Update overrides and generate_passwords.py

ckan · Sep 12, 2023 · 27bae40 · 27bae40
1 parent 5f2951b
commit 27bae40
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/ckan/setup/prerun.py.override b/ckan/setup/prerun.py.override
@@ -194,6 +194,13 @@ def create_sysadmin():
         subprocess.call(command)
         print("[prerun] Made user {0} a sysadmin".format(name))
 
+        # cleanup permissions
+        # We're running as root before pivoting to uwsgi and dropping privs
+        data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH']
+
+        command = ["chown", "-R", "ckan:ckan", data_dir]
+        subprocess.call(command)
+        print("[prerun] Ensured storage directory is owned by ckan")
 
 if __name__ == "__main__":
 

diff --git a/ckan/setup/start_ckan.sh.override b/ckan/setup/start_ckan.sh.override
@@ -16,7 +16,7 @@ then
 fi
 
 # Run the prerun script to init CKAN and create the default admin user
-sudo -u ckan -EH python3 prerun.py
+python3 prerun.py
 
 echo "Set up ckan.datapusher.api_token in the CKAN config file"
 ckan config-tool $CKAN_INI "ckan.datapusher.api_token=$(ckan -c $CKAN_INI user token add ckan_admin datapusher | tail -n 1 | tr -d '\t')"
@@ -51,7 +51,7 @@ then
     # Start supervisord
     supervisord --configuration /etc/supervisord.conf &
     # Start uwsgi
-    sudo -u ckan -EH uwsgi $UWSGI_OPTS
+    uwsgi $UWSGI_OPTS
 else
   echo "[prerun] failed...not starting CKAN."
 fi
diff --git a/generate_passwords.py b/generate_passwords.py
@@ -6,7 +6,7 @@
 vn = {}
 
 pwvars = ["POSTGRES_PASSWORD", "CKAN_DB_PASSWORD", "DATASTORE_READONLY_PASSWORD","CKAN_SYSADMIN_PASSWORD", \
-            "CKAN___BEAKER__SESSION__SECRET","CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
+            "CKAN___BEAKER__SESSION__SECRET"]
 
 print("\n[setup_passwords] attempting to setup secure passwords")
 
@@ -19,18 +19,24 @@
       vn[pwvar] = pw
 
 
+# Set up the environment variables from the values in the .pw file
 POSTGRES_PASSWORD = vn["POSTGRES_PASSWORD"]
 CKAN_DB_PASSWORD = vn["CKAN_DB_PASSWORD"]
 DATASTORE_READONLY_PASSWORD = vn["DATASTORE_READONLY_PASSWORD"]
 CKAN_SYSADMIN_PASSWORD = vn["CKAN_SYSADMIN_PASSWORD"]
 CKAN___BEAKER__SESSION__SECRET = vn["CKAN___BEAKER__SESSION__SECRET"]
-CKAN___API_TOKEN__JWT__ENCODE__SECRET = vn["CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
-CKAN___API_TOKEN__JWT__DECODE__SECRET = vn["CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
 
-# Write the same secret for decoding as encoding
+# The API_TOKEN is a JWT token, which is a special case
+jwtpw = secrets.token_urlsafe(plen)
+
 with open(fn, 'a') as f:
-    f.write(f"CKAN___API_TOKEN__JWT__DECODE__SECRET={CKAN___API_TOKEN__JWT__DECODE__SECRET}\n")
+    f.write(f"CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:" + str(jwtpw) + "\n")
+    f.write(f"CKAN___API_TOKEN__JWT__DECODE__SECRET=string:" + str(jwtpw) + "\n")
+
+CKAN___API_TOKEN__JWT__ENCODE__SECRET = "string:" + str(jwtpw)
+CKAN___API_TOKEN__JWT__DECODE__SECRET = "string:" + str(jwtpw)
 
+# Now the database URL's which include the password generated above
 CKAN_DB_USER = os.environ.get('CKAN_DB_USER')
 CKAN_DB = os.environ.get('CKAN_DB')
 DATASTORE_DB_USER = os.environ.get('DATASTORE_DB_USER')