coop-cloud/abra
coop-cloud
/
abra
Archived
7
0
Fork 2
Code Issues 21 Pull Requests Releases Activity

Secret auto-generation grep pattern doesn't match arbitrary naming #32

New Issue
Closed
opened 2020-11-01 16:37:40 +00:00 by decentral1se · 7 comments
decentral1se commented 2020-11-01 16:37:40 +00:00
Owner
Copy Link

For foodsoft app, I ran the pattern when I didn't get anything auto-generated:

➜  foodsoft (master) ✔ cat .envrc.sample | grep "PASSWORD.*VERSION" 
# No results :(

But I have:

export DB_PASSWD_VERSION=v1
export DB_ROOT_PASSWD_VERSION=v1
export SHARED_LISTS_DB_PASSWD_VERSION=v1
export SMTP_PASSWD_VERSION=v1
export SECRET_KEY_BASE_VERSION=v1

Culture war over PASSWD/PASSWORD aside (😹) it seems like the SECRET_KEY_BASE_VERSION would always be left out. I think we need to exted this logic. Anything with a line ending of =v1? Maybe too brittle...

For foodsoft app, I ran the pattern when I didn't get anything auto-generated: ``` ➜ foodsoft (master) ✔ cat .envrc.sample | grep "PASSWORD.*VERSION" # No results :( ``` But I have: ``` export DB_PASSWD_VERSION=v1 export DB_ROOT_PASSWD_VERSION=v1 export SHARED_LISTS_DB_PASSWD_VERSION=v1 export SMTP_PASSWD_VERSION=v1 export SECRET_KEY_BASE_VERSION=v1 ``` Culture war over PASSWD/PASSWORD aside (😹) it seems like the `SECRET_KEY_BASE_VERSION` would always be left out. I think we need to exted this logic. Anything with a line ending of `=v1`? Maybe too brittle...
decentral1se commented 2020-11-01 16:40:37 +00:00
Author
Owner
Copy Link

Anything with a line ending of =v1? Maybe too brittle...

Oh darn, that would also include the configs too. Woops.

> Anything with a line ending of =v1? Maybe too brittle... Oh darn, that would also include the configs too. Woops.
decentral1se commented 2020-11-01 17:03:07 +00:00
Author
Owner
Copy Link

Time for https://mikefarah.gitbook.io/yq/?

Time for https://mikefarah.gitbook.io/yq/?
3wordchant commented 2020-11-01 17:17:10 +00:00
Owner
Copy Link

it seems like the SECRET_KEY_BASE_VERSION would always be left out

Yep, also e.g. MEDIAWIKI_SECRET_KEY_VERSION.

My plan was to make sure all the env vars had SECRET in the name, then change the grep call to SECRET.*VERSION... but then we'd still be missing the instructions on how to generate each kind of password.

Possibly SECRET.*PASSWORD.*VERSION uses pwqgen and SECRET.*KEY.*VERSION uses pwgen -n 64 1?

Or we just default to pwgen.. for everything and lose semi-human-communicable passwords..

Also fine for a yml format to happen, still don't have momentum to solo that at present.

> it seems like the `SECRET_KEY_BASE_VERSION` would always be left out Yep, also e.g. `MEDIAWIKI_SECRET_KEY_VERSION`. My plan was to make sure all the env vars had `SECRET` in the name, then change the `grep` call to `SECRET.*VERSION`... but then we'd still be missing the instructions on how to generate each kind of password. Possibly `SECRET.*PASSWORD.*VERSION` uses `pwqgen` and `SECRET.*KEY.*VERSION` uses `pwgen -n 64 1`? Or we just default to `pwgen..` for everything and lose semi-human-communicable passwords.. Also fine for a `yml` format to happen, still don't have momentum to solo that at present.
decentral1se commented 2020-11-01 17:26:06 +00:00
Author
Owner
Copy Link

Also fine for a yml format to happen, still don’t have momentum to solo that at present.

