From 1c814f002af3aafa76aced040845d6fdeee7953e Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 19 Jan 2021 17:53:53 +0100 Subject: Add CMD_ONCE secret type and fill in/change secret definitions --- app/im/secrets/chat/easybridge/as_token | 1 + app/im/secrets/chat/easybridge/db_pass | 1 + app/im/secrets/chat/easybridge/db_user | 1 + app/im/secrets/chat/easybridge/hs_token | 1 + app/im/secrets/chat/easybridge/web_session_key | 2 ++ app/im/secrets/chat/fb2mx/as_token | 2 +- app/im/secrets/chat/fb2mx/hs_token | 2 +- app/im/secrets/chat/synapse/homeserver.signing.key | 1 + app/im/secrets/chat/synapse/registration_shared_secret | 2 +- app/plume/secrets/plume/pgsql_pw | 2 +- app/secretmgr.py | 9 +++++++-- 11 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 app/im/secrets/chat/easybridge/as_token create mode 100644 app/im/secrets/chat/easybridge/db_pass create mode 100644 app/im/secrets/chat/easybridge/db_user create mode 100644 app/im/secrets/chat/easybridge/hs_token create mode 100644 app/im/secrets/chat/easybridge/web_session_key create mode 100644 app/im/secrets/chat/synapse/homeserver.signing.key (limited to 'app') diff --git a/app/im/secrets/chat/easybridge/as_token b/app/im/secrets/chat/easybridge/as_token new file mode 100644 index 0000000..5fa4e3c --- /dev/null +++ b/app/im/secrets/chat/easybridge/as_token @@ -0,0 +1 @@ +CMD openssl rand -hex 32 diff --git a/app/im/secrets/chat/easybridge/db_pass b/app/im/secrets/chat/easybridge/db_pass new file mode 100644 index 0000000..7e1f94b --- /dev/null +++ b/app/im/secrets/chat/easybridge/db_pass @@ -0,0 +1 @@ +SERVICE_PASSWORD easybridge diff --git a/app/im/secrets/chat/easybridge/db_user b/app/im/secrets/chat/easybridge/db_user new file mode 100644 index 0000000..436267c --- /dev/null +++ b/app/im/secrets/chat/easybridge/db_user @@ -0,0 +1 @@ +CONST easybridge diff --git a/app/im/secrets/chat/easybridge/hs_token b/app/im/secrets/chat/easybridge/hs_token new file mode 100644 index 0000000..5fa4e3c --- /dev/null +++ b/app/im/secrets/chat/easybridge/hs_token @@ -0,0 +1 @@ +CMD openssl rand -hex 32 diff --git a/app/im/secrets/chat/easybridge/web_session_key b/app/im/secrets/chat/easybridge/web_session_key new file mode 100644 index 0000000..614bed7 --- /dev/null +++ b/app/im/secrets/chat/easybridge/web_session_key @@ -0,0 +1,2 @@ +CMD openssl rand -hex 32 + diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token index 20b76d4..5fa4e3c 100644 --- a/app/im/secrets/chat/fb2mx/as_token +++ b/app/im/secrets/chat/fb2mx/as_token @@ -1 +1 @@ -USER fb2mx API server token +CMD openssl rand -hex 32 diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token index 8808f8f..5fa4e3c 100644 --- a/app/im/secrets/chat/fb2mx/hs_token +++ b/app/im/secrets/chat/fb2mx/hs_token @@ -1 +1 @@ -USER fb2mx homeserver token +CMD openssl rand -hex 32 diff --git a/app/im/secrets/chat/synapse/homeserver.signing.key b/app/im/secrets/chat/synapse/homeserver.signing.key new file mode 100644 index 0000000..099bd18 --- /dev/null +++ b/app/im/secrets/chat/synapse/homeserver.signing.key @@ -0,0 +1 @@ +USER Synapse homeserver ed25519 signing key diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret index 395cccc..b82f191 100644 --- a/app/im/secrets/chat/synapse/registration_shared_secret +++ b/app/im/secrets/chat/synapse/registration_shared_secret @@ -1 +1 @@ -USER Shared secret for homeserver registrations (?) +CMD head -c 32 /dev/urandom | base64 diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw index 978be54..0f831bb 100644 --- a/app/plume/secrets/plume/pgsql_pw +++ b/app/plume/secrets/plume/pgsql_pw @@ -1 +1 @@ -CMD openssl rand -base64 32 +SERVICE_PASSWORD plume diff --git a/app/secretmgr.py b/app/secretmgr.py index 6af6d13..5cf55dc 100755 --- a/app/secretmgr.py +++ b/app/secretmgr.py @@ -43,6 +43,9 @@ USER_LONG CMD (a secret that is generated by running this command) +CMD_ONCE +(same, but value is not changed when doing a regen) + CONST (the secret has a constant value set here) @@ -81,6 +84,7 @@ consul_server = consul.Consul() USER = "USER" USER_LONG = "USER_LONG" CMD = "CMD" +CMD_ONCE = "CMD_ONCE" CONST = "CONST" CONST_LONG = "CONST_LONG" SERVICE_DN = "SERVICE_DN" @@ -108,7 +112,7 @@ def read_secret(key, file_path): secret = {"type": stype, "key": key} if stype in [USER, USER_LONG]: secret["desc"] = " ".join(l0[1:]) - elif stype == CMD: + elif stype in [CMD, CMD_ONCE]: secret["cmd"] = " ".join(l0[1:]) elif stype == CONST: secret["value"] = " ".join(l0[1:]) @@ -151,6 +155,7 @@ def get_secrets_services(secrets): if svc not in services: services[svc] = { "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX), + "desc": "(not provided)", "pass": None, "dn_at": [], "pass_at": [], @@ -289,7 +294,7 @@ def gen_secrets_base(secrets, regen): consul_server.kv.put(key, secret["value"]) print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) - if secret["type"] == CMD: + if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None): print("----") print(key) print("Executing command:", secret["cmd"]) -- cgit v1.2.3