Add CMD_ONCE secret type and fill in/change secret definitions

2021-01-19 17:53:53 +01:00 · 2021-01-19 17:53:53 +01:00 · 1c814f002a
commit 1c814f002a
parent 9560f80852
11 changed files with 18 additions and 6 deletions
--- a/app/im/secrets/chat/easybridge/as_token
+++ b/app/im/secrets/chat/easybridge/as_token
@ -0,0 +1 @@
+CMD openssl rand -hex 32
--- a/app/im/secrets/chat/easybridge/db_pass
+++ b/app/im/secrets/chat/easybridge/db_pass
@ -0,0 +1 @@
+SERVICE_PASSWORD easybridge
--- a/app/im/secrets/chat/easybridge/db_user
+++ b/app/im/secrets/chat/easybridge/db_user
@ -0,0 +1 @@
+CONST easybridge
--- a/app/im/secrets/chat/easybridge/hs_token
+++ b/app/im/secrets/chat/easybridge/hs_token
@ -0,0 +1 @@
+CMD openssl rand -hex 32
--- a/app/im/secrets/chat/easybridge/web_session_key
+++ b/app/im/secrets/chat/easybridge/web_session_key
@ -0,0 +1,2 @@
+CMD openssl rand -hex 32
+
--- a/app/im/secrets/chat/fb2mx/as_token
+++ b/app/im/secrets/chat/fb2mx/as_token
@ -1 +1 @@
-USER fb2mx API server token
+CMD openssl rand -hex 32
--- a/app/im/secrets/chat/fb2mx/hs_token
+++ b/app/im/secrets/chat/fb2mx/hs_token
@ -1 +1 @@
-USER fb2mx homeserver token
+CMD openssl rand -hex 32
--- a/app/im/secrets/chat/synapse/homeserver.signing.key
+++ b/app/im/secrets/chat/synapse/homeserver.signing.key
@ -0,0 +1 @@
+USER Synapse homeserver ed25519 signing key
--- a/app/im/secrets/chat/synapse/registration_shared_secret
+++ b/app/im/secrets/chat/synapse/registration_shared_secret
@ -1 +1 @@
-USER Shared secret for homeserver registrations (?)
+CMD head -c 32 /dev/urandom | base64
--- a/app/plume/secrets/plume/pgsql_pw
+++ b/app/plume/secrets/plume/pgsql_pw
@ -1 +1 @@
-CMD openssl rand -base64 32
+SERVICE_PASSWORD plume
--- a/app/secretmgr.py
+++ b/app/secretmgr.py
@ -43,6 +43,9 @@ USER_LONG <description>
 CMD <command>
 (a secret that is generated by running this command)

+CMD_ONCE <command>
+(same, but value is not changed when doing a regen)
+
 CONST <constant value>
 (the secret has a constant value set here)

@ -81,6 +84,7 @@ consul_server = consul.Consul()
 USER             = "USER"
 USER_LONG        = "USER_LONG"
 CMD              = "CMD"
+CMD_ONCE         = "CMD_ONCE"
 CONST            = "CONST"
 CONST_LONG       = "CONST_LONG"
 SERVICE_DN       = "SERVICE_DN"
@ -108,7 +112,7 @@ def read_secret(key, file_path):
    secret = {"type": stype, "key": key}
    if stype in [USER, USER_LONG]:
        secret["desc"] = " ".join(l0[1:])
-    elif stype == CMD:
+    elif stype in [CMD, CMD_ONCE]:
        secret["cmd"] = " ".join(l0[1:])
    elif stype == CONST:
        secret["value"] = " ".join(l0[1:])
@ -151,6 +155,7 @@ def get_secrets_services(secrets):
        if svc not in services:
            services[svc] = {
                "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX),
+                "desc": "(not provided)",
                "pass": None,
                "dn_at": [],
                "pass_at": [],
@ -289,7 +294,7 @@ def gen_secrets_base(secrets, regen):
            consul_server.kv.put(key, secret["value"])
            print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)

-        if secret["type"] == CMD:
+        if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None):
            print("----")
            print(key)
            print("Executing command:", secret["cmd"])