *build) *buildImage {
 	return &buildImage{
 		build: b,
 
-		defaultConfigFile: "contrib/configurations/sshd-dropin-replacement.yaml",
+		defaultGenericConfigFile:  "contrib/configurations/dummy-for-oci-images.yaml",
+		defaultExtendedConfigFile: "contrib/configurations/sshd-dropin-replacement.yaml",
 	}
 }
 
 type buildImage struct {
 	*build
 
-	defaultConfigFile string
+	defaultGenericConfigFile  string
+	defaultExtendedConfigFile string
 }
 
 func (this *buildImage) attach(cmd *kingpin.CmdClause) {
 	cmd.Flag("defaultConfigFile", "").
-		Default(this.defaultConfigFile).
+		Default(this.defaultGenericConfigFile).
 		PlaceHolder("<file>").
-		StringVar(&this.defaultConfigFile)
+		StringVar(&this.defaultGenericConfigFile)
+	cmd.Flag("defaultExtendedConfigFile", "").
+		Default(this.defaultExtendedConfigFile).
+		PlaceHolder("<file>").
+		StringVar(&this.defaultExtendedConfigFile)
 }
 
 func (this *buildImage) create(ctx context.Context, binary *buildArtifact) (_ buildArtifacts, rErr error) {
@@ -156,9 +162,14 @@ func (this *buildImage) createPart(ctx context.Context, binary *buildArtifact) (
 
 	img = mutate.Annotations(img, annotations).(gcv1.Image)
 
+	configFile := this.defaultGenericConfigFile
+	if a.edition == editionExtended {
+		configFile = this.defaultExtendedConfigFile
+	}
+
 	binaryLayer, err := binary.toLayer(common.JoinSeq2[imageArtifactLayerItem, error](
 		common.Seq2ErrOf[imageArtifactLayerItem](imageArtifactLayerItem{
-			sourceFile: this.defaultConfigFile,
+			sourceFile: configFile,
 			targetFile: binary.platform.os.bifroestConfigFilePath(),
 			mode:       0644,
 		}),

diff --git a/contrib/configurations/dummy-for-oci-images.yaml b/contrib/configurations/dummy-for-oci-images.yaml
@@ -0,0 +1,34 @@
+## This configuration should only be used as dummy configuration within OCI/Docker images.
+## It will create (if not exists)
+## for the regular sshd.
+
+ssh:
+  addresses: [ ":22" ]
+  banner: |+
+    Transcend with Engity Bifröst
+    =============================
+
+    This is instance runs with a demo configuration which should
+    NEVER be used in production.
+
+    To login to this instance see the service logs, like:
+    docker logs bifroest
+
+session:
+  type: fs
+
+flows:
+  - name: local
+    authorization:
+      type: htpasswd
+
+      # DO NOT USE THIS SETTING IN PRODUCTION!
+      # This will create at the default location of the property "file" a file if it does not already exist
+      # with dummy data inside. This really only make sense to create dummy data for demo purposes.
+      generateWithUserIfAbsentAndWarn: true
+
+    environment:
+      type: local
+
+      # This property will not be evaluated in Windows.
+      name: "root"
diff --git a/pkg/configuration/authorization-htpasswd.go b/pkg/configuration/authorization-htpasswd.go
@@ -1,9 +1,19 @@
 package configuration
 
 import (
+	"crypto/rand"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	log "github.com/echocat/slf4g"
+	"github.com/mr-tron/base58"
+	"golang.org/x/crypto/bcrypt"
 	"gopkg.in/yaml.v3"
 
+	"github.com/engity-com/bifroest/pkg/common"
 	"github.com/engity-com/bifroest/pkg/crypto"
+	"github.com/engity-com/bifroest/pkg/errors"
 	"github.com/engity-com/bifroest/pkg/sys"
 )
 
