Remove sensitive data from nethvoice #292

stephdl · 2024-09-10T17:04:40Z

Previously random keys were stored in redis, now we use a passfile passwords.env to store the keys

The relevant variables are

'MARIADB_ROOT_PASSWORD'
'AMPDBPASS'
'AMPMGRPASS'
'NETHCTI_AMI_PASSWORD'
'CDRDBPASS'
'NETHCTI_DB_PASSWORD'
'TANCREDI_STATIC_TOKEN'
'NETHVOICESECRETKEY'
'JANUS_ADMIN_SECRET'
'PHONEBOOK_DB_PASS'
'PHONEBOOK_LDAP_PASS'
'REPORTS_PASSWORD'
'REPORTS_API_KEY'
'REPORTS_SECRET'
'NETHVOICE_USER_PORTAL_PASSWORD'
'SUBSCRIPTION_SECRET'
'NETHVOICE_LDAP_PASS'

NethServer/dev#7011

…tting

…ting

imageroot/systemd/user/freepbx.service

imageroot/actions/configure-module/85mysql_background_import

Amygos · 2024-10-01T09:06:54Z

imageroot/actions/configure-module/95service_adjust

 # start nethcti-server if wizard step is completed
-WIZARD_STEP=$(/usr/bin/podman exec mariadb mysql -u root -h 127.0.0.1 -P $NETHVOICE_MARIADB_PORT -p$MARIADB_ROOT_PASSWORD asterisk -BNe "select step from rest_wizard" | tr -d -c '[:digit:]')
+WIZARD_STEP=$(/usr/bin/podman exec --env-file=./passwords.env mariadb mysql -u root -h 127.0.0.1 -P $NETHVOICE_MARIADB_PORT -p$MARIADB_ROOT_PASSWORD asterisk -BNe "select step from rest_wizard" | tr -d -c '[:digit:]')


Are you sure the the $NETHVOICE_MARIADB_PORT and $MARIADB_ROOT_PASSWORD are expanded inside the container and not in the host?

imageroot/actions/import-module/40mysql

imageroot/actions/restore-module/21database

imageroot/update-module.d/10env

imageroot/actions/clone-module/21set_mariadb_passwords

imageroot/actions/clone-module/20start_mariadb_service

imageroot/actions/clone-module/21set_mariadb_passwords

…odules

…USER_PORTAL_USERNAME environment variable gracefully

…ices

stephdl marked this pull request as draft September 10, 2024 17:04

stephdl force-pushed the sdl-7011 branch 7 times, most recently from 8b55528 to 3276be5 Compare September 11, 2024 17:47

stephdl added 11 commits September 11, 2024 19:50

Clone.refactor environment file handling and database password setting

99457bc

Configure.refactor environment file handling and database password se…

1da8b2e

…tting

Create.refactor environment file handling and database password setting

a060dc6

Destroy.refactor environment file handling and database password setting

86a210e

Get-conf.refactor environment file handling and database password set…

b936a80

…ting

Refactor password retrieval in get-facts script

be61977

Restore.refactor environment file handling and database password setting

a328034

Refactor password retrieval in set-nethvoice-admin-password script

28687b2

Refactor state-include.conf and add passwords.env

c045880

Services.Refactor environment file handling and add passwords.env

876d04b

Update.refactor environment file handling and add passwords.env

9bbd2fd

stephdl force-pushed the sdl-7011 branch 3 times, most recently from 172351b to b4693e8 Compare September 12, 2024 09:08

stephdl added 6 commits September 12, 2024 12:26

Update.write passfile only if sensitive data with passfile exists

ad47809

Add NETHVOICE_LDAP_PASS to passfile passwords.env

6ab273f

clone.remove unused code for cleaning environment variables

9c112df

Bin.refactor environment file handling

cc60749

Import.refactor environment file handling, read from passfile

4be331a

Merge branch 'main' of github.com:nethesis/ns8-nethvoice into sdl-7011

93eeb47

stephdl force-pushed the sdl-7011 branch from be77968 to 93eeb47 Compare September 12, 2024 10:27

stephdl self-assigned this Sep 12, 2024

Stell0 approved these changes Sep 26, 2024

View reviewed changes

Amygos requested changes Oct 1, 2024

View reviewed changes

stephdl added 6 commits October 1, 2024 16:30

Remove duplicate environment variables in in systemd user services

15fa902

Refactor service adjustment script to fix sourcing issue

978a599

Remove environment secret handling in import and restore modules

97f44e7

Remove duplicated environment variables in MySQL import and restore m…

64e81ae

…odules

Add default value for env vars in update script

03ecbfc

Refactor restore-module configure script to handle missing NETHVOICE_…

376ed51

…USER_PORTAL_USERNAME environment variable gracefully

Amygos self-assigned this Oct 3, 2024

stephdl force-pushed the sdl-7011 branch 10 times, most recently from 6f39134 to 51445f9 Compare October 7, 2024 09:09

stephdl requested a review from Amygos October 7, 2024 09:11

stephdl force-pushed the sdl-7011 branch from 51445f9 to 689d9a2 Compare October 7, 2024 09:14

Refactor MariaDB password handling in clone-module script

3588416

stephdl force-pushed the sdl-7011 branch from 9934592 to 3588416 Compare October 7, 2024 15:49

Merge remote-tracking branch 'upstream/main' into sdl-7011

0f8652b

Stell0 mentioned this pull request Oct 7, 2024

Add phonebook LDAP environment to Tancredi (used in entrypoint) #315

Merged

Amygos added 2 commits October 8, 2024 10:29

fixup! Remove duplicate environment variables in in systemd user serv…

d8e2a41

…ices

Merge remote-tracking branch 'upstream/main' into sdl-7011

f3fa0ac

Amygos approved these changes Oct 8, 2024

View reviewed changes

Amygos merged commit 2a8733a into main Oct 8, 2024
4 checks passed

Amygos deleted the sdl-7011 branch October 8, 2024 13:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove sensitive data from nethvoice #292

Remove sensitive data from nethvoice #292

stephdl commented Sep 10, 2024 •

edited

Loading

Amygos Oct 1, 2024

Remove sensitive data from nethvoice #292

Remove sensitive data from nethvoice #292

Conversation

stephdl commented Sep 10, 2024 • edited Loading

Amygos Oct 1, 2024

Choose a reason for hiding this comment

stephdl commented Sep 10, 2024 •

edited

Loading