Enable hashed passwords with PowerShell

- PR #929 introduced the ability to generate passwords for the gateway admin user, this is a good step forwards for Windows users. It did introduce an inconsistency in the format that passwords are stored by not using a form of hashing. Hashing of secrets is used extensively within OpenFaaS/OpenFaaS Cloud whether with Swarm or Kubernetes via helm. If there are concerns about using a hashed value for a password I would suggest raising an issue to track this and have any decision we make applied for all users (not just PowerShell users). As a compromise I've introduced hashing by default and added a new flag called -noHash which can be used to replicate the behaviour of the original PR. After feedback from other contributors I also looked into whether the flag syntax could match the existing syntax but left this as is. Bash will use --no-auth and PowerShell will use --noAuth. This was tested on Docker Swarm on Windows. Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
openfaas · Nov 4, 2018 · 1694313 · 1694313
1 parent 47a834c
commit 1694313
Showing 1 changed file with 92 additions and 76 deletions.
diff --git a/deploy_stack.ps1 b/deploy_stack.ps1
@@ -1,76 +1,92 @@
-#!ps1
-
-param (
-    [switch] $noAuth,
-    [switch] $n,
-    [switch] $help,
-    [switch] $h
-)
-
-if ($help -Or $h) {
-    Write-Host "Usage: "
-    Write-Host " [default]`tdeploy the OpenFaaS core services"
-    Write-Host " -noAuth [-n]`tdisable basic authentication"
-    Write-Host " -help [-h]`tdisplays this screen"
-    Exit
-}
-
-if (Get-Command docker -errorAction SilentlyContinue)
-{
-    docker node ls 2>&1 | out-null
-    if(-Not $?)
-    {
-        throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry"
-    }
-
-    Add-Type -AssemblyName System.Web
-    $secret = [System.Web.Security.Membership]::GeneratePassword(24,5)
-    $user = 'admin'
-
-    Write-Host "Attempting to create credentials for gateway.."
-    $user_secret = "basic-auth-user"
-    docker secret inspect $user_secret 2>&1 | out-null
-    if($?)
-    {
-        Write-Host "$user_secret secret exists"
-    }
-    else
-    {
-        $user | docker secret create $user_secret - | out-null
-    }
-
-    $password_secret = "basic-auth-password"
-    docker secret inspect $password_secret 2>&1 | out-null
-    if($?)
-    {
-        Write-Host "$password_secret secret exists"
-    }
-    else
-    {
-        $secret | docker secret create $password_secret - | out-null
-        Write-Host "[Credentials]"
-        Write-Host " username: admin"
-        Write-Host " password: $secret"
-        Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin"
-    }
-
-    if ($noAuth -Or $n) {
-        Write-Host ""
-        Write-Host "Disabling basic authentication for gateway.."
-        Write-Host ""
-        $env:BASIC_AUTH="false";
-    }
-    else 
-    {
-        Write-Host ""
-        Write-Host "Enabling basic authentication for gateway.."
-        Write-Host ""
-    }
-
-    Write-Host "Deploying OpenFaaS core services"
-    docker stack deploy func --compose-file ./docker-compose.yml
-}
-else
-{
-    throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry"
-}
+#!ps1
+
+param (
+    [switch] $noAuth,
+    [switch] $noHash,
+    [switch] $n,
+    [switch] $help,
+    [switch] $h
+)
+
+if ($help -Or $h) {
+    Write-Host "Usage: "
+    Write-Host " [default]`tdeploy the OpenFaaS core services"
+    Write-Host " -noAuth [-n]`tdisable basic authentication"
+    Write-Host " -noHash`tprevents the password from being hashed (optional)"
+    Write-Host " -help [-h]`tdisplays this screen"
+    Exit
+}
+
+if (Get-Command docker -errorAction SilentlyContinue)
+{
+    docker node ls 2>&1 | out-null
+    if(-Not $?)
+    {
+        throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry"
+    }
+
+    # AE: would be nice to avoid this dependency.
+    Add-Type -AssemblyName System.Web
+    $password = [System.Web.Security.Membership]::GeneratePassword(24,5)
+    $secret = ""
+
+    if (-Not $noHash)
+    {
+        $sha256 = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
+        $hash = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($password))
+
+        $secret = [System.BitConverter]::ToString($hash).Replace('-', '').toLower()
+    } else {
+        $secret =$password 
+    }
+
+    $user = 'admin'
+
+    Write-Host "Attempting to create credentials for gateway.."
+    $user_secret = "basic-auth-user"
+    docker secret inspect $user_secret 2>&1 | out-null
+    if($?)
+    {
+        Write-Host "$user_secret secret exists"
+    }
+    else
+    {
+        $user | docker secret create $user_secret - | out-null
+    }
+
+    $password_secret = "basic-auth-password"
+    docker secret inspect $password_secret 2>&1 | out-null
+    if($?)
+    {
+        Write-Host "$password_secret secret exists"
+    }
+    else
+    {
+        $secret | docker secret create $password_secret - | out-null
+        Write-Host "[Credentials]"
+        Write-Host " username: admin"
+        Write-Host " password: $secret"
+        Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin"
+    }
+
+    if ($noAuth -Or $n) {
+        Write-Host ""
+        Write-Host "Disabling basic authentication for gateway.."
+        Write-Host ""
+        $env:BASIC_AUTH="false";
+    }
+    else 
+    {
+        Write-Host ""
+        Write-Host "Enabling basic authentication for gateway.."
+        Write-Host ""
+    }
+
+    Write-Host "Deploying OpenFaaS core services"
+    docker stack deploy func --compose-file ./docker-compose.yml  --orchestrator swarm
+}
+else
+{
+    throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry"
+}
+