From e9b727a638ff51c0081baf4a621f7eca81f7af0d Mon Sep 17 00:00:00 2001
From: John Meyer <0x326@users.noreply.github.com>
Date: Thu, 20 Aug 2020 13:04:58 -0400
Subject: [PATCH 1/4] Store secrets in separate .env file

This allows a downstream-user to keep .env under some version control without worrying about password leakage.

---
 .gitignore | 1 +
 docker-compose.yml | 21 ++++++++++---------
 env.example | 28 --------------------------
 gen-passwords.sh | 50 ++++++++++++++++++++++++++++++++--------------
 4 files changed, 48 insertions(+), 52 deletions(-)
diff --git a/.gitignore b/.gitignore
index 85cf233bc0..f94f7d351b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.swp
 .env
 .env.bak
+/.secrets
 docker-compose.override.yml
diff --git a/docker-compose.yml b/docker-compose.yml
index 558946ba0e..4b116ef483 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -104,6 +104,13 @@ services:
 volumes:
 - ${CONFIG}/prosody/config:/config:Z
 - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+ env_file:
+ - .secrets/JICOFO_COMPONENT_SECRET.env
+ - .secrets/JICOFO_AUTH_PASSWORD.env
+ - .secrets/JVB_AUTH_PASSWORD.env
+ - .secrets/JIGASI_XMPP_PASSWORD.env
+ - .secrets/JIBRI_XMPP_PASSWORD.env
+ - .secrets/JIBRI_RECORDER_PASSWORD.env
 environment:
 - AUTH_TYPE
 - ENABLE_AUTH
@@ -134,17 +141,11 @@ services:
 - XMPP_MUC_MODULES
 - XMPP_INTERNAL_MUC_MODULES
 - XMPP_RECORDER_DOMAIN
- - JICOFO_COMPONENT_SECRET
 - JICOFO_AUTH_USER
- - JICOFO_AUTH_PASSWORD
 - JVB_AUTH_USER
- - JVB_AUTH_PASSWORD
 - JIGASI_XMPP_USER
- - JIGASI_XMPP_PASSWORD
 - JIBRI_XMPP_USER
- - JIBRI_XMPP_PASSWORD
 - JIBRI_RECORDER_USER
- - JIBRI_RECORDER_PASSWORD
 - JWT_APP_ID
 - JWT_APP_SECRET
 - JWT_ACCEPTED_ISSUERS
@@ -167,6 +168,9 @@ services:
 restart: ${RESTART_POLICY}
 volumes:
 - ${CONFIG}/jicofo:/config:Z
+ env_file:
+ - .secrets/JICOFO_COMPONENT_SECRET.env
+ - .secrets/JICOFO_AUTH_PASSWORD.env
 environment:
 - AUTH_TYPE
 - ENABLE_AUTH
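Review bot: Every file listed under `env_file:` is mandatory to Compose, so naming `.secrets/JIGASI_XMPP_PASSWORD.env` and the two `.secrets/JIBRI_*.env` files on the prosody service makes `docker-compose up` fail whenever they are absent, even though the comment block this patch moves into gen-passwords.sh says the Jigasi and Jibri passwords may be skipped. The jicofo hunk at `@@ -167` and the jvb hunk at `@@ -199` on the next line carry the same hard dependency, so a deployment where gen-passwords.sh has not been run now stops with a missing-file error instead of an empty password. Either generate every file unconditionally and say so in that comment, or move the optional entries into `docker-compose.override.yml` (git-ignored by this same patch) rather than the base file. A one-line comment above the first `env_file:` block, `# generated by ./gen-passwords.sh; Compose will not start if any listed file is missing`, would make the new requirement visible to operators.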
@@ -175,9 +179,7 @@ services:
 - XMPP_INTERNAL_MUC_DOMAIN
 - XMPP_MUC_DOMAIN
 - XMPP_SERVER
- - JICOFO_COMPONENT_SECRET
 - JICOFO_AUTH_USER
- - JICOFO_AUTH_PASSWORD
 - JICOFO_RESERVATION_REST_BASE_URL
 - JVB_BREWERY_MUC
 - JIGASI_BREWERY_MUC
@@ -199,13 +201,14 @@ services:
 - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
 volumes:
 - ${CONFIG}/jvb:/config:Z
+ env_file:
+ - .secrets/JVB_AUTH_PASSWORD.env
 environment:
 - DOCKER_HOST_ADDRESS
 - XMPP_AUTH_DOMAIN
 - XMPP_INTERNAL_MUC_DOMAIN
 - XMPP_SERVER
 - JVB_AUTH_USER
- - JVB_AUTH_PASSWORD
 - JVB_BREWERY_MUC
 - JVB_PORT
 - JVB_TCP_HARVESTER_DISABLED
diff --git a/env.example b/env.example
index 64a174c829..9512ce5d50 100644
--- a/env.example
+++ b/env.example
@@ -1,33 +1,5 @@
 # shellcheck disable=SC2034
-# Security
-#
-# Set these to strong passwords to avoid intruders from impersonating a service account
-# The service(s) won't start unless these are specified
-# Running ./gen-passwords.sh will update .env with strong passwords
-# You may skip the Jigasi and Jibri passwords if you are not using those
-# DO NOT reuse passwords
-#
-
-# XMPP component password for Jicofo
-JICOFO_COMPONENT_SECRET=
-
-# XMPP password for Jicofo client connections
-JICOFO_AUTH_PASSWORD=
-
-# XMPP password for JVB client connections
-JVB_AUTH_PASSWORD=
-
-# XMPP password for Jigasi MUC client connections
-JIGASI_XMPP_PASSWORD=
-
-# XMPP recorder password for Jibri client connections
-JIBRI_RECORDER_PASSWORD=
-
-# XMPP password for Jibri client connections
-JIBRI_XMPP_PASSWORD=
-
-
 #
 # Basic configuration options
 #
diff --git a/gen-passwords.sh b/gen-passwords.sh
index c05a07b0db..49473eeb0e 100755
--- a/gen-passwords.sh
+++ b/gen-passwords.sh
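Review bot: The removed Security block was the only place the template told an operator that the XMPP service passwords are required and how they are produced, and nothing in the env.example hunk replaces it, so a reader of the template no longer learns that the services now read `.secrets/*.env` or that `./gen-passwords.sh` has to be run before `docker-compose up`. A short pointer in place of the deleted block, `# Service passwords live in .secrets/*.env and are generated by ./gen-passwords.sh; run it before starting`, keeps that guidance without putting secret values back into a file that may be committed. Leaving the template silent about the new directory also hides that `.secrets` is git-ignored and must be backed up separately from `.env`.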
@@ -1,21 +1,41 @@
 #!/bin/bash
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
 function generatePassword() {
 openssl rand -hex 16
 }
-JICOFO_COMPONENT_SECRET=$(generatePassword)
-JICOFO_AUTH_PASSWORD=$(generatePassword)
-JVB_AUTH_PASSWORD=$(generatePassword)
-JIGASI_XMPP_PASSWORD=$(generatePassword)
-JIBRI_RECORDER_PASSWORD=$(generatePassword)
-JIBRI_XMPP_PASSWORD=$(generatePassword)
-
-sed -i.bak \
- -e "s#JICOFO_COMPONENT_SECRET=.*#JICOFO_COMPONENT_SECRET=${JICOFO_COMPONENT_SECRET}#g" \
- -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
- -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
- -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
- -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
- -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
- "$(dirname "$0")/.env"
+GENERATED_ENV_VARIABLES=(
+ # XMPP component password for Jicofo
+ JICOFO_COMPONENT_SECRET
+
+ # XMPP password for Jicofo client connections
+ JICOFO_AUTH_PASSWORD
+
+ # XMPP password for JVB client connections
+ JVB_AUTH_PASSWORD
+
+ # XMPP password for Jigasi MUC client connections
+ JIGASI_XMPP_PASSWORD
+
+ # XMPP recorder password for Jibri client connections
+ JIBRI_RECORDER_PASSWORD
+
+ # XMPP password for Jibri client connections
+ JIBRI_XMPP_PASSWORD
+)
+
+for ENV_VARIABLE in "${GENERATED_ENV_VARIABLES[@]}"; do
+ if [[ -e ".secrets/${ENV_VARIABLE}.env" ]]; then
+ mv ".secrets/${ENV_VARIABLE}.env" ".secrets/${ENV_VARIABLE}.env.bak"
+ fi
+ echo "${ENV_VARIABLE}=$(generatePassword)" > ".secrets/${ENV_VARIABLE}.env"
+done
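Review bot: The new loop writes into `.secrets/` but nothing creates that directory, and the path is relative to the caller's working directory whereas the replaced `sed` call resolved `.env` via `$(dirname "$0")`; run from anywhere but the repo root, or before `.secrets` exists, every `echo` redirection fails with "No such file or directory" and, without `set -e`, the script carries on and exits 0. The files are also created under the caller's default umask, so each generated password is typically world-readable on a multi-user host, and the `.env.bak` copies of previous secrets accumulate with the same mode. The comment block moved to the top of the script still says it will "update .env with strong passwords", which no longer describes what it does, and its "you may skip the Jigasi and Jibri passwords" line contradicts a loop that generates all of them unconditionally. The version below resolves the directory next to the script, creates it with a private umask, and fails fast on an `openssl` error instead of writing `NAME=` with an empty value.
```shell
set -euo pipefail

# Resolve the secrets directory next to this script (as the old .env path
# was) and make every file created below readable by the invoking user only.
SECRETS_DIR="$(dirname "$0")/.secrets"
umask 077
mkdir -p -- "${SECRETS_DIR}"

# … unchanged: generatePassword and the GENERATED_ENV_VARIABLES list …

for ENV_VARIABLE in "${GENERATED_ENV_VARIABLES[@]}"; do
  secret_file="${SECRETS_DIR}/${ENV_VARIABLE}.env"
  if [[ -e "${secret_file}" ]]; then
    mv -- "${secret_file}" "${secret_file}.bak"
  fi
  # Assign first so a failing openssl aborts under set -e instead of
  # silently producing "NAME=".
  password=$(generatePassword)
  printf '%s=%s\n' "${ENV_VARIABLE}" "${password}" > "${secret_file}"
done
```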
From 92900280186e97250e95dae65b067bae2559581f Mon Sep 17 00:00:00 2001
From: John Meyer <0x326@users.noreply.github.com>
Date: Thu, 17 Sep 2020 20:36:32 -0400
Subject: [PATCH 2/4] Generate JWT_APP_SECRET

---
 docker-compose.yml | 2 +-
 env.example | 3 ---
 gen-passwords.sh | 4 ++++
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 4b116ef483..2c1eea6689 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -106,6 +106,7 @@ services:
 - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
 env_file:
 - .secrets/JICOFO_COMPONENT_SECRET.env
+ - .secrets/JWT_APP_SECRET.env
 - .secrets/JICOFO_AUTH_PASSWORD.env
 - .secrets/JVB_AUTH_PASSWORD.env
 - .secrets/JIGASI_XMPP_PASSWORD.env
@@ -147,7 +148,6 @@ services:
 - JIBRI_XMPP_USER
 - JIBRI_RECORDER_USER
 - JWT_APP_ID
- - JWT_APP_SECRET
 - JWT_ACCEPTED_ISSUERS
 - JWT_ACCEPTED_AUDIENCES
 - JWT_ASAP_KEYSERVER
diff --git a/env.example b/env.example
index 9512ce5d50..a1392583f7 100644
--- a/env.example
+++ b/env.example
@@ -92,9 +92,6 @@ TZ=UTC
 # Application identifier
 #JWT_APP_ID=my_jitsi_app_id
-# Application secret known only to your token
-#JWT_APP_SECRET=my_jitsi_app_secret
-
 # (Optional) Set asap_accepted_issuers as a comma separated list
 #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
diff --git a/gen-passwords.sh b/gen-passwords.sh
index 49473eeb0e..5dd1800539 100755
--- a/gen-passwords.sh
+++ b/gen-passwords.sh
@@ -31,6 +31,10 @@ GENERATED_ENV_VARIABLES=(
 # XMPP password for Jibri client connections
 JIBRI_XMPP_PASSWORD
+
+ # JWT Authentication
+ # Application secret known only to your token
+ JWT_APP_SECRET
 )
 for ENV_VARIABLE in "${GENERATED_ENV_VARIABLES[@]}"; do
From 94990644f8a69f41f01d083aa47034ade59202eb Mon Sep 17 00:00:00 2001
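Review bot: `JWT_APP_SECRET` joins the list that is regenerated on every run, but unlike the XMPP passwords it is a shared secret that the external token issuer must hold as well (the comment itself says "known only to your token"), so re-running `./gen-passwords.sh` to rotate XMPP credentials silently replaces it and every token signed with the previous value stops verifying, with the old value surviving only in `.secrets/JWT_APP_SECRET.env.bak`. A comment above the new array entry, `# NOTE: regenerating this value invalidates existing tokens; copy it to your token issuer after each run`, would make that visible, or the entry could be skipped when its file already exists. The compose hunk attaches `.secrets/JWT_APP_SECRET.env` to prosody only; whether another service in this file previously received `JWT_APP_SECRET` through `environment:` is not visible here and is worth confirming before the old line is dropped.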
From: John Meyer <0x326@users.noreply.github.com>
Date: Thu, 17 Sep 2020 20:37:08 -0400
Subject: [PATCH 3/4] Generate JIGASI_SIP_PASSWORD

---
 env.example | 2 +-
 gen-passwords.sh | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/env.example b/env.example
index a1392583f7..a10426fbee 100644
--- a/env.example
+++ b/env.example
@@ -62,7 +62,7 @@ TZ=UTC
 #JIGASI_SIP_URI=test@sip2sip.info
 # Password for the specified SIP account as a clear text
-#JIGASI_SIP_PASSWORD=passw0rd
+# (See .secrets/JIGASI_SIP_PASSWORD)
 # SIP server (use the SIP account domain if in doubt)
 #JIGASI_SIP_SERVER=sip2sip.info
diff --git a/gen-passwords.sh b/gen-passwords.sh
index 5dd1800539..caf7efca3d 100755
--- a/gen-passwords.sh
+++ b/gen-passwords.sh
@@ -32,6 +32,9 @@ GENERATED_ENV_VARIABLES=(
 # XMPP password for Jibri client connections
 JIBRI_XMPP_PASSWORD
+ # Password for the specified SIP account as a clear text
+ JIGASI_SIP_PASSWORD
+
 # JWT Authentication
 # Application secret known only to your token
 JWT_APP_SECRET
From 994eee8c1c8fd9618f9bf494aa5d60005270b0bd Mon Sep 17 00:00:00 2001
From: John Meyer <0x326@users.noreply.github.com>
Date: Thu, 17 Sep 2020 20:37:29 -0400
Subject: [PATCH 4/4] Create templates for Google Cloud credentials

---
 env.example | 4 ++--
 gen-passwords.sh | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/env.example b/env.example
index a10426fbee..ee4ee8a6f5 100644
--- a/env.example
+++ b/env.example
@@ -251,8 +251,8 @@ JIGASI_PORT_MAX=20050
 # section "Before you begin" paragraph 1 to 5
 # Copy the values from the json to the related env vars
 #GC_PROJECT_ID=
-#GC_PRIVATE_KEY_ID=
-#GC_PRIVATE_KEY=
+# (See .secrets/GC_PRIVATE_KEY_ID.env for GC_PRIVATE_KEY_ID)
+# (See .secrets/GC_PRIVATE_KEY.env for GC_PRIVATE_KEY)
 #GC_CLIENT_EMAIL=
 #GC_CLIENT_ID=
 #GC_CLIENT_CERT_URL=
diff --git a/gen-passwords.sh b/gen-passwords.sh
index caf7efca3d..d0c4d3fba5 100755
--- a/gen-passwords.sh
+++ b/gen-passwords.sh
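Review bot: `JIGASI_SIP_PASSWORD` is, by its own comment in the gen-passwords.sh hunk, the password of an existing SIP account at the provider, so generating a random `openssl rand` value for it under `GENERATED_ENV_VARIABLES` cannot yield a usable credential and overwrites whatever the operator entered on every run; it belongs with the operator-supplied values that the script should only create when absent. The env.example hunk points at `.secrets/JIGASI_SIP_PASSWORD` without the `.env` suffix the script actually writes, while the GC hunk of the next patch spells `.secrets/GC_PRIVATE_KEY_ID.env`; the comment should read `# (See .secrets/JIGASI_SIP_PASSWORD.env)`. This patch's diffstat lists no docker-compose.yml change, so unless the jigasi service (not in view) already loads that file through `env_file:`, the value never reaches the container.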
@@ -40,9 +40,21 @@ GENERATED_ENV_VARIABLES=(
 JWT_APP_SECRET
 )
+MANUAL_ENV_VARIABLES=(
+ GC_PRIVATE_KEY_ID
+ GC_PRIVATE_KEY
+)
+
 for ENV_VARIABLE in "${GENERATED_ENV_VARIABLES[@]}"; do
 if [[ -e ".secrets/${ENV_VARIABLE}.env" ]]; then
 mv ".secrets/${ENV_VARIABLE}.env" ".secrets/${ENV_VARIABLE}.env.bak"
 fi
 echo "${ENV_VARIABLE}=$(generatePassword)" > ".secrets/${ENV_VARIABLE}.env"
 done
+
+for ENV_VARIABLE in "${MANUAL_ENV_VARIABLES[@]}"; do
+ if [[ -e ".secrets/${ENV_VARIABLE}.env" ]]; then
+ mv ".secrets/${ENV_VARIABLE}.env" ".secrets/${ENV_VARIABLE}.env.bak"
+ fi
+ echo "${ENV_VARIABLE}=" > ".secrets/${ENV_VARIABLE}.env"
+done
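Review bot: The `MANUAL_ENV_VARIABLES` loop moves an existing `.secrets/GC_PRIVATE_KEY.env` to `.bak` and then writes `GC_PRIVATE_KEY=` over it, so every re-run of the script (which operators will do to rotate the XMPP passwords) wipes the hand-entered Google Cloud credentials and leaves the old private key behind in a `.bak` file. Operator-supplied templates should only be created when absent: replace the `mv` branch with `if [[ -e ".secrets/${ENV_VARIABLE}.env" ]]; then`, `  continue  # keep the operator-supplied value`, `fi`. If `GC_PRIVATE_KEY` is a multi-line PEM, as a Google service-account key usually is, a single `NAME=value` line in a Compose env_file cannot hold it verbatim, which deserves a comment next to the template so operators know how to encode it.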