Use safer default values

scripts/st2bootstrap-deb.sh

@@ -105,6 +105,11 @@ setup_args() {
     echo "Press \"ENTER\" to continue or \"CTRL+C\" to exit/abort"
     read -e -p "Admin username: " -i "st2admin" USERNAME
     read -e -s -p "Password: " PASSWORD
+
+    if [ "${PASSWORD}" = '' ]; then
+        echo "Password cannot be empty."
+        exit 1
+    fi
   fi
 }
 
@@ -173,14 +178,33 @@ check_st2_host_dependencies() {
   fi
 }
 
+generate_random_passwords() {
+  # Generate random password used for MongoDB and PostgreSQL user authentication
+  ST2_MONGODB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+  ST2_POSTGRESQL_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+}
+
 install_st2_dependencies() {
   sudo apt-get update
 
   # Note: gnupg-curl is needed to be able to use https transport when fetching keys
   sudo apt-get install -y gnupg-curl
   sudo apt-get install -y curl
   sudo apt-get install -y rabbitmq-server
+
+  # Configure RabbitMQ to listen on localhost only
+  sudo sh -c 'echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >> /etc/rabbitmq/rabbitmq-env.conf'
+
+  if [[ "$SUBTYPE" == 'xenial' ]]; then
+    sudo systemctl restart rabbitmq-server
+  else
+    sudo service rabbitmq-server restart
+  fi
+
+  # Various other dependencies needed by st2 and installer script
+  sudo apt-get install -y crudini
 }
+
 install_mongodb() {
   # Add key and repo for the latest stable MongoDB (3.2)
   sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
@@ -189,11 +213,55 @@ install_mongodb() {
   sudo apt-get update
   sudo apt-get install -y mongodb-org
 
+  # Configure MongoDB to listen on localhost only
+  sudo sed -i -e "s#bindIp:.*#bindIp: 127.0.0.1#g" /etc/mongod.conf
+
   if [[ "$SUBTYPE" == 'xenial' ]]; then
     sudo systemctl enable mongod
     sudo systemctl start mongod
+  else
+    sudo service mongod restart
   fi
+
+  sleep 5
+
+  # Create admin user and user used by StackStorm (MongoDB needs to be running)
+  mongo <<EOF
+use admin;
+db.createUser({
+    user: "admin",
+    pwd: "${ST2_MONGODB_PASSWORD}",
+    roles: [
+        { role: "userAdminAnyDatabase", db: "admin" }
+    ]
+});
+quit();
+EOF
+
+  mongo <<EOF
+use st2;
+db.createUser({
+    user: "stackstorm",
+    pwd: "${ST2_MONGODB_PASSWORD}",
+    roles: [
+        { role: "readWrite", db: "st2" }
+    ]
+});
+quit();
+EOF
+
+  # Require authentication to be able to acccess the database
+  sudo sh -c 'echo "security:\n  authorization: enabled" >> /etc/mongod.conf'
+
+  # MongoDB needs to be restarted after enabling auth
+  if [[ "$SUBTYPE" == 'xenial' ]]; then
+    sudo systemctl restart mongod
+  else
+    sudo service mongod restart
+  fi
+
 }
+
 get_full_pkg_versions() {
   if [ "$VERSION" != '' ];
   then
@@ -255,7 +323,11 @@ install_st2() {
     sudo apt-get install -yf
     rm ${PACKAGE_FILENAME}
   fi
-
+
+  # Configure [database] section in st2.conf (username password for MongoDB access)
+  sudo crudini --set /etc/st2/st2.conf database username "stackstorm"
+  sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"
+
   sudo st2ctl start
   sleep 5
   sudo st2ctl reload --register-all
@@ -290,8 +362,8 @@ configure_st2_user () {
 }
 
 configure_st2_authentication() {
-  # Install htpasswd and tool for editing ini files
-  sudo apt-get install -y apache2-utils crudini
+  # Install htpasswd tool for editing ini files
+  sudo apt-get install -y apache2-utils
 
   # Create a user record in a password file.
   sudo echo "${PASSWORD}" | sudo htpasswd -i /etc/st2/htpasswd $USERNAME
@@ -371,8 +443,13 @@ generate_symmetric_crypto_key_for_datastore() {
 install_st2mistral_depdendencies() {
   sudo apt-get install -y postgresql
 
+  # Configure service only listens on localhost
+  sudo crudini --set /etc/postgresql/*/main/postgresql.conf '' listen_addresses "'127.0.0.1'"
+
+  sudo service postgresql restart
+
   cat << EHD | sudo -u postgres psql
-CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
+CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD '${ST2_POSTGRESQL_PASSWORD}';
 CREATE DATABASE mistral OWNER mistral;
 EHD
 }
@@ -391,8 +468,12 @@ install_st2mistral() {
     rm ${PACKAGE_FILENAME}
   fi
 
+  # Configure database settings
+  sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@127.0.0.1/mistral"
+
   # Setup Mistral DB tables, etc.
   /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
+
   # Register mistral actions
   /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate
 