Ah, I meant, parsing the compose*.yml files for the secret names instead of the .envrc.sample files? As a way to grab the exact position by parsing and then do a transformation there.

My plan was to make sure all the env vars had SECRET in the name, then change the grep call to SECRET.*VERSION... but then we’d still be missing the instructions on how to generate each kind of password.

Sounds good then actually! Just using some sort of naming convention like this. I actually need that SECRET_KEY_BASE thing to be 30 characters long, I think. I know also the Gitea secrets need to be a specific length. That seems hard to thread down to auto-generation... maybe with comments!? Haha....uhhhhh, =v1 # length: 30?

> Also fine for a yml format to happen, still don’t have momentum to solo that at present. Ah, I meant, parsing the `compose*.yml` files for the secret names instead of the `.envrc.sample` files? As a way to grab the exact position by parsing and then do a transformation there. > My plan was to make sure all the env vars had SECRET in the name, then change the grep call to SECRET.*VERSION... but then we’d still be missing the instructions on how to generate each kind of password. Sounds good then actually! Just using some sort of naming convention like this. I actually need that `SECRET_KEY_BASE` thing to be 30 characters long, I think. I know also the Gitea secrets need to be a specific length. That seems hard to thread down to auto-generation... maybe with comments!? Haha....uhhhhh, `=v1 # length: 30`?
3wordchant commented 2020-11-01 19:29:54 +00:00
Owner
Copy Link

Ah, I meant, parsing the compose*.yml files for the secret names instead of the .envrc.sample files?

Oh yeah that works -- guess same issue about length applies tho

I actually need that SECRET_KEY_BASE thing to be 30 characters long, I think. I know also the Gitea secrets need to be a specific length. That seems hard to thread down to auto-generation... maybe with comments!? Haha....uhhhhh, =v1 # length: 30?

Yeah this seems the good kind of evil, hopefully an easy migration to eventual yaml format, too.

> Ah, I meant, parsing the `compose*.yml` files for the secret names instead of the `.envrc.sample` files? Oh yeah that works -- guess same issue about length applies tho > I actually need that `SECRET_KEY_BASE` thing to be 30 characters long, I think. I know also the Gitea secrets need to be a specific length. That seems hard to thread down to auto-generation... maybe with comments!? Haha....uhhhhh, `=v1 # length: 30`? Yeah this seems the good kind of evil, hopefully an easy migration to eventual yaml format, too.
decentral1se commented 2020-11-01 19:37:39 +00:00
Author
Owner
Copy Link

...=v1 # length=30 + PASSWORD/KEY distinction in generation! 🙉

`...=v1 # length=30` + `PASSWORD/KEY` distinction in generation! 🙉
decentral1se commented 2020-11-05 14:58:10 +00:00
Author
Owner
Copy Link

Solved in #33.

Lots of bash hair pulling but I guess I am just learning.

Solved in https://git.autonomic.zone/coop-cloud/abra/pulls/33. Lots of bash hair pulling but I guess I am just learning.
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
main
requirements-install-script
prefer-fast-option
add-bump-logic
prompt-cleanup
fix-pwgen
fix-subcommand-select
digest-version
backup_restore
command_help_2
merge-logging
monorepo
10.0.0
9.0.0
8.0.1
8.0.0
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
checkout
0.6.0
0.5.0
0.4.1
0.4.0
0.3.1
0.3.0
0.2.0
0.1.2
0.1.1
0.1.0
Labels
Clear labels   
breaking-change

Anything that breaks the existing API

  
bug

Something is not working

  
CI/CD

Anything to do with testing and infra

  
design

Anything to with UX of this tool

  
documentation

Documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
plugin

Related to the plugin architecture

  
question

More information is needed

  
secrets

Everything to do with docker secrets

  
shell-completion

To do with shell completion

  
versioning

All the things to do with versioning apps

  
wontfix

This won't be fixed

No Label
breaking-change
bug
CI/CD
design
documentation
duplicate
enhancement
help wanted
invalid
plugin
question
secrets
shell-completion
versioning
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coop-cloud/abra#32
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?