@@ -16,8 +26,9 @@ var (
 )
 
 type AuthorizationHtpasswd struct {
-	File    crypto.HtpasswdFile `yaml:"file,omitempty"`
-	Entries crypto.Htpasswd     `yaml:"entries,omitempty"`
+	File                            crypto.HtpasswdFile `yaml:"file,omitempty"`
+	Entries                         crypto.Htpasswd     `yaml:"entries,omitempty"`
+	GenerateWithUserIfAbsentAndWarn bool                `yaml:"generateWithUserIfAbsentAndWarn"`
 }
 
 func (this *AuthorizationHtpasswd) SetDefaults() error {
@@ -36,23 +47,71 @@ func (this *AuthorizationHtpasswd) SetDefaults() error {
 			})
 		},
 		noopSetDefault[AuthorizationHtpasswd]("entries"),
+		noopSetDefault[AuthorizationHtpasswd]("generateWithUserIfAbsentAndWarn"),
 	)
 }
 
 func (this *AuthorizationHtpasswd) Trim() error {
 	return trim(this,
 		noopTrim[AuthorizationHtpasswd]("file"),
 		noopTrim[AuthorizationHtpasswd]("entries"),
+		noopTrim[AuthorizationHtpasswd]("generateWithUserIfAbsentAndWarn"),
 	)
 }
 
-func (this *AuthorizationHtpasswd) Validate() error {
+func (this *AuthorizationHtpasswd) Validate() (rErr error) {
+	if this.GenerateWithUserIfAbsentAndWarn && this.File.IsZero() && this.Entries.IsZero() {
+		fn, err := this.createDummyFileAndWarn()
+		if err != nil {
+			return err
+		}
+		if err := this.File.Set(fn); err != nil {
+			return err
+		}
+	}
+
 	return validate(this,
 		func(v *AuthorizationHtpasswd) (string, validator) { return "file", &v.File },
 		func(v *AuthorizationHtpasswd) (string, validator) { return "entries", &v.Entries },
+		noopValidate[AuthorizationHtpasswd]("generateWithUserIfAbsentAndWarn"),
 	)
 }
 
+func (this *AuthorizationHtpasswd) createDummyFileAndWarn() (fn string, rErr error) {
+	buf := make([]byte, 12)
+	if n, err := rand.Read(buf); err != nil {
+		return "", errors.System.Newf("cannot create demo password: %w", err)
+	} else if n != len(buf) {
+		return "", errors.System.Newf("cannot create demo password: not enough entries in random source")
+	}
+	pass := base58.Encode(buf)
+	hash, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)
+	if err != nil {
+		return "", errors.System.Newf("cannot create demo password: %w", err)
+	}
+
+	_ = os.MkdirAll(filepath.Dir(DefaultAuthorizationHtpasswdFile), 0700)
+	f, err := os.OpenFile(DefaultAuthorizationHtpasswdFile, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
+	if os.IsExist(err) {
+		return DefaultAuthorizationHtpasswdFile, nil
+	}
+	if err != nil {
+		return "", errors.System.Newf("cannot create demo password in %q: %w", DefaultAuthorizationHtpasswdFile, err)
+	}
+	defer common.KeepCloseError(&rErr, f)
+
+	if _, err = fmt.Fprintf(f, "demo:%s\n", string(hash)); err != nil {
+		return "", errors.System.Newf("cannot create demo password in %q: %w", DefaultAuthorizationHtpasswdFile, err)
+	}
+
+	log.Warn("NOT CONFIGURED FOR PRODUCTION USE!!")
+	log.With("user", "demo").
+		With("password", pass).
+		Info("as this instance runs in dummy mode; a user for demonstration purposes was created - use this credentials to login to Bifröst - this message will never be shown again!")
+
+	return DefaultAuthorizationHtpasswdFile, nil
+}
+
 func (this *AuthorizationHtpasswd) UnmarshalYAML(node *yaml.Node) error {
 	return unmarshalYAML(this, node, func(target *AuthorizationHtpasswd, node *yaml.Node) error {
 		type raw AuthorizationHtpasswd
@@ -76,7 +135,8 @@ func (this AuthorizationHtpasswd) IsEqualTo(other any) bool {
 
 func (this AuthorizationHtpasswd) isEqualTo(other *AuthorizationHtpasswd) bool {
 	return isEqual(&this.File, &other.File) &&
-		isEqual(&this.Entries, &other.Entries)
+		isEqual(&this.Entries, &other.Entries) &&
+		this.GenerateWithUserIfAbsentAndWarn == other.GenerateWithUserIfAbsentAndWarn
 }
 
 func (this AuthorizationHtpasswd) Types() []string {