@@ -527,6 +608,7 @@ ok_message() {
 trap 'fail' EXIT
 STEP="Setup args" && setup_args $@
 STEP="Check TCP ports and MongoDB storage requirements" && check_st2_host_dependencies
+STEP="Generate random password" && generate_random_passwords
 STEP="Install st2 dependencies" && install_st2_dependencies
 STEP="Install st2 dependencies (MongoDB)" && install_mongodb
 STEP="Install st2" && install_st2

scripts/st2bootstrap-el6.sh

@@ -95,6 +95,11 @@ setup_args() {
     echo "Press \"ENTER\" to continue or \"CTRL+C\" to exit/abort"
     read -e -p "Admin username: " -i "st2admin" USERNAME
     read -e -s -p "Password: " PASSWORD
+
+    if [ "${PASSWORD}" = '' ]; then
+        echo "Password cannot be empty."
+        exit 1
+    fi
   fi
 }
 
@@ -258,14 +263,27 @@ check_st2_host_dependencies() {
   fi
 }
 
+generate_random_passwords() {
+  # Generate random password used for MongoDB and PostgreSQL user authentication
+  ST2_MONGODB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+  ST2_POSTGRESQL_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 ; echo '')
+}
+
 install_st2_dependencies() {
   is_epel_installed=$(rpm -qa | grep epel-release || true)
   if [[ -z "$is_epel_installed" ]]; then
     sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
   fi
   sudo yum -y install curl rabbitmq-server
+
+  # Configure RabbitMQ to listen on localhost only
+  sudo sh -c 'echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >> /etc/rabbitmq/rabbitmq-env.conf'
+
   sudo service rabbitmq-server start
   sudo chkconfig rabbitmq-server on
+
+  # Various other dependencies needed by st2 and installer script
+  sudo yum -y install crudini
 }
 
 install_mongodb() {
@@ -281,8 +299,45 @@ gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc
 EOT"
 
   sudo yum -y install mongodb-org
+
+  # Configure MongoDB to listen on localhost only
+  sudo sed -i -e "s#bindIp:.*#bindIp: 127.0.0.1#g" /etc/mongod.conf
+
   sudo service mongod start
   sudo chkconfig mongod on
+
+  sleep 5
+
+  # Create admin user and user used by StackStorm (MongoDB needs to be running)
+  mongo <<EOF
+use admin;
+db.createUser({
+    user: "admin",
+    pwd: "${ST2_MONGODB_PASSWORD}",
+    roles: [
+        { role: "userAdminAnyDatabase", db: "admin" }
+    ]
+});
+quit();
+EOF
+
+  mongo <<EOF
+use st2;
+db.createUser({
+    user: "stackstorm",
+    pwd: "${ST2_MONGODB_PASSWORD}",
+    roles: [
+        { role: "readWrite", db: "st2" }
+    ]
+});
+quit();
+EOF
+
+  # Require authentication to be able to acccess the database
+  sudo sh -c 'echo -e "security:\n  authorization: enabled" >> /etc/mongod.conf'
+
+  # MongoDB needs to be restarted after enabling auth
+  sudo service mongod restart
 }
 
 install_st2() {
@@ -297,6 +352,10 @@ install_st2() {
     sudo yum -y install ${PACKAGE_URL}
   fi
 
+  # Configure [database] section in st2.conf (username password for MongoDB access)
+  sudo crudini --set /etc/st2/st2.conf database username "stackstorm"
+  sudo crudini --set /etc/st2/st2.conf database password "${ST2_MONGODB_PASSWORD}"
+
   sudo st2ctl start
   sleep 5
   sudo st2ctl reload --register-all
@@ -328,8 +387,8 @@ configure_st2_user() {
 }
 
 configure_st2_authentication() {
-  # Install htpasswd and tool for editing ini files
-  sudo yum -y install httpd-tools crudini
+  # Install htpasswd tool
+  sudo yum -y install httpd-tools
 
   # Create a user record in a password file.
   sudo htpasswd -bs /etc/st2/htpasswd $USERNAME $PASSWORD
@@ -444,6 +503,9 @@ install_st2mistral_depdendencies() {
   # Setup postgresql at a first time
   sudo service postgresql-9.4 initdb
 
+  # Configure service only listens on localhost
+  sudo sh -c "echo \"listen_addresses = '127.0.0.1'\" >> /var/lib/pgsql/9.4/data/postgresql.conf"
+
   # Make localhost connections to use an MD5-encrypted password for authentication
   sudo sed -i "s/\(host.*all.*all.*127.0.0.1\/32.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf
   sudo sed -i "s/\(host.*all.*all.*::1\/128.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf
@@ -453,7 +515,7 @@ install_st2mistral_depdendencies() {
   sudo chkconfig postgresql-9.4 on
 
   cat << EHD | sudo -u postgres psql
-CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
+CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD '${ST2_POSTGRESQL_PASSWORD}';
 CREATE DATABASE mistral OWNER mistral;
 EHD
 }
@@ -468,8 +530,12 @@ install_st2mistral() {
     sudo yum -y install ${PACKAGE_URL}
   fi
 
+  # Configure database settings
+  sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@127.0.0.1/mistral"
+
   # Setup Mistral DB tables, etc.
   /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
+
   # Register mistral actions
   /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate
 
@@ -580,6 +646,7 @@ STEP="Check TCP ports and MongoDB storage requirements" && check_st2_host_depend
 STEP='Check libffi-devel availability' && check_libffi_devel
 STEP='Adjust SELinux policies' && adjust_selinux_policies
 STEP='Install repoquery tool' && install_yum_utils
+STEP="Generate random password" && generate_random_passwords
 
 STEP="Install st2 dependencies" && install_st2_dependencies
 STEP="Install st2 dependencies (MongoDB)" && install_mongodb