Avoid exposing passwords in the process list, use a password file.

2024-01-19 21:43:32 +01:00 · 2024-01-19 21:43:32 +01:00 · 57ec856f49
commit 57ec856f49
parent 917b45aadc
7 changed files with 156 additions and 131 deletions
--- a/roles/lmn_vm/files/uploadseed
+++ b/roles/lmn_vm/files/uploadseed
@ -7,24 +7,34 @@ import ssl
 import argparse

 parser = argparse.ArgumentParser(description='Upload a file to the bittorrent seeder.')
-parser.add_argument('--rpc-server', required=True,
-                    help='the RPC server IPaddress:port')
-parser.add_argument('--rpc-secret', required=True,
-                    help='the RPC secret')
+parser.add_argument('--server', required=True,
+                    help="the server address and RPC port like 'IPaddress:port'")
 parser.add_argument('--dht-port', required=True,
                    help='the DHT port the RPC server is listening on')
-parser.add_argument('--no-cert', action='store_true',
-                    help='do not use SSL certificate')
-parser.add_argument('--cert', help='the certificate to use for verification')
-parser.add_argument('file', help='the file to upload')
+pwgrp = parser.add_mutually_exclusive_group(required=True)
+pwgrp.add_argument('--passwd',
+                   help='the RPC secret. Either this or --pwdfile needs to be ' \
+                   'provided')
+pwgrp.add_argument('--pwdfile',
+                   help="file containing the RPC secret in the form " \
+                   "'secret = \"token:SECRET\"'. " \
+                   'Either this or --secret needs to be provided')
+certgrp = parser.add_mutually_exclusive_group(required=True)
+certgrp.add_argument('--no-cert', action='store_true',
+                     help='do not use SSL certificate')
+certgrp.add_argument('--cert', help='the certificate to use for verification')
+parser.add_argument('FILE', help='the file to upload')

 args = parser.parse_args()

-rpcseeder = 'https://' + args.rpc_server + '/rpc'
-secret = 'token:' + args.rpc_secret
-dhtentry = args.rpc_server.split(':')[0] + ':' + args.dht_port
-file2send = args.file
+rpcseeder = 'https://' + args.server + '/rpc'
+dhtentry = args.server.split(':')[0] + ':' + args.dht_port
+file2send = args.FILE
 torrent = '/tmp/' + os.path.basename(file2send) + '.torrent'
+if args.passwd:
+    secret = 'token:' + args.passwd
+else:
+    exec(open(args.pwdfile).read())

 ssl_ctx = ssl.create_default_context()
 if args.no_cert:
--- a/roles/lmn_vm/files/vm-sync
+++ b/roles/lmn_vm/files/vm-sync
@ -71,7 +71,8 @@ get_file() {

 push_file() {
   cd "${VM_SYSDIR}"
-   uploadseed --rpc-server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" --rpc-secret insecure --no-cert "${FILENAME}"
+   uploadseed --server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" \
+	      --pwdfile "${SEEDBOX_PWFILE}" --no-cert "${FILENAME}"
 }

 if [[ "$(id -nu)" != "lmnsynci" ]]; then
@ -106,26 +107,25 @@ case "$command" in
   push_file)
      for FILENAME in "$@"; do
 	 push_file
-      done 
+      done
      ;;
   get_file)
      for FILENAME in "$@"; do
 	 get_file
-      done 
+      done
      ;;
   get_image)
      for VM_NAME in "$@"; do
 	 get_torrent
-      done 
+      done
      ;;
   delete_outdated_image)
      for FILENAME in "$@"; do
         delete_outdated_image
-      done 
+      done
      ;;
   *)
      show_help
      exit 1
      ;;
 esac
-
--- a/roles/lmn_vm/files/vm-upload
+++ b/roles/lmn_vm/files/vm-upload
@ -39,8 +39,10 @@ upload_image() {
      cp -a "${VM_DIR}/${VM_NAME}.xml" "${VM_SYSDIR}"
    fi
    cd "${VM_SYSDIR}"
-    uploadseed --rpc-server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" --rpc-secret insecure --no-cert "${VM_NAME}.qcow2"
-    uploadseed --rpc-server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" --rpc-secret insecure --no-cert "${VM_NAME}.xml"
+    uploadseed --server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" \
+	       --pwdfile "${SEEDBOX_PWFILE}" --no-cert "${VM_NAME}.qcow2"
+    uploadseed --server "${SEEDBOX_HOST}:${SEEDBOX_RPC_PORT}" --dht-port "${SEEDBOX_PORT}" \
+	       --pwdfile "${SEEDBOX_PWFILE}" --no-cert "${VM_NAME}.xml"
 }

 source /etc/lmn/vm.conf
--- a/roles/lmn_vm/files/vm.conf
+++ b/roles/lmn_vm/files/vm.conf
@ -1,8 +1,9 @@
 # variables for LMN VM submodule

-SEEDBOX_HOST=seedbox.pn.steinbeis.schule
+SEEDBOX_HOST="seedbox.pn.steinbeis.schule"
 SEEDBOX_PORT=6789
 SEEDBOX_RPC_PORT=6800
+SEEDBOX_PWFILE="/etc/lmn/uploadseed.conf"

 VM_SYSDIR="/lmn/vm"
 if [[ -v SUDO_UID ]]; then
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -163,12 +163,21 @@
    - uploadseed

 - name: Deploy vm configuration file vm.conf
-  copy:
+  ansible.builtin.copy:
    src: vm.conf
    dest: /etc/lmn/vm.conf
    owner: root
    group: root

+- name: Deploy aria2 RPC password file
+  ansible.builtin.copy:
+    dest: /etc/lmn/uploadseed.conf
+    owner: root
+    group: lmnsynci
+    mode: '0640'
+    content: |
+      "{{ uploadseed_pwd }}"
+
 - name: Prepare directory for qemu bridge config
  ansible.builtin.file:
    path: /etc/qemu/