feat(ct): introduce runtime password changing

A new init script allows to set passwords at boot time of the container. If the passwords are not changed, there will be warnings logged about the default in use.

Slightly modifying the startInForeground.sh script to avoid keeping password files or sensitive passwords around after starting the server.

modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+# NOTE: ALL PASSWORD ENV VARS WILL BE SCRAMBLED IN startInForeground.sh FOR SECURITY!
+#       This is to avoid possible attack vectors where someone could extract the sensitive information
+#       from within an env var dump inside an application!
+
+# Someone set the env var for passwords - get the new password in. Otherwise print warning.
+# https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
+if [ "$LINUX_USER_PASSWORD" != "payara" ]; then
+  echo -e "payara\n$LINUX_USER_PASSWORD\n$LINUX_USER_PASSWORD" | passwd
+else
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER payara! ('payara')"
+  echo "           To change the password, set the LINUX_USER_PASSWORD env var."
+fi
+
+# Change the domain admin password if necessary
+if [ "$ADMIN_PASSWORD" != "admin" ]; then
+  PASSWORD_FILE=$(mktemp)
+  echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
+  echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+  asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
+  rm "$PASSWORD_FILE"
+else
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ASADMIN! ('admin')"
+  echo "           To change the password, set the ADMIN_PASSWORD env var."
+fi
+
+# Change the domain master password if necessary
+# > The master password is not tied to a user account, and it is not used for authentication.
+# > Instead, Payara Server strictly uses the master password to ONLY encrypt the keystore and truststore used to store keys and certificates for the DAS and instances usage.
+# It will be requested when booting the application server!
+# https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Security%20Guide/Administering%20System%20Security.html#to-change-the-master-password
+if [ "$DOMAIN_MASTER_PASSWORD" != "changeit" ]; then
+  PASSWORD_FILE=$(mktemp)
+  echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
+  echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_MASTER_PASSWORD}" >> "$PASSWORD_FILE"
+  asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
+  rm "$PASSWORD_FILE"
+else
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT MASTER PASSWORD FOR THE DOMAIN! ('changeit')"
+  echo "           To change the password, set the DOMAIN_MASTER_PASSWORD env var."
+fi

modules/container-base/src/main/docker/scripts/startInForeground.sh

@@ -33,7 +33,8 @@
 
 # Check required variables are set
 if [ -z "$ADMIN_USER" ]; then echo "Variable ADMIN_USER is not set."; exit 1; fi
-if [ -z "$PASSWORD_FILE" ]; then echo "Variable PASSWORD_FILE is not set."; exit 1; fi
+if [ -z "$ADMIN_PASSWORD" ]; then echo "Variable ADMIN_PASSWORD is not set."; exit 1; fi
+if [ -z "$DOMAIN_MASTER_PASSWORD" ]; then echo "Variable DOMAIN_MASTER_PASSWORD is not set."; exit 1; fi
 if [ -z "$PREBOOT_COMMANDS_FILE" ]; then echo "Variable PREBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$POSTBOOT_COMMANDS_FILE" ]; then echo "Variable POSTBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$DOMAIN_NAME" ]; then echo "Variable DOMAIN_NAME is not set."; exit 1; fi
@@ -43,6 +44,13 @@ if [ -n "${ENABLE_DUMPS}" ] && [ "${ENABLE_DUMPS}" = "1" ]; then
   JVM_ARGS="${JVM_DUMPS_ARG} ${JVM_ARGS}"
 fi
 
+# For safety reasons, do no longer expose the passwords - malicious code could extract it!
+# (We need to save the master password for booting the server though)
+MASTER_PASSWORD="${DOMAIN_MASTER_PASSWORD}"
+export LINUX_USER_PASSWORD="have-some-scrambled-eggs"
+export ADMIN_PASSWORD="have-some-scrambled-eggs"
+export DOMAIN_MASTER_PASSWORD="have-some-scrambled-eggs"
+
 # The following command gets the command line to be executed by start-domain
 # - print the command line to the server with --dry-run, each argument on a separate line
 # - remove -read-string argument
@@ -53,16 +61,22 @@ fi
 touch "$POSTBOOT_COMMANDS_FILE" || exit 1
 touch "$PREBOOT_COMMANDS_FILE" || exit 1
 
+# This workaround is necessary due to limitations of asadmin
+PASSWORD_FILE=$(mktemp)
+echo "AS_ADMIN_MASTERPASSWORD=$MASTER_PASSWORD" > "$PASSWORD_FILE"
 # shellcheck disable=SC2068
 #   -- Using $@ is necessary here as asadmin cannot deal with options enclosed in ""!
 OUTPUT=$("${PAYARA_DIR}"/bin/asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" start-domain --dry-run --prebootcommandfile="${PREBOOT_COMMANDS_FILE}" --postbootcommandfile="${POSTBOOT_COMMANDS_FILE}" $@ "$DOMAIN_NAME")
 STATUS=$?
+rm "$PASSWORD_FILE"
 if [ "$STATUS" -ne 0 ]
   then
     echo ERROR: "$OUTPUT" >&2
     exit 1
 fi
 
+echo "Booting now..."
+
 COMMAND=$(echo "$OUTPUT"\
  | sed -n -e '2,/^$/p'\
  | sed "s|glassfish.jar|glassfish.jar $JVM_ARGS |g")
@@ -72,18 +86,6 @@ echo "$COMMAND" | tr ' ' '\n'
 echo
 
 # Run the server in foreground - read master password from variable or file or use the default "changeit" password
-
-set +x
-if test "$AS_ADMIN_MASTERPASSWORD"x = x -a -f "$PASSWORD_FILE"
-  then
-    # shellcheck disable=SC1090
-    source "$PASSWORD_FILE"
-fi
-if test "$AS_ADMIN_MASTERPASSWORD"x = x
-  then
-    AS_ADMIN_MASTERPASSWORD=changeit
-fi
-echo "AS_ADMIN_MASTERPASSWORD=$AS_ADMIN_MASTERPASSWORD" > /tmp/masterpwdfile
 # shellcheck disable=SC2086
 #   -- Unquoted exec var is necessary, as otherwise things get escaped that may not be escaped (parameters for Java)
-exec ${COMMAND} < /tmp/masterpwdfile
+exec ${COMMAND} < <(echo "AS_ADMIN_MASTERPASSWORD=$MASTER_PASSWORD")