From 169431375d1a7a5d413c4aa0652adc23bd0f11c9 Mon Sep 17 00:00:00 2001
From: "Alex Ellis (VMware)"
Date: Sun, 4 Nov 2018 20:37:11 +0000
Subject: [PATCH] Enable hashed passwords with PowerShell - PR #929 introduced the ability to generate passwords for the gateway admin user, this is a good step forwards for Windows users. It did introduce an inconsistency in the format that passwords are stored by not using a form of hashing. Hashing of secrets is used extensively within OpenFaaS/OpenFaaS Cloud whether with Swarm or Kubernetes via helm. If there are concerns about using a hashed value for a password I would suggest raising an issue to track this and have any decision we make applied for all users (not just PowerShell users). As a compromise I've introduced hashing by default and added a new flag called -noHash which can be used to replicate the behaviour of the original PR. After feedback from other contributors I also looked into whether the flag syntax could match the existing syntax but left this as is. Bash will use --no-auth and PowerShell will use --noAuth. This was tested on Docker Swarm on Windows.
Signed-off-by: Alex Ellis (VMware)
---
deploy_stack.ps1 | 168 ++++++++++++++++++++++++++---------------------
1 file changed, 92 insertions(+), 76 deletions(-)
diff --git a/deploy_stack.ps1 b/deploy_stack.ps1
index 100aa87e..0bdb362a 100644
--- a/deploy_stack.ps1
+++ b/deploy_stack.ps1
@@ -1,76 +1,92 @@
-#!ps1
-
-param (
- [switch] $noAuth,
- [switch] $n,
- [switch] $help,
- [switch] $h
-)
-
-if ($help -Or $h) {
- Write-Host "Usage: "
- Write-Host " [default]`tdeploy the OpenFaaS core services"
- Write-Host " -noAuth [-n]`tdisable basic authentication"
- Write-Host " -help [-h]`tdisplays this screen"
- Exit
-}
-
-if (Get-Command docker -errorAction SilentlyContinue)
-{
- docker node ls 2>&1 | out-null
- if(-Not $?)
- {
- throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry"
- }
-
- Add-Type -AssemblyName System.Web
- $secret = [System.Web.Security.Membership]::GeneratePassword(24,5)
- $user = 'admin'
-
- Write-Host "Attempting to create credentials for gateway.."
- $user_secret = "basic-auth-user"
- docker secret inspect $user_secret 2>&1 | out-null
- if($?)
- {
- Write-Host "$user_secret secret exists"
- }
- else
- {
- $user | docker secret create $user_secret - | out-null
- }
-
- $password_secret = "basic-auth-password"
- docker secret inspect $password_secret 2>&1 | out-null
- if($?)
- {
- Write-Host "$password_secret secret exists"
- }
- else
- {
- $secret | docker secret create $password_secret - | out-null
- Write-Host "[Credentials]"
- Write-Host " username: admin"
- Write-Host " password: $secret"
- Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin"
- }
-
- if ($noAuth -Or $n) {
- Write-Host ""
- Write-Host "Disabling basic authentication for gateway.."
- Write-Host ""
- $env:BASIC_AUTH="false";
- }
- else
- {
- Write-Host ""
- Write-Host "Enabling basic authentication for gateway.."
- Write-Host ""
- }
-
- Write-Host "Deploying OpenFaaS core services"
- docker stack deploy func --compose-file ./docker-compose.yml
-}
-else
-{
- throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry"
-}
+#!ps1
+
+param (
+ [switch] $noAuth,
+ [switch] $noHash,
+ [switch] $n,
+ [switch] $help,
+ [switch] $h
+)
+
+if ($help -Or $h) {
+ Write-Host "Usage: "
+ Write-Host " [default]`tdeploy the OpenFaaS core services"
+ Write-Host " -noAuth [-n]`tdisable basic authentication"
+ Write-Host " -noHash`tprevents the password from being hashed (optional)"
+ Write-Host " -help [-h]`tdisplays this screen"
+ Exit
+}
+
+if (Get-Command docker -errorAction SilentlyContinue)
+{
+ docker node ls 2>&1 | out-null
+ if(-Not $?)
+ {
+ throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry"
+ }
+
+ # AE: would be nice to avoid this dependency.
+ Add-Type -AssemblyName System.Web
+ $password = [System.Web.Security.Membership]::GeneratePassword(24,5)
+ $secret = ""
+
+ if (-Not $noHash)
+ {
+ $sha256 = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
+ $hash = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($password))
+
+ $secret = [System.BitConverter]::ToString($hash).Replace('-', '').toLower()
+ } else {
+ $secret =$password
+ }
+
+ $user = 'admin'
+
+ Write-Host "Attempting to create credentials for gateway.."
+ $user_secret = "basic-auth-user"
+ docker secret inspect $user_secret 2>&1 | out-null
+ if($?)
+ {
+ Write-Host "$user_secret secret exists"
+ }
+ else
+ {
+ $user | docker secret create $user_secret - | out-null
+ }
+
+ $password_secret = "basic-auth-password"
+ docker secret inspect $password_secret 2>&1 | out-null
+ if($?)
+ {
+ Write-Host "$password_secret secret exists"
+ }
+ else
+ {
+ $secret | docker secret create $password_secret - | out-null
+ Write-Host "[Credentials]"
+ Write-Host " username: admin"
+ Write-Host " password: $secret"
+ Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin"
+ }
+
+ if ($noAuth -Or $n) {
+ Write-Host ""
+ Write-Host "Disabling basic authentication for gateway.."
+ Write-Host ""
+ $env:BASIC_AUTH="false";
+ }
+ else
+ {
+ Write-Host ""
+ Write-Host "Enabling basic authentication for gateway.."
+ Write-Host ""
+ }
+
+ Write-Host "Deploying OpenFaaS core services"
+ docker stack deploy func --compose-file ./docker-compose.yml --orchestrator swarm
+}
+else
+{
+ throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry"
+}
+
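Review bot: The SHA-256 step in the `if (-Not $noHash)` branch does not protect the stored credential: the hex digest is the value piped to `docker secret create $password_secret -` and printed as `password: $secret`, so the digest is the password itself and whoever can read the secret can log in with it. The step only reshapes the 24-character `GeneratePassword` output into 64 hex characters and adds no entropy; how the gateway compares credentials is not visible in this hunk, so that part is inferred. I would say so next to the code, e.g. `# Not a storage hash: the hex digest is the credential itself (hex-only, safe to paste)`, and reword the `-noHash` help text to `use the raw generated password instead of its SHA-256 hex digest`. In the `-noHash` path the raw value can contain punctuation such as `$`, which the double-quoted `Write-Output` login hint would expand when pasted, so that hint should use single quotes around the value.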