From 27bae40efb59aad19fbd0064f0e913a5c20f0c40 Mon Sep 17 00:00:00 2001
From: Brett
Date: Tue, 12 Sep 2023 14:19:22 +0200
Subject: [PATCH] Update overrides and generate_passwords.py
---
 ckan/setup/prerun.py.override | 7 +++++++
 ckan/setup/start_ckan.sh.override | 4 ++--
 generate_passwords.py | 16 +++++++++++-----
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/ckan/setup/prerun.py.override b/ckan/setup/prerun.py.override
index 3d686969..d8b79219 100644
--- a/ckan/setup/prerun.py.override
+++ b/ckan/setup/prerun.py.override
@@ -194,6 +194,13 @@ def create_sysadmin():
 subprocess.call(command)
 print("[prerun] Made user {0} a sysadmin".format(name))
+ # cleanup permissions
+ # We're running as root before pivoting to uwsgi and dropping privs
+ data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH']
+
+ command = ["chown", "-R", "ckan:ckan", data_dir]
+ subprocess.call(command)
+ print("[prerun] Ensured storage directory is owned by ckan")
 if __name__ == "__main__":
diff --git a/ckan/setup/start_ckan.sh.override b/ckan/setup/start_ckan.sh.override
index 0c8409c9..5927deac 100755
--- a/ckan/setup/start_ckan.sh.override
+++ b/ckan/setup/start_ckan.sh.override
@@ -16,7 +16,7 @@ then
 fi
 # Run the prerun script to init CKAN and create the default admin user
-sudo -u ckan -EH python3 prerun.py
+python3 prerun.py
 echo "Set up ckan.datapusher.api_token in the CKAN config file"
 ckan config-tool $CKAN_INI "ckan.datapusher.api_token=$(ckan -c $CKAN_INI user token add ckan_admin datapusher | tail -n 1 | tr -d '\t')"
@@ -51,7 +51,7 @@ then
 # Start supervisord
 supervisord --configuration /etc/supervisord.conf &
 # Start uwsgi
- sudo -u ckan -EH uwsgi $UWSGI_OPTS
+ uwsgi $UWSGI_OPTS
 else
 echo "[prerun] failed...not starting CKAN."
 fi
diff --git a/generate_passwords.py b/generate_passwords.py
index 9db22f3d..3a474a38 100644
--- a/generate_passwords.py
+++ b/generate_passwords.py
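Review bot: The exit status of the new `chown -R` is discarded — `subprocess.call(command)` returns it but nothing checks it, so a failed chown (missing directory, read-only volume) still prints `[prerun] Ensured storage directory is owned by ckan` and start-up proceeds as if the permissions were fixed. Replacing that line with `subprocess.check_call(command)` makes the failure visible and lets the caller's "prerun failed" path take over. `os.environ['CKAN_STORAGE_PATH']` raises a bare KeyError when the variable is unset, which now happens as root after the sysadmin has already been created; `os.environ.get` plus an explicit error message would fail earlier and more clearly. A recursive chown run as root over a path taken from the environment is also wider than the "cleanup" comment suggests — if only files prerun itself wrote need fixing, a non-recursive chown of the directory and those files is the narrower change. create_sysadmin() starts outside the hunk.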
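Review bot: Dropping `sudo -u ckan -EH` here runs the whole of prerun.py as root, not just the storage chown the other file adds; per the comment above it the script initialises CKAN and creates the admin user, neither of which needs root, and anything prerun creates outside `$CKAN_STORAGE_PATH/storage` will now be root-owned instead. A narrower option is to keep `sudo -u ckan -EH python3 prerun.py` and run `chown -R ckan:ckan "$CKAN_STORAGE_PATH/storage"` as a separate root step in this script immediately before it, so the Python side never holds elevated privileges while it talks to the database with the generated secrets. The enclosing `if`/`fi` starts outside the hunk.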
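Review bot: Removing `sudo -u ckan -EH` from the uwsgi line launches the application server as root; the prerun comment talks about "pivoting to uwsgi and dropping privs", but nothing in this hunk drops them — that only happens if `$UWSGI_OPTS`, defined outside the hunk, carries `--uid ckan --gid ckan`. If it does not, any code-execution bug in CKAN is now a root compromise of the container, and the storage chown in prerun becomes moot. Either restore `sudo -u ckan -EH uwsgi $UWSGI_OPTS` or make the privilege drop explicit on this line, e.g. `uwsgi --uid ckan --gid ckan $UWSGI_OPTS`, so a reader of the start script can see it without chasing the option string. The `if`/`else` enclosing this line starts outside the hunk.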
@@ -6,7 +6,7 @@ vn = {}
 pwvars = ["POSTGRES_PASSWORD", "CKAN_DB_PASSWORD", "DATASTORE_READONLY_PASSWORD","CKAN_SYSADMIN_PASSWORD", \
- "CKAN___BEAKER__SESSION__SECRET","CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
+ "CKAN___BEAKER__SESSION__SECRET"]
 print("\n[setup_passwords] attempting to setup secure passwords")
@@ -19,18 +19,24 @@ vn[pwvar] = pw
+# Set up the environment variables from the values in the .pw file
 POSTGRES_PASSWORD = vn["POSTGRES_PASSWORD"]
 CKAN_DB_PASSWORD = vn["CKAN_DB_PASSWORD"]
 DATASTORE_READONLY_PASSWORD = vn["DATASTORE_READONLY_PASSWORD"]
 CKAN_SYSADMIN_PASSWORD = vn["CKAN_SYSADMIN_PASSWORD"]
 CKAN___BEAKER__SESSION__SECRET = vn["CKAN___BEAKER__SESSION__SECRET"]
-CKAN___API_TOKEN__JWT__ENCODE__SECRET = vn["CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
-CKAN___API_TOKEN__JWT__DECODE__SECRET = vn["CKAN___API_TOKEN__JWT__ENCODE__SECRET"]
-# Write the same secret for decoding as encoding
+# The API_TOKEN is a JWT token, which is a special case
+jwtpw = secrets.token_urlsafe(plen)
+
 with open(fn, 'a') as f:
- f.write(f"CKAN___API_TOKEN__JWT__DECODE__SECRET={CKAN___API_TOKEN__JWT__DECODE__SECRET}\n")
+ f.write(f"CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:" + str(jwtpw) + "\n")
+ f.write(f"CKAN___API_TOKEN__JWT__DECODE__SECRET=string:" + str(jwtpw) + "\n")
+
+CKAN___API_TOKEN__JWT__ENCODE__SECRET = "string:" + str(jwtpw)
+CKAN___API_TOKEN__JWT__DECODE__SECRET = "string:" + str(jwtpw)
+
 # Now the database URL's which include the password generated above
 CKAN_DB_USER = os.environ.get('CKAN_DB_USER')
 CKAN_DB = os.environ.get('CKAN_DB')
 DATASTORE_DB_USER = os.environ.get('DATASTORE_DB_USER')
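Review bot: The new `jwtpw = secrets.token_urlsafe(plen)` line ties the JWT signing secret to the generic password length `plen`, which is defined outside this hunk; the `string:` prefix written on the following lines indicates a symmetric HMAC key, and for HS256 RFC 7518 requires a key at least as long as the hash output, so if `plen` is below 32 the token signing key is weaker than the algorithm — `secrets.token_urlsafe(max(plen, 32))` guards that without changing the other passwords. The prefixed value is then built four separate times; computing it once as `jwt_secret = "string:" + jwtpw` and using that for both writes and both module variables keeps encode and decode provably identical and also removes the placeholder-less `f"..."` prefixes and the redundant `str()` on a value that is already a str. `fn` is opened for append, so a second run would append a second pair of secrets behind the first, and whether the file's mode keeps these secrets unreadable by other users is not visible from this hunk. The assignments from `CKAN_DB_USER` onward continue outside the hunk.
```python
# The API_TOKEN is a JWT token, which is a special case.
# HS256 needs a key at least as long as the hash output (32 bytes).
jwtpw = secrets.token_urlsafe(max(plen, 32))
jwt_secret = "string:" + jwtpw

with open(fn, 'a') as f:
    f.write(f"CKAN___API_TOKEN__JWT__ENCODE__SECRET={jwt_secret}\n")
    f.write(f"CKAN___API_TOKEN__JWT__DECODE__SECRET={jwt_secret}\n")

CKAN___API_TOKEN__JWT__ENCODE__SECRET = jwt_secret
CKAN___API_TOKEN__JWT__DECODE__SECRET = jwt_secret
# … unchanged: database URL assignments …
```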