Alfresco / alfresco-ansible-deployment

Ansible playbooks for deploying ACS
https://alfresco.github.io/alfresco-ansible-deployment/
Apache License 2.0

SOLR Shared Secret Incorrectly Quoted in JAVA_TOOL_OPTIONS #806

Open jalvarezferr opened 8 months ago

jalvarezferr commented 8 months ago

Bug description

The SOLR shared secret is configured both for the repository and for SOLR through the JAVA_TOOL_OPTIONS. In both cases it is set in a shell script (tomcat.sh or solr.sh) in this way:

export JAVA_TOOL_OPTIONS="-Dalfresco.secureComms.secret={{ search_shared_secret | quote }}"

Which results in, for example:

export JAVA_TOOL_OPTIONS="-Dalfresco.secureComms.secret='D_i0ftPp$example>66Vp'"

As the example contains a $ sign, the shell script will process the string and result in:

-Dalfresco.secureComms.secret='D_i0ftPp>66Vp'

Which ends up being the secret value set for both the repository and SOLR. As the values match, it operationally works, but it breaks any attempt to access SOLR in any other way.

A simple way to test it:

#!/bin/bash
export JAVA_TOOL_OPTIONS="-Dalfresco.secureComms.secret='D_i0ftPp$example>66Vp'"
java -version

Will output:

Picked up JAVA_TOOL_OPTIONS: -Dalfresco.secureComms.secret='D_i0ftPp>66Vp'
openjdk version "1.8.0_362"
OpenJDK Runtime Environment (build 1.8.0_362-b08)
OpenJDK 64-Bit Server VM (build 25.362-b08, mixed mode)

Whereas:

#!/bin/bash
export JAVA_TOOL_OPTIONS='-Dalfresco.secureComms.secret=D_i0ftPp$example>66Vp'
java -version

Gives the correct result:

Picked up JAVA_TOOL_OPTIONS: -Dalfresco.secureComms.secret=D_i0ftPp$example>66Vp
openjdk version "1.8.0_362"
OpenJDK Runtime Environment (build 1.8.0_362-b08)
OpenJDK 64-Bit Server VM (build 25.362-b08, mixed mode)

Target OS

Any

Host OS

Any

Playbook version

Any (ACS version 7.2+)

Ansible error

Not relevant

Ansible context

Not relevant

ansible --version

Not relevant

ansible-config dump --only-changed

Not relevant

ansible-inventory -i your_inventory_file --graph

Not relevant

pip list

Not relevant

jalvarezferr commented 8 months ago

Reviewing the code. The same seems to apply to the other values set in JAVA_TOOL_OPTIONS for the metadata-keystore, and in general to all the variables exported here:

https://github.com/Alfresco/alfresco-ansible-deployment/blob/a535cdc8b573dec74736bea85836a0d2e3d67d99/roles/repository/tasks/main.yml#L201

alxgomz commented 8 months ago

Fixing it in shell will be a nightmare and probably open the door for regressions, or we'll simply miss some use cases. I think we'd better move the JAVA_TOOL_OPTIONS off to a systemd unit override. It is more secure and avoids dealing with files created in one role from another one. However, the counterpart is that it's not possible to further expand env vars within a systemd Environment=, so the values can only be static. That would break anything set in the user's profile, for instance. Other suggestions?

jalvarezferr commented 2 months ago

Came back to this and found this works:

#!/bin/bash
export JAVA_OPTS="-version \$JAVA_OPTS"
export JAVA_TOOL_OPTIONS="-Dalfresco.secureComms.secret=D_i0ftP\$example>66Vp"
java $JAVA_OPTS

Produces:

~# ./test.sh
Picked up JAVA_TOOL_OPTIONS: -Dalfresco.secureComms.secret=D_i0ftP$example>66Vp
openjdk version "17.0.3" 2022-04-19
OpenJDK Runtime Environment Temurin-17.0.3+7 (build 17.0.3+7)
OpenJDK 64-Bit Server VM Temurin-17.0.3+7 (build 17.0.3+7, mixed mode, sharing)

Would just require sanitizing every value by escaping the $ signs. Maybe something like (untested):

    - name: Add additional env vars to tomcat.sh
      ansible.builtin.lineinfile:
        path: "{{ binaries_folder }}/tomcat.sh"
        insertafter: 'CATALINA_OPTS'
        # Join the list into one string first, then escape every $ so the shell
        # keeps it literal inside the double quotes. A block scalar is used so
        # YAML leaves the backslashes alone; Jinja reads '\\$' as backslash + $.
        line: >-
          export {{ item.key }}="{{ item.value | join(' ') | replace('$', '\\$') }}"
        owner: "{{ username }}"
        group: "{{ group_name }}"
      loop: >-
        {{ acs_environment
        | ansible.builtin.combine(acs_secure_environment
        | default(None), list_merge='prepend')
        | dict2items }}
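An added example, not code from this issue or from the alfresco-ansible-deployment playbooks, that reproduces the root cause described in the first post and the escaping approach from the last comment in one runnable script. Ansible's quote filter wraps the value in single quotes, which the shell treats as ordinary characters inside a double-quoted export line, so $ still expands there; escaping the value for a double-quoted context instead keeps every character literal. The secret is a constructed sample modelled on the one in the issue, and the helper names (escape_for_dquote, resolved_value, buggy_value, fixed_value) are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the playbook): shows why a value
# wrapped in single quotes inside a double-quoted export still gets
# expanded, and a small escaping helper a playbook could reproduce.

# Constructed sample secret, modelled on the one in the issue. It contains
# "$example", which must be an unset variable for the demonstration.
SAMPLE_SECRET='D_i0ftPp$example>66Vp'
unset example

# Escape the four characters the shell treats specially inside "...":
# backslash, dollar, backquote and double quote. Backslash goes first so
# the escapes added by later substitutions are not doubled again.
escape_for_dquote() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/\$/\\$/g' -e 's/`/\\`/g' -e 's/"/\\"/g'
}

# Write an export line in the playbook's style, source it in a subshell
# (so the caller's environment stays untouched) and print the secret part
# that JAVA_TOOL_OPTIONS actually ends up holding.
resolved_value() {
    # $1: the text placed inside the double quotes on the export line
    tmp=$(mktemp)
    printf 'export JAVA_TOOL_OPTIONS="-Dalfresco.secureComms.secret=%s"\n' "$1" > "$tmp"
    ( . "$tmp" && printf '%s' "${JAVA_TOOL_OPTIONS#-Dalfresco.secureComms.secret=}" )
    rm -f "$tmp"
}

# The issue's form: the quote filter yields '...', which "..." does not protect,
# so $example is expanded to nothing and the quotes become part of the value.
buggy_value() {
    resolved_value "'$SAMPLE_SECRET'"
}

# Escaped form: every $ becomes \$, so the shell keeps the secret intact.
fixed_value() {
    resolved_value "$(escape_for_dquote "$SAMPLE_SECRET")"
}

printf 'single quotes inside double quotes : %s\n' "$(buggy_value)"
printf 'escaped for double quotes          : %s\n' "$(fixed_value)"
```

Escaping only the $ sign, as the last comment proposes, covers the secret in this issue; escape_for_dquote also handles backslash, backquote and double quote, which are the remaining characters a double-quoted shell string interprets. The round-trip check in resolved_value reads back what the sourced line really stored rather than trusting the text of the export line.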