Add to for Secrets to be generated before generating secrets

[DonRichards]

Purpose of this:

In a Slack chat it was brought up that users may be running default secrets and not know it and secrets are generated on every build. In fact there was several small improvements that were needed.

Currently the build process will always generate secrets even when USE_SECRETS is set to true . This adds a simple check then prompt that prevents the code from running the generate script (re)populating the /secrets/live* directory on every make up/down.

For the sake of keeping the description simple I'm going to use the terms make local, make up or make demo interchangeably as a reference to the make build process. It should not matter which of these to use to build ISLE. The tests will not only test the functionality but the ability to bypass/skip a function or not do anything at all. If USE_SECRETS is set to false or all the secrets exist in the secrets/live/ directory, this will not prompt the user for input.

3 scenarios to test for

Test USE_SECRETS set to either true or false for these 3 scenarios. But USE_SECRETS will always result in secrets/live/ being repopulated with new secrets every time a make build process is ran.

1. Empty secrets/live/ folder
2. secrets/live/ is missing some of the expected secrets
3. Found default values in secrets/live/ secrets

Also because this is part of the build process, you will need to run make clean between comparing current behavior vs new and different scenarios.

To test that this doesn't break existing setups

1. Switch to this PR's branch
2. With Isle either running or not running but previously built with secrets populated run the make up command.

You will see a message informing you if you're using default values, otherwise no message.

---

Run make clean to reset. Copy sample.env and modify the .env file to USE_SECRETS=false.

To test when USE_SECRETS is set to false

1. Run make local
   This should automatically generate custom secrets.

To check this worked

Check to see if the directory /secrets/live is populated with secrets, most of them are NOT set to "password"

Run make clean to reset. Copy sample.env and modify the .env file to USE_SECRETS=true to disable new secret generation as the default action.

Testing that answering No to prompt results in no changes with USE_SECRETS is set to true

When the script determines there's an issue, the user is prompted to either generate or copy secrets. This first check verifies nothing happens when n or N is applied to the prompts.

1. Run make local
2. Would you like to generate random secrets? Run a script to create secrets? [y/N] N
3. Would you like to copy the default secrets? Run a script to copy secrets? [y/N] n
4. Would you like to copy the missing secrets from /home/don/github/isle-dc/secrets/template/? [y/N] n
   It should exit completely.

To check this worked

Check to see if the directory /secrets/live is still empty.

Testing auto generate secrets with USE_SECRETS is set to true

1. Run make demo
2. Would you like to generate random secrets? Run a script to create secrets? [y/N] y
   This should automatically generate custom secrets just like the last test.
3. Run make up again
   There should be no message/warnings.

To check this worked

Check to see if the directory /secrets/live is populated with secrets, most of them are NOT set to "password"

Testing copying template secrets with USE_SECRETS is set to true

Run make clean to reset. Copy sample.env and modify the .env file to USE_SECRETS=true to disable new secret generation as the default action.

1. Run make local
2. Would you like to generate random secrets? Run a script to create secrets? [y/N] N
3. Would you like to copy the default secrets? Run a script to copy secrets? [y/N] y
   This will copy the template/ files to the live/ directory. But it's advised to make changes to these files before proceeding. The messages should be clear (if not please suggest something). This also exits not only the bash script but also the MAKEFILE. This was does intentionally.
4. Run 'make up' again
   This will check the config and output a message at both the beginning and the end of the build. This message will inform the user which secrets are using default values with information on where to go for further information.
   
5. Run make up again and the message should come up again last to inform the user they are using default/insecure secrets.

Testing with missing secrets while USE_SECRETS is set to true

1. Delete 1 or many files in /secrets/live
2. Run 'make up'
3. Would you like to copy the missing secrets from /home/don/github/isle-dc/secrets/template/? [y/N] y
   This will copy (not generate) the missing secrets from the template directory.
4. Run make up again and message is set back to the warning message when a default value is detected.

Note: This points to where the documentation should be but that doesn't exist yet.

Sorry for the really really long description.

[DonRichards]

Added update in the docs to reflect the improvement.

