Break out frontend and backend auth options into stand alone options (#925)

* Break out frontend and backend auth options into stand alone options

* Improve the token auth checks when installing clients
This commit is contained in:
Daniel Markstedt 2022-10-21 19:49:53 -07:00 committed by GitHub
parent 99a1c7cdbc
commit ade656e38b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 75 additions and 62 deletions

View File

@ -22,7 +22,7 @@ USER pi
COPY --chown=pi:pi . .
# Standalone RaSCSI web UI
RUN ./easyinstall.sh --run_choice=11 --skip-token
RUN ./easyinstall.sh --run_choice=11
# Wired network bridge
RUN ./easyinstall.sh --run_choice=6 --headless

View File

@ -21,7 +21,7 @@ COPY --chown=pi:pi . .
RUN patch -p0 < docker/rascsi/cfilesystem.patch
# Install RaSCSI standalone
RUN ./easyinstall.sh --run_choice=10 --cores=`nproc` --skip-token
RUN ./easyinstall.sh --run_choice=10 --cores=`nproc`
USER root
WORKDIR /home/pi

View File

@ -157,8 +157,18 @@ function installRaScsi() {
cleanupOutdatedManPage "scsimon.1"
cleanupOutdatedManPage "rasdump.1"
cleanupOutdatedManPage "sasidump.1"
# install
sudo make install CONNECT_TYPE="${CONNECT_TYPE:-FULLSPEC}" </dev/null
# update launch parameters
if [[ -f $SECRET_FILE ]]; then
sudo sed -i "\@^ExecStart.*@ s@@& -F $VIRTUAL_DRIVER_PATH -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
echo "Secret token file $SECRET_FILE detected. Using it to enable back-end authentication."
else
sudo sed -i "\@^ExecStart.*@ s@@& -F $VIRTUAL_DRIVER_PATH@" "$SYSTEMD_PATH/rascsi.service"
fi
echo "Configured rascsi.service to use $VIRTUAL_DRIVER_PATH as default image dir."
}
function preparePythonCommon() {
@ -280,7 +290,7 @@ function backupRaScsiService() {
fi
}
# Offers the choice of enabling token-based authentication for RaSCSI
# Offers the choice of enabling token-based authentication for RaSCSI, or disables it if enabled
function configureTokenAuth() {
if [[ -f "$HOME/.rascsi_secret" ]]; then
sudo rm "$HOME/.rascsi_secret"
@ -289,46 +299,34 @@ function configureTokenAuth() {
if [[ -f $SECRET_FILE ]]; then
sudo rm "$SECRET_FILE"
echo "Removed RaSCSI token file"
fi
if [[ $SKIP_TOKEN ]]; then
echo "Skipping RaSCSI token setup"
return 0
fi
if [[ -z $TOKEN ]]; then
echo ""
echo "Do you want to protect your RaSCSI installation with a password? [y/N]"
echo "RaSCSI token file $SECRET_FILE already exists. Do you want to disable authentication? (y/N)"
read REPLY
if ! [[ $REPLY =~ ^[Yy]$ ]]; then
return 0
if [[ $REPLY =~ ^[Yy]$ ]]; then
sudo sed -i 's@-P '"$SECRET_FILE"'@@' "$SYSTEMD_PATH/rascsi.service"
return
fi
echo -n "Enter the password that you want to use: "
read -r TOKEN
fi
echo -n "Enter the token password for protecting RaSCSI: "
read -r TOKEN
echo "$TOKEN" > "$SECRET_FILE"
# Make the secret file owned and only readable by root
sudo chown root:root "$SECRET_FILE"
sudo chmod 600 "$SECRET_FILE"
sudo sed -i "s@^ExecStart.*@& -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
echo ""
echo "Configured RaSCSI to use $SECRET_FILE for authentication. This file is readable by root only."
echo "Make note of your password: you will need it to use rasctl and other RaSCSI clients."
echo "If you have RaSCSI clients installed, please re-run the installation scripts, or update the systemd config manually."
}
# Modifies and installs the rascsi service
# Enables and starts the rascsi service
function enableRaScsiService() {
if [ ! -z "$TOKEN" ]; then
sudo sed -i "s@^ExecStart.*@& -F $VIRTUAL_DRIVER_PATH -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
else
sudo sed -i "s@^ExecStart.*@& -F $VIRTUAL_DRIVER_PATH@" "$SYSTEMD_PATH/rascsi.service"
fi
echo "Configured rascsi.service to use $VIRTUAL_DRIVER_PATH as default image dir."
sudo systemctl daemon-reload
sudo systemctl restart rsyslog
sudo systemctl enable rascsi # optional - start rascsi at boot
@ -338,10 +336,16 @@ function enableRaScsiService() {
# Modifies and installs the rascsi-web service
function installWebInterfaceService() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "Installing the rascsi-web.service configuration..."
sudo cp -f "$WEB_INSTALL_PATH/service-infra/rascsi-web.service" "$SYSTEMD_PATH/rascsi-web.service"
sudo sed -i /^ExecStart=/d "$SYSTEMD_PATH/rascsi-web.service"
echo "$TOKEN"
if [ ! -z "$TOKEN" ]; then
sudo sed -i "8 i ExecStart=$WEB_INSTALL_PATH/start.sh --password=$TOKEN" "$SYSTEMD_PATH/rascsi-web.service"
# Make the service file readable by root only, to protect the token string
@ -934,6 +938,12 @@ function installMacproxy {
# updates configuration files and installs packages needed for the OLED screen script
function installRaScsiScreen() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "IMPORTANT: This configuration requires a OLED screen to be installed onto your RaSCSI board."
echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/OLED-Status-Display-(Optional)"
echo ""
@ -964,16 +974,6 @@ function installRaScsiScreen() {
SCREEN_HEIGHT="32"
