Enable hashed passwords with PowerShell
- PR #929 introduced the ability to generate passwords for the gateway admin user, this is a good step forwards for Windows users. It did introduce an inconsistency in the format that passwords are stored by not using a form of hashing. Hashing of secrets is used extensively within OpenFaaS/OpenFaaS Cloud whether with Swarm or Kubernetes via helm. If there are concerns about using a hashed value for a password I would suggest raising an issue to track this and have any decision we make applied for all users (not just PowerShell users). As a compromise I've introduced hashing by default and added a new flag called -noHash which can be used to replicate the behaviour of the original PR. After feedback from other contributors I also looked into whether the flag syntax could match the existing syntax but left this as is. Bash will use --no-auth and PowerShell will use --noAuth. This was tested on Docker Swarm on Windows. Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
Showing
1 changed file
with
92 additions
and
76 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,76 +1,92 @@ | ||
#!ps1 | ||
|
||
param ( | ||
[switch] $noAuth, | ||
[switch] $n, | ||
[switch] $help, | ||
[switch] $h | ||
) | ||
|
||
if ($help -Or $h) { | ||
Write-Host "Usage: " | ||
Write-Host " [default]`tdeploy the OpenFaaS core services" | ||
Write-Host " -noAuth [-n]`tdisable basic authentication" | ||
Write-Host " -help [-h]`tdisplays this screen" | ||
Exit | ||
} | ||
|
||
if (Get-Command docker -errorAction SilentlyContinue) | ||
{ | ||
docker node ls 2>&1 | out-null | ||
if(-Not $?) | ||
{ | ||
throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry" | ||
} | ||
|
||
Add-Type -AssemblyName System.Web | ||
$secret = [System.Web.Security.Membership]::GeneratePassword(24,5) | ||
$user = 'admin' | ||
|
||
Write-Host "Attempting to create credentials for gateway.." | ||
$user_secret = "basic-auth-user" | ||
docker secret inspect $user_secret 2>&1 | out-null | ||
if($?) | ||
{ | ||
Write-Host "$user_secret secret exists" | ||
} | ||
else | ||
{ | ||
$user | docker secret create $user_secret - | out-null | ||
} | ||
|
||
$password_secret = "basic-auth-password" | ||
docker secret inspect $password_secret 2>&1 | out-null | ||
if($?) | ||
{ | ||
Write-Host "$password_secret secret exists" | ||
} | ||
else | ||
{ | ||
$secret | docker secret create $password_secret - | out-null | ||
Write-Host "[Credentials]" | ||
Write-Host " username: admin" | ||
Write-Host " password: $secret" | ||
Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin" | ||
} | ||
|
||
if ($noAuth -Or $n) { | ||
Write-Host "" | ||
Write-Host "Disabling basic authentication for gateway.." | ||
Write-Host "" | ||
$env:BASIC_AUTH="false"; | ||
} | ||
else | ||
{ | ||
Write-Host "" | ||
Write-Host "Enabling basic authentication for gateway.." | ||
Write-Host "" | ||
} | ||
|
||
Write-Host "Deploying OpenFaaS core services" | ||
docker stack deploy func --compose-file ./docker-compose.yml | ||
} | ||
else | ||
{ | ||
throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry" | ||
} | ||
#!ps1 | ||
|
||
param ( | ||
[switch] $noAuth, | ||
[switch] $noHash, | ||
[switch] $n, | ||
[switch] $help, | ||
[switch] $h | ||
) | ||
|
||
if ($help -Or $h) { | ||
Write-Host "Usage: " | ||
Write-Host " [default]`tdeploy the OpenFaaS core services" | ||
Write-Host " -noAuth [-n]`tdisable basic authentication" | ||
Write-Host " -noHash`tprevents the password from being hashed (optional)" | ||
Write-Host " -help [-h]`tdisplays this screen" | ||
Exit | ||
} | ||
|
||
if (Get-Command docker -errorAction SilentlyContinue) | ||
{ | ||
docker node ls 2>&1 | out-null | ||
if(-Not $?) | ||
{ | ||
throw "Docker not in swarm mode, please initialise the cluster (`docker swarm init`) and retry" | ||
} | ||
|
||
# AE: would be nice to avoid this dependency. | ||
Add-Type -AssemblyName System.Web | ||
$password = [System.Web.Security.Membership]::GeneratePassword(24,5) | ||
$secret = "" | ||
|
||
if (-Not $noHash) | ||
{ | ||
$sha256 = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') | ||
$hash = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($password)) | ||
|
||
$secret = [System.BitConverter]::ToString($hash).Replace('-', '').toLower() | ||
} else { | ||
$secret =$password | ||
} | ||
|
||
$user = 'admin' | ||
|
||
Write-Host "Attempting to create credentials for gateway.." | ||
$user_secret = "basic-auth-user" | ||
docker secret inspect $user_secret 2>&1 | out-null | ||
if($?) | ||
{ | ||
Write-Host "$user_secret secret exists" | ||
} | ||
else | ||
{ | ||
$user | docker secret create $user_secret - | out-null | ||
} | ||
|
||
$password_secret = "basic-auth-password" | ||
docker secret inspect $password_secret 2>&1 | out-null | ||
if($?) | ||
{ | ||
Write-Host "$password_secret secret exists" | ||
} | ||
else | ||
{ | ||
$secret | docker secret create $password_secret - | out-null | ||
Write-Host "[Credentials]" | ||
Write-Host " username: admin" | ||
Write-Host " password: $secret" | ||
Write-Host " Write-Output `"$secret`" | faas-cli login --username=$user --password-stdin" | ||
} | ||
|
||
if ($noAuth -Or $n) { | ||
Write-Host "" | ||
Write-Host "Disabling basic authentication for gateway.." | ||
Write-Host "" | ||
$env:BASIC_AUTH="false"; | ||
} | ||
else | ||
{ | ||
Write-Host "" | ||
Write-Host "Enabling basic authentication for gateway.." | ||
Write-Host "" | ||
} | ||
|
||
Write-Host "Deploying OpenFaaS core services" | ||
docker stack deploy func --compose-file ./docker-compose.yml --orchestrator swarm | ||
} | ||
else | ||
{ | ||
throw "Unable to find docker command, please install Docker (https://www.docker.com/) and retry" | ||
} | ||
|
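Review bot: In the `if (-Not $noHash)` branch the SHA-256 hex digest is not a stored verifier but becomes the gateway password itself: `$secret` is what is piped to `docker secret create` and printed for `faas-cli login`, while `$password` is discarded. Hashing here therefore only normalises the value to a hex string and adds no protection at rest, which the help text `prevents the password from being hashed` does not make clear. I would say so above the branch, e.g. `# The digest is used as the password itself; it only gives a hex-formatted secret and does not protect the stored value.` Separately, the `[Credentials]` block prints `$secret` without checking that `docker secret create $password_secret -` succeeded, so adding `if ($LASTEXITCODE -ne 0) { throw "Failed to create $password_secret" }` right after that pipeline would avoid showing a password that was never stored. Because `Write-Host " password: $secret"` writes the live credential to the console, it is also worth a comment warning that transcripts and CI logs will capture it.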