[joshdentremont]

@DonRichards I don't think this will work for randomly generated secrets. The other thing USE_SECRETS does is include the file docker-compose.secrets.yml. As I understand it, without this file it won't use secrets at all and must use hard coded values in the containers. This would mean that if USE_SECRETS=false it would never use the randomly generated secrets in secrets/live.

[DonRichards]

@joshdentremont Feel free to test this now. I think it covers everything we talked about.

[joshdentremont]

@DonRichards sha1sum is not installed on macOS. When I run make local with USE_SECRETS=false I get a bunch of warnings like this:
scripts/check-secrets.sh: line 100: sha1sum: command not found
and it tells me I am using the default secrets

Also, I think we might want to change the name of the USE_SECRETS variable since it no longer does the same thing as it used to and this could confuse people. Maybe we should rename it to USE_CUSTOM_SECRETS or something like that?

[DonRichards]

OK, I'll make the change.

[DonRichards]

@joshdentremont Give this a try. I switched it to MD5 which is more common and a default for linux mac.

[joshdentremont]

Same problem
scripts/check-secrets.sh: line 100: md5sum: command not found

[joshdentremont]

Looks like Mac has a program called md5 that does the same thing
https://stackoverflow.com/questions/8996820/how-to-create-md5-hash-in-bash-in-mac-os-x
https://security.stackexchange.com/questions/65499/difference-between-os-x-md5-and-gnu-md5sum

[DonRichards]

I added a OS check since in linux the command is md5sum and OSX is just md5. I switched the Linux version back to sha1sum and OSX to MD5. Also added a bypass for anyone that wants a CICD script to generate new secrets by passing yes into the script directly bash scripts/check-secrets.sh yes. It won't impact other functionality. 1 moment and I'll push this. Github is taking a long time.

[DonRichards]

OK, @joshdentremont it's ready.

[joshdentremont]

It's telling me I'm using default secrets when I'm not. I think this is because of the following
> md5 secrets/template/DRUPAL_DEFAULT_ACCOUNT_PASSWORD
MD5 (secrets/template/DRUPAL_DEFAULT_ACCOUNT_PASSWORD) = 5f4dcc3b5aa765d61d8327deb882cf99
> md5 secrets/template/DRUPAL_DEFAULT_ACCOUNT_PASSWORD | awk '{print $1}'
MD5

I think what you want for MD5 is this (print $4 instead of print $1):
> md5 secrets/template/DRUPAL_DEFAULT_ACCOUNT_PASSWORD | awk '{print $4}'
5f4dcc3b5aa765d61d8327deb882cf99

[DonRichards]

Yeah, made an assumption there. OK. I switched MACs to the failsafe so that I'm not duplicated more code or spending too much time on this. So basically it will compare the cat output for either file. Lets give this one a try.

[joshdentremont]

Tested with USE_SECRETS=false and it created the randomly generated secrets but does not use them. I wonder if we should stop if from generating them when it's set to false? This probably doesn't matter but it has confused me in the past.

I also misunderstood how you had set this up so you can ignore my earlier comments about renaming USE_SECRETS. I thought you had made it so USE_SECRETS=false was the way to use randomly generated secrets.

Trying with USE_SECRETS=true and got this issue:
'Uses Secrets' is set to 'true'.
Starting scripts/check-secrets.sh
ls: illegal option -- I
usage: ls [-@ABCFGHLOPRSTUWabcdefghiklmnopqrstuwx1%] [file ...]
This seems to be another Mac difference, and is set on this line: https://github.com/Islandora-Devops/isle-dc/pull/226/files#diff-019c27b7e1851c31b7dff95fc6645cb2aabe7d3642de7128aca156872fb6721cR61

I think you can just drop the -I because ls will not list hidden files anyway unless you give it the -a option. I removed it and things seem to run as intended

Another issue I see is that I changed only the drupal account password and it's still telling me I am using the default. I don't know if there's a check for individual ones or if it just outputs all the secrets when any of them are using the defaults.

