authorRamón M. Gómez <ramongomez@us.es>2019-05-09 13:37:05 +0200
committerRamón M. Gómez <ramongomez@us.es>2019-05-09 13:37:05 +0200
commitc33184637d4a4fd3fa2ee10c7637113728afac73 (patch)
tree07a83ec09472719562100191e9fd36857890fe78
parentd32a8b6f453fd0ce4d1c67d46912dbecf881191d (diff)
#907: Securing client's token generation during installation process.
-rwxr-xr-xclient/shared/etc/init/default.sh5
-rwxr-xr-xinstaller/opengnsys_installer.sh17
-rwxr-xr-xserver/bin/setsmbpass10
3 files changed, 20 insertions, 12 deletions
diff --git a/client/shared/etc/init/default.sh b/client/shared/etc/init/default.sh
index 2d147c45..2fc3ede9 100755
--- a/client/shared/etc/init/default.sh
+++ b/client/shared/etc/init/default.sh
@@ -17,13 +17,14 @@ echo "${MSG_LAUNCHCLIENT:-.}"
# Indicar fichero de teclado de Qt para el idioma especificado (tipo "es.qmap").
[ -f /usr/local/etc/${LANG%_*}.qmap ] && export QWS_KEYBOARD="TTY:keymap=/usr/local/etc/${LANG%_*}.qmap"
+source /scripts/client.cfg
VERSION="1.1.1" # TEMPORAL
if [ -f "$OPENGNSYS/images/ogagent-oglive_${VERSION}_all.deb" -a "$ogstatus" != "offline" ]; then
# Instalar, configurar e iniciar agente.
dpkg -i "$OPENGNSYS/images/ogagent-oglive_${VERSION}_all.deb"
sed -i -e "s,remote=.*,remote=https://$(ogGetServerIp)/opengnsys3/backend/web/app_dev.php/," \
- -e "s,client=.*,client=CLIENTID," \
- -e "s,secret=.*,secret=CLIENTSECRET," \
+ -e "s,client=.*,client=$CLIENTID," \
+ -e "s,secret=.*,secret=$CLIENTSECRET," \
/usr/share/OGAgent/cfg/ogagent.cfg
ogagent start
sleep 10
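Review bot: `source /scripts/client.cfg` on the added line is unconditional, so a live image built without that file (an older setsmbpass, or a failed token lookup) leaves CLIENTID and CLIENTSECRET unset and the sed below writes `client=` / `secret=` into ogagent.cfg with no error; guard it with `[ -f /scripts/client.cfg ] && source /scripts/client.cfg` and skip the agent setup when either variable is empty. The secret is also spliced into the `s,…,…,` sed expression, so a value containing `,`, `&` or `\` would corrupt the substitution, and it is exposed in sed's argv on the client — hedged, since the token format is not visible here. The enclosing if-block continues outside the hunk.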
diff --git a/installer/opengnsys_installer.sh b/installer/opengnsys_installer.sh
index 32c74b05..ff2605d8 100755
--- a/installer/opengnsys_installer.sh
+++ b/installer/opengnsys_installer.sh
@@ -188,7 +188,7 @@ case "$OSDISTRIB" in
APACHEOGSITE=opengnsys
APACHEUSER="www-data"
APACHEGROUP="www-data"
- APACHEENABLEMODS="a2enmod ssl rewrite proxy_fcgi fastcgi actions alias"
+ APACHEENABLEMODS="a2enmod ssl rewrite proxy_fcgi actions alias"
APACHEENABLESSL="a2ensite default-ssl"
APACHEENABLEOG="a2ensite $APACHEOGSITE"
APACHEMAKECERT="make-ssl-cert generate-default-snakeoil --force-overwrite"
@@ -1048,7 +1048,7 @@ function dhcpConfigure()
# Instalar OpenGnsys Web Console.
function installWebFiles()
{
-local $tmpdir
+local $tmpdir jsonfile=$INSTALL_TARGET/etc/opengnsys.json
echoAndLog "${FUNCNAME}(): Copying backend files..."
sed -e "s/ database_name:.*/ database_name: $OPENGNSYS_DATABASE/" \
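Review bot: The rewritten declaration `local $tmpdir jsonfile=$INSTALL_TARGET/etc/opengnsys.json` expands `$tmpdir` instead of naming it, so `tmpdir` is never made local (and if a global `tmpdir` already holds a path, `local` fails with "not a valid identifier"); since the commit touches this line, fix it here: `local tmpdir jsonfile="$INSTALL_TARGET/etc/opengnsys.json"`. The defect is inherited from the removed line rather than introduced by the commit. installWebFiles continues outside the hunk.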
@@ -1072,13 +1072,17 @@ sudo -u $OPENGNSYS_CLIENT_USER php app/console doctrine:schema:update --force
echo yes | php app/console doctrine:fixtures:load
php app/console fos:user:create "$OPENGNSYS_DB_USER" "${OPENGNSYS_DB_USER}@localhost.localdomain" "$OPENGNSYS_DB_USER"
# Guardar tokens de seguridad.
-read -e ADMINID ADMINSECRET <<< \
+read -e APIID APISECRET <<< \
"$(php app/console doctrine:query:sql "SELECT random_id, secret FROM og_core__clients WHERE id=1;" | \
awk -F\" '$2~/^(random_id|secret)$/ {getline; printf("%s ", $2)}')"
read -e CLIENTID CLIENTSECRET <<< \
"$(php app/console opengnsys:oauth-server:client:create --no-ansi | \
awk 'BEGIN {RS=" "}
/^(id|secret)$/ {getline; gsub(/,/, ""); printf("%s ", $0)}')"
+[ -f $jsonfile ] || echo "{}" > $jsonfile
+jq '.client |= (. + {"id":"'"$CLIENTID"'", "secret":"'"$CLIENTSECRET"'"})' $jsonfile | sponge $jsonfile
+chown root $jsonfile
+chmod 600 $jsonfile
popd
echoAndLog "${FUNCNAME}(): Installing frontend framework..."
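Review bot: The jq program on the `jq '.client |= …'` line is built by splicing `$CLIENTID` and `$CLIENTSECRET` into the filter text, so a token containing `"` or `\` breaks the filter, jq exits non-zero with empty output, and `sponge` then overwrites opengnsys.json with that empty output; pass the values as data with `--arg` instead. The file is also created by `echo "{}" > $jsonfile` under the default umask and only becomes mode 600 after the secret has been written, so move the `chown`/`chmod` before the jq step (sponge keeps the target's existing mode as far as I recall — verify). jq and sponge (moreutils) are new runtime dependencies of the installer; whether the package list includes them is not visible in this hunk.
```shell
[ -f "$jsonfile" ] || echo "{}" > "$jsonfile"
chown root "$jsonfile"
chmod 600 "$jsonfile"
jq --arg id "$CLIENTID" --arg secret "$CLIENTSECRET" \
   '.client |= (. + {id: $id, secret: $secret})' "$jsonfile" | sponge "$jsonfile"
# … unchanged: popd …
```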
@@ -1087,8 +1091,8 @@ tmpdir=$(sudo -u $OPENGNSYS_CLIENT_USER mktemp -d)
echo "cache = $tmpdir" > .npmrc
sudo -u $OPENGNSYS_CLIENT_USER npm install
sed -i -e "s/SERVERIP/$SERVERIP/" \
- -e "s/CLIENTID/1_$ADMINID/" \
- -e "s/CLIENTSECRET/$ADMINSECRET/" src/environments/environment.ts
+ -e "s/CLIENTID/1_$APIID/" \
+ -e "s/CLIENTSECRET/$APISECRET/" src/environments/environment.ts
sed -i 's,base href=.*,base href="/opengnsys3/frontend/">,' src/index.html
sudo -u $OPENGNSYS_CLIENT_USER ng build
rm -fr $tmpdir
@@ -1357,9 +1361,6 @@ function copyClientFiles()
echoAndLog "${FUNCNAME}(): Copying OpenGnsys Client files."
cp -a $WORKDIR/opengnsys/client/shared/* $INSTALL_TARGET/client
- sed -i -e "s/CLIENTID/$CLIENTID/" \
- -e "s/CLIENTSECRET/$CLIENTSECRET/" \
- $INSTALL_TARGET/client/etc/init/default.sh ### TEMPORAL
if [ $? -ne 0 ]; then
errorAndLog "${FUNCNAME}(): error while copying client estructure"
errstatus=1
diff --git a/server/bin/setsmbpass b/server/bin/setsmbpass
index 2162b3be..57c354d7 100755
--- a/server/bin/setsmbpass
+++ b/server/bin/setsmbpass
@@ -19,6 +19,7 @@
PROG=$(basename "$0")
PATH=$PATH:$(dirname "$(realpath "$0")")
OPENGNSYS=${OPENGNSYS:-"/opt/opengnsys"}
+OGCFGFILE=$OPENGNSYS/etc/opengnsys.json
SAMBAUSER="opengnsys" # Usuario por defecto.
TFTPDIR=$OPENGNSYS/tftpboot
INITRD=oginitrd.img
@@ -88,8 +89,13 @@ for OGLIVE in $LIST; do
# FIN CÓDIGO TEMPORAL.
# Ticket 565, preparar acceso Rsync cliente.
echo "$SAMBAPASS" > scripts/passrsync
- chown root.root scripts/passrsync
- chmod 400 scripts/passrsync
+ # Guardar tokens de seguridad.
+ cat << EOT > scripts/client.cfg
+CLIENTID=$(jq -r .client.id $OGCFGFILE)
+CLIENTSECRET=$(jq -r .client.secret $OGCFGFILE)
+EOT
+ chown root.root scripts/passrsync scripts/client.cfg
+ chmod 400 scripts/passrsync scripts/client.cfg
# Generar Initrd del cliente.
find . | cpio -H newc -oa | gzip -9c > "$CLIENTINITRD"
else
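Review bot: The here-doc writes `CLIENTID=$(jq -r .client.id $OGCFGFILE)` and the secret line into scripts/client.cfg unquoted, a file the client later sources, so if opengnsys.json is missing or lacks `.client` jq yields an empty string or `null` and the image silently ships unusable credentials, and a token containing whitespace or shell metacharacters would be misparsed or executed at source time. Read the values first and fail closed, e.g. `CLIENTID=$(jq -er .client.id "$OGCFGFILE") || exit 1`, `CLIENTSECRET=$(jq -er .client.secret "$OGCFGFILE") || exit 1`, then `printf 'CLIENTID=%q\nCLIENTSECRET=%q\n' "$CLIENTID" "$CLIENTSECRET" > scripts/client.cfg` (the `%q` form assumes the client sources the file with bash, which `source` in default.sh suggests but this hunk does not show). The file is created under the default umask before the `chmod 400`, the same ordering as the existing passrsync write. The for loop over OGLIVE continues outside the hunk.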