From 2fbc8cf3ef34d373b19c6ea48d2216108d0db6ae Mon Sep 17 00:00:00 2001 From: Eugene Kozlov Date: Mon, 9 Aug 2021 16:28:03 +0000 Subject: [PATCH] fix: add pasword validation --- .../aws-rfdk/lib/deadline/lib/repository.ts | 21 ++++++++++------ .../scripts/bash/installDeadlineRepository.sh | 25 ++++++------------- .../lib/deadline/test/repository.test.ts | 2 +- 3 files changed, 23 insertions(+), 25 deletions(-) diff --git a/packages/aws-rfdk/lib/deadline/lib/repository.ts b/packages/aws-rfdk/lib/deadline/lib/repository.ts index 4729abb90..b1f4de793 100644 --- a/packages/aws-rfdk/lib/deadline/lib/repository.ts +++ b/packages/aws-rfdk/lib/deadline/lib/repository.ts @@ -286,9 +286,9 @@ export interface RepositorySecurityGroupsOptions { export interface SecretsManagementProps { /** * Whether or not to enable the Secrets Management feature. - * @default true */ - readonly enabled?: boolean; + readonly enabled: boolean; + /** * A Secret containing the username and password to use for the admin role. * The contents of this secret must be a JSON document with the keys "username" and "password". ex: @@ -296,7 +296,9 @@ export interface SecretsManagementProps { * "username": , * "password": , * } - * Password should contain at least one lowercase letter, one uppercase letter, one symbol and one number. + * Password should be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one number. + * In case when password does not meet requirements secret management will be disabled. + * It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password. * * @default: A random username and password will be generated in a Secret with ID `SMAdminUser` and will need to be retrieved from AWS Secrets Manager if it is needed */ @@ -427,7 +429,7 @@ export interface RepositoryProps { * https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/secrets-management/deadline-secrets-management.html * @default: Secrets Management will be enabled and a username and password will be automatically generated if none are supplied. */ - readonly secretsManagementSettings?: SecretsManagementProps + readonly secretsManagementSettings?: SecretsManagementProps; } /** @@ -518,6 +520,11 @@ export class Repository extends Construct implements IRepository { */ private static REPOSITORY_OWNER = { uid: 1000, gid: 1000 }; + /** + * Default username for auto generated admin credentials in Secret Manager. + */ + private static DEFAULT_SECRETS_MANAGEMENT_USERNAME: string = 'admin'; + /** * @inheritdoc */ @@ -552,7 +559,7 @@ export class Repository extends Construct implements IRepository { /** * Deadline Secrets Management settings. */ - public readonly secretsManagementSettings: SecretsManagementProps + public readonly secretsManagementSettings: SecretsManagementProps; constructor(scope: Construct, id: string, props: RepositoryProps) { super(scope, id); @@ -578,13 +585,13 @@ export class Repository extends Construct implements IRepository { ((props.secretsManagementSettings?.enabled ?? true) ? new Secret(this, 'SMAdminUser', { description: 'Admin credentials for Secret Management', generateSecretString: { - excludeCharacters: '\"$&\'()-/<>[\\]\`{|}', + excludeCharacters: '\"$&\'()/<>[\\]\`{|}', includeSpace: false, passwordLength: 24, requireEachIncludedType: true, generateStringKey: 'password', - secretStringTemplate: JSON.stringify({ username: 'admin' }), + secretStringTemplate: JSON.stringify({ username: Repository.DEFAULT_SECRETS_MANAGEMENT_USERNAME }), }, }) : undefined), }; diff --git a/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh b/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh index 302b1f9e9..771ec36ea 100644 --- a/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh +++ b/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh @@ -118,27 +118,18 @@ fi SECRET_MANAGEMENT_ARG='' if [ ! -z "${SECRET_MANAGEMENT_ARN+x}" ]; then sudo yum install -y jq - SM_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id=$SECRET_MANAGEMENT_ARN --region=$AWS_REGION) SM_SECRET_STRING=$(jq -r '.SecretString' <<< "$SM_SECRET_VALUE") SECRET_MANAGEMENT_USER=$(jq -r '.username' <<< "$SM_SECRET_STRING") SECRET_MANAGEMENT_PASSWORD=$(jq -r '.password' <<< "$SM_SECRET_STRING") - - len=$(echo ${#SECRET_MANAGEMENT_PASSWORD}) - if test $len -ge 8 ; then - echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [0-9] - if test $? -eq 0 ; then - echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [A-Z] - if test $? -eq 0 ; then - echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [a-z] - if test $? -eq 0 ; then - echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [~,.,:,@,!,\#,%,*,_,+,-,=,?] - if test $? -eq 0 ; then - SM_STRONG_PASSWORD='true' - fi - fi - fi - fi + if !([[ ${#SECRET_MANAGEMENT_PASSWORD} -ge 8 ]] && + echo $SECRET_MANAGEMENT_PASSWORD | grep -q [0-9] && + echo $SECRET_MANAGEMENT_PASSWORD | grep -q [a-z] && + echo $SECRET_MANAGEMENT_PASSWORD | grep -q [A-Z] && + echo $SECRET_MANAGEMENT_PASSWORD | grep -q [^[:alnum:]]) + then + echo "ERROR: Admin password is too weak. It must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one digit." + exit 1 fi if [ -z "${SM_STRONG_PASSWORD+x}" ]; then echo "ERROR: Admin password is too weak. It must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one digit." diff --git a/packages/aws-rfdk/lib/deadline/test/repository.test.ts b/packages/aws-rfdk/lib/deadline/test/repository.test.ts index 4d7a844a6..1f5a4a3ce 100644 --- a/packages/aws-rfdk/lib/deadline/test/repository.test.ts +++ b/packages/aws-rfdk/lib/deadline/test/repository.test.ts @@ -1289,7 +1289,7 @@ test('secret manager enabled', () => { // THEN expect(repository.secretsManagementSettings.credentials).toBe(expectedCredentials); const installerGroup = repository.node.tryFindChild('Installer') as AutoScalingGroup; - expect(installerGroup.userData.render()).toContain(`--installSecretsManagement true ${stack.region} ${expectedCredentials.secretArn}`); + expect(installerGroup.userData.render()).toContain(`-r ${stack.region} -c ${expectedCredentials.secretArn}`); }); test('secret manager is enabled by default', () => {