-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update password generation to support PS Core #1476
Conversation
Signed-off-by: Kyle Parrish <arnydo@arnydo.com>
Just ran that command on my Windows OS PowerShell 5.1 and got this:
Could you test and verify that the special characters in the password work with the OpenFaaS Gateway? for reference, the bash version generates an alpha-numeric password:
|
The special characters worked for me. I did notice that the PowerShell script has the parameter I was simply following the format that was already in place. This is the logic:
Is there a reason this option is not available in the bash script? |
To answer your question about why the Based on that message, I think it would be best to maintain parity as much as possible with the bash script and generate a similar alpha-numeric password |
I completely agree. However, by default, it will generate the alphanumeric password. Is that not occurring for you? ❯ .\deploy_stack.ps1
Attempting to create credentials for gateway..
[Credentials]
username: admin
password: 08fb751797daceeb57d709057ed212582df066721e65027c5aa0b3649bfcc417
Write-Output "08fb751797daceeb57d709057ed212582df066721e65027c5aa0b3649bfcc417" | faas-cli login --username=admin --password-stdin
Enabling basic authentication for gateway..
Deploying OpenFaaS core services
Creating service func_nats
Creating service func_queue-worker
Creating service func_prometheus
Creating service func_alertmanager
Creating service func_gateway
Creating service func_basic-auth-plugin
Creating service func_faas-swarm |
I apologize, you're right. It does work exactly as expected in context. I was running only the line you had changed independent of the rest of the This does work as expected generating a hashed password similar to the bash function. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure that the approach is cryptographically equivalent.
# AE: would be nice to avoid this dependency. | ||
Add-Type -AssemblyName System.Web | ||
$password = [System.Web.Security.Membership]::GeneratePassword(24,5) | ||
$password = -join ((33..126) * 120 | Get-Random -Count 24 | ForEach-Object { [char]$_ }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not keen on this approach vs the original Web security API call.
Can you look at whether there is an equivalent in .NET Core that can be used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, however, there does not seem to be a comparable alternative built in. Based on the article here it looks like the GeneratePassword
function may resemble the following:
Function GeneratePassword ([int]$Length) {
Add-Type -AssemblyName System.Web
$CharSet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{]+-[*=@:)}$^%;(_!&#?>/|.'.ToCharArray()
#Index1s 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456
#Index10s 0 1 2 3 4 5 6 7 8
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[]($Length)
$rng.GetBytes($bytes)
$Return = New-Object char[]($Length)
For ($i = 0 ; $i -lt $Length ; $i++) {
$Return[$i] = $CharSet[$bytes[$i]%$CharSet.Length]
}
Return (-join $Return)
}
The result would resemble:
GeneratePassword -Length 24
$@Unw_C6xQ+W*YBo#HEFBJv2
Would you be more comfortable adding this function to the deploy script?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any thoughts @alexellis ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I'm happier with the original suggestion in the linked issue under generatePassword
Is there any reason why you are using Swarm and not Kubernetes?
You can also use Git Bash to get around this on any Windows system.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you would like to support PowerShell core then I think the only option is the function I referenced here. I believe it to be just as secure as the original .Net class that is being used.
I am currently using Swarm as that is what we have deployed.
Sure, there are other workarounds, but I am simply trying to address the situation where PowerShell Core may be used (Windows, Linux, OSX). Since there is already support for some PowerShell versions I wanted to expand on that. If you don't agree or find it beneficial then I will discontinue working on a solution.
Signed-off-by: Kyle Parrish arnydo@arnydo.com
Fixes: #1475
Core
versions of PowerShell lack support for theSystem.Web.dll
which causes[System.Web.Security.Membership]::GeneratePassword(14, 5)
to fail.Changed the password generation method to support all current versions of PowerShell.
Description
To address the lack of support for the
System.Web
assembly in PowerShell Core, the password generation process has been updated from:$password = [System.Web.Security.Membership]::GeneratePassword(14, 5)
To:
$password = -join ((33..126) * 120 | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Motivation and Context
When running the script with a
Core
edition of PowerShell such as6.0.0
or7.0.0
the script runs but fails to generate a password. The script continues to completion with no way to access the UI or CLI since the password is unknown/no-set.Here is the output of the script running in
7.0.0
.design/approved
labelHow Has This Been Tested?
This has been tested in various versions of PowerShell, including:
The result is a randomly generated password.
Types of changes
Checklist:
git commit -s