passbolt.php is ignored #97

Closed
MYDIH opened this issue Apr 12, 2018 · 10 comments
MYDIH commented Apr 12, 2018

Hi,

I just migrated my install to V2 and I don't want to use environment variables to transmit passwords to my container. I created a passbolt.php file (by using the template), I put it in the config folder as described, I chowned it to the www-data user and group, but when I start the container, passbolt just ignores my database settings and tries to locate the MySQL socket.

I will post the passbolt.php file and my dockerfile as soon as possible.

Passbolt.php (anonymised) :

<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SARL (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SARL (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */
/**
 * PASSBOLT CONFIGURATION FILE TEMPLATE
 *
 * By default passbolt try to use the environment variables or fallback on the default values as
 * defined in default.php. You can use passbolt.default.php as a basis to set your own configuration
 * without using environment variables.
 *
 * 1. copy/paste passbolt.default.php to passbolt.php
 * 2. set the variables in the App section
 * 3. set the variables in the passbolt section
 *
 * To see all available options, you can refer to the default.php file, and modify passsbolt.php accordingly.
 * Do not modify default.php or you may break your upgrade process.
 *
 * Read more about how to install passbolt: https://www.passbolt.com/help/tech/install
 * Any issue, check out our FAQ: https://www.passbolt.com/faq
 * An installation issue? Ask for help to the community: https://community.passbolt.com/
 */
return [

    /**
     * DEFAULT APP CONFIGURATION
     *
     * All the information in this section must be provided in order for passbolt to work
     * This configuration overrides the CakePHP defaults locating in app.php
     * Do not edit app.php as it may break your upgrade process
     */
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.<my-domain>/',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => '<reachable-host>',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => '<secret>',
            'database' => 'passbolt',
        ],
    ],

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => '<reachable-host>',
            'port' => 25,
            'username' => 'passbolt',
            'password' => '<secret>',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@<my-domain>' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

    /**
     * DEFAULT PASSBOLT CONFIGURATION
     *
     * This is the default configuration.
     * It enforces the use of ssl, and does not provide a default OpenPGP key.
     * If your objective is to try passbolt quickly for evaluation purpose, and security is not important
     * you can use the demo config example provided in the next section below.
     */
    'passbolt' => [
        // GPG Configuration.
        // The keyring must to be owned and accessible by the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            // Tell GPG where to find the keyring.
            // If putenv is set to false, gnupg will use the default path ~/.gnupg.
            // For example :
            // - Apache on Centos it would be in '/usr/share/httpd/.gnupg'
            // - Apache on Debian it would be in '/var/www/.gnupg'
            // - Nginx on Centos it would be in '/var/lib/nginx/.gnupg'
            // - etc.
            //'keyring' => getenv("HOME") . DS . '.gnupg',
            //
            // Replace GNUPGHOME with above value even if it is set.
            //'putenv' => false,

            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '',
                // 'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                // 'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
    ],

/**
 * DEMO CONFIGURATION EXAMPLE
 *
 * Uncomment the lines below if you want to try passbolt quickly.
 * and if you are not concerned about the security of your installation.
 * (Don't forget to comment the default config above).
 */
//    'debug' => true,
//    'passbolt' => [
//        'registration' => [
//            'public' => true
//        ],
//        'ssl' => [
//            'force' => false,
//        ],
//        'gpg' => [
//            'serverKey' => [
//                'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',
//                'public' => CONFIG . DS . 'gpg' . DS . 'unsecure.key',
//                'private' => CONFIG . DS . 'gpg' . DS . 'unsecure_private.key',
//            ],
//        ],
//    ]

];

And my Dockerfile :

FROM passbolt/passbolt

COPY passbolt.php /var/www/passbolt/config/
RUN chown www-data:www-data /var/www/passbolt/config/passbolt.php \
    && chmod 664 /var/www/passbolt/config/passbolt.php

Thanks

dlen self-assigned this Apr 12, 2018

MYDIH (Author) commented Apr 13, 2018

I tried to edit app.php directly, it's not working either ... Even when I completely remove the calls to the env() function, some defaults are still applied ...

EDIT :

Found the issue I think. Look at this snippet in docker-entrypoint.sh :

tables=$(mysql \
    -u "${DATASOURCES_DEFAULT_USERNAME:-passbolt}" \
    -h "${DATASOURCES_DEFAULT_HOST:-localhost}" \
    -P "${DATASOURCES_DEFAULT_PORT:-3306}" \
    -BN -e "SHOW TABLES FROM ${DATASOURCES_DEFAULT_DATABASE:-passbolt}" \
    -p"${DATASOURCES_DEFAULT_PASSWORD:-P4ssb0lt}" |wc -l)
  app_config="/var/www/passbolt/config/app.php"

mysql is called ignoring configuration ... I leave the honor to parse the php file in bash to you guys. Sed is always giving me a headache 😆

Thanks for your time
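
The fallback behaviour in the snippet quoted above, as an added example that is not part of the thread or of the passbolt_docker code base: every `${VAR:-default}` expansion silently substitutes a built-in value when the variable is unset, so a container configured only through passbolt.php probes `localhost` (which the mysql client reaches over the Unix socket) with the default credentials. The function names, including the guard `probe_is_safe`, are hypothetical; the variable names and defaults are the ones in the snippet.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, variable names and
# defaults are copied from the quoted docker-entrypoint.sh snippet.

# setting_source NAME: print "env" if NAME is set and non-empty, else "default".
setting_source() {
    eval "val=\${$1:-}"
    if [ -n "$val" ]; then echo env; else echo default; fi
}

# effective_db_target: host:port/database as the snippet's expansions resolve them.
effective_db_target() {
    printf '%s:%s/%s\n' \
        "${DATASOURCES_DEFAULT_HOST:-localhost}" \
        "${DATASOURCES_DEFAULT_PORT:-3306}" \
        "${DATASOURCES_DEFAULT_DATABASE:-passbolt}"
}

# probe_is_safe CONFIG_DIR: return 1 when passbolt.php exists but none of the
# DATASOURCES_DEFAULT_* variables is set, i.e. the probe would ignore the file.
probe_is_safe() {
    for name in DATASOURCES_DEFAULT_HOST DATASOURCES_DEFAULT_USERNAME \
                DATASOURCES_DEFAULT_PASSWORD DATASOURCES_DEFAULT_DATABASE; do
        if [ "$(setting_source "$name")" = env ]; then
            return 0
        fi
    done
    if [ -f "$1/passbolt.php" ]; then
        echo "passbolt.php found, DATASOURCES_DEFAULT_* unset:" \
             "probe would use $(effective_db_target) with built-in credentials" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: report what the probe would target in this environment.
echo "probe target: $(effective_db_target)"
probe_is_safe "${1:-/var/www/passbolt/config}" || echo "probe would not reflect passbolt.php"
```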

dlen (Member) commented Apr 13, 2018

Hi @MYDIH
Yes, you are right; yesterday I realized that snippet was the culprit. We are discussing how to approach this fix, since parsing the file in bash is maybe not the best approach.

Thanks for your feedback and your investigation on the issue!

dlen added the bug label Apr 13, 2018

mannp commented Apr 13, 2018

I believe I have experienced this too.

dlen (Member) commented Apr 13, 2018

Yeah this logic could be moved out of the container into a shell task inside passbolt_api. It could make more sense than parsing a php file in bash

mannp commented Apr 13, 2018

It's also inconsistent @dlen, as I have set up an env variable for the full base url and pb is still checking the passbolt.php config?

[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

dlen (Member) commented Apr 13, 2018

Interesting, that looks like a bug in the healthcheck @cedricalfonsi

cedricalfonsi (Member) commented

@mannp @dlen

The fullBaseUrl is defined with an env variable APP_FULL_BASE_URL, but it can be overridden with the passbolt.php file. The Healthcheck uses this variable to access the /healthcheck/status.json entry point.

Can you maybe test accessing this url directly with your browser and tell us if something is wrong?

What would be interesting is to know what value is returned by `Configure::read('App.fullBaseUrl')`. If this value is not well set, the links inserted in the email sent by your passbolt should be wrong.

mannp commented Apr 15, 2018

@cedricalfonsi using the direct entry point (/healthcheck/status.json) I get this, which would appear to be fine:

id | "my id"
status | "success"
servertime | 1523780530
title | "app_healthcheck_status_success"
message | "OK"
url | "/healthcheck/status.json"
code | 200
body | "OK"

While rerunning healthcheck, still gives me this ;

[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl

Also, adding new users always uses my correct fqdn and the urls work, allowing the creation of the accounts.

Can Configure::read('App.fullBaseUrl') be checked from the command line in some way?

Perhaps this can be moved to a new issue if it is not related to the OP's issue?

I am finding the env variable is taking precedence over the passbolt.php rather than the other way around as you state? Or it's healthcheck confusing the issue, not sure.

adammcmaster added a commit to adammcmaster/passbolt_docker that referenced this issue May 9, 2018
Just don't try to do a fresh install since we don't need that.

See passbolt#97
MYDIH closed this as completed Aug 21, 2018

MYDIH (Author) commented Mar 6, 2019

I'm reopening this, the issue is still here, don't know why I closed it. Surely because I worked around the problem, but now that I updated the docker, the same issue arises. Offending lines:

tables=$(mysql \
    -u "${DATASOURCES_DEFAULT_USERNAME:-passbolt}" \
    -h "${DATASOURCES_DEFAULT_HOST:-localhost}" \
    -P "${DATASOURCES_DEFAULT_PORT:-3306}" \
    -BN -e "SHOW TABLES FROM ${DATASOURCES_DEFAULT_DATABASE:-passbolt}" \
    -p"${DATASOURCES_DEFAULT_PASSWORD:-P4ssb0lt}" |wc -l)

MYDIH reopened this Mar 6, 2019

dlen (Member) commented Mar 6, 2019

Hi @MYDIH ,

Thanks for reminding this here. Indeed the install task from passbolt_api has changed and it already checks for a previous installation to be present.
The docker-entrypoint.sh no longer checks the tables; it only runs install and migrations in an ORed fashion.

The fix has been pushed to develop to be released possibly next week. Feel free to test it if you want.

dlen closed this as completed in eea638b Apr 1, 2019