fi
if [ -z "$TOKEN" ]; then
echo ""
echo "Did you protect your RaSCSI installation with a token password? [y/N]"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
echo -n "Enter the password that you configured with RaSCSI at the time of installation: "
read -r TOKEN
fi
fi
stopRaScsiScreen
disableRaScsiCtrlBoardService
updateRaScsiGit
@ -1026,6 +1026,12 @@ function installRaScsiScreen() {
# updates configuration files and installs packages needed for the CtrlBoard script
function installRaScsiCtrlBoard() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "IMPORTANT: This configuration requires a RaSCSI Control Board connected to your RaSCSI board."
echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/RaSCSI-Control-Board"
echo ""
@ -1042,16 +1048,6 @@ function installRaScsiCtrlBoard() {
ROTATION="180"
fi
if [ -z "$TOKEN" ]; then
echo ""
echo "Did you protect your RaSCSI installation with a token password? [y/N]"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
echo -n "Enter the password that you configured with RaSCSI at the time of installation: "
read -r TOKEN
fi
fi
stopRaScsiCtrlBoard
updateRaScsiGit
@ -1148,6 +1144,13 @@ function enableWebInterfaceAuth {
if [ $(getent group "$AUTH_GROUP") ]; then
echo "The '$AUTH_GROUP' group already exists."
echo "Do you want to disable Web Interface authentication? (y/N)"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
sudo groupdel "$AUTH_GROUP"
echo "The '$AUTH_GROUP' group has been deleted."
exit 0
fi
else
echo "Creating the '$AUTH_GROUP' group."
sudo groupadd "$AUTH_GROUP"
@ -1175,7 +1178,6 @@ function runChoice() {
sudoCheck
createImagesDir
createCfgDir
configureTokenAuth
stopOldWebInterface
updateRaScsiGit
installPackages
@ -1196,7 +1198,6 @@ function runChoice() {
cachePipPackages
installRaScsiWebInterface
installWebInterfaceService
enableWebInterfaceAuth
showRaScsiScreenStatus
showRaScsiCtrlBoardStatus
showRaScsiStatus
@ -1217,7 +1218,6 @@ function runChoice() {
sudoCheck
createImagesDir
createCfgDir
configureTokenAuth
updateRaScsiGit
installPackages
stopRaScsiScreen
@ -1306,7 +1306,6 @@ function runChoice() {
echo "- Install manpages to /usr/local/man"
sudoCheck
createImagesDir
configureTokenAuth
updateRaScsiGit
installPackagesStandalone
stopRaScsi
@ -1322,21 +1321,36 @@ function runChoice() {
echo "- Add and modify systemd services"
echo "- Modify and enable Apache2 and Nginx web service"
echo "- Create directories and change permissions"
echo "- Modify user groups and permissions"
echo "- Create a self-signed certificate in /etc/ssl"
sudoCheck
createCfgDir
configureTokenAuth
updateRaScsiGit
installPackages
preparePythonCommon
cachePipPackages
installRaScsiWebInterface
enableWebInterfaceAuth
echo "Configuring RaSCSI Web Interface stand-alone - Complete!"
echo "Launch the Web Interface with the 'start.sh' script. To use a custom port for the web server: 'start.sh --web-port=8081"
;;
12)
echo "Enabling or disabling RaSCSI back-end authentication"
echo "This script will make the following changes to your system:"
echo "- Modify user groups and permissions"
sudoCheck
stopRaScsi
configureTokenAuth
enableRaScsiService
echo "Enabling or disabling RaSCSI back-end authentication - Complete!"
;;
13)
echo "Enabling or disabling Web Interface authentication"
echo "This script will make the following changes to your system:"
echo "- Modify user groups and permissions"
sudoCheck
enableWebInterfaceAuth
echo "Enabling or disabling Web Interface authentication - Complete!"
;;
14)
echo "Installing / Updating RaSCSI Control Board UI"
echo "This script will make the following changes to your system:"
echo "- Install additional packages with apt-get"
@ -1349,7 +1363,7 @@ function runChoice() {
showRaScsiCtrlBoardStatus
echo "Installing / Updating RaSCSI Control Board UI - Complete!"
;;
13)
15)
shareImagesWithNetatalk
echo "Configuring AppleShare File Server - Complete!"
;;
@ -1366,7 +1380,7 @@ function runChoice() {
function readChoice() {
choice=-1
until [ $choice -ge "0" ] && [ $choice -le "13" ]; do
until [ $choice -ge "0" ] && [ $choice -le "15" ]; do
echo -n "Enter your choice (0-13) or CTRL-C to exit: "
read -r choice
done
@ -1395,9 +1409,11 @@ function showMenu() {
echo "ADVANCED OPTIONS"
echo " 10) compile and install RaSCSI stand-alone"
echo " 11) configure the RaSCSI Web Interface stand-alone"
echo " 12) enable or disable RaSCSI back-end authentication"
echo " 13) enable or disable RaSCSI Web Interface authentication"
echo "EXPERIMENTAL FEATURES"
echo " 12) install or update RaSCSI Control Board UI (requires hardware)"
echo " 13) share the images dir over AppleShare (requires Netatalk)"
echo " 14) install or update RaSCSI Control Board UI (requires hardware)"
echo " 15) share the images dir over AppleShare (requires Netatalk)"
}
# parse arguments passed to the script
@ -1433,9 +1449,6 @@ while [ "$1" != "" ]; do
fi
TOKEN=$VALUE
;;
-s | --skip-token)
SKIP_TOKEN=1
;;
-h | --headless)
HEADLESS=1
;;