Break out frontend and backend auth options into stand alone options (#925)

* Break out frontend and backend auth options into stand alone options

* Improve the token auth checks when installing clients
Daniel Markstedt 2022-10-21 19:49:53 -07:00 committed by GitHub
parent 99a1c7cdbc
commit ade656e38b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 75 additions and 62 deletions


@ -22,7 +22,7 @@ USER pi
COPY --chown=pi:pi . . COPY --chown=pi:pi . .
# Standalone RaSCSI web UI # Standalone RaSCSI web UI
RUN ./easyinstall.sh --run_choice=11 --skip-token RUN ./easyinstall.sh --run_choice=11
# Wired network bridge # Wired network bridge
RUN ./easyinstall.sh --run_choice=6 --headless RUN ./easyinstall.sh --run_choice=6 --headless


@ -21,7 +21,7 @@ COPY --chown=pi:pi . .
RUN patch -p0 < docker/rascsi/cfilesystem.patch RUN patch -p0 < docker/rascsi/cfilesystem.patch
# Install RaSCSI standalone # Install RaSCSI standalone
RUN ./easyinstall.sh --run_choice=10 --cores=`nproc` --skip-token RUN ./easyinstall.sh --run_choice=10 --cores=`nproc`
USER root USER root
WORKDIR /home/pi WORKDIR /home/pi


@ -157,8 +157,18 @@ function installRaScsi() {
cleanupOutdatedManPage "scsimon.1" cleanupOutdatedManPage "scsimon.1"
cleanupOutdatedManPage "rasdump.1" cleanupOutdatedManPage "rasdump.1"
cleanupOutdatedManPage "sasidump.1" cleanupOutdatedManPage "sasidump.1"
# install # install
sudo make install CONNECT_TYPE="${CONNECT_TYPE:-FULLSPEC}" </dev/null sudo make install CONNECT_TYPE="${CONNECT_TYPE:-FULLSPEC}" </dev/null
# update launch parameters
if [[ -f $SECRET_FILE ]]; then
sudo sed -i "\@^ExecStart.*@ s@@& -F $VIRTUAL_DRIVER_PATH -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
echo "Secret token file $SECRET_FILE detected. Using it to enable back-end authentication."
else
sudo sed -i "\@^ExecStart.*@ s@@& -F $VIRTUAL_DRIVER_PATH@" "$SYSTEMD_PATH/rascsi.service"
fi
echo "Configured rascsi.service to use $VIRTUAL_DRIVER_PATH as default image dir."
} }
function preparePythonCommon() { function preparePythonCommon() {
@ -280,7 +290,7 @@ function backupRaScsiService() {
fi fi
} }
# Offers the choice of enabling token-based authentication for RaSCSI # Offers the choice of enabling token-based authentication for RaSCSI, or disables it if enabled
function configureTokenAuth() { function configureTokenAuth() {
if [[ -f "$HOME/.rascsi_secret" ]]; then if [[ -f "$HOME/.rascsi_secret" ]]; then
sudo rm "$HOME/.rascsi_secret" sudo rm "$HOME/.rascsi_secret"
@ -289,46 +299,34 @@ function configureTokenAuth() {
if [[ -f $SECRET_FILE ]]; then if [[ -f $SECRET_FILE ]]; then
sudo rm "$SECRET_FILE" sudo rm "$SECRET_FILE"
echo "Removed RaSCSI token file" echo "RaSCSI token file $SECRET_FILE already exists. Do you want to disable authentication? (y/N)"
fi
if [[ $SKIP_TOKEN ]]; then
echo "Skipping RaSCSI token setup"
return 0
fi
if [[ -z $TOKEN ]]; then
echo ""
echo "Do you want to protect your RaSCSI installation with a password? [y/N]"
read REPLY read REPLY
if ! [[ $REPLY =~ ^[Yy]$ ]]; then if [[ $REPLY =~ ^[Yy]$ ]]; then
return 0 sudo sed -i 's@-P '"$SECRET_FILE"'@@' "$SYSTEMD_PATH/rascsi.service"
return
fi
fi fi
echo -n "Enter the password that you want to use: " echo -n "Enter the token password for protecting RaSCSI: "
read -r TOKEN read -r TOKEN
fi
echo "$TOKEN" > "$SECRET_FILE" echo "$TOKEN" > "$SECRET_FILE"
# Make the secret file owned and only readable by root # Make the secret file owned and only readable by root
sudo chown root:root "$SECRET_FILE" sudo chown root:root "$SECRET_FILE"
sudo chmod 600 "$SECRET_FILE" sudo chmod 600 "$SECRET_FILE"
sudo sed -i "s@^ExecStart.*@& -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
echo "" echo ""
echo "Configured RaSCSI to use $SECRET_FILE for authentication. This file is readable by root only." echo "Configured RaSCSI to use $SECRET_FILE for authentication. This file is readable by root only."
echo "Make note of your password: you will need it to use rasctl and other RaSCSI clients." echo "Make note of your password: you will need it to use rasctl and other RaSCSI clients."
echo "If you have RaSCSI clients installed, please re-run the installation scripts, or update the systemd config manually."
} }
# Modifies and installs the rascsi service # Enables and starts the rascsi service
function enableRaScsiService() { function enableRaScsiService() {
if [ ! -z "$TOKEN" ]; then
sudo sed -i "s@^ExecStart.*@& -F $VIRTUAL_DRIVER_PATH -P $SECRET_FILE@" "$SYSTEMD_PATH/rascsi.service"
else
sudo sed -i "s@^ExecStart.*@& -F $VIRTUAL_DRIVER_PATH@" "$SYSTEMD_PATH/rascsi.service"
fi
echo "Configured rascsi.service to use $VIRTUAL_DRIVER_PATH as default image dir."
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart rsyslog sudo systemctl restart rsyslog
sudo systemctl enable rascsi # optional - start rascsi at boot sudo systemctl enable rascsi # optional - start rascsi at boot
@ -338,10 +336,16 @@ function enableRaScsiService() {
# Modifies and installs the rascsi-web service # Modifies and installs the rascsi-web service
function installWebInterfaceService() { function installWebInterfaceService() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "Installing the rascsi-web.service configuration..." echo "Installing the rascsi-web.service configuration..."
sudo cp -f "$WEB_INSTALL_PATH/service-infra/rascsi-web.service" "$SYSTEMD_PATH/rascsi-web.service" sudo cp -f "$WEB_INSTALL_PATH/service-infra/rascsi-web.service" "$SYSTEMD_PATH/rascsi-web.service"
sudo sed -i /^ExecStart=/d "$SYSTEMD_PATH/rascsi-web.service" sudo sed -i /^ExecStart=/d "$SYSTEMD_PATH/rascsi-web.service"
echo "$TOKEN"
if [ ! -z "$TOKEN" ]; then if [ ! -z "$TOKEN" ]; then
sudo sed -i "8 i ExecStart=$WEB_INSTALL_PATH/start.sh --password=$TOKEN" "$SYSTEMD_PATH/rascsi-web.service" sudo sed -i "8 i ExecStart=$WEB_INSTALL_PATH/start.sh --password=$TOKEN" "$SYSTEMD_PATH/rascsi-web.service"
# Make the service file readable by root only, to protect the token string # Make the service file readable by root only, to protect the token string
@ -934,6 +938,12 @@ function installMacproxy {
# updates configuration files and installs packages needed for the OLED screen script # updates configuration files and installs packages needed for the OLED screen script
function installRaScsiScreen() { function installRaScsiScreen() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "IMPORTANT: This configuration requires a OLED screen to be installed onto your RaSCSI board." echo "IMPORTANT: This configuration requires a OLED screen to be installed onto your RaSCSI board."
echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/OLED-Status-Display-(Optional)" echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/OLED-Status-Display-(Optional)"
echo "" echo ""
@ -964,16 +974,6 @@ function installRaScsiScreen() {
SCREEN_HEIGHT="32" SCREEN_HEIGHT="32"
fi fi
if [ -z "$TOKEN" ]; then
echo ""
echo "Did you protect your RaSCSI installation with a token password? [y/N]"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
echo -n "Enter the password that you configured with RaSCSI at the time of installation: "
read -r TOKEN
fi
fi
stopRaScsiScreen stopRaScsiScreen
disableRaScsiCtrlBoardService disableRaScsiCtrlBoardService
updateRaScsiGit updateRaScsiGit
@ -1026,6 +1026,12 @@ function installRaScsiScreen() {
# updates configuration files and installs packages needed for the CtrlBoard script # updates configuration files and installs packages needed for the CtrlBoard script
function installRaScsiCtrlBoard() { function installRaScsiCtrlBoard() {
if [[ -f "$SECRET_FILE" && -z "$TOKEN" ]] ; then
echo ""
echo "Secret token file $SECRET_FILE detected. You must enter the password, or press Ctrl+C to cancel installation."
read -r TOKEN
fi
echo "IMPORTANT: This configuration requires a RaSCSI Control Board connected to your RaSCSI board." echo "IMPORTANT: This configuration requires a RaSCSI Control Board connected to your RaSCSI board."
echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/RaSCSI-Control-Board" echo "See wiki for more information: https://github.com/akuker/RASCSI/wiki/RaSCSI-Control-Board"
echo "" echo ""
@ -1042,16 +1048,6 @@ function installRaScsiCtrlBoard() {
ROTATION="180" ROTATION="180"
fi fi
if [ -z "$TOKEN" ]; then
echo ""
echo "Did you protect your RaSCSI installation with a token password? [y/N]"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
echo -n "Enter the password that you configured with RaSCSI at the time of installation: "
read -r TOKEN
fi
fi
stopRaScsiCtrlBoard stopRaScsiCtrlBoard
updateRaScsiGit updateRaScsiGit
@ -1148,6 +1144,13 @@ function enableWebInterfaceAuth {
if [ $(getent group "$AUTH_GROUP") ]; then if [ $(getent group "$AUTH_GROUP") ]; then
echo "The '$AUTH_GROUP' group already exists." echo "The '$AUTH_GROUP' group already exists."
echo "Do you want to disable Web Interface authentication? (y/N)"
read -r REPLY
if [ "$REPLY" == "y" ] || [ "$REPLY" == "Y" ]; then
sudo groupdel "$AUTH_GROUP"
echo "The '$AUTH_GROUP' group has been deleted."
exit 0
fi
else else
echo "Creating the '$AUTH_GROUP' group." echo "Creating the '$AUTH_GROUP' group."
sudo groupadd "$AUTH_GROUP" sudo groupadd "$AUTH_GROUP"
@ -1175,7 +1178,6 @@ function runChoice() {
sudoCheck sudoCheck
createImagesDir createImagesDir
createCfgDir createCfgDir
configureTokenAuth
stopOldWebInterface stopOldWebInterface
updateRaScsiGit updateRaScsiGit
installPackages installPackages
@ -1196,7 +1198,6 @@ function runChoice() {
cachePipPackages cachePipPackages
installRaScsiWebInterface installRaScsiWebInterface
installWebInterfaceService installWebInterfaceService
enableWebInterfaceAuth
showRaScsiScreenStatus showRaScsiScreenStatus
showRaScsiCtrlBoardStatus showRaScsiCtrlBoardStatus
showRaScsiStatus showRaScsiStatus
@ -1217,7 +1218,6 @@ function runChoice() {
sudoCheck sudoCheck
createImagesDir createImagesDir
createCfgDir createCfgDir
configureTokenAuth
updateRaScsiGit updateRaScsiGit
installPackages installPackages
stopRaScsiScreen stopRaScsiScreen
@ -1306,7 +1306,6 @@ function runChoice() {
echo "- Install manpages to /usr/local/man" echo "- Install manpages to /usr/local/man"
sudoCheck sudoCheck
createImagesDir createImagesDir
configureTokenAuth
updateRaScsiGit updateRaScsiGit
installPackagesStandalone installPackagesStandalone
stopRaScsi stopRaScsi
@ -1322,21 +1321,36 @@ function runChoice() {
echo "- Add and modify systemd services" echo "- Add and modify systemd services"
echo "- Modify and enable Apache2 and Nginx web service" echo "- Modify and enable Apache2 and Nginx web service"
echo "- Create directories and change permissions" echo "- Create directories and change permissions"
echo "- Modify user groups and permissions"
echo "- Create a self-signed certificate in /etc/ssl" echo "- Create a self-signed certificate in /etc/ssl"
sudoCheck sudoCheck
createCfgDir createCfgDir
configureTokenAuth
updateRaScsiGit updateRaScsiGit
installPackages installPackages
preparePythonCommon preparePythonCommon
cachePipPackages cachePipPackages
installRaScsiWebInterface installRaScsiWebInterface
enableWebInterfaceAuth
echo "Configuring RaSCSI Web Interface stand-alone - Complete!" echo "Configuring RaSCSI Web Interface stand-alone - Complete!"
echo "Launch the Web Interface with the 'start.sh' script. To use a custom port for the web server: 'start.sh --web-port=8081" echo "Launch the Web Interface with the 'start.sh' script. To use a custom port for the web server: 'start.sh --web-port=8081"
;; ;;
12) 12)
echo "Enabling or disabling RaSCSI back-end authentication"
echo "This script will make the following changes to your system:"
echo "- Modify user groups and permissions"
sudoCheck
stopRaScsi
configureTokenAuth
enableRaScsiService
echo "Enabling or disabling RaSCSI back-end authentication - Complete!"
;;
13)
echo "Enabling or disabling Web Interface authentication"
echo "This script will make the following changes to your system:"
echo "- Modify user groups and permissions"
sudoCheck
enableWebInterfaceAuth
echo "Enabling or disabling Web Interface authentication - Complete!"
;;
14)
echo "Installing / Updating RaSCSI Control Board UI" echo "Installing / Updating RaSCSI Control Board UI"
echo "This script will make the following changes to your system:" echo "This script will make the following changes to your system:"
echo "- Install additional packages with apt-get" echo "- Install additional packages with apt-get"
@ -1349,7 +1363,7 @@ function runChoice() {
showRaScsiCtrlBoardStatus showRaScsiCtrlBoardStatus
echo "Installing / Updating RaSCSI Control Board UI - Complete!" echo "Installing / Updating RaSCSI Control Board UI - Complete!"
;; ;;
13) 15)
shareImagesWithNetatalk shareImagesWithNetatalk
echo "Configuring AppleShare File Server - Complete!" echo "Configuring AppleShare File Server - Complete!"
;; ;;
@ -1366,7 +1380,7 @@ function runChoice() {
function readChoice() { function readChoice() {
choice=-1 choice=-1
until [ $choice -ge "0" ] && [ $choice -le "13" ]; do until [ $choice -ge "0" ] && [ $choice -le "15" ]; do
echo -n "Enter your choice (0-13) or CTRL-C to exit: " echo -n "Enter your choice (0-13) or CTRL-C to exit: "
read -r choice read -r choice
done done
@ -1395,9 +1409,11 @@ function showMenu() {
echo "ADVANCED OPTIONS" echo "ADVANCED OPTIONS"
echo " 10) compile and install RaSCSI stand-alone" echo " 10) compile and install RaSCSI stand-alone"
echo " 11) configure the RaSCSI Web Interface stand-alone" echo " 11) configure the RaSCSI Web Interface stand-alone"
echo " 12) enable or disable RaSCSI back-end authentication"
echo " 13) enable or disable RaSCSI Web Interface authentication"
echo "EXPERIMENTAL FEATURES" echo "EXPERIMENTAL FEATURES"
echo " 12) install or update RaSCSI Control Board UI (requires hardware)" echo " 14) install or update RaSCSI Control Board UI (requires hardware)"
echo " 13) share the images dir over AppleShare (requires Netatalk)" echo " 15) share the images dir over AppleShare (requires Netatalk)"
} }
# parse arguments passed to the script # parse arguments passed to the script
@ -1433,9 +1449,6 @@ while [ "$1" != "" ]; do
fi fi
TOKEN=$VALUE TOKEN=$VALUE
;; ;;
-s | --skip-token)
SKIP_TOKEN=1
;;
-h | --headless) -h | --headless)
HEADLESS=1 HEADLESS=1
;; ;;
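Review bot: The bare `echo "$TOKEN"` in installWebInterfaceService, between the `sed -i /^ExecStart=/d` line and the `if [ ! -z "$TOKEN" ]` check, prints the back-end token in clear text to stdout, so it ends up in terminal scrollback and any captured install log; it looks like a debugging leftover and should be deleted. The three new prompts in installWebInterfaceService, installRaScsiScreen and installRaScsiCtrlBoard read the token with `read -r TOKEN`, which echoes it as typed; `read -rs TOKEN` followed by `echo ""` would keep it off the screen. In configureTokenAuth the `sudo rm "$SECRET_FILE"` still runs before the new disable question, so answering N appears to discard the old token file anyway, and if rascsi.service already carries `-P $SECRET_FILE` the later `sed` would append a second one; moving the `rm` into the `y` branch and stripping any existing `-P` before re-adding it would avoid both. The bodies of these functions continue outside the hunks shown, so the surrounding flow should be confirmed against the full file.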