[joshdentremont]

Setting USE_SECRETS=true then saying no to generating and copying secrets causes the build to quit and no secrets to be generated.

Setting USE_SECRETS=true then accepting random secrets seems to work as intended.

Setting USE_SECRETS=true then using the defaults seems to work as intended. It exits the first time to give you opportunity to replace the defaults, and if you don't it gives the appropriate warnings

Setting USE_SECRETS=true then overwriting the defaults also works as intended and uses the custom secrets without warnings.

I would say this is all working except for the ls -I issue and the fact that it seems to be all or nothing with checking whether some secrets are set to the default.

[DonRichards]

@joshdentremont I can remove the "i" part of that command. As for changing the admin password, if you're using the make to change the password it should update that file. If you're changing the password within Drupal directly it does not output the password to the file and won't be able to track updated passwords like that.
One of the pros to always having this run upon build is it will always warn the user if they are using defaults and/or if they're missing newly created secrets.

[DonRichards]

@joshdentremont Ready to check

[DonRichards]

I'll give that a try and push as soon as I can.

[DonRichards]

@joshdentremont OK, ready.

[joshdentremont]

@DonRichards Looks good now.

[DonRichards]

Ready for testing

[misilot]

This worked for me, to not stop on existing secrets being there. ❤️

[misilot]

Might want to also mention that they should be sure to set

to the value of DRUPAL_DEFAULT_SALT to $settings['hash_salt'] in codebase/web/sites/default/settings.php and the value of DRUPAL_DEFAULT_DB_PASSWORD to the value $databases['default']['default']['password'] in the same file (it's actually in the file twice??)

Or maybe we should use the file path option instead of parsing it into the file? $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');

[misilot]

Also will a make up update passwords if they are created after a make local or make up?

[DonRichards]

I only see $databases['default']['default']['password'] once in my install.

I just pushed a warning to the user to manually update their settings.php file when it notices a difference between the secrets/live/DRUPAL_DEFAULT_SALT and web/sites/default/settings.php file. I felt like it might take too long to try to automatically do this for the user and restart their container because this script is running on the local and we'd need to account for Mac command discrepancies.

[misilot]

It looks like it was my older version had some extra things in there

[misilot]

I also think it might be worth at somepoint just creating secrets or using existing ones going forward, and not, not having them. ie "USE_SECRETS" goes away except maybe as a legacy option for existing systems? (expert option?)

[seth-shaw-unlv]

The last test for the missing secret prompt didn't work when I tested this morning:

~/isle-dc$ rm secrets/live/DRUPAL_DEFAULT_DB_PASSWORD
~/isle-dc$ make up
WARNING: Some services (activemq, alpaca, blazegraph, cantaloupe, crayfits, drupal, fcrepo, fits, homarus, houdini, hypercube, mariadb, matomo, milliner, recast, solr, traefik) use the 'deploy' key, which will be ignored. Compose does not support 'deploy' configuration - use `docker stack deploy` to deploy to a swarm.
WARNING: Service "drupal" uses an undefined secret file "/home/sshaw/isle-dc/secrets/live/DRUPAL_DEFAULT_DB_PASSWORD", the following file should be created "/home/sshaw/isle-dc/secrets/live/DRUPAL_DEFAULT_DB_PASSWORD"

I should also note that the requests for make demo don't result in a working site anyway, but that is probably a separate issue.

[DonRichards]

@misilot @seth-shaw-unlv This is ready to test again.

[seth-shaw-unlv]

In the section "Testing auto generate secrets with USE_SECRETS is set to true" it indicates that after selecting "yes" one should run "make up" again. However, the script simply continues running the "make demo". Is that the expected behavior, @DonRichards?

[DonRichards]

No. I don't believe so. Let me double-check now

[DonRichards]

@seth-shaw-unlv Sorry, yes, that's correct—this way new people can build right away with as few steps as possible. But if a person is only copying files over, I assume it's for a purpose (to add their passwords to the files).

[DonRichards]

Oh, and it should ask the user if they want to exit when they opt for copying the defaults over.

[seth-shaw-unlv]

👍