authorAlex Auvolat <alex@adnab.me>2021-01-19 17:53:53 +0100
committerAlex Auvolat <alex@adnab.me>2021-01-19 17:53:53 +0100
commit1c814f002af3aafa76aced040845d6fdeee7953e (patch)
treef1abd7369f279bb4c9fc56caf469825120564467
parent9560f8085292e990949c53b4ba964936a3d3b6e5 (diff)
Add CMD_ONCE secret type and fill in/change secret definitions
-rw-r--r--app/im/secrets/chat/easybridge/as_token1
-rw-r--r--app/im/secrets/chat/easybridge/db_pass1
-rw-r--r--app/im/secrets/chat/easybridge/db_user1
-rw-r--r--app/im/secrets/chat/easybridge/hs_token1
-rw-r--r--app/im/secrets/chat/easybridge/web_session_key2
-rw-r--r--app/im/secrets/chat/fb2mx/as_token2
-rw-r--r--app/im/secrets/chat/fb2mx/hs_token2
-rw-r--r--app/im/secrets/chat/synapse/homeserver.signing.key1
-rw-r--r--app/im/secrets/chat/synapse/registration_shared_secret2
-rw-r--r--app/plume/secrets/plume/pgsql_pw2
-rwxr-xr-xapp/secretmgr.py9
11 files changed, 18 insertions, 6 deletions
diff --git a/app/im/secrets/chat/easybridge/as_token b/app/im/secrets/chat/easybridge/as_token
new file mode 100644
index 0000000..5fa4e3c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/as_token
@@ -0,0 +1 @@
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/easybridge/db_pass b/app/im/secrets/chat/easybridge/db_pass
new file mode 100644
index 0000000..7e1f94b
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/db_pass
@@ -0,0 +1 @@
+SERVICE_PASSWORD easybridge
diff --git a/app/im/secrets/chat/easybridge/db_user b/app/im/secrets/chat/easybridge/db_user
new file mode 100644
index 0000000..436267c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/db_user
@@ -0,0 +1 @@
+CONST easybridge
diff --git a/app/im/secrets/chat/easybridge/hs_token b/app/im/secrets/chat/easybridge/hs_token
new file mode 100644
index 0000000..5fa4e3c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/hs_token
@@ -0,0 +1 @@
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/easybridge/web_session_key b/app/im/secrets/chat/easybridge/web_session_key
new file mode 100644
index 0000000..614bed7
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/web_session_key
@@ -0,0 +1,2 @@
+CMD openssl rand -hex 32
+
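Review bot: The new web_session_key definition ends with an empty second line (the bare `+` line after the command), which none of the other single-line CMD definitions added in this commit carry. If read_secret only parses the first line of a definition file this is harmless, but it looks like an editing artifact and makes this file inconsistent with its siblings; drop the blank line so the file is just `CMD openssl rand -hex 32`.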
diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token
index 20b76d4..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/as_token
+++ b/app/im/secrets/chat/fb2mx/as_token
@@ -1 +1 @@
-USER fb2mx API server token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token
index 8808f8f..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/hs_token
+++ b/app/im/secrets/chat/fb2mx/hs_token
@@ -1 +1 @@
-USER fb2mx homeserver token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/synapse/homeserver.signing.key b/app/im/secrets/chat/synapse/homeserver.signing.key
new file mode 100644
index 0000000..099bd18
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.signing.key
@@ -0,0 +1 @@
+USER Synapse homeserver ed25519 signing key
diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret
index 395cccc..b82f191 100644
--- a/app/im/secrets/chat/synapse/registration_shared_secret
+++ b/app/im/secrets/chat/synapse/registration_shared_secret
@@ -1 +1 @@
-USER Shared secret for homeserver registrations (?)
+CMD head -c 32 /dev/urandom | base64
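Review bot: This is the only generated secret in the commit whose command is a shell pipeline (`head -c 32 /dev/urandom | base64`), so it only works if the secret manager hands the command string to a shell, while every other CMD definition here is a single plain command. `CMD openssl rand -base64 32` produces 32 random bytes base64-encoded without the pipe and matches the form the old plume pgsql_pw definition used, keeping all generated secrets on one execution model. Either way, the base64 alphabet includes `+`, `/` and `=`, so the value may need quoting wherever it is interpolated into the homeserver configuration; that depends on the consumer, which is not visible here.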
diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw
index 978be54..0f831bb 100644
--- a/app/plume/secrets/plume/pgsql_pw
+++ b/app/plume/secrets/plume/pgsql_pw
@@ -1 +1 @@
-CMD openssl rand -base64 32
+SERVICE_PASSWORD plume
diff --git a/app/secretmgr.py b/app/secretmgr.py
index 6af6d13..5cf55dc 100755
--- a/app/secretmgr.py
+++ b/app/secretmgr.py
@@ -43,6 +43,9 @@ USER_LONG <description>
CMD <command>
(a secret that is generated by running this command)
+CMD_ONCE <command>
+(same, but value is not changed when doing a regen)
+
CONST <constant value>
(the secret has a constant value set here)
@@ -81,6 +84,7 @@ consul_server = consul.Consul()
USER = "USER"
USER_LONG = "USER_LONG"
CMD = "CMD"
+CMD_ONCE = "CMD_ONCE"
CONST = "CONST"
CONST_LONG = "CONST_LONG"
SERVICE_DN = "SERVICE_DN"
@@ -108,7 +112,7 @@ def read_secret(key, file_path):
secret = {"type": stype, "key": key}
if stype in [USER, USER_LONG]:
secret["desc"] = " ".join(l0[1:])
- elif stype == CMD:
+ elif stype in [CMD, CMD_ONCE]:
secret["cmd"] = " ".join(l0[1:])
elif stype == CONST:
secret["value"] = " ".join(l0[1:])
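Review bot: In read_secret, the new `elif stype in [CMD, CMD_ONCE]` branch (like the USER and CONST branches around it) assigns `" ".join(l0[1:])` without checking that anything follows the type keyword, so a definition file containing only `CMD` yields `secret["cmd"] == ""`, which gen_secrets_base later prints as the command to execute. A guard placed before the branch chain, `if len(l0) < 2: raise ValueError("%s: %s needs an argument" % (file_path, stype))`, turns a malformed definition into an error at read time instead of an empty command at generation time. read_secret's body starts before this hunk, so how l0 is split from the file is not visible here.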
@@ -151,6 +155,7 @@ def get_secrets_services(secrets):
if svc not in services:
services[svc] = {
"dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX),
+ "desc": "(not provided)",
"pass": None,
"dn_at": [],
"pass_at": [],
@@ -289,7 +294,7 @@ def gen_secrets_base(secrets, regen):
consul_server.kv.put(key, secret["value"])
print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
- if secret["type"] == CMD:
+ if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None):
print("----")
print(key)
print("Executing command:", secret["cmd"])