From ed7f8c5a788bd1929eff25f9fea120e52c4bd35d Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Wed, 5 Jun 2024 15:55:24 +0200 Subject: [PATCH] Allow independent credentials for JSON RPC It's probably not a great idea to allow users to easily access JSON RPC, so a different set of credentials is useful. Also allow the secret to be mounted directly without the convoluted auth-config format (which is an ini file in reality). Deprecate the auth-config approach (JSON RPC is the last instance where it's used). Signed-off-by: Dmitry Tantsur --- scripts/auth-common.sh | 48 +++++++++++++++++++++++++------------ scripts/configure-ironic.sh | 4 +--- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh index 90cea4c5b..a6e6621b8 100644 --- a/scripts/auth-common.sh +++ b/scripts/auth-common.sh @@ -15,38 +15,56 @@ IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd if [[ -f "/auth/ironic/htpasswd" ]]; then IRONIC_HTPASSWD=$( "${IRONIC_HTPASSWD_FILE}-rpc" + + if [[ -z "${IRONIC_RPC_HTPASSWD}" ]]; then + if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then + htpasswd -c -i -B "${IRONIC_HTPASSWD_FILE}-rpc" "$(<${username_file})" <"${password_file}" + else + echo "FATAL: enabling JSON RPC requires authentication" + exit 1 + fi + else + printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc" + fi fi } configure_ironic_auth() { - local config=/etc/ironic/ironic.conf # Configure HTTP basic auth for API server if [[ -n "${IRONIC_HTPASSWD}" ]]; then printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}" if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then - crudini --set "${config}" DEFAULT auth_strategy http_basic - crudini --set "${config}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}" + crudini --set "${IRONIC_CONFIG}" DEFAULT auth_strategy http_basic + crudini --set "${IRONIC_CONFIG}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}" fi fi } 
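Review bot: The new `htpasswd` line in configure_json_rpc_auth expands `${username_file}` unquoted inside the `$(<...)` substitution, so a path containing whitespace or glob characters is word-split before being read (ShellCheck SC2086), and the fatal diagnostic two lines later goes to stdout rather than stderr. Both are one-token fixes: `htpasswd -c -i -B "${IRONIC_HTPASSWD_FILE}-rpc" "$(<"${username_file}")" <"${password_file}"` and `echo "FATAL: enabling JSON RPC requires authentication" >&2`. The `-rpc` htpasswd file is created in both branches with whatever umask the container runs under and no explicit mode; it holds only a password hash, but as a credential file it would be worth a `chmod 600 "${IRONIC_HTPASSWD_FILE}-rpc"` after it is written, matching whatever the existing API htpasswd path does if that is tightened too. The start of configure_json_rpc_auth, where `username_file` and `password_file` are presumably declared, is outside the readable part of this hunk.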
diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
index 3c6dc5afc..3c6333e9c 100755
--- a/scripts/configure-ironic.sh
+++ b/scripts/configure-ironic.sh
@@ -84,12 +84,10 @@ env | grep "^OS_" || true
 mkdir -p /shared/html
 mkdir -p /shared/ironic_prometheus_exporter
-configure_json_rpc_auth
-
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
-configure_client_basic_auth ironic-rpc
+configure_json_rpc_auth
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
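Review bot: The relocated `configure_json_rpc_auth` call now runs after `render_j2_config`, and nothing in the hunk records why the order matters; the companion auth-common.sh change switches the auth helpers to editing `${IRONIC_CONFIG}` with crudini, so the call presumably has to follow rendering or the template would overwrite its settings. A one-line comment above the call would make the dependency explicit for the next person who reorders this script: `# Must run after render_j2_config: JSON RPC auth edits the rendered ironic.conf`. Confirm against the final body of configure_json_rpc_auth, which is not fully readable in this patch.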